Microsoft Windows NT Server 4.0 Network.docx

Supporting Maintaining a Microsoft Windows NT Server Network QUESTION You are the administrator of a Windows NT domain You recently used Syskey exe on a BDC named server ServerA is backed up once each week and a new emergency Repair Disk is created at the same time You shut down ServerA and cannot restart it You cannot locate the floppy disk that contains the Syskey encryption key What should you do so that you can start ServerA Start serverA by choosing the safe mode option and use Windows NT backup to restore ServerA's registry from the most recent backup tape that was created before Syskey exe was used Start serverA by choosing the safe mode option and use Windows NT backup to restore ServerA's registry from the first recent backup tape that was created after Syskey exe was used Run the emergency repair process by using the most recent ERD that was created before Syskey exe was used Run the emergency repair process by using the ERD that was created after Syskey exe was used Answer C Explanation In order to back off the process you need to restore the SAM as well as the key Running the emergency repair process with the older ERD will properly regress the syskey Incorrect Answers A B Windows NT does not have a safe mode startup This is available in Windows and Windows That aside restoring the registry is not enough the SAM the accounts database would need to be restored also The emergency repair process should accomplish this D Assuming that a new ERD was created after the syskey operation this would put you right back where you were a system that can't start and no encryption key to start it QUESTION You are the lead administrator of a Windows NT server network Occasionally an assistant administrator temporarily adds a user account to the Domain Admins group and then forgets to remove that user account when the need for the extra permissions has passed You want to ensure that unwanted additional to your Domain Admins group are periodically removed and that any existing user accounts that are accidentally removed are added back to the group You want to accomplish these tasks by using the least amount of administrative effort What should you do Create a batch file that deletes the Domain Admins group and then re-creates it and adds the appropriate user accounts as members Configure the Task Scheduler service on the PDC to run this batch file every Monday and Thursday Create a batch file that deletes the Domain Admins group and then re-creates it and adds the appropriate user accounts as members Configure the Task Scheduler service on your client computer to run this batch file every Monday and Thursday Create a security template that lists the Domain Admins group as a restricted group that has the appropriate user accounts as members Configure the Task Scheduler service on the PDC to run the command-line version of Security Configuration Manager so that it applies the template every Monday and Thursday D Create a security template that lists the Domain Admins group as a restricted group that has the appropriate user accounts as members Every Monday and Thursday on your client computer run the GUI version of Security Configuration Manager to apply the template to the PDC Answer A Explanation As much as I don't like this this is the best choice I don't like it because if the procedure fails you better have a backup way into the system because the Domain Admins could end up empty if the procedure fails after the delete Anyway this solution will work Running the task on different days and not every day does the periodic cleanup is less often and there is less of an exposure for failure Since Monday and Thursday are the same options in ALL the choices we don't need to address that Finally we want procedure to occur on the PDC so that it will run even of the network is down Incorrect Answers B Running the procedure on the client is a security risk anyone who can compromise the client can also compromise the entire network Workstations are not always kept in secure locations Also even if the workstation was secured it might not always be up as some people physically turn off the machine after-hours Finally if the network is down or the workstation is unplugged the procedure will not run where if it runs on the PDC it will always have access to the SAM database Example Supposed my user account was added to Domain Admin and I knew this procedure ran and when I could go to the client disconnect the network cable and the update does not occur I have now subverted the security C D Restricted groups were introduced in Windows It does not exist in Windows NT If it did it would have to be added with Service Pack or later Note that authenticated users were added in SP Since this is a NT server network which implies NT then we can't use this option QUESTION Two weeks ago you became the lead administrator of an existing Windows NT domain Success and failure auditing of Logon and Logoff events is enabled for the domain Success and failure auditing of file and object access events is also enabled Every Friday afternoon an assistant administrator backs up each of the event logs and archives them to CD-ROM Your event logs are each configured to have a maximum size of KB and they are configured so that events in the log are not overwritten On Thursday at P M during a week when almost everyone in the company has been working longer than usual your PDC fails and displays the following stop error STOP C Audit Failed An Attempt to generate a security audit failed You restart the PDC but after approximately five minutes it stops again and displays the same message You need to restore the PDC to full functionality What three courses of action should you take Each correct answer presents part of the solution Choose Three On BDC start User manager for Domains In the Audit Policy dialog box click the Do Not Audit option button Restart the PDC and log on to it as Administrator Use Event Viewer to archive the PDC's system log Use Event Viewer to archive the PDC's security log Use Event Viewer to configure Event Log Wrapping to overwrite events older than seven days for the PDC's system log Use Event Viewer to configure Event Log Wrapping to overwrite events older than seven days for the PDC's security log Use Event Viewer to configure the PDC's system log to have a maximum log size of KB Use Event Viewer to configure the PDC's security log to have a maximum log size of KB Answer B D H Explanation If the CrashOnAuditFail registry key is set to and the Security Event log is full on a computer running Windows NT the following blue screen error message may be displayed STOP C Audit Failed An attempt to generate a security audit failed This occurs when the security log is full since the PDC failed you must log onto the PDC You must work with the security log and not the system log since it is the security log at issue here So you would want to archive the FULL security log and since it is not large enough make it larger Incorrect Answers A The recovery must be done on the failing system C Must work with Security Log not System Log Must work with Security Log not System Log Wrapping the security log has a potential of losing security audit records This is not good security practice Must work with Security Log not System Log QUESTION You are the Administrator of one of Certkiller 's Windows NT domains You are modifying a security template that was created by the administrator of one of the company's other domain The template contains password policy settings that represent the company's minimum standards for password policy When you finish modifying the template it will be applied to all domain controllers in every domain in the company You have the template open in security configuration manager on your PDC You are modifying a portion of the Security option section of the template You analyze your domain's current settings against the template's settings The results of the analysis are shown in the exhibit You want to ensure that the level of security on the servers in your domain will not be weakened after you apply the modified template Which four changes should you make to the template Each correct answer presents part of the solution Choose four Set the Audit use of all user rights including Backup and Restore attribute to Enable Set the change administrator account name to attribute to Bos Set the change Guest account name to attribute to G yt Set the Digitally sign server-side communication when possible attribute to Enabled Set the Digitally sign server-side communication when possible attribute to Disabled Set the Disallow enumeration of account names and shares by anonymous users attribute to Enabled Set the Forcibly logoff when logon hours expire attribute to disabled Answer B C D F Explanation The wrong answers below will weaken the level of security on the domain Incorrect Answers A It is not even applicable E You want to attempt to digitally sign is possible G If it is disabled it will leave someone logged in after the attribute is expired QUESTION You are the administrator of a Windows NT domain In user manager for domains you enable auditing as shown in the following table Audit event Success Failure Logon and Logoff X File and Object Access X Use if User Rights X Security Policy Changes X X Process Tracking X X On a member server named Sea you enable access and failure auditing for the Everyone group on a shared folder named BusPlans Three days later you examine the event logs on sea and you notice that no audit events are listed for the BusPlans folder You want to audit all successful and failed attempts to access the BusPlans folder What should you do Enable failure auditing of File and Object Access event for the domain Enable failure auditing of Use of User Rights event for the domain Enable success and failure auditing of file and object access events on sea Enable success and failure auditing of Use of User Rights events on Sea Answer C Explanation A member server requires auditing to be enabled directly on the server itself Domain auditing which is set on a Domain Controller does not apply in this case Also your thinking in this type of situation should be Why weren't there any Successes logged were all the accesses failures It should be apparent that either no one is accessing the folder at all or all accesses were failures Try to reason these issues when looking at the question Incorrect Answers A A member server requires auditing to be enabled directly on the server itself Domain auditing which is set on a Domain Controller does not apply in this case B D Regardless of where the settings are performed Use of ser Rights does not apply to use of a file It is a file being used since we are auditing a shared folder QUESTION You are the administrator of a Windows NT server network Auditing is configured to audit individual accesses to the confidential data files on your network Your audit logs are backed up and then cleared every Monday morning Last Friday a security breach occurred on a confidential data file on one of your network servers which is named Server The security log on Server contained no Audit events after last Wednesday morning You decide to use Security configuration manager to edit a security template and to apply the template to all servers that contain confidential data You want the template to have appropriate settings so that all events for which auditing is enabled will be successfully recorded in your audit logs You plan to continue to back up and then clear your audit logs every Monday morning You start security configuration Manager and you import the Hisecdc inf template You analyze server 's current settings against the template's settings The settings for event logs portion of the template and the results of the analysis are shown in the exhibit Which two changes should you make to the template Each correct answer presents part of the solution Choose two Set the maximum log size for security log attribute to KBytes Set the maximum log size for system log attribute to KBytes Set the Restrict guest access to security log attribute to Disabled Set the Retention method for security log attribute to Do Not overwrite events Set the Retention method for system log attribute to Do not overwrite events Set the Shutdown system when security audit log becomes full attribute to Enabled Answer D F Explanation The problem here is that the security log got overwhelmed and data got lost To prevent this loss the security log should be increased in size set to not overwrite and if really critical stop everything before data gets lost With answer D we prevent the loss of data by preventing entries from being overridden By answer F we stop everything before we end up losing stuff The template did not configure either of these two options and left us to keep the file around for days but when the file was full the recording stopped This is why we only had a couple of days in the log Also note that since we are talking security here we don't really care about the application logs The answers about application logs are thrown in to confuse you and see if you know which log has to be configured Incorrect Answers B E We don't really care about the system log we need to preserve the security log to prevent loss of audit records C We want to restrict guest access We don't want the guest account poking around the security log and see what is and isn't being audited QUESTION You are the administrator of a Windows NT domain that contains Windows NT server computers and Windows NT Workstation computers You train users on the use of strong passwords and you configure your domain's account policy to require users to use at least eight characters in their passwords However you discover that you can guess the passwords However you discover that you can guess the passwords for five of the users You want to prevent users from using simple passwords that can be easily guessed What should you do Use Syskey exe on each domain controller and click the store Startup key Locally option button Use Syskey exe on each domain controller and click the password Startup option button Configure