All questions for this chapter refer to the following case.
Case 1: Melody Music
Melody Music is a musical instrument manufacturer with locations in North America, Asia, and Europe. It consists of three divisions (guitars, electronics, and percussion), and these divisions are spread across the three continents.
Melody Music has a Windows NT 4.0 server infrastructure with a single accounts domain and resource domains for each continent's operations. Client computers are predominantly Windows 98, with some NT 4.0 Workstations at the headquarters office in Los Angeles.
10Mbps twisted-pair Ethernet is used at all Melody Music locations.
Melody Music has decided to implement Windows 2000 and Active Directory in all locations, including the joint venture factory in Germany. It has registered the DNS domain name melodymusic.com, which it intends to use for internal as well as external naming.
Current WAN Connectivity
The company has four facilities in North America, connected by full T-1 links. The two European plants are connected to each other with a 256Kbps circuit, and the two Asian facilities are linked with a 256Kbps virtual private network (VPN). All these links are relatively underutilized.
The headquarters office in Los Angeles is connected to both the European and Asian locations via a 64Kbps link. This circuit is heavily used, especially during Los Angeles business hours.
Proposed WAN Connectivity
No changes are proposed at this time, although management has recognized that the 64Kbps circuit between Europe, North America, and Asia will need to be upgraded eventually.
Directory Design Commentary
CIO: Each of the divisions outside of North America enjoys a fairly autonomous existence, with little intervention from the home office. IT, however, is currently centralized in Los Angeles. Melody Music plans to grant the local network administrators much greater authority in the future, however.
CEO: Melody Music has entered into a joint venture with Klavier, AG, a German manufacturer of pianos. The joint venture makes pianos for sale under the MK Pianos brand. MK Pianos is located in a former Klavier factory, and employees are paid by Melody Music. Melody Music management needs full access to MK Pianos' information.
Melody Music currently has no Internet presence.
Melody Music has registered the melodymusic.com domain name, will set up email servers, and will develop a Web site.
What should the name of the forest root domain be?
The correct answer is c. Melody Music intends to use the melodymusic.com domain name for internal as well as external namespaces. Because of this requirement, answer a is incorrect; it places the Active Directory domain below the root. Answer b is incorrect because it is the name of another company and is not at all appropriate as the forest root. Answer d is the DNS name of the Melody Music Web site, so that is incorrect as well.
Melody Music management decides to create an Internet presence for the joint venture company, MK Pianos, and registers the DNS domain name mkpianos.com. How should the Active Directory design be modified for this new domain?
Create a child domain of melodymusic.com called mkpianos.melodymusic.com.
Create a child domain of melodymusic.com called melodymusic.mkpianos.com.
Create a new domain tree with a root domain of mkpianos.com.
Create a new forest with a root domain of mkpianos.com.
The correct answer is c. Because mkpianos.com is a different DNS namespace from Melody Music, it is best to create a new domain tree rather than use the approach suggested by answer a. Answer b is incorrect because the child and parent domain names are reversed. Because Melody Music management requires full access to MK Pianos' data, including Active Directory contents, answer d is also incorrect.
How many child domains should be created off the forest root domain?
Three, one for each continent
Three, one for each division
The correct answer is c. Because each of the continents is relatively autonomous, and there are definite WAN considerations, this solution is better than answer d. Answer a is incorrect because Melody Music's business is organized by continent, with autonomy granted to each of the local operations, and WAN speed and capacity issues exist as well. Finally, answer b is incorrect because mkpianos.com is a different namespace from melodymusic.com.
In which domain will the Enterprise Admins and Schema Admins groups be created?
The correct answer is a. The root domain of the forest should be melodymusic.com, and the forest root is the only domain to have the Enterprise Admins and Schema Admins groups. Answer b is incorrect because, although mkpianos.com might be a root domain, it is not the forest root. The same is true for answers c and d, which are also incorrect. na.melodymusic.com is a child domain, not the forest root.
What type of trust relationship exists automatically between melodymusic.com and mkpianos.com?
Two-way, transitive Kerberos trust
One-way, nontransitive NTLM trust
The correct answer is b. A two-way Kerberos trust is automatically created between root domains of a disjoint namespace in the same forest, which means that answer a must be incorrect. No one-way trusts are automatically created in Windows 2000, so answer c is incorrect. Answer d is also incorrect because cross-link trusts are manually created between domains that do not have a direct trust relationship between them. Cross-link trusts speed Kerberos credential validation by shortening the validation path through the forest.
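The trust path that the answer above describes, as an added example (not part of the original text): it models the case's forest and finds the shortest chain of direct trusts between two domains, with and without a manually created cross-link trust. The `eu` and `asia` child domain names and the function names are assumptions.

```python
from collections import deque

# Forest layout taken from the case; the eu and asia child names are assumed
# (the page names only na.melodymusic.com).
FOREST_ROOT = "melodymusic.com"
PARENT = {
    "na.melodymusic.com": "melodymusic.com",
    "eu.melodymusic.com": "melodymusic.com",    # assumed name
    "asia.melodymusic.com": "melodymusic.com",  # assumed name
}
TREE_ROOTS = ["mkpianos.com"]  # second domain tree in the same forest


def automatic_trusts():
    """Two-way transitive trusts created automatically: parent-child and tree-root."""
    edges = {frozenset(pair) for pair in PARENT.items()}
    edges |= {frozenset((root, FOREST_ROOT)) for root in TREE_ROOTS}
    return edges


def trust_path(src, dst, cross_links=()):
    """Shortest chain of direct trusts from src to dst (breadth-first search)."""
    edges = automatic_trusts() | {frozenset(link) for link in cross_links}
    graph = {}
    for edge in edges:
        a, b = tuple(edge)
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no chain of trusts connects the two domains


if __name__ == "__main__":
    src, dst = "eu.melodymusic.com", "mkpianos.com"
    print(trust_path(src, dst))                            # via the forest root
    print(trust_path(src, dst, cross_links=[(src, dst)]))  # direct cross-link
```

Without the cross-link, every request between a continent domain and mkpianos.com passes through the forest root; the cross-link removes that intermediate hop.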
Melody Music has decided that a small administrative group on each continent should have control over all Active Directory resources. Control will be assigned on a divisional basis. Based on this plan, arrange the entities below in order, from the domain through lowest-level OU.
The correct answer is as follows:
Note that Continent is a domain, and all other entities are OUs.
As part of the migration planning process, the Melody Music Active Directory design team has listed a number of issues, both business and technical. Place the issues in list two under the appropriate issue type in list one. You can use the same issue more than once.
Type of issue:
Active Directory Design Issues:
The correct answer is as follows:
Overlap exists on these lists because many issues require both a business and a technical approach.
Melody Music management is considering changes in how the company is run that will result in more centralized control. However, a consultant has told Melody Music management that it might need to completely redo the Active Directory design because permissions from OUs in top-level domains are not inherited by like-named OUs in lower-level domains. Is the consultant correct in her statement?
The correct answer is a. The consultant is right. Permissions do not flow across domain boundaries, regardless of what the OUs are named.
A new office is opened in Sydney, Australia, and the IT director wants to know whether a new domain should be created for the Australian continent. Business plans call for an expansion of operations to include 2,000 employees at three locations in two years. What factors should the IT director consider in making his decision? [Select all that apply.]
Security requirements specific to Australia
Number of employees
Local administration of resources
The size of Active Directory
Replication traffic and wide area link availability
The correct answers are a and e. Security policies are set at the domain level, so if any requirements specific to the Australian operation exist, a separate domain should be considered. Also, if wide area links are slow, congested, or unreliable, a new domain will allow use of the SMTP protocol for Active Directory replication over the slow link.
Answers b and d are incorrect. The tested limits of Active Directory are over 50 million objects, so creating additional domains to handle 2,000 additional employees is unnecessary.
Finally, answer c is incorrect because administration can be delegated at the OU level, thus eliminating the need to create a domain to achieve administrative granularity.
Klavier AG launches a successful hostile takeover of Melody Music soon after Melody's successful implementation of Windows 2000. Because it has not yet begun its own Windows 2000 implementation, Klavier management decides to simply rename the melodymusic.com domain klavier.de. Will this approach work?
The correct answer is b. Renaming domains is impossible at this point, and the forest root domain, which in this case is melodymusic.com, may never be renamed.