
Prepared By Ranjit Kumar Bendalam,Hyderabad,A.P, India.

Interview Questions

1. In Windows NT 4.0, what is the name of the account database?
A. SAM (Security Accounts Manager).

2. When you create a shared folder, some users are present by default on the Security tab. They have one special permission; what is that permission called?
A. Inheritable permission.

3. What is the Global Catalog server? What is its main use?
A. The Global Catalog server holds the information of its own domain and partial information about the other domains. It is used for replication.

4. You are creating a domain (Windows 2000 Server) at home on a single PC. After you enter the domain name and the NetBIOS name, it finally gives the error "Network cannot be reached". Why does this happen?
A. When you create a domain, the system's network link must be up. If there is no link, install the MS Loopback Adapter.

5. Name the domain-wide roles.
A. Domain Naming Master and Schema Master.

6. When you create a forest trust relationship, what is the first step you take?
A. Raise the domain level from Native Mode to Mixed Mode.

7. You have a Windows 2000 Server. On Monday you take a Normal backup; on Tuesday, Wednesday, Thursday and Friday you take Incremental backups. Suddenly the server goes down. After reinstalling the server, which backups do you have to restore?
A. All of them (Monday, Tuesday, Wednesday, Thursday and Friday).

8. What is Kerberos? If it fails, which protocol will work?
A. Kerberos is a user authentication protocol. If it fails, NTLM will work.

9. What is the database file name in Active Directory?
A. NTDS.DIT (New Technology Directory Service, Directory Information Tree).

10. In an enterprise network, users log in on different systems at different times. They have roaming profiles, and when they log in their profile opens very slowly. How can I resolve the problem?
A. Enable Folder Redirection.

11. What are the ICMP tools?
A. Ping, Traceroute and Telnet.

12. A system already has Windows 2000 Server and a domain installed. How can I find out whether it is a DC, ADC or CDC?
A. Type the command: net accounts

13. What is the port number of WINS (Windows Internet Naming Service)?
A. 42.

14. When you create a software deployment there are two options, Assigned and Published. What is the difference between them?
A. Assigned means the software is installed when the user logs on to the computer. Published means that each time the user wants it, the user goes to Control Panel and adds the software.

15. What is the default replication interval between a DC and an ADC?
A. 60 minutes.

16. How many hives does the Registry have? What are they?
A. The Registry has 5 hives: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG.

17. How can I enable the Schema Master in Windows Server 2003?
A. Type the command in Run: regsvr32 schmmgmt.dll

18. What is the difference between subnetting and CIDR?
A. Dividing a single network into multiple networks is called subnetting. Combining multiple networks into a single network is called CIDR.
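A worked example of the two operations, added here and not part of the original document: it uses Python's standard ipaddress module to split one network into subnets (subnetting) and to merge adjacent networks back into a single covering prefix (CIDR aggregation, also called supernetting). The network addresses are constructed for the demonstration.

```python
import ipaddress
from typing import List, Tuple


def subnet(network: str, new_prefix: int) -> List[str]:
    """Subnetting: split one network into equal-sized smaller networks.

    A /24 split to /26 yields 2**(26-24) = 4 subnets of 64 addresses each.
    """
    net = ipaddress.ip_network(network)  # strict by default: rejects host bits set
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the parent prefix")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def supernet(networks: List[str]) -> List[str]:
    """CIDR aggregation (supernetting): merge adjacent networks into the
    fewest prefixes that cover exactly the same addresses.

    Networks that are not adjacent and aligned cannot be merged; they are
    returned unchanged, in sorted order.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def host_range(network: str) -> Tuple[str, str, int]:
    """First usable host, last usable host and usable host count of a subnet."""
    hosts = list(ipaddress.ip_network(network).hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def demo() -> dict:
    """Constructed addresses used for the demonstration (no real network)."""
    parts = subnet("192.168.10.0/24", 26)
    return {
        "subnets": parts,
        "first_subnet_hosts": host_range(parts[0]),
        "rejoined": supernet(parts),  # aggregation is the inverse of subnetting
        "aggregate": supernet(["10.1.5.0/24", "10.1.4.0/24", "10.1.7.0/24", "10.1.6.0/24"]),
        "non_adjacent": supernet(["10.1.4.0/24", "10.1.6.0/24"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A firewall or router ACL that must cover several contiguous subnets can use the aggregate prefix instead of one entry per subnet; collapse_addresses only merges networks that are adjacent and aligned on a power-of-two boundary, so the non-adjacent pair comes back as two entries.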


18. How many root servers are there in DNS?
A. 13.

19. Where are the group policies and login scripts you create stored by default?
A. SYSVOL.

20. If changes are made to group policies, what is the command to apply them without restarting the system?
A. In Windows 2000: secedit /refreshpolicy machine_policy
In Windows 2003: gpupdate

21. How can I convert FAT to NTFS?
A. convert D: /fs:ntfs (specify the drive). It then asks for the volume label; enter the volume label.

22. What extra feature was added in Windows 2000 Advanced Server?
A. Clustering.

23. What is the maximum memory Windows 2000 Server supports?
A. 4 GB RAM.

24. How many primary partitions can we create in Windows 2000 Server?
A. Up to 4 partitions.

25. What is the difference between Windows NT 4.0 Server mirroring and Windows 2000 Server mirroring?
A. In Windows NT, mirroring is done with basic disks. In Windows 2000 Server, mirroring is done with dynamic disks.

26. How can I create a boot disk for Windows NT or Windows 2000 Server?
A. Format the floppy with the same OS and copy these files onto it: NTLDR, NTDETECT.COM and BOOT.INI. If it is a SCSI hard disk, also copy the SCSI card's *.sys file to the floppy and rename it NTBOOTDD.SYS.

27. My Windows 2000 Professional system gets a blue-screen error, "Inaccessible_Boot_Device". When I search Google it says the MBR is infected by a virus. How can I clean it?
A. Boot into Safe Mode with Command Prompt, then type the command: chkdsk /p

28. I have 4 SCSI hard disks configured as a RAID 5 array (RAID 5 + hot fix). After 2 days one hard disk fails and I insert a new hard disk into the RAID array. What step do you have to take next?
A. Rebuild.

29. In Remote Installation Service, what is the answer file name?
A. Ristndrd.sif.

30. What does the Emergency Repair Disk contain?
A. Autoexec.nt and Config.nt.

31. Which protocols are required to install Microsoft Exchange Server?
A. SMTP and NNTP.

32. What does WinXP stand for?
A. Windows Expert.

1. Explain hidden shares. Hidden or administrative shares are share names with a
dollar sign ($) appended to their names. Administrative shares are usually created
automatically for the root of each drive letter. They do not display in the network
browse list.
2. How do the permissions work in Windows 2000? What permissions does a
folder inherit from the parent? When you combine NTFS permissions based on
users and their group memberships, the least restrictive permissions take
precedence. However, explicit Deny entries always override Allow entries.
3. Why can’t I encrypt a compressed file on Windows 2000? You can either
compress it or encrypt it, but not both.
4. If I rename an account, what must I do to make sure the renamed account
has the same permissions as the original one? Nothing, it’s all maintained
automatically.
5. What’s the most powerful group on a Windows system? Administrators.

6. What are the accessibility features in Windows 2000? StickyKeys, FilterKeys,
Narrator, Magnifier, and On-Screen Keyboard.
7. Why can’t I get to the Fax Service Management console? You can only see it if
a fax had been installed.
8. What do I need to ensure before deploying an application via a Group
Policy? Make sure it’s either an MSI file, or contains a ZAP file for Group Policy.
9. How do you configure mandatory profiles? Rename ntuser.dat to ntuser.man
10. I can’t get multiple displays to work in Windows 2000. Multiple displays have
to use peripheral connection interface (PCI) or Accelerated Graphics Port (AGP)
port devices to work properly with Windows 2000.
11. What’s a maximum number of processors Win2k supports? 2
12. I had some NTFS volumes under my Windows NT installation. What
happened to NTFS after Win 2k installation? It got upgraded to NTFS 5.
13. How do you convert a drive from FAT/FAT32 to NTFS from the command
line? convert c: /fs:ntfs
14. Explain APIPA. Auto Private IP Addressing (APIPA) takes effect on Windows
2000 Professional computers if no DHCP server can be contacted. APIPA assigns
the computer an IP address within the range of 169.254.0.0 through
169.254.255.254 with a subnet mask of 255.255.0.0.
15. How does Internet Connection Sharing work on Windows 2000? Internet
Connection Sharing (ICS) uses the DHCP Allocator service to assign dynamic IP
addresses to clients on the LAN within the range of 192.168.0.2 through
192.168.0.254. In addition, the DNS Proxy service becomes enabled when you
implement ICS.

Microsoft Win32 interview questions

1. Tell the differences between Windows 95 and Windows NT? Lack of Unicode
implementation for most of the functions of Win95. Different extended error
codes. Different number of window and menu handles. Windows 95 implements
some window management features in 16 bits. Windows 95 uses 16-bit world
coordinate system and the coordinates restricted to 32K. Deletion of drawing
objects is different. Windows 95 does not implement print monitor DLLs of
Windows NT. Differences in registry. Windows 95 does not support
multiprocessor computers. NT implementation of scheduler is quite different.
Different driver models. Win95 was built with back-compatibility in mind and ill-
behaving 16-bit process may easily corrupt the system. Win95 starts from real
DOS, while WinNT uses DOS emulation when one needs a DOS. Win95’s FAT is
built over 16-bit win3.1 FAT (not FAT32!, actually, Win95’s FAT contains two
FATs).

Windows Server 2003 IIS and Scripting interview questions

1. What is presentation layer responsible for in the OSI model? The presentation
layer establishes the data format prior to passing it along to the network
application’s interface. TCP/IP networks perform this task at the application layer.
2. Does Windows Server 2003 support IPv6? Yes, run ipv6.exe from command
line to disable it.
3. Can Windows Server 2003 function as a bridge? Yes, and it’s a new feature for
the 2003 product. You can combine several networks and devices connected via
several adapters by enabling IP routing.
4. What’s the difference between the basic disk and dynamic disk? The basic
type contains partitions, extended partitions, logical drivers, and an assortment of
static volumes; the dynamic type does not use partitions but dynamically manages
volumes and provides advanced storage options
5. What’s a media pool? It is any compilation of disks or tapes with the same
administrative properties.
6. How do you install recovery console? C:\i386\winnt32 /cmdcons,
assuming that your Win server installation is on drive C.
7. What’s new in Terminal Services for Windows 2003 Server? Supports audio
transmissions as well, although prepare for heavy network load.
8. What scripts ship with IIS 6.0? iisweb.vbs to create, delete, start, stop, and list
Web sites, iisftp.vbs to create, delete, start, stop, and list FTP sites, iisvdir.vbs to
create, delete, start, stop, and display virtual directories, iisftpdr.vbs to create,
delete, start, stop, and display virtual directories under an FTP root, iiscnfg.vbs to
export and import IIS configuration to an XML file.
9. What’s the name of the user who connects to the Web site anonymously?
IUSR_computername
10. What secure authentication and encryption mechanisms are supported by
IIS 6.0? Basic authentication, Digest authentication, Advanced digest
authentication, Certificate-based Web transactions that use PKCS #7/PKCS #10,
Fortezza, SSL, Server-Gated Cryptography, Transport Layer Security
11. What’s the relation between SSL and TLS? Transport Layer Security (TLS)
extends SSL by providing cryptographic authentication.
12. What’s the role of http.sys in IIS? It is the point of contact for all incoming
HTTP requests. It listens for requests and queues them until they are all
processed, no more queues are available, or the Web server is shut down.
13. Where’s ASP cache located on IIS 6.0? On disk, as opposed to memory, as it
used to be in IIS 5.
14. What is socket pooling? Non-blocking socket usage, introduced in IIS 6.0. More
than one application can use a given socket.
15. Describe the process of clustering with Windows 2003 Server when a new
node is added. As a node goes online, it searches for other nodes to join by
polling the designated internal network. In this way, all nodes are notified of the
new node’s existence. If other nodes cannot be found on a preexisting cluster, the
new node takes control of the quorum resources residing on the shared disk that
contains state and configuration data.


16. What applications are not capable of performing in Windows 2003 Server
clusters? The ones written exclusively for NetBEUI and IPX.
17. What’s a heartbeat? Communication processes between the nodes designed to
ensure node’s health.
18. What’s a threshold in clustered environment? The number of times a restart is
attempted, when the node fails.
19. You need to change and admin password on a clustered Windows box, but
that requires rebooting the cluster, doesn’t it? No, it doesn’t. In 2003
environment you can do that via cluster.exe utility which does not require
rebooting the entire cluster.
20. For the document of size 1 MB, what size would you expect the index to be
with Indexing Service? 150-300 KB, 15-30% is a reasonable expectation.
21. Doesn’t the Indexing Service introduce a security flaw when allowing access
to the index? No, because users can only view the indices of documents and
folders that they have permissions for.
22. What’s the typical size of the index? Less than 100K documents - up to 128
MB. More than that - 256+ MB.
23. Which characters should be enclosed in quotes when searching the index? &,
@, $, #, ^, ( ), and |.
24. How would you search for C++? Just enter C++, since + is not a special
character (and neither is C).
25. What about Barnes&Noble? Should be searched for as Barnes’&’Noble.
26. Are the searches case-sensitive? No.
27. What’s the order of precedence of Boolean operators in Microsoft Windows
2003 Server Indexing Service? NOT, AND, NEAR, OR.
28. What’s a vector space query? A multiple-word query where the weight can be
assigned to each of the search words. For example, if you want to find
information on ‘black hole’, but would prefer to give more weight to the word
hole, you can enter black[1] hole[20] into the search window.
29. What’s a response queue? It’s the message queue that holds response messages
sent from the receiving application to the sender.
30. What’s MQPing used for? Testing Microsoft Message Queue services between
the nodes on a network.
31. Which add-on package for Windows 2003 Server would you use to monitor
the installed software and license compliance? SMS (System Management
Server).
32. Which service do you use to set up various alerts? MOM (Microsoft
Operations Manager).
33. What languages does Windows Scripting Host support? VB, VBScript,
JScript.


Windows Server 2003 Active Directory and Security questions

1. What’s the difference between local, global and universal groups? Domain
local groups assign access permissions to global domain groups for local domain
resources. Global groups provide access to resources in other trusted domains.
Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can’t I? Universal
groups are allowed only in native-mode Windows Server 2003 environments.
Native mode requires that all domain controllers be promoted to Windows Server
2003 Active Directory.
3. What is LSDOU? It’s group policy inheritance model, where the policies are
applied to Local machines, Sites, Domains and Organizational Units.
4. Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exists,
it has the highest priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in
conflict. Which one has the highest priority? The computer settings take
priority.
9. You want to set up remote installation procedure, but do not want the user to
gain access over it. What do you do? gponame–> User Configuration–>
Windows Settings–> Remote Installation Services–> Choice Options is your
friend.
10. What’s contained in administrative template conf.adm? Microsoft NetMeeting
policies
11. How can you restrict running certain applications on a machine? Via group
policy, security settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but MSI file is not available. What
do you do? A .zap text file can be used to add applications using the Software
Installer, rather than the Windows Installer.
13. What’s the difference between Software Installer and Windows Installer?
The former has fewer privileges and will probably require user intervention. Plus,
it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn’t there in
previous products? Group Policy in Windows Server 2003 determines a user’s
right to modify network and dial-up TCP/IP properties. Users may be selectively
restricted from modifying their IP address and other network configuration
parameters.
15. How frequently is the client policy refreshed? 90 minutes give or take.
16. Where is secedit? It’s now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure
you check Block inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user
preferences that are not stored in maintained portions of the Registry. If the group
policy is removed or changed, the user preference will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can’t.

20. How do you fight tattooing in 2003 installations? User Configuration -
Administrative Templates - System - Group Policy - enable - Enforce Show
Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications,
and stored files for users, particularly those who move between workstations or
those who must periodically work offline.
22. What’s the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native
NTFS provides extensive permission control on both remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don’t, both
have support for sharing.
24. Explain the List Folder Contents permission on the folder in NTFS. Same as
Read & Execute, but not inherited by files within a folder. However, newly
created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to
read it. Can he access it? It is possible for a user to navigate to a file for which
he does not have folder permission. This involves simply knowing the path of the
file object. Even if the user can’t drill down the file/folder tree using My
Computer, he can still gain access to the file using the Universal Naming
Convention (UNC). The best way to start would be to type the full path of a file
into Run… window.
26. For a user in several groups, are Allow permissions restrictive or permissive?
Permissive, if at least one group has Allow permission for the file/folder, user will
have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive, if at least one group has Deny permission for the file/folder, user will
be denied access, regardless of other group permissions.
28. What hidden shares exist on Windows Server 2003 installation? Admin$,
Drive$, IPC$, NETLOGON, print$ and SYSVOL.
29. What’s the difference between standalone and fault-tolerant DFS
(Distributed File System) installations? The standalone server stores the Dfs
directory tree structure or topology locally. Thus, if a shared folder is inaccessible
or if the Dfs root server is down, users are left with no link to the shared
resources. A fault-tolerant root node stores the Dfs topology in the Active
Directory, which is replicated to other domain controllers. Thus, redundant root
nodes may include multiple connections to the same data residing in different
shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a
Win98 box. Use the UNC path, not client, only 2000 and 2003 clients can access
Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active
Directory? In Partition Knowledge Table, which is then replicated to other
domain controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the
redundant copies of the file at the same time, with no file-locking involved in
DFS, changing the contents and then saving. Only one file will be propagated
through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah,
you can’t. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a middle-man attack on
encrypted line? Time stamp is attached to the initial client request, encrypted
with the shared key.
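An added illustration of the timestamp check described in item 36; it is not code from the original document and it is not the real Kerberos protocol. It stands in for the encrypted authenticator with an HMAC under the shared key (an assumption made so the example needs only the standard library; the integrity property is the same: nobody without the key can forge or alter the timestamp) and shows the checks a server performs on it: integrity under the shared key, a timestamp within the permitted clock skew (300 seconds, the Windows default for maximum clock tolerance), and rejection of a (client, timestamp) pair that has already been seen. The key, client names and timestamps are constructed values.

```python
import hashlib
import hmac
import json
from typing import Set, Tuple

# Windows default "maximum tolerance for computer clock synchronization".
MAX_CLOCK_SKEW_SECONDS = 300


def make_authenticator(shared_key: bytes, client: str, timestamp: int) -> dict:
    """Client side: bind the client name and current time to the shared key.

    Real Kerberos encrypts the authenticator with the session key; an HMAC is
    used here as a stdlib-only stand-in with the same integrity property.
    """
    body = json.dumps({"client": client, "ts": timestamp}, sort_keys=True)
    tag = hmac.new(shared_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_authenticator(shared_key: bytes, auth: dict, now: int,
                         replay_cache: Set[Tuple[str, int]]) -> Tuple[bool, str]:
    """Server side: the checks that defeat a man-in-the-middle replay.

    1. integrity under the shared key (tampered or foreign-key messages fail),
    2. timestamp within the allowed clock skew (old captures fail),
    3. a (client, timestamp) pair already accepted is a replay.
    """
    expected = hmac.new(shared_key, auth["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["tag"]):
        return False, "integrity check failed"
    fields = json.loads(auth["body"])
    if abs(now - fields["ts"]) > MAX_CLOCK_SKEW_SECONDS:
        return False, "clock skew too great"
    key = (fields["client"], fields["ts"])
    if key in replay_cache:
        return False, "replay detected"
    replay_cache.add(key)  # remembered for the skew window in a real implementation
    return True, "accepted"


def demo() -> dict:
    """Constructed key and timestamps; the integers stand in for epoch seconds."""
    key = b"constructed-shared-session-key"  # constructed, not a real key
    cache: Set[Tuple[str, int]] = set()
    fresh = make_authenticator(key, "alice", 1_000_000)
    tampered = dict(fresh, body=fresh["body"].replace("alice", "mallory"))
    return {
        "first_use": verify_authenticator(key, fresh, 1_000_010, cache),
        "replayed": verify_authenticator(key, fresh, 1_000_020, cache),
        "stale": verify_authenticator(key, make_authenticator(key, "bob", 1_000_000), 1_000_900, cache),
        "tampered": verify_authenticator(key, tampered, 1_000_010, cache),
        "wrong_key": verify_authenticator(b"other-key", fresh, 1_000_010, cache),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The replay cache only has to hold entries for as long as the skew window, since anything older is rejected by the timestamp check first; this is why clock synchronization between clients and domain controllers matters for the protection to work.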
37. What hashing algorithms are used in Windows 2003 Server? RSA Data
Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure
Hash Algorithm 1 (SHA-1), produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003
Server? Windows Server 2003 uses the industry standard PKCS-10 certificate
request and PKCS-7 certificate response to exchange CA certificates with third-
party certificate authorities.
39. What’s the number of permitted unsuccessful logons on Administrator
account? Unlimited. Remember, though, that it’s the Administrator account, not
any account that’s part of the Administrators group.
40. If hashing is one-way function and Windows Server uses hashing for storing
passwords, how is it possible to attack the password lists, specifically the ones
using NTLMv1? A cracker would launch a dictionary attack by hashing every
imaginable term used as a password and then comparing the hashes.
41. What’s the difference between guest accounts in Server 2003 and other
editions? More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce
Password History Remembered"? User’s last 6 passwords.


Windows Server 2003 interview and certification questions


1. How do you double-boot a Win 2003 server box? The Boot.ini file is set as
read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini
timeout and default settings, use the System option in Control Panel from the
Advanced tab and select Startup.
2. What do you do if earlier application doesn’t run on Windows Server 2003?
When an application that ran on an earlier legacy version of Windows cannot be
loaded during the setup function or if it later malfunctions, you must run the
compatibility mode function. This is accomplished by right-clicking the
application or setup program and selecting Properties –> Compatibility –>
selecting the previously supported operating system.
3. If you uninstall Windows Server 2003, which operating systems can you
revert to? Win ME and Win 98.
4. How do you get to Internet Firewall settings? Start –> Control Panel –>
Network and Internet Connections –> Network Connections.
5. What are the Windows Server 2003 keyboard shortcuts? Winkey opens or
closes the Start menu. Winkey + BREAK displays the System Properties dialog
box. Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the
taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows
the desktop. Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel
with Search for Computers module selected. Winkey + F1 opens Help. Winkey +
M minimizes all. Winkey + SHIFT+ M undoes minimization. Winkey + R opens
Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the
computer.
6. What is Active Directory? Active Directory is a network-based object store and
service that locates and manages resources, and makes these resources available
to authorized users and groups. An underlying principle of the Active Directory is
that everything is considered an object—people, servers, workstations, printers,
documents, and devices. Each object has certain attributes and its own security
access control list (ACL).
7. Where are the Windows NT Primary Domain Controller (PDC) and its
Backup Domain Controller (BDC) in Server 2003? The Active Directory
replaces them. Now all domain controllers share a multimaster peer-to-peer read
and write relationship that hosts copies of the Active Directory.
8. How long does it take for security changes to be replicated among the domain
controllers? Security-related modifications are replicated within a site
immediately. These changes include account and individual user lockout policies,
changes to password policies, changes to computer account passwords, and
modifications to the Local Security Authority (LSA).
9. What’s new in Windows Server 2003 regarding the DNS management? When
DC promotion occurs with an existing forest, the Active Directory Installation
Wizard contacts an existing DC to update the directory and replicate from the DC
the required portions of the directory. If the wizard fails to locate a DC, it
performs debugging and reports what caused the failure and how to fix the
problem. In order to be located on a network, every DC must register in DNS DC
locator DNS records. The Active Directory Installation Wizard verifies a proper
configuration of the DNS infrastructure. All DNS configuration debugging and
reporting activity is done with the Active Directory Installation Wizard.
10. When should you create a forest? Organizations that operate on radically
different bases may require separate trees with distinct namespaces. Unique trade
or brand names often give rise to separate DNS identities. Organizations merge or
are acquired and naming continuity is desired. Organizations form partnerships
and joint ventures. While access to common resources is desired, a separately
defined tree can enforce more direct administrative and security restrictions.


11. How can you authenticate between forests? Four types of authentication are
used across forests: (1) Kerberos and NTLM network logon for remote access to a
server in another forest; (2) Kerberos and NTLM interactive logon for physical
logon outside the user’s home forest; (3) Kerberos delegation to N-tier application
in another forest; and (4) user principal name (UPN) credentials.
12. What snap-in administrative tools are available for Active Directory? Active
Directory Domains and Trusts Manager, Active Directory Sites and Services
Manager, Active Directory Users and Group Manager, Active Directory
Replication (optional, available from the Resource Kit), Active Directory Schema
Manager (optional, available from adminpak)
13. What types of classes exist in Windows Server 2003 Active Directory?
o Structural class. The structural class is important to the system
administrator in that it is the only type from which new Active Directory
objects are created. Structural classes are developed from either the
modification of an existing structural type or the use of one or more
abstract classes.
o Abstract class. Abstract classes are so named because they take the form
of templates that actually create other templates (abstracts) and structural
and auxiliary classes. Think of abstract classes as frameworks for the
defining objects.
o Auxiliary class. The auxiliary class is a list of attributes. Rather than
apply numerous attributes when creating a structural class, it provides a
streamlined alternative by applying a combination of attributes with a
single include action.
o 88 class. The 88 class includes object classes defined prior to 1993, when
the 1988 X.500 specification was adopted. This type does not use the
structural, abstract, and auxiliary definitions, nor is it in common use for
the development of objects in Windows Server 2003 environments.
14. How do you delete a lingering object? Windows Server 2003 provides a
command called Repadmin that provides the ability to delete lingering objects in
the Active Directory.
15. What is Global Catalog? The Global Catalog authenticates network user logons
and fields inquiries about objects across a forest or tree. Every domain has at least
one GC that is hosted on a domain controller. In Windows 2000, there was
typically one GC on every site in order to prevent user logon failures across the
network.
16. How is user account security established in Windows Server 2003? When an
account is created, it is given a unique access number known as a security
identifier (SID). Every group to which the user belongs has an associated SID.
The user and related group SIDs together form the user account’s security token,
which determines access levels to objects throughout the system and network.
SIDs from the security token are mapped to the access control list (ACL) of any
object the user attempts to access.
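Item 16 here, together with item 2 of the Windows 2000 list and items 25 to 27 of the Active Directory and Security list, describes how the SIDs in a token are matched against an object's ACL. The following is an added illustration in Python, not code from the original document and not the Windows Security Reference Monitor itself: it models a token as the user SID plus group SIDs, applies the combining rule those items state (Allow is permissive across groups, an explicit Deny overrides), and contrasts browsing down to a file, which needs List Folder Contents on every parent folder, with opening the file by its full path, which is checked against the file's own ACL. The SIDs, group names and ACLs are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Rights are modelled as short names; a real NTFS ACE carries an access mask.
READ, WRITE, LIST = "read", "write", "list_folder"


@dataclass(frozen=True)
class Ace:
    """One access control entry: the SID it applies to, allow or deny, and its rights."""
    sid: str
    kind: str  # "allow" or "deny"
    rights: FrozenSet[str]


@dataclass(frozen=True)
class Token:
    """Security token: the user's own SID plus the SID of every group it belongs to."""
    user_sid: str
    group_sids: FrozenSet[str] = frozenset()

    def sids(self) -> FrozenSet[str]:
        return self.group_sids | {self.user_sid}


def effective_rights(token: Token, acl: Iterable[Ace]) -> FrozenSet[str]:
    """Combine every ACE whose SID appears in the token.

    Allow entries are permissive: the union over all matching SIDs.
    Any matching Deny entry removes that right, whatever the Allows say.
    """
    allowed: set = set()
    denied: set = set()
    for ace in acl:
        if ace.sid not in token.sids():
            continue  # ACE is for a SID this token does not carry
        if ace.kind == "allow":
            allowed |= ace.rights
        elif ace.kind == "deny":
            denied |= ace.rights
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return frozenset(allowed - denied)


def can_browse_to(token: Token, folder_acls: List[Iterable[Ace]],
                  file_acl: Iterable[Ace]) -> bool:
    """Drilling down in My Computer needs List Folder Contents on each parent folder."""
    parents_ok = all(LIST in effective_rights(token, acl) for acl in folder_acls)
    return parents_ok and READ in effective_rights(token, file_acl)


def can_open_by_path(token: Token, file_acl: Iterable[Ace]) -> bool:
    """Opening by full path (Run, UNC) is checked against the file's own ACL only."""
    return READ in effective_rights(token, file_acl)


# Constructed SIDs and ACLs for the demonstration (not taken from any real system).
STAFF, FINANCE, CONTRACTORS = "S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-1002", "S-1-5-21-0-0-0-1003"
ALICE = Token("S-1-5-21-0-0-0-1101", frozenset({STAFF, FINANCE}))
BOB = Token("S-1-5-21-0-0-0-1102", frozenset({STAFF, CONTRACTORS}))

REPORT_ACL = [
    Ace(STAFF, "allow", frozenset({READ, WRITE})),
    Ace(FINANCE, "allow", frozenset({READ, WRITE})),
    Ace(CONTRACTORS, "deny", frozenset({WRITE})),  # explicit Deny beats STAFF's Allow
]
FINANCE_FOLDER_ACL = [Ace(FINANCE, "allow", frozenset({LIST, READ}))]


def demo() -> dict:
    return {
        "alice_rights": effective_rights(ALICE, REPORT_ACL),
        "bob_rights": effective_rights(BOB, REPORT_ACL),
        "bob_can_browse": can_browse_to(BOB, [FINANCE_FOLDER_ACL], REPORT_ACL),
        "bob_can_open_by_path": can_open_by_path(BOB, REPORT_ACL),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value) if isinstance(value, frozenset) else value)
```

The by-path case behaves this way on Windows because the Bypass traverse checking privilege (SeChangeNotifyPrivilege) is granted to Everyone by default; missing folder permissions therefore limit browsing but are not by themselves a way to keep a file private once its path is known, so the file's own ACL must carry the restriction.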
17. If I delete a user and then create a new account with the same username and
password, would the SID and permissions stay the same? No. If you delete a
user account and attempt to recreate it with the same user name and password, the
SID will be different.


18. What do you do with secure sign-ons in an organization with many roaming
users? Credential Management feature of Windows Server 2003 provides a
consistent single sign-on experience for users. This can be useful for roaming
users who move between computer systems. The Credential Management feature
provides a secure store of user credentials that includes passwords and X.509
certificates.
19. Anything special you should do when adding a user that has a Mac? "Save
password as encrypted clear text" must be selected on User Properties Account
Tab Options, since the Macs only store their passwords that way.
20. What remote access options does Windows Server 2003 support? Dial-in,
VPN, dial-in with callback.
21. Where are the documents and settings for the roaming profile stored? All the
documents and environmental settings for the roaming user are stored locally on
the system, and, when the user logs off, all changes to the locally stored profile
are copied to the shared server folder. Therefore, the first time a roaming user logs
on to a new system the logon process may take some time, depending on how
large his profile folder is.
22. Where are the settings for all the users stored on a given machine? \Documents
and Settings\All Users

23. What languages can you use for log-on scripts? JavaScript, VBScript, DOS batch files (.com,
.bat, or even .exe)

1. How do you double-boot a Win 2003 server box? The Boot.ini file is set as
read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini
timeout and default settings, use the System option in Control Panel from the
Advanced tab and select Startup.
2. What do you do if earlier application doesn’t run on Windows Server 2003?
When an application that ran on an earlier legacy version of Windows cannot be
loaded during the setup function or if it later malfunctions, you must run the
compatibility mode function. This is accomplished by right-clicking the
application or setup program and selecting Properties –> Compatibility –>
selecting the previously supported operating system.
3. If you uninstall Windows Server 2003, which operating systems can you
revert to? Win ME and Win 98.
4. How do you get to Internet Firewall settings? Start –> Control Panel –>
Network and Internet Connections –> Network Connections.
5. What are the Windows Server 2003 keyboard shortcuts? Winkey opens or
closes the Start menu. Winkey + BREAK displays the System Properties dialog
box. Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the
taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows
the desktop. Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel
with Search for Computers module selected. Winkey + F1 opens Help. Winkey +
M minimizes all. Winkey + SHIFT+ M undoes minimization. Winkey + R opens
Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the
computer.
6. What is Active Directory? Active Directory is a network-based object store and
service that locates and manages resources, and makes these resources available
to authorized users and groups. An underlying principle of the Active Directory is
that everything is considered an object—people, servers, workstations, printers,
documents, and devices. Each object has certain attributes and its own security
access control list (ACL).
7. Where are the Windows NT Primary Domain Controller (PDC) and its
Backup Domain Controller (BDC) in Server 2003? The Active Directory
replaces them. Now all domain controllers share a multimaster peer-to-peer read
and write relationship that hosts copies of the Active Directory.
8. How long does it take for security changes to be replicated among the domain
controllers? Security-related modifications are replicated within a site
immediately. These changes include account and individual user lockout policies,
changes to password policies, changes to computer account passwords, and
modifications to the Local Security Authority (LSA).
9. What’s new in Windows Server 2003 regarding the DNS management? When
DC promotion occurs with an existing forest, the Active Directory Installation
Wizard contacts an existing DC to update the directory and replicate from the DC
the required portions of the directory. If the wizard fails to locate a DC, it
performs debugging and reports what caused the failure and how to fix the
problem. In order to be located on a network, every DC must register in DNS DC
locator DNS records. The Active Directory Installation Wizard verifies a proper
configuration of the DNS infrastructure. All DNS configuration debugging and
reporting activity is done with the Active Directory Installation Wizard.
10. When should you create a forest? Organizations that operate on radically
different bases may require separate trees with distinct namespaces. Unique trade
or brand names often give rise to separate DNS identities. Organizations merge or
are acquired and naming continuity is desired. Organizations form partnerships
and joint ventures. While access to common resources is desired, a separately
defined tree can enforce more direct administrative and security restrictions.
11. How can you authenticate between forests? Four types of authentication are
used across forests: (1) Kerberos and NTLM network logon for remote access to a
server in another forest; (2) Kerberos and NTLM interactive logon for physical
logon outside the user’s home forest; (3) Kerberos delegation to N-tier application
in another forest; and (4) user principal name (UPN) credentials.
12. What snap-in administrative tools are available for Active Directory? Active
Directory Domains and Trusts Manager, Active Directory Sites and Services
Manager, Active Directory Users and Group Manager, Active Directory
Replication (optional, available from the Resource Kit), Active Directory Schema
Manager (optional, available from adminpak)
13. What types of classes exist in Windows Server 2003 Active Directory?
o Structural class. The structural class is important to the system
administrator in that it is the only type from which new Active Directory
objects are created. Structural classes are developed from either the
modification of an existing structural type or the use of one or more
abstract classes.
o Abstract class. Abstract classes are so named because they take the form
of templates that actually create other templates (abstracts) and structural
and auxiliary classes. Think of abstract classes as frameworks for the
defining objects.
o Auxiliary class. The auxiliary class is a list of attributes. Rather than
apply numerous attributes when creating a structural class, it provides a
streamlined alternative by applying a combination of attributes with a
single include action.
o 88 class. The 88 class includes object classes defined prior to 1993, when
the 1988 X.500 specification was adopted. This type does not use the
structural, abstract, and auxiliary definitions, nor is it in common use for
the development of objects in Windows Server 2003 environments.
14. How do you delete a lingering object? Windows Server 2003 provides a
command called Repadmin that provides the ability to delete lingering objects in
the Active Directory.
15. What is Global Catalog? The Global Catalog authenticates network user logons
and fields inquiries about objects across a forest or tree. Every domain has at least
one GC that is hosted on a domain controller. In Windows 2000, there was
typically one GC on every site in order to prevent user logon failures across the
network.
16. How is user account security established in Windows Server 2003? When an
account is created, it is given a unique access number known as a security
identifier (SID). Every group to which the user belongs has an associated SID.
The user and related group SIDs together form the user account’s security token,
which determines access levels to objects throughout the system and network.
SIDs from the security token are mapped to the access control list (ACL) of any
object the user attempts to access.
17. If I delete a user and then create a new account with the same username and
password, would the SID and permissions stay the same? No. If you delete a
user account and attempt to recreate it with the same user name and password, the
SID will be different.
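Items 16 and 17 describe how the SIDs in a user's token are matched against an object's ACL, and why a recreated account (new SID) no longer matches ACEs written for the old one. The following Python is an added illustration, not something from the original document or from Windows itself: a simplified access check in which deny ACEs are evaluated before allow ACEs and allow ACEs accumulate rights. The domain SID, RIDs and names (Token, Ace, access_check, is_rid_in_domain) are constructed for this example; real Windows ACLs also carry inheritance flags, generic-right mappings and integrity levels, which are left out.

```python
# Added example (not from the original document): a simplified model of how
# Windows evaluates a security token (user SID + group SIDs) against a DACL.
# Domain SID, RIDs and all names below are constructed sample values.
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # toy access-mask bits

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    sid: str           # textual SID, e.g. S-1-5-21-...-1105
    mask: int          # access bits this ACE grants or denies

@dataclass
class Token:
    user_sid: str
    group_sids: set = field(default_factory=set)

    def sids(self) -> set:
        return {self.user_sid} | self.group_sids

def parse_sid(sid: str) -> tuple:
    """Split a textual SID into (revision, authority, sub-authorities).
    Raises ValueError on malformed input so a bad ACE fails closed."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    return int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:])

def is_rid_in_domain(sid: str, domain_sid: str) -> bool:
    """True if `sid` is `domain_sid` plus exactly one relative identifier (RID)."""
    _, _, subs = parse_sid(sid)
    _, _, dsubs = parse_sid(domain_sid)
    return len(subs) == len(dsubs) + 1 and subs[:-1] == dsubs

def access_check(token: Token, dacl: list, requested: int) -> bool:
    """Walk the DACL in order. A deny ACE matching any token SID that overlaps
    the still-needed rights blocks access at once; allow ACEs accumulate
    rights until everything requested is granted. Running out of ACEs first
    means implicit deny."""
    remaining = requested
    for ace in dacl:
        parse_sid(ace.sid)                 # validate before trusting it
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

# Constructed sample domain SID with RIDs appended for accounts and groups.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
ALICE_OLD = DOMAIN + "-1105"   # Alice's account before it was deleted
ALICE_NEW = DOMAIN + "-1131"   # recreated account: new RID, so a new SID
SALES = DOMAIN + "-1110"

REPORT_DACL = [
    Ace("deny",  SALES,     WRITE),          # deny ACEs are ordered first
    Ace("allow", ALICE_OLD, READ | WRITE),
    Ace("allow", SALES,     READ),
]

def demo() -> dict:
    alice_old = Token(ALICE_OLD, {SALES})
    alice_new = Token(ALICE_NEW, {SALES})
    return {
        # The group deny wins even though an explicit allow follows it.
        "old_alice_write": access_check(alice_old, REPORT_DACL, WRITE),
        "old_alice_read": access_check(alice_old, REPORT_DACL, READ),
        # The recreated account's SID matches no ACE of its own; only the
        # group ACEs apply, so it keeps READ but has lost WRITE for good.
        "new_alice_read": access_check(alice_new, REPORT_DACL, READ),
        "new_alice_exec": access_check(alice_new, REPORT_DACL, EXECUTE),
        "old_sid_in_domain": is_rid_in_domain(ALICE_OLD, DOMAIN),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point item 17 makes shows up in `new_alice_read`/`new_alice_exec`: permissions granted to the deleted account's SID are orphaned, and the new account only gets what its groups grant.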

1. How can you authenticate between forests?

Windows 2000 always uses NTLM for authentication between
forests; 2003 will use Kerberos if and only if DNS is used while
setting up the domains. If the NetBIOS name is used, NTLM is used
for 2003.

Tech Interviews comment by Anonymous

1. Describe how the DHCP lease is obtained.

It’s a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection
and (d) acknowledgement.

2. I can’t seem to access the Internet, don’t have any access to the corporate
network and on ipconfig my address is 169.254.*.*. What happened?

The 169.254.*.* address range is assigned to Windows machines running 98/2000/XP
if the DHCP server is not available. The name for the technology is APIPA
(Automatic Private Internet Protocol Addressing).
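Questions 1 and 2 above describe the four-message lease exchange and the 169.254.*.* fallback. The Python below is an added example, not from the original document and not Windows or any DHCP implementation: it builds and parses the four messages with the real BOOTP/DHCP wire layout (option 53 message types, option 54 server identifier, option 51 lease time) against a constructed in-memory server, and when no server answers it assigns an APIPA address, which is exactly the symptom question 2 describes. The server, MAC address, IP addresses, transaction id and the names SampleServer, obtain_lease and is_apipa are all constructed for this example; nothing is sent on a network.

```python
# Added example, not part of the original document: the four messages of a
# DHCP lease (DISCOVER, OFFER, REQUEST, ACK; the question calls them request,
# offer, selection, acknowledgement) built and parsed with the real BOOTP/DHCP
# wire layout, plus the APIPA fallback a client takes when no OFFER arrives.
# Server, MAC, addresses and transaction id are constructed sample values.
import ipaddress
import struct
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5           # option 53 message types
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # link-local block

def build_dhcp(op: int, xid: int, mac: bytes, yiaddr: str, options: dict) -> bytes:
    """Serialise a BOOTP/DHCP message (op 1 = client to server, 2 = server to
    client). `options` maps option code -> raw value; 255 ends the list."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ipaddress.ip_address(yiaddr).packed,
                         b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(v)]) + v for code, v in options.items())
    return header + MAGIC_COOKIE + body + b"\xff"

def parse_dhcp(data: bytes) -> dict:
    """Decode the fixed header and the TLV options. A missing magic cookie or
    an option running past the buffer raises, so malformed input fails closed."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, _, _, xid = struct.unpack("!BBBBI", data[:8])
    yiaddr = str(ipaddress.ip_address(data[16:20]))   # "your address" field
    opts, i = {}, 240
    while i < len(data) and data[i] != 0xFF:
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": opts}

class SampleServer:
    """Constructed DHCP server with one address to hand out: answers DISCOVER
    with OFFER, and a REQUEST that names it in option 54 with ACK."""
    def __init__(self, server_ip="10.0.0.1", offer_ip="10.0.0.50", lease_s=3600):
        self.ip, self.offer_ip, self.lease_s = server_ip, offer_ip, lease_s

    def handle(self, raw: bytes) -> Optional[bytes]:
        msg = parse_dhcp(raw)
        kind = msg["options"].get(53, b"\0")[0]
        common = {54: ipaddress.ip_address(self.ip).packed,    # server identifier
                  51: struct.pack("!I", self.lease_s)}        # lease time
        if kind == DISCOVER:
            return build_dhcp(2, msg["xid"], b"", self.offer_ip, {53: bytes([OFFER]), **common})
        if kind == REQUEST and msg["options"].get(54) == common[54]:
            return build_dhcp(2, msg["xid"], b"", self.offer_ip, {53: bytes([ACK]), **common})
        return None   # a real server would NAK or stay silent

def obtain_lease(server, mac=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326) -> dict:
    """Run the four-step exchange against `server`; with no server (None) fall
    back to an APIPA address, which is how the 169.254.*.* symptom arises."""
    steps = ["DISCOVER"]
    discover = build_dhcp(1, xid, mac, "0.0.0.0", {53: bytes([DISCOVER])})
    offer_raw = server.handle(discover) if server is not None else None
    if offer_raw is None:
        # Derive a link-local host part from the MAC (a real client picks one
        # at random and ARP-probes for conflicts); stays in 169.254.1.0-254.255.
        seed = (mac[-1] << 8) | mac[-2]
        apipa = str(APIPA_NET[0x0100 + seed % 0xFE00])
        return {"steps": steps + ["APIPA"], "address": apipa, "lease_seconds": 0}
    offer = parse_dhcp(offer_raw)
    steps.append("OFFER")
    request = build_dhcp(1, xid, mac, "0.0.0.0", {
        53: bytes([REQUEST]),
        50: ipaddress.ip_address(offer["yiaddr"]).packed,   # requested address
        54: offer["options"][54]})                          # the server we chose
    steps.append("REQUEST")
    ack_raw = server.handle(request)
    if ack_raw is None:
        raise RuntimeError("no ACK for the lease request")
    ack = parse_dhcp(ack_raw)
    if ack["options"].get(53, b"\0")[0] != ACK or ack["xid"] != xid:
        raise RuntimeError("unexpected reply to REQUEST")
    steps.append("ACK")
    return {"steps": steps, "address": ack["yiaddr"],
            "lease_seconds": struct.unpack("!I", ack["options"][51])[0]}

def is_apipa(addr: str) -> bool:
    """True for the 169.254.*.* range that means 'no DHCP server answered'."""
    return ipaddress.ip_address(addr) in APIPA_NET

if __name__ == "__main__":
    print(obtain_lease(SampleServer()))
    print(obtain_lease(None))
```

`obtain_lease(SampleServer())` walks all four steps and returns the offered address and lease time; `obtain_lease(None)` returns a 169.254.x.x address and the step list `["DISCOVER", "APIPA"]`, so a monitoring script can tell the two outcomes apart by address range alone.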

3. We’ve installed a new Windows-based DHCP server, however, the users do
not seem to be getting DHCP leases off of it.

The server must be authorized first with the Active Directory.

4. How can you force the client to give up the dhcp lease if you have access to
the client PC?

ipconfig /release

5. What authentication options do Windows 2000 Servers have for remote
clients?

PAP, SPAP, CHAP, MS-CHAP and EAP.

6. What are the networking protocol options for the Windows clients if for some
reason you do not want to use TCP/IP?

NWLink (Novell), NetBEUI, AppleTalk (Apple).

7. What is data link layer in the OSI reference model responsible for? Data link
layer is located above the physical layer, but below the network layer.

Taking raw data bits and packaging them into frames. The network layer will be
responsible for addressing the frames, while the physical layer is responsible for
retrieving and sending raw data bits.

8. What is binding order?

The order by which the network protocols are used for client-server
communications. The most frequently used protocols should be at the top.

9. How do cryptography-based keys ensure the validity of data transferred
across the network?

Each IP packet is assigned a checksum, so if the checksums do not match on both
receiving and transmitting ends, the data was modified or corrupted.
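The answer above explains integrity in terms of a checksum; the distinction a practitioner needs is that a checksum only catches accidental corruption, while a keyed MAC also defeats deliberate modification because the tag cannot be recomputed without the key. The Python below is an added example, not from the original document: it packs a constructed payload first with an IP-style one's-complement checksum, then with an HMAC-SHA256 tag, and shows which of the two survives an in-transit edit. Key, payload and the function names (checksum_pack, seal, open_sealed, tamper, demo) are constructed for this example; this is the integrity idea behind IPsec AH/ESP, not an implementation of those protocols.

```python
# Added example, not from the original document: why a keyed MAC rather than
# a plain checksum is what lets a receiver trust data that crossed the network.
# Key and payload are constructed sample values.
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = 32   # HMAC-SHA256 output size

def plain_checksum(data: bytes) -> int:
    """16-bit one's-complement sum, the style used by IP/TCP/UDP headers."""
    if len(data) % 2:
        data += b"\0"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_pack(payload: bytes) -> bytes:
    return payload + plain_checksum(payload).to_bytes(2, "big")

def checksum_verify(packet: bytes) -> Optional[bytes]:
    """Payload if the trailing checksum matches, else None."""
    if len(packet) < 2:
        return None
    payload, chk = packet[:-2], int.from_bytes(packet[-2:], "big")
    return payload if plain_checksum(payload) == chk else None

def seal(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed under the shared key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def open_sealed(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Payload if its tag verifies, else None. compare_digest keeps the
    comparison constant-time so timing does not leak how many tag bytes match."""
    if len(sealed) < TAG_LEN:
        return None
    payload, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def tamper(packet: bytes, offset: int, new_byte: int) -> bytes:
    """Change one byte in transit, leaving everything else untouched."""
    return packet[:offset] + bytes([new_byte]) + packet[offset + 1:]

def demo(key: bytes = b"constructed-shared-key") -> dict:
    payload = b"TRANSFER 100 TO ACCT 7"
    edited = tamper(payload, 9, ord("9"))            # "100" becomes "900"
    # Checksum: a stray bit flip is caught, but someone who edits the payload
    # and recomputes the checksum passes verification.
    corrupted = tamper(checksum_pack(payload), 9, ord("9"))
    forged = checksum_pack(edited)
    # HMAC: the same edit is rejected, and so is a tag made under another key.
    sealed = seal(key, payload)
    return {
        "checksum_detects_corruption": checksum_verify(corrupted) is None,
        "checksum_fooled_by_forger": checksum_verify(forged) == edited,
        "mac_accepts_genuine": open_sealed(key, sealed) == payload,
        "mac_rejects_edit": open_sealed(key, tamper(sealed, 9, ord("9"))) is None,
        "mac_rejects_other_key": open_sealed(os.urandom(32), sealed) is None,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

All five results in `demo()` come out True: the checksum both detects random corruption and is fooled by a recomputed forgery, while the MAC accepts only the genuine packet under the genuine key.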

10. Should we deploy IPSEC-based security or certificate-based security?

They are really two different technologies. IPSec secures the TCP/IP
communication and protects the integrity of the packets. Certificate-based security
ensures the validity of authenticated clients and servers.

11. What is LMHOSTS file?

It’s a file stored on a host machine that is used to resolve NetBIOS to specific IP
addresses.

12. What’s the difference between forward lookup and reverse lookup in DNS?
Forward lookup is name-to-address, the reverse lookup is address-to-name.
13. How can you recover a file encrypted using EFS?

Use the domain recovery agent.

Active Directory Backup and Restore

To take a backup of the Active Directory database run this command:
Start ---- Run ----- ntbackup.

In this utility select System State data. System State contains the Active Directory
database, the registry, the COM+ class registration database and the certificates
of Certificate Services.
After taking the backup, if you want to restore the database, press F8 during startup and
choose Directory Services Restore Mode from the boot menu.
After booting the system: Start Menu ------ Run ---------- ntbackup
Restore the database (from the backup you took previously).
After the restore it will ask you to restart the system ------- Don’t restart the system at that
time. Press No.
Why? Because the restored data will show in Active Directory Users and
Computers but it will not work: you have to mark the restored database as authoritative.
Otherwise normal replication from the other domain controllers overwrites the restored
objects with their newer (deleted) versions.
Next go to the Command Prompt and type these commands:
C:\>ntdsutil
ntdsutil: authoritative restore (type this command)
authoritative restore: restore database (type this command). This means the entire database will
be marked authoritative. If you want to restore only a single user or OU, type the command
like this:
restore subtree "cn=(username),ou=(OU name),dc=(dot before name),dc=(dot after name)" --------- then Enter.

Dot before and dot after means:

Suppose your domain is unics.com
User name is test
OU name is sales

The context should be like this:

cn=test,ou=sales,dc=unics,dc=com

If there is no OU, remove the OU context.

Caution: This procedure will work when the Active Directory database is
corrupt.
If you want to format the system, after installation of the OS you have to restore the
same OUs and users. Follow this procedure:

First take the backup of System State.
Then format the system and install the OS in a workgroup.
Here there is no need to create a domain.
Then restore the System State backup as described above.
The same procedure will work.

But here there is one disadvantage ----- if you follow this procedure the users’ Group
Policies will not work.

If you want Group Policies also, after installation of the OS create a domain with the same name
as the previous domain.
Then restore the database and mark it authoritative. It will work.
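The restore subtree step above depends on typing the object's distinguished name correctly, and a name containing a comma, quote or leading space has to be escaped or the recovery console reads it as a different object. The Python below is an added example, not from the original document and not part of ntdsutil: it builds the DN from the domain, OU and user names the way the "dot before / dot after" explanation describes, applies RFC 4514 escaping, and parses a DN back into its parts so it can be checked before being typed into the console. The sample names are the page's own (unics.com, test, sales) plus a constructed awkward one; the function names object_dn, restore_subtree_command and parse_dn are chosen here.

```python
# Added example (not from the original document): building and checking the
# DN that the "restore subtree" step needs. Nothing here runs ntdsutil.
# RFC 4514 section 2.4: these characters need a backslash inside a DN value.
SPECIAL = set(',+";<>\\')

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)

def domain_dn(domain: str) -> str:
    """unics.com -> dc=unics,dc=com (the 'dot before' and 'dot after' parts)."""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("domain name has no labels")
    return ",".join("dc=" + escape_rdn_value(l) for l in labels)

def object_dn(domain: str, user: str, ous=()) -> str:
    """Leaf first: cn=user, then OUs innermost to outermost, then the domain.
    `ous` is given outermost-first, the way an admin reads the tree, and may
    be empty (the page's 'no OU' case)."""
    parts = ["cn=" + escape_rdn_value(user)]
    parts += ["ou=" + escape_rdn_value(ou) for ou in reversed(list(ous))]
    parts.append(domain_dn(domain))
    return ",".join(parts)

def restore_subtree_command(domain: str, user: str, ous=()) -> str:
    """The ntdsutil authoritative-restore line for that object. Quoting the
    DN keeps an escaped comma from being split into two arguments."""
    return f'restore subtree "{object_dn(domain, user, ous)}"'

def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs, undoing backslash escapes, so a DN
    can be sanity-checked before it is typed into a recovery console."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    result = []
    for rdn in rdns:
        typ, sep, val = rdn.partition("=")
        if not sep or not typ or not val:
            raise ValueError(f"malformed RDN: {rdn!r}")
        result.append((typ.lower(), val))
    return result

if __name__ == "__main__":
    print(restore_subtree_command("unics.com", "test", ["sales"]))
    print(restore_subtree_command("unics.com", "test"))
    print(restore_subtree_command("unics.com", "Smith, John", ["sales", "emea"]))
```

For the page's own example the first call prints `restore subtree "cn=test,ou=sales,dc=unics,dc=com"`; the third shows the comma in a display name being escaped, which is the case most likely to go wrong when the DN is typed by hand.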

Answer the questions below


1. What is the port number of DNS?
A. DNS port number is 53
2. What is the Active Directory?
3. To manipulate Active Directory, one protocol is used. What is that?
A. LDAP
4. How can you check whether the DNS is working or not?
5. What is the use of SOA (Source of Authority)
6. How to view Event Viewer through command line from Remote System without
using Remote Management tools?
7. What are the FSMO roles?
8. What is the use of DHCP Relay Agent?
The DHCP Relay Agent component is a Bootstrap Protocol (BOOTP) relay
agent that relays Dynamic Host Configuration Protocol (DHCP) messages
between DHCP clients and DHCP servers on different IP networks

9. What is RPC over HTTP?


10. What is the Default folder IIS?
11. What is name of Active Directory File?
12. What are the DNS Zone Types?
13. To run IIS what are the services are required?
14. What is the Log files path and Configuration backup Path of IIS?
15. What are the Protocols we need to install to run IIS?
16. What are the port numbers of FTP,HTTP,SMTP and NNTP?
17. What is the difference between DNS & WINS?
18. What is the default authentication protocol of Windows 2000?
19. How can you take a backup of the IIS configuration?
20. How resolving happens in windows 2000?
21. What is DFS, Purpose of DFS, how can you implement practically explain step by
22. What is RAID Level? Explain differences between them?
23. What is differences between Software & Hardware RAID? Which one is better?
24. What is difference between Basic Disk and Dynamic Disks?
25. What are the Backup Types & Strategies?
26. How can you restore particular container objects from a System State restore?
27. I configured a DHCP scope on the DHCP server, but workstations are not getting an IP
address from the DHCP server. What would be the problem?
28. Differences between NT & 2000 & 2003?
29. What is Schema? And what its role in Active Directory environment?
30. What is the maximum number of Global Catalog Servers we can install in single
forest?
31. What modes are there in Terminal Services? Explain.
32. What is default CAL in Terminal Services ? and it works on which Protocol?
33. What is Difference between Native & Mixed mode?
34. What is the difference Migration & Upgradation?
35. What are the steps involved while upgrading WinNT to Win2000?
36. Explain about Kerberos Authentication in Windows 2000 Domain Environment?
37. How many types of Policies are there? Is it possible to Implement Group Policy
on single Group or User?
38. How can you deploy Software from Group Policy?
39. What is the use of SYSVOL & NETLOGON folders?
40. What is the Use of Organizational Unit?
41. What is Replication? What are Replication Data types in a Forest?

Question 1

You are the administrator of the corp.arborshoes.com domain.

Users in the domain run Windows 2000 Professional on their desktop computers. A user named
Katrin in the Sales organizational unit reports that her mouse is not working correctly. You log on
to the domain from Katrin's computer using a domain administrative account.

You use Device Manager to display the current information for the mouse drivers. You discover
that Katrin's computer is using an older version of the mouse driver. You have a current driver from
the manufacturer of the mouse. You install the current driver using Device Manager and
restart the computer. You test the mouse and it is still not functioning correctly. You check the
problem and see that the previous driver is still installed. You want to be able to install the correct
mouse driver.

What should you do?

(Question provided by: HotCerts)

( A ) Set the Sales OU policy for security to warn and allow the installation to override the local
security defaults.

( B ) Set the domain policy for security to block but allow the installation to override local and
Sales OU security defaults.


( C ) Set the local computer policy for security on Katrin's computer to warn but allow the
installation to override the domain and the Sales OU security defaults.

( D ) Disable plug and play on Katrin's computer. Restart the computer and manually setup the
system resources for the mouse.

(E ) None of the above

You are the administrator of a small server based network.

While installing Windows 2000 Professional on your computer,
you configure the network adapter card for each computer to
use TCP/IP and assign static IP setting information.

During installation the setup detects and installs the 10/100
Mbps UTP only network adapter card on computers #6 and #8,
and a 10 Mbps/UTP combination adapter card on the other 7
computers.

You accept the default settings for the network adapter card
and finish installing the network adapter card. All computers
are connected to a 10/100 switch that has category 5 UTP
cabling.

After installation you find that only computer #6 and #8 can
communicate with each other. You want all 9 computers on
your network to be able to communicate with each other.

What should you do?

(Question provided by: HotCerts)


(A) Configure the 10/100 switch to transfer only at the 100 Mbps rate.

(B) Configure the 10/100 Mbps network adapter card to switch all the computers to the 10
Mbps rate.

(C ) Change the combination network adapter card to use the BNC transceiver setting.

(D) Change the combination network adapter card to use the UTP transceiver setting.

(E ) None of the above


You need to install Windows 2000 Professional on a new computer in your network.
You use the setup manager wizard to configure a fully automated installation script
file. You begin an unattended installation and leave the office.

When you return, the installation has reached the GUI-mode
setup and you see the following error message "Unattended
setup is unable to continue because a setup parameter
specified by your system administrator or computer
manufacturer is missing or invalid."

You need to complete the installation. What must you do?

(Question provided by: HotCerts)


(A) In the unattended section of the answer file, set the OemPreinstall property to Yes.

(B) In the NetBinding section of the answer file, specify the Enable variable.

(C ) In the User Data section of the answer file, specify the ProductID variable

(D) In the GUIUnattended section of the answer file set the OemSkipWelcome property to 1.

(E ) None of the above

You purchase a USB-based ISDN terminal adapter for your Windows 2000
Professional portable computer. You plug the device into the USB port.

Plug and Play fails to detect the new device. You test the
device on a Windows 2000 Professional desktop computer. You
find that plug and play correctly detects the device. You want
to resolve the problem so that you can use ISDN terminal
adapter on your portable computer.

What should you do?

(Question provided by: HotCerts)

(A) Use the Device Manager to enable the USB manager root hub.

(B) Use the Device Manager to enable the USB host controller in the current hardware
profile.

(C ) Contact the hardware manufacturer to obtain the upgrade for the Plug and Play BIOS.

(D) Turn off the computer, plug in the ISDN terminal host adapter and restart the computer.

(E ) None of the above

You are the administrator for your company's network. The network is configured
as shown in the exhibit.

You want to install Windows 2000 Professional on 20 new PXE-
compliant computers on the marketing segment of your
network. The new computers do not have operating systems
installed. You create a RIS image. You load the image onto the
RIS server. You then start the new computers. You find that
the new computers cannot connect to the RIS server. You
verify that the new computers cannot connect to the RIS
server. You verify that the existing client computers in the
network can connect to the network servers, including the RIS
server. You want to enable the new computers to connect to
the RIS server.

What should you do?

(Question provided by: HotCerts)

(A) Add a Windows 2000 Server computer running WINS to the network.

(B) Add a Windows 2000 Server computer running DHCP to the network.

(C ) Add the domain Everyone group to the RIS OS image security settings.

(D) Place the new computers on the same segment as the RIS server.

(E ) None of the above

A Windows 2000 Server computer named Server1 is a file server on your network.
Server1 runs numerous 16-bit applications. One of the applications, named App1,
stops responding, causing all of the other 16-bit applications to stop responding.

You want to isolate App1 for monitoring and troubleshooting
purposes.

What can you do?

(Question provided by: HotCerts)


(A) Create a batch file that starts App1 by running the start command with the /separate
switch. Use this batch file to start App1.

(B) Create a shortcut to App1, and select the Run in separate memory space option in the
shortcut properties. Use this shortcut to start App1.

(C ) In the properties for File and Printer Sharing for Microsoft Networks, select the Maximize
data throughput for file sharing option button.

(D) In the properties for File and Printer Sharing Microsoft Networks, select the Balance
option button.

(E ) Both A and B

You configure a Group Policy Object for the Marketing organizational unit (OU) to
prevent users from accessing My Network Places and from running System in
Control Panel. You want the Managers domain local group to be able to access My
Network Places, but you still want to prevent them from running System in Control
Panel.

What should you do?

(Question provided by: HotCerts)


(A) Add the managers group to the access control list of the GPO.
Disable the permission of the managers group to read and apply the group policy.

(B) Add the managers group to the access control list of the GPO.
Deny the permission of the managers group to read and apply the group policy.

(C ) Create a second GPO in the OU.
Add the managers group to the access control list.
Allow the managers group to apply the group policy.
Deny the authenticated users group permission to read and apply group policy.
Configure the new GPO to deny the ability to run System in Control Panel.
Give the original GPO a higher priority than the new GPO.

(D) Create a second GPO in the OU.
Add the managers group to the access control list.
Allow the managers group to read and apply the group policy.
Disable the permission of the authenticated user group to read and apply the group
policy.
Configure the new GPO to allow access to My Network Places.
Give the new GPO a higher priority than the original GPO.

(E ) None of the above

Your company network includes Windows 98, Windows 2000 Professional, and
Macintosh client computers. All of the client computers currently use TCP/IP as
their only network protocol.

You create several shared folders on a Windows 2000 Server
computer. You plan to store the company's financial data in
these shared folders. During testing, you discover that the
Macintosh client computers cannot access the shared folders.
You want the shared folders to be accessible from all of the
client computers on the network.

What should you do first?

(Question provided by: HotCerts)


(A) Install the SAP protocol on the Windows 2000 Server computer.

(B) Install the AppleTalk network protocol on the Macintosh computers and on the Windows
2000 Server computer

(C ) Install AppleTalk network integration on the Windows 2000 Server computer

(D) Install RIP on the Windows 2000 Server computer

(E ) None of the above


Your company’s network includes Windows 3.1 client computers, Windows 95 client
computers and Windows 2000 Professional client computers. The company’s
manufacturing facilities run 24 hours per day.

The company has developed its own 32-bit application that
collects information from the manufacturing processes so that
workers on one shift can find out what was manufactured
during the previous shift. The company wants to make the
application available on all of the client computers by using
Terminal Services on a Windows 2000 Server computer. The
server will not run as a domain controller. You install Terminal
Services.

Users want to collect information on the manufacturing
processes from other shifts. The company wants users to shut
down their computers at the end of their shifts, and to leave
the application running on the Terminal server.

What should you do?

(Question provided by: HotCerts)


(A) Set the Delete temporary folders on exit setting for the Terminal server to No.

(B) Set the Remote Desktop Protocol (RDP) on the server to override user settings, and set
the End disconnected sessions setting to Never.

(C ) At the Terminal server, grant the users the right to log on as a batch job.

(D) Do nothing. User programs are always terminated on disconnection.

(E ) None of the above

You are preparing to install Windows 2000 Server on a new computer. The
computer is connected to a network that includes Windows 98 computers and
Windows 2000 Server computers.

You want to install Windows 2000 Server from source files
that are located on a server on the network.

What should you do?

(Question provided by: HotCerts)


(A) Start the new computer by using a Windows 98 network boot disk. Connect to the
network server. Run Winnt32.exe.

(B) Start the new computer by using Windows 98 network boot disk. Connect to the
network server. Run Winnt.exe.

(C ) On a Windows 2000 Server computer, use Makebt32.exe to create installation startup
disk. Start the new computer by using the first disk.

(D) On a Windows 2000 computer, format a floppy disk. Copy NTLDR, boot.ini,
Ntdetect.com, Ntbootdd.sys to this disk. Start the new computer by using the disk.

(E ) None of the above

Question 1 C E
Question 2 C D
Question 3 B B
Question 4 C B
Question 5 A B

1. How do you prevent or ensure the inappropriate use of the domain
A. Renaming the Administrator account and change password.
B. Track failed logons on the domain
C. Set account lockout policies to track after one failed attempt.
Ans: A
2. You have a laptop that is docked to the OS at office, you installed a
SCSI adapter card for the printer in the office on the office laptop, you
notice that the card runs on the laptop at home and consumes a lot of
power. You want to disable that and conserve power usage.
A. You disable the card in the hardware profile of the laptop.
Ans: A
3. A question on wanting to encrypt a compressed file.
A. You cannot encrypt and compress a file at the same time.
Ans: A
4. A question testing the measurement of memory. You have an 854 byte
memory and you want to compress. Options are 512bytes, 4 kb.
A. Know which is greater bytes or Kilobytes. (this is a give away question if you know
these)
Ans: A
5. You have a portable laptop with W2KPro installed. You add a PNP SCSI
device to the docking station, connect the portable and boot W2K. It fails
to detect the SCSI device. You start the Hardware wizard, but
when it finished it didn't detected the device. You want to enable W2K to
detect the device. What to do?
a. Start the Add/Remove Hardware wizard. Manually install the drivers.
b. Wrong answer
c. Wrong answer
d. Add the drivers to the %systemroot%\Driver Cache\i386 folder and start
the Add/Remove Hardware wizard.
ANS: D
Check this folder; you will see it’s actually there and contains
all the drivers that are present on Windows 2000 by default:
%systemroot%\Driver Cache\i386. Check it out.
6. You scan an image into your computer running Win2000. The image looks
distorted on your monitor and is not clear. You try and print the image
and it prints out well. Where can you solve this problem?
a. You can solve the problem through control panel, scanners &cameras
icon and click the colour management tab.
b. You can go to the Display properties icon and change the refresh
frequency.
c. You can go to the Display properties icon and click the colour
management tab.
d. You can go to the printers icon and the colour management tab.
ANS: C

7. Your desktop Computer has Windows 2000 Professional installed. You
create a new dial-up connection to connect to the Internet. You configure
the Internet connection to enable Internet Connection Sharing. After you
configure the connection, you cannot see or connect to any shared
resources on your local network. You want your computer to be able to
connect to shared resources. What should you do?
A. Configure the dial-up connection to disable shared access.
B. Configure the dial-up connection to disable on-demand dialing.
C. Disable data encryption in the new dial-up connection.
D. Use the ipconfig command to release and renew your network TCP/IP
address.
ANS: A
(Why? Search for "Internet connection sharing" (ICS) on the W2KServer
online help. Quoting from there: "When you enable Internet connection
sharing, the adapter connected to the home or small office network is
given a new static IP address configuration. Consequently, TCP/IP
connections established between any small office or home office computer
and the Internet connection sharing computer at the time of enabling
Internet connection sharing are lost and need to be reestablished." Also:
"To use the Internet connection sharing feature, users on your home office
or small office network must configure TCP/IP on their local area
connection to obtain an IP address automatically." What this means; the
ICS machine becomes the DHCP provider for the network and will assign
itself the IP 192.168.0.1. If you use the IPCONFIG command to release and
renew your network TCP/IP address, it will assign itself the same IP and
will wait for the other machines to be set properly to assign them IP
addresses. Since none of the options talk about configuring the TCP/IP
connection on all the other machines to obtain an IP address
automatically, only answer A is correct.)
8. You want to use RIS to install Windows 2000 Professional on 2 systems. You open
the exhibit and notice that you have Active Directory (AD), a RIS server
and a DNS server. The PCs are PXE capable, but they cannot connect to the
RIS server. WHY? (Drag and place figure, and select the missing server)
A. The DHCP server is missing
Explanation: The Remote Installation Service environment consists of
several technologies and services within a network containing an existing
Dynamic Host Configuration Protocol (DHCP) server, Domain Name System
(DNS) server, RIS server and Active Directory. You use the Pre-Boot
eXecution Environment (PXE) DHCP-based remote boot technology to install
the operating system on the client computer from a remote source. The
remote source (the Remote Installation Services server) contains the
operating system image to be installed in either compact disc (CD) or
Remote Installation Preparation wizard (RIPrep) image format. The CD-based
option is similar to setting up a client directly from the Windows 2000
Professional CD, except that the source files reside on an available
Remote Installation Services server. You use the RIPrep option if you want
to install and configure a client computer to comply with specific
corporate desktop standards that are unique to the organization.
Ans: A
9. You want to install Windows 2000 Professional on 30 PXE-compliant
computers and 35 non-PXE-compliant computers. All 65 computers are
included on the current hardware compatibility list (HCL). You create a
RIS image. You load the image on the RIS server. You then start the 65
computers. You find that the 30 PXE-compliant computers can connect to the
RIS server. However, the 35 non-PXE-compliant computers cannot connect to
the RIS server. What should you do?
A. Run Rbfg.exe to create a non-PXE-compliant startup disk
B. Run Riprep.exe to create a non-PXE-compliant startup disk
C. Grant the Everyone group NTFS Read permission for the RIS image
D. Grant the Administrators group NTFS Read permission for the RIS image
Ans: A
10. You have a laptop with a smart card and a certificate enabled. You create
a dial-up connection and must choose the correct protocol for authentication.
A. EAP
Ans: A
11. Question about RRAS and enabling "Smart Card Support". It shows an
exhibit of the RRAS Authentication screen. (Choose all that apply)
A. Use Extensible Authentication Protocol (EAP)
B. Unencrypted password (PAP)
C. Shiva Password Authentication Protocol (SPAP)
D. Challenge Handshake Authentication Protocol (CHAP)
E. Microsoft CHAP (MS-CHAP)
F. Microsoft CHAP Version 2 (MS-CHAP v2)
G. For MS-CHAP based protocols, automatically use my Windows logon name
and password (and domain, if any)
ANS: A
Choose EAP only. (For smart cards all you need is EAP. Once you
click on the EAP button, all other options are disabled by default.)
12. You install Windows 2000 professional on your computer at home. You
create a new dial-up connection to connect to your company's remote access
server. You configure the connection to use both of your external modems
and to use multi-link to bind the modems together. You start the dial-up
connection and connect to the remote access server. You notice that only
one of the modems is connected to the remote access server. What should
you do?
A. Configure the dial-up connection to use a SLIP connection
B. Configure the company's remote access server to accept multi-link
connections
C. Replace your modems with new modems that support multi-link
D. Grant your user account multi-link permission on the company's remote
access
ANS: B
13. You are creating a dial-up connection for Internet access. The wizard
cannot access the default Internet Service Providers (ISP) with either of
the numbers provided. What is your alternate method for setting up the
connection?
A. Configure the dial-up connection to negotiate with the server using
Challenge-Handshake Authentication Protocol (CHAP).
B. You can choose the option to set up the Internet connection manually if
you know the ISP's phone number and your account and password already.
C. You need to provide a known IP address before attempting to connect to
the ISP server.
D. Your ISP is requiring Data Encryption. Configure the dial-up connection
to use it.
ANS: B
14. You are the admin for your company network. You have identical
machines with W2Kpro that are used by your telemarketing employees. They
use any of the machines at any time. You want them to use the company's
standard desktop settings when they log into the PC, but you want to
allow them to change settings while they are working with the PCs. What to
do?
A. Enable mandatory profiles.
Ans: A
15. You are the administrator of your company's network. You configure a
local group named Accounting to have a mandatory user profile. The
mandatory profile has been configured to include a custom logo that was
saved with 16-bit color and 1025x768 resolution. Some of the Windows 2000
Professional computers in the accounting department have standard VGA
video adapters, and others have SVGA video adapters. Several users report
that when they log on to certain Windows 2000 Professional computers, the
custom bitmap becomes very pixelated and distorted, and does not reflect
the proper color depth. You want users to be able to correctly view the
custom bitmap on any computer in the accounting department. What should
you do?
A. Change the custom bitmap to a 16-color bitmap that has 640x480
resolution, and reconfigure the mandatory user profile.
Ans: A
16. You install a PNP USB device on a portable running W2KPro but it is
not detected. You then install the same device on a PC running W2KPro and
it detects the USB device. What to do to enable the portable to detect the
device?
A. Request new BIOS from the hardware manufacturer to enable USB
Ans: A
17. You are the Administrator of your company's network. You install
Windows 2000 Professional onto 10 Computers in the Graphics-Department.
The 10 Computers have built in USB-Controllers. You then physically
install new USB-Tablet devices on each of the 10 Computers. You are
prompted for the Tablet-Software. You install the Tablet-Software and a
Tablet-Icon appears in the control panel to configure the device, but the
device does not work. You view Device Manager as in the "Exhibit", but no
USB devices are displayed (Click the "Exhibit" Button). You want the
USB-Tablets to work on all 10 Computers. What should you do?
A. Disable USB error detection for the USB Root-Hub-Controller and enable
USB-Tablet device in hardware profile.
B. Reinstall the USB device drivers and disable the USB error detection.
C. Enable the USB Root-Hub-Controller and reinstall the USB-Tablet device
driver.
D. Enable the USB ports in the Computer BIOS and reinstall the USB-Tablet
device drivers.
Ans: D
18. You have 3 drives: 0, 1, 2. You want to put Windows 98 on drive 0 and
W2K Pro on drive 1, and you want to put files on drive 2 that can be
accessed from both. Open the exhibit and place the file systems so that
FAT32 is on 0 and 2 and NTFS is on 1. The question gives some details
about needing to have NTFS features on drive 1.
A. DRIVE 0 = FAT32, DRIVE 1 = NTFS, DRIVE 2 = FAT32
Ans: A
19. You are the administrator of your company's network. Your network has
75 Windows 2000 Professional computers and eight Windows 2000 Server
computers. Users on the network save their work files in home
folders on a network server. The NTFS partition that contains the home
folders has Encrypting File System (EFS) enabled. The partition also has
disk quotas defined. A user named Candy reports that she cannot save any
files to her home folder. She also cannot update files in her home folder.
When she attempts to save files to the folder she receives the following
error message: "insufficient disk space". Other users are not experiencing
this problem with their home folders. You want to enable Candy to save
files in her home folder. What should you do?
A. Log on to the network as a Recovery Agent. Decrypt all of Candy's files
in her home folder.
B. Log on to the network by using the domain Administrator account. Grant
Candy Full Control permission to her home folder.
C. Use Windows Backup to archive and remove old files on the server.
D. Increase the server's disk quota entry for Candy to accommodate the
additional files.
ANS: D
20. You encrypt three files to ensure the security of the files. You want
to make a backup copy of the three files and maintain the security settings.
You have the option of backing up to either the network or a floppy disk.
What should you do?
A. Copy the files to a network share on a NTFS volume. Do nothing further.
B. Copy the files to a network share on a FAT32 volume. Do nothing
further.
C. Copy the files to a floppy disk that has been formatted by using
Windows 2000 Professional. Do nothing further.
D. Place the files in an encrypted folder. Then copy the folder to a
floppy disk.
ANS: A (Only NTFS keeps encryption)
21. Kevin, the Software Developer of Perfect Solution Inc., recently left
the job. The company's Administrator moves all of his home folder files to
his Manager's home folder. The NTFS partition that contains the home
folders has the Encrypting File System (EFS) enabled. When the Manager
attempts to open Kevin's files, he is denied access. What should be done,
so that the Manager can access those files with least administrative
burden?

A. Grant the Manager NTFS Full Control (FC) permission to the files.
B. Grant the Manager the NTFS Take Ownership (TO) permission to the files.
C. Logon to the network as a Recovery Agent. Decrypt the files for the
Manager.
D. Logon to the network as a member of Backup Operators group. Decrypt the
files for the Manager.
ANS: C (Why? Because only the user that created the EFS file or the
Recovery agent can decrypt EFS files. Nobody else, it doesn't matter if
you give them FC or TO)
22. You have a 2 MB Windows bitmap. You have compression enabled on drive
C:. The file has been compressed to 1 MB. You try to copy the file to a
floppy disk but you get the message "insufficient disk space." How can you
copy the file to the disk?
A. Compress the bitmap with a compression program, then transfer it to the
A: drive. (This could also be stated as: "Use the COMPRESS.EXE file (from the W2K
Resource Kit) to compress the file and put it on a floppy." The EXPAND.EXE
file located in %systemroot%\system32 is used to expand them back into W2K
from a floppy.)
Ans: A
23. You have a PC with one drive and one volume, which has a NTFS folder
called Sales, which is compressed. You also have a folder called CORP,
which is not compressed. You want to place Sales under Corp, still
compressed, and have a backup of Sales in case something goes wrong. What
should you do?
A. Backup the sales folder to an NTFS volume, and move Sales under Corp.
(One more option they had given -- Move sales under Corp in the NTFS vol.
- but backup not mentioned)
Ans: A
24. You set up scheduled tasks to run and notify you of any failures. 3
days later you see that none of the tasks ran and you received no
notifications. What to do?
a. Set the schedule service to run under the administrator account.
b. Set the scheduled tasks to run under the administrator account.
c. Enable the messenger service.
d. Set the schedule service to run under the local system account and set
it to start automatically.
ANS: D
Because the schedule service wasn't running, the jobs never ran
and therefore didn't notify you of an error, because they never ran in the
first place.
25. You have a W2K machine with a Pentium II 400 MHz that has a graphics
program. When the program is running, performance is degraded. You look at
the exhibit, which displays some counters. You notice that the Processor:
%Processor Time is most of the time in 100% and another counter related to
the processor is also high (don't remember which). The other counters are
within normal (learn all of them). What to do?
A. Add another Pentium II 400 MHz processor.
Ans: A
26. You have 10 Win2K Professional computers in your company. You are the
administrator and want your clients to use the Internet in your network. But
your budget is low. How can you accomplish this in a Windows 2000
Professional environment? (Choose all that apply)
A. 1) Install the modem on a W2K Pro PC.
   2) Create a dial-up connection for the ISP.
   3) Enable Internet connection sharing.
   4) Enable the option to dial up on demand on the other computers.
Ans: A
27. Question about three 16-bit programs: one collects data, the other is
a data analysis program that communicates through OLE with the graphics
program, which displays data in real time. The machine has only one processor
and performance is not good. You add a second processor, which is set up
and displays in Device Manager. Even so, the apps run only on one
processor and performance is slow. What to do? (Choose only 2) (Study
this, NOT SURE about the wording here but just to give you an idea, I
think I got this wrong.)
A. a) Configure the graphics program to run in its own VDM.
   b) Configure the programs that collect data and analyze data with
affinity 0 for processor 1, and configure the graphics program with affinity 1
for processor 2.
Ans: A
28. You have an 18 GB SCSI hard drive. W2K is installed on it. You add a
new ATA-100 hard drive and a controller. After reboot, both drives are
detected but you get an error saying "No OS detected". What do you do to be
able to boot to W2K with both drives connected? (They gave 4 possible
choices; three of them were absolutely wrong, only the one below was a
logical and doable answer.)
A. Disconnect the ATA-100 drive and boot to W2K. Insert a floppy disk
and format it. Copy the boot files from the SCSI drive to the floppy and
shut down. Reconnect the ATA-100 drive. Boot from the floppy into W2K and
format the ATA-100 drive. Copy the boot files from the floppy onto the
ATA-100 drive.
Ans: A
29. You take backups of your hard drives every night. On Thursday morning
you see that the hard disk has crashed. The exhibit shows the backup log
as follows:
Friday - normal backup, completed
Saturday - incremental backup, completed
Sunday - incremental backup, completed
Monday - incremental backup, completed
Tuesday - incremental backup, terminated incomplete (but some files get
backup)
Wednesday - incremental backup, complete
What should you do?
A.Restore fri, sat, sun, mon, tue, wed which will restore current
data as of Wed.
Ans: A
30. (Similar questions to this one - same answer) You are the
administrator of a Windows 2000 network that has 1,500 Windows 2000
Professional computers. Microsoft Office 2000 was assigned to all the
computers on the network by using Group Policy object (GPO). You deploy
the Office 2000 service release to all Windows 2000 Professional computers
on the network. The service release, in addition to other software that
had been assigned, fails to install on only one of the computers. What
should you do?
a. Re-deploy the service release by using a .Zap file.
b. ......... mst file.
c. Restart Windows Installer on the domain controller.
d. Restart windows installer on the computers that failed to install the
service release.
ANS: D
31. You are using Windows Installer to deploy an application to 750
Windows 2000 Professional Computers on your network. The network includes
an organizational unit (OU) named Sales. A Group Policy object is created
for the Sales OU. The software deployment of the application is
unsuccessful. During the deployment, some users in the Sales OU report
that the installation is aborting with random errors midway through the
installation process. The remaining users in the sales OU report that the
software is installing, but is giving them general protection fault
errors. What should you do?
A. Repackage and re-deploy the application's .msi file for the Sales OU.
B. Repackage and re-deploy the application's .mst file for the Sales OU.
C. Re-deploy the application by using the Group Policy object for the
Sales OU.
D. Restart Windows Installer on all Computers in the Sales OU. Then
re-deploy the application's .zap file to the Sales OU.
ANS: A
This is the true answer, because you can only use .mst together
with .msi, not by themselves. Look it up.
32. Based on the exhibit: three computers PC1, PC2, PC3 and a DHCP server
on the sales segment of the network, configured to get IP settings
automatically. PC1, PC2, and the DHCP server all have TCP/IP and have
IP addresses (192.168.10.31, -32, -34) and subnet mask (255.255.255.0)
configured. They all have the wrong default gateway 192.168.10.20, while
the router was labeled with 192.168.10.60. PC1, PC2, and the DHCP server
also have NWLink 802.2. PC3 has NWLink 802.3 only, no IP. Then, there is a
router. The development segment is at the other side of the router and was
configured with IP address 192.168.10.x, subnet mask (255.255.255.0), and
a default gateway that matches the router. PC1 and PC2 couldn't see computers
on the development segment, and PC3 couldn't see anybody. What should you do
so that everybody on both subnets can see everybody else on both subnets?
(Select 2.)
A. Change the IP configuration on the DHCP server on the Sales subnet to
have the right default gateway address.
B. Install TCP/IP with default settings on PC3.
Ans: A, B
33. You want to install Win2K PRO on X new computers on your company's
network. You first install Win2K PRO on one of the new computers. You log
on to the computer by using local admin account. You install MS Office 97,
a virus scanner, and other company standard applications. You then create
a RIS image of the computer you configured. You want to configure the RIS
image so that the standard applications will be accessible to the user
when the user first logs on to the network. What should you do?
a) Run RBFG.exe before installing the standard apps
b) Run RIPREP.exe before installing the standard apps
c) Copy the ALL USERS profile to the DEFAULT users profile
d) Copy the LOCAL ADMINISTRATOR account profile to the DEFAULT user
profile
Ans: D
Correct answer is D, when you set up the apps as a Local
Administrator, depending on the apps, some shortcuts will be placed on the
All Users profile (like MS Office 97) and others will be placed only in
the Local Administrator profile. If you copy the Local Administrator
profile, the custom settings (shortcuts) installed under this profile will
be copied to the Default Users Profile, and thus available when new user
are setup on the PC's. Use Control Panel --> System --> User profiles tab
to copy the profile. The copied files will inherit the permissions setting
for Default User folder. Remember the only things that you are providing
here are shortcuts; you are NOT providing permissions or rights here.
Those are controlled by NTFS permissions and group rights assignments. The
All Users Profile is just that what it says for "ALL USERS", so it will be
saved on the RIS image and deployed to the new PC's, this will include all
the shortcuts associated with it. Check the study guide for W2KPRo on
BrainBuzz.com, also look in (assuming C: is your W2KPro drive) C:\Documents
and Settings and check the different entries for the standard profiles.
Especially on the Start Menu --> Programs area.
34. You are trying to copy big files from a UNIX server to a Win2K computer
(running TCP/IP). You do the copy in Explorer. The files are 100 MB each,
and you need to copy 20 of them. The copying always aborts. What should
you do to resolve the problem?
A. Install Network Monitor agent, use the Performance console and review all
counters for TCP/IP.
B. Install Network Monitor agent, use the Performance console and review
Fragmented Datagrams/Sec.
C. Install SNMP and monitor TCP/IP counters.
D. Install Simple TCP/IP protocol and monitor Fragmented Data
Ans: B
35. You are performing a Weekly backup and you want to be sure that you
backup everything including the registry, boot files, and COM
A. Configure the backup to backup the system state area
B. Configure the backup to backup the system partition
C. Create a batch file to run RDISK.EXE /s-before backup starts
D. Create a batch file to run RDISK.EXE /s- after backup is started
Answer: A
36. You take backups of your hard drives every night. On Thursday morning
you see that the hard disk has crashed. The exhibit shows the backup log
as follows:
Friday - normal backup, completed
Saturday - incremental backup, completed
Sunday - incremental backup, completed
Monday - incremental backup, completed
Tuesday - incremental backup, incomplete
Wednesday - incremental backup, complete
What should you do?
A. Restore fri, sat, sun, mon, and wed
Ans: A
37. You have two drives in a PC. You want to make sure that you are
prepared in case of disk failure. System and boot partition must be backed
up. How do you do it?
A. Configure the backup to backup the system state area
B. Run weekly backup it will take care of backing up these files
C. Create a batch file to run RDISK.EXE /s-before backup starts
D. Create a batch file to run RDISK.EXE /s- after backup is started
Answer: A
38. You are the administrator of your company's network. You want to deploy
a Windows 2000 Professional service pack to 10 computers in the
Development organizational unit (OU). You create a Windows Installer
package file for the service pack. You use the package file to
successfully install the service pack to other computers in the domain.
You assign the package file to the Development OU. After the installation,
you notice that the service pack was not installed on any of the 10
computers. You want to ensure that the service pack is successfully
installed on the computers in the Development OU. What should you do?
A. Use Computer Management to start the Windows Installer service on all
of the computers in the Development OU.
B. Use the local Administrator account to log on to the computers in the
Development OU. Then redeploy the service pack to the computers in the
Development OU.
C. Run WinINSTALL LE to repair the package file. Then redeploy the
service pack to the computers in the Development OU.
D. Add the user accounts from the Development OU to the DACL. Grant the
user accounts Read permission to the service pack deployment directory.
ANS: D
Search for "Windows Installer" and see the "Best Practices"
sections in the W2K Pro and W2K Server online help.

39. You are the administrator of a Windows 2000 domain. You deploy a
graphics software application to users in the Graphics organizational unit
(OU). You want to create a custom installation for three users named
Carlos, Carmen, and Maria, who are members of the Graphics OU. You want
these three users to be able to access additional text, filters, and other
graphics options for the software. What should you do?
A. Create the Graphic Users OU in the domain. Add a custom .msi file to
the Graphics OU.
B. Create the Graphic Users OU in the domain. Add a custom .mst file to
the Graphics OU.
C. Create the Advanced Software OU within the Graphics OU, and add Carlos,
Carmen, and Maria. Create an .msi file, including changes, and apply the
modifications to the Advanced Software OU.
D. Create the Advanced Software OU within the Graphics OU, and add Carlos,
Carmen, and Maria. Create an .mst file, including changes, and apply the
modifications to the Advanced Software OU.
ANS: D

40. You have recently deployed an application to several hundred Windows
2000 Professional computers on your company's network. However, you were
just made aware that there is a patch available for the application and
you would like to apply this to all of the computers to which the
application was deployed. Which of the following represents the correct
way to do this?
A. Replace the .msi file on the network server with a new .msi file.
Restart the Windows Installer service on all of the clients.
B. Replace the .msi file on the network server with a .msp file. Restart
the Windows Installer service on all of the clients.
C. Replace the .msi file on the network server with a .mst file. Restart
the Windows Installer service on all of the clients.
D. Use the msiexec command to specify the location of a .msp file.
Redeploy the application through Group Policies.
E. Use the msiexec command to specify the location of a .mst file.
Redeploy the application through Group Policies.
Answer: D
Search the Knowledge Base for "How to Patch a Software Installation
Stored on a Network Server That Is Deployed Using Microsoft Software
Installer".

41. You are the administrator of a Windows 2000 network that has 1,500
Windows 2000 Professional computers. Microsoft Office 2000 was assigned to
all the computers on the network by using Group Policy object (GPO). You
deploy the Office 2000 service release to all Windows 2000 Professional
computers on the network. The service release, in addition to other
software that had been assigned, fails to install on only one of the
computers. What should you do?
a. Re-deploy the service release by using a .Zap file.
b. ......... mst file.
c. Restart Windows Installer on the domain controller.
d. Restart windows installer on the computers that failed to install the
service release.
ANS: D

42. You are deploying an application using windows 2000 (Windows 2000
Service pack). When Users try to install it the installation fails. What
do you need to do in order to correct the situation?
A. Re-deploy the .msi file
B. Re-deploy the .mst file
C. Re-deploy using the .zap file
Ans: A

43. You are using Windows Installer to deploy an application to 750 Windows
2000 Professional Computers on your network. The network includes an
organizational unit (OU) named Sales. A Group Policy object is created for
the Sales OU. The software deployment of the application is unsuccessful.
During the deployment, some users in the Sales OU report that the
installation is aborting with random errors midway through the
installation process. The remaining users in the sales OU report that the
software is installing, but is giving them general protection fault
errors. What should you do?

A. Repackage and re-deploy the application's .msi file for the Sales OU.
B. Repackage and re-deploy the application's .mst file for the Sales OU.
C. Re-deploy the application by using the Group Policy object for the
Sales OU.
D. Restart Windows Installer on all Computers in the Sales OU. Then
re-deploy the application's .zap file to the Sales OU.
ANS: A
This is the true answer, because you can only use .mst together
with .msi, not by themselves. Look it up.

44. You are the administrator for a network supporting win2000 active
directory services. You want to use windows installer to deploy
applications on computers running win2000pro while achieving these desired
results:
A. The software should appear as though it has been installed but it
should not actually be installed until users attempt to run the
application.
B. The application should always be available to roaming users who log on
to several different computers in a typical workday.
C. If the software is deleted for any reason it should be reinstalled at
logon.
D. Only authorized users should be allowed to run the application.
Your proposed solution is to assign the software package to the users in
the appropriate OU. Which result does the proposed solution provide?
(Choose 3)
ANSWER: A, B, C

45. Your desktop Computer has Windows 2000 Professional installed. You
create a new dial-up connection to connect to the Internet. You configure
the Internet connection to enable Internet Connection Sharing. After you
configure the connection, you cannot see or connect to any shared
resources on your local network. You want your computer to be able to
connect to shared resources. What should you do?
A. Configure the dial-up connection to disable shared access.
B. Configure the dial-up connection to disable on-demand dialing.
C. Disable data encryption in the new dial-up connection.
D. Use the ipconfig command to release and renew your network TCP/IP
address.
ANS: A
(Why? Search for "Internet connection sharing" (ICS) in the
W2K Server online help. Quoting from there: "When you enable Internet
connection sharing, the adapter connected to the home or small office
network is given a new static IP address configuration. Consequently,
TCP/IP connections established between any small office or home office
computer and the Internet connection sharing computer at the time of
enabling Internet connection sharing are lost and need to be
reestablished." Also: "To use the Internet connection sharing feature,
users on your home office or small office network must configure TCP/IP on
their local area connection to obtain an IP address automatically." What
this means: the ICS machine becomes the DHCP provider for the network and
will assign itself the IP 192.168.0.1. If you use the IPCONFIG command to
release and renew your network TCP/IP address, it will assign itself the
same IP and will wait for the other machines to be set properly to assign
them IP addresses. Since none of the options talk about configuring the
TCP/IP connection on all the other machines to obtain an IP address
automatically, only answer A is correct.)

46. You are creating a shared Internet connection on your W2K Pro computer. You want to
enable other computers on the LAN to be able to connect only to HTTP
and FTP sites on the Internet. (Check all that apply)
A. Configure shared Internet connection to disable LCP extension.
B. Configure shared Internet connection to disable on demand dialing
C. Create an Internet connection sharing application type for HTTP to use
remote server port 25
D. Create an Internet connection sharing application type for HTTP to use
remote server port 80
E. Create an Internet connection sharing application type for FTP to use
remote server port 21
F. Create an Internet connection sharing application type for FTP to use
remote server port 72
ANS: D,E
47. You want your clients to use the Internet in your network but your
budget is low. How can you accomplish this with one 56K modem and a
dial-up connection to the ISP?
A. Enable Internet Connection Sharing, and install the
modem on a one W2K Professional PC and create a dial-up for the ISP.
Ans: A


48. You have 10 win2k Professional computer in your company. You are the
administrator and want your clients to use Internet in your network. But
your budget is low. How can you accomplish this in windows 2000
professional environment?
A. Set the Internet connection share and select the option to dial-up on
demand, and install the modem on a W2K pro PC and create a dial-up for the
ISP.
Ans: A
49. You have ten computers in your organization that are not connected to
the Internet. The company breaks down and purchases a 56K modem to connect
to the Internet. You implement Internet connectivity sharing. Now you
can't see any of the other computers on your network. What do you do?
A. Disable Internet Connection Sharing.
B. Use IPCONFIG to release and to renew
C. Disable dial on demand.
ANS: A (Variation of #1 above)
50. You want to create a shared Internet connection, but the users
shouldn't have any permission except http and ftp-site.
a. Enable HTTP port 80 and FTP port 21
ANS: A
learn also that Telnet is port 23, POP3 is port 110, and SMTP is
port 25
51. You create a shared Internet connection on a Windows 2000 Professional
computer. Your network has 10 users on the LAN. All of the users can
connect to HTTP sites, FTP sites, and streaming audio content on the
Internet. One of the computers on your LAN is running an FTP host
application. Users on the Internet cannot connect to the FTP host on your
network. What should you do?
A. Configure the FTP host to accept incoming requests on service port 80.
B. Configure an Internet Connection Sharing application type for FTP to
use remote server port 23.
C. Configure an Internet Connection Sharing service type for FTP use
service port 21 on the FTP host computer.
D. Configure an Internet Connection Sharing service type for FTP use
service port 23 on the FTP host computer.
ANS: C
52. Your graphics department just got several new dual-processor computers
to replace the old single-processor computers. The graphics department runs a
variety of DOS, Win16, and Win32 applications. After upgrading to the new
computers, users in the graphics department tell you that when they run
Win16 applications they see no improvement. What should you do?
A. Upgrade the Win16 applications to Win32 versions.
Ans: A
Win16 applications run inside one shared WOW virtual DOS machine and are
cooperatively scheduled on a single thread, so a second processor does not
help them.

53. You are preparing to install Windows 2000 Professional on 100
MPS-compliant computers. Each computer has two 550-MHz processors. The
Computers are configured identically. You want to use one of the computers
as a reference computer for deploying Windows 2000 Professional to the
remaining Computers. You install Windows 2000 Professional on the
reference computer. You view Device Manager and notice that the drivers
for the second processor are not installed. You want to add support for
the second processor on the remaining 99 computers. You want to accomplish
this with the least amount of administrative effort. What should you do?
A. Use Setup Manager to configure the reference computer, and then create
a disk image.
B. Use the System Preparation Tool with the -pnp parameter to set up the
reference disk, and then create a disk image.
C. Use Device Manager to add the appropriate hardware abstraction layer
(HAL) to the reference computer to support the second processor, and then
create a disk image.
D. After imaging the reference computer, restart the reference computer in
safe mode and add the driver for the second processor.
ANS: C

54. You install a new 2nd processor to your system, but your system is
still slow. You check the performance log and see that the 1st processor
is overloaded. What should you do to make your system use both processors?
A. install the MPS driver for the second processor via the device
manager for the new processor
Ans: A
55. You are an administrator who has just received 100 PCs with
Windows 98 on them. They also have dual 500 MHz processors. You
decide to upgrade them all to Windows 2000 Professional.
After running Setup on one machine, you realize that the OS sees only one of
the processors. What do you do next?
A. Run sysprep.exe and update the machines after deployment
B. Run sysprep.exe with the -pnp option
C. On the test machine, use Device Manager to update the system to
recognize the second processor. Then run sysprep.exe.
ANS: C
56. You need to upgrade 6 MPS computers from NT to W2K. Each machine has
two CPUs. After the upgrade performance is slow. What to do?
a) Enable AGP Bridge Controller.
b) Install the MPS-compliant drivers for the 2nd processor using Device
Manager.
c) Install the ACPI-compliant drivers for the 2nd processor using Device
Manager.
d) During startup, press F8 and install the MPS-compliant drivers for the
second CPU.
ANS: B
57. Someone is reading your Word documents. How should you setup auditing?
A. Use explorer to enable file auditing, and change the local policy to
record successful events on objects.
The options were:
-Use Explorer to enable file auditing of your files
-Enable successful auditing of object access
-Enable failed auditing of object access
-Enable successful auditing of processes
-Enable failed auditing of processes
Ans: A
58. You have a share on your local computer. Someone has been intentionally
damaging your files. You want to be able to know which account is doing
this. What do you do?
A. Turn on auditing of object access in the Local Security Policy.
B. Use Windows Explorer to turn on auditing for the specific files.
ANS: A,B
59. You use a shared Windows 2000 Professional Computer. You notice, that
some of your Microsoft Word documents that were on the local hard drive
have been deleted. You restore the documents from a recent backup. You
want to be able to track all users who access your Word documents in the
future. What should you do? (Choose two.)
A. Enable the local Group Policy for auditing object access events that
are successful.
B. Enable the local Group Policy for auditing object access events that
are unsuccessful.
C. Enable the local Group Policy for auditing process tracking events that
are successful.
D. Enable the local Group Policy for auditing process tracking events that
are unsuccessful.
E. Use Windows 2000 Explorer to enable auditing for your files.
F. Run the diskperf -y command. Use System Monitor to examine the logical
I/O counter. Restart the Computer.
Ans: A, E
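The attribution that questions 57 to 59 rely on, shown as an added example that is not part of the original dump: once object-access auditing is enabled in the local policy and auditing is turned on for the files in Explorer, Windows 2000 writes Security-log event 560 (Object Open, which names the object, the user and the accesses requested) and event 564 (Object Deleted), which carries only the handle ID. Finding out who deleted a document therefore means joining each 564 back to the 560 that opened the same handle, and remembering that handle IDs are reused once a handle closes (event 562). The records below are constructed samples in a one-line key=value layout of the example's own; the key names are shortened forms of the event fields.

```python
import re

# Constructed sample records (not real Security-log output). The key names are
# shortened forms of the fields in Windows 2000 Security events 560 (Object
# Open), 562 (Handle Closed) and 564 (Object Deleted); the one-line key=value
# layout and the values are this example's own. Values contain no spaces.
SAMPLE_EVENTS = [
    "EventID=560 HandleID=0x5c ObjectName=C:\\Docs\\budget.doc User=TREY\\alice Accesses=ReadData",
    "EventID=562 HandleID=0x5c",
    # bob opens budget.doc asking for DELETE access; the handle ID is reused later
    "EventID=560 HandleID=0x60 ObjectName=C:\\Docs\\budget.doc User=TREY\\bob Accesses=DELETE;ReadData",
    "EventID=564 HandleID=0x60",
    "EventID=560 HandleID=0x60 ObjectName=C:\\Docs\\plan.doc User=TREY\\carol Accesses=WriteData",
    "EventID=562 HandleID=0x60",
    "EventID=564 HandleID=0x99",   # no matching 560: audit gap or auditing was off
]

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict with EventID and HandleID as ints."""
    rec = dict(_FIELD.findall(line))
    rec["EventID"] = int(rec["EventID"])
    rec["HandleID"] = int(rec["HandleID"], 16)
    return rec


def attribute_deletions(lines, suffix=".doc"):
    """Join each 564 (Object Deleted) to the 560 that opened the same handle.

    Handle IDs are reused after a handle closes, so a table of currently open
    handles is kept: a 560 adds an entry, a 562 removes it, and a 564 consumes
    it. Returns (deletions, unattributed): deletions is a list of
    (object_name, user, accesses, had_delete_access) for objects whose name
    ends in `suffix`; unattributed lists the handle IDs of 564 events that had
    no open-handle record to join to.
    """
    open_handles = {}
    deletions, unattributed = [], []
    for line in lines:
        ev = parse_event(line)
        hid = ev["HandleID"]
        if ev["EventID"] == 560:
            open_handles[hid] = ev
        elif ev["EventID"] == 562:
            open_handles.pop(hid, None)
        elif ev["EventID"] == 564:
            opened = open_handles.pop(hid, None)
            if opened is None:
                unattributed.append(hid)
            elif opened["ObjectName"].lower().endswith(suffix):
                accesses = opened["Accesses"].split(";")
                deletions.append((opened["ObjectName"], opened["User"],
                                  opened["Accesses"], "DELETE" in accesses))
    return deletions, unattributed


if __name__ == "__main__":
    found, missing = attribute_deletions(SAMPLE_EVENTS)
    for name, user, acc, had_delete in found:
        note = "" if had_delete else " (no DELETE access requested: check the record)"
        print(f"{name} deleted by {user}; open requested {acc}{note}")
    for hid in missing:
        print(f"handle {hid:#x}: deletion with no matching Object Open record")
```

A real investigation reads the 560/562/564 records out of the Security log in time order and feeds them through the same join; the unattributed list is the signal that auditing was not on for the whole window, which is why question 59 asks for both the policy setting and the per-file setting.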
60. You want to remove the logoff option from your screen. What TWO places
can you do this from?
A. Local Policy
B. Group policy
Ans: A, B
61. You are delegated administrative control of the graphics organizational
unit (OU). You install Windows 2000 Professional on 25 PXE-compliant
computers in the Graphics OU by using disk-duplicating software. The
reference Computer was configured to have Windows 2000 Professional
default desktop settings. Users in the Graphics OU have home folders
specified in their user account settings. The home folders are located on
the \\Server1\Users network share. You want to change the default path of
the users My Documents folders to their respective home folders whenever
users log on to the network. You want to accomplish this with the least
amount of administrative effort. What should you do?
A. In the properties of the My Documents folder, select Move, and define
the UNC path \\Server1\Users.
B. Reconfigure each domain user account's properties on the Profile tab, and
define the UNC path \\Server1\Users.
C. Enable a Local Computer Policy to redirect the My Documents folder, and
define the UNC path \\Server1\Users\%Username%.
D. Create a Group Policy object for the Graphics OU to redirect the My
Documents folder, and define the UNC path \\Server1\Users\%Username%.
ANS: D
62. You are the administrator of your company's network. You want to
configure a Security Policy for the Windows 2000 Professional Computers
that are in the sales department. On one of the computers, you use
Security Templates to configure the Security Policy based on the desired
security settings. You then export those settings to an .inf file that
will be used on all of the Computers in the sales department. You want to
configure each Computer to have a customized Security Policy. What should
you do?
A. Use Secedit.exe to import the security settings from the .inf file to
the computers in the sales department.
B. Use a text editor to change the default security settings to the
desired security settings. Then export those settings to the Computers in
the sales department.
C. Create an organizational unit (OU) named Sales. Add the users in the
sales department to the Sales OU. Then apply the security template to the
users in the Sales OU.
D. Create an organizational unit (OU) named Sales. Add the computers in
the sales department to the Sales OU. Then apply the security template to
computers in the Sales OU.
ANS: D
63. You are the administrator of a workgroup supporting Windows 2000
Professional computers. You configure the Group Policy by setting the
Account lockout duration to 0. What effect will this have?
A. Users will never be locked out
B. Users will be locked out for 69 days.
C. Users will be locked out after one failed logon attempt.
D. Users will be locked out indefinitely until the Administrator unlocks
the user account.
ans: D
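Questions 62 and 63 both come down to what a security template (the .inf file that Security Templates exports and that secedit.exe imports) actually encodes, and the encoding is not obvious from the file: a LockoutDuration of 0 means "locked until an administrator unlocks the account", the 69-day distractor is the largest value the policy editor accepts (99999 minutes), and each Audit* key is a bit mask (1 = success, 2 = failure, 3 = both). The following is an added example, not code from the original page: it parses a template and spells out the effective policy. The template text is constructed for the example; the section and key names are the ones Windows 2000 templates use.

```python
import configparser

# Constructed template text (not an exported file). Section and key names are
# the ones Windows 2000 security templates use; the values are the example's.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 0
[Event Audit]
AuditObjectAccess = 3
AuditProcessTracking = 0
AuditLogonEvents = 2
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Audit values are a bit mask: bit 0 = audit success, bit 1 = audit failure.
AUDIT_FLAGS = {0: "no auditing", 1: "success", 2: "failure", 3: "success and failure"}
MAX_LOCKOUT_MINUTES = 99999  # largest duration the policy editor accepts (about 69.4 days)


def load_template(text):
    """Parse template text. optionxform=str keeps key case as Windows writes it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def describe_lockout(cp):
    """Explain the effective account-lockout behaviour encoded in [System Access]."""
    sa = cp["System Access"]
    threshold = int(sa.get("LockoutBadCount", "0"))
    result = {"enabled": threshold > 0, "threshold": threshold, "warnings": []}
    if threshold == 0:
        result["text"] = "account lockout disabled (LockoutBadCount = 0)"
        return result
    duration = int(sa["LockoutDuration"])
    reset = int(sa["ResetLockoutCount"])
    result["duration"] = duration
    result["until_admin_unlock"] = duration == 0
    if duration == 0:
        result["text"] = (f"locked after {threshold} bad attempts until an administrator "
                          f"unlocks the account; bad-attempt counter resets after {reset} min")
    else:
        result["text"] = (f"locked after {threshold} bad attempts for {duration} min "
                          f"({duration / 1440:.1f} days); counter resets after {reset} min")
        # The policy editor rejects a reset window longer than the lockout itself.
        if reset > duration:
            result["warnings"].append("ResetLockoutCount must not exceed LockoutDuration")
    return result


def describe_audit(cp):
    """Decode every Audit* key in [Event Audit] into its success/failure meaning."""
    return {key: AUDIT_FLAGS[int(value)] for key, value in cp["Event Audit"].items()}


if __name__ == "__main__":
    template = load_template(SAMPLE_TEMPLATE)
    print(describe_lockout(template)["text"])
    for key, meaning in describe_audit(template).items():
        print(f"{key}: {meaning}")
```

On the Windows 2000 side, the same template is compared against a machine with `secedit /analyze /db sales.sdb /cfg sales.inf /log sales.log`, applied locally with `secedit /configure /db sales.sdb /cfg sales.inf /log sales.log`, or, when it is delivered through a GPO linked to an OU of computers as in question 62, pulled immediately with `secedit /refreshpolicy machine_policy /enforce`.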
64. After restarting your Windows 2000 Professional Computer, your Monitor
shows a blank blue screen without text and the Computer will not respond
to keyboard or mouse commands. You discover that an incorrect driver was
just installed. How should you correct the problem?
A. Use the "Last Known Good Configuration" to restart your system and
correct the problem.
B. There is nothing you can do. Reinstall the Operating System.
C. Call the manufacturer to request a Windows 2000 compatible driver.
D. Use the Emergency-Repair-Disk.
Ans: A
65. You install an ISA sound card into your Windows 2000 Professional
system. The card fails. You reboot and go into safe mode. What do you do?
A. Enable driver-signing
B. Disable driver-signing
C. Disable driver
D. Disable using computer management
Ans: C
66. You installed an ISA SCSI Card (?????? Only Microsoft knows this card.)
After restarting your Windows 2000 Professional Computer, your Monitor is
a blank screen without text and the Computer will not respond to the
keyboard. How should you correct the problem?
A. Use the "Last Known Good Configuration" to restart your system and
correct the problem.
Ans: A
67. You install an external SCSI tape drive. The drivers install OK and the
system starts up normally. When you reboot the PC later in the afternoon,
you get a blue screen. What to do?
a. Go into device manager and remove SCSI device.
b. Select recovery console and disable the driver with DISABLE command
c. Select safe mode and remove the driver
ANS: C
68. You want to troubleshoot system restoration by starting Windows 2000
Professional in Safe Mode. What should you do after the computer is
restarted into Safe Mode? (Choose three.)
a. Run msinfo32
b. Run verifier
c. Expand Components, and click Problem Devices.
d. Expand Software Environment, and click Drivers.
e. Expand Hardware Resources, and click Forced Hardware.
f. Expand Hardware Resources, and click Conflicts/Sharing.
ANS: A, C, F
msinfo32 opens the System Information window.
69. Which Windows 2000 Advanced Options menu item would you use if you
wanted to load Windows 2000 Professional without the GUI?
A. Safe Mode
B. Safe Mode with No GUI
C. Safe Mode Limited
D. Safe Mode with Command Prompt
Answer: D
Safe Mode with Command Prompt loads the operating system without
the graphical interface. Safe Mode uses a graphical interface. There is no
startup option called Safe Mode Limited or Safe Mode with No GUI.
70. Which of the following commands or utilities can be used to create an
Emergency Repair Disk?
A. ERD
B. RDISK
C. RDISK32
D. The Backup utility
Answer: D
The only utility that can be used to create an Emergency Repair Disk (ERD)
is the Backup utility. ERD, RDISK, and RDISK32 do not exist in Windows
2000 Professional.
71. What process do you use to restore an ERD?
A. Boot with the ERD
B. Use the Windows Backup utility
C. Use the Windows 2000 boot disk
D. Use the Windows 2000 Professional Setup Disks
Answer: D
In order to restore the system using an ERD, you must boot from the
Windows 2000 Professional Setup Disks. The ERD itself is not a bootable disk.
72. You use Windows 2000 Professional on your desktop Computer. You
schedule a task to run an MMC snap-in to perform configuration tasks on
other computers. You notice that the task is not completing correctly. You
manually start MMC. You add the snap-in. You are then able to successfully
run the task. You verify that all of your other tasks are working
correctly. You want to enable your tasks to complete successfully. What
should you do?
A. Use Scheduled Tasks to configure the task to run under the security
context of your account.
B. Configure the Task Scheduler service account to use a local
Administrator account and password.
C. Use Computer Management to start the Messenger service and to configure
the Messenger service to start automatically.
D. Use Computer Management to start the Task Scheduler service and to
configure the Task Scheduler service to start automatically.
ANS: A
73. You, the administrator, log onto a Windows 2000 Professional computer
that is used by different students. User1 is not an administrator. You would
like to use this account instead of logging on as Administrator, for
security reasons. You want to schedule a task to run a command called
ADDUSERS.CMD to add six new users. What do you need to do?
a. Schedule the task to run under an administrator account
b. Log on as Administrator and schedule it to run under USER1
c. Take ownership of ADDUSERS.CMD
Answer: A

74. You set up scheduled tasks to run and notify you of any failures. 3
days later you see that none of the tasks ran and you received no
notifications. What to do?
a. Set the Schedule service to run under the Administrator account.
b. Set the scheduled tasks to run under the Administrator account.
c. Enable the Messenger service.
d. Set the Schedule service to run under the Local System account and set
it to start automatically.
ANS: D
Because the Schedule service was not running, the jobs never ran, and
therefore could not notify you of an error: they never started in the
first place.
75. Bob is going on a trip with his laptop configured with Windows 2000
professional. He is concerned that he will run out of battery life and his
system will crash. He asks you to configure the power savings feature so
that when he is not using his laptop, it will save his work and power
down. You go into APM options. What should you do next?
A. Set the system to hibernate after 15 minutes.
B. Set the system to snooze mode after 15 minutes.
Ans: A
76. You have a laptop that does not shut down at all. It stays on the
shutdown screen, and even if you try to switch it off, it will not switch off.
What do you do?
a. Enable APM in control panel, power options.
b. Disable APM in the BIOS
c. Enable hibernate in control panel, power options
ANS: A

77. You are the administrator of your company's network. You use Security
Templates to configure a Security Policy on the Windows 2000 Professional
Computers in the Sales organizational unit (OU). You notice that the
Computers in the Sales OU are not downloading the Security Policy
settings. On each computer, the Security Policy appears in the Local
Computer Policy, but is not listed as the effective policy. You want all
computers in the Sales OU to have the Security Policy listed as the
effective policy. What should you do?
A. Use Security Templates to correct the setting and export the security
file.
B. Use Security Configuration and Analysis to import the security settings.
Then create a Group Policy object (GPO) for the Sales OU.
C. Use the secedit /refreshpolicy machine_policy command.
D. Use the Basicwk.inf security file settings, save the security file, and
then import the file to the Computers.
ANS: C
78. You have 30 NT 4 machines and 5 W2kpro machines on your network. You
want to share files on the W2kpro machines that only they can access. The
NT 4 machines must not be able to access those shared files at all.
a. Implement the hisecws.inf template
ANS: A
hisecws.inf requires SMB signing and NTLMv2-only authentication, which
down-level NT 4 clients (without the service packs that add them) cannot
negotiate, so they are shut out of the shares.
79. You upgrade 5 computers in the Finance organizational unit (OU) from Win NT
Workstation 4.0 to W2P. The computers are used by members of the Finance
OU to run a financial application. All 5 computers are configured to have
default security settings. A user named Helene reports that she can no
longer run the financial application on her W2P computer. Prior to the
upgrade, Helene was able to run the financial application on her computer.
Helene is a member of the local Users group. You want the financial
application to run on Helene's computer. What should you do?
A. Use computer Management to configure separate memory space for each
financial application on Helene's computer
B. Use Security Templates to edit the Security Policy to include the
financial application on Helene's computer. Then, add Helene's user
account to the Power users group on Helene's computer.
C. Use Security configurations and Analysis to reconfigure the default
security Policy.inf file to allow the financial applications to run on
Helene's computer
D. Use Secedit.exe to apply the compatws.inf security template to Helene's
computer to loosen the permissions for the local Users group.
ANS: D
See the "Predefined security templates" topic in the W2KServer
online help for more info"
80. You load NT 4 on C and W2kp on D. You do not want users to save files
to D in either operating system, but you do want them to be able to access
D. You implement user quotas in W2kp so that users cannot save files to D.
When you restart the PC and go into NT4, users can still write to D. What
to do?
a. Use NT 4 NTFS permissions to deny users write access to D:
b. Enable EFS on D:
c. Format the NT 4 partition and reload NT 4
Ans: A
Disk quotas are enforced by the Windows 2000 NTFS driver and NT 4 ignores
them; NTFS permissions are honoured by both systems, so they are the only
control that works under either operating system.
81. You have a 2 MB Windows bitmap. You have NTFS compression
enabled on drive C, and the file has been compressed to 1 MB. You try to copy the file to a
floppy disk but you get the message "insufficient disk space." How can you
copy the file to the disk?
A. Compress the bitmap with a 3rd party compression tool, then transfer
it to the A: drive.
Ans: A
NTFS compression is transparent: the file is decompressed as it is copied,
and a FAT floppy cannot hold the full 2 MB, so only a separately compressed
archive fits.
82. You have a NTFS folder called Sales, which is compressed. You also have
a folder called CORP, which is not compressed. You want to place Sales
under Corp, still compressed, and have a backup of Sales in case something
goes wrong. What should you do?
A. Backup the sales folder to an NTFS
volume, and move Sales under Corp. (One more option they had given -- Move
sales under Corp in the NTFS vol. - but backup not mentioned)
Ans: A
83. You want to connect to your branch office printer through the browser.
Your Windows 2000 Professional computer is running Peer Web Server. You
were told the share name of the printer is HPColorL. You are unable to see
it when you type its URL. What do you need to do to connect to this
printer?
A. Double-click the connect hotspot in the left pane of the printer's
dialog box to view the printer.
B. Ask the branch office administrator to reinstall the printer by using
its URL as the port.
C. Install Internet Explorer 3.0 or higher on your Windows 2000
Professional.
D. Ask the administrator at the branch office to install IIS on the branch
server.
ANS: D
84. You are delegated administrative control of the Finance organizational
unit (OU). The Finance department has recently purchased 15 Windows 2000
Professional computers. Each computer has a fax modem. Each computer has
the Fax service installed with the default values and settings. A user
named Peter reports that he wants to add a fax printer by using the Add
Printer wizard, but the wizard is missing from the Printers system folder.
What should you do on Peter's computer to allow him to use a fax printer?
A. Restart the Fax service.
B. Reinstall the Fax service.
C. Remove the Local Computer Policy.
D. Add Peter to the local Administrator group.
ANS: D
85. What should you do before you share the printer with other users in the
OU?
A. Change the LPT port settings to enable legacy plug and play detection
on your computer.
B. Change the LPT port settings to bi-directional in the Bios on your
computer, then reinstall the printer software.
C. Connect the printer to another computer in the OU, then install the
device driver.
D. Obtain and install the WDM-compliant device drivers and printing
software for the printer.
Answer: D
86. How do you move the printer spool to another drive?
A. Print Server properties, Advanced tab (To get to this choose Start -->
Settings --> Printers. Once the Printers windows opens click File -->
Server Properties, this will open the "Print Server Properties" windows,
choose the Advanced Tab. Don't fall for the WRONG answer "Printer
Properties, Advanced tab")
Ans: A
87. You are admin of a company. You have a printer named printer 1 on
Computer1, and the printer is not online. You have a similar device named Printer2 on
Computer2. Users have 3 print jobs pending for Printer1. You
want to send the three print jobs that are in the Computer1 queue to Printer2 on
Computer2. You do not want to have users re-send these jobs
to the printer. How can you accomplish this?
A. Select a second printer port on the printer on Computer1 and redirect the
port to \\Computer2\Printer2
Ans: A
88. A user prints a lot of small docs by using a network printer. After
printing a doc, he gets a short message that the doc has printed
completely. How do you turn off these messages?
a. Print server properties, disable " notify when remote documents are
printed"
b. Print server properties, disable "notify computer, not user, when
remote documents are printed"
c. Printer properties, disable bi-directional support
ANS: A
89. A user with the Fax service installed can send faxes but cannot
receive them. What is the problem?
a. Log on to the machine as administrator and enable the fax to receive
faxes (this is disabled by default)
ANS: A
90. You are the administrator of a Windows 2000 professional computer and
you have a shared printer. Several dept in your company use the shared
printer. The sales dept frequently sends multiple page graphics, which
takes long time to print. Users in other dept who have short messages have
to wait for a long time to get their documents printed. You want to
improve the efficiency of printing for all users who use the shared
printer. You want to accomplish this with least amount of administrative
effort. What should you do?
a. Configure the priority of printer to 50. Add a new printer and set the
priority to 1. For the new printer deny the print permission for the users
of sales department.
b. Configure the priority of printer to 50. Add a new printer and set the
priority to 94. For the new printer deny the print permission for users in
the sales dept.
c. Monitor the print queue and raise the priority for all of the print
jobs that are sent by the members who are not members for the sales dept.
d. Delete the old printer. Add a new printer and set the priority to a
higher value. Pause and print queue only when the graphics intensive jobs
are printing.
ANS: B
1 is the lowest priority, 99 is the highest
91. Your windows 2000 professional computer has 50 MB of free space on
drive C and 500MB on drive D. Print jobs are failing because of inadequate
space on drive C. You want the print jobs to be able to use the space on
the drive D. What should you do?
a. From the print server properties dialog box change the location of the
spool folder to any existing path on the drive D.
b. From the printer properties dialog box, go to the advanced properties
option and change the location of the spool folder to
D:\winnt\system32\spool.
c. Copy the C:\winnt\system32\spool\printers folder to the
D:\winnt\system32\spool\printers folder.
d. Mount drive C as subdirectories on drive D
ANS: A
don't fall for B, wrong answer
92. You have a printer on Computer1 that is shared. Computer2 has an
identical shared printer. The printer on Computer1 fails. Users have sent
jobs to Computer1 and the jobs are waiting to be printed. How can you
print these documents without having the users resubmit the jobs?
A. Create another port on the printer on Computer1. Assign a UNC name to
the port similar to this: \\Computer2\Printer2.
ANS: A
93. You're running Windows 2000 Professional. You set up a color LaserJet
printer on Computer1 and you name it printer 1. You have the same color
LaserJet on Computer2; you name this one printer 2. The LaserJet on
Computer1 fails. You want to send the three print jobs that are in the
Computer1 queue to the printer on Computer2. You do not want to have users
re-send these jobs to the printer. How can you accomplish this?
A. Select a second printer port on the printer on Computer1 and redirect the
port to \\Computer2\printer2
B. Physically haul a 120lb printer over to computer1
C. Stop and restart the service
Ans: A
94. You are a member of the Enterprise Admins group at Trey Research. You
create and share a printer named HPColorL2 on a Windows 2000 Server
computer named pserver.treyresearch.local. You grant Print permission only
to the Domain Local group named CompanySales. Later, you add a new child
domain named london.treyresearch.local. Clair Hector is a member of the
global group named LondonSales in the london.treyresearch.local domain.
Clair reports that she is unable to send a print job to the HPColorL2
printer. You want all members of the LondonSales group to be able to print
to the HPColorL2 printer. What should you do?
A. Add the LondonSales group to the CompanySales group.
B. Add the CompanySales group to the LondonSales group.
C. Change the CompanySales group to a universal group.
D. Change the LondonSales group to a universal group.
ANS: A
A domain local group can contain global groups from any domain in the
forest, so nesting LondonSales inside CompanySales gives its members the
Print permission.
95. You are the administrator of your Company's network. The network has 50
Windows 2000 Professional computers. Each computer has 32 MB of RAM. A
user named Susan in the accounting department reports that her Computer
performs very slow when she runs the Company's accounts payable
application. You suspect that her Computer's RAM is insufficient when
other applications are running. You want to find out whether adding more
RAM would improve the performance of Susan's Computer. You start the
application. What should you do next?
A. Use Task Manager to see if memory usage exceeds 32 MB.
B. Use Task Manager to see if the peak commit charge exceeds 32 MB.
C. Use System Monitor to see if the Processor\% Processor Time counter
consistently exceeds 50.
D. Use System Monitor to see if the Memory\Page Faults/sec counter
consistently exceeds 50.
ANS: A
96. A user named Tom reports that an application on his W2P computer runs
slowly. You notice Tom's computer has 64 MB of RAM and 100 MB of free disk
space. What should you do to improve the performance? (Check all that
apply)
A. Add Tom to the Power user group
B. Set the total paging file to 75 % of physical memory
C. Perform a disk analysis and use the disk defragmenter if recommended
D. Use Disk cleanup to delete temporary files and unnecessary program
files
E. Ensure that the Performance Options windows is optimized for background
services
ANS: C, D
97. You have a PC on which an application is halting for some reason. You
take a look at the task manager and notice there is another application
running at Realtime priority. What should you do?
A. Decrease the base priority of the application running in Realtime.
ANS: A
98. A computer with two hard disks runs very slowly. Disk1 contains Windows
2000. Where and how do you put the paging file?
A. On any partition other than the system partition or boot partition
ANS: A
99. You have two processes running on your computer P1 and P2. You noticed
that when you run both of them, P2 always times out, while when you
pause/stop P1, P2 runs fine. P1 runs with "realtime" priority and uses 12
threads; P2 runs with "normal" priority" and uses 1 thread. What should
you do?
A. Decrease the base priority for P1
ANS: A
100. You want Excel to receive all the processor time possible on your
Windows 2000 Professional computer because you are processing some complex
formulas. What do you need to change on your system?
A. Put the logged-on user in the Power Users group so that system rights
will be increased.
B. In the System's Environment Variables dialog box, in Control Panel,
increase the amount of RAM for user applications.
C. Under System's Property sheet found in Control Panel, increase the
Paging File initial size to the value currently in the maximum size
available in the Performance Options dialog box.
D. Under System's Property sheet found in Control Panel, choose the
Advanced tab and make sure Applications receive the foreground priority.
ANS: D
101. You want to configure image color management (ICM) everywhere possible
on your new computer. Which devices are configurable for ICM 2.0 on your
Windows 2000 Professional computer? (Choose all that apply.)
A. Displays B. Tablets C. Printers D. CD-ROM disks
E. BarCoders F. Cameras G. DVD disks H. Scanners
Ans: A, C, F, H
These are the only correct ones, check them out.
102. You have a Windows 2000 Professional system with a built-in 33.6k modem, and
you have installed another 56k modem. The 56k modem conflicts with the 33.6k
modem. You only need the 56k modem to work. You reboot the machine in safe
mode. Then they show an exhibit. (Choose 2)
A. Disable 33.6k modem using computer management.
B. Remove 33.6k modem using computer management.
C. No Action Required
D. Something else?
Answer: A, C
103. You are having problems with video during an unattended installation,
the screen flickers and blanks out. Place the cross hairs on the line
where the problem exists in your unattended.txt file.
[Display]BitsPerPel = 8
A. Vrefresh = 80 B. Xresolution = 640 C. Yresolution = 480
ANS: A
104. You install a new CD-ROM. It is not working correctly. You check
resources and see that it is not using "Automatic" resource settings. How
do you get your CDROM to work?
A. Check "Use Automatic Settings"
ANS: A
105. You are trying to install a plug-and-play printer. During the
completion of the install, the following error pops up Plug-n-play printer
error 00000007E-293 WINPRINT.DLL modules not found. What can you do?
A. Install a WDM compliant driver
ANS: A
106. You are the Administrator of your company's network. You install
Windows 2000 Professional onto 10 Computers in the Graphics-Department.
The 10 Computers have built in USB-Controllers. You then physically
install new USB-Tablet devices on each of the 10 Computers. You are
prompted for the Tablet-Software. You install the Tablet-Software and a
Tablet-Icon appears in the control panel to configure the device, but the
device does not work. You view Device Manager as in the "Exhibit" (Click
the "Exhibit" Button). You want the USB-Tablets to work on all 10
Computers. What should you do?
A. Disable USB error detection for the USB Root-Hub-Controller and enable
USB-Tablet device in hardware profile.
B. Reinstall the USB device drivers and disable the USB error detection.
C. Enable the USB Root-Hub-Controller and reinstall the USB-Tablet device
driver.
D. Enable the USB ports in the Computer BIOS and reinstall the USB-Tablet
device drivers.
Ans: D
107. You have a system with two monitors, both set for 16-bit color and 1024
X 768 resolution. You decide to set up a DOS application in a DOS Virtual
Machine Window. Default DOS configuration is in effect (Default
autoexec.nt and config.nt) and the default DOS.PIF file is present. You
place the shortcut on the first monitor screen. When you open it the
screen goes to scramble. You move the shortcut to monitor #2 and launching
the app locks. What do you need to do?
A. Change both monitors to 256 colors. Configure the application to run
full screen
B. Change both monitors to run and optima settings. Configure the
application to run full screen
C. Update the drivers for Video card #1 Change #2 to 640 X 480
D. Do something else
Ans: A
or B (Info here is kind of unclear, but if answer B is to keep the
16-bit color setting and set the DOS app to Full Screen, this is the right
answer, you don't need to change the colors setting to 256.)

108. You install a USB scanner but it doesn't work. EXHIBIT shows
exclamation mark at Infrared port, but notice that the USB ports are
missing!
A: Request new BIOS from the hardware manufacturer to enable USB
ANS: A
109. You install a USB camera, but it doesn't work. The device manager
EXIHIBT shows the USB root hub entry missing. What should you do?
A. enable the USB port in the BIOS
ANS: A
110. A mouse driver is not working, then the admin installs a new-signed
mouse driver and reboots. After rebooting he looks in the device manager
and sees that the old driver is still installed. How does he fix this?
a. Use device manager to remove the original driver
ANS: A
If one of the choices is "Add/Remove Hardware", it is better to
choose this one because it will remove the device and the drivers from the
computer. Device manager will remove the device, but the drivers will
remain in the system.
111. Some question about a mouse driver not working, then the admin
installs a new signed mouse driver and reboots. After rebooting he looks
in the device manager and sees that the old driver is still installed. How
does he fix this? In another dump, the answer is: Use Device Manager to
remove the original driver. However, in my exam, the answers have
something to do with:
A. Configure OU policy to allow installation of drivers overwrite Local
Policy.
B. Configure Domain policy to allow installation of drivers overwrite
local policy.
C. Configure local policy to allow installation of drivers to overwrite OU
policy. The wording is not exact.
ANS: A
Note that the old mouse driver may have been installed under a Local Group
Policy setting. Group Policy is applied in the order Local, Site, Domain,
OU, and a setting applied later overrides one applied earlier, so a GPO
linked to the OU overrides the Local Policy (the reverse, option C, cannot
work).
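The precedence rule the note above relies on, as an added example (my own code, not part of the exam dump and not Windows code): a small Python model of Group Policy processing order, Local, Site, Domain, OU, including link order within a container, Enforced (No Override) and Block Inheritance. It is applied to a constructed chain in which the Local Policy blocks unsigned driver installation and an OU-linked GPO relaxes it. The GPO, container and setting names are invented for the example.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> value
    link_order: int = 1       # 1 = highest precedence within its container
    enforced: bool = False    # "No Override" in the Windows 2000 UI


@dataclass
class Container:
    name: str                 # "Local", a site, the domain, or an OU
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False


def application_order(chain):
    """Order in which GPOs are applied for a computer whose container chain is
    [Local, Site, Domain, OU, ..., leaf OU]. Later entries override earlier ones."""
    ordered = []  # (container index, GPO); the Local GPO lives in container 0
    for idx, container in enumerate(chain):
        if container.block_inheritance:
            # Block Inheritance discards GPOs inherited from the containers
            # above, except enforced ones. The Local GPO is not a linked GPO
            # and is kept.
            ordered = [(i, g) for i, g in ordered if i == 0 or g.enforced]
        # Within one container the lowest link order wins, so apply it last.
        for gpo in sorted(container.gpos, key=lambda g: g.link_order, reverse=True):
            ordered.append((idx, gpo))
    normal = [g for _, g in ordered if not g.enforced]
    # Enforced GPOs are applied after all the others. Among them, the one
    # closest to the domain (lowest container index, then lowest link order)
    # is applied last and therefore wins.
    enforced = [(i, g) for i, g in ordered if g.enforced]
    enforced.sort(key=lambda pair: (pair[0], pair[1].link_order), reverse=True)
    return normal + [g for _, g in enforced]


def effective_settings(chain):
    """Resolve every setting to (value, name of the GPO that supplied it)."""
    result = {}
    for gpo in application_order(chain):
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


SETTING = "UnsignedDriverInstall"   # constructed name for the driver-signing setting


def build_chain(enforce_domain=False, block_ou=False):
    """Constructed scenario: Local Policy blocks unsigned drivers, the domain
    GPO does too, and the Workstations OU relaxes it so the new driver loads."""
    local = Container("Local", [GPO("Local Policy", {SETTING: "Block"})])
    site = Container("Default-First-Site-Name")
    domain = Container("corp.example", [
        GPO("Default Domain Policy", {SETTING: "Block", "AuditLogon": "Failure"},
            link_order=1, enforced=enforce_domain),
    ])
    workstations = Container("Workstations", [
        GPO("Desktop Hardware Policy", {SETTING: "Warn"}, link_order=1),
        GPO("Legacy Lockdown", {SETTING: "Block"}, link_order=2),
    ], block_inheritance=block_ou)
    return [local, site, domain, workstations]


if __name__ == "__main__":
    for setting, (value, source) in effective_settings(build_chain()).items():
        print(f"{setting} = {value}   (from {source})")
```

With the plain chain the OU GPO wins and the setting resolves to "Warn"; mark the domain GPO Enforced and it wins again even though it is applied before the OU, which is the case to check before assuming an OU-level relaxation will take effect.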
112. The PC picks up the installed screen card as VGA 16 colors. You cannot
change any of the colors or resolution settings. The manufacturer,
version, make etc. of the card is not shown. What to do?
A. Install a driver for the monitor.
B. Install a WDM compliant driver for the screen card and monitor.
C. Change the screen card.
D. Move the card to another slot.
ANS: B

113. You install 10 PCs. Six have 10/100 UTP/BNC combo cards and four have
UTP-only cards. The PCs with UTP/BNC cards do not connect to the network;
the others do. What should you do?
A. change the settings of PC's with UTP/BNC cards to use the UTP connector
ANS: A
114. You install 10 PCs. PCs 6 and 8 have a UTP card and connect to the
network. The other 7 PCs have UTP/BNC cards but do not connect. What
should you do?
A: change the settings of PC's with UTP/BNC cards to use the UTP
connector.
ANS: A
115. You have a 10Mb NIC in your computer. You install a 100Mb network card
and restart the computer. The 100mb card is not working due to a conflict
with the 10Mb card. You want only the 100Mb card to be active. What should
you do?
A. disable the 10Mbps card using disable device in the device manager
ANS: A
116. You are the administrator of your company's network. You configure a
local group named accounting to have a mandatory user profile. The
mandatory profile has been configured to include a custom logo that was
saved with 16-bit color and 1024x768 resolution. Some of the Windows 2000
Professional computers in the accounting department have standard VGA
video adapters, and others have SVGA video adapters. Several users report
that when they log on to certain Windows 2000 Professional computers, the
custom bitmap becomes very pixelated and distorted, and does not reflect
the proper color depth. You want users to be able to correctly view the
custom bitmap on any computer in the accounting department. What should
you do?
A. Change the custom bitmap to a 16-color bitmap that has 640x480
resolution, and reconfigure the mandatory user profile.
ANS: A
117. You are configuring a Windows 2000 Server computer as a Routing and
Remote Access server for a Branch office. You discover that an incorrect
driver was installed during the installation of the modem. You attempt to
remove the modem by using Phone and Modem Options in Control Panel. After
each attempt to remove the modem by using this method, the computer stops
responding. You restart the computer again. You must install the correct
driver for the modem as quickly as possible. What should you do?
A. Use the Add/Remove Hardware wizard to uninstall the modem. Restart the
server.
B. Shut down the server, remove the modem card, and restart the server.
Shut down the server again, insert the modem card, and restart the server.
C. Delete all references to modems in the registry.
D. Run the Modem troubleshooter and remove the modem when prompted.
Restart the server.
ANS: A
118. Your Windows 2000 Server computer uses a non-Plug and Play ISA modem
configured to use IRQ 5. You add a PCI modem and restart the computer.
Device Manager reports an IRQ conflict between the two modems. Both modems
are trying to use IRQ 5. You want to resolve the problem. What should you
do?

A. Use Device Manager to change the IRQ for the original modem to IRQ 9.
B. Use Device Manager to change the IRQ for the original modem to IRQ 10.
C. Edit the CMOS settings on the computer to reserve IRQ 5 for non-Plug
and Play devices.
D. Edit the CMOS settings on the computer to reserve IRQ 10 for non-Plug
and Play devices.
ANS: C
119. Which 3 methods can you use to install a modem under Win2000Pro?
(Choose 3)
A. Plug in a plug and play modem
B. Use the Add/Remove Hardware program in Control Panel
C. Use the phone and modem options program in control panel
ANS: A, B, C
120.You want to view a list of installed multimedia devices, determine
driver versions and perform diagnostics. Which interface should you use?
A. The hardware tab of the sound and multimedia program in control
panel
ANS: A
121. You are the administrator of a Windows 2000 network. Your network
includes 75 Windows NT Workstation 4.0 computers. You are adding 50 new
PXE-compliant computers to the network. The hardware on each computer is
configured identically. You are using a RIS image to deploy Windows 2000
Professional to the 50 computers. You successfully install Windows 2000
Professional on the first 10 computers. However, you cannot install
Windows 2000 Professional on the remaining 40 computers. What should you
do?
A. Configure the DHCP Scope to add additional IP addresses.
B. Run Rbfg.exe from the RemoteInstall\Admin folder on the RIS server.
ANS: A
122. You want to install windows2000 professional on 30 PXE-compliant
computers and 35 non-PXE-compliant computers. All 65 computers are
included on the current hardware compatibility list (HCL). You create a
RIS image. You load the Image on the RIS server. You then start the 65
computers. You find that the 30 PXE-compliant computers can connect to the
RIS server. However, the 35 non-PXE-compliant computers cannot connect to
the RIS server. What should you do?
A. Run Rbfg.exe to create a Non-PXE-compliant startup disk
B. Run Riprep.exe to create a non-PXE complaint startup disk
C. Grant the everyone group NTFS Read permission for the RIS image
D. Grant the Administrators group NTFS Read permission for the RIS image
Ans: A
123. You want to automate the RIS installation of a syspreped image, you
copy sysprep.exe and setupcl.exe to a SDD. It doesn't work out as planned.
What else to do (Choose 2)
a. Copy sysprep.inf to the SDD
b. Use the /pnp switch when you run sysprep.exe
ANS: A, B
124. You have a DNS server, Active directory installed, RIS server, and a
client computer that meets the net pc specs. The client computer is behind
a non-BOOTP (it could also say non-RFC 1542) compliant router. Drag and
drop the appropriate items to make it work.
A. Win2k Server with RIS installed
B. DNS server
C. DHCP server (authorized in Active Directory)
D. Win2k domain with Active Directory
E. Client computer that meets Net PC specs
F. Ability of the Net PC to reach the DHCP server
Ans: A, B, C, D, E, F
You had to drag the DHCP relay agent onto the router and drag a DHCP
server as well. To answer this question correctly, you need to know what is
required to install via RIS.
125. You want to use RIS to install windows 2000 Prof to 25 systems. But
your clients cannot connect to your RIS Server. WHY? (Drag and place
figure, and select the missing server)
A. The DHCP server is missing
Explanation: The Remote Installation Service environment consists of
several technologies and services within a
network containing an existing Dynamic Host Configuration Protocol (DHCP),
Domain Name System (DNS), and Active Directory. You use the Pre-Boot
eXecution Environment (PXE) DHCP-based remote boot technology to install
the operating system on the client computer from a remote source. The
remote source-the Remote Installation Services server-contains the
operating system image to be installed in either compact disc (CD) or
Remote Installation Preparation wizard (RIPrep) image format. The CD-based
option is similar to setting up a client directly from the Windows 2000
Professional CD, except that the source files reside on an available
Remote Installation Services server. You use the RIPrep option if you want
to install and configure a client computer to comply with specific
corporate desktop standards that are unique to the organization
Ans: A
126. You are the administrator of your company network. Your network is
configured as shown in the exhibit. You want to install Windows 2000 on 10
non-PXE-compliant computers on the marketing segment of the network. The
10 computers do not have an OS installed. You attempt to load the computers
using the RIS image that is on the RIS server. You find that the computers
cannot connect to the RIS server. You verify that the existing client
computers can connect to the servers, including the RIS server. You then
check the network servers and find that the Windows NT Server 4.0 running
the WINS server has stopped responding due to a hard disk failure. You want
to enable the computers to connect to the RIS server. What should you do?
Choose two.
a. Repair and restore the WINS Server
b. Repair the WINS server and update the server to windows 2000 server
c. Configure the AD server to run DHCP
d. Configure static entry in WINS that points to the RIS Server
e. Create and use the RIS boot disk and run riprep.exe to create non-pxe
compliant start up disk.
ANS: C, D
127. You want to install Win2K PRO on X new computers on your company's
network. You first install Win2K PRO on one of the new computers. You log
on to the computer by using local admin account. You install MS Office 97,
a virus scanner, and other company standard applications. You then create
a RIS image of the computer you configured. You want to configure the RIS
image so that the standard applications will be accessible to the user
when the user first logs on to the network. What should you do?
a. Run RBFG.exe before installing the standard apps
b. Run RIPREP.exe before installing the standard apps
c. Copy the ALL USERS profile to the DEFAULT users profile
d. Copy the LOCAL ADMINISTRATOR account profile to the DEFAULT user
profile
Ans: D
128. You are upgrading 50 Win98 computers to Win2kPro. They all have the
exact same hardware and are PXE compliant. The first 10 computers install
correctly. How do you install Win2kPro to the rest?
A. Change BIOS settings
B. Add more IP addresses in the DHCP server
C. Make startup disks using RBFG.EXE
Ans: B
129. You use Windows 2000 Professional on your desktop Computer. You are
working on your company's annual financial report. You want other users on
the network to be able to modify your documents for the report. You use
Windows Explorer to share the financial report folder on the network.
Because the report contains confidential information, you want to prevent
users from enabling offline access for the network share that contains the
financial report. What should you do?
A. Use Windows Explorer to disable Offline Files.
B. Use Windows Explorer to disable caching for the reports on the network
share.
C. Use Windows Explorer to grant users Special access for the reports on
the network share.
D. Use Synchronization Manager to configure synchronization not to occur
when users are connected to the LAN connection.
ANS: B
130. You are using a Windows 2000 Professional computer. You create a
shortcut for a folder named Projects on a network share. You want to make
the shortcut to the Projects folder available when you are not connected
to the network. You attempt to configure the shortcut to be available
offline. However, you do not see an Option to make the folder available
offline. What should you do?
A. Use Windows Explorer to enable caching for the Projects folder.
B. Use Windows Explorer to configure the Projects folder on the network
share to be available for offline access.
C. Connect to the network before trying to make the shortcut available
offline.
D. Create shortcuts to each file in the Projects folder, and then make the
shortcuts to the files available offline.
ANS: A
131. You need to share a financial spreadsheet with other employees of your
company. The material is of a sensitive nature and you want to prevent the
ability of users to use offline caching. How do you do this?
A. Assign Special Permissions
B. Select Shared folder properties, caching, deselect "Allow Caching of
files in this shared folder"
Ans: B
132. You are the administrator of your company's network. A user named Peter
runs windows 2000 Professional on his portable computer. Peter wants to be
able to work at home on files that were created in the office on the
company network. Prior to logging off the network and leaving the office,
Peter enables offline files. Peter calls you from home and reports that
copies of his folders and files on the network are not available on his
portable computer. What should you instruct peter to do?
A. Enable file and print sharing. Peter will be able to access his files
at home immediately.
B. Synchronize all offline files. Peter will be able to access his files
at home immediately.
C. At the office, make all files available offline. Peter will be able to
access his files the next time he logs off the network.
D. At the office, create a shortcut to the Offline Files folder. Peter
will be able to access his files the next time he logs off the network.
ANS: C
133. You are the administrator of your company's network. You receive a
request from Stephen's manager to disable Stephen's access to a network
share named Financial. Stephen's user account is the only member in a
group named Reports. The Reports group has Full Control permission to the
Financial share. You delete the Reports group. You later find out that the
manager was in error and that Stephen should have his access to Financial
share restored. What should you do?
A. Re-create Reports and re-create Stephen's user account. Use existing
NTFS permissions.
B. Re-Create Reports and grant Reports NTFS Full Control permission to
Financial. Stephen's user account will still be a member of Reports.
C. Re-create Reports and grant Reports Full Control permission to
Financial. Add Stephen's user account to Reports.
D. Re-Create Reports and add Stephen's existing user account to Reports.
Use existing NTFS permissions.
ANS: C
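Why option C is the only one that works, as an added example (my own code, not from the exam dump and not Windows code): Windows stores permissions as ACEs keyed by SID, not by name, and a deleted group's SID is never reused, so a new group with the same name gets a fresh RID and the old ACE becomes an orphan (shown in the ACL editor as an unresolved S-1-5-21-... entry). The model below replays the question with a constructed domain SID, a RID counter standing in for the SAM, and a checker that lists orphaned ACEs.

```python
from dataclasses import dataclass
from itertools import count

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID


@dataclass(frozen=True)
class ACE:
    sid: str
    rights: frozenset


class Directory:
    """Minimal stand-in for the SAM/Active Directory: names map to SIDs and a
    RID counter that only ever increases, so a deleted SID is never reused."""

    def __init__(self, first_rid=1000):
        self._rids = count(first_rid)
        self.sids = {}        # principal name -> SID
        self.members = {}     # group SID -> set of member SIDs

    def _new_sid(self):
        return f"{DOMAIN_SID}-{next(self._rids)}"

    def create_user(self, name):
        self.sids[name] = self._new_sid()
        return self.sids[name]

    def create_group(self, name, members=()):
        sid = self._new_sid()
        self.sids[name] = sid
        self.members[sid] = {self.sids[m] for m in members}
        return sid

    def delete_group(self, name):
        sid = self.sids.pop(name)
        self.members.pop(sid, None)

    def sid_of(self, name):
        return self.sids[name]

    def name_of(self, sid):
        for name, s in self.sids.items():
            if s == sid:
                return name
        return None                    # orphaned SID

    def token_sids(self, user):
        """SIDs in the user's access token: own SID plus every group
        (transitively) that contains it."""
        token = {self.sids[user]}
        changed = True
        while changed:
            changed = False
            for group_sid, member_sids in self.members.items():
                if group_sid not in token and token & member_sids:
                    token.add(group_sid)
                    changed = True
        return token


def orphaned_aces(acl, directory):
    """ACEs whose SID no longer resolves to any principal."""
    return [ace for ace in acl if directory.name_of(ace.sid) is None]


def effective_rights(user, acl, directory):
    token = directory.token_sids(user)
    rights = set()
    for ace in acl:
        if ace.sid in token:
            rights |= ace.rights
    return frozenset(rights)


def scenario():
    """Replay question 133: delete Reports, re-create it, see what Stephen gets."""
    d = Directory()
    d.create_user("Stephen")
    old_sid = d.create_group("Reports", members=["Stephen"])
    acl = [ACE(old_sid, frozenset({"FullControl"}))]      # the Financial share ACL
    before = effective_rights("Stephen", acl, d)

    d.delete_group("Reports")
    new_sid = d.create_group("Reports", members=["Stephen"])   # same name, new RID
    after_recreate = effective_rights("Stephen", acl, d)
    orphans = orphaned_aces(acl, d)

    # Option C: re-grant Full Control to the new group and drop the dead ACE.
    acl = [a for a in acl if a not in orphans] + [ACE(new_sid, frozenset({"FullControl"}))]
    after_regrant = effective_rights("Stephen", acl, d)
    return {
        "sid_changed": old_sid != new_sid,
        "before": before,
        "after_recreate": after_recreate,
        "orphans": len(orphans),
        "after_regrant": after_regrant,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The practical lesson is the orphan check: after any group deletion, ACLs on shares and NTFS folders keep dead SIDs that grant nothing but still clutter the ACL and hide what access was intended, so list and remove them rather than only adding the new group.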
134. How can you quickly find out the full path descriptions to all of your
shares?
A. System tools in the computer management tool *** similar question but
long one.
Ans: A
135. Your windows 2000 professional computer has 10-shared folders that are
available to other network users. A user reports that he cannot access a
shared folder named Share A. You want to respond to the user's problem as
quickly as possible by using an administrative tool. However, you cannot
remember the server location of Share A. What should you do?
a. Use windows explorer to display the file paths of your shared folders.
b. Use Storage in Computer Management to view local drive properties.
c. Use event viewer in computer management to search for shared folder
error messages.
d. Use System tools in computer management to display the file paths of
your shared folders.
Answer: D
136. You are the administrator of your company network. A user named Andrew
has limited dexterity, which prevents him from using a standard keyboard when
completing his daily tasks. You configure Windows 2000 Professional to use
StickyKeys and the on-screen keyboard options. You save the accessibility
options to a shared folder on the local hard disk of Andrew's computer.
You want to configure the same options for another user, Peter. You log on
to Peter's computer using his local user account and access the folder
over the network from Peter's computer. You select the .acw file from the
shared folder to set up Peter's computer to use the accessibility options.
You receive the following error message: "There was a problem running the
file when running the Accessibility Wizard." What should you do?
a. Give the user on the 2nd PC read access to the shared folder on the 1st
PC
b. Copy the .acw file to C:\Documents and Settings\Default User
c. Copy the file to a SDD and then use it on the 2nd PC
ANS: A

137. A power surge destroys the hard disk's MBR and causes your Windows 2000
computer to fail to boot afterward. How do you fix it?
A. Boot with Windows 2000 CD-Rom and select recovery console, use fixmbr
command to fix the MBR.
Ans: A
138. Which command in Recovery console will allow you to disable a service?
A. Disable
Ans: A
139. Your computer has Windows 2000 Professional installed. Your office has a
power outage while you are running the Windows 2000 Disk Defragmenter. When
you start the computer you receive the following message: "Bad or missing OS".
What should you do?
a) Start the computer in safe mode and reformat the hard disk
b) Start the computer in the debug mode and reformat the hard disk
c) Start the computer using the ERD and repair the Master Boot Record
d) Start the computer by using the win2000 professional CD Rom. Then use
recovery console to repair the Master Boot Record
ANS: D
140. You install a ZIP drive into a Windows 2000 system. You install the
drivers. On reboot, the system locks. You can't get in, and even safe mode
doesn't work. How do you unload the driver to get back in to Windows 2000
professional? (Choose three)
A. Go into device manager and remove Zip drive.
B. From a command prompt run LISTSVC to disable the zip driver
C. From a command prompt run DISABLE to disable the zip driver
D. Select recovery console from the repair
E. Start the PC from CD-ROM
Ans: C, D, E
141. You work for an accounting firm. Currently all developers are running
Windows 98. The company wants to go to Windows 2000 Professional.
Programmers are going to need to code in both a Windows 98 environment and
a Windows 2000 environment. What platform can you install that will
optimize the availability of code to both environments?
A. FAT16
B. FAT32

C. NTFS
D. HPFS
Ans: B
142. You have three drives: 0, 1, 2. You want to put Windows 98 on drive 0 and
Windows 2000 Professional on drive 1, and put files on drive 2 that can be
accessed from both. The question gives some details about needing NTFS
features on drive 1. Open the exhibit and place the file systems: FAT32 on
0 and 2, NTFS on 1.
A. DRIVE 0 = FAT32, DRIVE 1 = NTFS, DRIVE 2 = FAT32
Ans: A
143. Which of the following volume Property dialog box tabs do you see for
FAT32 partitions in the Disk Management utility? Choose all that apply.
A. General
B. Sharing
C. Security
D. Quota
Ans: A, B
The Security and Quota tabs are only available for NTFS
partitions.
144. Which of the following statements is true of dynamic disks in Windows
2000 Professional? Choose all that apply.
A. Dynamic disks can be recognized by Windows NT 4 or Windows 2000.
B. Dynamic disks are only supported by Windows 2000.
C. Dynamic disks support features such as simple volumes, extended
volumes, spanned volumes, and striped volumes.
D. Dynamic disks support features such as simple volumes, extended
volumes, spanned volumes, mirrored volumes, and striped volumes.
Answer: B, C
Dynamic disks can only be accessed through Windows 2000. They
do not support mirrored volumes in the Professional version of Windows
2000.
145. What utility can be used to identify areas of disk space that can be
deleted to free additional disk space?
A. Disk Cleanup
B. Disk Manager
C. Disk Administrator
D. Disk Defragmenter
Answer: A
The Disk Cleanup utility is used to identify areas of space that
may be reclaimed through the deletion of temporary files or Recycle Bin
files.
146. Scott frequently accesses and updates a large number of files. He is
noticing that the larger the files get, the longer it takes to access the
files. He suspects that the problem is related to the files being spread
over the disk. What utility can be used to store the files sequentially on
the disk?
A. Disk Cleanup
B. Disk Manager
C. Disk Administrator
D. Disk Defragmenter
Answer: D
The Disk Defragmenter utility is used to rearrange files so that
they are stored contiguously on the disk. This optimizes access to those
files.
147. What steps would you take to access the Disk Defragmenter utility?
A. Use Disk Administrator
B. Use Disk Manager
C. Through Programs > Accessories > System Tools
D. Through Programs > Administrative Tools > System Tools
Answer: C
You access the Disk Defragmenter utility through Start >
Programs > Accessories > System Tools > Defragmenter.

148. Windows NT 4.0 is currently on the system you are using, and you want
to install Windows 2000 Professional. Windows NT 4.0 is currently on an
NTFS partition. For some reason you have decided that you are not going to
upgrade, but rather, you are going to run this in a dual boot fashion.
What do you need to do?
A. Can't be done.
B. You need to put Windows 2000 on a separate partition from Windows NT
4.0
C. You need to upgrade Windows NT 4.0 to SP4.
ANS: C

149. Which of the following files are required to boot the Windows 2000
Professional operating system? Choose all that apply.
A. NTLDR
B. BOOT.INI
C. NTOS.EXE
D. NTDETECT.COM
Answer: A, B, D
The files that are required to boot Windows 2000 are
NTLDR, BOOT.INI, NTDETECT.COM, and NTOSKRNL.EXE. There is no boot file
called NTOS.EXE.
150. Which of the following files loads the Windows 2000 Professional
operating system?
A. NTLDR
B. NTOSKRNL.EXE
C. BOOTNT.EXE
D. NTOS.EXE
Answer: B
The NTOSKRNL.EXE file is used to load the Windows 2000
Professional operating system. NTLDR is used to control the Windows 2000
boot process. There is no boot file called BOOTNT.EXE or NTOS.EXE.
151. Which of the following options are configured through the BOOT.INI
file? Choose all that apply.
A. The location of the boot partition
B. The location of the system partition
C. The Windows 2000 boot menu
D. The default operating system that should
be loaded
Answer: A, C, D
The BOOT.INI file specifies the location of the boot
partition, the boot menu, and the default operating system that should be
loaded. The system partition is specified by the active partition.

152. Which of the following files is used to initialize and start the
Windows 2000 boot process?
A. NTLDR
B. NTOSKRNL.EXE
C. STARTNT
D. NTBOOT.EXE
Answer: A
When you install Windows 2000, the NTLDR file is copied to the
active partition. This file executes when you choose to load the Windows
2000 operating system and is used to initialize the Windows 2000 boot
process.

153. Which of the following files is used to build the operating system menu
choices that are displayed during the boot process?
A. NTLDR
B. NTOSKRNL.EXE
C. STARTNT
D. BOOT.INI
Answer: D
The BOOT.INI file is used to build the operating system menu
choices that are displayed during the boot process. It is also used to
specify the location of the boot Partition.

154. Your computer is configured to dual-boot between Windows 98 and Windows
2000. How would you configure the computer so that Windows 98 would be the
default selection if the user did not make a choice within the specified
amount of time?
A. Through the STARTUP.INI file
B. Through the SYSTEM.INI file
C. Through Control Panel, Startup Options
D. Through Control Panel, System, Startup and Recovery
Answer: D
Through the System icon in Control Panel, you can access Startup
and Recovery options. The Default Operating System option lets you specify
which operating system will load if no user selection is made.
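The BOOT.INI structure that questions 151 to 154 describe, as an added example (my own code, not part of the exam dump): a Python parser for the two sections, [boot loader] with timeout= and default=, and [operating systems] mapping each ARC path to its menu text and switches, plus a renderer that changes the default entry the way Startup and Recovery does, and a checker. The sample file is constructed for a dual-boot Windows 2000 / Windows 98 machine; the /debug switch check is my own hardening addition and not something the questions ask about.

```python
import configparser
import shlex

# Constructed sample; ARC path syntax: multi(0)disk(0)rdisk(0)partition(n)\dir
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\\="Microsoft Windows 98"
"""


def parse_boot_ini(text):
    """Return {'timeout': int, 'default': ARC path, 'entries': {ARC path: {...}}}."""
    # Only '=' separates keys from values: ARC paths and 'C:\' contain ':'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                      # keep ARC paths case-sensitive
    cp.read_string(text)
    loader = cp["boot loader"]
    entries = {}
    for arc_path, value in cp["operating systems"].items():
        parts = shlex.split(value)            # '"menu title" /switch ...'
        entries[arc_path] = {
            "title": parts[0] if parts else "",
            "switches": [p.lower() for p in parts[1:]],
        }
    return {
        "timeout": int(loader.get("timeout", "30")),
        "default": loader.get("default", ""),
        "entries": entries,
    }


def render_boot_ini(cfg):
    lines = ["[boot loader]", f"timeout={cfg['timeout']}", f"default={cfg['default']}",
             "[operating systems]"]
    for arc_path, entry in cfg["entries"].items():
        line = f'{arc_path}="{entry["title"]}"'
        if entry["switches"]:
            line += " " + " ".join(entry["switches"])
        lines.append(line)
    return "\n".join(lines) + "\n"


def set_default(cfg, arc_path):
    """What Control Panel > System > Startup and Recovery changes (question 154)."""
    if arc_path not in cfg["entries"]:
        raise KeyError(f"{arc_path} is not listed under [operating systems]")
    return {**cfg, "default": arc_path}


def check_boot_ini(cfg):
    """Sanity and hardening checks; the /debug check is my addition."""
    problems = []
    if cfg["default"] not in cfg["entries"]:
        problems.append(f"default {cfg['default']!r} has no [operating systems] entry")
    if cfg["timeout"] < 0:
        problems.append("timeout=-1: the loader waits forever, so unattended "
                        "restarts hang at the boot menu")
    for entry in cfg["entries"].values():
        if any(s.startswith("/debug") for s in entry["switches"]):
            problems.append(f"{entry['title']}: kernel debugger enabled "
                            f"({' '.join(entry['switches'])}); remove on production hosts")
    return problems


if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    print(check_boot_ini(cfg) or "boot.ini OK")
    print(render_boot_ini(set_default(cfg, "C:\\")))
```

BOOT.INI lives on the system (active) partition as a hidden, read-only file, so a script that rewrites it has to clear those attributes first; editing it by hand with a default= that points at a partition number that no longer exists is the usual way to end up with the "missing operating system" style boot failures covered earlier in this dump.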
155. You use slipstreaming to apply a service pack to the installation files
for Windows 2000 Professional on your network share. Then, you publish a
software application that will be installed by various departments
throughout the corporation on their Windows 2000 Professional computers.
The application impacts the system state on any computer on which it gets
installed from the publication. What must you do about the new service
pack?
A. The update /slip command will correct the system files that were
affected by the installation of the application on each computer receiving
the software. It will also apply the service pack from the distribution
folder. You need to run update /slip on each Windows 2000 Professional
computer of the installed based.
B. Windows 2000 knows to automatically reinstall the correct system files
that the service pack applied after the software is installed from the
publication. You aren't required to do anything.
C. The new service pack has not yet been applied to the installed base of
Windows 2000 Professional computers, so they don't have it. You must run
update on each computer that got a Windows 2000 Professional installation
before the service pack was slipstreamed to the installation share.
D. You should manage the newly published software application with Windows
Installer. Get the .msi from the vendor and reinstall this application on
the network share.
Ans: C

156. You are preparing an unattended answer file for eight new Windows 2000
Professional computers. The person initiating the setups should not have
to answer questions during the installations. How is the license agreement
handled?
A. You will create the license agreement answer in the
[LicenseFilePrintData] section of the answer file.
B. Your acceptance of the license agreement answer is included as a switch
for winnt32.exe when you are using the Winnt.sif file.
C. Your acceptance of the terms of the license agreement is associated
during the computer name generation section of the answer file. Then the
agreement is tied to each computer installed.
D. You will be asked to accept the terms of the license agreement for all
unattended installations if you choose the Fully Automated option while
preparing the answer file.
Ans: D
If you are creating a fully unattended install, as the question states, you
MUST agree to the EULA in Setup Manager or you cannot go on. If you don't
want to answer any questions during Setup, add OemSkipEula=Yes to the
[Unattended] section and a valid ProductID value to the [UserData] section.
In this case you will have to create eight different answer files with
different Product IDs for the eight computers; if you use only one answer
file, all the computers will have the same Product ID. (Alternatively, keep
one answer file and supply the per-computer values through a uniqueness
database file with the /udf switch of winnt32.exe.) After you create the
answer file with the Setup Manager Wizard you can open it with a text
editor and add entries under the [UserData] section like this:

    [UserData]
    FullName = "Your user name"
    OrgName = "Your organization name"
    ; It is recommended that you avoid using spaces in the ComputerName value.
    ComputerName = "YourComputer_name"
    ; To ensure a fully unattended installation, you must provide a value
    ; for the ProductId key.
    ProductId = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

157. You are upgrading a computer from Windows 98 to Windows 2000
Professional. The computer is a 400-MHz Pentium III, and has 128 MB of RAM
and a 10-GB hard disk. You are performing the installation by using the
Windows 2000 Professional CD-ROM. After the text mode installation portion
is complete, you restart the computer. The BIOS virus checker on your
computer indicates that your computer is infected with a Master Boot
Record virus. What should you do before you continue the installation?
A. Remove the virus checker in windows 98.
B. Disable the BIOS virus checker and restart the computer.
C. Run Fixmbr.Exe from the Windows 2000 Professional CD-ROM.
D. Modify the Boot.ini from to include a signature parameter on the ARC
path of the system partition
ANS: B

158. You wish to check and make sure that the hardware that is installed on
a client will be compatible with a Windows 2000 professional upgrade.
Which of the following will give you this information?
A) Run WINNT32.EXE /checkupgradeonly
B) Run WINNT.EXE /checkupgradeonly
C) Run chkdsk.exe
D) There is no way to do this other than to take inventory of the hardware
installed and verify it on the Hardware Compatibility List (HCL)
ANS: A

159. You want to upgrade 150 computers from Windows NT Workstation 4.0 to
Windows 2000 Professional. You create a Unattend.txt file by using Setup
Manager. You copy the file to a floppy disk. You then start the
installation on a test Computer by using the Windows 2000 Professional
CD-ROM. You insert the floppy disk after the computer starts. Although you
had set the user interaction level to full unattended mode, you are
prompted for all the required parameters. You want to ensure that the
unattended installation does not prompt you for input. What should you do?
A. Add a [Data] section to Unattend.txt, and set the UnattendedInstall
parameter to Yes.
B. Add a [Unattend] section to Unattend.txt, and set the OEMPreinstall
parameter to Yes.
C. Rename Unattend.txt on the floppy disk to Winnt.sif.
D. Create a $OEM$\$1 folder on the hard disk of the test computer, and
copy Unattend.txt to the folder.
ANS: C

160. You are upgrading two windows NT4 computers to Windows 2000. Computer 1
completes the upgrade with no problems. During the upgrade of computer 2,
you experience a power loss and cannot boot into NT4. You want to use
Computer 1 to help Computer 2 recover. How can this be done?
A. Do an across the network install
B. Run MAKEBT32.EXE to make diskettes to start your machine.
C. Copy the boot files from computer 1 to a floppy, boot to the floppy and
continue the setup of computer2.
Ans: B

161. You want to upgrade some PCs in your company. They have different
Hardware and use different peripherals. How can you check the
compatibility while minimizing your work?
a. Install W2k on all the machines and see what happens.
b. Copy winnt32.exe to a floppy disk and run it on all the machines with
the /checkupgradeonlyQ switch. - This is not a spelling mistake; they
actually did put a Q at the end of that switch)
c. Use setup manager to create an unattend file, and then modify the
WIN9XUPG section.
ANS = C (Check the Windows White Paper titled "Upgrading your corporate
Windows 9x Desktops to Windows 2000 Professional". Answer B is a catch -
typical Microsoft tactics. If you put the winnt32.exe on a floppy and
execute it, it won't work. Also, the question here doesn't state anything
about Windows 9X system, but based on the choices given here, C is the
only answer.)

162. You have acquired a new Pentium III computer with two blank hard drives,
a 40X CD Rom drive, an AGP display adapter, and a fast Ethernet network
adapter. All hardware is on the HCL. You want to achieve these result:
Install win2000pro on the computer
Minimize the time required to install win2000pro
Choose a file system to enable maximum security of data on the computer
Have the computer join your domain
Your proposed solution is to start the computer, access the Bios, set the
computer to boot from the CD Rom drive, save changes, and restart the
computer. When Setup runs, complete the necessary tasks and specify the
NTFS partition type. After restarting the computer again, restore the
original boot disk configuration in the Bios. When prompted specify the
appropriate domain name. Which results does the proposed solution produce?
(Choose 3)
A. Windows 2000 Professional is installed on the computer
The specified file system enables security
The computer joins your domain
Ans: A
163. Kevin, the Software Developer of Perfect Solution Inc., recently left
the job. The company's Administrator moves all of his home folder files,
which have the Encrypting File System (EFS) enabled. When the Manager attempts
to open Kevin's files, he is denied access. What should be done, so that
the Manager can access those files with least administrative burden?
a. Log on to the network as a Recovery Agent. Decrypt the files for the
manager.
b. Grant the Manager the NTFS Take Ownership permission to the files.
Ans: A
Why? (Read the topics "File encryption overview" and "Encrypting
File System and data recovery" in the Win2KPro online help. Once a file is
encrypted NOBODY else can open it; the only exception is the Recovery
Agent, who can. Even if the manager has the Take Ownership permission
he won't be able to open it.)

164. You are the administrator of your company's network. A user named
Veronica uses a shared windows 2000 Professional computer. The computer is
a member of a workgroup. Veronica has encrypted five files on the computer
to ensure the security of the files. Two of these encrypted files are
needed for an important meeting. However, Veronica is out of the office
until next week. You need access to the files immediately. You also need
to ensure that Veronica can log on when she returns. You want to
accomplish this with the least amount of administrative effort. You log on
to Veronica's computer by using the local Administrator account. What else
should you do?
A. Open the two files. Do nothing further.
B. Turn off encryption for the two files. Do nothing further.
C. Backup the two files and then restore them. Turn off encryption on the
restored files.
D. Change Veronica's password. Log on by using her user name and new
password. Then open the two files.


ANS: A
(In a workgroup environment, the local Administrator is the
Recovery Agent by default.)

165. You encrypt three files to ensure the security of the files. You want
to make a backup copy of the three files and maintain the security settings.
You have the option of backing up to either the network or a floppy disk.
What should you do?
A. Copy the files to a network share on a NTFS volume. Do nothing further.
B. Copy the files to a network share on a FAT32 volume. Do nothing
further.
C. Copy the files to a floppy disk that has been formatted by using
Windows 2000 Professional. Do nothing further.
D. Place the files in an encrypted folder. Then copy the folder to a
floppy disk.
ANS: A
Only NTFS keeps encryption

166. You are the administrator of your company's network. Your network has
200 windows 2000 Professional computers and 15 windows 2000 server
computers. Users on the network save their work files in home folders on a
network server. The NTFS partition that contains the home folders has
Encrypting File System (EFS) enabled. A user named John leaves the
company. You move all of the files from John's home folder to his
manager's folder. When the manager attempts to open any of the files, she
receives the following error message: "Access denied." You want the
manager to be able to access the files. What should you do?
a. Grant the manager NTFS Full control permission to the files.
b. Grant the manager NTFS Take Ownership permission the files.
c. Log on to the network as a Recovery Agent. Decrypt the files for the
manager.
d. Log on to the network as a member of the Backup Operators Group.
Decrypt the files for the manager.
ANS: C
167. Kevin, the Software Developer of Perfect Solution Inc., recently left
the job. The company's Administrator moves all of his home folder files to
his Manager's home folder. The NTFS partition that contains the home
folders has the Encrypting File System (EFS) enabled. When the Manager
attempts to open Kevin's files, he is denied access. What should be done,
so that the Manager can access those files with least administrative
burden?
A. Grant the Manager NTFS Full Control permission to the files.
B. Grant the Manager the NTFS Take Ownership permission to the files.
C. Logon to the network as a Recovery Agent. Decrypt the files for the
Manager.
D. Logon to the network as a member of Backup Operators group. Decrypt the
files for the Manager.
ANS: C

168. You are the administrator of your company's network. Your network has
75 windows 2000 professional computers and eight Windows 2000 Server


computers. Users on the network save their work files in home
folders on a network server. The NTFS partition that contains the home
folders has Encrypting File System (EFS) enabled. The partition also has
disk quotas defined. A user named Candy reports that she cannot save any
files to her home folder. She also cannot update files in her home folder.
When she attempts to save files to the folder she receives the following
error message "insufficient disk space". Other users are not experiencing
this problem with their home folders. You want to enable Candy to save
files in her home folder. What should you do?
A. Log on to the network as a Recovery Agent. Decrypt all of candy's files
in her home folder.
B. Log on to the network by using the domain Administrator account. Grant
Candy Full control permission to her home folder.
C. Use Windows Backup to archive and remove old files on the server.
D. Increase the server's disk quota entry for Candy to accommodate the
additional files.
ANS: D

169. Each user in your network has his/her own user directory. Jane copies a
file to her user directory and receives the message "insufficient space."
She finds that she cannot even add data to a file and save it. Others are
not having any problems. What should you do?
a. Increase the Quota Limit for Jane
b. Defragment the hard drive
c. Confirm that NTFS compression has been enabled
d. Add Jane to the domain users group
e. Confirm that backup is not running
ANS: A

170. Julie is trying to save a file that is 2MB in size. When she tries to
save the file, she gets an error message that the disk is out of space.
When the administrator checks available disk space, it is determined that
there is more than 4GB of free disk space. What is the most likely cause?
A. The disk needs to be defragmented.
B. Julie does not have the NTFS permissions she needs to access the folder
where she is trying to save the file.
C. Julie has exceeded her disk quota.
D. The folder is encrypted and Julie does not have the key required to
write to the folder.
Answer: C
If Julie is getting "out of space" errors and the disk has free
space, it is likely that the disk has disk quotas applied and Julie has
exceeded her quota limitation.
171. Which of the following statements is true for disk quota management in
Windows 2000 Professional?
A. Quotas can only be set for all users of a volume.
B. Quotas can only be set for specific users or groups of a volume.
C. Quotas can be set for all new users of a volume or set individually for
users of a volume.
D. Quotas are only set for all users at the computer level through a group
policy.


Answer: C
You cannot specify a quota for a group. Quotas are set for all
new users of a volume or set individually for users of a volume.

172. Sticky key Question: How do you turn off the Automatic Accessibility
option?
A. Control Panel, Accessibility Options, and General Tab
ANS: A
173. You have configured accessibility options for Tom. Everything works fine. Tom
leaves his computer and comes back after an hour, and none of the
accessibility options work anymore. What should you do?
A. In accessibility options on the general tab disable "turn off
accessibility features after idle for xx minutes."
ANS: A

174. You are creating a dial-up connection for Internet access. The wizard
cannot access the default Internet Service Providers (ISP) with either of
the numbers provided. What is your alternate method for setting up the
connection?
A. Configure the dial-up connection to negotiate with the server using
Challenge-Handshake Authentication Protocol (CHAP).
B. You can choose the option to set up the Internet connection manually if
you know the ISP's phone number and your account and password already.
C. You need to provide a known IP address before attempting to connect to
the ISP server.
D. Your ISP is requiring Data Encryption. Configure the dial-up connection
to use it.
ANS: B

175. You install Windows 2000 Professional on your portable computer. You
configure your computer to join the CORP domain. You now create a new
dial-up connection to connect to the company's remote access server that
is in the CORP domain. You want authentication to be based on the logon
credentials that you use when you log on to the portable computer. What
should you do? (Choose two.)
A. Configure the security options to enable EAP.
B. Configure the security options to require secured passwords.
C. Configure the security options to allow unsecured passwords.
D. Configure the security options to use the Windows logon name and
password.
E. Configure the dialing options to include the Windows logon domain.
F. Configure the dialing options to not prompt for name and password.
ANS: B, D

176. You create a dial-up connection to your Internet service provider
(ISP). You configure the Security tab and the Networking tab of the
Internet Connection via MSN Properties dialog box as shown in the exhibit.
You attempt to connect to the ISP. You view the status change from Dialing
to Verifying user name and password. After several seconds, the status
changes to Disconnecting. You are then disconnected from the Computer you
dialed. You verify that your user name and password are entered correctly.
You want to enable your Computer to connect to your ISP. What should you
do?
A. Configure your connection to enable data encryption.
B. Configure your connection to use the UNIX SLIP server.
C. Configure your connection to allow unsecured passwords.
D. Instruct your ISP to configure your account to support Multilink.
ANS: C

177. You dial-in to your company's network from home. You find that you can
access resources on the first subnet (where the dial-in server is located)
but you cannot go beyond that. What dial-in parameter would you have to
change?
A. Use default gateway on remote network
ANS: A

178. Your remote access clients are complaining that their connection to the
server is too slow and that they are unable to work productively.
Currently most of the users are dialing in over analog modems.
Unfortunately higher speed methods of Internet access such as DSL and
cable modem are not available to most of these users. You decide instead
to install additional modems in the computers of the users who will
remotely access your company's network so that they will be able to
connect to the server using multiple modems simultaneously. What
additional software configuration must you do on your Remote Access
Servers to ensure that this will work properly?
A. Configure Routing and Remote Access (RRAS) to support the Remote
Authentication Dial-In User Service (RADIUS).
B. Enable dual callback.
C. Enable multilink.
D. Install the Bandwidth Allocation Protocol (BAP).
E. Install the Extensible Authentication Protocol (EAP).
Answer: C

179. You are using Windows 2000 professional at home with a smart card
installed. You want to connect to your RAS server to pick up e-mail. What
protocol will you need?
A. EAP B. PPTP C. IPSec D. NETBEUI
Ans: A
180. You are using a DIALUP connection. You want to ensure that your
PASSWORD is encrypted. What protocols from the list below would you
disable?
A. PAP B. SPAP C. MSCHAP D. MSCHAP V1
E. MSCHAP V2 F. CHAP
Ans: A
Keywords dialup and password must be encrypted not whole session.
PAP is the only protocol that does not encrypt the password.

181.You are using a DIALUP connection. You are DIALING into a remote server
you do not know what type of server it is, but you want the entire session
encrypted. What protocols from the list below would you disable?
A. PAP B. SPAP C. MSCHAP D. MSCHAP V1
E. MSCHAP V2 F. CHAP
Ans: A, B
MSCHAP, MSCHAP V1, MSCHAP V2 are for encrypting whole
sessions to dial in connections in a MICROSOFT world. CHAP is for
encrypting whole sessions to dial in connections in a NON-MICROSOFT

182. You are creating a dial-up connection on your Windows 2000 Professional
portable computer to connect to your customer's dial-up server. You are
not sure which type of server your customer is using for dial-up
connections. You want to ensure that your dial-up connection
authentication is secure and that your logon information is not sent in
plain text. You view the Advanced Security Settings dialog box as shown in
the exhibit. Which option or options should you disable in the Advanced
Security Settings dialog box? (Choose all that apply.)
A. Unencrypted password (PAP)
B. Shiva Password Authentication Protocol (SPAP)
C. Challenge Handshake Authentication Protocol (CHAP)
D. Microsoft CHAP (MS-CHAP)
E. Microsoft CHAP Version 2 (MS-CHAP v2)
F. For MS-CHAP based protocols; automatically use my Windows logon name
and password (and domain, if any)
ANS: A, B

183. You are using a DIALUP connection to connect to a WINDOWS 2000 RAS
SERVER. You want the whole session encrypted. What protocols from the list
below would you disable?
A. PAP B. SPAP C. MSCHAP D. MSCHAP V1 E. MSCHAP V2
F. CHAP
Ans: A, B, D, F
PAP SPAP CHAP are not used because you are dialing into a
pure WINDOWS 2000 System. D is wrong because you only have MSChap and
MSChap v2.
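The answer keys for questions 180 to 183 all disable PAP first because PAP sends the password itself, while the CHAP family sends only a one-way hash of a server challenge. As an added example (not part of the original question bank), here is a Python model of a PAP exchange beside a CHAP exchange (RFC 1994, MD5) with a defender's check over each captured message; the user name and secret are constructed values.

```python
import hashlib
import os

# Constructed sample credentials for this demonstration (not from the page).
USERNAME = b"veronica"
SECRET = b"correct horse battery staple"


def pap_exchange(username, password, stored_secret=SECRET):
    """Model a PAP Authenticate-Request (RFC 1334).

    The client sends its peer-id and password as-is; the server accepts if
    the password matches.  Returns (message_on_the_wire, accepted)."""
    wire = {"peer_id": username, "password": password}
    accepted = wire["password"] == stored_secret
    return wire, accepted


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(username, secret, stored_secret=SECRET, challenge=None,
                  identifier=1):
    """Model a CHAP Challenge / Response / Success exchange.

    The server sends a fresh random challenge; the client answers with a
    one-way hash over its secret and that challenge; the server recomputes
    the hash with its own copy of the secret and compares.  The secret itself
    never appears in any message.  Returns (messages_on_the_wire, accepted)."""
    if challenge is None:
        challenge = os.urandom(16)  # server-chosen, fresh for every attempt
    response = chap_response(identifier, secret, challenge)  # client side
    wire = {
        "identifier": identifier,
        "challenge": challenge,  # Challenge packet, server -> client
        "name": username,        # Response packet, client -> server
        "response": response,
    }
    expected = chap_response(identifier, stored_secret, challenge)  # server side
    accepted = response == expected
    return wire, accepted


def secret_visible_on_wire(wire, secret):
    """Defender's check over a captured exchange: does any field carry the
    secret itself?  True for the PAP model, False for the CHAP model."""
    return any(isinstance(field, bytes) and secret in field
               for field in wire.values())


if __name__ == "__main__":
    pap_wire, pap_ok = pap_exchange(USERNAME, SECRET)
    chap_wire, chap_ok = chap_exchange(USERNAME, SECRET)
    print("PAP  accepted:", pap_ok,
          " secret on wire:", secret_visible_on_wire(pap_wire, SECRET))
    print("CHAP accepted:", chap_ok,
          " secret on wire:", secret_visible_on_wire(chap_wire, SECRET))
```

Note that the server side of chap_exchange needs the clear secret to recompute the hash, so a real CHAP verifier must store the secret (or a reversible encryption of it), whereas a PAP verifier can keep only a one-way hash.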

184. You have a smart card and must choose the correct protocol for
authentication.
A. EAP
Ans: A

185. Tough "choose all that apply" question about RRAS and enabling "Smart
Card Support". It shows a picture of the RRAS Authentication screen. I
know you need to enable EAP for smart cards, but what about MS-Chap,
MS-Chap v2, and "Use Windows Logon Name and Password"? I hate the choose
all that apply questions.
A. EAP
Ans: A

186. You install Windows 2000 professional on your computer at home. You
create a new dial-up connection to connect to your company's remote access
server. You configure the connection to use both of your external modems
and to use multi-link to bind the modems together. You start the dial-up
connection and connect to the remote access server. You notice that only
one of the modems is connected to the remote access server. What should
you do?
A. Configure the dial-up connection to use a SLIP connection
B. Configure the company's remote access server to accept multi-link
connections
C. Replace your modems with new modems that support multi-link
D. Grant your user account multi-link permission on the company's remote
access
ANS: B

187. You install a second modem on a Windows 2000 Server computer
configured with Routing and Remote Access. Dial-in users report that they
are unable to connect to the server by using this new modem. What can you
do to help find out the cause of the problem? (Choose Three.)
A. Use the Diagnostics tab in Phone and Modem Options in Control Panel to
query the modem.
B. Use device Manager to identify any port resource conflicts.
C. Use the Routing and Remote Access snap-in to find out whether the ports
for both modems are operational.
D. From a command prompt, run the Net Config Server command.
E. From a command prompt, run the Net Statistics command.
F. Use Regedt32 to view the Error Control value in the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess key.
ANS: A, B, C

188. A user calls you because she cannot find the files she needs on a
network shared folder. You learn from her that she is looking with
Explorer for the n:\composite\division\projects folder. What do you need
to do so she can see the files?
A. You instruct her to type \\servername\composite\division\projects\
filename in her application software.
B. Tell the user to click the Start button, and run the \\servername.
Using that route, she can click down to the target folder.
C. Give the user an access control entry for the needed folder, projects.
D. Give the user "list folder contents" permission to the network shared
folder using a security group.
ANS: C

189. You are the administrator of a Windows 2000 network. You purchase 25
new portable computers that have a preinstalled version of Windows 98. You
upgrade the 25 new computers to Windows 2000 Professional. You want to
remove the Logoff Option from the Start menu on the 25 new Computers.
Which two methods can you use to accomplish your goal? (Choose two)
A. On the Advanced tab of the Taskbar & Start Menu dialog box, clear the
Display Logoff Option.
B. On the Advanced tab of the Taskbar & Start Menu dialog box, clear the
Administrative Tools Option.
C. On the General tab of the Taskbar & Start Menu dialog box, clear the
Personalized Menus option. Log off and then log on to the Computers.
D. Use a Local Computer Policy that will not include the Logoff option on
the Start menu.
E. Use the User Profiles tab within the properties of My Computer to
change the profile from a local profile to a roaming user profile.


ANS: A, D

190. You are the administrator of a Windows 2000 Professional computer that
is shared by several users in the sales department. User accounts have
been created for current users. Current users can log on to the computers.
To accommodate new users, you add two new users accounts named user7 and
user8 to computer5. When user7 attempts to log on to the computer, she
receives the following error message: "Windows cannot copy file
C:\Documents and Settings\Default User to location C:\Documents and
Settings\User7. Contact your network administrator. Detail - Access is
denied." When User8 attempts to log on to the computer, he receives the
same type of error message. You want to allow the two new users, as well
as other users in the sales department, to be able to log on to the
computer. Which two methods can you use to accomplish your goal? (Choose
two.)
A. Add the user7 and user8 user accounts to the DACL for the Profiles
shared folder on the network server.
B. Add the User7 and User8 user accounts to the DACL for the C:\Documents
and Settings\Default User folder.
C. Add the Everyone group to the DACL for the C:\Documents and
Settings\Default User folder.
D. Add a group Policy object (GPO) for the Sales OU that redirects user
profiles to a shared folder.
E. Log on by using the local Administrator account and create new folders
for User7 and User8 in the C:\Documents and Settings folder.
F. Select the allow inheritable permissions from parent to propagate to
this object option on the C:\Documents and Settings\Default User folder,
and reset the permissions on all child objects.
G. Move and retain permissions and compressions
Ans: B, F

191. Maria is a member of the local Administrators group. She has
administrator rights to assist you with administering the server, creating
backups and running User Manager. Some users complain that she reads and
changes their documents and sensitive data. You want Maria to have fewer
rights. What rights should you give?
A. Remove Maria from Admin group. Add her to Power user and Backup
operator
B. Leave her as Administrator and choose "deny" on Users files
Ans: A

192. You are the administrator of a network supporting Windows 2000
Professional computers connected to a Windows 2000 Server domain. You have
assigned permissions to the appropriate network and printer resources to
the Developers group. Ten new users have been hired, and you are
installing ten new computers to run Windows 2000 Professional. You want
the new users to have these capabilities:
- Log on to any computer in the domain and run the same applications.
- Log on to any computer in the domain and receive the same display settings.
- Log on to any computer in the domain and access the same network connections.
- Log on to any computer in the domain and receive the same printer connections.
Your proposed solution is to configure the computers to join the domain,
create ten new domain user accounts, add them to the Developers group, and
configure a roaming user profile for each user. Which results does the
proposed solution provide? (Choose all that apply.)
a) Users can log on to any computer in the domain and run the same
applications.
b) Users can log on to any computer in the domain and receive the same
display settings.
c) Users can log on to any computer in the domain and access the same
network connections.
d) Users can log on to any computer in the domain and receive the same
printer connections.
ANS: B, C, and D

193. You are the administrator of your company's network. Your network has
20 Windows 2000 Server Computers in the contoso.com domain. Your network
also has 250 Windows 98 Computers. You want to perform a clean
installation of Windows 2000 Professional on all of the Windows 98
Computers. All of the Windows 98 Computers are identical models and are
PXE Compliant. You want to accomplish the following goals:
- An unattended installation of Windows 2000 Professional will be performed.
- An unattended installation of company-standard applications will be
performed during the installation of Windows 2000 Professional.
- Each Computer will be assigned a unique Security Identifier Descriptor
(SID).
- The unattended installation script will be modified so that the
Computers automatically join the Contoso.com domain.
You take the following actions:
- Install Windows 2000 Professional on a Windows 98 Computer named Computer 1.
- Install and configure company-standard applications on Computer 1.
- Use Setup Manager on Computer 1 to create an Unattend.txt file based on
the current Configuration, including domain membership.
- Start the remaining Windows 98 computers, and then install Windows 2000
Professional. Use the Unattend.txt file to provide the settings for the
installation. Which result or results do these actions produce? (Choose all
that apply.)
A. An unattended installation of Windows 2000 Professional is performed.
B. An unattended installation of company-standard applications is
performed during the installation of Windows 2000 Professional.
C. Each Computer is assigned a unique SID.
D. The unattended installation script is modified so that the Computers
automatically join the contoso.com domain.
ANS: A, C, D

194. One user leaves your company and another gets his position. How can you
give the same permissions and restrictions to him while minimizing your
work? The old user must have no further access.
a. Rename the user account and change the password.
b. Copy the old account to the new account and then delete the old
account.
c. Copy the old user profile to the new user account.


d. Delete the old account. Create a new account and place it in all the
groups that the old account was in. Manually re-assign all the user
specific rights and permissions from the old account to the new account.
ANS: A

195. You are an administrator of your company's network. You want to perform
routine upgrades on your Windows 2000 Server computer. You use your
non-administrator user account in the domain to log on to the server. You
want to update all of the critical system files and patches on the server
in the shortest possible time. What should you do?
A. Run Windows Update.
B. Run System File Checker.
C. Log on as an Administrator and run Windows Update.
D. Log on as an Administrator and run System File Checker.
ANS: C

196. You are the administrator of your company's network. Your company has
offices in Hong Kong, Madrid, New York, Paris, and Tokyo. A user named
Carmen works in the New York office, but she often travels to the Madrid
office. Carmen uses the Multilanguage version of Windows 2000 Professional
on her portable Computer. She needs to be able to access both an English and
Spanish user interface, input locale, and keyboard layout/IME. When Carmen
is in the New York office, she logs on to the network by using the Carmen
Eng user account. She is given the English user interface, input locale,
and keyboard layout/IME. When she is in the Madrid office, she logs on to
network by using the Carmen Spanish user account. She is then given the
Spanish user interface, input locale, and keyboard layout/IME. Carmen
reports that when she logs on to the network by using the Carmen Eng user
account, she is not allowed to add any languages to her Computer other
than English (US), which is already installed. What should you do?
A. Add the Spanish keyboard layout/IME for the Carmen eng user account
profile.
B. Add the English keyboard layout/IME for the Carmen span user account
profile.
C. Reconfigure the Group Policy object for the Carmen eng user account to
allow her to change languages on her computer.
D. Reconfigure the Group Policy object for the Carmen span user account to
allow her to change languages on her Computer.
ANS: C

197. You are the administrator of your company's network. You run the
Multilanguage version of Windows 2000 Professional on 1500 computers.
Users can choose Chinese, English (US), German, Japanese, or Spanish as
their language environment. A user named Suzanne wants to change her
computer desktop and user interface from English to Japanese. She reports
that she used Regional Options in Control Panel to install Japanese as a
language preference. However, her computer desktop and user interface
remain in English. What should you instruct Suzanne to do?
A. Set Japanese as the default language by using Regional Options in
Control Panel.
B. Set Japanese as the default locale and keyboard layout/IME language by
using Regional Options in Control Panel.
C. Select Japanese by using Regional Options in Control Panel. Then log
off and log back on.
D. Select Japanese in the locale and keyboard layout/IME settings on the
taskbar. Then install the code page conversion table.
ANS: C

198. Kristin works between 2 offices. From her laptop, she logs into her
Boston account using her login "Bost_Eng". She only has the English
version available. When Kristin logs into her Mexico account "Mex_Span",
she only has Spanish language available. Kristin logs in to the Bost_Eng
account and needs to use Spanish. She tries to install Spanish but is not
able to. You are the network administrator; how do you address this problem
so that Kristin can use English and Spanish from her Bost_Eng account?
A. Change her settings in the OU to allow Kristin to use Spanish
B. Give her appropriate permissions to allow her to install the Spanish
language option.
Ans: B

199. You run the English (US) edition of windows 2000 professional on your
computer. You are developing a product installation document that has text
in both English and Spanish. The word processing program you are using is
a Windows 16-bit character-based application. You start the word
processing program and complete the English Portion of the document. You
then install Spanish as a language group by using Regional Options in
Control Panel. However, you cannot use Spanish to complete the Spanish
portion of your document. What should you do?
A. Save and close the word processing program. Select Spanish by using
the locale indicator on the taskbar, and restart the word processing
program.
Ans: A

200. You are the administrator of your company's network. Your company is
based in Russia and conducts the majority of its business in Russian.
Users in your company create, view, and edit documents in English (US),
French and Spanish to communicate with vendors internationally. Users run
the Russian localized edition of windows 2000 professional on their
desktop and portable computers. A user named Katrin wants to create a word
processing document in both English and Spanish by using Notepad in
windows 2000 professional. She requests your assistance in enabling
English and Spanish on her computer. What should you do?
A. Instruct Katrin to select the desired input locale for either English
or Spanish within Notepad.
B. Instruct Katrin to select the input locale indicator on the taskbar and
select either English or Spanish
C. Instruct Katrin to use Regional Options in Control Panel to add input
locales and keyboard layouts/IME for both English and Spanish.
D. Create a local computer policy for Katrin's computer to include both
English and Spanish.
ANS: C, D


201. You are the administrator of a Windows 2000 network for Parnell
Aerospace. You upgrade 10 computers from Windows 98 to Windows 2000
Professional. You want the computers to join the parnellaerospace.com
domain. What should you do?
A. Log on to one of the Computers and create 10 unique Computer accounts
in Active Directory.
B. Log on to each Computer and create the Computer account for each
Computer when prompted to do so.
C. Log on to each Computer by using the domain Administrator account, join
the domain, and then create the computer account for each Computer when
prompted to do so.
D. Reconfigure TCP/IP on each Computer to ensure that the computers are on
the same subnet as the domain controller for the parnellaerospace.com
domain.
ANS: D
(Why not C, check this out)

202. You are the administrator of the Coho Vineyard network. The network
consists of 10 Windows 2000 Advanced Server computers and 250 Windows 2000
Professional computers. Your company has two domains: cohovineyard.com and
westcoastsales.com. The company's intranet site is on a Windows 2000
Advanced Server computer named ServerA. ServerA is on the cohovineyard.com
domain and is running Internet Information Services (IIS) and Microsoft
Proxy Server 2.0. You want to configure the Windows 2000 Professional
Computers in the westcoastsales.com domain to access the intranet site.
You want users to be able to connect to the intranet site by using the URL
http://servera/ rather than its fully qualified domain name. What should
you do?
A. Add cohovineyard.com to the Domain Suffix Search Order on the
computers.
B. Add westcoastsales.com to the Domain Suffix Search Order on the
computers.
C. Add westcoastsales.com to the exceptions list in the proxy server
settings on the computers.
D. Configure the proxy server settings on the computers to bypass the
proxy server for intranet addresses.
ANS: A
Explanation: To get to ServerA from outside the domain a computer
has to resolve the name to an IP address. If using DNS, it needs the fully
qualified domain name, which consists of the computer name appended to the
domain name...like this - servername.domainname.com. When you use the
Domain Suffix Search Order option, it will try to resolve the name ServerA
with the DNS. When it fails, it will append the listed domain names on the
end and try to resolve it then. This means that when a user types in the
server name only, it will successfully resolve it to
ServerA.cohovineyard.com - it's like a short cut. Go to the TCP/IP
properties, Advanced Button, DNS Tab, and then note the "Append these DNS
Suffixes (in order)". Whatever Domain Names you have at your company can
be added here. They will be appended after the ServerA server name and
resolved, one after another.
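To make the suffix-search explanation above concrete, here is an added Python model of the "Append these DNS suffixes (in order)" behaviour; it is not code from the original page, the zone data and addresses are constructed, and dns_lookup stands in for a real resolver query.

```python
# Constructed zone data standing in for the company's DNS (assumed for this
# example; the addresses are not from the page).
ZONE = {
    "servera.cohovineyard.com": "10.0.1.10",
    "mail.westcoastsales.com": "10.0.2.25",
}


def dns_lookup(fqdn):
    """Stand-in for a real DNS query: returns an address, or None on NXDOMAIN."""
    return ZONE.get(fqdn.lower().rstrip("."))


def resolve_with_suffix_search(name, suffix_search_order, lookup=dns_lookup):
    """Model the "Append these DNS suffixes (in order)" behaviour.

    The name is first tried exactly as typed.  If that fails, each configured
    suffix is appended in turn until one candidate resolves.  A name ending
    in a dot is treated as absolute and never gets a suffix appended.
    Returns a dict with the address found (or None), the fully qualified
    name that resolved, and every candidate attempted, in order."""
    attempts = []
    candidates = [name]
    if not name.endswith("."):
        candidates += [f"{name}.{suffix.strip('.')}"
                       for suffix in suffix_search_order]
    for candidate in candidates:
        attempts.append(candidate)
        address = lookup(candidate)
        if address is not None:
            return {"address": address, "resolved_as": candidate,
                    "attempts": attempts}
    return {"address": None, "resolved_as": None, "attempts": attempts}


if __name__ == "__main__":
    # Before the change in question 202: a westcoastsales.com client only
    # carries its own suffix, so http://servera/ cannot be resolved.
    print(resolve_with_suffix_search("servera", ["westcoastsales.com"]))
    # After adding cohovineyard.com to the search order, the short name
    # resolves to servera.cohovineyard.com.
    print(resolve_with_suffix_search(
        "servera", ["westcoastsales.com", "cohovineyard.com"]))
```

Order matters: the first suffix that produces a match wins, so the company's own domains belong ahead of any others in the list.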


203. Based on the exhibit: three computers (PC1, PC2, PC3) and a DHCP server
are on the sales segment of the network. PC1, PC2 and the DHCP server all
have TCP/IP installed, with IP addresses 192.168.10.31, .32 and .34 and
subnet mask 255.255.255.0. They all have the wrong default gateway,
192.168.10.20, while the router is labeled 192.168.10.60. PC1, PC2 and the
DHCP server also have NWLink with the 802.2 frame type. PC3 has NWLink 802.3
only, with no IP. The development segment is on the other side of the router
and is configured with 192.168.10.x addresses, subnet mask 255.255.255.0 and
a default gateway that matches the router. PC1 and PC2 cannot see computers
on the development segment, and PC3 cannot see anybody. What should you do
so that everybody on both subnets can see everybody else? (Select 2.)
A. Change the IP configuration on the DHCP server to have the right
default gateway address. Install TCP/IP with default settings on PC3.
Ans: A

204. TCP/IP diagram question: four PCs are on one side of the router, three
configured with TCP/IP and NWLink 802.2 and the fourth with NWLink 802.2
only. Their gateway configuration is wrong; the other side is all TCP/IP,
configured correctly for the router. What are the two best things to do to
get them all talking together?
A. The DHCP server was handing out bad gateway addresses
B. Configure the Nwlink PC to use DHCP
C. Configure the Nwlink PC to use 802.2
D. Configure everyone to use NETBEUI
Ans: A, C

205. You are trying to copy big files from a UNIX server to a Windows 2000
computer (running TCP/IP). You do the copy in Explorer. The files are 100 MB
each, and you need to copy 20 of them. The copy always aborts. What should
you do to resolve the problem?
A. Install network monitor agent, use performance console and review all
counters for TCP/IP.
B. Install network monitor agent, use performance console and review
Fragmented Datagrams/Sec.
C. Install SNMP and monitor TCP/IP counters.
D. Install simple TCP/IP protocol and monitor Fragmented Data
Ans: B

206. You are installing Windows 2000 Professional on 25 computers. You want
to prevent users from installing device drivers that might cause computers
to become unstable. You want users to be able to install device drivers
only for devices that are included on the current Hardware Compatibility
List (HCL). What should you do?
A. Create a Local Computer Policy to enable Windows File Protection.
B. Create a Local Computer Policy to prevent users from installing device
drivers.
C. Add Users to the Power Users local group rather than to the
Administrators group.
D. Enable driver signing to prevent the installation of unsigned drivers,
and set driver signing as a system default.
ANS: D

207. You are an administrator in a company that has Windows 2000
Professional systems. Your users have been installing unsupported USB
drivers on their systems, causing them to lock up and fail. You want to
ensure that only drivers that are in the HCL can be installed. What must
be done? (Choose 2)
A. Ignore - Install all files, regardless of file signature
B. Warn - Display a message before installing an unsigned file
C. Block - Prevent installation of unsigned files
D. Apply setting as system default
Ans: C, D

208. Roger is a new user in your company for whom you have just created an
account. Roger logs on to his computer for the first time and is annoyed by
the background that has been configured for his account. He attempts to
change the background and is successful. After working for a couple of
hours he logs off his computer and heads to lunch. When he returns from
lunch, he logs on to his computer and notices that he has the original
background again. You receive a call from Roger, who would like to know why
this happened. What is the most likely explanation?
A. Roger does not have the appropriate permission to the bitmap file for
the background he wishes to use. You must have at least Read permission to
the file containing the background you wish to use.
B. Roger is not a member of the Power Users group. In order to make
permanent changes to user settings, you must be a member of this group.
C. Roger's account has been configured with a mandatory profile. In this
case, the user can still modify the desktop, but the changes are not saved
when the user logs off.
D. Roger's account is a member of the Guest Users group. Members of the
Guest Users group automatically have their changes discarded upon logoff.
Answer: C

209. A user has a laptop which he uses offline and online. You want to
change the user's profile to roaming, but when you attempt to change the
setting, the "change to roaming" option is grayed out. How do you address
this problem?
A. In control panel, system, change profile to roaming
B. Have him log back into the network then see if option is not grayed
out.
C. None of these choices are right. The grayed out option means that
the profile is a local profile and can't be converted to roaming. See the
topic "To switch between a roaming and local user profile" in the W2KPro
online help and see the topic "To create a roaming user profile" in the
W2KServer online help.
Answer: C

210. You want to change the location of a user's roaming profile from
C:\Documents and Settings to a network share \\pdc\users\<user name>. How
do you do this?
A. On the server, configure the user properties and set the profile path to
\\pdc\users\%username%
Ans: A

211. Sandy has a Windows 2000 Professional system. Today she is visiting
another department and is using a Windows NT 4.0 system. She wants to
print a document but is missing her printer. You want her to be able to
print from any computer she logs in at. What can you do to ensure that she
has this ability?
A. Create a roaming profile
Ans: A

212. Sandy has a roaming profile set up for her Windows 2000 Professional
system. Today she is visiting another department and is using a Windows
NT 4.0 system. All of her roaming profile settings are missing. What's the
problem?
A. Create a roaming profile. (Windows 2000 profiles DO roam to NT 4.0; see
the topic "User profiles overview" in the W2KServer online help.)
Ans: A

213. Your network currently has a mixture of Windows 2000 Professional,
Windows 95 and Windows 98 clients. The clients are distributed between
four different subnets. Although you eventually plan to migrate your
Windows 95 and Windows 98 clients to Windows 2000 Professional, the
migration probably will not happen for at least another year. In the
meantime you would like to allow all of the clients to be able to connect
to all of the other clients and share data and printers. However, you want
to minimize the amount of administration that must take place when a new
computer is added to the network or when a computer's IP address is
changed. What would be the best method of allowing these clients to
interact using user-friendly NetBIOS names?
A. Create a DHCP server for the network and configure all of the client
computers to use the DHCP server.
B. Create a DNS server for the network and configure all of the client
computers to use the DNS server.
C. Create a WINS server for the network and configure all of the client
computers to use the WINS server.
D. Configure all of the client computers to support multicasting.
E. Configure all of the client computers to use Automatic Private IP
Addressing (APIPA).
F. Implement HOSTS files on all of the client computers.
G. Implement LMHOSTS files on all of the client computers.
Answer: C

214. You are creating two custom Microsoft Management Consoles (MMCs) for
use on your company's network. The first console will be called
"topadmin.msc" and will be used by top-level administrators to perform
daily tasks on the network. The second console will be called
"levelone.msc" and will be used by entry-level members of the support
staff to perform limited troubleshooting functions. You would like the
users of "topadmin.msc" to have the ability to make changes to the MMC,
including the ability to add or remove snap-ins, create new windows,
create taskpad views and tasks, add items to the Favorites list, and view
all portions of the console tree. You would like users of "levelone.msc"
to have full access to the console tree and all window management
commands. However, you want to prevent them from adding or removing
snap-ins and from changing the console properties. Which of the following
would be the best solution to achieve these objectives?
A. Configure "topadmin.msc" with an access level of "Author mode" and
"levelone.msc" with an access level of "User mode - limited access,
multiple window"
B. Configure "topadmin.msc" with an access level of "Author mode" and
"levelone.msc" with an access level of "User mode - full access"
C. Configure "topadmin.msc" with an access level of "User mode - full
access" and "levelone.msc" with an access level of "Author mode"
D. Configure "topadmin.msc" with an access level of "User mode - full
access" and "levelone.msc" with an access level of "User mode - limited
access, multiple window"
Answer: B

215. You have a Windows 95 computer with a Pentium 133, 64 MB of RAM, 2 GB
of hard disk space, and a CD-ROM. The network adapter is not PXE boot ROM
compliant. You want this computer to use Dfs since that will be a standard
for everyone on the upgraded network. What should you do to enable Dfs on
this machine?
A. Create a remote installation boot disk by running rbfg.exe. Upgrade the
system to Windows 2000 Professional from the network installation source.
B. Use the empty PCI slot to add a new PXE boot ROM-compliant network
adapter, set the BIOS to start from the network adapter card, and upgrade
to Windows 2000 Professional.
C. Create the four boot floppies to run startup and use the CD-ROM drive
to finish the upgrade to Windows 2000 Professional, since this CD-ROM is
too old to be a bootable device.
D. Install Internet Explorer (IE) 4.01 or later and enable the Active
Desktop components. Install the Directory Service Client.
Once again, none of these answers are correct. DFS was available in NT 4.0
but is enhanced in W2K. DFS is NOT supported by DOS, Windows 3.1, or any
other non-Windows OS. It is supported on Windows 9x and higher, so A, B,
and C do not need to be done. In order for it to work in a 9x environment,
you must download and install the proper DFS client software from the MS
website, not the Directory Service client, nor do you need to use the
Active Desktop components as D says.
Ans: A

216. You are the administrator of a Windows 2000 network. Users in the
engineering department run Windows 2000 Professional on their desktop
computers. The size of the department has recently expanded from five
users to 10 users. Users need to be able to update files in a shared
folder named CommonData. The folder is stored on a FAT16 partition on one
of the Windows 2000 Professional computers on the network. The files in
CommonData are published in the Active Directory so that other users in
the company can refer to them. The network also uses Distributed File
System (DFS) to simplify access to its user data. Users in the engineering
department report that when they try to access CommonData, they receive
the following error message: "CommonData is not accessible. No more
connections can be made to this remote computer at this time." You want to
ensure that users can access the files. What should you do?
A. Move CommonData to FAT32 partition on the host Computer, and share it
again.
B. Move CommonData to an NTFS partition on the host computer, and share it
again.
C. Increase the user limit on the network share to the maximum allowed.
D. Increase the Clients Cache this Dfs referral value on the Dfs leafnode
that describes the data.
ANS: D

217. You install the boot volume D on your Windows 2000 Server computer on
dynamic Disk 0. You mirror volume D on dynamic Disk 1. One year later,
during routine server maintenance, you open Disk Management and find that
the status of volume D is Failed Redundancy. The status of Disk 1 is
Online (Errors). A symbol with an exclamation point appears in the
graphical view of the disk. You want to return the status of the boot
volume to Healthy. What can you do? (Choose two.)
A. Break the mirror, delete the volume on Disk 1, and re-create the
mirror.
B. Replace Disk 1, copy the data from the boot volume to the new disk, and
then use Disk Management to rescan the disks.
C. Replace Disk 1, Ensure that the new disk is a basic disk, and repair
the volume.
D. Reactivate the mirror on Disk 1.
E. Convert Disk 1 to a basic disk, and reconvert it to a dynamic disk.
ANS: A, D

218. Your Windows 2000 Server computer contains a stripe set with parity on
a four-disk array. You convert the stripe set with parity to a dynamic
RAID-5 volume. Six months later, users report that disk access on the
server is slower than it had been on the previous day. You use Disk
Management and discover that the status of the third disk in the array is
Missing. You want to recover the failed RAID-5 volume. What should you do
first?
A. Replace the third disk and restart the server. Use disk Management to
repair the volume.
B. Ensure that the third disk is attached to the server and has power. Use
Disk Management to reactivate the disk.
C. Ensure that the third disk is attached to the server and has power. Use
Disk Management to repair the volume.
D. Install a new disk and create a single extended partition on the new
disk. Restart the computer and allow Windows 2000 to automatically repair
the volume on the extended partition.
ANS: B
See the topic "Repairing a dynamic RAID-5 volume" on the W2KServer
online help.

219. You are the administrator of a Windows 2000 domain that has three
domain controllers. Each day, you use Windows Backup to perform full
backups of each domain controller. You run a script to make changes to
account information in Active Directory. As a result of errors in the
script, the incorrect user accounts are modified. Active Directory
replication then replicates the changes to the other two domain
controllers. You want to revert Active Directory to the version that was
backed up the previous day. What should you do?
A. On a single domain controller, use Windows Backup to restore the System
State data. Shut down and restart the computer.
B. Shut down and restart a single domain controller in directory services
restore mode. Use Windows Backup to restore the System State data. Run the
Ntdsutil utility. Restart the computer.
C. Shut down and restart a single domain controller by using the Recovery
Console. Use Windows Backup to restore the System State data. Exit the
Recovery Console. Restart the computer.
D. Shut down and restart each domain controller by using the Recovery
Console. Use Windows Backup to restore the Sysvol folder. Exit the
Recovery Console. Restart the computer.
ANS: B
See the topic "Restoring a domain controller" on the W2KServer
online help.

220. Your network contains NetWare 4.0 Servers. You have successfully
installed Client Service for NetWare on Windows 2000 Professional
computers, and Gateway Service for NetWare on Windows 2000 Server
Computers. You recently added a new Windows 2000 Server computer to the
network and installed Gateway Service for NetWare on it. However, the
server is unable to connect to any NetWare servers. What should you do on
the new Windows 2000 Server computer to resolve this problem?
A. Enable NWLink NetBIOS.
B. Configure the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol to
use the correct Ethernet frame type.
C. Install RIP routing for IPX.
D. Install the SAP Agent.
ANS: B

221. Which of the following options is not an event type logged in the
Windows 2000 Professional Event Viewer utility?
A. Information
B. Critical
C. Warning
D. Error
Answer: B
The event types logged in Event Viewer are Information, Warning,
and Error. Success Audit and Failure Audit events are also logged when
events have been audited for success or failure. There is no event type
called Critical.

--------------------------------------------------------------------------------

1. You maintain a single stand-alone Windows 2003 Server for a small business. You want
to install a legacy SCSI controller in this server.
You install the board but it fails to work. You notice in system manager that there is a
yellow warning with an exclamation mark next to the SCSI controller icon.
You suspect that there may be an IRQ conflict with another installed legacy device, an old
sound card.
How should you configure the SCSI controller?
A. SELECT THE SCSI CONTROLLER IN DEVICE MANAGER. FROM THE
RESOURCES TAB, DISABLE AUTOMATIC SETTINGS, THEN SCROLL
THROUGH THE DIFFERENT IRQs UNTIL YOU FIND ONE THAT DOESN'T
CONFLICT.

2. Dennis is administrator for Power Tech Inc. For security reasons, he wants to log on
using a non-administrative account, but run his applications under his regular
administrator account. Which logon option should he enable?

A. SECONDARY LOGON
SECONDARY LOGON WILL ALLOW DENNIS TO LOG ON USING A NON-
ADMINISTRATIVE ACCOUNT BUT RUN HIS APPLICATIONS UNDER HIS
ADMINISTRATIVE ACCOUNT.

3. You have configured several users to be able to connect to one of your servers using
Terminal Services, and you have configured redirection of client printers.
You want users to be able to print to their local printers from a remote connection.
However, your users report they are unable to print to their locally configured printers.
What should you do?
A. ENABLE THE CLIENT/SERVER DATA REDIRECTION SETTING IN GROUP
POLICY FOR EVERY TERMINAL SERVER CLIENT COMPUTER.
IF SET TO DISABLED, THIS WILL OVERRIDE THE DATA REDIRECTION SETTINGS
ON THE TERMINAL SERVER. ANSWER D WILL ONLY CONTROL OUTGOING
TERMINAL SERVER CONNECTIONS THAT ORIGINATE FROM THE TERMINAL
SERVER.

4. Your boss asks you to implement a UNIX server to function with your Windows 2003 IIS
server. The first request from the UNIX server seems to work fine, but after that all
requests receive 404 File Not Found error messages from the IIS Server.
What could be the problem?
A. STATIC FILE CACHE STORES FILENAMES USING UPPERCASE
THE STATIC CACHE IS STORING FILES USING UPPERCASE, WHEREAS THE UNIX
REQUESTS ARE CASE SENSITIVE.

5. You are the network administrator for Acme Inc. There are several remote offices spread
over the globe, each one configured as an Active Directory site.
Several users are having problems accessing file servers in the Spain office. However, you
can connect perfectly using Terminal Services. You check the permissions and they
are fine.
What should you do?
A. ADD SOME WINDOWS 2003 SERVER LICENSES TO THE SITE LICENSE
SERVER FOR THE SPAIN SITE.
YOU SIMPLY NEED TO ADD SOME LICENSES TO THEIR SITE LICENSE SERVER. WE
CAN BE SURE OF THIS BY THE FACT THAT YOU CAN ACCESS IT VIA TERMINAL
SERVICES.

6. You install a new print server for your company. You attach a printer and install the
drivers. But when you try to print, the page comes out garbled or doesn’t print correctly.
What could be the problem?

A. YOU ARE USING AN INCORRECT DRIVER.
YOU ARE MOST LIKELY USING AN INCORRECT DRIVER.

7. You want to delegate responsibility for some basic administrative tasks in the TRAINING
OU to Melanie, who is an intern in your company.
You log on to Melanie’s computer as Melanie, and you use the Run As command to load
Active Directory Users and Computers using your credentials. You then assign Melanie to
the PWADMINS group which has permissions to modify user account credentials in the
TRAINING organizational unit. You then close Active Directory Users and Computers.
When Melanie attempts to modify a user password, she is denied access. What should
you do?
A. INSTRUCT MELANIE TO LOG OFF AND THEN LOG ON AGAIN.
MELANIE'S OLD ACCOUNT CREDENTIALS ARE CACHED IN MEMORY AND
REQUIRE THAT SHE OBTAIN A NEW TOKEN. SHE CAN ACCOMPLISH THIS MOST
EASILY BY LOGGING OFF AND BACK ON AGAIN.

WINDOWS 2003 INTERIM MODE.
WINDOWS 2003 INTERIM MODE IS THE CORRECT CHOICE TO ALLOW WINDOWS
NT 4.0 AND WINDOWS 2003 SERVER TO COEXIST. WINDOWS 2000
MIXED MODE WOULD ALSO ALLOW THIS, BUT THE QUESTION DIDN'T SPECIFY
THAT THERE WAS A NEED TO PROVIDE SUPPORT FOR WINDOWS 2000 SERVERS.

8. Which command allows you to scan files while your computer is still switched on?
A. SFC /SCANNOW
SFC /SCANNOW WILL BEGIN SCANNING SYSTEM FILES IMMEDIATELY.

9. How would you create an OU named SIMPSON from the command line?

A. DSADD OU "OU=SIMPSON,DC=SIMPDOMAIN,DC=COM"
THE ABOVE SYNTAX WILL CREATE AN OU NAMED SIMPSON FROM THE COMMAND
LINE.

Where is cached Universal Group information stored?

A. When Universal Group caching is enabled, the user's Universal Group membership is
stored in the msDS-Cached-Membership attribute of the user's account, and the current
time is written to the msDS-Cached-Membership-Time-Stamp value, along with
msDS-Site-Affinity, which identifies the user's logon site the first time he or she logs on.
Only the msDS-Site-Affinity attribute is replicated between domain controllers (DCs); the
timestamp and list of group SIDs aren't replicated and are stored only on the
authenticating DC. The next time the user logs on, the system reads the SIDs from the
msDS-Cached-Membership attribute instead of consulting a Global Catalog (GC),
assuming the msDS-Cached-Membership-Time-Stamp is within the staleness period
(7 days by default). If the cached membership information is stale, the system consults a
GC for Universal Group membership information and updates the
msDS-Cached-Membership and msDS-Cached-Membership-Time-Stamp attributes. The
cached information is updated every 8 hours by default, and as many as 500 users will
refresh in each refresh cycle. To modify the default values associated with cached
Universal Groups, perform these steps:
1. Start the registry editor (regedit.exe).
2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
registry subkey.
3. From the Edit menu, select New - DWORD Value and enter the name of one of
the values in TABLE 3. Press Enter. Double-click the new value and set it to the
desired value. Click OK.
4. Close the registry editor.

How can I enable anonymous Lightweight Directory Access Protocol (LDAP)
connections under Windows Server 2003?

A. By default, connections to Active Directory (AD) must bind via a set of credentials so
that they can perform a meaningful directory search. If you have applications that can't
authenticate, you can enable anonymous LDAP connections. To do so, perform these
steps:
1. Start adsiedit.msc, which is part of the Windows 2000 or later support tools
(Start, Run, adsiedit.msc).
2. Expand the Configuration container. Expand Services - Windows NT.
3. Right-click "CN=Directory Service" and select Properties.
4. Double-click the dSHeuristics attribute.
5. If the value is Not Set, set it to 0000002. If the value field isn't blank, change the
seventh character of the string to 2 (e.g., if the value is 001, you'd change it to
0010002). Click OK.
6. Close ADSI Edit.
After the change has replicated to all domain controllers (DCs), Windows 2003 will allow
anonymous LDAP connections. However, ACLs on the data in AD still apply, so to let
anonymous users view objects, you need to grant them Anonymous logon access rights.
For example, to let anonymous users view an OU's contents, grant "Anonymous logon"
the List Contents right.

How can I enable the List Object security option in Active Directory (AD)?

A. By default, users can view the content of organizational units (OUs). You can prevent
users from viewing OU content by removing the List Contents right for that OU, or you
can use the List Object permission to explicitly select which objects in an OU are
viewable by particular users or groups.
To enable the List Object option, perform these steps on a domain controller (DC) or on a
machine that has adsiedit.msc installed. (ADSI Edit is part of the Windows 2000 or later
support tools.)
1. Start adsiedit.msc (Start, Run, adsiedit.msc).
2. Expand the Configuration container. Expand Services - Windows NT.
3. Right-click "CN=Directory Service" and select Properties.
4. Double-click the dSHeuristics attribute.
5. If the value is Not Set, set it to 001. If the value field isn't blank, change the third
character of the string to 1, as the figure shows. Click OK.
6. Close ADSI Edit.
Now when you select an object's advanced security properties, a new List Object property
is displayed, as the figure shows.
You need to ensure that you set the List Object right not only on the objects you want to
be visible but also on the OU containing the objects. Remember to remove the List
Contents permission from the container for users whom you don't want to view the entire
contents. For example, by default the Authenticated Users group has List Contents
permission, so you'd need to remove that right to allow the more granular List Object
capability.
Be careful when using the List Object functionality because it makes DCs perform extra
work. The DC must check every object in a container to determine whether the object
should be visible instead of merely checking the container for a general list or "not list"
option.
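
Both dSHeuristics procedures on this page (the seventh character for anonymous LDAP, the third for List Object) come down to the same string edit, so here is one added Python helper that computes the new value from the current one; it is not from the original FAQ. The position constants and the pad-with-zeros rule are taken from the steps above; the rule that every tenth character must equal its tens digit comes from Microsoft's MS-ADTS specification and only matters when padding past position 9. The is_*_enabled functions are the audit side: the same position check lets you verify what a forest currently has set.

```python
from typing import Optional

# 1-based character positions documented in the two procedures on this page.
ANON_LDAP_POS = 7     # seventh character: "2" allows anonymous LDAP binds
LIST_OBJECT_POS = 3   # third character: "1" enables the List Object right


def set_dsheuristics_char(current: Optional[str], position: int, char: str) -> str:
    """Return the dSHeuristics string with `char` written at 1-based `position`.

    None models the <Not Set> state shown in ADSI Edit. A value shorter than
    `position` is padded with "0" first. MS-ADTS requires every tenth
    character (positions 10, 20, ...) to equal its tens digit ("1", "2", ...),
    so padding honours that; the positions used on this page are below 10.
    """
    if position < 1:
        raise ValueError("dSHeuristics positions are 1-based")
    if len(char) != 1:
        raise ValueError("exactly one character must be written")
    chars = list(current or "")
    while len(chars) < position:
        idx = len(chars) + 1          # 1-based index of the character being appended
        chars.append(str(idx // 10) if idx % 10 == 0 else "0")
    chars[position - 1] = char
    return "".join(chars)


def enable_anonymous_ldap(current: Optional[str]) -> str:
    """New value for the anonymous-LDAP procedure (seventh character -> 2)."""
    return set_dsheuristics_char(current, ANON_LDAP_POS, "2")


def enable_list_object(current: Optional[str]) -> str:
    """New value for the List Object procedure (third character -> 1)."""
    return set_dsheuristics_char(current, LIST_OBJECT_POS, "1")


def is_anonymous_ldap_enabled(value: Optional[str]) -> bool:
    """Audit check: does this dSHeuristics value permit anonymous LDAP binds?"""
    return bool(value) and len(value) >= ANON_LDAP_POS and value[ANON_LDAP_POS - 1] == "2"


def is_list_object_enabled(value: Optional[str]) -> bool:
    """Audit check: is the List Object permission mode switched on?"""
    return bool(value) and len(value) >= LIST_OBJECT_POS and value[LIST_OBJECT_POS - 1] == "1"


if __name__ == "__main__":
    print(enable_anonymous_ldap(None))     # <Not Set> becomes 0000002
    print(enable_anonymous_ldap("001"))    # existing List Object setting is preserved
```

Reading the current value and passing it through the helper, rather than typing a whole new string, is what keeps an existing setting (such as the 1 in position three) intact. On the audit side, a 2 in the seventh character is worth flagging in any domain review, because it widens who may bind even though, as the FAQ notes, the object ACLs still decide what an anonymous bind can read.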

How can I turn off compression for Active Directory (AD) intersite replication?

A. Replication between sites is normally compressed, which uses up extra processing on
the domain controllers (DCs) but saves network bandwidth. If you have very fast links
between sites and would rather use extra bandwidth than CPU cycles to compress the
traffic, perform the following:
1. Start the Adsiedit tool by typing the command
Adsiedit.msc
Adsiedit is a support tool, so you must have installed the Windows Support Tools
from the Windows 2000 Server or later CD-ROM (support\tools folder).
2. Expand the Configuration container, then expand CN=Sites and CN=Inter-Site
Transports. Select CN=IP.
3. The right pane of the Adsiedit tool lists your site links. Right-click the site link for
which you want to turn off compression and select Properties from the context
menu.
4. Double-click the Option attribute.
5. If the Option value is currently <Not Set>, enter 4 and click OK. If it has a value,
you need to derive its new value. To do so, convert the current value to binary
and then use the OR function to combine it with 0100. For example, a current
value of 1 is 0001 in binary. If you OR 0001 with 0100, you get 0101, which,
converted to decimal, is 5. Therefore, you enter a value of 5.

How can I enable notification-based replication between Active Directory (AD)
sites?

A. Typically, when you make a change on a domain controller (DC), the DC will notify
its replication partners within the site. DCs in other sites must wait for the regular
replication cycle. If you have sites that are connected by a very fast medium and want
notification-based replication between those sites, you can make a change to the site link
to enable intersite notification-based replication by performing the following steps:
1. Start the Adsiedit tool by typing the command
Adsiedit.msc
Adsiedit is a support tool, so you must have installed the Windows Support Tools
from the Windows 2000 Server or later CD-ROM (support\tools folder).
2. Expand the Configuration container, then expand CN=Sites and CN=Inter-Site
Transports. Select CN=IP.
3. The right pane of the Adsiedit tool lists your site links. Right-click the site link for
which you want to enable notification and select Properties from the context
menu.
4. Double-click the Option attribute.
5. If the Option value is currently <Not Set>, enter 1 and click OK. If it has a value,
you need to derive its new value. To do so, convert the current value to binary and
then use the OR function to combine it with 0001. For example, a current value of
4 is 0100 in binary. Then you OR 0100 with 0001 and get 0101, which, converted
to decimal, is 5. Therefore, you enter a value of 5.
You can perform this change only for IP links, not SMTP links, and it will result in more
traffic over the link.
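
The two site-link procedures above (compression off with bit 0100, change notification with bit 0001) are the same bitwise OR on the site link's Option attribute, so here is one added Python example covering both; it is not from the original FAQ. The 0x1 and 0x4 bits are the ones the FAQ describes; the 0x2 two-way-sync bit and the NTDSSITELINK_OPT_* names are taken from Microsoft's MS-ADTS documentation, not from this page.

```python
from typing import Dict, List, Optional

# siteLink option bits. 0x1 and 0x4 are the two this FAQ sets; the 0x2 bit and
# the flag names are from Microsoft's MS-ADTS documentation, not from the FAQ.
NTDSSITELINK_OPT_USE_NOTIFY = 0x1
NTDSSITELINK_OPT_TWOWAY_SYNC = 0x2
NTDSSITELINK_OPT_DISABLE_COMPRESSION = 0x4

FLAG_NAMES: Dict[int, str] = {
    NTDSSITELINK_OPT_USE_NOTIFY: "USE_NOTIFY",
    NTDSSITELINK_OPT_TWOWAY_SYNC: "TWOWAY_SYNC",
    NTDSSITELINK_OPT_DISABLE_COMPRESSION: "DISABLE_COMPRESSION",
}


def set_options_bits(current: Optional[int], bits: int) -> int:
    """OR `bits` into the current value; <Not Set> (None) behaves as 0."""
    return (current or 0) | bits


def clear_options_bits(current: Optional[int], bits: int) -> int:
    """Reverse a change: clear `bits` and leave every other flag as it was."""
    return (current or 0) & ~bits


def decode_options(value: Optional[int]) -> List[str]:
    """Names of the flags set in `value`, for auditing a site link's settings."""
    value = value or 0
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def as_binary(value: int, width: int = 4) -> str:
    """Render a value the way the FAQ does, e.g. 5 -> '0101'."""
    return format(value, f"0{width}b")


if __name__ == "__main__":
    # Compression off on a link that already has notification enabled: 1 | 4 = 5.
    print(set_options_bits(1, NTDSSITELINK_OPT_DISABLE_COMPRESSION), as_binary(5))
    # Notification on a link that already has compression off: 4 | 1 = 5.
    print(set_options_bits(4, NTDSSITELINK_OPT_USE_NOTIFY), decode_options(5))
```

Using OR rather than addition is what makes the change safe to repeat: OR-ing 0001 into a value that already contains it leaves 5 as 5, whereas adding 1 would produce 6 and silently set the two-way-sync bit instead. decode_options is the check to run when reviewing which links have compression disabled or notification turned on, since both change the traffic profile of a WAN link.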

How are password changes communicated between Active Directory (AD) sites?

A. When a domain controller (DC) carries out a password change, the change is forwarded to the
PDC Flexible Single-Master Operation (FSMO) role holder for the domain. This change isn't an
urgent replication but instead is a separate communication that notifies the PDC FSMO outside of
regular replication connections. When a client uses an incorrect password to initiate an
authentication request, before failing the authentication, the DC that received the authentication
request asks the PDC FSMO to verify the password and confirm whether a new password is in
use. If so, the FSMO communicates the password to the DC outside of normal replication cycles
(out of band). This communication for verifying incorrect passwords is for any DC in the domain,
not just those within a local site. If you don't see this behavior, it's possible that someone has
turned off the password-change PDC communication for DCs in sites not local to the PDC
emulator. The process for doing so is described in the FAQ "How can I stop password changes
from being pushed to the PDC FSMO over WAN links?"
( http://www.windowsitpro.com/articles/index.cfm?articleid=21788 ). Firewall restrictions can
also block the password-verification default behavior.

I'm receiving errors from DCs in my domain, which state that the target Principal
Name is incorrect or that access is denied when I attempt to replicate AD data or to
perform some domain-modification functions. What's going on?

A. I recently experienced this problem when I started a DC that I hadn't used for a while
and wanted to demote, but the demotion kept failing. The problem was that the DC's
computer account with the domain had expired and its services could no longer
communicate with other DCs in the domain. I solved the problem by resetting the DC's
account. To do so, perform these steps:
1. Log on to the DC that's having the problems.
2. Ensure that the Windows Support Tools are installed. (We'll be using the Netdom
tool, which is part of the support tools.)
3. Start the Microsoft Management Console (MMC) Computer Management snap-in
(Start, Programs, Administrative Tools, Computer Management).
4. Scroll down to the "Services and Applications" section and select the Services
subleaf.
5. Double-click the Kerberos Key Distribution Center (KDC) service.
6. Set its startup type to Disabled and click OK.
7. Reboot the DC.
8. When the DC restarts, open a command prompt and run this command:
netdom resetpwd /server:<PDC FSMO role holder of domain> /userd:<domain administrator> /passwordd:<domain admin password>
9. You should see a confirmation message stating that the machine account has been
reset.
10. Restart the Computer Management snap-in.
11. Scroll down to the "Services and Applications" section and select the Services
subleaf.
12. Double-click the KDC service.
13. Set its startup type to Automatic and click OK.
14. Reboot the DC.
The DC should now function correctly.

How can I use a script to create a list of domains that an Active Directory (AD)
domain trusts?

A. Using the Active Directory Services Interface (ADSI) you can use a script like the
following sample to query objects from AD--such as trustedDomain objects from a
domain's system container--and thereby obtain a list of all the trusted domains.
Option Explicit
Dim objConnection, objChild
' Bind to the domain's System container (replace the server and DN with your own)
Set objConnection = GetObject("LDAP://vs2003dstdc1.dest.test/cn=system,dc=dest,dc=test")
' Return only trustedDomain objects from the container
objConnection.Filter = Array("trustedDomain")
For Each objChild In objConnection
    WScript.Echo objChild.Name
Next
WScript.Echo "Operation Completed"
Ensure that you replace the "Set objConnection" Lightweight Directory Access Protocol
(LDAP) connection string with one for your domain. For example, if a domain controller
(DC) is DC1 in domain savilltech.com, the line would read:
Set objConnection = GetObject("LDAP://dc1.savilltech.com/cn=system,dc=savilltech,dc=com")

Q. Do I need to take any special steps when restoring a backup of my Relative
Identifier (RID) master?

A. Remember that the RID master is responsible for allocating RIDs (in batches of 500)
to all domain controllers (DCs) in a domain. If the RID master is incorrectly restored
(e.g., from an old backup), it might assign RID pools that it has already issued, resulting
in duplicate SIDs being created in the domain. Therefore, I recommend that you give the
RID master Flexible Single-Master Operation (FSMO) role to a different DC instead of
restoring the RID master.
If you do restore the RID master, be aware that if you have more than one DC in the
domain, the RID master must be able to contact one of them before its RID role will be
started. In a disaster recovery situation, this requirement might be a problem because no
other DCs would be available. Microsoft documents the steps to work around this
problem at http://support.microsoft.com/?kbid=839879.

Q. Where are universal groups stored?

A. Universal groups are stored in the Global Catalog (GC), but does an additional
database exist that stores only universal groups and is replicated among all GCs?
Remember, GCs store a full copy of their local domain's partition and a subset of the
domain database of every other domain in the forest (the only attributes stored are those
defined in the partial attribute set). There is no additional database on top of the partial
copy of every domain. Universal groups are created in
a container within a specific domain, and their member attributes are replicated as part of
the partial database stored on GC servers, whereas the member attributes of regular
groups (e.g., global, local) aren't replicated as part of the partial database. Therefore, the
partial database copy that's stored on every GC server knows the membership of every
universal group from every domain in the forest. This functionality lets GCs store
universal groups. The universal group membership is stored in the domain in which the
universal group was created, and the partial copy of the domain is stored on every GC
throughout the forest.
You can use the ADSI Edit tool to view this setup by performing these steps:
1. Start ADSI Edit (Start, Run, adsiedit.msc).
2. Right-click the root of ADSI Edit and select "Connect to".
3. Enter a name for the connection (e.g., Partial Retail Domain), as the figure shows.
In the Connection Point section, select "Select or type a Distinguished Name or
Naming Context" and enter the distinguished name (DN) of the partition to view
(e.g., dc=retail,dc=savilltech,dc=com). In the Computer section, enter the name of
the GC server that isn't a domain controller (DC) for the partition you selected.
4. Click Advanced.
5. Under Protocol, select Global Catalog and click OK.
6. Click OK at the main dialog box.
7. Expand the new partition under ADSI Edit until you see the container that holds
the universal group you want to view.
8. Right-click the universal group and select Properties.
9. Notice that the member attribute contains the users from all domains. If you look
at a group that isn't a universal group, its member attribute will be empty.

Q. How can I use the ADSI Edit tool to check my domain and forest modes?

A. Domain and forest modes are defined by a combination of three values: For the
domain mode, you need to check the msDS-Behavior-Version and nTMixedDomain
attributes of the Domain container; for the forest mode, you check the msDS-Behavior-Version
attribute of the Partitions container, which you'll find in the Configuration object
of the Forest root. To view these attributes perform these steps:
1. Start ADSI Edit (Start, Run, adsiedit.msc). This tool is part of the Windows 2000
and later Support Tools, so make sure you have these tools installed.
2. Expand the Domain branch. Right-click the domain name and select Properties
from the context menu. (If the domain you want isn't displayed, select "Connect
to..." from the root context menu and enter the domain information, including
credentials for a connection.)
3. Click the Attribute Editor tab and scroll down to view the msDS-Behavior-Version
and nTMixedDomain values. These are the domain-specific values.
4. Expand the Configuration object at the root of ADSI Edit and expand the
Configuration container specific to your forest. Right-click the CN=Partitions
container and select Properties.
5. Click the Attribute Editor tab to view the msDS-Behavior-Version value, as the
figure shows. Click OK.
6. Close ADSI Edit.

Q. Should I define a "catch-all" subnet for my Active Directory (AD) sites?

A. Sites are defined in terms of IP subnets, and when you have multiple physical sites,
you need to associate all existing IP subnets at each location with the correct AD site.
Doing so ensures that clients at those sites will use resources at their local site when
possible. If for some reason (usually by mistake) a subnet hasn't been defined, a client
that has an IP address within that subnet range doesn't belong to a site and therefore will
use any domain controller (DC) in the organization instead of a DC that's local to the
client's site.

To ensure that all clients within your organization are associated with a local site, you can
create a catch-all subnet and link it to your main corporate or hub site. For example, if all
my subnets were within the Class B range of 10.1.x.x, I could define a 10.1.0.0/16 subnet
and link it to the corporate site. Any subnet that wasn't specifically defined and linked to
other sites will cause clients that have IP addresses in those missed ranges to "think"
they're in the corporate site. Although not ideal, this approach is better than having a
client that doesn't belong to a site and possibly using DCs in remote, slowly linked
locations.
Creating a catch-all subnet doesn't typically present a problem because the client's site is
based on the most specific match, not the first match. For example, if the following site
definitions exist:
- Corporate: 10.1.1.0/24, 10.1.2.0/24 and 10.1.0.0/16
- London: 10.1.3.0/24
- Dallas: 10.1.4.0/24
and a client has an address of 10.1.3.25, although that address is within the 10.1.0.0/16
range, it actually belongs to the London site (10.1.3.0/24), which is a more specific match
(more bits used for the subnet). This catch-all subnet can also be a savior if your network
team decides to add new subnets. The catch-all provides you some safety, although you
should still keep your site definitions as accurate as possible to ensure that clients use
local resources when they can.

Q. How can a client computer determine which site it belongs to?

A. A client computer ascertains which site it currently resides in when the computer
starts. As part of the initial startup traffic, clients attempt to locate a domain controller
(DC) for their domain. (This search occurs early in the startup process; if you use DHCP,
it occurs just after the address is leased or renewed.) If the client currently has no
DynamicSiteName registry value--which indicates the site in which the client was located
when it was last started--the client performs a generic DNS query for any Lightweight
Directory Access Protocol (LDAP) service by using the DNS query format
_ldap._tcp.dc._msdcs.
If the client previously resided in a site and therefore has a DynamicSiteName registry
value, the DNS query tries to find a DC in that site by using the following query format:
_ldap._tcp.._sites.dc._msdcs.
When the client finds a DC, the client issues a UDP LDAP request asking for Netlogon
service information from the DC; the DC returns a SearchResponse (4) message, which
lists the DC's local site and the client's site name, according to the client's IP address, if
the queried DC isn't from the client's current local site. If the DNS query can't match a
client's IP address to a defined site, it doesn't return a recommended site, only the DC's
current site. The following sample packets show three types of DNS query responses. The
first example shows the results of a client querying a DC that's within the client's IP-
calculated site:
00000020 30 84 00 00 00 8B                                0.....
00000030 02 01 02 64 84 00 00 00 82 04 00 30 84 00 00 00  ...d.......0....
00000040 7A 30 84 00 00 00 74 04 08 6E 65 74 6C 6F 67 6F  z0....t..netlogo
00000050 6E 31 84 00 00 00 64 04 62 17 00 00 00 FD 01 00  n1....d.b.......
00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F  .h..1<..O.C....O
00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D  ..savilltech.com
00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18  ....savdaldc01..
00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56  .SAVILLTECH..SAV
000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73  DALDC01...Dallas
000000B0 00 C0 50 05 00 00 00 FF FF FF FF 30 84 00 00 00  ..P........0....
000000C0 10 02 01 02 65 84 00 00 00 07 0A 01 00 04 00 04  ....e...........
000000D0 00
The next example shows the results of a client querying a DC that isn't local to the client's
site:
00000020 30 84 00 00 00 90                                0.....
00000030 02 01 02 64 84 00 00 00 87 04 00 30 84 00 00 00  ...d.......0....
00000040 7F 30 84 00 00 00 79 04 08 6E 65 74 6C 6F 67 6F  0....y..netlogo
00000050 6E 31 84 00 00 00 69 04 67 17 00 00 00 7D 01 00  n1....i.g....}..
00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F  .h..1<..O.C....O
00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D  ..savilltech.com
00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18  ....savdaldc01..
00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56  .SAVILLTECH..SAV
000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73  DALDC01...Dallas
000000B0 00 05 41 6C 6C 65 6E 00 05 00 00 00 FF FF FF FF  ..Allen.........
000000C0 30 84 00 00 00 10 02 01 02 65 84 00 00 00 07 0A  0........e......
000000D0 01 00 04 00 04 00                                ......
Notice that the query initially returns a site named Dallas, then returns a second site,
Allen. In this case, Dallas is the site of the DC (savdaldc01), but the response is telling
the client that it should instead find a DC in the Allen site (which it would find via a DNS
query specifying the Allen site).
The final sample packet shows the response when the DNS query can't match the client's
IP address with sites defined in the Active Directory (AD):
00000020 30 84 00 00 00 8A                                0.....
00000030 02 01 02 64 84 00 00 00 81 04 00 30 84 00 00 00  ...d.......0....
00000040 79 30 84 00 00 00 73 04 08 6E 65 74 6C 6F 67 6F  y0....s..netlogo
00000050 6E 31 84 00 00 00 63 04 61 17 00 00 00 7D 01 00  n1....c.a....}..
00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F  .h..1<..O.C....O
00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D  ..savilltech.com
00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18  ....savdaldc01..
00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56  .SAVILLTECH..SAV
000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73  DALDC01...Dallas
000000B0 00 00 05 00 00 00 FF FF FF FF 30 84 00 00 00 10  ..........0.....
000000C0 02 01 02 65 84 00 00 00 07 0A 01 00 04 00 04 00  ...e............
Notice in these examples that if the client's IP address matches the queried DC's site, a
"P" (preferred) character appears after the site name, as line 19 in the first example
shows; if there's no match, the "P" doesn't appear and because the preferred site name is
blank, the response means the DNS query found no matching site. Thus the client doesn't
reside within the boundary of any known site and will therefore randomly use any
existing DC.
You can also determine a client's site either by running the command
nltest /dsgetsite
or by using the following code in a script:
Set oSysInfo = CreateObject("ADSystemInfo")
MsgBox oSysInfo.SiteName
To reset the client and discover information about the client's site, run the following
command:
nltest /sc_reset:domain-name\local-dc
It's important that client machines don't have IP addresses outside of defined sites.
Certain services, such as the Microsoft Exchange System Attendant, won't start if the
site's membership can't be discovered.
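The most-specific-match rule from the catch-all subnet answer and the DC-locator query names from this answer, worked through in Python as an added example (not part of the original FAQ); the site definitions and the savilltech.com domain are the sample values the text uses.

```python
"""Resolve a client's AD site by the most-specific subnet match.

Added example (not part of the original FAQ). It reproduces the Corporate /
London / Dallas definitions from the catch-all-subnet answer, shows why a
10.1.0.0/16 catch-all does not steal clients from the /24 sites, flags
clients that fall outside every defined subnet, and builds the DC-locator
SRV names the site-membership answer describes. Site names, addresses and
the savilltech.com domain are sample values taken from the text.
"""
import ipaddress

# Sample site definitions from the text: site name -> subnets linked to it.
# In AD a subnet object can be linked to exactly one site.
SITE_SUBNETS = {
    "Corporate": ["10.1.1.0/24", "10.1.2.0/24", "10.1.0.0/16"],  # /16 is the catch-all
    "London": ["10.1.3.0/24"],
    "Dallas": ["10.1.4.0/24"],
}
DNS_DOMAIN = "savilltech.com"


def build_site_table(site_subnets):
    """Flatten the definitions into (network, site) pairs, most specific first.

    Sorting by prefix length (descending) means the first containing network
    is the most specific one, which is how the DC decides a client's site.
    """
    table = []
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            table.append((ipaddress.ip_network(cidr, strict=True), site))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_site(ip, table):
    """Return the site whose most specific subnet contains `ip`, else None.

    None is the failure mode the text warns about: a site-less client will use
    any DC in the forest rather than a local one.
    """
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site
    return None


def orphaned_clients(ips, table):
    """Addresses that match no defined subnet (candidates for a catch-all)."""
    return [ip for ip in ips if lookup_site(ip, table) is None]


def generic_dc_srv_name(dns_domain):
    """SRV name queried when the client has no DynamicSiteName value yet."""
    return f"_ldap._tcp.dc._msdcs.{dns_domain}"


def site_dc_srv_name(site, dns_domain):
    """SRV name queried for a DC in a known site (standard DC-locator format)."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}"


if __name__ == "__main__":
    table = build_site_table(SITE_SUBNETS)
    for ip in ["10.1.3.25", "10.1.9.200", "10.2.0.1"]:
        site = lookup_site(ip, table)
        if site is None:
            print(f"{ip}: no site; client will use any DC found via "
                  f"{generic_dc_srv_name(DNS_DOMAIN)}")
        else:
            print(f"{ip}: {site}; locator queries {site_dc_srv_name(site, DNS_DOMAIN)}")
```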

Q. How does Windows process logon scripts that you define via Group Policy?

A. Group Policy lets you define scripts at multiple levels (i.e., site, domain,
organizational unit--OU). You can define multiple scripts at each level by using multiple
Group Policy Object (GPO) links or by defining multiple scripts in one GPO. You can
also define a logon script at the User-object level. The scripts you define run in the order
in which the GPOs are applied, so site-level scripts run first, then domain-level scripts,
OU-level scripts, and finally User-object scripts. However, the scripts don't run in series;
they run in parallel. Therefore, you can't rely on GPO application order to set the
precedence of actions performed in logon scripts because the scripts might run at
different speeds and finish at different times. You also need to ensure that your logon
scripts don't overwrite the actions of other logon scripts. Remember that logon scripts
that run via Group Policy run in the background; you can't see them execute. You can,
however, change this behavior by modifying a GPO setting, as I explain in the FAQ
"How can I configure Group Policy-based scripts to display when they're executed?"

Q. How can I enable complex passwords on my Windows Server 2003 Active
Directory (AD) domain?

A. On a new Windows 2003 domain, complex password creation is enabled by default;
however, to configure complex passwords for an upgraded domain or to simply modify
the password settings, perform these steps:
1. Open the Group Policy Object (GPO) that's linked at the domain level. For
example, open the Microsoft Management Console (MMC) Active Directory
Users and Computers snap-in, right-click the domain, select Properties, select the
Group Policy tab, select the GPO, then click Edit. Doing so opens Group Policy
Editor (GPE). Remember that password policies are part of the Account Settings
group and take effect only when you set them at domain level; they won't be
implemented if you set them at site or organizational unit (OU) levels.
2. Select Computer Configuration, Windows Settings, Security Settings, Account
Policies, Password Policy.
3. Double-click the relevant settings and set them to the settings you want (e.g.,
"Password must meet complexity requirements," "Minimum password length,"
"Maximum password age"). The figure shows the default settings for a new
Windows 2003 domain, which are a good baseline.
4. Close GPE.

Q. How can I quickly search for shared folders that are published in Active
Directory (AD)?

A. To quickly search AD for published shared folders, you can run the command
rundll32 dsquery,OpenQueryWindow
Executing this command opens the Find dialog box, which provides in the drop-down
lists the option to find Shared Folders and where to search. The Figure shows search
results displayed in the Find dialog box. In pre-Windows XP versions, you could access
this dialog box fairly easily via Explorer or My Network places. However, accessing the
Find dialog box is a little more complicated in XP, so you might want to create a shortcut
to the previous Rundll32 command.

Q. How can I run a report that displays the last password change for all accounts in a
container?

A. The last-password-change date is stored in the user class's Active Directory (AD)
pwdLastSet attribute as a large integer (Integer8, a 64-bit value), which
means the date must be converted so that it can be read and displayed in a usable "date"
format. To perform the conversion, I modified a script by Richard Mueller so that it
searches for all users in the passed root distinguished name and outputs their last-
password-change date to a screen. You can download the script,
listuserpasslastchange.vbs, or copy and paste the following script into a text file.
' John Savill
' This is based on Richard Mueller's script on Integer8Date
' conversion, which is copyrighted as below.
' Copyright (c) 2003 Richard L. Mueller
' Hilltop Lab Web site - http://www.rlmueller.net
'
' I simply changed it to output all objects in a passed DN.

Option Explicit

Dim strLdapPath, objConnection, objChild
Dim lngTZBias, objPwdLastSet
Dim objShell, lngBiasKey, k

' Check that all required arguments have been passed
If Wscript.Arguments.Count < 1 Then
    Wscript.Echo "Arguments required. For example:" & vbCrLf _
        & "cscript listuserpasslastchange.vbs ou=test,dc=demo,dc=test"
    Wscript.Quit(0)
End If

strLdapPath = Wscript.Arguments(0)

' Obtain local Time Zone bias (in minutes) from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If UCase(TypeName(lngBiasKey)) = "LONG" Then
    lngTZBias = lngBiasKey
ElseIf UCase(TypeName(lngBiasKey)) = "VARIANT()" Then
    ' Some systems return the value as a byte array; rebuild the integer
    lngTZBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngTZBias = lngTZBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Bind to the passed container and enumerate only user objects
Set objConnection = GetObject("LDAP://" & strLdapPath)
objConnection.Filter = Array("user")

For Each objChild In objConnection
    Set objPwdLastSet = objChild.pwdLastSet
    WScript.Echo objChild.Name & vbTab & _
        Integer8Date(objPwdLastSet, lngTZBias)
Next

Wscript.Echo "Operation Completed"

Function Integer8Date(objDate, lngBias)
    ' Function to convert Integer8 (64-bit) value to a date, adjusted for
    ' local time zone bias.
    Dim lngAdjust, lngDate, lngHigh, lngLow
    lngAdjust = lngBias
    lngHigh = objDate.HighPart
    lngLow = objDate.LowPart
    ' Account for error in IADsLargeInteger property methods (LowPart is
    ' returned as a signed value).
    If lngLow < 0 Then
        lngHigh = lngHigh + 1
    End If
    ' A value of zero means the password was never set; don't shift it
    If (lngHigh = 0) And (lngLow = 0) Then
        lngAdjust = 0
    End If
    lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
        + lngLow) / 600000000 - lngAdjust) / 1440
    ' Trap error if lngDate is ridiculously huge.
    On Error Resume Next
    Integer8Date = CDate(lngDate)
    If Err.Number <> 0 Then
        On Error GoTo 0
        Integer8Date = #1/1/1601#
    End If
    On Error GoTo 0
End Function
To run the script, use the syntax
cscript listuserpasslastchange.vbs ou=test,dc=demo,dc=test
You'll see output that's similar to this:
CN=Bruce Wayne 11/17/2003 1:30:14 PM
CN=Clark Kent 11/17/2003 1:31:30 PM
CN=Hal Jordan 12/6/2004 2:52:56 PM
CN=Wally West 3/17/2003 9:04:45 AM
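An added Python version of the Integer8 conversion (not the FAQ's script), extended to the two values a report has to treat specially, 0 and the large "never" sentinel, and to a stale-password check; the account records are constructed sample data.

```python
"""Convert AD pwdLastSet (Integer8) values to dates and flag stale passwords.

Added example, not the FAQ's script. pwdLastSet counts 100-nanosecond
intervals since 1601-01-01 UTC; ADSI hands it over as the signed 32-bit
HighPart/LowPart pair the VBScript above recombines. The account records
below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF   # "no date" sentinel used by AD large-integer time attributes
TICKS_PER_MICROSECOND = 10   # one tick is 100 ns


def integer8_from_parts(high, low):
    """Recombine ADSI's signed HighPart/LowPart into the unsigned 64-bit value.

    LowPart comes back as a signed Long, so a value with the top bit set is
    negative; masking it to 32 bits is equivalent to the VBScript's
    "add one to HighPart" correction.
    """
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def integer8_to_datetime(value):
    """Return an aware UTC datetime, or None for 0 or the NEVER sentinel.

    pwdLastSet = 0 means the password was never set or must be changed at
    next logon; the VBScript prints 1/1/1601 for that case.
    """
    if value <= 0 or value >= NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // TICKS_PER_MICROSECOND)


def integer8_to_iso(value):
    """Human-readable UTC timestamp, or None for the special values."""
    dt = integer8_to_datetime(value)
    if dt is None:
        return None
    return (f"{dt.year:04d}-{dt.month:02d}-{dt.day:02d} "
            f"{dt.hour:02d}:{dt.minute:02d}:{dt.second:02d}")


def datetime_to_integer8(dt):
    """Inverse conversion (useful for building comparisons and test data)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def password_age_days(value, now):
    """Whole days since the password was set, or None when it was never set."""
    set_at = integer8_to_datetime(value)
    return None if set_at is None else (now - set_at).days


def stale_accounts(records, now, max_age_days):
    """Names whose password is older than max_age_days or was never set.

    records: iterable of (name, pwdLastSet) pairs as an LDAP query would return.
    """
    flagged = []
    for name, value in records:
        age = password_age_days(value, now)
        if age is None or age > max_age_days:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: names from the FAQ output with made-up pwdLastSet values.
    sample = [
        ("CN=Hal Jordan", datetime_to_integer8(datetime(2004, 12, 6, 14, 52, 56, tzinfo=utc))),
        ("CN=Wally West", datetime_to_integer8(datetime(2003, 3, 17, 9, 4, 45, tzinfo=utc))),
        ("CN=New Hire", 0),
    ]
    now = datetime(2004, 12, 31, tzinfo=utc)
    for name, value in sample:
        print(name, integer8_to_iso(value), password_age_days(value, now))
    print("stale:", stale_accounts(sample, now, 90))
```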
Q. Can I use the .local or .pvt top-level domain (TLD) names as part of an Active
Directory (AD) tree name?

A. Companies often use a .local or .pvt TLD to name an AD tree. However, as I explain
shortly, it's better to use a standard naming method--for example, create a name by using
a subdomain of your company's DNS address space (e.g., if your company's DNS domain
is ntfaq.com, you could name your AD tree ads.ntfaq.com). When you use this method,
though, you must remember that the DNS information for the AD tree is hosted on
internal DNS servers, not on your external DNS servers. This means that external users
can't see information about your internal infrastructure because external users can access
only the external DNS server, which has no information about your internal
infrastructure. Alternatively, if you want to create a second-level name for your AD
domain, reserve another name--for example, ntfaq.net--but don't set your AD domain to
the same name as your external name, to avoid causing confusion in name resolution.
If you're determined to use a nonstandard TLD in your domain name, avoid the use of
.local or .pvt because they aren't reserved. Instead, use one of these reserved top-level
domains:
- .test
- .example
- .invalid
- .localhost

Q. How can I quickly obtain a list of the domain controllers (DCs) in my Active
Directory (AD) domain?

A. You can output a list of all DCs in a domain by running the Nltest command (which is
included in the Support Tools) and specifying the /dclist parameter. The following sample
command generates a list of all DCs in the savilltech.com domain:
nltest /dclist:savilltech.com

Q. How can I revoke delegated Active Directory (AD) permissions?

A. You can revoke permissions on all containers under a passed root--for example, a
domain or an organization unit (OU)--by using the Dsrevoke tool, which I describe in
FAQ "How can I view the state of Active Directory
(AD) permissions delegations?" To revoke permissions, you use the command syntax that
I provided in that FAQ but replace the /report switch with the /remove switch, like this:
dsrevoke /remove /root:ou=testing,dc=demo,dc=test demo\helpdesk
After you run Dsrevoke, the access control entries (ACEs) that match your criteria are
displayed on screen, like this:
ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
READ PROPERTY
WRITE PROPERTY
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
EXTENDED ACCESS
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2

Do you want to remove the above listed ACEs (y/n): y
All ACEs successfully removed
To remove the ACEs, you must enter "y" (yes) at the prompt. You can then confirm the
removal by running Dsrevoke to output a report:
dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk
The command outputs this message:
No ACEs for demo\helpdesk

Q. How can I view the state of Active Directory (AD) permissions delegations?

A. Windows Server 2003 and Windows 2000 Server provide helpful wizards for
delegating permissions to users in AD. However, no wizard lets you view existing
delegations. To do so, you must manually view the security settings that have been
applied on containers and objects.

Microsoft recently released a tool that makes it easier to view existing permissions
delegations. You can download the tool--called Dsrevoke--from the Microsoft Web site.
Dsrevoke reports on the permissions for a domain and/or organizational units (OUs) and
also lets you remove permissions. For example, the following sample Dsrevoke
command checks for permissions on the HelpDesk group in the demo domain and
specifies the Testing OU in the demo.test domain:
dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk
The command displays these onscreen messages:
ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
READ PROPERTY
WRITE PROPERTY
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
EXTENDED ACCESS
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2


You can see in the output that the HelpDesk group has several access control entries
(ACEs) for the Testing OU; however, the output information doesn't provide the exact
permissions for the HelpDesk group. To determine this information, you must first enable
the Advanced view in the Microsoft Management Console (MMC) Active Directory
Users and Computers snap-in. Then, at the container's Properties page, select the Security
tab and click the Advanced button. To view a group's permissions, select the Permissions
tab, then select the group and click Edit, as the Figure shows. In this example, the
HelpDesk group has permissions to reset passwords and to force a password change.
Dsrevoke is most effective when delegation has been defined by using roles--that is, users
are placed in a group, and the group is given permissions at a domain or OU level,
instead of via individual objects.

Q. How can I install a domain controller (DC) from backup media by using a Dcpromo
answer file?

A. To create a DC from a backup during the Dcpromo process, add these two entries to
the answer file:
ReplicateFromMedia=Yes
ReplicationSourcePath=<media_source_path>
Your answer file entries should look something like this:
[Unattended]
UnattendMode=FullUnattended

[DCInstall]
AllowAnonymousAccess=No
AutoConfigDNS=No
DatabasePath=<Db_Path>
LogPath=<Log_Path>
SysVolPath=<SysVol_Path>
Password=<User_Pwd>
UserDomain=<Net_Bios_Domain_Name>
UserName=<User_Name>
ReplicaDomainDNSName=<DNS_Domain_Name>
CriticalReplicationOnly=No
ReplicaOrNewDomain=Replica
SafeModeAdminPassword=<safe_mode_pwd>
RebootOnSuccess=Yes
ReplicateFromMedia=Yes
ReplicationSourcePath=<media_source_path>
ConfirmGC = Yes

Q. What entry should I add to a Dcpromo answer file to specify that a domain
controller (DC) should also be made a Global Catalog (GC)?

A. To specify that a DC should also be made a GC during the Dcpromo process (which
can be useful when you install a new DC from media that contains data copied from a
GC), add the following entry to the answer file:
ConfirmGC = Yes

Q. How do I set a domain to interim mode?

A. Typically, when you upgrade a domain from Windows NT Server 4.0 to Windows
Server 2003 and the domain is the first one in a new forest, during the upgrade you can
set the domain and forest mode to interim. Interim mode has advantages over Windows
2000 Server native mode--for example, interim mode has no 5000-group membership
limit and provides Knowledge Consistency Checker (KCC) and topology enhancements.
If you're creating a new domain, you can set the domain and forest mode to interim by
using the ADSI Edit tool. (You can't use the typical Active Directory--AD--management
snap-ins to do this.) To set the domain and forest mode to interim for a new domain,
follow these steps:
1. Start the ADSI Edit tool (Start, Run, adsiedit.msc).
2. Expand the Configuration partition of the forest root--for example,
CN=Configuration,DC=demo,DC=test.
3. Right-click CN=Partitions, then click Properties.
4. Select the msDS-Behavior-Version attribute, then click Edit.
5. In the Value field, which the Figure shows, type 1 and click OK.
When you check the forest and domain level, it will now be displayed as Windows Server
2003 interim. Be aware, though, that after you make this change you can't go back to
mixed mode and thus can no longer add Windows 2000 DCs to the domain.

Q. How can I check which domain controllers (DCs) are acting as bridgeheads for a
site?

A. The Intersite Topology Generator (ISTG) decides which of a site's DCs will act as the
site's bridgehead servers (in Windows Server 2003, you can use multiple DCs for each
replicated naming context). One way to check which DCs are acting as bridgehead
servers for a site is to view the connection objects by using the Microsoft Management
Console (MMC) Active Directory Sites and Services snap-in, which shows the DCs each
DC is replicating with.
The best method for determining which DCs are acting as bridgehead servers is to use the
Repadmin tool with its /bridgeheads parameter. To do so, enter the
command
repadmin /bridgeheads
You'll then see on-screen messages similar to those that the Figure shows.

Q. How can I create an HTML view of my organizational unit (OU) structure?

A. To answer this, I modified the script in the FAQ "How can I create a summary of the
contents of the organizational units (OUs) in my environment?" so that it outputs to an
HTML file and includes the total number of OUs and the maximum depth of OUs that it
found. Download the code and extract the oulisthtmlgraph.vbs file from oulist.zip. (The
zip file also contains oulisthtml.vbs, an earlier version of the script that doesn't output
HTML graphics.) In addition, oulist.zip contains five image files, which you should place
in a folder named "images" in the directory where your output HTML file will be stored.
(Placing the image files in this location ensures that Microsoft Internet Explorer (IE) can
find the graphics when it opens the HTML file.) The figure shows an example of the
script's HTML output.

Q. How can I create a summary of the contents of the organizational units (OUs) in
my environment?

A. I recently needed to quickly document a client's OU structure for a domain and had to
include in the documentation the number of users, groups, computers, and contacts in
each OU. To achieve this, I wrote a short script--oulist.vbs--that uses Microsoft Active
Directory Service Interfaces (ADSI) to interrogate Active Directory (AD) and produce a
report that details the specified container's content. To use oulist.vbs, you can either save
the following code into a file (name it oulist.vbs) or download the script.
Option Explicit

Dim strLdapPath, dtmCreate
Dim totalUsers, totalComputers, totalGroups, totalContacts

totalUsers=0
totalGroups=0
totalComputers=0
totalContacts=0

' Check that all required arguments have been passed.
If Wscript.Arguments.Count < 1 Then
    Wscript.Echo "Arguments required. For example:" & vbCrLf _
        & "cscript oulist.vbs ou=test,dc=demo,dc=test"
    Wscript.Quit(0)
End If

strLdapPath = Wscript.Arguments(0)
Wscript.Echo " " & strLdapPath

call GetDetail(strLdapPath," ")

WScript.Echo vbCrLf & " Totals: " & totalUsers & " users " & _
    totalGroups & " groups " & totalComputers & " computers " & _
    totalContacts & " contacts"
Wscript.Echo "Operation Completed"

Function GetDetail(strLdapPathNow, indent)

    ' Connection and child objects are local so that each level of the
    ' recursion enumerates its own container
    Dim objConnection, objChild
    Dim userCount, groupCount, computerCount, contactCount

    userCount=0
    groupCount=0
    computerCount=0
    contactCount=0

    Set objConnection = GetObject("LDAP://" & strLdapPathNow)

    ' First pass: count the objects held directly in this container
    For Each objChild In objConnection
        if objChild.class = "user" then
            userCount=userCount+1
            totalUsers=totalUsers+1
        end if
        if objChild.class = "group" then
            groupCount=groupCount+1
            totalGroups=totalGroups+1
        end if
        if objChild.class = "computer" then
            computerCount=computerCount+1
            totalComputers=totalComputers+1
        end if
        if objChild.class = "contact" then
            contactCount=contactCount+1
            totalContacts=totalContacts+1
        end if
    Next

    WScript.Echo indent & "(" & userCount & " users " & groupCount _
        & " groups " & computerCount & " computers " _
        & contactCount & " contacts)"

    ' Second pass: restrict the enumeration to child OUs and recurse into each
    objConnection.Filter = Array("organizationalUnit")
    For Each objChild In objConnection
        WScript.Echo indent & "- " & objChild.Name
        call GetDetail(objChild.Name & "," & strLdapPathNow, _
            indent & " ")
    Next

End Function
Oulist.vbs calls the GetDetail function to check the content of the passed container. The
script then checks for OUs in the current container and, for each OU it finds, calls the
function again. A process that calls itself is known as a recursive process. Running
oulist.vbs produces output on screen that's similar to the following:
C:\scripts>cscript oulist.vbs dc=savilltech,dc=net
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

dc=savilltech,dc=net
(0 users 0 groups 0 computers 0 contacts)
- OU=Domain Controllers
(0 users 0 groups 1 computers 0 contacts)
- OU=test
(0 users 0 groups 0 computers 0 contacts)
- OU=subtest1
(0 users 0 groups 0 computers 0 contacts)
- OU=subsubtest1
(0 users 0 groups 0 computers 0 contacts)
- OU=subsubtest2
(0 users 0 groups 0 computers 0 contacts)
- OU=subtest2
(0 users 0 groups 0 computers 0 contacts)
- OU=subsub2test1
(0 users 0 groups 2 computers 0 contacts)
- OU=subsub2test2
(1 users 1 groups 1 computers 1 contacts)
- OU=subsubsubtest
(0 users 0 groups 0 computers 0 contacts)

Totals: 1 users 1 groups 4 computers 1 contacts


Operation Completed
It's important to use the Cscript command; if you don't specify Cscript, every line of text
in the output will pop up in a dialog box.

Q. Can I add a Windows Server 2003 domain controller (DC) to a Windows 2000 Server
domain?

A. If you have only Win2K Server DCs in a domain and you run Dcpromo on a Windows 2003
server to make it an additional DC, the command fails with the error message that the
figure at http://www.windowsitpro.com/articles/images/install2003dcinto2000foresterror.gif
shows. Before you can make a Windows 2003 server a DC in an existing Win2K Server domain,
you must run the forest and domain preparation utility, Adprep, which you can find in the
\i386 folder on the Windows 2003 CD-ROM, by running the commands
adprep /forestprep
adprep /domainprep
Run adprep /forestprep once, on the DC that holds the Schema Master role, with an account
that's a member of the Schema Admins and Enterprise Admins groups, and let the schema
changes replicate to every DC before you continue; then run adprep /domainprep on the
Infrastructure Master of each domain as a member of Domain Admins. Be aware that these
commands alter the schema and configuration of your forest and domain, so take a system
state backup of a DC first. Forests that already contain the Microsoft Exchange 2000 Server
schema extensions need extra care, because Exchange 2000's definitions of some attributes
conflict with the ones that Windows 2003 forest preparation adds. (I'll cover the steps you
need to take to avoid such problems in an upcoming FAQ.)

Q. How can I configure the replication interval within an Active Directory


Application Mode (ADAM) site?

A. By default, all your ADAM replicas are in the same site. Because replication within a
site is based on notification--that is, when a server has a change, it notifies its replication
partners of the update--by default changes should be replicated almost instantly. A
replication schedule exists for intrasite replication; however, this schedule applies only
when no update-based replication has occurred within the standard replication time
interval. To modify the default replication interval within a site, perform these steps:
1. Start the ADAM ADSI Edit tool (Start, Programs, ADAM, ADAM ADSI Edit).
2. If ADAM ADSI Edit doesn't open the Configuration partition by default, connect
   to it by right-clicking the ADAM ADSI Edit root in the treeview pane and
   selecting "Connect to"; otherwise, go to step 4.
3. In the connection dialog box, enter a connection name of "Configuration."
   (Leave the default server name and port number unless you changed the port
   during installation.) Under "Connect to the following node," select
   "Well-known naming context" and choose "Configuration." Click OK.
4. Expand the Configuration partition, expand Sites, and select the site name
   (which by default is Default-First-Site-Name, the same as in Active
   Directory--AD).
5. Right-click CN=NTDS Site Settings in the right pane and select Schedule from
   the context menu.
6. In the Schedule window, set the default replication interval. This interval
   applies only when no notification-driven replication has occurred; by
   default, it's once per hour.
7. Click OK.

Q. How can I manually force a replication of an Active Directory Application Mode


(ADAM) partition?

A. You can use the ADAM version of Repadmin to force a replication by performing the
following steps:
1. Start an ADAM tools command prompt (Start, Programs, ADAM, ADAM Tools
   Command Prompt).
2. Type the command
repadmin /syncall localhost:389 <partition name>
   You'll need to change the port number in the command if you've assigned the
   ADAM instance a different port.
Messages similar to the following will be displayed:
Syncing partition: cn=App1,o=Savilltech,c=US
CALLBACK MESSAGE: The following replication is in progress:
From: adamtest1.savilltech.com:389
To : adamtest2.savilltech.com:389
CALLBACK MESSAGE: The following replication completed successfully:
From: adamtest1.savilltech.com:389
To : adamtest2.savilltech.com:389
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
This shows a successful replication.

Q. How can I add a user to a group by using Microsoft Active Directory Service
Interfaces (ADSI) in a script?

A. You can use VBScript code that's similar to the following snippet, which adds a user to
a group by using the user's distinguished name (DN):
Set grp = GetObject("LDAP://cn=testgrp,ou=testing,dc=savilltech,dc=com")
Set oUser = GetObject("LDAP://cn=user1,ou=testing,dc=savilltech,dc=com")
grp.Add(oUser.AdsPath)
grp.SetInfo

Q. How can I use Microsoft Active Directory Service Interfaces (ADSI) to disable a
user account?

A. Assuming that you've already defined an objUser variable in a VBScript script that
points to the user you want to disable, you can disable a user account by adding the
following code to your script:
objUser.AccountDisabled = True
objUser.SetInfo

Q. How can I use Microsoft Active Directory Service Interfaces (ADSI) to check a
user's enabled or disabled state?

A. Each user object has an AccountDisabled property. To check whether an account is


disabled, you can run a simple script that uses a True or False condition statement, such
as this:
If objChild.AccountDisabled Then
objDisabledStat = "Y"
Else
objDisabledStat = "N"
End If

Q. How can I create a file that contains all user profiles that were created before a
specific date?
A. Recently, I had a client who had an organizational unit (OU) that served as a temporary
holding container for recently created user accounts. Ideally, the OU shouldn't hold
accounts for more than one month. Over time, the OU had accumulated more than 50,000
accounts, and the client wanted to delete from it all accounts older than 60 days.
I used a two-phase approach to meet the client's request. First, I wrote the
listusersolder.vbs script, which writes a text file (userlist.txt) listing every account
in the OU that's older than 60 days; each entry in the file is the distinguished name (DN)
of an object followed by its creation time. Then I used another script, which I provide in
the FAQ "How can I delete from Active Directory (AD) user accounts that are listed in a
file?", to delete all accounts in the file. Save the following script as
listusersolder.vbs. Remember to modify the script to include information specific to your
installation.
'listusersolder.vbs
' John Savill 19 August 2004
Option Explicit

Dim strFilePath, strLdapPath, strDate, objFSO, objFile, objConnection, _
    objChild, dtmCreate, selectedDate

' Check that all required arguments have been passed.
If Wscript.Arguments.Count < 3 Then
    Wscript.Echo "Arguments required. For example:" & vbCrLf _
        & "cscript listusersolder.vbs ou=test,dc=demo,dc=test 6/10/2004 c:\temp\UserList.txt"
    Wscript.Quit(0)
End If

strLdapPath = Wscript.Arguments(0)
strDate = Wscript.Arguments(1)
selectedDate = DateValue(strDate)    ' parsed with the machine's locale date format
strFilePath = Wscript.Arguments(2)

Set objFSO = CreateObject("Scripting.FileSystemObject")

' Open the file for write access (2 = ForWriting; create it if missing; ASCII).
On Error Resume Next
Set objFile = objFSO.OpenTextFile(strFilePath, 2, True, 0)
If Err.Number <> 0 Then
    On Error GoTo 0
    Wscript.Echo "File " & strFilePath & " cannot be opened"
    Wscript.Quit(1)
End If
On Error GoTo 0

' Bind to the container and enumerate only its user objects.
Set objConnection = GetObject("LDAP://" & strLdapPath)
objConnection.Filter = Array("user")

For Each objChild In objConnection
    ' createTimeStamp is an operational attribute, so it must be requested
    ' explicitly; ADSI returns it as a Date, so it compares with selectedDate.
    objChild.GetInfoEx Array("createTimeStamp"), 0
    dtmCreate = objChild.Get("createTimeStamp")

    If dtmCreate < selectedDate Then
        WScript.Echo objChild.Name & vbTab & dtmCreate & " *"
        objFile.WriteLine objChild.distinguishedName & "|" & dtmCreate
    Else
        WScript.Echo objChild.Name & vbTab & dtmCreate
    End If
Next

' Close file connection
objFile.Close

Wscript.Echo "Operation Completed"


To run listusersolder.vbs, you pass it the name of a root-level container to check for
accounts older than the date passed, an "older-than" date, and the name of a file to output
the old accounts to, as the following sample command shows:
cscript listusersolder.vbs ou=testing,dc=demo,dc=local 6/10/2004
c:\temp\list.txt
You'll see output on screen that's similar to this:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

CN=Barry Allen 6/2/2004 10:59:32 PM *
CN=Bruce Wayne 6/11/2004 6:30:40 PM
CN=Clark Kent 6/2/2004 10:55:14 PM *
CN=DeleteMe 8/19/2004 4:02:04 PM
Operation Completed
Notice that any account that was created before 6/10/2004 has an asterisk (*) next to it.
The contents of the list.txt file look like the following:
CN=Barry Allen,OU=testing,DC=demo,DC=local|6/2/2004 10:59:32 PM
CN=Clark Kent,OU=testing,DC=demo,DC=local|6/2/2004 10:55:14 PM
In the text file, a pipe character (|) separates the account and its creation time.

Q. How can I delete from Active Directory (AD) user accounts that are listed in a
file?

A. To delete the accounts listed in the file that I created in the FAQ "How can I create a
file that contains all user profiles that were created before a specific date?", I first
created a text file with one account per line in the following format:
<distinguished name>|[optional info after the pipe]
<distinguished name>|[optional info after the pipe]
etc.
For example:
CN=test1,OU=testing,DC=demo,DC=local|6/2/2004 10:59:32 PM
CN=test2,OU=testing,DC=demo,DC=local|6/2/2004 10:55:14 PM
A pipe character (|) must follow the account's distinguished name (DN); the script ignores
what follows the pipe.
I then wrote the delusersfromfile.vbs script, which deletes the accounts listed in the file.
Save the script as delusersfromfile.vbs. Remember to modify the script to include
information specific to your installation. Because the script deletes whatever DNs the file
contains, review the file before you run it (a stray line could name an account outside the
OU you're cleaning up), and consider disabling the accounts for a grace period before
deleting them, since a deletion isn't easily reversed.
Option Explicit

Dim strFilePath, objFSO, objFilesTarget, sUser, objParent, sLine, aLine, _
    sDN, oUser

' Check that all required arguments have been passed.
If Wscript.Arguments.Count < 1 Then
    Wscript.Echo "Arguments required. For example:" & vbCrLf _
        & "cscript delusersfromfile.vbs c:\temp\UserList.txt"
    Wscript.Quit(0)
End If

strFilePath = Wscript.Arguments(0)

Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFilesTarget = objFSO.OpenTextFile(strFilePath, ForReading, True)

Do While objFilesTarget.AtEndOfStream <> True
    sLine = objFilesTarget.ReadLine
    ' Keep only the DN; anything after the pipe is ignored.
    aLine = Split(sLine, "|", -1, 1)
    sDN = aLine(0)

    sUser = "LDAP://" & sDN
    WScript.Echo sUser

    On Error Resume Next
    Set oUser = GetObject(sUser)
    If Err.Number <> 0 Then
        ' Report a DN that can't be bound and skip it rather than failing silently.
        WScript.Echo "  cannot bind: " & Err.Description
        Err.Clear
    Else
        Set objParent = GetObject(oUser.Parent)
        objParent.Delete "user", oUser.Name
        If Err.Number <> 0 Then
            WScript.Echo "  delete failed: " & Err.Description
            Err.Clear
        End If
    End If
    On Error GoTo 0
Loop

objFilesTarget.Close
Set oUser = Nothing


To run delusersfromfile.vbs, at a command prompt enter
cscript delusersfromfile.vbs c:\temp\list.txt
You'll see output on screen that's similar to this:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

LDAP://CN=test1,OU=testing,DC=demo,DC=local
LDAP://CN=test2,OU=testing,DC=demo,DC=local
After executing delusersfromfile.vbs, you could run a script to verify whether the
accounts have been deleted. For example, you could run the listusersolder.vbs script that I
discuss in "How can I create a file that contains all user profiles that were created before
a specific date?"; the list that the script outputs should be empty of old accounts.
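Both scripts above trust their input: listusersolder.vbs compares whatever createTimeStamp it receives, and delusersfromfile.vbs deletes every DN that appears in the file. The following Python script is an added example (it's not part of the original FAQ and not John Savill's code) that models both steps offline on constructed data: it selects stale entries from sample LDAP-style records whose createTimeStamp is the raw GeneralizedTime string (ADSI converts that to a VBScript Date for you), emits the same "DN|created" lines, and then parses such a list back while refusing any DN that isn't a direct child of the OU you intend to clean up. The sample DNs, timestamps, and the planted Administrator line are constructed for the demonstration.

```python
"""Stale-account selection and scope-checked parsing of a DN|info deletion list.

Added example, not part of the original FAQ scripts. Models offline:
(1) selecting user entries created before a cutoff and writing the
    "DN|created" lines that listusersolder.vbs writes, and
(2) reading such a list back the way delusersfromfile.vbs does, but rejecting
    any DN that is not directly inside the expected OU.
"""
from datetime import datetime, timezone

# Constructed sample directory entries. Raw LDAP returns createTimeStamp as
# GeneralizedTime ("YYYYMMDDHHMMSS.0Z", UTC).
SAMPLE_ENTRIES = [
    {"dn": "CN=Barry Allen,OU=testing,DC=demo,DC=local", "createTimeStamp": "20040602225932.0Z"},
    {"dn": "CN=Bruce Wayne,OU=testing,DC=demo,DC=local", "createTimeStamp": "20040611183040.0Z"},
    {"dn": "CN=Clark Kent,OU=testing,DC=demo,DC=local",  "createTimeStamp": "20040602225514.0Z"},
    {"dn": "CN=DeleteMe,OU=testing,DC=demo,DC=local",    "createTimeStamp": "20040819160204.0Z"},
]


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string such as 20040602225932.0Z as UTC."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def select_stale_accounts(entries, cutoff):
    """Return "DN|created" lines for entries created strictly before cutoff."""
    lines = []
    for entry in entries:
        created = parse_generalized_time(entry["createTimeStamp"])
        if created < cutoff:
            lines.append(f"{entry['dn']}|{created.isoformat()}")
    return lines


def _rdn_parts(dn):
    """Split a DN on unescaped commas only; "\\," inside a CN must not split it."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def parse_deletion_list(text, allowed_parent):
    """Split a DN|info listing into (accepted, rejected).

    A DN is accepted only if it is a direct child of allowed_parent (RDNs are
    compared case-insensitively); every other line is recorded in rejected as
    (line number, dn, reason). Blank lines and '#' comments are skipped.
    """
    want = [p.lower() for p in _rdn_parts(allowed_parent)]
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dn = line.split("|", 1)[0].strip()   # everything after the pipe is ignored
        parts = _rdn_parts(dn)
        if len(parts) != len(want) + 1 or [p.lower() for p in parts[1:]] != want:
            rejected.append((lineno, dn, "outside " + allowed_parent))
        elif not parts[0].lower().startswith("cn="):
            rejected.append((lineno, dn, "not a CN= object"))
        elif dn.lower() in (a.lower() for a in accepted):
            rejected.append((lineno, dn, "duplicate"))
        else:
            accepted.append(dn)
    return accepted, rejected


if __name__ == "__main__":
    cutoff = parse_generalized_time("20040610000000.0Z")
    stale = select_stale_accounts(SAMPLE_ENTRIES, cutoff)
    print("\n".join(stale))
    # A planted line naming an account outside the OU must be refused.
    listing = "\n".join(stale) + "\nCN=Administrator,CN=Users,DC=demo,DC=local|planted\n"
    ok, bad = parse_deletion_list(listing, "OU=testing,DC=demo,DC=local")
    print("would delete:", ok)
    print("refused:", bad)
```

The scope check is the point: a bulk-delete script driven by a text file should enforce where it is allowed to delete, not just trust the file's contents.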

Q. How can I create a list that includes all user profiles in a particular container and
the date and time they were created?

A. I've created the following script, listusers.vbs, which takes the name of a Lightweight
Directory Access Protocol (LDAP) container and lists all user objects in that container
with their creation date and time (GMT). Save the script as listusers.vbs. Remember to
modify it to include information specific to your installation.
'listusers.vbs
' John Savill 19 August 2004
Option Explicit

Dim strLdapPath, objConnection, objChild, dtmCreate

' Check that all required arguments have been passed.
If Wscript.Arguments.Count < 1 Then
    Wscript.Echo "Arguments required. For example:" & vbCrLf _
        & "cscript listusers.vbs ou=testing,dc=demo,dc=test"
    Wscript.Quit(0)
End If

strLdapPath = Wscript.Arguments(0)

' Bind to the container and enumerate only its user objects.
Set objConnection = GetObject("LDAP://" & strLdapPath)
objConnection.Filter = Array("user")

For Each objChild In objConnection
    ' createTimeStamp is an operational attribute; request it explicitly.
    objChild.GetInfoEx Array("createTimeStamp"), 0
    dtmCreate = objChild.Get("createTimeStamp")

    WScript.Echo objChild.Name & vbTab & dtmCreate
Next

Wscript.Echo "Operation Completed"


I place the cscript command at the beginning of the call to the listusers.vbs file.
Specifying cscript forces the script to run in the CScript (i.e., command window)
environment. If you don't specify cscript, each user in the list will be displayed in a
dialog box. In the sample command here, the passed LDAP container is an organizational
unit (OU) called testing (ou=testing) in the demo.local domain (dc=demo,dc=local).
To run the script, at a command prompt enter
cscript listusers.vbs ou=testing,dc=demo,dc=local
You'll see output on screen that's similar to this:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

CN=Barry Allen 6/2/2004 10:59:32 PM
CN=Bruce Wayne 6/11/2004 6:30:40 PM
CN=Clark Kent 6/2/2004 10:55:14 PM
CN=DeleteMe 8/19/2004 4:02:04 PM
Operation Completed


Q. How can I verify that my Active Directory Application Mode (ADAM) partition
replica addition worked?

A. On the replica server, open the ADAM version of the Microsoft Management Console
(MMC) ADSI Edit snap-in (Start, Programs, ADAM, ADAM ADSI Edit) and connect to the
replicated partition by following these steps:
1. Start the ADAM ADSI Edit tool on the replica server.
2. Right-click the ADAM ADSI Edit root in the treeview pane and select "Connect
   to."
3. Enter a connection name and leave the server name as localhost and the port as
   389 (unless you changed the port during installation).
4. Under "Connect to the following node," select the "Distinguished name (DN) or
   naming context" option and enter the name of the partition you've replicated.
5. Click OK.
If the replica addition worked, ADSI Edit now displays the contents of your partition. It's
a good idea to create an object in one copy of the replica and make sure it's replicated to
the other members of the replica set. If the partition doesn't appear on the replica, it
hasn't replicated yet. If this occurs, you can try stopping and starting the ADAM service
on the replica system, then try to reconnect.

Q. How can I add an Active Directory Application Mode (ADAM) replica to an


existing ADAM instance?

A. ADAM lets you replicate partitions between ADAM servers. Like trees in an AD
forest, the ADAM servers must share a common configuration and schema to replicate a
partition. To add a replica to an existing ADAM instance, perform the following steps:
1. Double-click adamsetup.exe.
2. At the "Welcome to the Active Directory Application Mode Setup Wizard" screen,
   click Next.
3. Select the "I accept the terms in the license agreement" option and click Next.
4. Under the installation options, select to install "ADAM and ADAM
   administration tools" and click Next.
5. You can now select the type of instance to create--a new unique instance or a
   replica of an existing instance. Select the "A replica of an existing instance"
   option and click Next.
6. Enter the instance name for this ADAM installation. This name, with the prefix
   ADAM_ added to it, names the service--for example, if you enter the name
   portal1, the service name is ADAM_portal1. Click Next. To simplify matters, you
   might want to give this instance the same name as the instance you're replicating
   from.
7. Next, you're asked to specify the Lightweight Directory Access Protocol (LDAP)
   ports to use. Enter the port numbers you want and click Next. For more
   information about LDAP ports, see the FAQ "How do I install Active Directory
   Application Mode (ADAM)?"
8. At the next window, enter the name of the existing server and the LDAP port
   of the instance you want to join. (Specify a host or DNS name for the server
   name, not an IP address.) Click Next.
9. You're asked for credentials to be used to add this ADAM instance to the existing
   configuration set. Either select the current logged-on account or enter an account
   to use; click Next.
10. A list of partitions that are available on the existing ADAM server is displayed.
   Select the partitions you want to replicate and click Next.
11. Proceed with the steps as if you're performing a unique ADAM installation, as
   described in "How do I install Active Directory Application Mode (ADAM)?".

Q. How can I install Active Directory Application Mode (ADAM)?

A. Download the ADAM installation file at


http://www.microsoft.com/windowsserver2003/adam/default.mspx and execute it. The
file self-expands to a folder you select. Navigate to the selected folder and perform the
following steps:
1. Double-click adamsetup.exe.
2. At the "Welcome to the Active Directory Application Mode Setup Wizard" screen,
   click Next.
3. Select the "I accept the terms in the license agreement" option and click Next.
4. Under the installation options, select to install "ADAM and ADAM
   administration tools" and click Next.
5. In the next window, select the type of instance to create--a new unique instance
   or a replica of an existing instance. Select the "A unique instance" option and
   click Next.
6. Enter the instance name for this ADAM installation. This name, with the prefix
   ADAM_ added to it, names the service; for example, if you enter the name
   portal1, the service name is ADAM_portal1. Click Next.
7. Next, you must specify the Lightweight Directory Access Protocol (LDAP) ports
   to use. By default, the ports are 389 for regular communications and 636 for
   Secure Sockets Layer (SSL)-encrypted LDAP communications. If you're
   installing ADAM on an existing domain controller (DC), these ports are already
   in use, so you'll have to select other ports. Also, if you're installing a second
   instance of ADAM on a system and the first instance already uses ports 389 and
   636, you'll need to select different port numbers. The recommended custom ports
   start at 50000, so you could use 50000 for LDAP and 50001 for SSL. Enter your
   port numbers and click Next.
8. You're then asked whether you want to create an application partition. If you
   select "Yes, create an application directory partition", you must enter a valid
   partition name--for example,
   "cn=App1,o=Savilltech,c=US"
   Click Next.
9. Choose the location for the database files and recovery files. You can accept the
   defaults (C:\program files\microsoft adam\<instance name>\data) or enter a
   custom location. Click Next.
10. Specify the account to run the ADAM service. In most cases you can use the
   default, "Network service account." Click Next. When the machine on which
   you're installing ADAM isn't in a domain and you select the Network service
   account, the wizard tells you that ADAM won't be able to replicate with other
   machines.
11. Next, you're prompted to specify the ADAM default administrator. By
   default, this is the current user; alternatively, you can select "This account" and
   specify a different user or group--for example, the Domain Admins group. Click
   Next.
12. In the next window, you can select the LDAP Data Interchange Format (LDIF)
   files to load. LDIF files define attributes and classes that will be added to your
   schema. For example, you can add the MS-InetOrgPerson type (i.e., the
   InetOrgPerson user definition). Select the "Import the selected LDIF files for
   this instance of ADAM" option, add the .ldf files you want to import to the
   "Selected LDIF files" list, and click Next.
13. At the summary screen, click Next.
14. After the ADAM installation is done, click Finish.
ADAM is now installed. You can check your installation by starting the ADAM ADSI
Edit tool and making sure you can connect. If you run the command
net start
at a command prompt, you'll see a service listed under your instance's display name
(the display name omits the ADAM_ prefix that the underlying service name carries). If
you received an error during installation about creating a folder in the \windows\adam
folder, simply manually create an empty \adam folder under the \windows folder and
retry the installation.

Q. Why can I use only the NetBIOS domain name and not the DNS domain name to join a
computer to a domain that's been upgraded from Windows NT Server 4.0 to Windows
Server 2003 or Windows 2000 Server?

A. After you've upgraded an NT-based domain to Active Directory (AD), you should be able to use either
the domain's NetBIOS name (e.g., savilltech) or its DNS name (e.g., savilltech.com) to join computers to
the domain. If you can join a computer to the domain only by using its NetBIOS name, an incorrect DNS
configuration might be the source of the problem. You can check a system's DNS configuration by entering
the following lines at the command prompt. (The text that's enclosed in quotes represents messages that are
displayed after you type the indicated commands.)

nslookup
"Default Server: omega.savilltech.com
Address: 10.0.0.1"

set type=srv
_ldap._tcp.savilltech.com
"Server: omega.savilltech.com
Address: 10.0.0.1"

"_ldap._tcp.savilltech.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = omega.savilltech.com
omega.savilltech.com internet address = 10.0.0.1"

exit
Instead of _ldap._tcp.savilltech.com, enter _ldap._tcp, followed by your DNS domain name. If the
nslookup command finds DNS records, your system's DNS configuration is probably correct. If nslookup
finds no DNS records, check your DNS entries and, if they're correct, check the DNS server itself.

If your DNS configuration is in order, your domain controllers (DCs) might have the NT4Emulator registry
entry enabled, which means they're emulating NT 4.0 DCs and thus won't respond to AD-style requests.
You can test whether NT4Emulator is enabled on your DCs by configuring the neutralize NT4Emulator
option on the client you're trying to join to the domain:

Start the registry editor (regedit.exe).


Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters subkey.
From the Edit menu, select New and click DWORD Value.
Enter the name NeutralizeNT4Emulator and press Enter.
Double-click the value and set it to 1. Click OK.
Close the registry editor.
You don't need to restart the computer or log off; just try again to join the computer to the domain by using
the DNS domain name. If the computer joins the domain successfully, you must either disable the
NT4Emulator on the DCs or configure the NeutralizeNT4Emulator value on all machines on which you
want to use the DNS name for the domain.
Q. How can I determine whether my new Global Catalog (GC) is ready to service
clients?

A. When you enable a domain controller (DC) as a GC, the DC can't start offering the GC
service immediately. If the forest has multiple domains, the new GC must first replicate
the partial, read-only replicas of the other domains from an existing GC. By default, the
new GC also waits at least 5 minutes before advertising itself as a GC. You can check the
Directory Service event log for event ID 1119, which confirms the server is now a GC.
If you want to automatically check the status of a new GC, you can create the following
VBScript script on the DC:
Set objRootDSE= GetObject("LDAP://RootDSE")
Wscript.Echo "GC ready: " & objRootDSE.Get("isGlobalCatalogReady")
Save the code in a file called gcready.vbs. Then, to run the script, enter the command
cscript gcready.vbs

Q. How can I check the status of the Relative Identifier (RID) pool on a domain
controller (DC)?

A. Windows gives every DC a pool of RIDs and adds to the pool as necessary in batches
of 500. To check the range of RIDs in a current pool, run the command
dcdiag /v /test:ridmanager
where /v specifies verbose mode and /test:ridmanager tells the command to run only the
RID Manager test and not the other default tests.
The command displays the next RID that will be allocated to an object created on the DC
and the range of currently allocated RIDs, as in the following sample output:
Testing server: Gotham\VPC2003DC1MN
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: Advertising
Test omitted by user request: KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2608 to 1073741823
* omega.savilltech.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2108 to 2607
* rIDPreviousAllocationPool is 2108 to 2607
* rIDNextRID: 2156
......................... VPC2003DC1MN passed test RidManager
In this example, RIDs are being issued from the range 2108 through 2607, and the next
RID that will be allocated is 2156, so 452 RIDs (2156 through 2607, inclusive) remain
unallocated in the pool.
Notice that in this sample output, rIDAllocationPool and rIDPreviousAllocationPool are
the same. That won't always be the case, however. rIDPreviousAllocationPool is the pool
that RIDs are currently being taken from for object SID allocation. When more than a
specified percentage of RIDs in this pool have been allocated (50 percent for Windows
2000 Service Pack 4--SP4--and later), the DC asks the DC that holds the RID Flexible
Single-Master Operation (FSMO) role for another batch of RIDs, which it stores in
rIDAllocationPool. When rIDPreviousAllocationPool is totally depleted, the DC copies the
RIDs from rIDAllocationPool into rIDPreviousAllocationPool and starts issuing from the
new batch. This process ensures that a temporary interruption in communication with the
RID FSMO DC doesn't prevent DCs from creating new objects because their RID pools
are exhausted. If dcdiag reports that DsBind with the RID Master failed, fix that before
the standby batch runs out, because a DC with no RIDs can't create any security
principals.
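The following Python script is an added example (not from the original FAQ) that turns the explanation above into a check you can run against saved dcdiag output: it parses the RidManager section, computes how many RIDs remain (treating the ranges as inclusive, as the worked figure above does), and warns when the active pool has crossed the 50 percent request threshold without a fresh batch showing up in rIDAllocationPool, or when the bind to the RID master failed. The sample text is the output quoted above, embedded as a constructed string so the script runs offline; the 50 percent threshold is the post-SP4 default described in the text.

```python
"""Parse the RidManager section of `dcdiag /v /test:ridmanager` output and
report how much of the DC's RID pool is left.

Added example, not from the original FAQ. SAMPLE_DCDIAG is the output quoted
in the FAQ, reproduced here as a constructed string so the parser runs offline.
"""
import re

SAMPLE_DCDIAG = """\
Starting test: RidManager
   * Available RID Pool for the Domain is 2608 to 1073741823
   * omega.savilltech.com is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 2108 to 2607
   * rIDPreviousAllocationPool is 2108 to 2607
   * rIDNextRID: 2156
   ......................... VPC2003DC1MN passed test RidManager
"""

# "* <name> is <lo> to <hi>"; the domain-wide line has a longer prefix.
_RANGE = re.compile(r"\*\s*(?:Available RID Pool for the )?(\w+) is (\d+) to (\d+)")
_NEXT = re.compile(r"\*\s*rIDNextRID:\s*(\d+)")
_MASTER = re.compile(r"\*\s*(\S+) is the RID Master")


def parse_rid_section(text):
    """Return the fields of the RidManager test as a dict of ints/tuples."""
    info = {}
    for m in _RANGE.finditer(text):
        info[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    m = _NEXT.search(text)
    if m:
        info["rIDNextRID"] = int(m.group(1))
    m = _MASTER.search(text)
    if m:
        info["ridMaster"] = m.group(1)
    info["bindOk"] = "DsBind with RID Master was successful" in text
    return info


def analyse_rid_pool(text, request_threshold=0.5):
    """Summarise pool usage.

    Ranges are inclusive, so with rIDNextRID 2156 and a pool ending at 2607
    there are 452 RIDs left. request_threshold is the fraction of the active
    pool that must be used before the DC asks the RID master for a new batch
    (50 percent from Windows 2000 SP4 on).
    """
    info = parse_rid_section(text)
    lo, hi = info["rIDPreviousAllocationPool"]   # the pool RIDs are issued from
    nxt = info["rIDNextRID"]
    size = hi - lo + 1
    used = nxt - lo
    remaining = hi - nxt + 1
    standby_ready = info["rIDAllocationPool"] != info["rIDPreviousAllocationPool"]
    warnings = []
    if used / size >= request_threshold and not standby_ready:
        warnings.append("over request threshold but no new batch from the RID master yet")
    if not info["bindOk"]:
        warnings.append("cannot bind to RID master; pool will not be refilled")
    return {
        "master": info.get("ridMaster"),
        "domain_pool": info.get("Domain"),
        "active_pool": (lo, hi),
        "next_rid": nxt,
        "remaining": remaining,
        "percent_used": round(100 * used / size, 1),
        "standby_block_ready": standby_ready,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in analyse_rid_pool(SAMPLE_DCDIAG).items():
        print(f"{key}: {value}")
```

Feed it the real output of `dcdiag /v /test:ridmanager` (for example, redirected to a file on each DC) and alert on a non-empty warnings list; a DC that can't reach the RID master and has no standby batch will start failing account creation once the remaining count hits zero.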

Q. Can I change the Relative Identifier (RID) of a built-in object?

A. The RID values are hard-coded in the Windows OS code through header files and
shouldn't be changed. Even if you did manage to change a RID, much of the internal OS
code refers to the built-in objects by their RIDs instead of their names. Thus, changing
the RIDs could cause a lot of problems for your Windows systems.

Q. What are the Relative Identifiers (RIDs) of a domain's built-in accounts?

A. Every security principal in a domain (user, group, or computer) has a SID, which
consists of the domain's SID followed by a RID. For built-in accounts and groups, these
RIDs are hard-coded and are the same in every domain. The best-known values are
 Administrator, RID 500 (user)
 Guest, RID 501 (user)
 krbtgt, RID 502 (user)
 Domain Admins, RID 512 (group)
 Domain Users, RID 513 (group)
 Domain Guests, RID 514 (group)
 Domain Computers, RID 515 (group)
 Domain Controllers, RID 516 (group)
 Schema Admins, RID 518 (group)
 Enterprise Admins, RID 519 (group)
The fact that RIDs are hard-coded explains why merely renaming, say, the domain's
Administrator account doesn't thwart an intruder, who can simply locate the account by
looking for the SID that ends in RID 500. However, you can create a honeypot by renaming
the Administrator account and creating a new account called Administrator that has no
permissions. You can use the bogus Administrator account to fool attackers into attacking
it, then log the attacks and delay any real damage to the bona fide Administrator account.
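The following Python script is an added example (not from the original FAQ) of the point above, seen from both sides: given account names and their SIDs, it identifies the built-in principals by RID regardless of what they've been renamed to, and flags an account that carries a built-in name but not the matching RID, which is exactly what the honeypot described above looks like. The domain SID S-1-5-21-111-222-333, the account names and the non-built-in RIDs are constructed for the demonstration; the RID table holds only the standard, documented values.

```python
"""Identify well-known domain accounts by RID rather than by name.

Added example, not from the original FAQ. SAMPLE_ACCOUNTS is constructed for
a fictitious domain (S-1-5-21-111-222-333); WELL_KNOWN_RIDS holds only the
standard, documented RIDs of built-in domain principals.
"""
import re

WELL_KNOWN_RIDS = {
    500: ("Administrator", "user"),
    501: ("Guest", "user"),
    502: ("krbtgt", "user"),
    512: ("Domain Admins", "group"),
    513: ("Domain Users", "group"),
    514: ("Domain Guests", "group"),
    515: ("Domain Computers", "group"),
    516: ("Domain Controllers", "group"),
    518: ("Schema Admins", "group"),
    519: ("Enterprise Admins", "group"),
}

# Domain account SIDs have the form S-1-5-21-<three sub-authorities>-<RID>.
_SID = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID; raise ValueError otherwise."""
    m = _SID.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    rid_text = m.group(1)
    return sid[: -len(rid_text) - 1], int(rid_text)


def classify_accounts(accounts):
    """accounts: iterable of (sAMAccountName, objectSid as a string).

    Returns findings as (name, rid, description): the real identity behind each
    well-known RID (noting renames), plus any account that carries a built-in
    name without the matching RID, i.e. a decoy.
    """
    builtin_names = {name.lower(): rid for rid, (name, _) in WELL_KNOWN_RIDS.items()}
    findings = []
    for name, sid in accounts:
        _, rid = split_sid(sid)
        if rid in WELL_KNOWN_RIDS:
            real, kind = WELL_KNOWN_RIDS[rid]
            renamed = " (renamed)" if name.lower() != real.lower() else ""
            findings.append((name, rid, f"built-in {kind} {real}{renamed}"))
        elif name.lower() in builtin_names:
            findings.append((name, rid,
                             f"decoy: name of RID {builtin_names[name.lower()]} but RID {rid}"))
    return findings


# Constructed sample: the real administrator was renamed to "svc-backup" and a
# permission-less decoy named "Administrator" (RID 1105) was created.
SAMPLE_ACCOUNTS = [
    ("svc-backup", "S-1-5-21-111-222-333-500"),
    ("Administrator", "S-1-5-21-111-222-333-1105"),
    ("jdoe", "S-1-5-21-111-222-333-1106"),
    ("Domain Admins", "S-1-5-21-111-222-333-512"),
]

if __name__ == "__main__":
    for finding in classify_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```

An attacker enumerating the directory does the same thing with the objectSid attribute, which is why the honeypot only buys you logging and delay, not protection; the renamed account still needs a strong password and monitoring of its logons.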

Q. What's the DNS _msdcs zone for the forest root domain used for?


A. Active Directory (AD) uses DNS as its locator service to support the various types of
services that AD offers, such as Global Catalog (GC), Kerberos, and Lightweight
Directory Access Protocol (LDAP). Other non-Microsoft services can be advertised in the
DNS, including--but not restricted to--non-Microsoft implementations of LDAP and GC.
However, sometimes clients might need to contact a Microsoft-hosted service. For that
reason, each domain in DNS has an _msdcs subdomain that hosts only DNS SRV records
that are registered by Microsoft-based services. The Netlogon process dynamically
creates these records on each domain controller (DC). The _msdcs subdomain also
includes the globally unique identifier (GUID) for all domains in the forest and a list of
GC servers.
If you install a new forest on a system that runs Windows Server 2003 and let the
Dcpromo wizard configure DNS, Dcpromo will actually create a separate zone called
_msdcs.<forest name> on the DNS server. This zone is configured to store its records in a
forestwide application directory partition, ForestDNSZones, which is replicated to every
DC in the forest that runs the DNS service. This replication makes the zone highly
available anywhere in the forest.

DNS FAQs

Q. How can I specify a forwarding condition for a DNS domain?

A. To specify conditional forwarding for a DNS domain, perform these steps:


1. Log on as a domain administrator on each DNS server for which you want
   to add conditional forwarding.
2. Start the Microsoft Management Console (MMC) DNS snap-in (Start, Programs,
   Administrative Tools, DNS).
3. Right-click the DNS server and select Properties.
4. Select the Forwarders tab.
5. Click the New button in the DNS domain section.
6. Enter the name of the DNS domain to which the forwarding will apply--
   for example, savilltech.net--and click OK.
7. Enter the IP addresses of the DNS servers in the forwarded DNS domain
   by typing the addresses one at a time in the Add field and clicking Add. You
   should add multiple entries for the DNS servers that service the zone for which
   you're forwarding. After you finish entering addresses, click OK.
After you've enabled conditional DNS forwarding, you should test whether it's working
by performing a DNS resolution request for hosts that are in the DNS domains for which
you've configured conditional forwarding. For example, to perform a test, you can use the
Nslookup command to query DNS for records that would be serviced in the forwarded
DNS domain.

Q. What's conditional DNS forwarding?

A. Windows 2000 Server DNS can forward DNS resolution requests that a DNS server
can't resolve locally. This forwarding occurs when the request is for a domain for which
the DNS server isn't authoritative and the request isn't in the DNS server's cache waiting
to be forwarded to another DNS server. The ability to forward DNS resolution requests is
a global setting that applies to all unresolvable addresses.
Windows Server 2003 offers the ability to forward unresolvable requests to different
DNS servers. Depending on the domain in which the request originated and whether the
request matches multiple defined forwarding rules, the DNS server uses the IP address
that corresponds to the forwarding rule that most closely matches the resolution request.
For example, if a DNS server has forwarding configured as the table shows, the DNS
server will forward a request for host143.marketing.ntfaq.com to 192.168.40.40, because
that IP address is a closer match to marketing.ntfaq.com than it is to ntfaq.com.
Conditional DNS forwarding is a useful feature that avoids the usual recursive nature of
DNS resolution requests, in which DNS must first find DNS servers for .com, then
ntfaq.com, and so on. If you have a large namespace, you might consider using
conditional DNS forwarding to speed up resolution requests. This feature is also useful
for connecting two organizations, especially if one organization uses a nonstandard
namespace--for example, savilltech.local--that the typical DNS name-resolution process
would never find.
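The closest-match rule described above, as an added example that is not part of the original FAQ: it selects a forwarder by the longest matching domain suffix, comparing whole labels so that a rule for marketing.ntfaq.com does not match xmarketing.ntfaq.com, and falls back to the global forwarders when no rule applies. The 192.168.40.40 address for marketing.ntfaq.com is the one in the text; the other addresses in the rule table are constructed.

```python
"""Conditional-forwarder selection by longest matching domain suffix.

Added example, not the original FAQ's or Microsoft's code. It models the
rule stated in the text: a query goes to the forwarder whose configured
domain most closely matches the queried name; with no matching rule the
global forwarder list is used. Only 192.168.40.40 comes from the text.
"""
from typing import Dict, List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def matches_domain(qname: str, domain: str) -> bool:
    """True if qname is domain itself or lies beneath it on a label boundary.

    Comparing whole labels matters: host.xmarketing.ntfaq.com must not match a
    rule for marketing.ntfaq.com even though the string ends with it.
    """
    q, d = _labels(qname), _labels(domain)
    return len(q) >= len(d) and q[len(q) - len(d):] == d


def select_forwarders(qname: str,
                      conditional: Dict[str, List[str]],
                      global_forwarders: List[str]) -> List[str]:
    """Return the forwarder list to use for qname.

    The matching rule with the most labels (closest match) wins. Two
    distinct rules with the same label count cannot both match one name,
    so no tie-break is needed. With no matching rule, use the global list.
    """
    best: Optional[str] = None
    for domain in conditional:
        if matches_domain(qname, domain):
            if best is None or len(_labels(domain)) > len(_labels(best)):
                best = domain
    return conditional[best] if best is not None else global_forwarders


# Constructed rule table; only 192.168.40.40 comes from the FAQ text.
RULES = {
    "ntfaq.com": ["192.168.10.10"],            # constructed address
    "marketing.ntfaq.com": ["192.168.40.40"],  # address used in the text
}
GLOBAL = ["10.0.0.53"]                         # constructed global forwarder

if __name__ == "__main__":
    for name in ("host143.marketing.ntfaq.com",
                 "mail.ntfaq.com",
                 "host.xmarketing.ntfaq.com",
                 "www.example.org"):
        print(f"{name:32} -> {select_forwarders(name, RULES, GLOBAL)}")
```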

Q. How can I use the name domain.com for a domain when that name is hosted on a
DNS server that doesn't support service records?

A. Ideally, you'd migrate the DNS zone to a new Windows-based DNS server. If that isn't
possible, don't use domain.com for your Active Directory (AD) domain. Instead, use
either ads.domain.com or, if ads.domain.com isn't practical, domain.net.
There's no reason to use domain.com. However, if you must use it and can't move the
domain to another DNS server, you can delegate the four core subdomains that AD uses
to a Windows DNS server. These subdomains are
- _msdcs.domain.com
- _sites.domain.com
- _tcp.domain.com
- _udp.domain.com
You'd create subdomains as new zones on your Windows DNS server and enable
dynamic update. These zones would then contain all the service records that AD needs.


However, you'd still need to manually add a host (A) record in the main DNS zone for
domain.com for each domain controller's (DC's) IP address (e.g., domain.com IN A
128.10.20.12) and one host record per DC. Adding these records is easy, although you
must remember to update the A record if your IP addressing changes.

Q. How can I merge multiple primary versions of the same DNS zone for different
servers into one Active Directory-integrated zone?

A. Only one primary version of the DNS zone should exist for zones that aren't Active
Directory-integrated. If necessary, you can create additional secondary versions of zones
on other DNS servers to support fault tolerance and load balancing.
If you have multiple primary versions of a zone that isn't Active Directory-integrated,
those zones won't replicate or remain synchronized. Here are the possible actions that can
occur when you move these multiple versions into Active Directory (AD) for storage:
- After the first DNS server stores its zone information in AD, all subsequent DNS
servers lose their DNS zone content and use the first DNS server's zone
information in AD.
- As each DNS server is modified to store its information in AD, the new DNS zone
data overwrites the existing DNS zone data in AD.
- As each DNS server is modified to store its information in AD, the new DNS
server's data merges with the existing data.
When you opt to integrate the second instance of the zone (or any subsequent instance of
the zone on a different DNS server) in AD--as explained in the FAQ "How can I change
how DNS information is stored on a DNS server?"
(http://www.winnetmag.com/articles/index.cfm?articleid=43104)--you can choose
between the first and second options. In the Active Directory Service dialog box, which
the figure shows, you must select either "Discard the new zone, and load the
existing zone from Active Directory" or "Overwrite the existing zone in Active Directory
with the new zone." After you make your selection, click OK, then click OK again to
confirm it.

Q. How can I change how DNS information is stored on a DNS server?

A. In Windows Server 2003, DNS information can be stored in the following ways:
- in the usual zone file type storage
- in the Active Directory (AD) domain partition
- in a domain-specific application partition that's replicated only to DNS servers in
the domain
- in a forestwide application partition that's replicated only to DNS servers in the
forest
- in a custom application partition that an administrator manually creates
To change how DNS information is stored, perform the following steps:
1. Start the Microsoft Management Console (MMC) DNS snap-in (Start,
Programs, Administrative Tools, DNS).
2. Expand the "Forward Lookup Zones" leaf.
3. Right-click the zone whose storage you want to modify and select
Properties.
4. Select the General tab. You'll see a dialog box like the one in the figure.
5. Click the Change button to the right of the Type: entry.
6. The Change Zone Type dialog box is displayed. To store DNS information
in an AD domain partition, select the "Primary zone" zone type. (You must
select "Primary zone" to use any option other than file-type storage.)
Select the "Store the zone in Active Directory (available only if the DNS
server is a domain controller)" check box and click OK.
7. If you've opted to store the data in AD, you can now change how it's
replicated. To do so, click the Change button to the right of the
Replication: entry on the zone properties General tab; the Change Zone
Replication Scope dialog box will appear.
8. You can choose to replicate the data to all DNS servers in the forest, to the
domain, or to all DCs in the domain. After you select an option, click OK.
9. Click OK on the zone properties General tab to accept the changes.

In a multi-DNS server environment, how do I configure the DNS servers to resolve
both local and remote hosts?

A. Windows 2000, Windows NT, and Windows 9x let you identify multiple DNS servers.
So, for example, you might have a local DNS server on your network and a remote DNS
server if you connect to the Internet. In this situation, if you list your local DNS server
first, you might not be able to resolve remote names, and if you list the remote DNS
server first, you might not be able to resolve local names.
In a multiple DNS server environment, if a client queries the first DNS server and that
server doesn't respond, the client will query the second DNS server. If the first DNS
server (e.g., a local DNS server that doesn't know about a remote host) responds with an
unknown host, then the client won't query other DNS servers. Instead, the client will
resort to using other methods (e.g., LMHOSTS, WINS) to resolve the domain name.
To work around this problem, you need to configure your machines to forward DNS
information, which typically means configuring local DNS server information on the
clients and configuring the local DNS servers to forward unknown requests to the remote
DNS servers.

After I promote my Windows 2000 domain controller (DC), its DNS suffix doesn't
match the domain name. How can I fix this problem?

A. After you run DCPromo, you might receive a NetLogon event (ID 5781) or other
dynamic registration errors in the System event log indicating failure to dynamically
register DNS records.


You can't rename the computer on the Network Identification tab. To correct this
namespace problem, complete the following steps:

1. Use DCPromo to demote the DC to a member server.
2. In the Control Panel, double-click System, click the Network
Identification tab, and select the "Change primary DNS suffix when domain
membership changes" option.
3. Run DCPromo to promote the member server to a DC.
If you haven't run DCPromo yet, complete these steps:
1. After upgrading to Win2K, use regedt32 to navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
2. Set the data value of the SyncDomainWithMembership Value Name to 1. If you
must add this Value Name, it is a REG_DWORD data type.
To avoid this namespace problem when you perform future updates, you can use
slipstreaming (see the FAQ "How can I use slipstreaming to install Windows 2000 and a
service pack at the same time?").

How can I enable my web site to be accessible as ntfaq.com instead of
www.ntfaq.com?

A. We are all used to entering www.<domain> for a web site, such as
www.serverfaq.com; however, www is just a normal DNS host record, and if you want
your site to be accessible as just <domain>, e.g. yahoo.com, create a blank host
record.
In Windows 2000, to create a blank host record for the domain perform the following:
1. Start the DNS MMC snap-in (Start - Programs - Administrative Tools -
DNS)
2. Expand the server - forward lookup zones - DNS domain
3. Right click on the domain and select 'New Host'
4. Leave the name blank and just enter the IP address (check the create
associated pointer record box)
5. Click Add Host
A new host record will be listed of the form:
(same as parent folder) Host <ip address>
To do this on NT 4.0 for the domain ntfaq.com at address W.X.Y.Z, do the following:
1. Stop the DNS service:
C:\> net stop dns
2. Edit the file ntfaq.com.dns (found at %systemroot%\system32\dns\*.dns)
3. Find a record that looks like:
www IN A W.X.Y.Z
4. Add the following record below it:
@ IN A W.X.Y.Z
5. Save the file
6. Restart the DNS service:
C:\> net start DNS


How can I configure DNS to use a WINS server?

A. It is possible to configure DNS to use a WINS server to resolve the host name of a
Fully Qualified Domain Name (FQDN).
1. Start DNS manager (Start - Programs - Administrative Tools - DNS
Manager)
2. Right click on the zone for which you want to use WINS lookup and select
Properties
3. Click the "WINS Lookup" tab
4. Select the "Use WINS Resolution" check box and then enter the WINS
server IP address and click ADD
5. Click OK when finished

How do I turn off Dynamic DNS?

A. By default, the TCP/IP stack in NT 5.0 Beta 2 (and later builds) attempts to register its
Host (A) record with its DNS server. This makes sense in an all NT (Windows 2000)
environment. But if you are using a static, legacy DNS server, the DNS guys might not
like all the 'errors' this shows up on their server since the DNS servers will not understand
these "updates".
You will get errors such as:
- Dnsapi
- Failed to register network adapter with settings
- Sent update to server
To make the clients stop attempting to publish their DNS names/addresses to the DNS
server perform the following:
1. Log on to each client as Administrator
2. Start the registry editor (regedit.exe)
3. Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
4. From the Edit menu select New - DWORD value
5. Enter a name of DisableDynamicUpdate and press Enter
6. Double click on the new value and set to 1. Click OK
If you have multiple adapters in the machine you may not want to disable for all so
instead of setting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Di
sableDynamicUpdate to 1, set as 0 and then move to the sub key Interfaces\<interface
name> and create the DisableDynamicUpdate value there and set to 1.
If you needed to perform this on a large number of machines you should create a reg
script or set from the login script.

How do I configure a forwarder on DNS 5.0?


A. If you create a DNS server on your network but it is not the main DNS server, i.e. your
organization has a central main DNS server, you will want to
forward queries your DNS server cannot service to that DNS server.
This is because only certain servers in your network will have access to DNS servers
outside your network (due to firewalls etc) and thus your (departmental?) DNS server
cannot access the DNS servers higher up in the DNS hierarchy. To configure a forwarder
perform the following:
1. Start the DNS Management MMC snap-in (Start - Programs -
Administrative Tools - DNS Management)
2. Right click on the DNS server and select Properties
3. Select the "Forwarders" tab
4. Check the "Enable forwarder(s)" box
5. Enter the IP address of the DNS server and click Add
6. Click OK
7. Close the DNS Management snap-in

If you are missing the Forwarders tab or it's not available, see the FAQ "I am missing the
Forwarders and Root Hints tabs in DNS 5.0".

How do I enable DNS round robin resolution?

A. Recent Windows NT service packs introduced LocalNetPriority, which tries to return
Host resources that are local to the requestor instead of using round robin; however, round
robin can be enabled as follows:
1. Start the registry editor (regedit.exe)
2. Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. From the Edit menu select New - DWORD Value
4. Enter a name of LocalNetPriority and press Enter
5. Double click the new value and set to 0 to disable LocalNetPriority and
re-enable round robin. Click OK
6. Close the registry editor
7. Stop and restart the DNS service

DNS resolution of a valid domain fails on NT.

A. If you are running NT4 DNS with either SP4 or SP5 installed, you may find that a domain
that resolves on Unix DNS servers times out when you do an NSLOOKUP on NT.
This is a known bug; a Quick Fix Engineering patch for NT bug 267085 is available
from Microsoft support, or wait for SP6 to come out.

How can I force a Windows 2000 domain controller to re-register its DNS entries?

A. To re-register the domain controller DNS entries perform one of the following:


1. Stop and start the Netlogon service, which will re-register all SRV records
in the netlogon.dns file.
2. Run Netdiag /fix, which will also do this.
3. Run Ipconfig /registerdns.

How can I stop DNS Cache pollution?

A. DNS cache pollution can occur if Directory Naming Service (DNS) "spoofing" has
been encountered. The term "spoofing" describes the sending of non-secure data in
response to a DNS query. It can be used to redirect queries to a rogue DNS server and can
be malicious in nature.
Windows NT DNS can be configured to filter out responses to unsecured records by
performing the following:
1. Start the registry editor (regedit.exe)
2. Move to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
3. From the Edit menu select New - DWORD value
4. Enter a name of SecureResponses and press Enter
5. Double click on the new value and set to 1. Click OK
The following is taken from Knowledge base article Q198409 which helps understand
this more:
"Examples: DNS server makes MX query for domain.samples.microsoft.com to
samples.microsoft.com's DNS server. The samples.microsoft.com DNS server responds
but includes A record for A.ROOT-SERVERS.NET giving its own address. The rogue
DNS server has then gotten itself set up as a root server in your DNS server's cache. Less
malicious, but more common, are referral responses (or direct responses from BIND, see
WriteAuthorityNs for discussion) that contain records for the DNS of an ISP: Authority
section:
new.samples.microsoft.com NS ns.new.samples.microsoft.com.
new.samples.microsoft.com NS ns.isp.samples.microsoft.com.
Additional section:
ns.new.samples.microsoft.com. A 1.1.1.1
ns.isp.samples.microsoft.com. A 2.2.2.2
NOTE: The address record for the ISP happens to be old/stale. If SecureResponses is on,
records that are not in a subtree of the zone queried are eliminated. For example, in the
example above, the samples.microsoft.com. DNS server was queried, so all the
samples.microsoft.com records are secure, but the ns.isp.microsoft.com. A record is not in
the samples.microsoft.com. subtree, and is not cached or returned by the DNS server."
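The SecureResponses rule from the excerpt above, as an added example that is neither the FAQ's nor Microsoft's code: records whose owner name is outside the subtree of the zone that was queried are rejected before caching. The response is constructed from the names in the KB excerpt (samples.microsoft.com, ns.new.samples.microsoft.com, A.ROOT-SERVERS.NET); the ISP name ns.isp.example.net and all addresses except 1.1.1.1 and 2.2.2.2 are made up.

```python
"""Bailiwick filtering of DNS response records (SecureResponses behaviour).

Added example, not the original FAQ's or Microsoft's code. After querying a
zone's server, only records whose owner name lies within that zone's subtree
are accepted into the cache; anything else, such as a glued-in A record for a
root server, is discarded. The response below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "A", "NS", "MX", ...
    data: str    # rdata as text


def _labels(name: str) -> List[str]:
    """Lower-cased labels of a DNS name, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_subtree(name: str, zone: str) -> bool:
    """True when name equals zone or is below it, compared label by label."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(queried_zone: str,
                    records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response into (cacheable, rejected) for the zone that was queried."""
    keep: List[RR] = []
    drop: List[RR] = []
    for rr in records:
        (keep if in_subtree(rr.name, queried_zone) else drop).append(rr)
    return keep, drop


# Constructed reply from the samples.microsoft.com server to an MX query.
RESPONSE = [
    RR("domain.samples.microsoft.com.", "MX", "10 mail.domain.samples.microsoft.com."),
    RR("new.samples.microsoft.com.", "NS", "ns.new.samples.microsoft.com."),
    RR("ns.new.samples.microsoft.com.", "A", "1.1.1.1"),
    # Out-of-bailiwick additional records: a root server (name from the KB
    # excerpt, address constructed) and an ISP name server (constructed name).
    RR("A.ROOT-SERVERS.NET.", "A", "203.0.113.1"),
    RR("ns.isp.example.net.", "A", "2.2.2.2"),
]

if __name__ == "__main__":
    cacheable, rejected = filter_response("samples.microsoft.com", RESPONSE)
    for rr in cacheable:
        print("cache :", rr.name, rr.rtype, rr.data)
    for rr in rejected:
        print("reject:", rr.name, rr.rtype, rr.data)
```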

DHCP FAQs


How often do DHCP servers authorize with Active Directory (AD)?

A. Before a Windows 2000 Server or later DHCP server that's either part of a domain or
on a network that has an AD domain can start its DHCP service, the service must be
authorized with AD. When the DHCP service starts, it queries AD to confirm its
authorization status and continues to query AD every 60 minutes thereafter to confirm
that it's still authorized.
DHCP servers that are members of a workgroup send out DHCPINFORM messages
asking other DHCP servers on the network to respond. If a DHCP server that's part of an
AD domain responds, the DHCP service won't start.
You can change the 60-minute authorization check by performing this registry change:
1. Start the registry editor (regedit.exe).
2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
registry subkey.
3. From the Edit menu, select New, DWORD value.
4. Enter the name RogueAuthorizationRecheckInterval and press Enter.
5. Double-click the new value and set it to the number of minutes between
authorization checks (e.g., 120 for 2 hours) and click OK.
To disable DHCP server authorization checks, perform these steps:
1. Start the registry editor.
2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
subkey.
3. From the Edit menu, select New, DWORD value.
4. Enter the name DisableRogueDetection and press Enter.
5. Double-click the new value and set it to 1. Click OK.

How do I run the DHCP service on a domain controller (DC) by using an account
other than the DC's account?

A. After you install DHCP on a DC, for security purposes you might want to configure
the DHCP service to run under a specific set of credentials other than the DC's computer
account. When running on the DC account, the DHCP service could overwrite dynamic
records that shouldn't be modified (e.g., the DC's service records), thereby posing a
potential security risk.
You can reduce this risk by running the DHCP service under alternate credentials, which
you configure by running this command:
netsh dhcp server set dnscredentials <username> <domain> <password>
You can use any account with this command; just make sure to set its password to not
expire.

Why is my Windows XP DHCP client address set to 0.0.0.0?


A. You might experience a problem with the DHCP client address if you uninstall
Symantec's Norton AntiVirus but leave the application listed as a dependency for the
DHCP service. If you check the System log, you might notice the following error:
Error 7003 - DHCP service failed to start because dependency service
SYMTDI will not start.
To resolve this problem, perform the following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
registry subkey.
3. Double-click DependOnService.
4. Remove SYMTDI from the list, then click OK.
5. Restart the computer for the changes to take effect.

How can I configure my DHCP clients to request unicast responses from my DHCP
server?

A. Unicast is any network communication between a single
sender and a single receiver. DHCP server responses typically use multicast
communication to broadcast to all DHCP clients within a
limited broadcast address (e.g., 255.255.255.255). However, you can configure the
registry on Windows NT 4.0 or later DHCP servers to let clients request a unicast
response, rather than a multicast response, from the DHCP server by performing the
following steps:
1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
registry subkey.
3. Double-click IgnoreBroadcastFlag (or create this value of type DWORD if
it doesn't already exist).
4. Set IgnoreBroadcastFlag to 1 to ignore the DHCP client request flag and
always multicast responses, or 0 to let the client choose between unicast or
multicast, then click OK.
5. Close the registry editor.
6. Reboot the server.
Pre-NT 4.0 DHCP versions will ignore this registry setting.

How do I enable DHCP server logging?

A. To enable enhanced DHCP logging, perform the following steps:


1. Start the DHCP administration tool (go to Start, Programs, Administrative
Tools, and click DHCP).
2. Right-click the DHCP server, and select Properties from the context menu.
3. Select the General tab.
4. Select the "Enable DHCP audit logging" check box.
5. Click OK.


Windows 2000 will now create a DHCP log file in the %systemroot%\system32\dhcp
directory for each day using a DhcpSrvLog.XXX file format.
Common audit codes that might appear in the log include
 00—The log was started.
 01—The log was stopped.
 02—The log was temporarily paused due to low disk space.
 10—A new IP address was leased to a client.
 11—A lease was renewed by a client.
 12—A lease was released by a client.
 13—An IP address was found to be in use on the network.
 14—A lease request could not be satisfied because the scope's address pool was
exhausted.
 15—A lease was denied.
 16—A lease was deleted.
 17—A lease was expired.
 20—A BOOTP address was leased to a client.
 21—A dynamic BOOTP address was leased to a client.
 22—A BOOTP request could not be satisfied because the scope's address pool for
BOOTP was exhausted.
 23—A BOOTP IP address was deleted after verifying that it wasn't in use.
The DHCP Server uses codes above 50 for Rogue Server Detection information.
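A small parser for the DhcpSrvLog.XXX audit log, added here as an example that is not part of the original FAQ: it maps the codes listed above to descriptions, treats codes above 50 as rogue-server detection, and flags the events an administrator would want to review (address conflicts and pool exhaustion). The log lines are constructed and assume the comma-separated layout ID,Date,Time,Description,IP Address,Host Name,MAC Address; adjust the column handling if your files differ.

```python
"""Summarise a Windows 2000 DHCP audit log (DhcpSrvLog.XXX) by event code.

Added example, not the original FAQ's or Microsoft's code. The code table
is the one listed in the FAQ. The sample log is constructed and assumes
the column layout ID,Date,Time,Description,IP Address,Host Name,MAC Address.
"""
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

AUDIT_CODES = {
    0: "log started", 1: "log stopped", 2: "paused, low disk space",
    10: "new lease", 11: "lease renewed", 12: "lease released",
    13: "address already in use", 14: "address pool exhausted",
    15: "lease denied", 16: "lease deleted", 17: "lease expired",
    20: "BOOTP lease", 21: "dynamic BOOTP lease",
    22: "BOOTP pool exhausted", 23: "BOOTP address deleted",
}

# Codes worth an operator's attention: conflicts and exhausted pools.
ALERT_CODES = {13, 14, 22}


def describe(code: int) -> str:
    """Human-readable meaning of an audit code; >50 is rogue-server detection."""
    if code > 50:
        return "rogue server detection"
    return AUDIT_CODES.get(code, f"unknown code {code}")


def parse_log(text: str) -> List[Dict[str, object]]:
    """Return one dict per event line; free-text and column-name lines are skipped."""
    events: List[Dict[str, object]] = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue  # banner text, the column-name line, or a blank line
        row += [""] * (7 - len(row))  # tolerate short lines
        code = int(row[0])
        events.append({"code": code, "date": row[1], "time": row[2],
                       "desc": describe(code), "ip": row[4],
                       "host": row[5], "mac": row[6]})
    return events


def summarise(events: List[Dict[str, object]]) -> Tuple[Counter, List[Dict[str, object]]]:
    """Count events per description and pick out the ones that need review."""
    counts = Counter(str(e["desc"]) for e in events)
    alerts = [e for e in events
              if int(e["code"]) in ALERT_CODES or int(e["code"]) > 50]
    return counts, alerts


# Constructed sample log in the assumed DhcpSrvLog.XXX layout.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/15/04,09:00:00,Started,,,
10,03/15/04,09:02:13,Assign,192.168.1.20,ws01.example.com,0060B0123456
11,03/15/04,09:05:40,Renew,192.168.1.21,ws02.example.com,0060B0ABCDEF
13,03/15/04,09:07:02,Conflict,192.168.1.22,,
14,03/15/04,09:09:55,Pool exhausted,,,
51,03/15/04,09:10:00,Authorization succeeded,,,
"""

if __name__ == "__main__":
    counts, alerts = summarise(parse_log(SAMPLE_LOG))
    for desc, n in sorted(counts.items()):
        print(f"{n:4d}  {desc}")
    for e in alerts:
        print("REVIEW:", e["time"], e["code"], e["desc"], e["ip"])
```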

I used the DHCPEXIM tool to migrate a DHCP scope between machines. Now, why
is the system not granting any new IP leases?

A. The DHCPEXIM tool (from the Windows 2000 Resource Kit, Supplement 1) lets you
move scopes from one DHCP server to another. However, a bug causes the new scope not
to grant IP leases. To resolve this problem, perform the following steps:
1. Start regedit.exe.
2. Go to
HKEY_Local_Machine\Software\Microsoft\DhcpServer\Configuration\Subnets\
[IP address subnet]\IpRanges\[IP address start].
3. Double-click RangeFlags.
4. Set RangeFlags to 1, 2, or 3 where
- 1 = DHCP only
- 2 = BootP only
- 3 = Both (DHCP and BootP)
5. Click OK.
6. Close regedit.


Why is my DHCP server not releasing client address leases?

A. A known problem exists with the Windows 2000 DHCP server that causes the server
to ignore a lease release request from a client on another subnet because releasing the
lease causes the DHCP server to use its own IP address instead of the client's. This
problem occurs if you haven't defined a scope for the DHCP server's primary interface's
local subnet. To work around this problem, create a scope for the local subnet (you don't
have to activate it).
You can also manually delete the leases. Perform the following steps:
1. Start the Microsoft Management Console (MMC) DHCP snap-in (Start,
Programs, Administrative Tools, DHCP).
2. Select the Scope that contains the leases to be deleted.
3. Select the Address Leases container.
4. Right-click the lease to be deleted and select Delete.
5. Click OK to the confirmation.

How do I configure a client to use DHCP?

A. For NT Workstation and Windows 95 follow the instructions below:
1. Start the Network Control Panel applet by clicking on Network from Control
Panel (Start - Settings - Control Panel) or right click on Network Neighborhood
and select Properties
2. Click on the Protocol tab
3. Select TCP/IP and click Properties
4. Select "Obtain an IP address from a DHCP Service". DHCP settings will
only override the IP address and subnet mask configured locally. If you have
configured DNS, WINS etc. locally then the DHCP configuration will not
overwrite it.
For Windows 98:
1. Start the Network Control Panel applet by clicking on Network from Control Panel
(Start - Settings - Control Panel) or right click on Network Neighborhood and
select Properties
2. Select 'TCP/IP -> Adapter' and click Properties
3. Select the 'IP address' tab
4. Select "Obtain an IP address automatically".
For a Windows 2000 machine perform the following:
1. Right click on 'My Network Places' and select Properties
2. Right click on 'Local Area Connection' and select Properties
3. Select 'Internet Protocol (TCP/IP)' and click Properties
4. Select 'Obtain an IP address automatically' (and repeat for DNS) and click OK

What is DHCP?

A. DHCP stands for Dynamic Host Configuration Protocol and is used to automatically
configure a host during boot up on a TCP/IP network and also to change settings while
the host is attached.

This means that you can store all the available IP addresses in a central database along
with information such as the subnet mask, gateways, DNS servers etc.
The basic idea behind DHCP is that clients are configured to use DHCP instead of being
given a static IP address. When the client boots up it sends out a BOOTP request for an IP
address. A DHCP server then offers an IP address that has not been assigned from its
database, which is then leased to the client for a pre-defined time period.
If the DHCP client is Windows 2000 and no offer is made and IP auto-configuration has
not been disabled, the client will attempt to find and use an IP address not currently in use;
otherwise TCP/IP will be disabled.

How do I install the DHCP Server Service?

A. The DHCP server service can only be installed on an NT Server.
1. Start the Network Control Panel applet by clicking on Network from Control
Panel (Start - Settings - Control Panel) or right click on Network Neighborhood
and select Properties
2. Click on the Services tab and click Add
3. Select "Microsoft DHCP Server" and click OK
4. You will be prompted to insert the NT Server installation CD or say where
the i386 directory is
5. A warning appears that all local adapters must use a static IP address; click OK
6. Click Close and select Yes to reboot
Under Windows 2000 to install perform the following:
1. Start the Add/Remove Programs Control Panel applet (Start - Settings - Control
Panel - Add/Remove Programs)
2. In the left hand pane click 'Add/Remove Windows Components'
3. Click the 'Components' button to start the Components wizard
4. Click Next
5. Select 'Networking Services' and click Details
6. Check the 'Dynamic Host Configuration Protocol (DHCP)' option and click OK
7. Click Next and the relevant files and services will be configured.
8. Click Finish when all operations have completed
9. Click Close to the Add/Remove Programs dialog

How can I compress my DHCP database?

A. NT Server ships with a utility called JETPACK.EXE which can be used to compact
DHCP and WINS databases. To compact your DHCP database perform the following:
1. Start a command prompt (cmd.exe)
2. Enter the following commands
cd %SystemRoot%\SYSTEM32\DHCP
e.g. cd d:\winnt\system32\dhcp
net stop DHCPSERVER
jetpack DHCP.MDB TMP.MDB
net start DHCPSERVER
Note: While you stop the DHCP service, clients using DHCP to receive a TCP/IP address
will not be able to start this protocol and may hang.
Jetpack actually compacts DHCP.MDB into TMP.MDB, then deletes DHCP.MDB and
renames TMP.MDB to DHCP.MDB! Simple :-)
For more information, see Knowledge base article Q145881 at
http://support.microsoft.com/support/kb/articles/q145/8/81.asp

How can I move a DHCP database from one server to another?

A. Perform the steps below on the server that currently hosts the DHCP Server service.
Be warned that while doing this no DHCP clients will be able to start TCP/IP so this
should be done outside working hours.
1. Log on as an Administrator and stop DHCP (Start - Settings - Control
Panel - Services - Microsoft DHCP Server - Stop).
2. You also need to stop DHCP from starting again after a reboot, so start the
Services Control Panel applet, select Microsoft DHCP Server and click
Startup. From the startup choose Disabled and click OK.
3. Copy the DHCP directory tree %systemroot%\system32\DHCP to a
temporary storage area for use later.
4. Start the registry editor (regedt32.exe)
5. Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration
6. From the Registry menu, click Save Key. Create a name for this key, for
example dhcpcfg.bck
7. Close the registry editor
Optionally, if you want to remove DHCP from the source machine totally, delete the
DHCP directory (%systemroot%\system32\dhcp) and then delete the DHCP Service
(Start - Settings - Network - Services - Microsoft DHCP Server - Remove)
On the new DHCP server perform the following
1. Log on as an Administrator
2. If the server does not have the DHCP server service installed, install it (Start -
Settings - Control Panel - Network - Services - Add - DHCP Server)
3. Stop the DHCP service (Start - Settings - Control Panel - Services - Microsoft
DHCP Server - Stop).
4. Delete the contents of %systemroot%\system32\dhcp
5. Copy the backed up DHCP directory tree from the storage area to
%systemroot%\system32\dhcp, but rename the file system.mdb to system.src. You may not
have this file if you are using NT 4.0; in that case skip this step.
6. Start the registry editor (regedt32.exe)
7. Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration
and select it
8. From the Registry menu select Restore
9. Locate the file dhcpcfg.bck you saved from the original machine and click Open
10. Click Yes to the warning
11. Close the registry editor
12. Reboot the machine

How do I create a DHCP Relay Agent?

A. If you have routers separating some of your DHCP clients from the DHCP server
you may have problems if they are not RFC compliant. This can be solved by placing a
DHCP relay agent on the local network segment; the relay agent is not itself a DHCP server
but communicates on behalf of the DHCP Server. The DHCP Relay Agent must be a
Windows NT Server computer.
1. On the NT Server log on as an Administrator
2. Start the Network control panel applet (Start - Settings - Control Panel -
Network)
3. Click the Services tab and click Add
4. Select "DHCP Relay Agent" and click OK
5. Type the path of the files (e.g. d:\i386) and click OK
6. You will be asked if you wish to add IP addresses to the DHCP servers list,
click Yes
7. Click the DHCP Relay tab and click Add
8. In the DHCP Server field enter the IP address of the DHCP Server and
click Add
9. Click OK
10. Restart the computer

[January 9, 2000]
How can I backup the DHCP database?

John Savill
InstantDoc #13476
John Savill's FAQ for Windows
A. The DHCP database backs itself up automatically every 60 minutes to the
%SystemRoot%\System32\Dhcp\Backup\Jet directory. This interval can be changed:
1. Start the registry editor
2. Move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval
3. Double click on BackupInterval and set to the number of minutes you want the backup to be performed.
4. Click OK
5. Close the registry editor
6. Stop and restart the DHCP server service (Start - Settings - Control Panel - Services - DHCP Server - Stop
and Start)
You could backup the %SystemRoot%\System32\Dhcp\Backup\Jet directory if you wish.

How can I restore the DHCP database?


A. Perform one of the following:


213. When the DHCP Server service starts, if an error is detected in the
database it will automatically restore the backup version
214. Edit the registry and set
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\RestoreFlag
to 1, restart the DHCP Server service, this will restore
the backed up version and set RestoreFlag back to the default 0
215. Stop the DHCP Server service, copy the files from
%SystemRoot%\System32\Dhcp\Backup\Jet to %SystemRoot%\System32\Dhcp and then start
the DHCP Server service.

How do I reserve a specific address for a particular machine?

A. Before performing this you will need to know the hardware address of the machine,
which can be found by entering the command
ipconfig /all
Look for the line
Physical Address. . . . . . : 00-60-97-A4-20-86
Now at the DHCP server perform the following
216. Log on as an Administrator
217. Start the DHCP Server management software (Start - Programs -
Administrative Tools - DHCP Manager)
218. Double click on the DHCP server, e.g. *Local Machine*
219. Select the light bulb and from the Scope menu select "Add Reservations"
220. In the Add Reserved Clients dialog box you should enter the IP address
you wish to reserve and in the "Unique Identifier" box enter the hardware address
of the client machine (got from the ipconfig /all). Do not enter the hyphens, e.g.
006097A42086
Also enter a name for the machine (and a comment if you wish) and click Add
221. Click close when you have added all the reservations
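As an added example (not part of the original FAQ), the following Python pulls the Physical Address line out of saved `ipconfig /all` output and turns it into the separator-free form the "Unique Identifier" box expects. The ipconfig text is constructed, and `build_reservation` is a hypothetical helper that only returns a reservation record; it does not talk to a DHCP server.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . : 3Com EtherLink PCI
        Physical Address. . . . . . : 00-60-97-A4-20-86
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 200.200.200.12
        Subnet Mask . . . . . . . . : 255.255.255.0
"""

# Matches the "Physical Address. . . : xx-xx-xx-xx-xx-xx" line (hyphen or colon separated).
_PHYS_RE = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)


def physical_addresses(ipconfig_text):
    """Return every hardware (MAC) address found in ipconfig /all output."""
    return _PHYS_RE.findall(ipconfig_text)


def reservation_identifier(mac):
    """Convert '00-60-97-A4-20-86' into what DHCP Manager wants in the
    Unique Identifier box: 12 hex digits, no hyphens, upper case."""
    digits = re.sub(r"[-:\s]", "", mac).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a 48-bit hardware address: {mac!r}")
    return digits


def build_reservation(ipconfig_text, ip_address, name, comment=""):
    """Hypothetical helper: assemble the fields the Add Reserved Clients
    dialog asks for, refusing ambiguous input (more than one adapter)."""
    macs = physical_addresses(ipconfig_text)
    if len(macs) != 1:
        raise ValueError(f"expected exactly one adapter, found {len(macs)}")
    return {
        "ip": ip_address,
        "unique_id": reservation_identifier(macs[0]),
        "name": name,
        "comment": comment,
    }


if __name__ == "__main__":
    print(build_reservation(SAMPLE_IPCONFIG, "200.200.200.12", "ws01"))
```

Rejecting anything that is not exactly twelve hex digits matters because a mistyped identifier silently creates a reservation that never matches the client, and the address then looks "reserved" while the client keeps getting dynamic leases.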

What registry settings control the DHCP log in Windows 2000?

A. DHCP has always had auditing abilities; however, these abilities have been expanded
in Windows 2000 to reduce problems caused by the log files themselves. These improvements
stop log files from filling whole partitions and causing system problems.
The following values are all located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
Value Name                      Type        Description
DhcpLogFilePath                 REG_SZ      The partition and directory for the audit logs to be written to. Make sure you write the entire path
DhcpLogMinSpaceOnDisk           REG_DWORD   If free space falls below this number (in megabytes) audit logging is stopped
DhcpLogDiskSpaceCheckInterval   REG_DWORD   Number of times the audit log is written to before checking for free disk space
DhcpLogFileMaxSize              REG_DWORD   Maximum size in megabytes the logs can grow to. By default it is 7.

How do I authorize a DHCP server in Windows 2000?

A. Any user running Windows 2000 server could install the DHCP server service causing
potential problems and so Windows 2000 adds the concept of authorizing the servers with
the Active Directory before they can service client requests. If the server is not authorized
in the Active Directory then the DHCP service will not be started.
To Authorize a server perform the following:
222. Logon as a member of the Enterprise Administrators group
223. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools -
DHCP)
224. Select the DHCP root, right click and select 'Browse authorized servers'
225. A list of authorized DHCP servers will be displayed. Click Add
226. Enter the name or IP address of the DHCP server and click OK.
227. Click Close

The red arrow over the DHCP server should now change to a green one if you select
refresh (it may take a few minutes).

How do I create a DHCP scope in Windows 2000?

A. A DHCP scope is a range of addresses that can be assigned to clients and can also
optionally provide information about DNS servers, WINS etc.
DHCP scopes are configured using the DHCP MMC snap-in as follows:
228. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools -
DHCP)
229. Right click on the server and select New - Scope from the context menu
230. The scope creation wizard will be started, click Next
231. Enter a name and comment for the scope. Click Next
232. Enter the address range to use, for example from 200.200.200.1 to
200.200.200.15 (remember the host part cannot be 0). Also enter the subnet mask
as either the number of bits used or the actual mask, e.g. 24 is the same as
255.255.255.0. Click Next
233. You can specify addresses to be excluded either by range, e.g.
200.200.200.5 to 200.200.200.7 and click Add, or just enter a Start address and
click Add, e.g. 200.200.200.12 to exclude a single address. Click Next

234. You can now configure the lease time for the address. Setting too large
will mean you will lose the use of addresses if the client machine is inactive for
long periods of time, too short and you will generate unnecessary traffic renewing
the address. The default 8 days is fine. Click Next
235. The wizard gives the option to configure the most common DHCP
options. Select Yes and click Next
236. Enter the address of the gateway, and click Add. You can enter several.
Click Next when all are entered.
237. Enter the DNS domain, e.g. savilltech.com and the DNS server addresses.
Click Next

238. Enter the WINS server addresses and click Add. Click Next
239. You will then be asked if you wish to activate the scope. Select your
answer and click Next
240. Click Finish to the wizard
The new scope will now be listed and the status as either Active or Inactive.
If you selected to not activate the scope it can be manually activated by right clicking on
the scope, select 'All Tasks' and select Activate. The activation is immediate. Likewise
you can deactivate by selecting Deactivate.
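As an added example (not the snap-in's code, and not from the original FAQ), this Python models the checks the scope wizard performs on the figures above: the range must sit inside one subnet, the host part cannot be 0, the mask may be given as a prefix length or dotted form, and exclusions (a range or a single address) are removed from what the server may hand out. `Scope` is a hypothetical helper; the 200.200.200.x values are the ones used in the steps.

```python
import ipaddress


def parse_mask(mask):
    """Accept the subnet mask either as a prefix length ('24') or as a
    dotted mask ('255.255.255.0'), as the scope wizard does."""
    mask = str(mask).strip()
    if mask.isdigit():
        return int(mask)
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


class Scope:
    """Model of a DHCP scope: a start/end range inside one subnet, plus
    exclusions and a lease duration. Hypothetical helper for illustration."""

    def __init__(self, start, end, mask, lease_days=8):
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        self.prefixlen = parse_mask(mask)
        self.network = ipaddress.IPv4Network(
            f"{self.start}/{self.prefixlen}", strict=False
        )
        self.lease_days = lease_days      # the wizard's default is 8 days
        self.excluded = set()
        if self.end < self.start:
            raise ValueError("end address precedes start address")
        if self.end not in self.network:
            raise ValueError("range crosses the subnet boundary")
        # "the host part cannot be 0": the network address is never a valid
        # host, and neither is the subnet broadcast address.
        if self.start == self.network.network_address:
            raise ValueError("start address has a host part of 0")
        if self.end == self.network.broadcast_address:
            raise ValueError("end address is the subnet broadcast address")

    def exclude(self, first, last=None):
        """Exclude a range, or a single address if `last` is omitted."""
        first = ipaddress.IPv4Address(first)
        last = first if last is None else ipaddress.IPv4Address(last)
        if first < self.start or last > self.end:
            raise ValueError("exclusion lies outside the scope range")
        addr = first
        while addr <= last:
            self.excluded.add(addr)
            addr += 1
        return self

    def assignable(self):
        """Addresses the server may actually lease, in ascending order."""
        out = []
        addr = self.start
        while addr <= self.end:
            if addr not in self.excluded:
                out.append(str(addr))
            addr += 1
        return out


if __name__ == "__main__":
    scope = Scope("200.200.200.1", "200.200.200.15", "24")
    scope.exclude("200.200.200.5", "200.200.200.7").exclude("200.200.200.12")
    print(len(scope.assignable()), "assignable addresses:", scope.assignable())
```

The subnet-boundary check is the one worth keeping in mind: a range that spills past the mask produces leases clients cannot route, and the symptom looks like a network fault rather than a scope typo.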

How do I change the DHCP address lease time in Windows 2000?


A. To modify the DHCP lease duration from the normal 8 days perform the following:
241. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools -
DHCP)
242. Expand the server
243. Right click the scope whose lease time you wish to change and select
Properties
244. Select the General tab
245. At the bottom of the window you can select lease duration either
Unlimited or a finite time.
246. Click Apply then OK

My Windows 2000 DHCP client has an IP address not in any scopes, how?

A. Microsoft has tried to make Windows 2000 as easy to set up on a small network as
possible, and by default machines installed are set up to use DHCP. On a very small
network you may not have a DHCP server, and rather than the machines failing to
initialize TCP/IP Microsoft has added code so that the machines will use an address not
in use on the local network in the class B address range 169.254.x.x. This IP address
range is reserved for internal use only and so should not clash with any "real" IP
addresses on your network. The MacOS uses the same address range for its DHCP
clients when a DHCP server cannot be contacted, as does Windows 98 Second Edition.
This DHCP address allocation uses conflict detection via NetBIOS naming over DHCP so
each machine gets an IP address from the 169.254.x.x range which is not in use. The
actual address is initially chosen at random.
If any of your machines have a 169.254.x.x address it just means they could not contact a
DHCP server so check your network connectivity.
This automatic IP addressing is known as Automatic Private IP Addressing (APIPA).
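As an added example (not from the original FAQ), the following Python classifies addresses so that hosts which fell back to APIPA stand out in an inventory; a 169.254.x.x address on a client is the signal described above that it never reached a DHCP server. The inventory is constructed, and `hosts_without_dhcp` is a hypothetical helper.

```python
import ipaddress

# The link-local block APIPA draws from, as described above.
APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")


def classify(ip):
    """Say where an address came from: 'apipa' means the host gave up
    waiting for a DHCP server and picked its own 169.254.x.x address."""
    addr = ipaddress.IPv4Address(ip)
    # Test APIPA first: Python's is_private also covers 169.254/16.
    if addr in APIPA_NET:
        return "apipa"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def hosts_without_dhcp(inventory):
    """inventory: iterable of (hostname, ip) pairs, e.g. a constructed export
    of ipconfig results. Returns the hosts that never contacted DHCP."""
    return [host for host, ip in inventory if classify(ip) == "apipa"]


# Constructed inventory (not real hosts).
INVENTORY = [
    ("ws01", "200.200.200.12"),
    ("ws02", "169.254.37.21"),
    ("ws03", "192.168.0.5"),
    ("ws04", "169.254.200.3"),
]

if __name__ == "__main__":
    print("hosts that could not reach a DHCP server:", hosts_without_dhcp(INVENTORY))
```

Running this over an inventory is a cheaper first check than visiting machines: a cluster of APIPA hosts on one segment usually points at a missing relay agent or a failed DHCP service rather than at the clients.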

DFS FAQs
Q. Where is fault-tolerant (i.e., domain-based) Dfs information stored?

A. Unlike standalone Dfs roots and namespaces, which store their information in the
registry, domain-based Dfs namespaces store their information in Active Directory (AD).
The exact location in AD is the DFS-Configuration object--yes, it's one object--which is
why any change to the Dfs structure causes the entire Dfs namespace to be replicated to
all domain controllers (DCs) in the domain AD partition's System container. You can
view this object by using a tool such as ADSI Edit.

Q. How can I ensure that my mobile Dfs clients access link targets from an updated
link-target list?

A. When a client accesses a link in a Dfs hierarchy, the client obtains a list of link targets
sorted by site location (i.e., link targets in the client's local site are listed first). The client
then attempts to access the first link target on the list and, if it's successful, uses that link
target until one of the following things happens:
 The computer is restarted.
 The client cache is cleared.
 The Time To Live (TTL) on the referral expires.
If the client continues to access a link target, the TTL for the referral continues to be
reset, which means the client never checks back with the Dfs server for an updated link
target list.
Usually, if a client moves from one location to another, the user restarts the computer.
Doing so causes the client to requery the Dfs server for the list of referrals to link targets.
This list is reordered according to the client's new site location, thereby letting the client
use a link target in its new site. However, if the user puts the client computer into
hibernation instead of restarting it, the link-target list isn't updated. The client laptop
continues to use its referral cache to access data, so the TTL never expires; thus, the client
can never use a more local version of the data. It's important that mobile users shut down
their laptops when they change locations so that Dfs can function correctly.
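The behaviour just described, as an added example that is not part of the original answer: a small simulation of the client referral cache in which every access resets the TTL, so a laptop that is hibernated and resumed in another site keeps using its old target until it is either idle past the TTL or restarted (which clears the cache). `referral_server`, `ReferralCache` and the target list are all constructed for illustration.

```python
def referral_server(targets):
    """Simulates the Dfs server: for a link, return the target list sorted
    so that targets in the client's own site are listed first."""
    def referral(link, client_site):
        return sorted(targets[link], key=lambda t: t[1] != client_site)
    return referral


class ReferralCache:
    """Client-side referral cache. Every successful access resets the TTL,
    which is exactly why a continuously used referral is never refreshed."""

    def __init__(self, server, ttl):
        self.server = server
        self.ttl = ttl
        self.entries = {}            # link -> (target, expires_at)

    def access(self, link, client_site, now):
        entry = self.entries.get(link)
        if entry is not None and now < entry[1]:
            target = entry[0]                                  # cache hit
        else:
            target = self.server(link, client_site)[0][0]      # requery
        self.entries[link] = (target, now + self.ttl)          # TTL reset
        return target

    def clear(self):
        """What a restart (or an explicit cache flush) does."""
        self.entries.clear()


# Constructed targets: link -> [(UNC path, site), ...]
TARGETS = {
    "docs": [(r"\\par-fs1\docs", "Paris"), (r"\\lon-fs1\docs", "London")],
}

if __name__ == "__main__":
    cache = ReferralCache(referral_server(TARGETS), ttl=300)
    print("in London:", cache.access("docs", "London", now=0))
    print("woke up in Paris, still busy:", cache.access("docs", "Paris", now=60))
    cache.clear()
    print("after restart:", cache.access("docs", "Paris", now=61))
```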

Q. How do I enable the Dfs restricted same-site target selection option?

A. To enable the restricted same-site target selection option, you need to use the Dfsutil
tool on each root server. First, run dfsutil.exe to obtain a list of roots in the domain. For
example, to obtain a list of the roots in the domain demo.test, you'd enter the command
dfsutil /domain:demo.test /view
After you've determined the root name, you enable same-site Dfs target selection by
running the Dfsutil command with the /insite switch. The command you use should look
similar to this:
dfsutil /root:\\demo.test\shared /insite /enable
Here, the Dfs root is \\demo.test\shared. To check whether same-site Dfs target selection
was enabled successfully, run the Dfsutil command again:
dfsutil /root:\\demo.test\shared /insite /display
This command should display the message "Insite Referrals ENABLED."
To disable same-site Dfs target selection, run the second command again, but use the
/disable switch instead of the /enable switch. You must restart the Dfs service on each Dfs
root server to effect this change. Be aware that for links that point to another Dfs domain-
based namespace, the Dfsutil command ignores the /insite setting so that clients can
access links outside of their local site.

Q. What are the Dfs target-selection methods in Windows Server 2003?


A. Windows 2003 provides three options for directing Dfs clients to targets for a link:
 Default target selection: This is the default method, which randomly selects a Dfs
target in the requesting computer's local site from the available Dfs targets for the
link. If no local targets exist in the requesting site, the target-selection process
randomly chooses a target from any site in the forest, regardless of its physical
proximity to the requesting computer.
 The Windows 2003 site-identification process offers improvements over Windows
2000 Server Dfs site identification. In Win2K Server Dfs, the target-selection
process obtains the link-target site by querying the link-target server. However,
older OSs such as Windows NT Server 4.0 don't know this information, so the
target-selection process in Win2K Server can't identify a site if it includes targets
that are NT 4.0 or earlier systems. In Windows 2003, the Dfs server uses the IP
address of the target links to determine their location relative to the requesting
client, then points the client to a local link target. This method lets the target-
selection process recognize older systems (by their IP address) and include them
as potential link targets.
 Restricted same-site target selection: This option, which also exists in Win2K
Server, lets an administrator set Dfs so that clients are never directed to a Dfs
target outside of their local site. This restriction solves the problem of clients
being directed to targets that are physically far from the client, which would
require large amounts of bandwidth, but also means that if the target-selection
process can't find a local target for a link, the client can't access the data.
 Least-expensive target selection: This is a new method in Windows 2003. You can
enable this method as long as the domain controller (DC) that's acting as the
Intersite Topology Generator (ISTG) for each site containing Dfs servers is
running Windows 2003. When no link targets are available in the local site, this
method finds link targets that are "closest" in terms of site costs (i.e., the most
efficient path to a target) instead of randomly choosing a target from anywhere in
the enterprise. This method is far more bandwidth-efficient than the Default
Target Selection method.

Q. How can I check the size of a Dfs namespace?

A. You use the Dfsutil command and specify the /view switch to display the current size
of a Dfs namespace, for example
dfsutil /root:\\demo.test\shared /view
where \\demo.test\shared is the root name. After you execute the command, you'll see
messages on screen similar to these:
Domain Root with 2 Links
[Blob Size: 922 bytes]
You can estimate the size of a Dfs namespace by using the following values as guides:
 Root: approximately 300 bytes
 Each root target: approximately 150 bytes
 Each link in the root: approximately 320 bytes
 Each link target: approximately 120 bytes
Of course, comments will increase Dfs namespace size, so if disk space is a problem, try
to keep comments as short as possible.

Q. What's the maximum size of a Dfs namespace?

A. An Active Directory (AD)-integrated Dfs namespace has a maximum size of 5MB,


which is space enough for approximately 5000 links. A standalone Dfs namespace has a
supported limit of 50,000 links.
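As an added example covering both the size-estimate guides above and the namespace limits in this answer (none of it from the original FAQ), the following Python turns the per-object guide values into an estimate and checks it against the 5MB AD-integrated limit or the 50,000-link standalone limit. The figures are rough guides; the authoritative size is the blob size that `dfsutil /view` reports.

```python
# Per-object guide values quoted above (bytes).
ROOT_BYTES = 300
ROOT_TARGET_BYTES = 150
LINK_BYTES = 320
LINK_TARGET_BYTES = 120

AD_NAMESPACE_LIMIT_BYTES = 5 * 1024 * 1024   # AD-integrated namespace limit
STANDALONE_LINK_LIMIT = 50_000                # supported links, standalone root


def estimate_blob_size(root_targets, links, link_targets, comment_bytes=0):
    """Rough size of the Dfs blob from the guide values; comment_bytes is
    the total length of all comments, which the text says also count."""
    return (ROOT_BYTES
            + root_targets * ROOT_TARGET_BYTES
            + links * LINK_BYTES
            + link_targets * LINK_TARGET_BYTES
            + comment_bytes)


def check_namespace(kind, root_targets, links, link_targets, comment_bytes=0):
    """Return (estimated_bytes, ok, reason) for a 'domain' (AD-integrated)
    or 'standalone' root, applying the limit that governs that kind."""
    size = estimate_blob_size(root_targets, links, link_targets, comment_bytes)
    if kind == "domain":
        if size > AD_NAMESPACE_LIMIT_BYTES:
            return size, False, "estimate exceeds the 5MB AD namespace limit"
        return size, True, f"{AD_NAMESPACE_LIMIT_BYTES - size} bytes of headroom"
    if kind == "standalone":
        if links > STANDALONE_LINK_LIMIT:
            return size, False, "more than the 50,000 supported links"
        return size, True, "within the standalone link limit"
    raise ValueError("kind must be 'domain' or 'standalone'")


if __name__ == "__main__":
    # Constructed planning figures, not a measured namespace.
    print(check_namespace("domain", root_targets=2, links=4000, link_targets=8000))
    print(check_namespace("domain", root_targets=2, links=12000, link_targets=12000))
```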

Q. How many Dfs roots can a server that runs Windows Server 2003 or Windows
2000 Server hold?

A. There are two types of Dfs roots: standalone roots and Active Directory-integrated
roots. Both Windows 2003- and Win2K Server-based Active Directory (AD) solutions
can hold multiple Active Directory-integrated Dfs roots, meaning that AD can hold more
than one root regardless of the server version. However, each root must have one or more
targeted servers to "present" the root on behalf of the domain--a requirement that creates
some limitations.
All versions of Win2K Server can host only one root per server. Thus, if you have
multiple roots in Win2K AD, you need multiple Win2K Server Dfs servers, each of which
presents one of the roots. Windows Server 2003, Standard Edition is also limited to one
root. However, Windows Server 2003, Enterprise Edition and Windows Server 2003,
Datacenter Edition can host multiple Dfs roots with no set limit.

How does the site-costing feature differ between Windows Server 2003 Dfs and
Windows 2000 Dfs?

A. To begin, let's define site costing. A client that accesses a DFS namespace begins by
connecting DFS root targets and the client site's own link targets. If all the client site
targets are unavailable, the client attempts to randomly connect to the rest of the DFS root
targets. Giving preference to the client site's link targets is part of a process called site
costing and it exists in Windows 2003 Dfs and Win2K Dfs. This functionality is always
enabled.
Microsoft added to Windows 2003 Dfs a new feature called closest site selection that's
very similar to site costing. With closest site selection mode enabled, a client that
accesses a DFS namespace begins by trying to connect DFS root targets and the client
site's own link targets. However, if all client site targets are unavailable, the client
attempts to randomly connect to targets in the next closest site, and so on. For closest site
selection to work on link targets, Intersite Topology Generator (ISTG) must be running
on Windows 2003, and for closest site selection to work on link and root targets, all
domain controllers (DCs) must be running Windows 2003.
To enable closest site selection in Windows 2003, you must use the version of the
Dfsutil.exe command-line tool that will ship with Windows 2003. To enable closest site
selection, type
Dfsutil /Root:\\<DfsServerName>\<DfsRootName> /SiteCosting /Enable
To enable closest site selection for SYSVOL, you must create a registry key on all DCs.
To create the key, perform the following steps:
247. Start a registry editor (e.g., regedit.exe).
248. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs\Parameters registry subkey.
249. From the Edit menu, select New, DWORD Value.
250. Enter the name SiteCostedReferrals, then press Enter.
251. Double-click the new value, set it to 1 to enable closest site selection, then
click OK.
252. Close the registry editor.
253. Reboot the machine for the change to take effect.
If you move a Win2K DFS server to a new site, the Win2K server won't automatically
refresh its site-related information. You can prevent this problem by removing the DFS
server from the original site as a root target, then adding it to the new site as a root target.
Windows 2003 can migrate from one site to another without experiencing the same
problem because the OS can discover site information dynamically. Thanks to reader Atul
for providing this information.
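As an added example serving both the target-selection question above and this site-costing answer (not Microsoft's implementation, and not from the original FAQ), the following Python implements the three selection methods side by side over a constructed target list and site-cost table: default selection falls back to any site at random, restricted same-site selection returns nothing rather than leave the site, and least-expensive (closest site) selection picks the cheapest site by cost. `SITE_COSTS` and the UNC paths are constructed.

```python
import random


def _local(targets, site):
    """Targets that live in the requesting client's own site."""
    return [t for t in targets if t[1] == site]


def default_selection(targets, client_site, rng=None):
    """Random local target; if the site has none, a random target from
    anywhere in the forest, regardless of distance."""
    rng = rng or random.Random()
    pool = _local(targets, client_site) or list(targets)
    return rng.choice(pool)[0] if pool else None


def restricted_same_site(targets, client_site, rng=None):
    """The /insite option: never leave the client's site, even if that
    means the client gets no target at all."""
    rng = rng or random.Random()
    pool = _local(targets, client_site)
    return rng.choice(pool)[0] if pool else None


def least_expensive(targets, client_site, site_costs, rng=None):
    """Site costing / closest site selection: local first, otherwise the
    target in the cheapest site; ties are broken at random."""
    rng = rng or random.Random()
    if not targets:
        return None
    pool = _local(targets, client_site)
    if not pool:
        def cost(t):
            return site_costs.get(frozenset((client_site, t[1])), float("inf"))
        best = min(cost(t) for t in targets)
        pool = [t for t in targets if cost(t) == best]
    return rng.choice(pool)[0]


# Constructed link targets: (UNC path, AD site)
TARGETS = [
    (r"\\nyc-fs1\docs", "NewYork"),
    (r"\\lon-fs1\docs", "London"),
    (r"\\par-fs1\docs", "Paris"),
]

# Constructed site-link costs between the client's site and target sites.
SITE_COSTS = {
    frozenset(("Berlin", "Paris")): 100,
    frozenset(("Berlin", "London")): 200,
    frozenset(("Berlin", "NewYork")): 800,
}

if __name__ == "__main__":
    # A client in Berlin has no local target; compare what each method does.
    print("default:   ", default_selection(TARGETS, "Berlin"))
    print("restricted:", restricted_same_site(TARGETS, "Berlin"))
    print("cheapest:  ", least_expensive(TARGETS, "Berlin", SITE_COSTS))
```

The difference only shows when the local site has no target: the default method may send the Berlin client across the Atlantic, the restricted method denies access, and the cost-based method sends it to Paris.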

What is Distributed File System?


A. Distributed File System (or Dfs) is a new tool for NT server that was not completed in
time for inclusion as part of NT 4.0, but is now available for download. It basically
allows Administrators to simulate a single server share environment that actually exists
over several servers, basically a link to a share on another server that looks like a
subdirectory of the main server.
This allows a single view for all of the shares on your network, which could then simplify
your backup procedures as you would just backup the root share, and Dfs would take care
of actually gathering all the information from the other servers across the network.
You do not have to have a single tree (Dfs directory structures are called trees), but rather
could have a separate tree for different purposes, i.e. one for each department, but each
tree could have exactly the same structure (sales, info. etc).
How do I create a new folder as part of the Dfs?

A. Once Dfs is installed a new application, the Dfs Administrator, is created in the
Administrative Tools folder. This app should be used to manage Dfs. To add a new area
as part of the Dfs tree follow the procedures below:
254. Start the Dfs Administrator application (Start - Programs - Administrative
Tools - Dfs Administrator)
255. Select "Add to Dfs" from the Dfs menu
256. Enter the name of folder you want an existing share to be known as
257. Next select what it should point to, you can either type the path, or use
Browse.
258. Click Add
259. Close the Dfs Administrator

How do I create a Dfs root volume in Windows 2000?

A. Windows 2000 currently supports one Dfs root per server however this will be
expanded in future versions of the operating system/service packs.
The Distributed File System has its own DFS Microsoft Management Console (MMC) snap-in
which has a shortcut in the Administrative Tools folder.
To create a new Dfs root perform the following:
260. Start the Distributed File System MMC snap-in (Start - Programs -
Administrative Tools - Distributed File System)
261. Right click on the Distributed File System root and select ‘New Dfs
Root…’
262. The Dfs root creation wizard will be started, click Next to the introduction
screen
263. The next screen gives the option of a fault-tolerant Dfs root which uses the
Active Directory to store the information or a standalone Dfs root if the Active
Directory is not available or not wanted. Select ‘Create a domain Dfs root’ and
click Next


Select a domain to use. A list of available domains will be displayed and the
current domain will be selected as the current choice. Click Next. This screen is
not displayed if you are not creating a fault-tolerant Dfs root.
264. You will need to select a server to host the Dfs root (a domain member if
fault tolerant) and must be running the Dfs service. The current server will be
selected but can be changed by typing a domain name or click Browse. Click
Next
265. The next stage is to select a share to act as the Dfs root. A list of existing
shares will be displayed or you can select to create a new share by entering a
share name and location. Click Next

266. Each Dfs root requires a unique name and will, by default, be the name of
the share although you can change this. You can also select to add the new Dfs
root to the current console. Click Next
267. A summary screen will be displayed showing the domain, server, share
and Dfs root name. Click Finish to create the Dfs root
268. Once complete a success message will be displayed. Click OK

How can I add a replica Dfs root volume in Windows 2000?

A. If your Dfs root was created as a fault-tolerant Dfs root you may add other Dfs servers
as part of the Dfs root replica set.
To add a new Dfs root replica member perform the following:
269. Start the Distributed File System MMC snap-in (Start - Programs -
Administrative Tools - Distributed File System)
270. Right click on the root you wish to add a replica to and select ‘New Root
Replica’
271. You will be asked for a server that will host a copy of the Dfs root. Click
Next
272. As when creating the original you need to either select an existing share or
create a new folder and share. Click Finish
273. Click OK to the success confirmation
These root replicas will all contain the Dfs root information by utilizing and replicating
via the Active Directory. You can actually see the Dfs information using the Active
Directory Users and Computers snap-in, select Advanced Features view, System, Dfs.

How can I add a child node to Dfs in Windows 2000?


A. Once your Dfs root is created the next step is to populate with child nodes/leafs which
actually link to information.
To add a new Dfs child node or Dfs link as its now called perform the following:
274. Start the Distributed File System MMC snap-in (Start - Programs -
Administrative Tools - Distributed File System)
275. Right click on the root you wish to add a link to and select ‘New Dfs
Link’
276. You will need to enter a location and name for the child node, a UNC for
the destination and a comment. You can also select the amount of time clients
cache the request.
277. Click OK
Any subdirectories of the child leaf will also be published to the Dfs with the parent
directory, for example if a share, ntfaq, was added as a child node to Dfs, any
subdirectories of that share would be viewable on the Dfs tree as children of the
documents Dfs entry.

How can I add a replica child node to Dfs in Windows 2000?

A. The Windows 2000 version of Dfs allows child replica sets to be created, in which a
single Dfs leaf points to multiple shares on different servers and the File Replication
Service keeps the contents of all the shares in sync with each other. This allows fault
tolerance AND load balancing.
Members of a node replica set must:
278. All be members of the domain
279. Use NTFS 5.0
280. Must be on different servers. You cannot replicate between shares on the
same server.
To add a new Dfs child replica member perform the following:
48. Ensure an up-to-date copy of the resource to which a new replica member is to be
added is placed in the new share which will join the set
49. Start the Distributed File System MMC snap-in (Start - Programs - Administrative
Tools - Distributed File System)
50. Right click on the child node you wish to add a replica to and select ‘New
Replica’
51. You will need to enter the UNC of the new share and you have the option for
- Manual replication
- Automatic replication
‘Manual replication’ is useful if the contents are read-only documents which do
not often change. Joint replication will replicate the contents of the shares with all
members in the replica set. Click OK
52. The replication set topology dialog will be shown. Check replication has been
enabled and click OK
Multi-master replication is used except on the first replication path, where the contents of
the Primary server are copied to the other members. Any content currently in the other
shares is moved to a NtFrs-PreExisting subdirectory (but a checksum is performed and if
the files match those in the primary server's share they are moved back into the main
directory to save the network bandwidth of copying them from the Primary server).
Replication is every 15 minutes by default.
Replication is every 15 minutes by default.

Group policy FAQs

Under which user accounts do the various Group Policy scripts run?

A. Group Policy supports four main types of scripts: computer startup, computer
shutdown, user logon, and user logoff. The computer startup and shutdown scripts
execute under the local system account; user logon and logoff scripts run as the current
user account.

1. Explain hidden shares. Hidden or administrative shares are share names with a
dollar sign ($) appended to their names. Administrative shares are usually created
automatically for the root of each drive letter. They do not display in the network
browse list.
2. How do the permissions work in Windows 2000? What permissions does
folder inherit from the parent? When you combine NTFS permissions based on
users and their group memberships, the least restrictive permissions take
precedence. However, explicit Deny entries always override Allow entries.
3. Why can’t I encrypt a compressed file on Windows 2000? You can either
compress it or encrypt it, but not both.
4. If I rename an account, what must I do to make sure the renamed account
has the same permissions as the original one? Nothing, it’s all maintained
automatically.
5. What’s the most powerful group on a Windows system? Administrators.
6. What are the accessibility features in Windows 2000? StickyKeys, FilterKeys
Narrator, Magnifier, and On-Screen Keyboard.
7. Why can’t I get to the Fax Service Management console? You can only see it if
a fax had been installed.
8. What do I need to ensure before deploying an application via a Group
Policy? Make sure it’s either an MSI file, or contains a ZAP file for Group Policy.
9. How do you configure mandatory profiles? Rename ntuser.dat to ntuser.man
10. I can’t get multiple displays to work in Windows 2000. Multiple displays have
to use peripheral connection interface (PCI) or Accelerated Graphics Port (AGP)
port devices to work properly with Windows 2000.
11. What’s a maximum number of processors Win2k supports? 2
12. I had some NTFS volumes under my Windows NT installation. What
happened to NTFS after Win 2k installation? It got upgraded to NTFS 5.
13. How do you convert a drive from FAT/FAT32 to NTFS from the command
line? convert c: /fs:ntfs
14. Explain APIPA. Auto Private IP Addressing (APIPA) takes effect on Windows
2000 Professional computers if no DHCP server can be contacted. APIPA assigns
the computer an IP address within the range of 169.254.0.0 through
169.254.255.254 with a subnet mask of 255.255.0.0.
15. How does Internet Connection Sharing work on Windows 2000? Internet
Connection Sharing (ICS) uses the DHCP Allocator service to assign dynamic IP
addresses to clients on the LAN within the range of 192.168.0.2 through
192.168.0.254. In addition, the DNS Proxy service becomes enabled when you
implement ICS.
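The permission rule in question 2 above, as an added example that is not from the original list: a small Python evaluator that combines the NTFS entries applying to a user and the groups they belong to, unions the Allow entries (least restrictive wins) and then strips anything an applicable Deny entry names. `Ace`, `effective_rights` and the sample ACL are constructed for illustration and do not read a real file system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which rights, allow or deny."""
    trustee: str
    rights: frozenset
    allow: bool = True


def effective_rights(aces, user, groups):
    """Combine the ACEs that apply to the user or any of their groups.
    Allow entries are unioned, so the least restrictive combination wins;
    any applicable Deny entry removes those rights no matter how many
    Allow entries granted them."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in aces:
        if ace.trustee not in principals:
            continue                      # entry is for someone else
        (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def can(aces, user, groups, right):
    """Convenience check for a single right."""
    return right in effective_rights(aces, user, groups)


# Constructed ACL on a folder (not taken from any real system).
FOLDER_ACL = [
    Ace("Everyone", frozenset({"read"})),
    Ace("Sales", frozenset({"read", "write"})),
    Ace("Managers", frozenset({"read", "write", "delete"})),
    Ace("Contractors", frozenset({"write", "delete"}), allow=False),
]

if __name__ == "__main__":
    print("alice:", sorted(effective_rights(FOLDER_ACL, "alice", {"Everyone", "Sales"})))
    print("bob:  ", sorted(effective_rights(FOLDER_ACL, "bob", {"Everyone", "Sales", "Contractors"})))
```

The second case is the one that trips people up in audits: bob is in Sales, which allows write, yet his Contractors membership carries a Deny, and the Deny wins.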

1. Explain hidden shares. Hidden or administrative shares are share names with a
dollar sign ($) appended to their names. Administrative shares are usually created
automatically for the root of each drive letter. They do not display in the network
browse list.
2. How do the permissions work in Windows 2000? What permissions does
folder inherit from the parent? When you combine NTFS permissions based on
users and their group memberships, the least restrictive permissions take
precedence. However, explicit Deny entries always override Allow entries.
3. Why can’t I encrypt a compressed file on Windows 2000? You can either
compress it or encrypt it, but not both.
4. If I rename an account, what must I do to make sure the renamed account
has the same permissions as the original one? Nothing, it’s all maintained
automatically.
5. What’s the most powerful group on a Windows system? Administrators.
6. What are the accessibility features in Windows 2000? StickyKeys, FilterKeys
Narrator, Magnifier, and On-Screen Keyboard.
7. Why can’t I get to the Fax Service Management console? You can only see it if
a fax had been installed.
8. What do I need to ensure before deploying an application via a Group
Policy? Make sure it’s either an MSI file, or contains a ZAP file for Group Policy.
9. How do you configure mandatory profiles? Rename ntuser.dat to ntuser.man
10. I can’t get multiple displays to work in Windows 2000. Multiple displays have
to use peripheral connection interface (PCI) or Accelerated Graphics Port (AGP)
port devices to work properly with Windows 2000.
11. What’s a maximum number of processors Win2k supports? 2
12. I had some NTFS volumes under my Windows NT installation. What
happened to NTFS after Win 2k installation? It got upgraded to NTFS 5.
13. How do you convert a drive from FAT/FAT32 to NTFS from the command
line? convert c: /fs:ntfs
14. Explain APIPA. Auto Private IP Addressing (APIPA) takes effect on Windows
2000 Professional computers if no DHCP server can be contacted. APIPA assigns
the computer an IP address within the range of 169.254.0.0 through
169.254.255.254 with a subnet mask of 255.255.0.0.
15. How does Internet Connection Sharing work on Windows 2000? Internet
Connection Sharing (ICS) uses the DHCP Allocator service to assign dynamic IP
addresses to clients on the LAN within the range of 192.168.0.2 through
192.168.0.254. In addition, the DNS Proxy service becomes enabled when you
implement ICS.

140
Prepared By Ranjit Kumar Bendalam,Hyderabad,A.P, India. 141

1. Explain hidden shares. Hidden or administrative shares are share names with a
dollar sign ($) appended to their names. Administrative shares are usually created
automatically for the root of each drive letter. They do not display in the network
browse list.
2. How do the permissions work in Windows 2000? What permissions does
folder inherit from the parent? When you combine NTFS permissions based on
users and their group memberships, the least restrictive permissions take
precedence. However, explicit Deny entries always override Allow entries.
3. Why can’t I encrypt a compressed file on Windows 2000? You can either
compress it or encrypt it, but not both.
4. If I rename an account, what must I do to make sure the renamed account
has the same permissions as the original one? Nothing, it’s all maintained
automatically.
5. What’s the most powerful group on a Windows system? Administrators.
6. What are the accessibility features in Windows 2000? StickyKeys, FilterKeys,
Narrator, Magnifier, and On-Screen Keyboard.
7. Why can’t I get to the Fax Service Management console? You can only see it if
a fax has been installed.
8. What do I need to ensure before deploying an application via a Group
Policy? Make sure it’s either an MSI file, or contains a ZAP file for Group Policy.
9. How do you configure mandatory profiles? Rename ntuser.dat to ntuser.man
10. I can’t get multiple displays to work in Windows 2000. Multiple displays have
to use peripheral connection interface (PCI) or Accelerated Graphics Port (AGP)
port devices to work properly with Windows 2000.
11. What’s a maximum number of processors Win2k supports? 2
12. I had some NTFS volumes under my Windows NT installation. What
happened to NTFS after Win 2k installation? It got upgraded to NTFS 5.
13. How do you convert a drive from FAT/FAT32 to NTFS from the command
line? convert c: /fs:ntfs
14. Explain APIPA. Auto Private IP Addressing (APIPA) takes effect on Windows
2000 Professional computers if no DHCP server can be contacted. APIPA assigns
the computer an IP address within the range of 169.254.0.0 through
169.254.255.254 with a subnet mask of 255.255.0.0.
15. How does Internet Connection Sharing work on Windows 2000? Internet
Connection Sharing (ICS) uses the DHCP Allocator service to assign dynamic IP
addresses to clients on the LAN within the range of 192.168.0.2 through
192.168.0.254. In addition, the DNS Proxy service becomes enabled when you
implement ICS.
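The combination rule in item 2 (Allow entries are unioned across the user's group memberships, an explicit Deny overrides an Allow), as an added example that is not part of the original document: a small evaluator that applies exactly that rule to a constructed ACL. The rights, group names, users and ACL are made up for illustration, and the model deliberately ignores the finer ordering rules of real NTFS ACLs (inherited versus explicit entries), which the text does not discuss.

```python
from dataclasses import dataclass

# Individual NTFS rights, reduced to a handful of flags for the example.
READ, WRITE, EXECUTE, DELETE, FULL = "read", "write", "execute", "delete", "full_control"
ALL_RIGHTS = frozenset({READ, WRITE, EXECUTE, DELETE, FULL})


@dataclass(frozen=True)
class Ace:
    """One access control entry: trustee (user or group), Allow/Deny, and the rights."""
    trustee: str
    allow: bool
    rights: frozenset


def effective_rights(user, groups, acl):
    """Rights `user` effectively holds, given their group memberships and an ACL.

    Step 1: union the rights of every Allow entry that names the user or one of
            their groups (the least restrictive Allow wins).
    Step 2: subtract the rights of every matching Deny entry afterwards, so an
            explicit Deny always overrides an Allow.
    """
    principals = {user} | set(groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    # Full Control implies every other right, on both the Allow and the Deny side.
    if FULL in allowed:
        allowed |= ALL_RIGHTS
    if FULL in denied:
        denied |= ALL_RIGHTS
    return frozenset(allowed - denied)


# Constructed ACL for a hypothetical shared folder (not taken from the document).
FOLDER_ACL = [
    Ace("Users", True, frozenset({READ, EXECUTE})),
    Ace("Engineers", True, frozenset({WRITE, DELETE})),
    Ace("Contractors", False, frozenset({DELETE})),   # explicit Deny
    Ace("Admins", True, frozenset({FULL})),
]

# Constructed group memberships.
MEMBERS = {
    "alice": {"Users", "Engineers"},
    "bob": {"Users", "Engineers", "Contractors"},   # Deny on DELETE wins for bob
    "carol": {"Users"},
    "dave": {"Users", "Admins"},
}


def report():
    """Return {user: sorted list of effective rights} for every constructed user."""
    return {u: sorted(effective_rights(u, g, FOLDER_ACL)) for u, g in MEMBERS.items()}


if __name__ == "__main__":
    for user, rights in report().items():
        print(f"{user:6} -> {', '.join(rights) or '(no access)'}")
```

Running it shows bob, who gains WRITE and DELETE through Engineers, ending up without DELETE because the Contractors Deny entry is subtracted last; that is the behaviour the answer describes.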

ACTIVE DIRECTORY ADMINISTRATION TIPS


Where does your client's security policy actually come from?
Gary Olsen
07.18.2005

Did you know that it is possible for your clients to get domain-enforced security settings that are completely
different from what you have defined in your domain policy?

The application of Group Policy is, for the most part, pretty straightforward.
Computer settings apply to computers, and user settings
apply to users, right? Well, actually, clients do not get their account
security policy directly from the domain policy; it comes from the
domain controller's local policy. I've found few administrators who
understand this principle, yet it is crucial in the design of a company's
security policy and for troubleshooting security issues such as
password requirements and account lockout.

Let's see how it works.

Basics
There are a few basic principles we need to remember.

1. Account security settings are only applied from policy at the domain level. Microsoft recommends
you put these security settings in the default domain policy. It is possible to put account security
settings in multiple policies at the domain level, and they will be processed according to normal
Group Policy Object (GPO) priority using the "last writer wins" rule. However, having conflicting
settings in multiple policies doesn't make sense and creates problems when troubleshooting. It is
therefore a good idea to apply security just to a single GPO whether that is the default domain
policy or a special purpose GPO, called something like "Domain Security Policy."
2. It is possible to define security in GPOs applied to organizational units (OUs), but they will only
apply to the local security policy of clients that are members of the domain. When a user logs in to
the domain, he or she will get the security settings from the domain policy -- not the local policy
(see #3).
3. Domain controllers provide security settings to domain users at logon time. This is a critical (and
confusing) concept. The user's machine doesn't pull the security settings from the GPO at startup
as it does for other machine settings. The client gets the security settings when the user is
validated.
4. The security settings that domain controllers apply to clients upon a successful user logon are
those that are stored in the DC's local secedit.sdb security database.
5. The DC gets the Account Security settings from the domain policy and applies them to its local
.sdb. Note that this applies only to the account security settings, not to any other policy setting.
6. DCs replicate their local .sdb with each other. (Honest!)

What does all this mean?


The easiest way to demonstrate this is to point out what happens if
you choose to block inheritance at the Domain Controllers OU, which
some organizations do. If you block inheritance, your Account Policy
settings will not get to the DC's secedit.sdb (see #1 and #5 above)
and, thus, will not be applied to the client (see #3 above).
For example, suppose you had defined a password length of 8
characters in the default domain policy prior to blocking inheritance --
so the DCs have that value defined in their local secedit.sdb. Then you
set the Block Inheritance option at the Domain Controllers OU. Later
you have a corporate mandate to change the password minimum
length to 10.
Here's what will happen if you set the Block Inheritance option on the
Domain Controllers OU as just described:
First, log on to a client with a domain account and reset the password
to an 8-character password. It works, but it shouldn't because the
policy says 10 -- right? Run gpresult /v (assuming the client is XP) and
the password length will be 10. Table 1 shows this graphically,
assuming the user logged on with a domain account, along with other
Account Policy settings.

Setting            Domain policy value   DC secedit.sdb value   Local policy setting   Effective setting for the user
Password length    10                    8                      10                     8
Password history   24                    5                      24                     5

Table 1. These are the effective settings when users log on
with a domain account when Block Inheritance has been
enabled on the Domain Controllers OU.
Note: In Windows 2000 Pro, the local security policy GUI had a column
called "Effective Settings." This is not shown in XP. The term "Effective
Settings" used here refers to the actual settings that will affect the
user, depending on whether the person logs in as a local user or a
domain user.
From this table, you can see that if the user logs on with a domain
account, he or she will get the policy from the DC that is stored in the
DC's secedit.sdb.
Table 2 shows what users experience if they log on to a local account.

Setting            Domain policy value   DC secedit.sdb value   Local policy setting   Effective setting for the user
Password length    10                    8                      10                     10
Password history   24                    5                      24                     24

Table 2. These are the effective settings when users log on
with a local account when Block Inheritance has been enabled
on the Domain Controllers OU.
You can see that this is very confusing. For all intents and purposes it
appears that the client gets the domain policy values but the effective
setting is different. When logged into a local user account, the user
gets the local security policy, which is populated with the domain
policy settings imposed on the client. However, when logged into the
domain account, the user gets the settings that the DC has in its
secedit.sdb. The DC's secedit.sdb has the last settings it received from
the domain policy before the Block Inheritance option was enabled.
When Block Inheritance is enabled, the new settings -- defined in the
domain policy -- cannot be populated to the DCs. Thus, when the client
contacts the DC, it gets the settings the DC knows about, which are
different from what the actual policy specifies.
Why do it?
So, if blocking inheritance at the Domain Controllers OU causes such
mayhem, why do it? Many companies deploy a number of GPOs at the
domain level for such things as desktop lockdown. Obviously, you
don't want to apply lockdown policies to DCs. Enabling Block
Inheritance at the Domain Controllers OU prevents miscellaneous
settings from applying to domain controllers. There are better designs
that would prevent this, such as putting the lockdown policies in OUs,
but in some cases Block Inheritance is a good option.
How to make it work
You have to block inheritance on the Domain Controllers OU, but that
messes up the security policy. So, how do we make it all work
together? Here are your options:
• Set the No Override option on the GPO where the security settings are defined. This will force the
account settings to the Domain Controllers OU in spite of the Block Inheritance setting.
OR
• On a DC, define the local security settings so the account policies are what you want for the
domain. It seems that the DCs will replicate this among themselves. I don't know if it is safe to
assume this always happens, so I always check the other DC's secedit.sdb to make sure the
change is made.
OR
• Use security filtering so lockdown policies don't apply to DCs.

For my money, setting the No Override option is easiest, but remember that it will also enforce other policy
settings defined in that GPO. Therefore, I would recommend the following:
• Define a single-purpose GPO called Account Security Policy.
• Configure the Account Security settings (Password, Account Lockout, Kerberos) as desired.
• Enable the No Override option on the Account Security Policy GPO.

What about Kerberos settings?


Just as the password length was set (from an actual client case I
worked on), the same principle applies to all Account Policy settings --
Password, Account Lockout and Kerberos. For instance, in another case
the administrator had somehow set the Kerberos "Maximum Tolerance
for Computer Clock Synchronization" setting to "Not Defined" (default
is 5 minutes), which applied it to the DC. Then they blocked inheritance
on the Domain Controllers OU. That setting defines the time skew
allowed between clients for Kerberos to successfully authenticate (the
default being 5 minutes). I don't know why they set it to "Not Defined."
When set to Not Defined, the skew is zero (0), thus authentication
would always fail because the clocks between the client and DC would
never perfectly match. In addition to failed client logons, replication
failed as well. The company chose to modify the DC's secedit.sdb and
set the time skew to five minutes rather than setting No Override on
the domain security policy, and it fixed the problem.
Note that Kerberos settings can only be defined at the domain level.
Look in the Default Domain Controller Policy, and you won't see the
settings.
Conclusion
If you never block inheritance on the Domain Controllers OU, you won't
ever see this problem. Nevertheless, it is good to understand this
situation so you'll know how the security policy gets applied and are
ready for such a situation. If you are ever presented with an edict from
"up above" to block inheritance on this OU, you will be prepared to
explain the ramifications rather than calling support when users
complain that they can't log on.
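The six principles, Tables 1 and 2, and the Block Inheritance / No Override options above, as an added model that is not part of the article: it encodes the rules in a few lines of Python, reproduces the two tables, and shows that enforcing the GPO (No Override) or not blocking inheritance makes the DC's secedit.sdb match the domain policy again. The class and function names are the example's own, the setting values are the ones from the article's scenario, and it models only the account-settings path the article describes, not Group Policy processing in general.

```python
"""Model of how account security settings reach clients (added example)."""


class DomainController:
    def __init__(self):
        # secedit.sdb: the account settings the DC last received from the domain policy.
        self.secedit = {}

    def apply_domain_policy(self, gpo, block_inheritance):
        """Refresh secedit.sdb from the domain GPO, unless Block Inheritance on the
        Domain Controllers OU stops it and the GPO is not set to No Override."""
        if block_inheritance and not gpo["no_override"]:
            return  # the DC keeps whatever values it last received
        self.secedit.update(gpo["account_settings"])


class Client:
    def __init__(self):
        self.local_policy = {}

    def refresh_policy(self, gpo):
        """Domain members always receive the domain policy into their local security policy."""
        self.local_policy.update(gpo["account_settings"])

    def effective_settings(self, dc, domain_logon):
        """Domain logon: values come from the DC's secedit.sdb; local logon: local policy."""
        return dict(dc.secedit) if domain_logon else dict(self.local_policy)


def drift(dc, gpo):
    """Settings whose value in the DC's secedit.sdb differs from the domain policy,
    as {setting: (dc_value, policy_value)}. Empty means the DC is in sync."""
    return {k: (dc.secedit.get(k), v)
            for k, v in gpo["account_settings"].items() if dc.secedit.get(k) != v}


def scenario(block_inheritance, no_override):
    """Replay the article's case: policy starts at 8 characters / 5 remembered passwords,
    Block Inheritance is (optionally) set, then the mandate raises it to 10 / 24."""
    dc, client = DomainController(), Client()
    gpo = {"account_settings": {"password_length": 8, "password_history": 5},
           "no_override": no_override}
    # Original policy reaches everyone before anybody blocks inheritance.
    dc.apply_domain_policy(gpo, block_inheritance=False)
    client.refresh_policy(gpo)
    # Corporate mandate changes the domain GPO after Block Inheritance is in place.
    gpo["account_settings"] = {"password_length": 10, "password_history": 24}
    dc.apply_domain_policy(gpo, block_inheritance=block_inheritance)
    client.refresh_policy(gpo)
    return {
        "domain_logon": client.effective_settings(dc, domain_logon=True),
        "local_logon": client.effective_settings(dc, domain_logon=False),
        "dc_drift": drift(dc, gpo),
    }


if __name__ == "__main__":
    for blocked, enforced in ((True, False), (True, True), (False, False)):
        result = scenario(block_inheritance=blocked, no_override=enforced)
        print(f"block_inheritance={blocked} no_override={enforced}: {result}")
```

With Block Inheritance set and no No Override, the model returns 8 / 5 for a domain logon and 10 / 24 for a local logon, which are the effective columns of Tables 1 and 2; the `dc_drift` entry is the comparison a practitioner would make between a DC's exported local policy and the domain GPO.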


Questions prepared by Laxman

1. What are the different types of fiber connectors, and how are they useful?

Connector   Insertion Loss                         Repeatability                          Fiber Type   Applications
FC          0.50-1.00 dB                           0.20 dB                                SM, MM       Datacom, Telecommunications
FDDI        0.20-0.70 dB                           0.20 dB                                SM, MM       Fiber Optic Network
LC          0.15 dB (SM), 0.10 dB (MM)             0.2 dB                                 SM, MM       High Density Interconnection
MT Array    0.30-1.00 dB                           0.25 dB                                SM, MM       High Density Interconnection
SC          0.20-0.45 dB                           0.10 dB                                SM, MM       Datacom
SC Duplex   0.20-0.45 dB                           0.10 dB                                SM, MM       Datacom
ST          Typ. 0.40 dB (SM), Typ. 0.50 dB (MM)   Typ. 0.40 dB (SM), Typ. 0.20 dB (MM)   SM, MM       Inter-/Intra-Building, Security, Navy

2. What is the difference between single-mode and multimode fiber? (It is not a
physical difference; you need to justify your answer in terms of signal passing
and transceivers.)

A. Multimode fiber has a relatively large light-carrying core, usually 62.5 microns or larger
in diameter. It is usually used for short-distance transmissions with LED-based fiber optic
equipment. Single-mode fiber has a small light-carrying core of 8 to 10 microns in
diameter. It is normally used for long-distance transmissions with laser-diode-based fiber
optic transmission equipment.

What is the maximum distance fiber optic transmitters can operate at?

It depends on which LuxLink™ model you purchase. Normal transmission
distances can vary from a fraction of a mile to 40 miles (60 kilometers) or more.
The maximum transmission distance depends on the output optical power of the
transmitter, the optical wavelength utilized, the quality of the fiber optic cable and
the sensitivity of the optical receiver. In general, single-mode based systems
operate over longer distances than multimode systems. The approximate
transmission distances for LuxLink™ systems are indicated in the table
below.

No.   Wavelength   Fiber Type    Connector   Transmission Distance covered**
-1    850 nm       multimode     ST          up to 2 miles (3 Km)
-3    1310 nm      multimode     ST          up to 6 miles (10 Km)
-7    1310 nm      single-mode   FCPC        up to 20 miles (30 Km)
-8*   1310 nm      single-mode   ST          up to 20 miles (30 Km)
-9    1550 nm      single-mode   FCPC        up to 40 miles (60 Km)

3. What is the technical difference between Cat5, Cat5e and Cat6? (Not length and capacity;
it should be in terms of the frequency range each operates at, attenuation, etc.)
Category 5, 5E, 6 and 7 Performance Specification Chart

Parameter                   Category 5 and Class D with          Category 5E    Proposed Category 6 Class E    Category 7 Class F
                            additional requirements TSB95        ('568-A-5)     (performance at 250 MHz        (performance at 600 MHz
                            and FDAM 2                                          shown in parentheses)          shown in parentheses)
Specified frequency range   1-100 MHz                            1-100 MHz      1-250 MHz                      1-600 MHz
Attenuation                 24 dB                                24 dB          21.7 dB (36 dB)                20.8 dB (54.1 dB)
NEXT                        27.1 dB                              30.1 dB        39.9 dB (33.1 dB)              62.1 dB (51 dB)
Power-sum NEXT              N/A*                                 27.1 dB        37.1 dB (30.2 dB)              59.1 dB (48 dB)
ACR                         3.1 dB                               6.1 dB         18.2 dB (-2.9 dB)              41.3 dB (-3.1 dB)**
Power-sum ACR               N/A                                  3.1 dB         15.4 dB (-5.8 dB)              38.3 dB (-6.1 dB)**
ELFEXT                      17 dB (new requirement)              17.4 dB        23.2 dB (15.3 dB)              ffs***
Power-sum ELFEXT            14.4 dB (new requirement)            14.4 dB        20.2 dB (12.3 dB)              ffs***
Return loss                 8 dB* (new requirement)              10 dB          12 dB (8 dB)                   14.1 dB (8.7 dB)
Propagation delay           548 nsec                             548 nsec       548 nsec (546 nsec)            504 nsec (501 nsec)
Delay skew                  50 nsec                              50 nsec        50 nsec                        20 nsec

Can you tell me the difference between Cat5, 5E & Cat 6?

Cat 5e and Cat 6 are now here as ratified standards. Cat5 and Cat5e systems both
have bandwidth capabilities of 100 MHz. However, additional parameters are tested on
Cat5e systems to ensure they can support transmissions up to Gigabit Ethernet using
all four pairs of the cable. Traditionally, network systems, with few notable
exceptions, have been carried on only two of the available pairs.

Cat6 systems have a bandwidth of 200 MHz (characteristics are defined to 250 MHz).
The improved performance of a Cat6 system could support Gigabit Ethernet
transmission using only 2 pairs of the cable. This is likely to make Gigabit
interfaces cheaper when running on Cat6 systems, although the cost of Gigabit
Ethernet interfaces to run on Cat5e has already reduced considerably.

5. Justify why three hard disks are required for RAID 5.


RAID Concept

RAID (Redundant Array of Independent Disks) is an acronym first used in 1988. RAID boxes
provide the user a way to access multiple individual hard disks as if they were one larger disk,
spreading data access out over the multiple disks, which reduces the risk of losing all data if one
drive fails. This process improves disk access time.

In simpler terms, a RAID unit with eight bays, populated with 200GB disks, can appear to a
server as a single 1.6TB disk, or can be configured to recover data if a disk goes bad.

NAS Concept

NAS (Network Attached Storage) also provides mass data storage, but interfaces to a network
utilizing an IP address and an Ethernet interface. While NAS units can utilize RAID technology,
including data redundancy, they are not RAID devices. NAS units often contain an internal O/S
element which allows network interaction.

Why use RAID?

Typically RAID is used in large file servers and transaction or application servers, where data
accessibility is critical and fault tolerance is required. Nowadays, RAID is also being used in
desktop systems for CAD, multimedia editing and playback, where higher transfer rates are
needed.

RAID Levels

RAID 0: Also known as "Disk Striping", this is technically not a RAID level since it provides no
fault tolerance. Data is written in blocks across multiple drives, so one drive can be writing or
reading a block while the next is seeking the next block.

The advantages of striping are the higher access rate, and full utilization of the array capacity.
The disadvantage is there is no fault tolerance - if one drive fails, the entire contents of the
array become inaccessible.

RAID 1: Known as "Disk Mirroring", this level provides redundancy by writing twice - once to each drive.
If one drive fails, the other contains an exact duplicate of the data and the RAID can switch to
using the mirror drive with no lapse in user accessibility. The disadvantages of mirroring are no
improvement in data access speed, and higher cost, since twice the number of drives is
required. However, it provides the best protection of data since the array management software
will simply direct all application requests to the surviving disk members when a member disk
fails.


RAID 3: RAID level 3 stripes data across multiple drives, with an additional drive dedicated to
parity, for error correction/recovery.

RAID 5: RAID level 5 is the most popular configuration, providing striping as well as parity for
error recovery. In RAID 5, the parity block is distributed among the drives of the array, giving a
more balanced access load across the drives. The parity information is used to recover data if
one drive fails, and is the reason this method is the most popular. The disadvantage is a
relatively slow write cycle (2 reads and 2 writes are required for each block written). The array
capacity is N-1, with a minimum of 3 drives required.


RAID 0+1: This is striping and mirroring combined, without parity. The advantages are fast
data access (like RAID 0), and single-drive fault tolerance (like RAID 1). RAID 0+1 still
requires twice the number of disks (like RAID 1).

RAID    Common Name                  Description                                    Array's      Data          Data Transfer     Minimum Drives
Level                                                                               Capacity     Reliability   Capacity          Required
0       Disk striping                Data distributed across the disks in the       (N) disks    Low           Very High         2
                                     array. No redundant information provided.
1       Disk mirroring               All data duplicated.                           1* disks     Very High     High              2
3       Parallel transfer disks      Data sector is subdivided and distributed      (N-1) disks  Very High     Highest of all    3
        with parity                  across all data disks. Redundant                                          listed
                                     information stored on a dedicated parity                                  alternatives
                                     disk.
5       Independent access array     Data sectors are distributed as with disk      (N-1) disks  Very High     Very High         3
        without rotating parity      striping; redundant information is
                                     interspersed with user data.
0+1     Disk-Striping +              Combined striping and mirroring function       (N/2) disks  Very High     High              4
        Disk-Mirroring               without parity. Fast data access and
                                     single-drive fault tolerance.

6. How do you troubleshoot problems related to Group Policies?

7. What is the reason for using layer 3 switches or high-end switches as core
switches? Why can't we use a distribution-layer switch or access-layer switch in that
location?
8. What is the use of NAT?
9. If a network has 172.*.*.* IP addresses and is getting connected to the Internet, what additional
parameters need to be added at the router?
10. Why can't we rebuild the data if 2 out of 3 hard disks fail in a RAID 5
volume?
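A worked example of the RAID 5 mechanism described in the RAID Levels section and of question 10 (why two failures out of three cannot be rebuilt), added here and not part of the original text: a toy array of three disks with rotating parity, a one-disk rebuild by XOR, and the refusal to rebuild two failures. The block size, the data and the parity rotation formula are constructed for the example; a real controller works on much larger blocks and also implements the read-modify-write of parity on each write that the text mentions.

```python
"""RAID 5 striping with distributed parity (added example, constructed data)."""

BLOCK = 4  # bytes per block; tiny so that the arrays stay readable


def xor_blocks(*blocks):
    """XOR any number of equal-length blocks together (parity = XOR of the data blocks)."""
    out = bytes(BLOCK)
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def parity_disk_for(stripe_no, ndisks):
    """Which disk holds the parity block of a stripe; rotates so no disk is a parity bottleneck."""
    return (ndisks - 1 - stripe_no) % ndisks


def build_array(data, ndisks=3):
    """Lay `data` out across `ndisks` disks: each stripe has ndisks-1 data blocks
    plus one parity block, so usable capacity is N-1 disks (the point of the text)."""
    per_stripe = ndisks - 1
    padded = data + bytes(-len(data) % (BLOCK * per_stripe))
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    disks = [[] for _ in range(ndisks)]
    for s in range(0, len(blocks), per_stripe):
        chunk = blocks[s:s + per_stripe]
        parity_disk = parity_disk_for(s // per_stripe, ndisks)
        it = iter(chunk)
        for d in range(ndisks):
            disks[d].append(xor_blocks(*chunk) if d == parity_disk else next(it))
    return disks


def rebuild(disks, failed):
    """Reconstruct the failed disk from the survivors and return the repaired disk list.
    Returns None when more than one disk failed: each stripe gives one XOR equation,
    which can solve for only one unknown block (question 10)."""
    if len(failed) != 1:
        return None
    (f,) = failed
    survivors = [d for i, d in enumerate(disks) if i != f]
    # In every stripe the missing block (data or parity) is the XOR of all the others.
    rebuilt = [xor_blocks(*stripe) for stripe in zip(*survivors)]
    return [rebuilt if i == f else d for i, d in enumerate(disks)]


def read_back(disks, nbytes):
    """Reassemble the user data in stripe order, skipping each stripe's parity block."""
    ndisks = len(disks)
    out = b""
    for stripe_no, stripe in enumerate(zip(*disks)):
        parity_disk = parity_disk_for(stripe_no, ndisks)
        out += b"".join(b for d, b in enumerate(stripe) if d != parity_disk)
    return out[:nbytes]


if __name__ == "__main__":
    data = b"The quick brown fox jumps"   # constructed payload
    disks = build_array(data)
    degraded = [None if i == 1 else d for i, d in enumerate(disks)]   # disk 1 lost
    print("one failure, rebuilt:", read_back(rebuild(degraded, [1]), len(data)))
    print("two failures:", rebuild([None, None, disks[2]], [0, 1]))  # None
```

Losing any one of the three disks leaves two known blocks per stripe, so the third is recoverable; losing two leaves two unknowns per equation, which is why a second failure during a RAID 5 rebuild is the classic data-loss case and why the array needs at least three members (two data plus parity) to offer any redundancy at all.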

13. What is the time interval at which ADS replicates, and can we change it?

14. Why can't we keep both the Global Catalog and the Infrastructure Master on the same
server?
The Infrastructure Master should not be on the same server that acts as a Global
Catalog server.
The reason for this is that the Global Catalog contains information about every object in
the forest. When the Infrastructure Master, which is responsible for updating Active
Directory information about cross-domain object changes, needs information about
objects not in its domain, it contacts the Global Catalog server for this information.
If they both reside on the same server, then the Infrastructure Master will never
think there are changes to objects that reside in other domains because the Global
Catalog will keep it constantly updated. This would result in the Infrastructure Master
never replicating changes to other domain controllers in its domain.
Note: In a single-domain environment this is not an issue.

19. Types of backup and their differences


Part 3: Choosing a Backup Type

When backing up your Windows XP/2000 computer with the Backup
Utility, you have several options for what type of backup to perform.
In fact, these are common options in nearly any backup software.
Three of the choices are the most common types of backup: Normal
(usually referred to as "Full"), Differential, and Incremental. Windows
Backup also provides two other choices: Daily, and Copy.

In order to fully understand how these backup types differ, it is
necessary to know something about file "attributes." Attributes are
settings, sometimes called "bits" or "flags," that each file on your
system has. The concept of file attributes dates all the way back to the
earliest DOS days, and attributes are still used to mark files today.
There are many attributes that can be set on a file, but the most
commonly used attributes are ones such as
• R - marking the file as read only
• S - marking the file as a system/secret file
• H - marking the file as hidden
• A - marking the file as ready for archiving
These attributes can be viewed by viewing the properties of a file, or
by showing the Attributes column in Windows Explorer. To show this
column, simply right-click an existing column heading in an Explorer
window and choose the Attributes heading.
When a file is changed in any way - even just renamed - the "A"
attribute is set, or "turned on." This indicates that the file has changed
since the last time it was backed up. During a normal backup, this
attribute will be "turned off." That is how this attribute is used for the
other types of backup, described below:
Normal Backup
During a Normal type of backup, every file on the system is backed
up, and the Archive bit is turned off. Actually, there are certain files
that are not backed up, as specified in the Registry (see this Tip-of-
the-Day for more information). This backup takes the longest to
perform, but is the most complete type of backup, and the easiest to
restore from. In order to do a full system restore, you would first
install the Windows XP/2000 operating system, then restore the files
from the latest Normal (full) backup.
Incremental Backup
During an Incremental type of backup, only files that have the Archive
bit turned on are backed up. In other words, only files that have been
changed since the last backup will be backed up. After being backed
up, the Archive bit will be turned off on each file. This type of backup
is usually the quickest, since the number of files that change on a
system are generally a small percentage. It can be the longest backup
type to restore from, however. In order to do a full system restore,
you would first install the Windows XP/2000 operating system, then
restore the files from each Incremental backup that was performed, in
order (that's important), starting with the files from the most recent
Normal backup, if one was performed. For this reason, Incremental
backups are generally used only in conjunction with Normal backups.
Differential Backup
A Differential backup type is similar to Incremental, in that it backs up
only files that have the Archive bit turned on. It differs in that after
backing files up, it leaves the Archive bit alone, and does not turn it
off. This means that files that have been changed will be backed up
during each Differential backup until either a Normal or Incremental
backup is performed to turn the Archive bit off. This backup takes the
same or somewhat longer than an Incremental backup, but is much
easier to restore from. In order to do a full system restore, you would
first install the Windows XP/2000 operating system, then restore the
files from only the most recent Differential backup. If a Normal backup
was performed, you would restore the files from that backup, and then
restore from the most recent Differential backup.
Daily
The Daily backup type is sort of a Differential off-shoot. In this
backup type, only files that were changed (have the archive bit on),
during the current day are backed up, and the Archive bit is left
unchanged. This backup type is generally not used as part of a
recovery program, because in order to do a full system restore, you
would have to have a Normal backup, and then a Daily backup from
each and every day since the Normal backup.
Copy
A Copy type of backup is similar to a Normal backup, except that it
leaves the Archive bit unchanged. This backup type can be used to
back up any selected files, regardless of whether or not the Archive bit
is turned on, and will leave the Archive bit the same as before the
backup. This is most commonly used between Normal and Incremental
backups.
These different backup types can be used with a custom backup
regimen or schedule to fit your time and storage capacity needs and
limitations.
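The five backup types described above, as an added example that is not part of the original text: a simulation of the archive bit over one constructed working week, followed by a function that derives which backups a full restore must replay. The file names, dates and change pattern are constructed, and the restore rule is the one the text gives (latest Normal, then every later Incremental in order, or only the latest Differential; Daily and Copy are not part of the chain).

```python
"""Windows Backup types and the archive ("A") bit (added example, constructed data)."""
from datetime import date


class File:
    def __init__(self, name, modified):
        self.name = name
        self.modified = modified   # date of last change
        self.archive = True        # a freshly created or changed file has A set

    def change(self, on):
        self.modified = on
        self.archive = True


def backup(files, kind, today):
    """Run one backup of `kind` over `files`; return the set of file names written.
    Normal and Copy take everything; Incremental and Differential take files with A set;
    Daily takes files with A set that changed today. Only Normal and Incremental clear A."""
    if kind in ("normal", "copy"):
        selected = list(files)
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]
    elif kind == "daily":
        selected = [f for f in files if f.archive and f.modified == today]
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind in ("normal", "incremental"):
        for f in selected:
            f.archive = False
    return {f.name for f in selected}


def restore_chain(history):
    """Given [(kind, names), ...] in chronological order, return the backups a full
    restore must replay: the latest Normal, then every later Incremental in order,
    then the latest Differential taken after the last Incremental (if any)."""
    normals = [i for i, (k, _) in enumerate(history) if k == "normal"]
    start = normals[-1] if normals else -1
    chain = [history[start]] if normals else []
    later = history[start + 1:]
    inc_positions = [i for i, (k, _) in enumerate(later) if k == "incremental"]
    chain.extend(later[i] for i in inc_positions)
    after_last_inc = later[inc_positions[-1] + 1:] if inc_positions else later
    diffs = [h for h in after_last_inc if h[0] == "differential"]
    if diffs:
        chain.append(diffs[-1])
    return chain


def simulate_week(kind):
    """Normal backup on Monday, then `kind` Tuesday to Friday, with constructed changes:
    a.txt changes Tuesday and Friday, b.txt changes Wednesday, nothing on Thursday."""
    mon, tue, wed, thu, fri = (date(2024, 1, d) for d in range(1, 6))  # 2024-01-01 is a Monday
    files = [File("a.txt", mon), File("b.txt", mon), File("c.txt", mon)]
    history = [("normal", backup(files, "normal", mon))]
    files[0].change(tue); history.append((kind, backup(files, kind, tue)))
    files[1].change(wed); history.append((kind, backup(files, kind, wed)))
    history.append((kind, backup(files, kind, thu)))
    files[0].change(fri); history.append((kind, backup(files, kind, fri)))
    return history


if __name__ == "__main__":
    for kind in ("incremental", "differential", "daily", "copy"):
        hist = simulate_week(kind)
        print(kind, [sorted(n) for _, n in hist], "restore:", len(restore_chain(hist)), "sets")
```

The Incremental week captures a.txt on Tuesday, b.txt on Wednesday, nothing on Thursday and a.txt again on Friday, and the restore needs all five sets in order; the Differential week captures a growing set and the restore needs only Monday's Normal plus Friday's Differential, which is the trade-off the text describes.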

20. explain about FSMO roles

There are five different FSMO roles and they each play a different function in making Active
Directory work:
• PDC Emulator - This role is the most heavily used of all FSMO roles and has the widest
range of functions. The domain controller that holds the PDC Emulator role is crucial in a
mixed environment where Windows NT 4.0 BDCs are still present. This is because the PDC
Emulator role emulates the functions of a Windows NT 4.0 PDC. But even if you've
migrated all your Windows NT 4.0 domain controllers to Windows 2000 or Windows Server
2003, the domain controller that holds the PDC Emulator role still has a lot to do. For
example, the PDC Emulator is the root time server for synchronizing the clocks of all
Windows computers in your forest. It's critically important that computer clocks are
synchronized across your forest because if they're out by too much then Kerberos
authentication can fail and users won't be able to log on to the network. Another function
of the PDC Emulator is that it is the domain controller to which all changes to Group Policy
are initially made. For example, if you create a new Group Policy Object (GPO) then this is
first created in the directory database and within the SYSVOL share on the PDC Emulator,
and from there the GPO is replicated to all other domain controllers in the domain. Finally,
all password changes and account lockout issues are handled by the PDC Emulator to
ensure that password changes are replicated properly and account lockout policy is


effective. So even though the PDC Emulator emulates an NT PDC (which is why this role is
called PDC Emulator), it also does a whole lot of other stuff. In fact, the PDC Emulator role
is the most heavily utilized FSMO role so you should make sure that the domain controller
that holds this role has sufficiently beefy hardware to handle the load. Similarly, if the PDC
Emulator role fails then it can potentially cause the most problems, so the hardware it runs
on should be fault tolerant and reliable. Finally, every domain has its own PDC Emulator
role, so if you have N domains in your forest then you will have N domain controllers with
the PDC Emulator role as well.
• RID Master - This is another domain-specific FSMO role, that is, every domain in your
forest has exactly one domain controller holding the RID Master role. The purpose of this
role is to replenish the pool of unused relative IDs (RIDs) for the domain and prevent this
pool from becoming exhausted. RIDs are used up whenever you create a new security
principal (user or computer account) because the SID for the new security principal is
constructed by combining the domain SID with a unique RID taken from the pool. So if you
run out of RIDs, you won't be able to create any new user or computer accounts, and to
prevent this from happening the RID Master monitors the RID pool and generates new
RIDs to replenish it when it falls beneath a certain level.
• Infrastructure Master - This is another domain-specific role and its purpose is to ensure
that cross-domain object references are correctly handled. For example, if you add a user
from one domain to a security group from a different domain, the Infrastructure Master
makes sure this is done properly. As you can guess however, if your Active Directory
deployment has only a single domain, then the Infrastructure Master role does no work at
all, and even in a multi-domain environment it is rarely used except when complex user
administration tasks are performed, so the machine holding this role doesn't need to have
much horsepower at all.
• Schema Master - While the first three FSMO roles described above are domain-specific,
the Schema Master role and the one following are forest-specific and are found only in the
forest root domain (the first domain you create when you create a new forest). This means
there is one and only one Schema Master in a forest, and the purpose of this role is to
replicate schema changes to all other domain controllers in the forest. Since the schema of
Active Directory is rarely changed however, the Schema Master role will rarely do any
work. Typical scenarios where this role is used would be when you deploy Exchange Server
onto your network, or when you upgrade domain controllers from Windows 2000 to
Windows Server 2003, as these situations both involve making changes to the Active
Directory schema.
• Domain Naming Master - The other forest-specific FSMO role is the Domain Naming
Master, and this role too resides in the forest root domain. The Domain Naming Master role
processes all changes to the namespace; for example, adding the child domain
vancouver.mycompany.com to the forest root domain mycompany.com requires that this
role be available, so if you can't add a new child domain or new domain tree, check to make
sure this role is running properly.
To summarize then, the Schema Master and Domain Naming Master roles are found only in the
forest root domain, while the remaining roles are found in each domain of your forest. Now let's
look at best practices for assigning these roles to different domain controllers in your forest or
domain.

FSMO Roles Best Practices


Proper placement of FSMO Roles boils down to three simple rules:
• Rule One: In your forest root domain, keep your Schema Master and Domain Naming
Master on the same domain controller to simplify administration of these roles, and make
sure this domain controller contains a copy of the Global Catalog. This is not a hard-and-
fast rule as you can move these roles to different domain controllers if you prefer, but
there's no real gain in doing so and it only complicates FSMO role management to do so. If
for reasons of security policy however your company decides that the Schema Master role
must be fully segregated from all other roles, then go ahead and move the Domain Naming
Master to a different domain controller that hosts the Global Catalog. Note though that if
you've raised your forest functional level to Windows Server 2003, your Domain Naming
Master role can be on a domain controller that doesn't have the Global Catalog, but in this
case be sure at least to make sure this domain controller is a direct replication partner with
the Schema Master machine.
• Rule Two: In each domain, place the PDC Emulator and RID Master roles on the same
domain controller and make sure the hardware for this machine can handle the load of
these roles and any other duties it has to perform. This domain controller doesn't have to
have the Global Catalog on it, and in general it's best to move these two roles to a machine
that doesn't host the Global Catalog because this will help balance the load (the Global
Catalog is usually heavily used).
• Rule Three: In each domain, make sure that the Infrastructure Master role is not held by a
domain controller that also hosts the Global Catalog, but do make sure that the
Infrastructure Master is a direct replication partner of a domain controller hosting the
Global Catalog that resides in the same site as the Infrastructure Master. Note however
that this rule does have some exceptions, namely that the Infrastructure Master role can
be held by a domain controller hosting the Global Catalog in two circumstances: when
there is only one domain in your forest or when every single domain controller in your
forest also hosts the Global Catalog.
To summarize these three rules then and make them easy to remember:
• Forest root domain - Schema Master and Domain Naming Master on the same machine,
which should also host the Global Catalog.
• Every domain - PDC Emulator and RID Master on the same machine, which should have
beefy hardware to handle the load.
• Every domain - Never place the Infrastructure Master on a machine that hosts the Global
Catalog, unless your forest has only one domain or unless every domain controller in your
forest hosts the Global Catalog.
If the Infrastructure Master runs on a Global Catalog server it will stop updating object
information because it does not contain any references to objects that it does not hold. This is
because a Global Catalog server holds a partial replica of every object in the forest. As a
result, cross-domain object references in that domain will not be updated and a warning to
that effect will be logged on that DC's event log.

Why the Infrastructure Master should not be placed on a server that hosts the Global Catalog

The Infrastructure Master should not be on the same server that acts as a Global
Catalog server.
The reason for this is that the Global Catalog contains information about every object in
the forest. When the Infrastructure Master, which is responsible for updating Active
Directory information about cross-domain object changes, needs information about
objects not in its domain, it contacts the Global Catalog server for this information.
If they both reside on the same server, then the Infrastructure Master will never
think there are changes to objects that reside in other domains because the Global
Catalog will keep it constantly updated. This would result in the Infrastructure Master
never replicating changes to other domain controllers in its domain.
Note: In a single domain environment this is not an issue.
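To make the three placement rules above checkable, here is an added example (not part of the original page) that encodes them as a validation over a hand-built model of a forest. The domain controller names, the forest layout and the role-name strings are constructed; in practice you would fill the model from the output of netdom query fsmo plus each DC's Global Catalog setting.

```python
"""Check FSMO role placement against the three rules given above.

Added example (not from the original page). The forest model is constructed
by hand; in practice fill it from "netdom query fsmo" and from each DC's
Global Catalog flag in Active Directory Sites and Services.
"""
from dataclasses import dataclass, field

FOREST_ROLES = {"SchemaMaster", "DomainNamingMaster"}
DOMAIN_ROLES = {"PDCEmulator", "RIDMaster", "InfrastructureMaster"}


@dataclass
class DomainController:
    name: str
    domain: str
    is_gc: bool                      # hosts the Global Catalog
    roles: set = field(default_factory=set)


def check_fsmo_placement(forest_root, dcs):
    """Return a list of findings; an empty list means all three rules hold."""
    findings = []
    domains = {dc.domain for dc in dcs}
    holder = {}                      # (scope, role) -> DomainController
    for dc in dcs:
        for role in dc.roles:
            scope = forest_root if role in FOREST_ROLES else dc.domain
            if (scope, role) in holder:
                findings.append(f"{role} for {scope} claimed by both "
                                f"{holder[(scope, role)].name} and {dc.name}")
            holder[(scope, role)] = dc

    # Every forest-wide role and every per-domain role needs exactly one holder
    wanted = [(forest_root, r) for r in FOREST_ROLES]
    wanted += [(d, r) for d in domains for r in DOMAIN_ROLES]
    for scope, role in wanted:
        if (scope, role) not in holder:
            findings.append(f"{role} for {scope} is not held by any DC")

    # Rule one: Schema Master and Domain Naming Master together, on a GC
    schema = holder.get((forest_root, "SchemaMaster"))
    naming = holder.get((forest_root, "DomainNamingMaster"))
    if schema and naming and schema is not naming:
        findings.append("Rule 1: Schema Master and Domain Naming Master are on "
                        f"different DCs ({schema.name}, {naming.name})")
    if naming and not naming.is_gc:
        findings.append(f"Rule 1: Domain Naming Master {naming.name} is not a GC "
                        "(acceptable only at Windows Server 2003 forest level, "
                        "and then it must replicate directly with the Schema Master)")

    # Rule two: PDC Emulator and RID Master together, preferably not on a GC
    for d in sorted(domains):
        pdc = holder.get((d, "PDCEmulator"))
        rid = holder.get((d, "RIDMaster"))
        if pdc and rid and pdc is not rid:
            findings.append(f"Rule 2: PDC Emulator ({pdc.name}) and RID Master "
                            f"({rid.name}) are on different DCs in {d}")
        if pdc and rid and pdc is rid and pdc.is_gc:
            findings.append(f"Rule 2: {pdc.name} in {d} holds PDC/RID and the "
                            "GC; consider moving the roles to balance load")

    # Rule three: Infrastructure Master must not be a GC, with two exceptions
    exempt = len(domains) == 1 or all(dc.is_gc for dc in dcs)
    for d in sorted(domains):
        im = holder.get((d, "InfrastructureMaster"))
        if im and im.is_gc and not exempt:
            findings.append(f"Rule 3: Infrastructure Master {im.name} in {d} "
                            "is a GC; cross-domain references will stop updating")
    return findings


# Constructed two-domain forest: the child domain breaks rule three.
SAMPLE_FOREST = [
    DomainController("DC1", "mycompany.com", True,
                     {"SchemaMaster", "DomainNamingMaster"}),
    DomainController("DC2", "mycompany.com", False,
                     {"PDCEmulator", "RIDMaster", "InfrastructureMaster"}),
    DomainController("DC3", "vancouver.mycompany.com", True,
                     {"PDCEmulator", "RIDMaster", "InfrastructureMaster"}),
]

if __name__ == "__main__":
    for finding in check_fsmo_placement("mycompany.com", SAMPLE_FOREST):
        print(finding)
```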

21. What protocol is used by Terminal Server and what is its port number?
A. Terminal Server uses the Remote Desktop Protocol (RDP), and its port number is 3389.

22. What is the ADS port?
A. 445

23. What is the Kerberos port?
A. 88

24. Differences between NTLM and Kerberos

RFC 1510 "The Kerberos Network Authentication Service (V5)" defines an authentication process
which provides a method for verifying the identities of principals (workstation users and network
servers) on an open network. For authentication purposes, clients use Kerberos tickets, which
represent the client's network credentials. Clients obtain the tickets from the Kerberos Key Distribution
Center (KDC), and they present these tickets when a network connection is established. Kerberos
represents the client's identity by using the domain name, user name, and password.

The Windows 2000 security infrastructure also supports the following primary security protocols:

• Windows NT LAN Manager (NTLM) authentication protocol is provided to support Windows
NT version 4.0 and earlier. NTLM will continue to be supported and used for pass-through
network authentication, remote file access, and authenticated Remote Procedure Call (RPC)
connections to previous versions of Windows NT.

• Distributed Password Authentication (DPA) is the shared secret authentication protocol
that is used by many Internet membership organizations, such as MSN and CompuServe.
This authentication protocol is part of Microsoft Commercial Internet System (MCIS)
services and is specifically designed to allow users to use the same Internet membership
password to connect to various Internet sites that are part of the same membership
organization. The Internet content servers use the MCIS authentication service as a back
end Internet service, and users can connect to multiple sites without reentering their
passwords.

24. What is LDAP and what is its port?

Lightweight Directory Access Protocol (LDAP) is an open network protocol standard
designed to provide access to distributed directories. LDAP provides a mechanism for
querying and modifying information that resides in a directory information tree (DIT). A
directory information tree typically contains a broad range of information about different
types of network objects including users, printers, applications, and other network
resources. LDAP is described through four basic models: Information, Naming,
Functional, and Security. The combination of these models introduces a nomenclature
that describes entries and their attributes, and provides methods to query and manipulate
their values.

Ports

LDAP utilizes either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) to
connect from the client to the DSA. This connection occurs over a socket. Table 2 below lists different
end points that provide a range of functionality.

Table 2. LDAP Connection End Points

Function                                    Port
LDAP                                        389
LDAP Secure Sockets Layer (SSL)             636
Global Catalog (GC)                         3268
Global Catalog Secure Sockets Layer (SSL)   3269

25. Explain intersite and intrasite replication

Replication

Active Directory replication between domain controllers is managed by the system
administrator on a site-by-site basis. As domain controllers are added, a replication path
must be established. This is done by the Knowledge Consistency Checker (KCC), coupled with
Active Directory replication components. The KCC is a dynamic process that runs on all
domain controllers to create and modify the replication topology. If a domain controller fails,
the KCC automatically creates new paths to the remaining domain controllers. Manual
intervention with the KCC will also force a new path.
The Active Directory replaces PDCs and BDCs with multimaster replication services. Each
domain controller retains a copy of the entire directory for that particular domain. As changes
are made in one domain controller, the originator communicates these changes to the peer
domain controllers. The directory data itself is stored in the ntds.dit file.
Active Directory replication uses the Remote Procedure Call (RPC) over IP to conduct
replication within a site. Replication between sites can utilize either RPC or the Simple Mail
Transfer Protocol (SMTP) for data transmission. The default intersite replication protocol is
RPC.

Intersite and Intrasite Replication

There are distinct differences between intrasite and intersite domain controller replication. In theory,
the network bandwidth within a site is sufficient to handle all network traffic associated with
replication and other Active Directory activities. By the definition of a site, the network must
be reliable and fast. A change notification process is initiated when modifications occur on a
domain controller. The domain controller waits for a configurable period (by default, five
minutes) before it forwards a message to its replication partners. During this interval, it
continues to accept changes. Upon receiving a message, the partner domain controllers copy
the modification from the original domain controller. In the event that no changes were noted
during a configurable period (six hours, by default), a replication sequence ensures that all
possible modifications are communicated. Replication within a site involves the transmission
of uncompressed data.
NOTE
Security-related modifications are replicated within a site immediately. These changes
include account and individual user lockout policies, changes to password policies, changes
to computer account passwords, and modifications to the Local Security Authority (LSA).
Replication between sites assumes that there are network-connectivity problems, including
insufficient bandwidth, reliability, and increased cost. Therefore, the Active Directory permits
the system to make decisions on the type, frequency, and timing of intersite replication. All
replication objects transmitted between sites are compressed, which may reduce traffic by 10
to 25 percent, but because this is not sufficient to guarantee proper replication, the system
administrator has the responsibility of scheduling intersite replication.

Replication Component Objects

Whereas the KCC represents the process elements associated with replication, the following
comprise the Active Directory object components:

• Connection object. Domain controllers become replication "partners" when linked
by a connection object. This is represented by a one-way path between two domain
controller server objects. Connection objects are created by the KCC by default. They
can also be manually created by the system administrator.
• NTDS settings object. The NTDS settings object is a container that is automatically
created by the Active Directory. It contains all of the connection objects, and is a child
of the server object.
• Server object. The Active Directory represents every computer as a computer
object. The domain controller is also represented by a computer object, plus a
specially created server object. The server object's parent is the site object that
defines its IP subnet. However, in the event that the domain controller server object
was created prior to site creation, it will be necessary to manually define the IP
subnet to properly assign the domain controller a site.

When it is necessary to link multiple sites, two additional objects are created to manage the
replication topology.

• Site link. The site link object specifies a series of values (cost, interval, and
schedule) that define the connection between sites. The KCC uses these values to
manage replication and to modify the replication path if it detects a more efficient
one. The Active Directory DEFAULTIPSITELINK is used by default until the system
administrator intervenes. The cost value, ranging from 1 to 32767, is an arbitrary
estimate of the actual cost of data transmission as defined by bandwidth. The interval
value sets how often replication will occur: the minimum is 15 minutes and the maximum
is once a week (10080 minutes); three hours is the default. The
schedule interval establishes the time when replication should occur. Although
replication can be at any time by default, the system administrator may want to
schedule it only during off-peak network hours.
• Site link bridges. The site link bridge object defines a set of links that communicate
via the same protocol. By default, all site links use the same protocol, and are
transitive. Moreover, they belong to a single site link bridge. No configuration is
necessary to the site link bridge if the IP network is fully routed. Otherwise, manual
configuration may be necessary.

Preventing Data Replication Collision

The Active Directory issues a unique identifier known as the Update Sequence Number (USN),
which is given to every change made to an object. This number is incrementally changed
whenever the object is modified. Each property of an object is also issued a USN. A source
domain controller regularly communicates USN changes to its peer domain controllers. The
latest USN is then registered in each domain controller to ensure the freshness of an object's
current state. The Active Directory uses a timestamp only when changes are made at
approximately the same time to the same object. At this point, in order to avoid data
collisions, the change with the latest timestamp will be replicated by default. In all other
cases, the Active Directory disregards the timestamping process.


27. Difference between IMAP4 and POP3

POP3: Since email needs to be downloaded into the desktop PC before being displayed, you
may have the following problems with POP3 access:
  • You need to download all email again when using another desktop PC to check your
    email.
  • You may get confused if you need to check email both in the office and at home.
  • The downloaded email may be deleted from the server depending on the setting of
    your email client.
IMAP: Since email is kept on the server, you gain the following benefits with IMAP access:
  • No need to download all email when using another desktop PC to check your email.
  • Easier to identify the unread email.

POP3: All messages as well as their attachments will be downloaded into the desktop PC
during the 'check new email' process.
IMAP: A whole message will be downloaded only when it is opened to display its content.

POP3: Mailboxes can only be created on the desktop PC. Only one mailbox (INBOX) exists
on the server.
IMAP: Multiple mailboxes can be created on the desktop PC as well as on the server.

POP3: Filters can transfer incoming/outgoing messages only to local mailboxes.
IMAP: Filters can transfer incoming/outgoing messages to other mailboxes no matter
where the mailboxes are located (on the server or the PC).

POP3: Outgoing email is stored only locally on the desktop PC.
IMAP: Outgoing email can be filtered to a mailbox on the server for accessibility from
other machines.

POP3: Messages are deleted on the desktop PC. Comparatively, it is inconvenient to clean
up your mailbox on the server.
IMAP: Messages can be deleted directly on the server, which makes it more convenient to
clean up your mailbox on the server.

POP3: Messages may be reloaded onto the desktop PC several times due to the corruption of
system files.
IMAP: Reloading messages from the server to the PC occurs much less often when
compared to POP3.


28. What are the port numbers of SMTP, IMAP and POP3?

FTP        20, 21
TELNET     23
SMTP       25
DNS        53
DHCP       67, 68
POP3       110
IMAP       143
LDAP       389
HTTP       80
KERBEROS   88
NETBIOS    139/137
WINS       42

29. How to find out whether the ADS installation was successful or not?

The following should be checked to verify ADS:

1. Check that the SRV resource records have been created properly by examining the DNS
database. These folders will exist in the domain folder:
_msdcs
_sites
_tcp
_udp

2. Verify that the SYSVOL structure in %systemroot%\sysvol contains the subfolders
Domain
Staging
Staging Areas
Sysvol

3. Check that the necessary shares Netlogon and Sysvol are created.

4. Verify that the database (ntds.dit) and log files (Edb.*, Res*.log) are created.
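Step 1 of the verification above can be automated against a zone dump. This is an added example, not from the original page: it parses SRV records in standard zone-file form (the DC's own netlogon.dns file has that form) and reports which of the records Net Logon registers under _msdcs, _sites, _tcp and _udp are absent or point at the wrong port. The zone dump is constructed; the kpasswd port 464 is assumed from the standard Kerberos port assignments and is not stated on the page.

```python
r"""Check that a DC's SRV records were registered (step 1 of the verification above).

Added example (not from the original page). The zone dump is constructed; in
practice feed it the DC's %systemroot%\system32\config\netlogon.dns file. The
expected owner names are the ones Net Logon registers; kpasswd on port 464 is
assumed from the standard Kerberos port assignment, not taken from the page.
"""
import re

# One SRV record per line: owner [TTL] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$")


def parse_srv_records(zone_text):
    """Map each SRV owner name (lower-case, no trailing dot) to a set of (port, target)."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in zone files
        m = SRV_LINE.match(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        target = m.group("target").lower().rstrip(".")
        records.setdefault(name, set()).add((int(m.group("port")), target))
    return records


def expected_srv_records(domain, forest, site, is_gc):
    """Owner name -> port that Net Logon should have registered for one DC."""
    d, f, s = domain.lower(), forest.lower(), site.lower()
    expected = {
        f"_ldap._tcp.{d}": 389,                           # _tcp folder
        f"_ldap._tcp.{s}._sites.{d}": 389,                # _sites folder
        f"_ldap._tcp.dc._msdcs.{d}": 389,                 # _msdcs folder
        f"_ldap._tcp.{s}._sites.dc._msdcs.{d}": 389,
        f"_kerberos._tcp.{d}": 88,
        f"_kerberos._udp.{d}": 88,                        # _udp folder
        f"_kerberos._tcp.dc._msdcs.{d}": 88,
        f"_kpasswd._tcp.{d}": 464,
        f"_kpasswd._udp.{d}": 464,
    }
    if is_gc:                      # GC records are registered in the forest root namespace
        expected.update({
            f"_gc._tcp.{f}": 3268,
            f"_gc._tcp.{s}._sites.{f}": 3268,
            f"_ldap._tcp.gc._msdcs.{f}": 3268,
        })
    return expected


def missing_srv_records(zone_text, dc_fqdn, domain, forest, site, is_gc):
    """Return expected owner names without an SRV pointing at dc_fqdn on the right port."""
    records = parse_srv_records(zone_text)
    dc = dc_fqdn.lower().rstrip(".")
    wanted = expected_srv_records(domain, forest, site, is_gc)
    return sorted(name for name, port in wanted.items()
                  if (port, dc) not in records.get(name, set()))


# Constructed dump for dc1 in site Default-First-Site-Name: the Kerberos UDP and
# site-specific GC records are absent, and the GC LDAP record has the wrong port.
SAMPLE_ZONE = """\
; constructed zone dump, not real data
_ldap._tcp.mycompany.com. 600 IN SRV 0 100 389 dc1.mycompany.com.
_ldap._tcp.Default-First-Site-Name._sites.mycompany.com. 600 IN SRV 0 100 389 dc1.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com. 600 IN SRV 0 100 389 dc1.mycompany.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.com. 600 IN SRV 0 100 389 dc1.mycompany.com.
_kerberos._tcp.mycompany.com. 600 IN SRV 0 100 88 dc1.mycompany.com.
_kerberos._tcp.dc._msdcs.mycompany.com. 600 IN SRV 0 100 88 dc1.mycompany.com.
_kpasswd._tcp.mycompany.com. 600 IN SRV 0 100 464 dc1.mycompany.com.
_kpasswd._udp.mycompany.com. 600 IN SRV 0 100 464 dc1.mycompany.com.
_gc._tcp.mycompany.com. 600 IN SRV 0 100 3268 dc1.mycompany.com.
_ldap._tcp.gc._msdcs.mycompany.com. 600 IN SRV 0 100 389 dc1.mycompany.com.
"""

if __name__ == "__main__":
    for name in missing_srv_records(SAMPLE_ZONE, "dc1.mycompany.com", "mycompany.com",
                                    "mycompany.com", "Default-First-Site-Name", True):
        print("missing or wrong port:", name)
```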

30. About ADS Sites and Services

31. What is the difference between DNS and WINS?

Table 12.1 WINS Versus DNS

WINS: The purpose is to resolve NetBIOS names to IP addresses.
DNS:  The purpose is to resolve host names to IP addresses.

WINS: Names are flat and 15 characters long.
DNS:  Names are hierarchical in nature.

WINS: Name registration is dynamic and happens automatically.
DNS:  Name registration is static and has to be done manually.

WINS: Supports incremental replication of the data, which means that only changes in the
      database are replicated between WINS servers.
DNS:  Doesn't support incremental replication of data between DNS servers. This means the
      whole database has to be replicated every time.

WINS: Supports DHCP.
DNS:  Doesn't support DHCP.

WINS: Doesn't support email routing or additional TCP/IP application services.
DNS:  Supports other TCP/IP application services such as email routing.

32. What is the use of the Hosts file?

Hosts file or LMHosts file, what's the difference? Here is an article that might clear things up (as
clear as mud, anyway).

Name Resolution for Windows Networking

For TCP/IP and the Internet, the globally known system name is the computer's host name,
appended with a DNS domain name (for example, rhit.microsoft.com). This defaults to the
computer name (NetBIOS name) defined during Windows 95 Setup. The default name can be
changed in the DNS dialog box when you are configuring TCP/IP properties.
Computers use IP addresses to identify each other, but users usually find it easier to work with
computer names. A mechanism must be available on a TCP/IP network to resolve names to IP
addresses. To ensure that both the name and the address are unique, the computer using
Microsoft TCP/IP registers its name and IP address on the network during system startup.
Computers running Microsoft TCP/IP on the network can use one or more methods for name
resolution in TCP/IP internetworks, as summarized in this section.
Broadcast name resolution.
Computers running Microsoft TCP/IP can use broadcast name resolution, which is a NetBIOS-
over-TCP/IP mode of operation defined in RFC 1001/1002 as b-node. This method relies on a
computer making IP-level broadcasts to register its name by announcing it on the network. Each
computer in the broadcast area is responsible for challenging attempts to register a duplicate
name and for responding to name queries for its registered name.
LMHOSTS or HOSTS files.

An LMHOSTS file specifies the NetBIOS computer name and IP address mappings; a HOSTS file
specifies the DNS name and IP address. On a local computer, the HOSTS file (used by Windows
Sockets applications to find TCP/IP host names) and LMHOSTS file (used by NetBIOS over TCP/IP
to find NetBIOS computer names) can be used to list known IP addresses mapped with
corresponding computer names. LMHOSTS is used for name resolution in Windows 95 for
internetworks where WINS is not available.
· The HOSTS file is used as a local DNS equivalent to resolve host names to IP addresses.
· The LMHOSTS file is used as a local WINS equivalent to resolve NetBIOS computer names to
IP addresses.
Each of these files is also known as a host table. Sample versions of LMHOSTS (called
LMHOSTS.SAM) and HOSTS files are added to the Windows directory when you install Windows
95 with TCP/IP support. These files can be edited using any ASCII editor, such as WordPad or
Edit. To take advantage of HOSTS or LMHOSTS, DNS must be enabled on the computer. For
information about setting up and using HOSTS and LMHOSTS files, see Appendix G, "HOSTS and
LMHOSTS Files for Windows 95."


Windows Internet Name Service.

Computers running Microsoft TCP/IP can use WINS if one or more Windows NT Server computers
configured as WINS servers are available, containing a dynamic database for mapping computer
names to IP addresses. WINS can be used in conjunction with broadcast name resolution for an
internetwork, where other name resolution methods are inadequate. WINS is a NetBIOS-over-
TCP/IP mode of operation defined in RFC 1001/1002 as h-node or m-node; WINS clients default
to h-node. Notice that WINS is a dynamic replacement for the LMHOSTS file. For more
information, see "Using WINS for Name Resolution" later in this chapter.
Domain Name System name resolution.

DNS provides a way to look up name mappings when connecting a computer to foreign hosts
using NetBIOS over TCP/IP or Windows Sockets applications such as FTP. DNS is a distributed
database designed to relieve the traffic problems that arose with the first growth explosion on
the Internet in the early 1980s. A DNS name server must be configured and available on the
network. Notice that DNS replaces the functionality of the HOSTS file by providing a dynamic
mapping of IP addresses to host names used by TCP/IP applications and utilities. For more
information, see "Using DNS for Name Resolution" later in this chapter.
Windows 95 provides support for multiple DNS servers and up to two WINS servers. Support for
either service can be configured automatically from a DHCP server, manually in Windows 95
Setup, or after Setup by using the Network option in Control Panel.

Name Resolution with Host Files

For computers located on remote subnets where WINS is not used, the HOSTS and LMHOSTS
files provide mappings for names to IP addresses. This name-resolution method was used on
internetworks before DNS and WINS were developed. The HOSTS file can be used as a local DNS
equivalent; the LMHOSTS file can be used as a local WINS equivalent.
Note
Sample versions of LMHOSTS and HOSTS files are added to the Windows NT
\systemroot\System32\drivers\Etc directory when you install Microsoft TCP/IP.

HOSTS
Microsoft TCP/IP can be configured to search HOSTS (the local host table file) for mappings of
remote host names to IP addresses. The HOSTS file format is the same as the format for host
tables in the 4.3 Berkeley Software Distribution (BSD) UNIX /etc/hosts file. For example, the
entry for a computer with an address of 192.102.73.6 and a host name of mfg1.widgets.com
looks like this:

192.102.73.6 mfg1.widgets.com

You can create and change the HOSTS file with a text editor such as Notepad, because it is
a simple text file. (An example of the HOSTS format is provided in the file named HOSTS.sam
in the Windows NT %systemroot%\System32\Drivers\Etc directory. This is only an example
file; do not use this file as the primary HOSTS file.) Edit the sample HOSTS file (created
when you install TCP/IP) to include remote host names and IP addresses for each computer
with which you will communicate.

LMHOSTS
The LMHOSTS file is a local text file that maps IP addresses to NetBIOS computer names. It
contains entries for Windows-networking computers located outside the local subnet. The
LMHOSTS file is read when WINS or broadcast name resolution fails; resolved entries are stored
in a local cache for later access.
For example, the LMHOSTS table file entry for a computer with an address of 192.45.36.5 and a
computer name of mrp2 looks like this:

192.45.36.5 mrp2

You can create and change the LMHOSTS file with a text editor such as Notepad, because it is
a simple text file. (An example of the LMHOSTS format is provided in the file named
LMHOSTS.sam in the Windows NT %systemroot%\System32\Drivers\Etc directory. This is only
an example file; do not use this file as the primary LMHOSTS file.) Edit the sample LMHOSTS
file (created when you install TCP/IP) to include remote NetBIOS names and IP addresses for
each computer with which you will communicate.
The LMHOSTS file is typically used for small-scale networks that do not have servers.
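As an added example, not from the original page or from Microsoft, here is a small parser for the HOSTS and LMHOSTS formats shown above; it also reports names that are mapped to more than one address, which is what a stale or tampered host table looks like when you audit one. The two file bodies are constructed (they reuse the page's mfg1.widgets.com and mrp2 entries), and the #PRE and #DOM: keywords are the standard LMHOSTS ones.

```python
"""Parse HOSTS and LMHOSTS entries in the formats shown above.

Added example (not from the original page). Both file bodies below are
constructed. In HOSTS everything after '#' is a comment; LMHOSTS gives the
'#PRE' (preload into cache) and '#DOM:<domain>' keywords a meaning, so '#'
only starts a comment there when it is not one of those.
"""
import ipaddress


def parse_hosts(text):
    """Return [(ip, [names])] for each HOSTS line, skipping comments and bad lines."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            continue                          # malformed address: not a mapping
        if names:
            entries.append((ip, [n.lower() for n in names]))
    return entries


def parse_lmhosts(text):
    """Return [(ip, name, preload, domain)] for each LMHOSTS line.

    Names longer than 15 characters are rejected because NetBIOS names are flat
    and at most 15 characters long; keywords are matched case-insensitively here.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue
        name = tokens[1].upper()
        if len(name) > 15:
            continue
        preload, domain = False, None
        for tok in tokens[2:]:
            up = tok.upper()
            if up == "#PRE":
                preload = True
            elif up.startswith("#DOM:"):
                domain = tok[5:].upper()
            elif tok.startswith("#"):
                break                         # ordinary comment: ignore the rest
        entries.append((ip, name, preload, domain))
    return entries


def conflicting_names(mappings):
    """Given (name, ip) pairs, return the names mapped to more than one address."""
    seen = {}
    for name, ip in mappings:
        seen.setdefault(name, set()).add(ip)
    return sorted(n for n, ips in seen.items() if len(ips) > 1)


def hosts_conflicts(text):
    """Names in a HOSTS file body that resolve to more than one address."""
    return conflicting_names((n, ip) for ip, names in parse_hosts(text) for n in names)


# Constructed sample files (not real hosts)
SAMPLE_HOSTS = """\
# constructed HOSTS file
192.102.73.6   mfg1.widgets.com  mfg1      # entry from the text above
127.0.0.1      localhost
192.102.73.7   mfg1.widgets.com            # conflicting second mapping
not-an-ip      broken.example
"""

SAMPLE_LMHOSTS = """\
# constructed LMHOSTS file
192.45.36.5    mrp2
192.45.36.9    PDC01     #PRE  #DOM:WIDGETS
192.45.36.10   averyveryverylongname
"""

if __name__ == "__main__":
    print(parse_hosts(SAMPLE_HOSTS))
    print(parse_lmhosts(SAMPLE_LMHOSTS))
    print("conflicting HOSTS names:", hosts_conflicts(SAMPLE_HOSTS))
```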

38. What is the Global Catalog?

The global catalog is a distributed data repository that contains a
searchable, partial representation of every object in every domain in
an Active Directory forest. The global catalog is stored on domain
controllers that have been designated as global catalog servers and is
distributed through multimaster replication. Searches that are directed
to the global catalog are faster because they do not involve referrals to
different domain controllers.

In addition to configuration and schema directory partition replicas,
every domain controller in a Windows 2000 Server or Windows
Server 2003 forest stores a full, writable replica of a single domain
directory partition. Therefore, a domain controller can locate only the
objects in its domain. Locating an object in a different domain would
require the user or application to provide the domain of the requested
object.

The global catalog provides the ability to locate objects from any
domain without having to know the domain name. A global catalog
server is a domain controller that, in addition to its full, writable
domain directory partition replica, also stores a partial, read-only
replica of all other domain directory partitions in the forest. The
additional domain directory partitions are partial because only a
limited set of attributes is included for each object. By including only
the attributes that are most used for searching, every object in every
domain in even the largest forest can be represented in the database
of a single global catalog server.

Note

A global catalog server can also store a full, writable replica of an
application directory partition, but objects in application directory
partitions are not replicated to the global catalog as partial, read-only
directory partitions.

The global catalog is built and updated automatically by the Active
Directory replication system. The attributes that are replicated to the
global catalog are identified in the schema as the partial attribute set
(PAS) and are defined by Microsoft. However, to optimize searching,
you can edit the schema by adding or removing attributes that are
stored in the global catalog.

In Windows 2000 Server environments, any change to the PAS results
in full synchronization (update of all attributes) of the global catalog.
Windows Server 2003 reduces the impact of updating the global
catalog by replicating only the attributes that change.

Global Catalog Dependencies and Interactions

Global catalog servers have the following dependencies and
interactions with other Windows Server technologies:

• Active Directory installation. When Active Directory is installed on the
first domain controller in a forest, the installation application creates
that domain controller as a global catalog server.
• Active Directory replication. The global catalog is built and
maintained by Active Directory replication:
  - Subsequent to forest creation, when a domain controller is
  designated as a global catalog server, Active Directory replication
  automatically transfers PAS replicas to the domain controller,
  including the partial replica of every domain in the forest other
  than the local domain.
  - To facilitate intersite replication of global catalog server updates,
  Active Directory replication selects global catalog servers as
  bridgehead servers whenever a global catalog server is present in
  a site and domains that are not present in the site exist in other
  sites in the forest.
• Domain Name System (DNS). Global catalog server clients depend on
DNS to provide the IP address of global catalog servers. DNS is
required to advertise global catalog servers for domain controller
location.
• Net Logon service. Global catalog advertisement in DNS depends on
the Net Logon service to perform DNS registrations. When replication
of the global catalog is complete, or when a global catalog server
starts, the Net Logon service publishes service (SRV) resource
records in DNS that specifically advertise the domain controller as a
global catalog server.
• Domain controller Locator. When a global catalog server is requested
(by a user or application that launches a search over port 3268, or by
a domain controller that is authenticating a user logon), the domain
controller Locator queries DNS for a global catalog server.

In the following diagram (not reproduced here), global catalog interactions include tracking a
global catalog server through the following interactions, which are
indicated by boxes:

• Active Directory installation of a new forest: Global catalog
creation occurs during Active Directory installation of the first domain
controller in the forest.
• Net Logon registration: Resource records are registered in DNS to
advertise the domain controller as a global catalog server.
• Active Directory replication:
  - When a new domain controller (DC2) is created and an
  administrator designates it as a global catalog server, replication of
  the PAS from DC1 occurs.
  - DC1 in DomainA replicates changes for DomainA to DC2, and DC2
  replicates updates to data for DomainB to DC1.
• DC location: The dotted lines enclose the processes whereby two
clients locate a global catalog server by querying DNS:
  - A through C: (A) ClientX sends a query to the global catalog, which
  prompts (B) a DNS query to locate the closest global catalog
  server, and then (C) the client contacts the returned global catalog
  server DC2 to resolve the query.
  - 1 through 5: (1) ClientY logs on to the domain, which prompts (2) a
  DNS query for the closest domain controllers. (3) ClientY contacts
  the returned domain controller DC3 for authentication. (4) DC3
  queries DNS to find the closest global catalog server and then (5)
  contacts the returned global catalog server DC2 to retrieve the
  universal groups for the user.

Interactions with Other Windows Technologies

The global catalog solves the problem of how to locate domain data
that is not stored on a domain controller in the domain of the client
that requires the information. By using different ports for standard
LDAP queries (port 389) and global catalog queries (port 3268), Active
Directory effectively separates forestwide queries that require a global
catalog server from local, domainwide queries that can be serviced by
the domain controller in the user’s domain.

44. Explain trees, domains, OUs and sites.

Domain: A domain is a group of computers that share a common directory
database. Every domain must have a unique name, and all the resources inside
the domain are managed by the domain administrator.
A domain can contain any number of domain controllers inside it.

Organizational Unit: It is a container used to group objects in a logical hierarchy
according to the needs of the organization.
An OU hierarchy can be created on the basis of:
Administrative model
Departmental structure
Geographical locations

Trees: A tree is a hierarchy of domains sharing the same namespace.
Domains follow a parent/child relationship in a tree. When a new domain is added
to the root domain, the new domain becomes the child domain and the root becomes
the parent domain, and two-way transitive trusts are created by default between
all the domains of a tree.

Domain Controller: It is a Windows 2000 server running Active Directory.

Site: A site is a collection of subnets connected by a high-speed link.
Replication topology is managed by creating sites.

33. Explain browser services and their advantages

34. DNS troubleshooting and its tools
Domain Name System (DNS)
You must configure DNS correctly to ensure that Active Directory will function properly.
For a more in-depth treatment of DNS configuration for Active Directory, see the
following Microsoft Knowledge Base article:
237675 (http://support.microsoft.com/kb/237675/EN-US/) Setting Up the Domain Name
System for Active Directory
Review the following configuration items to ensure that DNS is healthy and that the
Active Directory DNS entries will be registered correctly:
• DNS IP configuration
• Active Directory DNS registration
• Dynamic zone updates
• DNS forwarders

DNS IP Configuration
An Active Directory server that is hosting DNS must have its TCP/IP settings configured
properly. TCP/IP on an Active Directory DNS server must be configured to point to itself
to allow the server to register with its own DNS server. To view the current IP
configuration, open a command window and type ipconfig /all to display the details. You
can modify the DNS configuration by following these steps:
1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab. Configure the DNS information as
follows:
a. Configure the DNS server addresses to point to the DNS server. This should
be the computer's own IP address if it is the first server or if no dedicated DNS server will
be configured.


b. If the resolution of unqualified names setting is set to Append these DNS suffixes (in
order), the Active Directory DNS domain name should be listed first (at the top of the
list).
c. Verify that the DNS Suffix for this connection setting is the same as the Active
Directory domain name.
d. Verify that the Register this connection's addresses in DNS check box is selected.

5. At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and
then type ipconfig /registerdns to register the DNS resource records.
Start the DNS Management console. There should be a host record (an "A" record in
Advanced view) for the computer name. There should also be a Start of Authority (SOA
in Advanced view) record pointing to the domain controller (DC) as well as a Name
Server record (NS in Advanced view).
Active Directory DNS Registration
The Active Directory DNS records must be registered in DNS. The DNS zone can be
either a standard primary or an Active Directory-integrated zone. An Active Directory-
integrated zone is different from a standard primary zone in several ways. An Active
Directory-integrated zone provides the following benefits:
• The Windows 2000 DNS service stores zone data in Active Directory. This causes DNS
replication to create multiple masters, and it allows any DNS server to accept updates for
a directory service-integrated zone. Using Active Directory integration also reduces the
need to maintain a separate DNS zone transfer replication topology.
• Secure dynamic updates are integrated with Windows security. This allows an
administrator to precisely control which computers can update which names, and it
prevents unauthorized computers from obtaining existing names from DNS.
Use the following steps to ensure that DNS is registering the Active Directory DNS
records:
1. Start the DNS Management console.
2. Expand the zone information under the server name.
3. Expand Forward Lookup Zones, right-click the name of the Active Directory domain's
DNS zone, click Properties, and then verify that Allow Dynamic Updates is set to Yes.
4. Four folders with the following names are present when DNS is correctly registering
the Active Directory DNS records. These folders are labeled:
_msdcs
_sites
_tcp
_udp
If these folders do not exist, DNS is not registering the Active Directory DNS records.
These records are critical to Active Directory functionality and must appear within the
DNS zone. You should repair the Active Directory DNS record registration.
To repair the Active Directory DNS record registration:
• Check for the existence of a Root Zone entry. View the Forward Lookup zones in the
DNS Management console. There should be an entry for the domain. Other zone entries
may exist. There should not be a dot (".") zone. If the dot (".") zone exists, delete the dot
(".") zone. The dot (".") zone identifies the DNS server as a root server. Typically, an
Active Directory domain that needs external (Internet) access should not be configured as
a root DNS server.


The server probably needs to reregister its IP configuration (by using Ipconfig) after you
delete the dot ("."). The Netlogon service may also need to be restarted. Further details
about this step are listed later in this article.
• Manually repopulate the Active Directory DNS entries. You can use the Windows 2000
Netdiag tool to repopulate the Active Directory DNS entries. Netdiag is included with the
Windows 2000 Support tools. At a command prompt, type netdiag /fix.

To install the Windows 2000 Support tools:
1. Insert the Windows 2000 CD-ROM.
2. Browse to Support\Tools.
3. Run Setup.exe in this folder.
4. Select a typical installation. The default installation path is Systemdrive:\Program
Files\Support Tools.
After you run the Netdiag utility, refresh the view in the DNS Management console. The
Active Directory DNS records should then be listed.

NOTE: The server may need to reregister its IP configuration (by using Ipconfig) after
you run Netdiag. The Netlogon service may also need to be restarted.

If the Active Directory DNS records do not appear, you may need to manually re-create
the DNS zone.

• Manually re-create the DNS zone:
1. Start the DNS Management console.
2. Right-click the name of the zone, and then click Delete.
3. Click OK to acknowledge any warnings. The Forward Lookup zones no longer list the
deleted zone.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. The New Zone Wizard starts. Click Next to continue.
6. Click the appropriate zone type (either Active Directory-integrated or Standard
primary, and then click Next.
7. Type the name of the zone exactly as it appears in Network Identification, and then
click Next.
8. Click the appropriate zone file, or a new zone file. Click Next, and then click Finish to
finish the New Zone Wizard. The newly created zone appears in the DNS Management
console.
9. Right-click the newly created zone, click Properties, and then change Allow Dynamic
Updates to Yes.
10. At a command prompt, type net stop netlogon, and then press ENTER. The Netlogon
service is stopped.
11. Type net start netlogon, and then press ENTER. The Netlogon service is restarted.
12. Refresh the view in the DNS Management console. The Active Directory DNS
records should be listed under the zone.


If the Active Directory DNS records still do not exist, there may be a disjointed DNS
namespace. If you suspect that there is a disjointed DNS namespace, see the "Disjointed
DNS Namespace" section in this article.
Dynamic Zone Updates
Microsoft recommends that the DNS Lookup zone accept dynamic updates. You can
configure this by right-clicking the name of the zone, and then clicking Properties. On the
General tab, the Allow Updates setting should be set to Yes, or for an Active Directory-
integrated zone, either Yes or Only secure updates. If dynamic updates are not allowed,
all host registration must be completed manually.
DNS Forwarders
To ensure network functionality outside of the Active Directory domain (such as browser
requests for Internet addresses), configure the DNS server to forward DNS requests to the
appropriate Internet service provider (ISP) or corporate DNS servers. To configure
forwarders on the DNS server:
1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. Click the Forwarders tab.
4. Click to select the Enable Forwarders check box.

NOTE: If the Enable Forwarders check box is unavailable, the DNS server is attempting
to host a root zone (usually identified by a zone named only with a period, or dot (".")).
You must delete this zone to enable the DNS server to forward DNS requests. In a
configuration in which the DNS server does not rely on an ISP DNS server or a corporate
DNS server, you can use a root zone entry.
5. Type the appropriate IP addresses for the DNS servers that will accept forwarded
requests from this DNS server. The list reads from the top down in order; if there is a
preferred DNS server, place it at the top of the list.
6. Click OK to accept the changes.
The SRV records follow this naming convention:
_service._protocol.DNSDomainName
where DNSDomainName designates a Windows 2000 domain that DNS is authoritative
for. Since Active Directory servers are accessed using the LDAP service over TCP, most
entries will start with the prefix _ldap._tcp

For example, let's consider a fictitious domain test.swynk.com, with two Windows 2000
sites called EastCoast and WestCoast. In a properly working environment, the DNS server
would contain:

- an SRV record for each of the domain controllers in the domain, in the form:
_ldap._tcp.test.swynk.com

- an SRV record for each domain controller in each site (this allows clients to
locate domain controllers local to the site in which they reside), in the form:
_ldap._tcp.EastCoast._sites.test.swynk.com and
_ldap._tcp.WestCoast._sites.test.swynk.com

- an SRV record for the PDC emulator operations master for the domain, in the form:
_ldap._tcp.pdc._msdcs.test.swynk.com


- an SRV record for each global catalog server in the domain, in the form:
_ldap._tcp.gc._msdcs.test.swynk.com

- an SRV record for each global catalog in each site (this allows clients to locate
global catalog servers local to the site, in which they reside), in the form:
_ldap._tcp.EastCoast._sites.gc._msdcs.test.swynk.com and
_ldap._tcp.WestCoast._sites.gc._msdcs.test.swynk.com

There would also be CNAME records referencing the GUID (Globally Unique Identifier)
of each domain controller in the test.swynk.com domain, in the form:
_ldap._tcp.DCGUID.domains._msdcs.test.swynk.com
where DCGUID is the GUID of the Active Directory object representing this
domain controller.

NSLOOKUP.EXE
NSLOOKUP allows you to run quick queries for records existing on a particular
DNS server. This can be done in one of two modes:

- interactive mode - for a single query lookup. For example, in order to find A
record for win2kserver01.test.swynk.com on the DNS server 172.16.0.1, you
would run:
nslookup win2kserver01.test.swynk.com 172.16.0.1
which would return:
Server: win2kdns.test.swynk.com
Address: 172.16.0.1
Name: win2kserver01.test.swynk.com
Address: 10.0.0.102

- non-interactive mode - for multiple record queries, with a number of
enhancements (for example a debugging feature). The non-interactive mode is
run by typing at the command prompt:
nslookup - DNS_IP_Address
where DNS_IP_Address is the IP address of the DNS server you want to query.
This will display the > prompt, from which you can run nslookup specific
commands. The examples below show how to get the listing of records described
in the previous section:

SRV records for domain controllers in the test.swynk.com domain:

> set type=SRV
> _ldap._tcp.test.swynk.com

SRV records for domain controllers within the EastCoast site of the
test.swynk.com domain:

> set type=SRV
> _ldap._tcp.EastCoast._sites.test.swynk.com

PDC emulator operation master for the test.swynk.com domain

> set type=SRV
> _ldap._tcp.pdc._msdcs.test.swynk.com

global catalog servers in the test.swynk.com domain:

> set type=SRV
> _ldap._tcp.gc._msdcs.test.swynk.com

global catalog servers in the EastCoast site of the test.swynk.com domain:

> set type=SRV
> _ldap._tcp.EastCoast._sites.gc._msdcs.test.swynk.com

DNSCMD.EXE
DNSCMD.EXE is located in the \SUPPORT\TOOLS folder on the Windows 2000
installation CD. It is a command line utility which offers a wide range of DNS
management functions. For example, you can use it to list the DNS settings,
such as whether the server is using fast zone transfer method (a feature referred
to using the term BINDSecondaries):

dnscmd.exe 172.16.0.1 /info BindSecondaries
Query result: Dword: 1 (00000001)
Command completed successfully.

This setting can be changed using the following command:

dnscmd.exe 172.16.0.1 /config /BindSecondaries 0
Registry property BindSecondaries successfully reset.
Command completed successfully.

To illustrate some of DNSCMD.EXE's potential, I'll cover its ability to manage the
process of aging of DNS records. Aging allows automated scavenging of stale
records that haven't been refreshed within a configurable time interval. Aging can
be set on a per server, per zone, and per record basis. The following examples
modify the configuration of the aging process on the DNS server 172.16.0.1:

- setting default refresh interval for the server 172.16.0.1 to 168 hours (7 days)

dnscmd.exe 172.16.0.1 /config /DefaultRefreshInterval 168
Registry property DefaultRefreshInterval successfully reset.
Command completed successfully.

- setting default norefresh interval for the server 172.16.0.1 to 168 hours (7 days)

dnscmd.exe 172.16.0.1 /config /DefaultNoRefreshInterval 168
Registry property DefaultNoRefreshInterval successfully reset.
Command completed successfully.

- setting scavenging period for the server 172.16.0.1 to 168 hours (7 days)

dnscmd.exe 172.16.0.1 /config /ScavengingInterval 168
Registry property ScavengingInterval successfully reset.
Command completed successfully.

- setting No Refresh interval for test.swynk.com zone

dnscmd.exe 172.16.0.1 /config test.swynk.com /NoRefreshInterval 168
Registry property RefreshInterval successfully reset.
Command completed successfully.

- setting refresh interval for test.swynk.com zone

dnscmd.exe 172.16.0.1 /config test.swynk.com /RefreshInterval 168
Registry property RefreshInterval successfully reset.
Command completed successfully.

- setting scavenging servers (servers allowed to scavenge the zone
test.swynk.com) - option available only through DNSCMD.EXE

dnscmd 172.16.0.1 /ZoneResetScavengeServers test.swynk.com 172.16.0.1
New scavenge servers:server Count = 1
server[0] => 172.16.0.1
Reset scavenging servers on zone test.swynk.com successfully.
Command completed successfully.

You can also list records within a specific zone, in a similar way to what was done
previously with the NSLOOKUP.EXE command. For example, here are the ways to
list:

- all the domain controllers in the EastCoast site of the test.swynk.com domain

dnscmd.exe 172.16.0.1 /EnumRecords test.swynk.com _tcp.EastCoast._sites.test.swynk.com. /Continue
Returned Records:
_gc [Aging:3509520] 600 SRV 0 100 3268 win2kserver01.test.swynk.com.
_kerberos [Aging:3509520] 600 SRV 0 100 88 win2kserver01.test.swynk.com.
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
Command completed successfully.


where the numbers appearing to the left of the server name designate the port numbers
used by the corresponding protocols:
389 - standard LDAP queries
3268 - LDAP queries against a global catalog server
88 - Kerberos (TCP) authentication

- all domain controllers in the test.swynk.com zone.

dnscmd 172.16.0.1 /EnumRecords test.swynk.com _tcp.pdc._msdcs.test.swynk.com. /Continue
Returned records:
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
Command completed successfully.
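The two passages above (the _service._protocol.DNSDomainName naming convention and the dnscmd /EnumRecords listing) lend themselves to an automated health check. The following is an added example, not code from the original page: it generates the locator record names a zone should publish for a domain and its sites, parses dnscmd-style output, and flags records whose port does not match the service prefix. All zone data is constructed; the domain, site and host names are the page's fictitious ones.

```python
"""Check the DC-locator SRV records an Active Directory DNS zone must publish,
following the _service._protocol.<DNSDomainName> convention described above,
and sanity-check dnscmd /EnumRecords output.

Added example; not code from the original page. The zone data below is a
constructed stand-in for what nslookup / dnscmd would return; the domain,
site and host names (test.swynk.com, EastCoast, WestCoast, win2kserver01)
are the page's fictitious examples.
"""
import re

# Expected port for each AD service published under _tcp (from the page).
SERVICE_PORTS = {"_ldap": 389, "_gc": 3268, "_kerberos": 88}

# One line of "dnscmd /EnumRecords" output, e.g.
# "_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com."
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\[Aging:\d+\]\s+)?(?P<ttl>\d+)\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_enum_records(text):
    """Parse dnscmd /EnumRecords output into a list of SRV record dicts;
    banner lines such as 'Returned Records:' are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("ttl", "prio", "weight", "port"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def expected_locator_names(domain, sites):
    """SRV owner names a healthy zone publishes for `domain` and its sites:
    domain-wide DCs, PDC emulator, global catalogs, and per-site DC/GC records."""
    names = {
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",
        f"_ldap._tcp.gc._msdcs.{domain}",
    }
    for site in sites:
        names.add(f"_ldap._tcp.{site}._sites.{domain}")
        names.add(f"_ldap._tcp.{site}._sites.gc._msdcs.{domain}")
    return names


def missing_locator_names(domain, sites, published):
    """Expected names absent from `published` (SRV owner names gathered, for
    example, from the nslookup queries shown above)."""
    return sorted(expected_locator_names(domain, sites) - set(published))


def wrong_ports(records):
    """Records whose port disagrees with the service prefix
    (_ldap 389, _gc 3268, _kerberos 88); returns (name, got, expected)."""
    bad = []
    for rec in records:
        service = rec["name"].split(".")[0]
        expected = SERVICE_PORTS.get(service)
        if expected is not None and rec["port"] != expected:
            bad.append((rec["name"], rec["port"], expected))
    return bad


# Constructed sample: dnscmd output for the EastCoast site node, with the
# Kerberos port deliberately wrong (8088) to show the check firing.
SAMPLE_ENUM = """\
Returned Records:
_gc [Aging:3509520] 600 SRV 0 100 3268 win2kserver01.test.swynk.com.
_kerberos [Aging:3509520] 600 SRV 0 100 8088 win2kserver01.test.swynk.com.
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
Command completed successfully.
"""

# Constructed sample: SRV owner names found via nslookup; the WestCoast site
# has not registered its site-specific records.
SAMPLE_PUBLISHED = [
    "_ldap._tcp.test.swynk.com",
    "_ldap._tcp.EastCoast._sites.test.swynk.com",
    "_ldap._tcp.pdc._msdcs.test.swynk.com",
    "_ldap._tcp.gc._msdcs.test.swynk.com",
    "_ldap._tcp.EastCoast._sites.gc._msdcs.test.swynk.com",
]

if __name__ == "__main__":
    for name in missing_locator_names("test.swynk.com",
                                      ["EastCoast", "WestCoast"], SAMPLE_PUBLISHED):
        print("missing:", name)
    for name, got, expected in wrong_ports(parse_enum_records(SAMPLE_ENUM)):
        print(f"{name}: port {got}, expected {expected}")
```

A missing site record means clients in that site fall back to any domain controller, which is exactly the symptom the netdiag /fix and zone re-creation steps above are meant to cure.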

Windows 2000 WMI DNS Provider

DNS WMI Provider creates and populates WMI classes, which reference
information contained in DNS zones and their resource records. The provider can
be used to manipulate DNS servers, zones, and individual records. All necessary
files are downloadable from the Microsoft FTP Site at
ftp://ftp.microsoft.com/reskit/win2000/dnsprov.zip.

To install the provider, after extracting the content of the zip file, copy
dnsschema.mof to the %systemroot%\system32\wbem\mof folder. The file should
get automatically compiled and moved to the Good subfolder. Then copy
dnsprov.dll to the %systemroot%\system32\wbem folder and register it with the
operating system by running: regsvr32 dnsprov.dll. You should get a
confirmation of the successful registration.

You can review the classes created by the MOF file compilation by either
checking the documentation provided with the source files or by running any of
the utilities included with WMI SDK (such as CIM WMI Studio) or WbemTest.exe,
available on any computer with WMI installed (any Windows 2000 computer).
DNS Provider populates a separate namespace in the WMI hierarchy -
root\MicrosoftDNS. The namespace contains about 30 DNS related classes.

Along with the provider dll and MOF file, the downloaded zip file contains several
VBScript examples, which allow you to accomplish most of the DNS related
management tasks. For example, dnsserver.vbs can be used to:

- stop DNS server
cscript //nologo dnsserver.vbs stop

- start DNS server
cscript //nologo dnsserver.vbs start

- restart DNS server
cscript //nologo dnsserver.vbs restart

- list DNS server configuration
cscript //nologo dnsserver.vbs LIST


- list zones on the DNS server
cscript //nologo dnsserver.vbs zone

- modify the configuration of the DNS server
cscript //nologo dnsserver.vbs modify

With dnszones.vbs, you can create, modify, add, delete, pause, update, resume,
reload, and refresh DNS zones.
dnsrecord.vbs allows you to add, delete, modify, and list resource records.

36. Explain about DHCP and about Super Scope

Dynamic Host Configuration Protocol was derived from the Internet standard Bootstrap Protocol
(BOOTP) (RFCs 951 and 1084), which allowed dynamic assignment of IP addresses (as well as
remote-booting of diskless work stations). In addition to supporting dynamic assignment of IP
addresses, DHCP supplies all configuration data required by TCP/IP, plus additional data required for
specific servers.

As noted, this makes life easier for the network administrator, who can now manually configure just
one machine: the DHCP server. Whenever a new host is plugged into the network segment that is
served by the DHCP server (or an existing host is turned back on), the machine asks for a unique IP
address, and the DHCP server assigns it one from the pool of available IP addresses.

This process, shown in Figure 1 below, involves just four steps: The DHCP client asks for an IP
address (DHCP Discover), is offered an address (DHCP Offer), accepts the offer and requests the
address (DHCP Request), and is officially assigned the address (DHCP Acknowledge).

Figure 1. DHCP automates the assignment of IP addresses

To make sure addresses are not wasted, the DHCP server places an administrator-defined
time limit on the address assignment, called a lease. Halfway through the lease period,
the DHCP client requests a lease renewal, and the DHCP server extends the lease. This
means that when a machine stops using its assigned IP address (for example, on being


moved to another network segment or being retired), the lease expires, and the address is
returned to the pool for reassignment.

Super Scope :
Using superscopes
A superscope is an administrative feature of DHCP servers running Windows
Server 2003 that you can create and manage through the DHCP console. Using a
superscope, you can group multiple scopes as a single administrative entity. With
this feature, a DHCP server can:

• Support DHCP clients on a single physical network segment (such as a single
Ethernet LAN segment) where multiple logical IP networks are used. When more
than one logical IP network is used on each physical subnet or network, such
configurations are often called multinets.

• Support remote DHCP clients located on the far side of DHCP and BOOTP relay
agents (where the network on the far side of the relay agent uses multinets).

In multinet configurations, you can use DHCP superscopes to group and activate
individual scope ranges of IP addresses used on your network. In this way, the
DHCP server computer can activate and provide leases from more than one scope to
clients on a single physical network.

Superscopes can resolve certain types of DHCP deployment issues for multinets,
including situations in which:

• The available address pool for a currently active scope is nearly depleted, and
more computers need to be added to the network. The original scope includes the
full addressable range for a single IP network of a specified address class. You need
to use another IP network range of addresses to extend the address space for the
same physical network segment.

• Clients must be migrated over time to a new scope (such as to renumber the
current IP network from an address range used in an existing active scope to a new
scope that contains another IP network range of addresses).

• You want to use two DHCP servers on the same physical network segment to
manage separate logical IP networks.
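The four-step exchange, the half-lease renewal and expiry, and the superscope case where a depleted scope is backed by a second IP network range can be modelled together. The following is an added example, not code from the original page or from Microsoft; the address ranges, client identifiers and lease length are constructed sample values.

```python
"""Model of the four-step DHCP exchange (Discover, Offer, Request, Acknowledge)
with leases that are renewed halfway through and expire when the client goes
silent, served from a superscope that groups two scopes.

Added example; not code from the original page. Address ranges, MAC
addresses and the lease length are constructed sample values.
"""
import ipaddress

DISCOVER, OFFER, REQUEST, ACK, NAK = "DISCOVER", "OFFER", "REQUEST", "ACK", "NAK"


class Scope:
    """One contiguous range of addresses on a single logical IP network."""

    def __init__(self, first, last):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.free = [str(lo + i) for i in range(int(hi) - int(lo) + 1)]


class SuperscopeServer:
    """DHCP server whose scopes are grouped into one superscope: when the
    first scope's pool is depleted, offers come from the next scope (the
    'pool nearly depleted, add another IP network range' case above)."""

    def __init__(self, scopes, lease_seconds):
        self.scopes = scopes
        self.lease_seconds = lease_seconds
        self.offers = {}   # client MAC -> address offered but not yet acknowledged
        self.leases = {}   # address -> (client MAC, lease expiry time)
        self.owner = {}    # address -> Scope it was taken from

    def _next_free(self):
        for scope in self.scopes:        # superscope: scopes tried in order
            if scope.free:
                addr = scope.free.pop(0)
                self.owner[addr] = scope
                return addr
        return None

    def expire(self, now):
        """Return addresses whose lease has run out to their scope's pool."""
        for addr, (_mac, expiry) in list(self.leases.items()):
            if now >= expiry:
                del self.leases[addr]
                self.owner[addr].free.append(addr)

    def handle(self, msg_type, mac, now, requested=None):
        """Process one client message; returns (reply type, address,
        lease seconds) or None when no address can be offered."""
        self.expire(now)
        if msg_type == DISCOVER:
            addr = self._next_free()
            if addr is None:
                return None              # every scope in the superscope is empty
            self.offers[mac] = addr
            return (OFFER, addr, self.lease_seconds)
        if msg_type == REQUEST:
            holder = self.leases.get(requested, (None, 0))[0]
            # ACK if the client is accepting its offer or renewing its own lease
            if self.offers.get(mac) == requested or holder == mac:
                self.offers.pop(mac, None)
                self.leases[requested] = (mac, now + self.lease_seconds)
                return (ACK, requested, self.lease_seconds)
            return (NAK, requested, None)
        raise ValueError(f"unsupported message type {msg_type}")


def renewal_time(ack_time, lease_seconds):
    """The client asks to renew halfway through the lease period."""
    return ack_time + lease_seconds // 2


def run_exchange(server, mac, now):
    """Full Discover/Offer/Request/Acknowledge for one client; returns the
    (address, renew_at) pair the client ends up with, or None."""
    offer = server.handle(DISCOVER, mac, now)
    if offer is None:
        return None
    reply = server.handle(REQUEST, mac, now, requested=offer[1])
    if reply[0] != ACK:
        return None
    return reply[1], renewal_time(now, reply[2])


if __name__ == "__main__":
    # Constructed superscope: a two-address scope plus a second logical network.
    server = SuperscopeServer(
        [Scope("192.168.1.10", "192.168.1.11"), Scope("192.168.2.10", "192.168.2.12")],
        lease_seconds=3600)
    for mac in ("00:00:00:00:00:aa", "00:00:00:00:00:bb", "00:00:00:00:00:cc"):
        print(mac, run_exchange(server, mac, now=0))   # third client lands in 192.168.2.x
    print(server.handle(REQUEST, "00:00:00:00:00:aa", 1800, requested="192.168.1.10"))
    print(run_exchange(server, "00:00:00:00:00:dd", now=3700))  # reuses an expired address
```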

39. What is Schema master

Understanding that all resources in Active Directory are represented by objects, and
that all objects have attributes, we can now understand that the schema contains the
definitions for all these objects and attributes. Put another way, the schema is the
rules that govern what objects can be in the directory, and what attributes those
objects can have.


An Active Directory forest can have only one schema, and all domains in that forest
share the same schema. This ensures that all objects in the forest conform to the
same set of rules. The schema can be changed, or extended, to include new
definitions. The schema is protected from unauthorized changes by permissions,
similar to other Active Directory objects.

The schema is made up of two things: object classes, and attributes.

Object Classes:
We know that there are objects represented in Active Directory, such as the user
"Bob," or the printer "Accounting." These objects are examples of the object classes
"User" or "Printer." Every object that can be created in AD is an example of an object
class. So one of the things that the schema is made up of is a list of all of the
possible object classes. Every new object that is created must belong to an object
class in this list.

Attributes:
A list of all of the possible attributes for object classes is the second part of the
schema. These attributes are defined just once in this list, but can be used in
multiple object classes. For instance, the attribute "Location" may be used for the
object classes of both printers and computers, but it is defined only once in the
schema. By defined, we mean that it is given a unique name, as well as a syntax.
The syntax tells what data type the attribute is. The schema keeps track of which
attributes are used with each object class, so that when a new object of the class
"User" is created, it will have all of the same attributes as all the other user objects
(full name, telephone, etc.).

The schema itself is actually stored inside Active Directory, as opposed to being read
in from a text file, as is common with some databases or directories. According to
Microsoft, this has three advantages:

• The schema is dynamically available to user applications, so they can read it
and discover what object classes and attributes are available for use.
• The schema is dynamically updateable, so that an application can extend the
schema (add object classes and attributes) "on the fly."
• The schema can be protected using DACLs (discretionary access control lists),
enabling only authorized users to make schema changes.

There is one and only one Schema Master in a forest, and the purpose
of this role is to replicate schema changes to all other domain
controllers in the forest. Since the schema of Active Directory is rarely
changed however, the Schema Master role will rarely do any work.
Typical scenarios where this role is used would be when you deploy
Exchange Server onto your network, or when you upgrade domain
controllers from Windows 2000 to Windows Server 2003, as these
situations both involve making changes to the Active Directory
schema.

51. What is the use of a stub zone in DNS?


A stub zone is like a secondary zone in that it obtains its resource records from other name servers
(one or more master name servers). A stub zone is also read-only like a secondary zone, so
administrators can't manually add, remove, or modify resource records on it. But the differences
end here, as stub zones are quite different from secondary zones in a couple of significant ways.

First, while secondary zones contain copies of all the resource records in the corresponding zone on
the master name server, stub zones contain only three kinds of resource records:
• A copy of the SOA record for the zone.
• Copies of NS records for all name servers authoritative for the zone.
• Copies of A records for all name servers authoritative for the zone.
That's it: no CNAME records, MX records, SRV records, or A records for other hosts in the zone.

So while a secondary zone can be quite large for a big company's network, a stub zone is always
very small, just a few records. This means replicating zone information from master to stub zone
adds almost nil DNS traffic to your network as the records for name servers rarely change unless
you decommission an old name server or deploy a new one. And to make replication even more
efficient, stub zones don't use UDP as traditional DNS zone transfers do. Instead, stub zones use
TCP, which supports much larger packet sizes than UDP. So while a typical zone transfer might
involve many UDP packets flooding the network, stub zone transfer only involves a few packets at
most. Also, while most DNS servers can be configured to prevent zone transfers to secondary zones
from occurring, stub zones request only SOA, NS, and A records for name servers, all of which are
provided without restriction by any name server since these records are essential for name
resolution to function properly. Finally, since stub zones can be integrated within Active Directory
(secondary zones can't), they can make use of Active Directory replication to propagate their
information to all domain controllers on your network.

In our previous scenario, stub zones can be used instead of secondary zones to reduce the amount
of zone transfer traffic over the WAN link connecting the two companies. To do this, the
administrator for Company A would simply log on to one of the domain controllers, open the DNS
console, and create a new stub zone that uses one or more of Company B's name servers as
master name servers. By making this stub zone an Active Directory Integrated zone, the stub zone
will then be automatically replicated to all other domain controllers on Company A's network. Now
when a client on Company A's network wants to connect to a resource on Company B's network,
the client issues a DNS query to the nearest Company A domain controller, which then forwards the
query to one of Company B's name servers to resolve.

49. What is the difference between a basic disk and a dynamic disk?

As you probably know, Windows NT supports four primary partitions per physical
hard disk, one of which can be an extended partition. Of course, you can create
logical drives within the extended partition. Windows 2000 (Win2K) follows the
same strategy: You can have a maximum of four primary partitions, one of which
can be an extended partition with logical drives. However, Win2K supports two
new disk configuration types—basic disk and dynamic disk—which you must
understand to effectively configure and troubleshoot Win2K disk storage.

Basic Disk
A Win2K basic disk, which is similar to the disk configuration we're used to in NT,
is a physical disk with primary and extended partitions. As long as you use an
appropriate format, Win2K, NT, Windows 9x, and DOS can access basic disks.
Unlike in NT, you don’t need to commit changes or restart your computer to get
Disk Management changes to take effect.


Dynamic Disk
A Win2K dynamic disk is a physical disk that doesn't use partitions or logical
drives. Instead, it contains only dynamic volumes that you create in the Disk
Management console. Regardless of what format you use for the file system,
only Win2K computers can access dynamic volumes directly. However,
computers that aren't running Win2K can access the dynamic volumes remotely
when connected to the shared folders over the network. In NT, what we call sets
(e.g., mirrored sets, striped sets) are in Win2K called volumes (e.g., mirrored
volumes, striped volumes).

With dynamic disks, we can create fault-tolerant volumes such as striped,
mirrored, and RAID-5 volumes. In addition, we can extend volumes and make
changes to the disk without rebooting the computer. If you want to take
advantage of these features, especially software fault- tolerant features, you
must upgrade to dynamic disk.

Upgrading to Dynamic Disk

You use Win2K's Disk Management to upgrade a basic disk to a dynamic disk.
Click Start and go to Programs, Administrative Tools, Computer Management.
You’ll find Disk Management under Storage, as Screen 1 shows. Click the gray
area where you see the disk icon and the word Basic. Right-click and select
Upgrade to Dynamic Disk. Note that you can’t dual-boot to another OS if you
upgrade to dynamic disk, which typically isn't a big deal for servers, but it's
something to think about for Windows 2000 Professional (Win2K Pro) machines.

For all practical purposes, upgrading to a dynamic disk is a one-way process.
Although it's possible to convert a dynamic disk with volumes to a basic disk,
you'll lose all your data. Therefore, you must first save your data, convert the disk
to basic, and then restore your data.

Comparing Basic Disk to Dynamic Disk

When you install Win2K on a computer, the system automatically configures the
hard disks as basic disks. You can convert a basic disk to a dynamic disk using
Disk Management, but you can't extend a basic disk. In other words, you can
only extend volumes you created after you converted the disk to a dynamic disk.

You can create primary and extended partitions on a basic disk, and, as I
mentioned earlier, you can create an extended partition with logical drives on a
basic disk. A dynamic disk can contain simple, spanned, mirrored, striped, and
RAID-5 volumes. You can also extend a simple or spanned volume on a dynamic
disk.

Win2K doesn't support dynamic disks on laptops, and, unless you're using an
older machine that's not Advanced Configuration and Power Interface (ACPI)-
compliant, the Upgrade to Dynamic Disk option won’t be available. Dynamic
disks have some additional limitations. You can’t install Win2K on a dynamic
volume you created from raw space on a dynamic disk. You can install Win2K on


a dynamic volume that you upgraded from a basic disk, but you can’t extend
either the system or the boot partition. Any troubleshooting tools that are unable
to read the dynamic Disk Management database will work only on a basic disk.

You can use NTFS, FAT32, or FAT16 on a basic or a dynamic disk. Because the
upgrade from basic to dynamic is per physical disk, all volumes on a physical
disk must be either basic or dynamic. As I mentioned earlier, you don’t need to
save changes in Disk Management (as you do in NT’s Disk Administrator) or
restart your computer when you upgrade from a basic to a dynamic disk.
However, if you upgrade your startup disk or upgrade a volume or partition, you
must restart your computer.

Basic and dynamic disks are a new way of looking at hard disk configuration. If
you're migrating to Win2K from NT, the dynamic disk concept might seem
strange initially, but you’ll find that once you understand the differences and the
pros and cons, working with dynamic disks is not complicated.

New questions & Answers:

1. What’s the difference between domain local, global and universal groups? The
difference is scope. A global group can contain only accounts from its own domain,
but it can be granted permissions on resources in any trusting domain. A domain
local group can contain accounts and global groups from any trusted domain, but it
can be granted permissions only on resources in its own domain. A universal group
can contain members from any domain in the forest and can be granted permissions on
resources anywhere in the forest; its membership is stored in the global catalog.
The usual pattern is to put users in global groups, put global groups in domain
local groups, and grant the permissions to the domain local group.
2. I am trying to create a new universal security group. Why can’t I? Universal
security groups require the domain to be in Windows 2000 native mode or a higher
functional level, which means no Windows NT 4.0 domain controllers are left in the
domain. Windows Server 2003 domain controllers are not required. Universal
distribution groups can be created even in mixed mode.
3. What is LSDOU? It is the order in which Group Policy is processed: the Local GPO
first, then the GPOs linked to the Site, the Domain and finally each Organizational
Unit from the top of the tree down. Each GPO overwrites conflicting settings from
the ones processed before it, so the GPO linked closest to the user or computer
normally wins.
4. Why doesn’t LSDOU work under Windows NT? Windows NT 4.0 has no Group Policy; it
uses System Policy, distributed as an NTConfig.pol file from the NETLOGON share.
If NTConfig.pol exists, its settings are written straight into the Registry and
stay there.
5. Where are group policies stored? The local GPO lives in
%SystemRoot%\System32\GroupPolicy. A domain GPO is split between Active Directory
(the container) and the SYSVOL share (the template).
6. What is GPT and GPC? Group Policy Template and Group Policy Container. The GPC is
the object in Active Directory that carries the GPO’s version number, status and
links; the GPT is the folder tree on SYSVOL that holds the actual settings files
(Registry.pol, security templates, scripts and .adm files).
7. Where is the GPT stored?
%SystemRoot%\SYSVOL\sysvol\<domainname>\Policies\{GUID}, where the GUID is the
GPO’s identifier as shown in Active Directory.
8. You change the group policies, and now the computer and user settings are in
conflict. Which one has the highest priority? The computer settings take priority
whenever the same setting exists under both Computer Configuration and User
Configuration.
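The LSDOU order, Block Inheritance and Enforced (No Override) links are easier to
reason about with a small model. The Python below is an added example written for
this page, not code from the original document; the site, domain, OU and GPO names
and the settings in them are constructed, and the model deliberately ignores
security filtering, WMI filters and loopback processing.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GpoLink:
    name: str
    settings: Dict[str, object]     # setting name -> value written by this GPO
    enforced: bool = False          # link marked Enforced ("No Override" in Windows 2000)


@dataclass
class Container:
    name: str
    links: List[GpoLink] = field(default_factory=list)  # index 0 = link order 1 = highest precedence here
    block_inheritance: bool = False                     # "Block Inheritance" set on this domain or OU


def resolve_policy(local: GpoLink, hierarchy: List[Container]) -> Tuple[Dict[str, object], List[str]]:
    """Model of LSDOU processing.

    hierarchy lists the containers from the top down: Site, Domain, OU, child OU...
    Returns the effective settings and the GPO names in the order they were
    applied; every GPO overwrites earlier values, so the last one applied wins.
    """
    normal: List[GpoLink] = []                  # non-enforced links, parent first
    enforced_levels: List[List[GpoLink]] = []
    for container in hierarchy:
        if container.block_inheritance:
            normal = []                         # drop everything linked above, but never enforced links
        by_precedence = list(reversed(container.links))   # link order 1 is applied last in its container
        normal.extend(link for link in by_precedence if not link.enforced)
        enforced_levels.append([link for link in by_precedence if link.enforced])
    order = [local] + normal                    # the local GPO is always processed first and never blocked
    # Enforced links run after everything else, child level first, so that an
    # enforced link on a parent overwrites an enforced link on a child.
    for level in reversed(enforced_levels):
        order.extend(level)
    effective: Dict[str, object] = {}
    for gpo in order:
        effective.update(gpo.settings)
    return effective, [gpo.name for gpo in order]


# Constructed sample hierarchy; none of these names come from a real domain.
LOCAL = GpoLink("Local Computer Policy", {"ScreenSaverTimeout": 600, "Wallpaper": "local.bmp"})
SITE = Container("HQ site", [GpoLink("HQ Site Policy", {"Wallpaper": "hq.bmp"})])
DOMAIN = Container("corp.example", [
    GpoLink("Default Domain Policy", {"PasswordHistory": 24}, enforced=True),
    GpoLink("Domain Audit Policy", {"AuditLogon": True}),
])


def kiosk_ou(block: bool) -> Container:
    """The OU under test, with or without Block Inheritance."""
    return Container("Kiosks OU",
                     [GpoLink("Kiosk Lockdown", {"ScreenSaverTimeout": 60, "DisableCMD": True})],
                     block_inheritance=block)


if __name__ == "__main__":
    for block in (False, True):
        effective, applied = resolve_policy(LOCAL, [SITE, DOMAIN, kiosk_ou(block)])
        print(f"Block Inheritance={block}: applied {applied}")
        print("  effective:", effective)
```

With Block Inheritance on the OU, the site and the non-enforced domain GPO vanish
from the result, the OU's own GPO still applies, and the enforced Default Domain
Policy survives the block; without it, all five GPOs apply in L, S, D, OU order.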
9. You want to set up a remote installation procedure, but do not want the user to
gain access over it. What do you do? Open the GPO and go to User Configuration ->
Windows Settings -> Remote Installation Services -> Choice Options. Each of the
four options offered by the RIS client (Automatic Setup, Custom Setup, Restart
Setup and Tools) can be allowed, denied, or left as "don’t care".
10. What’s contained in the administrative template conf.adm? Microsoft NetMeeting
policies.
11. How can you restrict running certain applications on a machine? Via Group
Policy: Computer Configuration -> Windows Settings -> Security Settings ->
Software Restriction Policies. Set a default security level and add hash,
certificate, path or Internet zone rules as the exceptions.
12. You need to automatically install an app, but an MSI file is not available.
What do you do? Write a .zap text file that points at the application’s own setup
program and publish it through Group Policy Software Installation. A .zap package
can only be published to users (it shows up in Add or Remove Programs); it cannot
be assigned.
13. What’s the difference between a .zap deployment and a Windows Installer (.msi)
deployment? A .zap package simply runs the application’s setup.exe with the user’s
own privileges, so it usually needs user interaction and cannot install anything a
standard user could not install by hand; there is no elevated installation, no
self-repair and no clean rollback. Windows Installer packages are installed by the
Windows Installer service, can be assigned or published, and support elevated
installation, repair and removal.
14. What can be restricted on Windows Server 2003 that wasn’t there in previous
products? Group Policy in Windows Server 2003 determines a user’s right to modify
network and dial-up TCP/IP properties. Users may be selectively restricted from
modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? Every 90 minutes plus a random
offset of up to 30 minutes on workstations and member servers; domain controllers
refresh every 5 minutes. Security settings are reapplied every 16 hours even when
nothing has changed.
16. Where is secedit? The refresh function moved: secedit /refreshpolicy from
Windows 2000 became gpupdate in Windows XP and Windows Server 2003. secedit.exe
still exists for analyzing and applying security templates.
17. You want to create a new group policy but do not wish to inherit. Block
Inheritance is set on the container (domain or OU), not on the GPO: right-click the
OU in Active Directory Users and Computers (or GPMC) and check Block Inheritance.
GPOs linked higher up with Enforced (No Override) set still apply.
18. What is "tattooing" the Registry? Settings that a policy writes outside the
four policy keys (Software\Policies and
Software\Microsoft\Windows\CurrentVersion\Policies under both HKLM and HKCU) are
not cleaned up when the policy no longer applies. The value stays in the Registry
as if the user had set it by hand, so removing or changing the group policy does
not remove the setting.
19. How do you fight tattooing in NT/2000 installations? With Windows NT System
Policy you can’t; every System Policy setting tattoos. In Windows 2000 the Group
Policy editor has View - Show Policies Only, which hides the preference settings
(the ones that tattoo) so that only true policies get configured.
20. How do you fight tattooing in 2003 installations? User Configuration -
Administrative Templates - System - Group Policy - enable "Enforce Show Policies
Only", which forces the editor to hide the tattooing preference settings for
everyone who edits a GPO.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications,
and stored files for users, particularly those who move between workstations or
those who must periodically work offline.
22. What’s the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native
NTFS provides extensive permission control on both remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don’t, both
have support for sharing.
24. Explan the List Folder Contents permission on the folder in NTFS. Same as
Read & Execute, but not inherited by files within a folder. However, newly
created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to
read it. Can he access it? Yes, if he knows the path. Listing a folder needs the
List Folder permission on that folder, but opening a file by its full path only
needs permission on the file itself, because the Bypass Traverse Checking user
right (held by Everyone by default) stops Windows from checking each folder along
the way. So even if the user can’t drill down the file/folder tree in My Computer,
he can still open the file by typing its full local or Universal Naming Convention
(UNC) path into the Run window. Removing Bypass Traverse Checking from the user
closes this, at the cost of breaking many applications.
26. For a user in several groups, are Allow permissions restrictive or permissive?
Permissive. Allow permissions accumulate: if at least one of the user’s groups has
Allow for the file/folder, the user has that permission.
27. For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive. A Deny that covers the requested access wins over Allow entries
granted to the user’s other groups, so one Deny is enough to block the user. The
one exception is inheritance: an explicit Allow on the object itself is evaluated
before an inherited Deny and wins.
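The rules in the three answers above (access by path, accumulating Allows, a Deny
beating Allows from other groups, explicit beating inherited) all fall out of one
evaluation walk. The Python below is an added example written for this page, not
code from the original document; the right flags, the file DACL and the user and
group names are constructed and do not use the real NTFS mask values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Access rights as bit flags. The names are illustrative; real NTFS masks use
# different numeric values, but the evaluation logic is the same.
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8


@dataclass(frozen=True)
class Ace:
    trustee: str              # user or group the entry applies to
    allow: bool               # True = Allow ACE, False = Deny ACE
    mask: int                 # rights this ACE covers (bitwise OR of the flags above)
    inherited: bool = False   # True if inherited from the parent folder


def canonical_order(acl: Iterable[Ace]) -> List[Ace]:
    """Windows keeps a DACL in canonical order: explicit Deny, explicit Allow,
    inherited Deny, inherited Allow. Sorting by (inherited, allow) produces it."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(acl: Iterable[Ace], token: Set[str], requested: int) -> bool:
    """Mirror of the AccessCheck walk. ACEs are examined in canonical order and
    only those naming a SID in the token count. A Deny ACE that covers any right
    still outstanding fails the check at once; an Allow ACE removes the rights it
    grants from the outstanding set; the check succeeds as soon as nothing is
    outstanding. Rights left over at the end were never granted, so deny."""
    outstanding = requested
    for ace in canonical_order(acl):
        if ace.trustee not in token:
            continue
        if not ace.allow:
            if ace.mask & outstanding:
                return False
        else:
            outstanding &= ~ace.mask
            if outstanding == 0:
                return True
    return outstanding == 0


# Constructed DACL for one file (not taken from any real system).
FILE_ACL = [
    Ace("alice", allow=True, mask=READ | WRITE),                            # explicit Allow on the file
    Ace("Contractors", allow=False, mask=WRITE | DELETE, inherited=True),   # Deny inherited from the folder
    Ace("Domain Users", allow=True, mask=READ | EXECUTE, inherited=True),
]
ALICE = {"alice", "Contractors", "Domain Users"}
BOB = {"bob", "Contractors", "Domain Users"}
CAROL = {"carol", "Domain Users"}

if __name__ == "__main__":
    print("alice write:", access_check(FILE_ACL, ALICE, WRITE))      # explicit Allow beats inherited Deny
    print("bob write:", access_check(FILE_ACL, BOB, WRITE))          # inherited Deny on a group blocks
    print("bob read:", access_check(FILE_ACL, BOB, READ))            # Allow via a different group
    print("carol delete:", access_check(FILE_ACL, CAROL, DELETE))    # nothing grants it
```

Note that the walk stops at the first Allow that satisfies the whole request,
which is exactly why alice's explicit Allow wins even though her Contractors
membership carries an inherited Deny on Write.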
28. What hidden shares exist on a Windows Server 2003 installation? ADMIN$ (the
%SystemRoot% folder), a <drive>$ share for every fixed disk (C$, D$ and so on),
IPC$ for named-pipe and RPC traffic, and print$ once a printer has been shared.
The trailing $ only hides the share from browse lists; it does not restrict access.
NETLOGON and SYSVOL are default shares on domain controllers, but they are not
hidden.
29. What’s the difference between standalone and fault-tolerant DFS
(Distributed File System) installations? The standalone server stores the Dfs
directory tree structure or topology locally. Thus, if a shared folder is inaccessible
or if the Dfs root server is down, users are left with no link to the shared
resources. A fault-tolerant root node stores the Dfs topology in the Active
Directory, which is replicated to other domain controllers. Thus, redundant root
nodes may include multiple connections to the same data residing in different
shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a
Win98 box. Windows 98 only understands standalone DFS roots out of the box. Either
install the Active Directory Client Extension (DSClient) on the Windows 98 machine
so that it can resolve the domain-based root, or give those users the UNC path of
the underlying shared folder instead of the \\domain\root path.
31. Where exactly do fault-tolerant DFS shares store information in Active
Directory? In the Partition Knowledge Table (PKT), a binary attribute of the fTDfs
object under CN=Dfs-Configuration,CN=System in the domain partition, which is then
replicated to every domain controller in the domain.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the
redundant copies of the file at the same time, with no file-locking involved in
DFS, changing the contents and then saving. Only one file will be propagated
through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah,
you can’t. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a man-in-the-middle or replay
attack on the Kerberos exchange? With time stamps. The client’s initial AS-REQ
carries a pre-authentication time stamp encrypted with the key derived from the
user’s password, and every later authenticator carries a time stamp encrypted with
the session key. The KDC or the service rejects anything outside the allowed clock
skew (5 minutes by default) and keeps a cache of recently seen authenticators, so
a captured one cannot be replayed inside that window.
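The two checks that answer depends on, clock skew and the replay cache, are shown
in the Python below. It is an added example written for this page, not code from
the original document or from any Kerberos implementation. One assumption is
labelled in the code: an HMAC tag under the shared session key stands in for the
real Kerberos encryption of the authenticator, because the freshness logic does
not depend on the cipher. The error names are the real Kerberos error codes
(KRB_AP_ERR_SKEW, KRB_AP_ERR_REPEAT, KRB_AP_ERR_BAD_INTEGRITY); the principal
name, key and clock values are constructed.

```python
import hashlib
import hmac
from typing import Callable, Set, Tuple

MAX_CLOCK_SKEW = 300   # seconds; the Kerberos default tolerance is 5 minutes


def make_authenticator(session_key: bytes, client: str, timestamp: int) -> bytes:
    """Build 'client|timestamp|tag'.

    Assumption: the HMAC tag under the shared session key stands in for the
    encryption Kerberos really applies to the authenticator. Only a holder of the
    session key can produce a valid tag, which is all the verifier needs here."""
    body = f"{client}|{timestamp}".encode()
    tag = hmac.new(session_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class ServiceVerifier:
    """The verifying side: the KDC for pre-authentication, or a service for an AP-REQ."""

    def __init__(self, session_key: bytes, clock: Callable[[], int]):
        self.key = session_key
        self.clock = clock                          # injectable clock so the checks are testable
        self.seen: Set[Tuple[str, int]] = set()     # replay cache of (client, timestamp) pairs

    def verify(self, authenticator: bytes) -> Tuple[bool, str]:
        body, _, tag = authenticator.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "KRB_AP_ERR_BAD_INTEGRITY"   # wrong key or tampered message
        client, ts_text = body.decode().split("|")
        timestamp = int(ts_text)
        if abs(self.clock() - timestamp) > MAX_CLOCK_SKEW:
            return False, "KRB_AP_ERR_SKEW"            # too old, or too far in the future
        if (client, timestamp) in self.seen:
            return False, "KRB_AP_ERR_REPEAT"          # replay of a captured authenticator
        self.seen.add((client, timestamp))
        self.expire_cache()
        return True, "OK"

    def expire_cache(self) -> None:
        """Entries older than the skew window would fail the skew check anyway,
        so the cache only ever has to hold a few minutes of traffic."""
        limit = self.clock() - MAX_CLOCK_SKEW
        self.seen = {entry for entry in self.seen if entry[1] >= limit}


if __name__ == "__main__":
    key, now = b"constructed-session-key", 1_700_000_000
    service = ServiceVerifier(key, lambda: now)
    fresh = make_authenticator(key, "alice@CORP.EXAMPLE", now - 10)
    print("first use:", service.verify(fresh))
    print("replayed:", service.verify(fresh))
    print("10 minutes old:", service.verify(make_authenticator(key, "alice@CORP.EXAMPLE", now - 600)))
    print("forged:", service.verify(make_authenticator(b"wrong-key", "alice@CORP.EXAMPLE", now)))
```

The replay cache is what makes the skew window safe: without it, anything captured
in the last five minutes could simply be resent. This is also why Windows keeps
domain members synchronized with the domain controller's clock.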
37. What hashing algorithms are used in Windows 2003 Server? RSA Data
Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure
Hash Algorithm 1 (SHA-1), produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003
Server? Windows Server 2003 uses the industry standard PKCS-10 certificate
request and PKCS-7 certificate response to exchange CA certificates with third-
party certificate authorities.
39. What’s the number of permitted unsuccessful logons on the Administrator
account? Unlimited at the local console. The built-in Administrator account (RID
500) is never locked out of interactive logon at the console, which is one reason it
is a favourite brute-force target; with an account lockout policy in place it can
still be locked out for network logons. Remember, though, that this applies to the
built-in Administrator account only, not to any other account that happens to be a
member of the Administrators group.
40. If hashing is a one-way function and Windows Server uses hashing for storing
passwords, how is it possible to attack the password lists, specifically the ones
using NTLMv1? The attacker does not reverse the hash; he guesses. A cracker runs a
dictionary (or brute-force) attack by hashing every candidate password the same way
Windows does and comparing the results with the stolen hashes. The stored LM and NT
hashes are unsalted, so one computed hash can be checked against every account at
once and precomputed tables can be used; the LM hash is additionally built from two
independent 7-character halves of the upper-cased password, which makes it far
weaker than the NT hash.
41. What’s the difference between guest accounts in Server 2003 and other
editions? More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password
History"? It depends where you look: the Default Domain Policy created by a Windows
Server 2003 domain controller sets it to 24 passwords remembered, while the Local
Security Policy of a stand-alone server defaults to 0. The allowed range is 0 to 24.
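Question 40 describes the attack in words; the Python below runs it on a constructed
example. It is an added example written for this page, not code from the original
document. The NT hash is MD4 over the UTF-16LE encoding of the password with no
salt, so MD4 is written out in full here (recent OpenSSL builds ship it only as a
legacy algorithm and hashlib may not expose it). The "dumped" accounts, their RIDs
and the wordlist are constructed; the hash shown for them is simply the NT hash of
one of the words, and the MD4 test vectors are the ones from RFC 1320.

```python
import struct
from typing import Dict, Iterable, List, Tuple


def _rotl(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: 16-word blocks, three rounds of 16 steps, little-endian output."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding is the same as MD5: a 0x80 byte, zeros to 56 mod 64, then the bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # Each step updates one word; rotating the tuple gives the a/d/c/b sequence of the spec.
                a = _rotl(a + func(b, c, d) + x[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Windows NT hash: MD4 over UTF-16LE, no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def crack(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every account. Because the
    hashes carry no salt, one computation serves all accounts, and two accounts
    with the same password are visible as two identical hashes before any cracking."""
    by_hash: Dict[bytes, List[str]] = {}
    for user, hex_hash in dump.items():
        by_hash.setdefault(bytes.fromhex(hex_hash), []).append(user)
    found: Dict[str, str] = {}
    for word in wordlist:
        for user in by_hash.get(nt_hash(word), []):
            found[user] = word
    return found


# Constructed dump in "user:RID:NT hash" form, not from a real SAM or NTDS.DIT.
DUMP = {
    "alice": "8846f7eaee8fb117ad06bdd830b7586c",
    "bob":   "8846f7eaee8fb117ad06bdd830b7586c",   # identical hash => identical password
    "carol": "31d6cfe0d16ae931b73c59d7e0c089c0",   # MD4 of the empty string: a blank password
}
WORDLIST = ["123456", "letmein", "Summer2003", "password", "qwerty", ""]

if __name__ == "__main__":
    print("MD4('abc') =", md4(b"abc").hex())
    print("NT hash of 'password' =", nt_hash("password").hex())
    print("cracked:", crack(DUMP, WORDLIST))
```

The same loop with a salted, iterated hash would have to be run once per account
and would not find the duplicate password for free, which is the practical reason
to care that Windows stores these hashes unsalted.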

37. Explain about group policies and troubleshooting tools.

26. What is an ADS site connector?
40. Explain about Routing and Remote Access Server (RRAS).
41. Remote Installation Services.
42. Folder Redirection.
43. ADS architecture.
45. What is the difference between NT and Windows 2000?
46. Differences between 2k and 2k3.
47. Differences between 2k Server, Advanced Server, Datacenter Edition and Web Edition.
48. What are the differences between Windows XP Home and Professional?

52. What is a forwarder in DNS?

54. Explain about Performance Monitor on the server.
55. Explain about the different logs and events in Event Viewer.

1. What is a MUTEX?
2. What is the difference between a ‘thread’ and a ‘process’?
3. What is an INODE?
4. Explain the working of virtual memory.
5. How does Windows NT support multitasking?
6. Explain the Unix kernel.
7. What is concurrency? Explain deadlock and starvation with examples.
8. What are your solution strategies for the “Dining Philosophers Problem”?
9. Explain memory partitioning, paging and segmentation.
10. Explain scheduling.
11. Operating system security.
12. What is a semaphore?
13. Explain the following file systems: NTFS, Macintosh (HFS), FAT.
14. What are the different process states?
15. What is marshalling?
16. Define and explain COM.
17. What is the difference between loading and linking?

1. User(s) are complaining of delays when using the network. What would you do?
2. What are some of the problems associated with operating a switched LAN?
3. Name some of the ways of combining TCP/IP traffic and SNA traffic over the
same link.
4. What sort of cabling is suitable for Fast Ethernet protocols?
5. What is a Class D IP address?
6. Why do I sometimes lose a server’s address when using more than one server?
7. What is Firewall?
8. How do I monitor the activity of sockets?
9. How would I put my socket in non-blocking mode?
10. What are RAW sockets?
11. What is the role of the TCP protocol and the IP protocol?
12. What is UDP?
13. How can I make my server a daemon?
14. How should I choose a port number for my server?
15. Layers in TCP/IP
16. How can I be sure that a UDP message is received?
17. How to get IP header of a UDP message
18. Writing UDP/SOCK_DGRAM applications
19. How many bytes in an IPX network address?
20. What is the difference between MUTEX and Semaphore?
21. What is priority inversion?
22. Different Solutions to dining philosophers problem.
23. What is a message queue?
24. Questions on Shared Memory.
25. What is DHCP?
26. Working of ping, telnet, gopher.
27. Can I connect two computers to internet using same line ?

Networking
1.Explain about OSI layers
2.Explain about TCP/IP implementation
3.Explain about classful and classless addressing
4.Explain about IP Address and Class
5.what is difference between switch and hub
6.what is difference between layer 2 and layer 3 switch
7.what is difference between layer 3 switch and Router
8.what is Routed protocol and routing protocol
9.Difference between RIP ,IGRP and EIGRP
10.What is the difference between link state and distance vector
11.explain about ISDN channels
12.Explain about leased line modems and their voltages
13.what is static and dynamic routing
14.Explain about Lan technologies
15.Explain about WAN technologies
16. What kinds of loops are there, and explain them?
17. If a serial interface on a router has a status of line protocol down and protocol
down.
18. What is the command used for creating access lists?
19. How do you monitor broadcast-based traffic on the switch?