all domain controllers to use Passfilt dll Configure all client computers to use Passfilt dll Answer C Explanation The passfilt dll will enforce strong passwords Passwords cannot contain the username or part of the username must contain characters from out of different groups Uppercase Lowercase Numbers and Special Characters and must be at least characters in length The utility is enabled by modification of a registry key which should be done on the PDC and any BDC that may be promoted to a PDC Incorrect Answers Syskey is a utility used to encrypt the passwords in the SAM database It protects passwords it does not control the generation of the passwords nor does it enforce policies Syskey is a utility used to encrypt the passwords in the SAM database It protects passwords it does not control the generation of the passwords nor does it enforce policies This utility is configured on the Domain Controllers not the Clients QUESTION You are the administrator of a Windows NT domain in one of Certkiller 's branch offices You receive a security template from company headquarters The template contains password policy settings that represent the company's minimum standards for password policy You open the template in security Configuration Manager on your PDC and you analyze your domain's current settings against the template's settings The results of the analysis are shown in the exhibit You do not want to simply apply the template to your PDC because some of your local standards might be higher than those in the template You need to increase security on your domain in order to meet the company's minimum standards Which two solutions should you take Each correct answer presents part of the solution Choose two Configure passwords to expire in days Allow passwords to contain at least eight characters Use Passprop exe from the Windows NT Server Resource Kit to configure your domain to require strong passwords Do not require users to log on in order to change their passwords Answer A B Explanation The stored configuration settings middle column is the company's minimum standards and the analysed system settings is the current settings in place in the system The objective is to change the settings WITHOUT applying the actual template so the weaker security parameters have to be applied by hand The first is to change the password maximum age from days to days The second is to increase the minimum size of the password from to characters A longer password is harder to crack so we take the company standard Incorrect Answers The domain is already configured for stronger passwords this is not needed It is more secure to force users to logon to change passwords This would weaken security if we made the change QUESTION You are the administrator of a Windows NT domain that contains Windows NT server computers and Windows NT workstation computers All users have administrative privileges on their Windows NT workstation computers You install security configuration manager on your client computer and you use it to customize a template that you want to apply to all of the Windows NT workstation computers in the domain You want to use the least amount of administrative effort when applying the customized template Which three actions should you take Each correct answer presents part of the solution Choose three Place the customized template in the NETLOGON share folder on the PDC Place Secedit exe Esent dll and Secedll dll in the NETLOGON shared folder on the PDC Install both the GUI version and the command-line version of security configuration manager on each client computer Install only the command-line version of security configuration manager on each client computer Use security configuration manager on each client computer to apply the customized template Add a statement to each user's logon script that runs Secedit exe to apply the customized template Answer A B F Explanation We CK going to use a technique where we can use a logon script to perform the update In order to do this we put the template and utility into the NETLOGON folder since this folder will be available during logon We then add the secedit commands to the logon scripts to apply the template We run the command line secedit program to this Incorrect Answers We could do this but this is a lot of work and we would have to visit every workstation Try this in a company with workstations and maybe you will finish before you retire from the company You want to use the least amount of administrative effort and this isn't the way Also we don't want the users running the SCM Security Control Manager and modifying the template remember that everyone has administrative privilege on their workstation We could do this but this is a lot of work and we would have to visit every workstation Try this in a company with workstations and maybe you will finish before you retire from the company You want to use the least amount of administrative effort and this isn't the way We could do this but this is a lot of work and we would have to visit every workstation Try this in a company with workstations and maybe you will finish before you retire from the company You want to use the least amount of administrative effort and this isn't the way Note C D E represent manual labor to visit each workstation and get the job done but it is a lot of work A B F is an automated method and less work QUESTION You are the administrator of a Windows NT domain that contains Windows NT server computers and Windows NT workstation computers You use Security configuration manager to create and customize a security template named Securews inf During the weekend you apply the new security template to all of the client computers in the domain On Monday morning users report that some of their applications no longer function correctly You need to restore the client computers to full functionality as quickly as possible What should you do Uninstall Security Configuration Manager from each client computer in the domain On each client computer in the domain delete the securews inf template and rename the Compws inf template as Securews inf Use Secedit exe to apply the Hisecws inf template to each client computer Use Secedit exe to apply the Basicwk inf template to each client computer Answer D Explanation The Basicwk inf template represents the default configuration of a Windows NT workstation out of the box By applying this template we regress back to the original security settings This assumes that a different template was not applied previously and that this is the first attempt to lockdown security Incorrect Answers Security configuration manager SCM is a tool used to change the registry Once the registry is changed it stays changed until the SCM is run again and a configuration is executed Deleting the SCM and the templates after the fact does not change the registry back Templates are not used until applied using the Security Control Manager Once applied the templates are not used Renaming the templates deleting them adding new ones all will not affect the running of the system They must be applied using the configure this computer task Hisecws is a high security template which has settings which lock down the workstation Applying this template might not affect the workstations or make matters worse QUESTION You are the administrator of a network that consists of three Windows NT domains which are named ROMEHQ LONDON and PARIS The three domains contain Windows NT server computers Windows NT workstation computers and Windows Professional computers The domains are configured as a complete trust domain model You have a Web server farm that consists of member servers in the LONDON domain You want to allow five designated users from each domain to fully administer any of the web servers You do not want these users to be able to administer other servers in any domain Which two actions should you take Each correct answer presents part of the solution Choose two In each domain create a local group named WebAdmin and add the five users to this group In each domain create a global group named WebAdmin and add the five users to this group In each domain create a universal group named WebAdmin and add the five users to this group Add the WebAdmin group from each domain to the Administrator groups in the LONDON domain Add the WebAdmin group from each domain to the Domain Admin groups in the LONDON domain Add the WebAdmin group from each domain to the Power Users group on each web server Add the WebAdmin group from each domain to the administrators group on each web server Answer B G Explanation Since the web servers might not be in the same domain as the user account user account crosses domain boundaries we need to define a global group For example a user from domain ROMEHQ needs to access the web servers in LONDON The trust relationships are there since we have a complete trust model Now we need to now decide where to assign these new Global Groups The question indicates to fully administer any of the web servers so we need to add the WebAdmin global group to the administrators group for each web server Remember the Web server farm contains member servers not domain controllers So we can set up administration rights and permissions by assigning to each individual member server Incorrect Answers A We have to cross domain boundaries we need to use Global Groups Hey this is Windows NT - we don't have Universal Groups If we do this then the web administrators can administer anything in the LONDON domain which is too much power We only want them to administrator the web servers If we do this then the web administrators can administer anything in the LONDON domain which is too much power We only want them to administrator the web servers Power users have limited administrative authority on the member servers We want full administrative rights on each of those web servers QUESTION You are the new network administrator for a small company The network consists of three Windows NT domains which are named SALES MKT and ACCT You have no documentation that describes how the domains are configured or what trust relationships exist A user named Jenny is an employee in the sales department Jenny is using an available computer in the accounting department today because her computer would not start Jenny reports that she cannot log on to the network by using her normal user account of SALES Jenny Until now she has always been able to log on to the network by using her account You go to the computer that Jenny is using and you verify that she cannot log on to the network When you log on by using the user account ACCT administrator you can log on successfully You examine Jenny's account and decide that she should be able to log on to the network You want to allow jenny to log on to the network by using this computer You also want to ensure that users are able to log on to the network by using any client computer in the company What should you do A Configure a complete trust domain model Configure the MKT and ACCT domains to trust the SALES domain Create an account for Jenny in the ACCT domain Create a computer account for Jenny's computer in the SALES domain Answer A Explanation We don't know where the accounts are and if they are spread across all three domains then each domain needs to trust the other two domains because the user account could be in any of the three These leads to a complete trust model Incorrect Answers This is not a full solution For example suppose the user account is in MKT and the user tries to use a computer in ACCT we need ACCT to trust MKT The proposed solution does not provide that trust relationship This does solve anything First the duplicate account that was just created does not have the same access and permissions as the original account in the SALES domain The SID will be different and it will appear that Jenny account is different person Second this does no solve the required solution that any user can use any machine to logon The problem is not with the computer account and we still did not solve the required solution that any user can use any machine to logon QUESTION You are the administrator of a Windows NT server network that contains Windows Professional computers You are creating a system policy for the network The network currently has no system policies Certkiller has a new company logo and the executives want you to configure all of the client computers to use the new logo as the desktop wallpaper You create a system policy file that contains a group policy for the Everyone group The group policy is configured to use the new logo as the desktop wallpaper You need to ensure that the Windows Professional computers will use the new group policy What should you do Place the system policy file in the NETLOGON shared folder on the PDC Place the system policy file in the home directory of each Windows Professional user account Place the system policy file in a shared folder on a server Modify the registry on each Windows Professional computer to configure the system policy's NetworkPath value Place the system policy file in the C Documents and Settings Default User folder on each Windows Professional computer Modify the registry on each Windows Professional computer to configure the system policy's NetworkPath value Answer A Explanation Even on Windows the system policy is added to the NETLOGON folder By adding the policy to the NETLOGON folder the Windows workstations will pick it up Since the Windows workstations can authenticate via a BDC these policy files should be replicated to the NETLOGON folder of all domain controllers within the domain Incorrect Answers System policy is taken off the domain controller and applied to the clients It is not taken from the workstation This is not an approved or standard method of applying system policy and would require too much system administration This is not an approved or standard method of applying system policy and would require too much system administration There would also be a possibility of subverting the policy and since it would be user based would have required additional administration each time a user was added Also even if this was doable a policy added AFTER the user was created would never be picked up The Default User is only used as a template when a new user is added to the system Policies would never be updated QUESTION You are the user account administrator for a Windows NT domain Ninety percent of your users work in a call center that runs three eight -hour shifts seven days a week The employee turnover rate is high You are constantly creating user accounts for new employees All users in the call center have the same group memberships and profile settings You want to simplify the process of creating new user accounts Which two courses of action should you take Each correct answer presents part of the solution Choose two Create a new user account named Template and configure it with the appropriate group memberships and profile settings Configure the Template account as a global account Create a new user account named Template and configure it with the appropriate group memberships and profile settings Configure the Template account as a local account In user manager for Domains select the Template account and then create a new local group named Template In user manager for domains select the Template account and then on the User menu click New User Name the new account as desired In user manager for domains select the Template account and then on the User menu click copy Name the new account as desired Answer A E Explanation The objective is to reduce the repetition of configuring parameters home directories and other items for the user Then you copy the template and only enter the user details which is userid name and password Since this is a Domain user we want a Domain account which is global Do not confuse a Global Account with a Global Group Incorrect Answers You do not want a account local to the server where the template is generated Remember user manager for domains can run on any machine and does not need to be performed on a domain controller There are no default templates distributed with Windows NT You must create a template from scratch first This operation would create a new user from scratch without the pre-configuration in the template It would be as if the template never existed in the first place QUESTION You are the network administrator for Humongous Insurance which is acquiring a company name WoodGrove Bank The Humongous Insurance network consists of three Windows NT domains The WoodGrove Bank network consists of two Windows NT domains The two networks are shown in the exhibit Click the exhibit button The Humongous Insurance domains are configured as a single master domain model and the Woodgrove bank domains are configured as a complete trust domain model All shared network resources on the Humongous Insurance network are in the resource domains and user accounts are in the master domain You install network connections between Humongous Insurance and Woodgrove bank All network administration will be performed from the CORP domain You want users in both companies to be able to connect to shared resources in the resource domains Before you assign specific permissions for resources you need to configure the trust relationships between the two networks You want to accomplish this task by using the smallest number of trust relationships required Which three actions should you take Each correct answer presents part of the solution Choose three Configure one-way trust relationships so that the SUBPRIME domain trusts the HQ and CPAPER domains Configure one-way trust relationships so that the EQUITY domain trusts the HQ and CPAPER domains Configure two-way trust relationships between the CORP domain and the HQ and CPAPER domains Configure one-way trust relationships so that the CORP domain trusts the HQ and CPAPER domains Configure one-way trust relationships so that the HQ and CPAPER domains trust the CORP domain Configure two-way trust relationships between the SUBPRIME domain and the HQ and CPAPER domains Configure two-way trust relationships between the RQUITY domain and the HQ and CPAPER domains Answer A B E Explanation Resource domains must trust Account domains in order for accounts in the trusted domain to be accepted in the trusting domains Accounts are in CORP HQ and CPAPER SUBPRIME and EQUITY already trust CORP They need to trust HQ and CPAPER This is covered in A B Since the Administrators in CORP will manage HQ and CPAPER we need HQ and CPAPER to trust CORP This is covered in E Incorrect Answers C F G Windows NT does not have two way trusts and if it did it poses unnecessary additional trusts which is not needed D CORP does not have resources therefore this trust is not required QUESTION You are the administrator of a Windows NT domain You recently configured the domain so that users are required to change their passwords every days Now some of the users report that when they log on they receive the following message Your password will expire in days Do you want to change it now when these users attempt to change their passwords they receive the following error message The password on this account cannot be changed at this time You want to enable users to change their passwords when prompted How should you configure the Account policy for your domain Allow passwords to be changed after a minimum of days Configure passwords to expire in days Do not require users to log on in order to change their passwords Do not require that password history be kept Answer A Explanation Let's do some math If the passwords have to expire in days and the users are told they have days left then the passwords are days old The fact that we can't change them indicates that the minimum is greater than days We need to drop the minimum down so that the passwords can be changed Incorrect Answers This makes it impossible to change the passwords The passwords would immediately expire on every machine since it is obvious that the passwords are at least days old If the minimum password age was no reached yet then you have situation where the password has to be changed but it isn't old enough to allow the change This is a serious conflict Even if the user has permission to change the password without logging on this problem will not change The problem is not related to the password history The password history is only used to enforce complex passwords It dos not affect the expiration time of the password itself QUESTION You are the administrator of a network that consists of two Windows NT domains which are named CHICAGO and BOSTON The domains are configured as a complete trust domain model Both domains contain Windows NT server computers and Windows NT workstation computers Five members of the help desk staff have user accounts in the CHICAGO domain These five users need to be able to reset passwords for users in both domains You want to assign these five users the minimum permissions that will allow them to reset passwords Which two courses of action should you take Each correct answer presents part of the solution Choose two Create a global group named ResetPW in the CHICAGO domain Add the appropriate help desk user accounts to this group Create a local group named ResetPW in the CHICAGO domain Add the appropriate help desk user account to this group Add the ResetPW group to the Administrator group in both domains Add the ResetPW group to the Account Operators local group in both domains Add the ResetPW group to the Administrators group on all client computers Add the ResetPW group to the local power users group on all client computers Answer A D Explanation Ad users to GLOBAL groups not LOCAL groups The minimum security level required is Account Operator Incorrect Answers Do not add users to local groups Local groups are not used to cross domains This gives too much rights We want minimum permissions and rights This does not accomplish anything In order to reset domain passwords you would need to be a domain level account operator or administrator not a client level This does not accomplish anything In order to reset domain passwords you would need to be a domain level account operator or administrator not a client level QUESTION You are the administrator of a network that consists of two Windows NT domains which are named VHHICAGO and DENVER The domains are configured as a complete trust domain model Each domain contains Windows NT server computers and Windows NT workstation computers You hire a new assistant administrator named Marie She will be responsible for creating configuring and managing all printers on all servers in both domains Marie has a user account in the DENVER domain You want to assign Marie the fewest permissions possible What should you do Add Marie's user account to the server operators group in each domain and add Marie's user account to the Administrators group on each member server Add Marie's user account to the server operators group in each domain and add Marie's user account to the power Users group on each member server Add Marie's user account to the server operators group in each domain and add Marie's user account to the Users group on each member server Add Marie's user account to the Print operators group in each domain and add Marie's user account to the Users group on each member server Add Marie's user account to the Print operators group in each domain and add Marie's user account to the Power Users group on each member server Add Marie's user account to the Print operators group in each domain and add Marie's user account to the Administrators group on each member server Answer E Explanation In order to just manage the print servers and print operations Marie just needs to be added to the Print Operators group which allows he to manage printers on Domain Controllers In order to manage the printers on the member servers being a Power User will give sufficient rights to manage the printers there Incorrect Answers This option gives Marie too much rights everywhere This option gives Marie too much rights in the domain This option gives Marie too much rights in the domain and not enough rights on the member servers This option is correct for the domain but not enough rights on the member servers F This option is correct for the domain but too much rights for the member servers QUESTION You are the administrator of a network that consists of four Windows NT domains The domains are configured as a complete trust domain model Each domain contains at least servers Server backups are currently performed by the administrator of each server You want to allow any user account from any domain to back up any domain controller or member server in any domain You want to assign the minimum rights necessary for accomplishing the backups Which three courses of action should you take Each correct answer presents part of the solution Choose three In each domain create a local group named Backup Add to this group the user accounts in that domain that will perform backups In each domain create a global group named Backup Add to this group the user accounts in that domain that will perform backups In each domain create a Universal group named Backup Add to this group the user accounts in that domain that will perform backups Add the backup group from each domain to the Backup Operators group in every domain Add the backup group from each domain to the Backup Operators group in each member server in each domain Add the backup group from each domain to the Domain Admins group in every domain Answer B D E Explanation Users are added to Global Groups in each domain Global groups can cross domain boundaries and this is the recommended sequence user to global groups We then add this global group to the domain Backup Operators which gives the ability to backup and restore data on Domain Controllers This does NOT allow access to the member servers so we add the global group to each and every member server Incorrect Answers A Local groups are not used to traverse domain boundaries Adding users to the local group is not the proper design even when all th resources are in the SAME domain C This is Windows NT not Windows We don't have Universal groups yet F This would provide too much permission and rights The question says minimum rights QUESTION You are the administrator of a Windows NT server computer that hosts Certkiller 's Internet web site Your site receives approximately hits per day Site visitors report that they occasionally receive connection error messages when they attempt to connect to the web site You notice that the web site responds very slowly every two or three hours During one of the slowdowns you run performance Monitor and receive the results shown in the exhibit You want to eliminate the slowdowns and enable users to connect to the web site without receiving connection error messages What should you do Configure Microsoft index server to run index catalog builds during off-peak hours Reconfigure the web site as a virtual directory under the default Microsoft Internet Information Server web site Configure the web site to run with performance settings for more than hits per day Configure the web site to run at an Application Protection level of high Answer A C Explanation If we look at the bottom of the page we see the process cidaemon running and absorbing a lot of CPU resources This utility is used to build the index in index server and is a very resource consumption hog This is a utility that should be run off hours and not during the day and the schedule should be changed We are seeing this at the bottom entry We also see that over the seconds time period Graph Time assuming the default of one second interval that we need to set the performance settings for the web site at over per day Incorrect Answers B The location of the website on the disk should not make a difference We are not monitoring disk activity so we don't even know if we have a disk problem D We don't see any indication that the application protection level is impacting performance If it was we can't tell from the variables being used QUESTION You are the WebMaster of Certkiller 's internet web site The web site is hosted by a Windows NT server computer You create an FTP site to allow users to upload and download documents You want to assign user names and passwords to each user who is authorized to access the site You also want to hide the FTP site from users who might be randomly trying to access FTP sites on various servers Which three actions should you take Each correct answer presents part of the solution Choose three configure the FTP site to use port configure the FTP site to use port configure the FTP site to disallow anonymous access configure the FTP site to allow anonymous access configure the FTP site to assign the Read and Write permissions for the IUSR FTP account configure the FTP site to assign the Read and write permissions for each FTP user account Answer B C F Explanation Port is unused and by setting the FTP port to it is assigned to a port not assigned to FTP A hacker would have to scan all the ports or find this port by accident To assign usernames and passwords to each account you probably no longer want anonymous access so this should be disabled Finally you configure permissions for each account The way FTP works under IIS and IIS is that if a user signs in under a username their home directory is automatically set to a directory that is the same as the username Incorrect Answers A Port is the standard assigned port for FTP You want to hide it and using Port leaves the port out in the open With the requirement to have usernames and passwords you want to lock down the FTP site This usually includes disabling anonymous access otherwise anyone can bypass the account security The IUSR FTP is the anonymous user account this is not the account you want to use Actually you want to disable anonymous access QUESTION You are the administrator of a Windows NT server network Three of the Windows NT server computers on the network are named ServerA ServerB and ServerC The network also contains Windows Professional client computers and UNIX servers A portion of the network is shown in the exhibit Click the exhibit button ServerA is a DHCP server that is configured to use a DHCP scope of to All of the UNIX servers are configure to use static IP addresses and the Windows Professional computers are configured to use DHCP Every day users report that they cannot connect to the network when they first start their computers The users usually receive the following error message The system has detected an IP address conflict with another system on the network The local interface has been disabled More details are available in the system event log Consult your network administrator to resolve the conflict Each user can connect to the network after waiting about minutes and restarting the computer You want to enable users to connect to the network and log on successfully without having to wait and restart their computers What should you do Change the DHCP scope on ServerA to to Change the DHCP scope on ServerA to exclude the addresses of the UNIX servers Configure the WINS server address on all of the Windows Professional computers to Configure the DNS server address on all of the Windows Professional computers to Answer B Explanation The UNIX servers have IP addresses that overlap the scope range For example one UNIX machine uses which falls in the scope What we need to do is make reservations for the UNIX machines or customize the scope to exclude those addresses One other thing that is broken in this question and not addressed could be a typo is that a broadcast address should never be in a scope Incorrect Answers A Changing the scope in this way does not correct the overlap C D The configuration of a WINS or DNS server address does not affect the assigned IP address When this error occurs two machines have the same IP address and is caused by DHCP giving out an address that is in use DNS and WINS don't assign addresses and changing the clients' pointer to them does not affect the situation QUESTION You are the administrator of a Windows NT server computer named Server A ServerA is routing and remote access server for your network ServerA is connected to the Internet and is configured to provide virtual private network connections to your intranet You want to prevent unauthorized users from gaining access to your network by using VPN connections on server You want to ensure that only VPN connections are used on serverA What should you do Configure the VPN connection on computers that connect to serverA to require data encryption Configure the VPN connection on computers that connect to serverA to use the Extensible Authentication Protocol Configure Routing and Remote access service on ServerA to disable IP forwarding Configure TCP IP on serverA to enable PPTP filtering for the network adapter that is connected to the Internet Answer D Explanation By filtering the PPTP protocol Point To Point Tunneling protocol on the Internet connection PPTP is the protocol for VPN in Windows NT if you block the protocol then you can't set up a VPN to or from the Internet Since there are no default filters in effect all is open the network adapter to the Intranet will allow VPNs so VPNs will work on the Intranet Incorrect Answers Data encryption will protect the data on a session but it does not prevent unauthorized users from creating a VPN This authorization will control connections on the Intranet since it is the Intranet client computers being modified This still does not prevent outside users from attempting to establish a VPN This can interfere with the operation of the server which is running as a router Even without IP forwarding an unauthorized user can still establish a VPN to the server and hack it QUESTION You are the administrator of a Windows NT server network that contains Windows Professional computers The network is divided into five TCP IP subnets and each subnet has its own Windows NT server computer You add a Windows NT server computer named ServerA to one of the subnets and you configure the DHCP server service on Server A You create a DHCP scope for each of the subnets You configure all of the client computers to use DHCP When the client computers start only computers on the same subnet as ServerA can obtain DHCP addresses You want to allow all of the client computers to obtain their TCP IP configurations from Server A You want to accomplish this task by using least amount of administrative effort What should you do Configure the DHCP server service on each Windows NT server computer and assign an IP scope for each subnet Configure the DHCP server service on serverA to exclude the IP addresses of the routers from the subnet scopes you have defined Configure the DHCP relay agent on each Windows NT server computer Configure a WINS service on each Windows NT server computer Answer C Explanation This is a classic question which appears in many forms on many different exams Unless it is stated that the router between the subnets is capable of supporting the passing of BootP traffic DHCP packets will not traverse the router This is because the DHCP packets are broadcasts packets and routers do not pass broadcasts The question says using the least amount of administrative effort What is needed is to configure a DHCP relay network on all subnets where the DHCP server does not exist Incorrect Answers This will actually work but the question says using the least amount of administrative effort and setting up a relay agent is less effort than setting up a new DHCP server This needs to be done but this is not the problem Without the relay agent you can't assign any addresses If you did accidentally assign a router IP address to a workstation the workstation would detect a duplicate IP address and not use it If the router IP addresses are not excluded or reserved in the scope then there will be trouble later on But the problem as described in the question is that the DHCP records are not passing the router and the relay agent will fix the problem WINS is not the answer WINS does name resolution If you do not have a DHCP assigned IP address when the DHCP client is activated on each workstation then it would even be unlikely that you could even reach the WINS server This problem is not related to WINS QUESTION You are the administrator of Certkiller 's Internet web server The web server is a Windows NT server computer that hosts five public web sites One of these five sites is Certkiller 's public web site You want to allow employees to download company documents from the web server when the employees are away from the office You want to protect the security of each employee's user name and password when employees are accessing the documents You also want to ensure that only employees can access the documents What should you do Create an FTP site and configure it to allow only Windows NT server connections Create an FTP site and configure it to allow only anonymous user connections Create a new web site configure it to use Windows NT Challenge Response authentication and enable directory browsing Configure Certkiller 's web site to use Windows NT Challenge Response authentication and enable directory browsing Answer C Explanation This question leaves C D as a toss-up The FTP options that are provided won't work That leaves using HTTP So use the current Web Site or create a new site Suppose you use the same site Enabling directory browsing can only be done on a directory by directory basis If all the documents were in the same directory then a virtual directory could be used and security placed on that directory Documents spread through the site would be harder to control Creation of an entire new website can be easier to control with less opportunities of security exposures caused by a bad configuration Using a different web site is not required and more work but is safer security wise and this is why C is chosen Incorrect Answers FTP only supports usernames and passwords which are transmitted in the clear There is no way to determine or control which clients actually connect In order to use usernames and passwords to control access you would require non-anonymous access and to make the server secure would want to disable the anonymous connections This may work but may not be as secure QUESTION You are the Webmaster for an Internet hosting company The company uses Windows NT server computers and Microsoft Internet Information Server to host multiple web sites in each server Microsoft index server is also used to provide indexing and searching services Each server hosts approximately individual web sites The hosted web sites are performed in a web site to return for only that web site What should you do Re-create hosted web sites by using virtual directories Re-create hosted web sites by placing them under the default web site Create an index server catalog for each hosted web site and assign a catalog to each hosted web site by using the web site's IP address Create a single index server catalog for the default web sites and add the name of each hosted web site to the server's Noise enu file Answer C Explanation We want to configure the Index server so that users are able to search individual web sites In order to accomplish this we must create an index server catalog for every Web site Note Microsoft Index Server is integrated with Microsoft Internet Information Server IIS and the Windows NT Server operating system to allow Web searching on corporate intranets and Internet sites Incorrect Answers A B We must configure the Index Server not the IIS server D If we create just a single index server catalog we would only be able to search all the web sites not the individual web sites QUESTION You are the administrator of a network that consists of a single Windows NT domain The domain contains Windows NT server computers and Windows Professional computers A Windows NT server computer named ServerA provides DHCP WINS and DNS services The DNS service is used to provide name resolution for access to the company's intranet web site The domain also contains UNIX client computers that use UNIX-based DNS service The UNIX DNS server is configured to forward unresolved named resolution requests to ServerA's DNS service You want to enable the UNIX computers to access new Windows NT server computers when they are added to the network You want the UNIX computers to be able to connect to the Windows NT server computers by using host names rather than IP addresses You want to accomplish this task by using the least amount of ongoing administrative effort What should you do Configure the WINS service to have static mappings for each UNIX client computer Configure ServerA's DNS service to use WINS name resolution Configure ServerA's WINS service to use the UNIX DNS server as a push partner Configure a HOSTS file on ServerA that contains an entry for each Windows NT server computer Answer B Explanation Assuming that all the Windows NT Servers are configured to be WINS clients each server will be registered with WINS By having the DNS server on ServerA ask the WINS server for the addresses we get the current address of the new servers The Unix servers will use DNS and contact ServerA's DNS server If the new Windows NT servers are not registered in DNS they will be in WINS and the name to IP address will get resolved Incorrect Answers First this is a very intensive as the number of workstations increase Second we didn't accomplish the task We can access the UNIX client by name but this does not provide the ability of the Unix clients on discovering the new Windows NT servers The Windows NT servers need to be resolved through DNS and this is accomplished under this solution WINS and DNS are not partners The databases are completely different and are not interchanged It doesn't matter if it is a Windows NT DNS or a UNIX DNS this is not a feature For a host file to be usable for this solution we would need to put the HOSTS file on every UNIX client not Server Even with proper placement of the file this is still prohibitive because we would need to update the HOSTS file on every UNIX client each time we add a new server This is why DNS was invented in the first place QUESTION You are the administrator of a Windows NT domain The domain contains Windows NT server computers and Windows Professional computers The domain uses DNS and WINS for name resolution ServerA is a Windows NT server computer that provides a DNS service The DNS service is used to provide name resolution for access to the company's intranet web sites and Internet web sites You want to provide fault tolerance for he DNS service on Server A What should you do Configure another server as a caching-only DNS server Configure another server as a secondary DNS server Configure ServerA's DNS service to use a WINS server as a push partner Configure ServerA's DNS service to use WINS name resolution Answer B Explanation For fault tolerance you install a secondary DNS server and point the clients to both the primary and secondary If the primary goes down the requests will time out and the secondary will be contacted The secondary holds a copy of the zone database and can do searches to look up information Incorrect Answers A A caching-only server does not have its own copy of the zone It builds a dynamic copy of the database by making requests and saving the results A reboot of the caching-only server will lose the cached information If the primary goes down and it does not have the necessary information because it hasn't been cached yet then the server will fail to resolve the name This is not fault tolerant DNS and WINS do not share databases and can't be partners If the only DNS server in the network is down there will be no response to DNS calls A client will not ask a WINS server for information if the DNS server is down The WINS server is not a partner to DNS for fault tolerance QUESTION You are the administrator of a network that consists of a single Windows NT domain The domain contains Windows NT server computers UNIX servers and Windows Professional client computers The client computers are configured to use DHCP and WINS You are adding a new UNIX server named Server to the network You want users to be able to connect to Server by using its name rather than its IP address What should you do Create an internet Group WINS record that points to the IP address of server Create a Unique WINS record that points to the IP address of Server Configure the Network DHCP scope to include the IP address of Server in its range Configure the network DHCP scope to use server as a DNS server Answer B Explanation The client computers are already using WINS for name resolution Since WINS is used for NETBIOS name resolution the Unix server is probably going to be running a SMB client such as SAMB We want a unique static entry Incorrect Answers A unique entry is required C Adding the IP address of the Unix server to the scope range of IP addresses should not be done unless the Unix server is a DHCP client This is not a recommended configuration having a server as a DHCP client Doing this even properly still does not provide the ability to access the Unix server by name D The question did not say that Server was a DNS server We would have to make Server a DNS server configuring and activating the service If NETBIOS functions were required then the WINS entry would still be required QUESTION You are the administrator of a Windows NT domain The domain contains Windows NT server computers and Windows Professional computers You are responsible for supporting all of the computers in the domain Another group in Certkiller manages the network routers A portion of your network is shown in the exhibit A user named Marc is using the computer named client Marc reports that he cannot access a resource on Server You verify that you can connect to ServerA from the computer named Sophia You want to find out whether cleint can connect to server What should you do On Client run the Ping command to test the address of On Client run the tracert commend to test the address of On ServerA run the ping command to test the address of On serverA run the tracert command to test the address of Answer B Explanation A tracert command will attempt to access the device and report along the way each hop There is only one hop here since there is only one router in the path The tracert will provide information whether the packets can reach the router go through the router and eventually reach the server Tracert is a diagnostic tool used for network troubleshooting The IP address is the address of ServerA so we are trying to check connectivity FROM Client to Server We also want to note that Sophia is also on a different subnet than Server By being able to access ServerA from Sophia we know that ServerA is operational otherwise the server could have crashed and be down We know that there is some activity in the router since Sophia has to go through the router to reach Server However since Sophia is on a different subnet than Client there could still be a router problem as the routing table could be bad Incorrect Answers The IP address of isn't even on the network Pinging that address doesn't accomplish anything C D Being able to reach from ServerA to Client doesn't prove anything For example incorrect routing tables in the router could cause a problem These tables could be correct in one direction and bad for the other direction We know that ServerA can communicate with the router because Sophia can contact Server This rules out ServerA having a bad default gateway specification QUESTION You are the administrator of a network that contains Windows NT server computers and NetWare x servers A Windows NT server computer named ServerA is the Routing and Remote Access Server for your network ServerA has a -port analog -Kbps modem card installed Routing and Remote Access Service is configured to use the modem card for incoming analog connections Users connect to serverA by using portable computers that have PC card modems A user named Marc was recently assigned dial-in permissions to server A Marc reports that every time his computer dials into serverA he receives confirmation that his user name and password were verified and then ServerA disconnects You want to enable Marc to dial in successfully What should you do Configure serverA to use DHCP leases for dial-in users and configure the DHCP scope to use the local default gateway Configure serverA to use TCP IP NetBEUI and NWLink IPX SPX Compatible Transport for the dial-in ports Configure Marc's account so that it has no restrictions for logon hours Configure Marc's account to disable callback Answer D Explanation The most likely problem is that callback is enabled and RRAS is probably calling back the wrong number Everything connects OK then a disconnect would indicate that the RRAS server disconnects and is getting ready to call back Incorrect Answers This does not have to be an IP issue Since there are Netware x servers which only function using IPX an IP address may not be needed and the lck of one being assigned should not drop the connection If the required protocols were missing then there would be a message that the server did not have those protocols enabled for RRAS If there were a restriction Marc would have gotten a message indicating so QUESTION You are the administrator of a Windows NT server network You are adding a new Windows NT server computer named serverA to the network A portion of the network is shown in the Network configuration exhibit Click the exhibit button You install and begin to test Server A You logon to Cleint and connect to a shared folder on serverA You then log on locally to serverA and attempt to connect to a shared folder on serverB by using the path serverB share You receive the following error message the network path ServerB Share could not be found You run the ipconfig command on serverA and receive the results shown in the IP configuration exhibit Click the exhibit button You need to ensure that serverA can connect to ServerB What should you do Force serverB to replicate ServerA's Ch record to all other WINS servers Configure serverB to use serverA as a pull partner Configure serverA to use as its primary and secondary WINS address Configure serverA to use as the default gateway Answer C Explanation As we can see from the output of the ipconfig command the server is configured to point to the WINS server on but if you look at the diagram the WINS server is at and it is the DNS server that I at Incorrect Answers A B The problem here is not that we need to configure or force replication At this point until serverA points to a valid WINS server any customization of the replication services is premature B Partnerships between WINS servers where databases are exchanged and updated only occurs between WINS servers and there is not indication that serverA is a WINS server D The default gateway configuration was correct Changing to this value is definitely wrong since the default gateway MUST be on the same subnet as the node in this case serverA which requires a network we are class C subnet mask QUESTION You are the administrator of a Windows NT server network Certkiller plans to deploy Windows Professional to client computers during the evening The installations will be performed from shared folders You have four Windows NT servers available for this purpose The servers are named Files Files Files and Files You want to ensure that the installation files are available on several file servers and you want the client computers to provide automatic load balancing across the available file servers What should you do Install Remote Installation Services on all four file servers Configure the Directory Replicator Service on all four file servers to replicate the installation files to each server Install distributed file system on Files and then configure a Dfs root Create three replicas on files that each point to one of the remaining file servers Ensure that your DNS server contains an A record for each file server and then enable DNS round robin Answer D Explanation By using round robin on the DNS server requests are sent to the each of the four file servers in rotating order This provides the automatic load balancing Incorrect Answers RIS is a Windows function requiring Windows Server an Active Directory We are running Windows NT which does not support RIS This might distribute the files but does not provide load balancing Windows NT does not have DFS replicas that are load balancing QUESTION You are the administrator of a Windows NT server computer named FS FS contains two hard disks which are named drive C and drive D Drive C has a -GB capacity and is formatted with the FAT file system Drive D has a -GB capacity and is formatted with the NTFS file system You place several documents in C Docs You plan to access these documents from the server console but you want to ensure that the documents are available on the network to all members of the Domain Users group You do not want these users to modify any files What should you do A Share C Docs as docs Ensure that the Protected Storage Service is set to start automatically Log on by using the Local system account Share C Docs as docs Create a Microsoft Internet Information Server virtual directory that points to FS Docs Configure the virtual directory as read-only Share C Docs as Docs Configure the files in C Docs as read-only Share C Docs as Docs Remove the Everyone group from the permissions on Docs Assign the domain users group the Read permission for Docs Answer D Explanation This is the correct way to do it By default when the share is created it will have the Everyone group with full control You need to remove this and add the Domain Users as read-only Incorrect Answers There is no protected storage service and you can't logon to the system account Sharing the DOCS will be with full control by default and anyone can read and write or erase those files Using IIS in this case will allow everyone including non-domain users example guests to read the docs which is too loose of a security model Using IIS is also a lot of work The reason is that you do not assign file and directory security in IIS you do it in NTFS and the C disk is FAT FAT does not support individual permissions on Directories and or files Everyone has access locally and via a Share unless the permissions are explicitly set in the definition of the share itself QUESTION You are the administrator of a Windows NT server computer named FS Company files are stored on FS in the E Files Company Folder which is shared as CompFiles The shared folder was created by using the default permissions Permissions for the files in E Files Company Finance are assigned as shown in the following table Group Permissions Domain None users Accounting Read Acct Write Managers Delete Finance Full control Interns No access Marketing No access A user named Andrea is a member of the Domain users Accounting and Interns groups The Interns group is used only to restrict access to the files in E Files Company Finance Drive M on Andrea's computer is mapped to FS CompFiles Andrea needs to modify the files in M Finance on a regular basis She reports that she cannot access any files in the finance folder You need to ensure that Andrea can modify the appropriate files You want to assign her the minimum permissions necessary and you want to avoid assigning her additional permissions for other files on FS Which two actions should you take Each correct answer presents part of the solution Choose two Remove Andrea's user account from the Accounting group Remove Andrea's user account from the Interns group Add Andrea's user account to the AcctManagers group Add Andrea's user account to the finance group Add Andrea's user account to the marketing group Assign the Accounting group the Read Write and Delete permissions for FS CompFiles Assign the Interns group the Read permissions for FS CompFiles Answer B C Explanation The first answer B should not be a surprise nothing changed When you have No Access for a directory and files nothing overrides it so we need to get Andrea out of the Interns group to get rid of the no access By adding AcctManagers Andrea can now write to the files since she needs to modify them Incorrect Answers A She still needs access to the accounting group to read the files in M Finance Adding her to the Finance group is overkill she will have more permissions than needed including the ability to change the permissions Marketing has no access to the directory and adding he in will be sure to prevent her from accessing M Finance F G These actions modify permissions of other groups and users most likely adding additional permissions We only know the permission structure of FS CompFiles Finance and not FS CompFiles Changing these permissions would not affect Finance unless Finance was inheriting permissions from the Company folder its parent QUESTION You are the administrator of a Windows NT server computer that is used as a print server You use the default settings to share a printer on the server as a CheckPrinter CheckPrinter is used for printing payroll checks A user named Carmen is Certkiller 's payroll clerk Carmen reports that some employees print documents to CheckPrinter which wastes blank checks and prevents Carmen from printing Payroll checks You need to allow only Carmen to send documents to CheckPrinter What should you do Change the share name of CheckPrinter to CheckPrinter Configure Carmen's computer to print to CheckPrinter Assign Carmen the Full Control permissions for the printer driver files Assign the Domain Users group the No Access permissions for the Printer driver files Assign Carmen the printer permission for CheckPrinter Remove the Everyone group from the CheckPrinter access control list Assign Carmen the Print permissions for CheckPrinter Assign the Everyone group the No access permission for CheckPrinter Assign Carmen the Manage documents permissions for CheckPrinter Assign the Everyone group the No access permissions for CheckPrinter Answer C Explanation The default settings will be that the everyone group has full control so you need to remove that setting You then explicitly assign Carmen access to the printer Incorrect Answers This is not a secure answer All you did is hide the share name Anyone who knows the share name can still connect and destroy checks Sometimes hiding something helps make it a little secure because knowledge would be needed But since everyone using the printer has inside knowledge finding this printer should not be difficult The correct course of action is to change the printer access permissions You can put access controls on the printer or printer share to control access Access is not controlled by access control of the print drivers themselves The print drivers are loaded by the OS Windows NT and security is not based on the user Besides that not working Carmen will most likely be a member of Domain Users and setting no access will not only lock out everyone else from using the printer but Carmen won't be able to use it herself D E The everyone group includes everyone users and guests By setting no access none including Carmen and any administrator will NOT be able to print on the printer QUESTION You are the administrator of a Windows NT server computer The server runs Microsoft Internet Information Server IIS and hosts a web site The web site is configured so that it has the default settings Company employees access the web site by means of the company intranet and the Internet The first page that employees see when they access the web site is named Default asp This page allows them to provide a user name and password The page then redirects employees to a menu of available options You want to ensure that employee user names and passwords are not transmitted over the Internet in plain text You also want to ensure that the server's performance is minimally affected by employees who access the web site You install a server encryption certificate on the server What should you do next Configure Deafult asp to disallow anonymous access Configure Default asp to require secure communications for all connections Configure the web site to require secure communications for all connections Configure the web site to allow Windows NT challenge Response authentication Answer C Explanation When configuring the security on a web site there are three options that may be selected Anonymous Basic and Integrated Windows NT Challenge Response authentication These are options used for internal security and selecting Integrated is the only option that would protect passwords as Anonymous does not use username and passwords for access control and basic transmits password in the clear EXCEPT we are concerned here with that logon scenario The Default asp active server page is collecting the username and password as page data This collection does not fall under the IIS security model IIS does not know that username and password I being collected these are not Operating System accounts This is home grown internal security such as internal security that has been built into a software package and does not integrate with Windows NT access lists This is why a certificate was needed in the first step We need to encrypt all the pages that could be carrying the information requiring protection In this case we protect the web site itself Incorrect Answers A B Security settings for either authentication or secure communications can only be configured on the Directory level either in a Web Site or a Virtual Directory It is not done on a page by page basis D Windows NT Challenge Response authentication is part of integrated security but as already explained we are not doing Operating System authentication we are performing application internal password processing QUESTION You are the new administrator of Certkiller 's Windows NT server computers A server named Web hosts a web site which is configured to use integrated security and to disallow anonymous access Company employees access the web site by means of the company intranet and the Internet An employee named Marc reports that he cannot access the web site from his home computer You verify that Marc can log onto the web site from the client computer in his office You verify that Marc is using the correct browser version on his home computer Marc's home computer connects to the Internet by using a dial-up account to an Internet Service Provider You need to ensure that Marc can access the web site from his home computer What should you do Assign the IUSR Web user account and the domain users group the read permission for the web site files Remove any permissions that are assigned to Marc's user account Configure the web site to allow anonymous access Create a new user account Verify that the user account can access the web site from your home computer Instruct marc to use the new account when he accesses the web site from his home computer Remove any IP address restrictions from the web site's directory security settings Answer D Explanation We will see below that A B C will not apply here so this leaves as a matter of elimination choice D It is possible since an ISP is being used that there could be IP restrictions that control the valid range of IP addresses For example suppose the IP restriction only allowed the Intranet and specific IP addresses of remote users assuming in this case that the home users ISP had assigned static IP addresses Marc's IP address would have to be added in the list So choice D is a feasible answer in some situations so for this case it is correct Notice the format of this question You are given a situation with a choice of answers The question does not give you enough information to zero in on the correct answer you need to know enough to eliminate the bad answers and take the choice that can work and is left This is a manner of elimination Incorrect Answers A C Marc can connect using his account from work Marc's account is already validated as having the correct access Modifying the ACL or even creating a separate user account will not fix the situation Marc can get into the site and should be able to do it from anywhere We also take notice that the question does not say anything about marc ability to signon to the network only that he cannot access the website This should indicate that marc was able to establish a connection using the dial-up line If Marc was unable to get pass establishment of the dial-up connection then creating a new userid that was tested with the dial- up might be creditable Also in the Choice A we might be assigning read permissions that allow unauthorized users to access the site - we have no idea how the site is and should be permissioned D Most of the explanation so far is basically saying that we are not dealing with a permission issue here with the ACL but we add here that if we change the Authentication to allow anonymous users then anyone can now access the site and we have decreased our security protection Also as an anonymous user we would be using the IUSR WEB user id not Marc's so Marc may have access control issues to access pages and files QUESTION You are the administrator of a Windows NT server computer The server is connected to a laser printer device which is shared as Laser The office staff uses Laser to print word processing documents and spreadsheets The accounting staff uses Laser to print financial reports These financial reports usually take a long to print The office manager informs you that the financial reports are preventing the office staff from using Laser effectively She also tells you that the financial reports can be printed on Laser in the evening when other documents are not being printed You want to allow the accounting staff to send print jobs during the day without interrupting the office staff's printing activity What should you do Create a shared printer named acct to print to the laser print device Set the priority on Acct to and the priority on Laser to Instruct the accounting staff to print the financial reports to Acct Create a shared printer named acct to print to the laser print device Set the priority on Acct to and the priority on Laser to Instruct the accounting staff to print the financial reports to Acct Write a batch file that assigns the accounting staff the Print permissions for Laser Schedule the batch file to run each morning at A M Write a second batch file that removes the print permission for laser from the accounting staff Schedule the batch file to run each evening at P M Create a shared printer named Finance to print to the laser device In the Finance printer properties configure the printer to be available from P M to A M Instruct the accounting staff to print the financial reports to Finance Create a shared printer named Reports to print to the laser print device Set the priority on reports to Instruct the account staff to print the financial reports to Reports Answer D Explanation The accounting staff are printing LONG reports which tie up the printer Since these reports do not have a high priority for turnaround we can let them print at night when no one is around To do this we create another printer Finance using the same printer device printer device pointed by Laser and restrict printing to off hours Notice that anyone printing to Laser directly can still print hours a day only print jobs directed to Finance will be restricted Incorrect Answers A B E Priority here is not appropriate All priority will do is change the order in which a print job comes off the queue For example suppose someone in accounting sends an hour print job to the printer when the queue is empty so it goes to the head of the queue and starts printing If this happens at am then the printer is totally unavailable for any other print job until after pm Changing priority does not hold off the long print jobs until off hours and can still lock out office users from using the printer during the day C This answer is almost ridiculous writing batch files to change permissions is not the accepted way to resolve this issue since there are better way to get this done Even if the batch script was used this approach does not accomplish anything What we are controlling is not when jobs can print but when jobs are submitted If everyone is working - no one should be around at pm so they can submit a print job Now these people may be working late but this script imposes the restriction that accounting can only submit the print job to the shared queue between am and pm when everyone is basically in the office working so the accounting print jobs will still conflict QUESTION You are the administrator of a Windows NT server computer named Web Web runs Microsoft Internet Information Server and hosts an Intranet web site The web site is configured so that it has the default settings You add a virtual directory named marketing to the web site The virtual directory points to the Files MktDocs shared folder which contains documents that are published by Certkiller 's marketing department You verify that users can view the documents by means of a web browser and HTTP Several months later users report that they can no longer access the documents by using HTTP Some users can access the documents on their client computers by means of the Files MktDocs shared folder You need to ensure that all users can access the documents by using the web site What should you do Assign the Everyone group the Read permissions for the files in Files MktDocs Assign the Everyone group the Read permission for Files Marketing Configure the web site to allow anonymous access and to disallow Basic authentication Configure the user account that the virtual directory uses to access Files MktDocs so that the account is not locked out and so that the password never expires Answer D Explanation We see that the Server is Web but the Shared Folder is on Files which is a different machine When we set up the virtual directory we were prompted with a username and password that would be used by Web to connect to the share If that account gets deleted locked out disabled or the password changes and we have exhausted the reties then IIS will not b able to connect to the share Incorrect Answers A B We are not dealing with a permission issue unless someone went in and changed the permissions This was a working website For both A B we could be downgrading the security settings allowing unauthorized users to see confidential data These options are not recommended and most likely will weaken the security set on those files C The question says that the site was built with default settings so anonymous access and disable Basic authentication IS THE DEFAULT so we are not changing anything here QUESTION You are the administrator of a Windows NT server computer named FS FS is used as a file server and has security configuration manager installed FS contains several shared folders which were created by using the default settings The share HRDocs points to D Documents HRDocs An employee named Bruno is a member of the HR group and the Operations group Bruno reports that he cannot modify the documents in FS HRDocs from his Windows Professional computer You log on to the FS server console to examine the permissions for D Documents HRDocs The folder permissions are assigned as shown in the following table Group Permissions Domain Read Allow users HR Full Control Allow Operations Write Deny Read and Execute Allow You need to ensure that Bruno can read and modify the files in FS HRDocs What should you do Add Bruno's user account to the list of permissions for D Documents HRDocs and then assign Bruno the Full Control Allow permission Create a domain user group named Operations Add the Operations group to the list of permissions for D Documents HRDocs and then assign the group the Full Control Allow permission Add Bruno's user account to the Operations group Remove Bruno's user account from the Operations group Remove all user accounts except Bruno's from the operations group Add Bruno's user account to the list of permissions for D Documents HRDocs and then assign Bruno the Write Allow permission Answer C Explanation If you belong to any group that has no access then you combined permissions is no access Bruno is a member of the operations group which is denied write access to the directory and files We need to remove Bruno from the Operations Group Incorrect Answers Bruno has a deny and no matter what else you do the no access takes precedence Bruno has a deny and no matter what else you do the no access takes precedence D Bruno has a deny and no matter what else you do the no access takes precedence In this case you need to remove Bruno not the other users QUESTION You are the administrator of a Windows NT server computer named Public which is a member of a Windows NT domain named CORP Public runs Microsoft Internet Information Server and hosts an FTP site The FTP site is configured so that it has the default settings The site's home directory is C Inetpub Ftproot You need to use Public to allow a specific customer to upload and download files You do not want this customer to have any other type of access You do not want anyone else to have this type of access You need to configure Public to support these requirements Which three actions should you take Each correct answer presents part of the solution Choose three Create a user account named Customer on Public Create a user account named Customer in CORP Assign the IUSR Public user account the appropriate NTFS permissions for C Inetpub Ftproot Assign customer the appropriate NTFS permissions for C Inetpub Ftproot Configure the FTP site to allow anonymous access Configure the FTP site to disallow anonymous access Answer A D F Explanation We are going to disable anonymous access so that only a user with a valid userid can get onto FTP We restrict that access by creating a userid and setting NTFS permissions to the FTP directory The user will be unable to do anything else since we set NTFS permissions This account is only valid on the member server PUBLIC so the user would not be able to access anything else anywhere in the domain Incorrect Answers This could accidentally provide too much access and is not required unless the IIS server was installed on a Domain Controller Since the question just says server we can assume that it is a member server If the question should change or vary realize that if the question specifically says Domain Controller then we need a domain account not a local account Domain Controllers do NOT have local accounts IUSR Public is the account for the anonymous user We will be blocking anonymous access so no one else can access the web site FTP site so this is NOT the ID that we need to add permissions Allowing anonymous access which is already done it is the default is NOT what we wish to do here We want to block anonymous access because we don't want just anybody getting into the site We need to disable anonymous access QUESTION You are the administrator of a Windows NT server computer The computer is used as a print server and shares printers The server contains two hard disks which are named drive C and Drive D Drive C has a -GB capacity and contains all of the operating system files Drive D has a -GB capacity and contains no files During a maintenance inspection you notice that drive C has only MB of free disk space You need to make space available on drive C and prevent the drive from filling up again What should you do Disable the creation of memory dump files when a STOP error occurs Configure the server to place spooled print jobs in a folder on drive D stop and restart the Print Spooler service Create a new disk quota limit on volume C to deny space to users who exceed their quota limit Pause the Print Spooler service In the shared printer properties use a smaller file type for the print mode Restart the print spooler service Answer B Explanation Since Drive D is the larger drive we should move the SPOOL to that drive And even if the users fill up that drive instead the Operating System Windows NT will not be impacted by a full drive This is why we use partitioning to separate data from the Operating System to prevent a full drive from crashing the system Incorrect Answers A I doubt we are running GB of ram where a memory dump filled up the drive There is no indication that we even took a dump The most likely cause of this situation was the spool filling up and even if we were taking dumps it would be better to move the spool anyway This is Windows NT we don't support Natively disk quotas In Windows disk quotas apply to individual files not print spool and even if it did take users sending small print job and you could still fill up GB without tripping the quota with K users you could probably fill up the entire GB too There is no smaller file type QUESTION You are the administrator of a Windows NT server computer The computer is used as a print server and has several shared printers A user reports that she cancelled a print job several hours ago but the job continues to appear in the print queue You examine the print queue and discover that the print job is cancelling Several other print jobs are waiting in the print queue You need to remove the cancelled print jobs and ensure that the other print jobs print Which three courses of action should you take Each correct answer presents part of the solution Choose three Stop the print spooler service Stop the server service Log on to the server as an administrator and delete the print job file from the spool folder Log on to the server as an administrator and cancel the print job in the print queue Log on to the server as an administrator and delete the printer port Re-create the printer port and assign it to the shared printer Start the Print Spooler service Start the server service Answer A C F Explanation We have a stuck print job and usually recycling the print spooler service will clear it up We need to delete the job otherwise it will restart on the printer In most cases this problem was caused by the print job itself corrupted file and if we don't delete it then it may restart and tie up the queue again Incorrect Answers B G Changing the server service will not fix the problem and may cause other problems Stopping the server service will prevent users from using the shared folders and printers on the machine This only prevents submission and management of the print jobs However it does not affect the print queue which is stuck We have to work with the spooler service - that is where the print job is stuck D The print job is already cancelled We need to delete it to make sure it does not re-queue after recycling the print spooler E Adding and deleting the port will not correct the problem We need to work with the print spooler which is the software where the print job is hung QUESTION You are the administrator of a Windows NT server computer You perform tape backups of the server as shown in the following table Evening Time Backup type Sunday P M Full backup Monday Wednesday and P M Incremental back up Friday Tuesday and Thursday P M Differential backup You use two sets of six tapes to perform your backups and you alternate sets every week You use a different tape for each backup and overwrite the tape as necessary On Thursday at P M the server's hard disk fails You need to restore as much data as possible from the backup tapes You also want to complete the restoration as quickly as possible What should you do Perform the restoration by using the Sunday backup then the Monday backup and then the Wednesday backup Perform the restoration by using the Monday backup then the Tuesday backup and then the Wednesday backup Perform the restoration by using the Sunday backup and then the Tuesday backup Perform the restoration by using the Sunday backup then the Wednesday backup and then the Tuesday backup Answer A Explanation Three things to note here First We must always do a Full restore when a hard drive is replaced Second the tapes must be applied restored in the order that the backups were taken finally we don't mix Incremental with Differential backups We need Wednesday's restore to bring the drive back so we will also need Monday's incremental too Incorrect Answers We need to start with the Sunday we need to do a full restore In this case we lost Wednesday's data so we don't have as much recovery as we would like Don't mix the backups and this is the wrong order too QUESTION You are the administrator of a Windows NT server computer named server that has service pack a installed Server runs a business application that must be available at all times You install a new SCSI device that was provided by the computer manufacturer You restart server During the startup process server stops and you receive a STOP error message You need to return Server to full functionality as quickly as possible What should you do A Use a parallel installation of Windows NT server to restart Server Reinstall service Pack a Use a Windows NT server CD-ROM to restart server in recovery mode After Setup completes restart the computer Use the Last Known Good configuration setting to restart server Use the Recovery Console to restart server Use an older copy of the device driver file to overwrite the new file Restart the server Answer C Explanation You must read the wording of the question very carefully especially since Microsoft may add a variation to the question or this question was not copied correctly This question says a SCSI device This solution should work for a device such as a SCSI Tape Controller It will NOT work for a SCSI Controller Card which is imbedded more into the operating system and would not be disabled by using Last Known Good Also take note in this question that it says that a NEW device was installed This solution most likely will NOT work if the question said NEW device drivers for an existing SCSI device These require external action where we can't bring up the system on its own Incorrect Answers Re-installation of Service Pack a might be required if the device drivers from the manufacturer regressed the service This will not get us up in the quickest possible time Especially if you have to do the parallel installation right now which could take an hour or two - at minimum Unless you have a Windows NT Server CDROM at Service Pack a Microsoft does not distribute Windows NT this way you get the service packs separate this process will regress the entire service pack Once you re-boot the service pack has to be re-installed and you might not get the system up anyway And this would not be the fastest way to get up and running again Recovery Console is provided via Windows but if we did have recovery console we could use it here since recovery console will support a Windows NT system However using an older copy of the device driver is not the answer First we added the device we did not upgrade the drivers Second there is no telling if the regression to an older device driver will fix the problem QUESTION You are the administrator of a Windows NT server network Certkiller plans to deploy Windows Professional to client computers on your network From the Windows Professional CD-ROM you copy the contents of the i folder to D Win p i on a Windows NT server computer named Apps You share D Win p as Proinstall You receive a CD-ROM that contains the most recent Windows service pack You want all new Windows Professional deployments to include the service pack You want to deploy the service packs by using the least amount of administrative effort What should you do on Apps Run the Update exe s D Win p command from the service pack CD-ROM Install remote installation services Configure RIS to deploy the service pack at the same time that Windows Professional is deployed Copy the contents of the service pack CD-ROM to D Win p i Click yes if you are prompted to overwrite existing files Copy the contents of the service pack CD-ROM to D Win Sp Install Windows Professional on a client computer and then run the Apps Proinstall sp Update exe command from that computer Answer A Explanation Windows allows you to update an image using the update exe command After running the update command the Windows Professional image will be at the new service pack Any deployment after applying the service pack will automatically have the maintenance applied which eliminates the need to apply the service pack separately Incorrect Answers RIS is only supported on Windows Active Directory Domain The service pack structure is a little more complicated You might manage to replace files but there is more going on in the service pack apply that needs to be checked and changed in the original image so we need to run the update exe This process would allow us to apply the service pack off a network drive But it would be two step first build the system then apply the service pack where Choice A is one step QUESTION You are the administrator of a company network that consists of a single Windows NT domain named CORP Certkiller 's headquarters is located in New York The company has one branch office in Boston and one branch office in San Francisco All network administrators are located at headquarters The network is configured as shown in the exhibit Users at the branch office reports the their logon scripts take a long time to run You want to reduce the time require for the logon scripts to run You also want to maintain the ability to manage all company user accounts from headquarters What should you do Install a PDC for a domain named BOSTON in the Boston office Install a PDC for a domain named SANFRAN in the San Francisco office Configure the CORP PDC to trust the two new PDCs Create user accounts on the CORP PDC Install Windows NT BDC servers in each branch office Configure directory replication to replicate the logon scripts from the CORP PDC to the two new BDCs Install a stand-alone Windows NT server computer in each branch office Configure directory replication to replicate the logon script from the CORP PDC to these two new servers Configure an LMHOSTS file so that it contains the IP addresses of the CORP PDC and BDC Place this file on the client computers at the branch offices Answer B Explanation The assumption here is that the time to run the logon scripts is being impacted by contention at the central location and network traffic across the T lines We can speed this by adding local BDCs and replicating the logon scripts to them This way HQ can still maintain the scripts and user accounts at the central office Incorrect Answers A This process could speed up logon processing but the logon scripts have to be migrated too and there is no provision here to replicate them Also we just made the environment a lot more complex by going multidomain Logon Scripts execute out of the NETLOGON folder of a BDC or PDC NOT Member servers The issue is transferring the logon scripts There is no indication that there was a slowdown in locating servers LMHOSTS would not have been the way to go if finding the server was an issue you would use WINS We have located the server so it is not a IP to NAME resolution problem QUESTION You are the administrator of a Windows NT server computer named server Server contains three -GB hard disks and MB of RAM Server has a single -MB paging file on drive C Server supports an application that Certkiller 's software developers are creating The application must be available at all times While you are running performance monitoring tools on Server you notice that users access drive C much more than the other two drives Users report that server is slower than other servers on your network You want to reduce the load on drive C and to improve the performance of Server You need to ensure that server continues to provide diagnostic information to the application developers in the event of a failure What should you do Schedule the Chkdsk utility to complete a full scan excluding a surface-level scan on drive C the next time server is restarted Restart server Configure server to perform a small memory dump to the paging file in the event of a STOP error Resize the paging file on drive C to MB Create a -MB paging file on the drive D and a -MB paging file in drive E Create a -MB paging file on drive D Remove the paging file from drive C Answer C Explanation Paging performance will be better if spreading it across multiple physical disk drives Not disk partitions on the same physical drive Since we want diagnostic information in other words a dump during failure we need a pagefile on the boot device that will hold all of RAM so we need at least MB the size of RAM on this server as the smallest pagefile for C Incorrect Answers Using Chkdsk is when the file system gets corrupted There is no evidence that the system slowness is due to a corrupted file system Usually you lose files A small memory dump does not provide as much diagnostic information as a full dump and would not solve the slowness probably due to contention of the page file unless the page file was moved somewhere else and decreased in size This may make the system faster but lack of a pagefile on C will prevent diagnostic dumps from being taken QUESTION You are the administrator of a Windows NT server computer named server A ServerA has two -GB IDE hard disks that are configured as a mirrored pair ServerA has two IDE channels Disk is the primary drive and the IDE master device for channel Disk is the shadow drive and the IDE master device for channel ServerA shuts down due to permanent failure of Disk You have a replacement disk available for this server You need to enable serverA to restart so that you can recover from he failure and reconfigure fault tolerance Which two courses of action should you take Each correct answer presents part of the solution Choose two Modify the Boot ini file on a fault-tolerance boot disk to point to multi disk rdisk Modify the Boot ini file on a fault-tolerance boot disk to point to multi disk rdisk Modify the Boot ini file on a fault-tolerance boot disk to point to multi disk rdisk Replace Disk with the replacement disk Configure the replacement disk as the IDE master device on Channel Replace Disk with disk Configure the replacement and configure it as the IDE master device on Channel Replace Disk with disk Configure the replacement disk and configure it as the IDE slave device on Channel Answer C D Explanation We have to boot the system up with a floppy because the physical disk that would be booted is now dead With the exception of Partition all the other parameters in the boot ini ARC definitions are zero relative For Channel it is Multi and for the first device Master it is rdisk Now all we need to do is boot the floppy and the system will come up We also should replace the defective drive with the replacement Incorrect Answers This definition is for the slave rdisk This definition is invalid for an IDE configuration For recovery you do not re-cable disks to change the ARC settings This answer doesn't even make sense replace with QUESTION You're the administrator of a Windows NT domain that contains a Windows NT server computer named FPS FPS is used as a file and print server The server hosts eight shared printers Each shared printer is configured to use a different print device An employee named Lilly is responsible for changing the toner cartridges adding paper and completing other maintenance tasks for five of the print devices Users often ask Lilly to move shorter print jobs to the top of the print queue and to cancel long-running print jobs so that the printers are available for immediate use However Lilly cannot change the priority of a print job or cancel a print job You need to enable Lilly to perform these tasks for the five print devices for which she is responsible but you need to prevent her from modifying the printer properties What should you do Add Lilly's user account to the Print Operators group Assign Lilly the No Access permission for the three printers for which she is not responsible Add a to the value of the Network path property on the five printers for which Lilly is responsible Assign Lilly the full control permission for the five printers for which she is responsible Assign Lilly the manage documents permission for the five printers for which she is responsible Answer D Explanation Manage documents will allow Lilly to change priority and cancel print jobs Incorrect Answers Print Operator will allow Lilly to change printer properties which is not what we want to allow This gives her two much permissions as well as permissions on new printers which have not been added yet The will hide the share and has no effect on the ACL for the device Further the will affect the share name which affect the printer not the print device Full control is too much permissions it will allow printer properties to be changed QUESTION You are the administrator of a Windows NT server computer The computer is connected to two identical print devices You create one shared printer for each print device by using the default settings One printer is shared as Executive and the other is shared as Office The president of Certkiller often has to wait for his documents to print to the Executive printer because other office employees also print to it You need to configure the printer so that the president's documents print as quickly as possible Because the office printer is too busy to accommodate all office print jobs you need to ensure that office employees can also print to the Executive printer What should you do A Add Executive as a new share name for the Executive shared printer Reconfigure the president's computer to print to Executive Add ExecStaff as a new share name for the Executive shared printer Set the permissions for the Executive shared printer to allow only the president's user account to print Reconfigure the office computers to print to ExecStaff Create a shared printer named Pres for the print device that is associated with the Executive shared printer Configure the Pres shared printer so that it has a priority of Reconfigure the office computers to print to Pres Create a shared printer named PresOnly for the print device that is associated with the Executive shared printer Configure the PresOnly shared printer so that it has a priority of Reconfigure the president's computer to print to PresOnly Create a shared printer named Staff for the print device that is associated with the executive shared printer Assign the president the manage documents permissions for the executive shared printer Assign the office staff the print permission for the Staff shared printer Configure the office computers to print to Staff Answer D Explanation Print priority can be set between and where is the highest and is the lowest We can make different printers and point those printers to the same print device In this case we create a separate printer with a priority of which is almost the highest it goes and will be higher than the default print priorities used by the office users In this scenario even though the president has to share the printer the president's jobs will always go to the head of the queue and will be the next job to print on the printer This satisfies the requirement to get the president's jobs printing as quickly as possible Incorrect Answers Adding a to the end of a share name makes that share a hidden share It will not affect the print priority nor will it affect the print permissions on the resource This scenario enforces that the president can only print to the new printer However the president's print jobs will have the default priority and will fall into line with the print jobs from the office workers The president will have to wait in line like everyone else and this does not get the president's print jobs printing as quickly as possible In this scenario the office computers will be printing with a priority of Since is almost the highest priority the president's jobs which will have a lower priority the default priority setting will go to the back of the line and will not print until there are no longer any office print jobs in the print queue Again the print device will be shared and there is no separation of priorities The president will wait in line like everyone else Now the president can manipulate the queues with this option however this is not a feasible solution QUESTION You are the administrator of Certkiller 's network The network includes two identical print devices and a Windows NT server computer The printers for these print devices are shared as Printer and Printer The server is used as a print server Users can print to both shared printers However most of the client computers are configure to use only one printer or the other Client computers in the accounting department are also configured to use Printer Users in the operations department report that the users in the accounting department often print large reports The users in the operations department must wait for their documents to be printed even though few or no documents are being printed on Printer You want to configure the printers so that the printing load from both departments is evenly distributed What should you do Create a new shared named Printer Configure printer to use both print devices in a printer pool Configure all user accounts to print to printer Configure printer to print to the same port as printer Set the priority on printer to and the priority on printer to Configure printer to print to the same port as printer Set the priority on printer and printer to Modify the registry so that printer and printer use the same folder to store spooled print jobs Answer A Explanation This will end up being the best choice Printer load balancing will allow the print jobs to print on the next available printer This also makes the printers evenly balanced Unfortunately in real life this is not the best solution because the accounting department will have long jobs on BOTH printers and still tie everything up But we are not offered solutions here that parallel real life Incorrect Answers B C We have two physical print devices each on it's own port We do not want to change either printer so that both printers are printing to the same port Doing so in this problem leaves us with only one printer working and operational D You do not want to merge print spool folders This will be a problem because there are indexes in the folder of the net spool file the files are numbered and can overlap and I will be rare that the correct answer to a Microsoft Exam will involve changing the registry in order to fix a problem QUESTION You are the administrator of a Windows NT server computer The computer is used as a file and print server and shares four printers The printers are shared as printer printer printer and printer A user reports that a document has been first in the printer print queue for several hours and that nothing is printing on the print device You examine the print queue and discover that the first job is spooling Several other print jobs are waiting in the print queue You verify that the print device