The best fully integrated study system available

May 17th, 2010  by Goldie

With hundreds of practice questions and hands-on exercises, CompTIA Network+ Certification Study Guide, Fourth Edition covers what you need to know, and shows you how to prepare, for this challenging exam.

  • 100% complete coverage of all official objectives for the CompTIA Network+ exam
  • CertCam video training by the author guides you through difficult topics and exercises
  • Inside the Exam sections highlight key exam topics covered
  • Two-Minute Drills provide quick review at the end of every chapter
  • Simulated exam questions match the format, tone, topics, and difficulty of the real exam

Covers all the exam topics, including:

Basic Network Concepts * Network Protocols and Standards * Networking Components * Subnetting and Routing * TCP/IP Utilities * Wireless Networking * Remote Connectivity * Wide Area Network Technologies * Network Implementation * Network Maintenance and Support * Network Security * Network Troubleshooting

CD-ROM includes:

  • Complete MasterExam practice testing engine, featuring: One full practice exam; Detailed answers with explanations; Score Report performance assessment tool
  • CertCam video training
  • Electronic book for studying on the go
  • With free online registration: Bonus downloadable MasterExam practice test

PrepLogic's Exam Manuals meet the unique needs of people working on their IT certification training. "IT certifications are incredibly important these days. People need every break they can get if they want to get certified and meet all of their other obligations," said PrepLogic President Jay Gandee. "Our Exam Manuals for Amazon Kindle allow people to train for their exams while traveling to work, on lunch hours, late nights after the kids are in bed. People will be surprised how much they use these guides."

The A+ Essentials (220-701) Exam Manual provides coverage for the first of two exams required for the CompTIA A+ certification. A+ Practical Application (220-702) covers the second exam required for certification. The special Amazon Kindle book reader format includes complete text and illustrations, and allows users to make notes, change text orientation and size, all in a device that weighs less than a small stack of paper.

Posted in News  No Comments

Important things

May 14th, 2010  by Goldie

A user or administrator who has Read permission for a GPO but does not have Write permission cannot use the Group Policy Object Editor to see the settings that it contains. Write access is required to open a GPO.

5. Click OK.

To delegate control of GPO creation, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. In the console tree, click Users.

3. In the Name column in the details pane, double-click Group Policy Creator Owners.

4. In the Group Policy Creator Owners Properties dialog box, click the Members tab.

5. In the Members tab, click Add, and then type the name of each user or security group to whom you want to delegate creation rights in the Enter The Object Names To Select box. Click OK.

6. In the Group Policy Creator Owners Properties dialog box, click OK.

7. Execute the procedure for delegating control of GPO object linking (shown next).

By default, nonadministrators cannot manage links, and unless you execute the procedure for delegating GPO object linking, they cannot use the Active Directory Users And Computers console to create a GPO.

To delegate control of GPO object linking, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. Right-click the OU to which you want to delegate the right to link GPOs, and then click Delegate Control.

3. On the Welcome To The Delegation Of Control Wizard page, click Next.

4. On the Users Or Groups page, click Add.

5. In the Select Users, Computers, Or Groups dialog box, type the user or group for which you want to delegate administration in the Enter The Object Names To Select box, and then click OK. Click Next on the Users Or Groups page.

6. On the Tasks To Delegate page, click Delegate The Following Common Tasks and select the Manage Group Policy Links check box, and then click Next.

7. On the Completing The Delegation Of Control Wizard page, review your selections. Click Finish.


Note

May 13th, 2010  by Goldie

Note    If there is a conflict between the computer configuration settings and the user configuration settings, the user configuration settings are applied because the user settings are more specific.

Figure 10-6    How Group Policy is applied for the contoso.com domain (GPO processing order for the St. Paul OU = 1, 2, 3, 4, 5; GPO processing order for the Columbus OU = 1, 2, 6, 7)

Group Policy Inheritance

In general, Group Policy is passed down from parent to child containers within a domain. Group Policy is not inherited from parent to child domains. Group Policy is inherited in the following ways:

•       If a policy setting is configured (set to Enabled or Disabled) for a parent OU, and the same policy setting is not already configured for its child OUs, the child OUs inherit the parent's policy setting.

•       If a policy setting is configured (set to Enabled or Disabled) for a parent OU, and the same policy setting is configured for a child OU, the child OU's Group Policy setting overrides the setting inherited from the parent OU.

•       If any of the policy settings of a parent OU are set to Not Configured, the child OU does not inherit them.

•       Policy settings are inherited as long as they are compatible. If a policy setting configured for a parent OU and a policy setting configured for a child OU are compatible, the child OU inherits the parent's policy setting, and the child's policy setting is also applied. For example, if the parent OU's policy setting causes a certain folder to be placed on the desktop and the child OU's policy setting calls for an additional folder, the users in the child OU see both folders.

•       If a policy setting configured for a parent OU is incompatible with the same policy setting configured for a child OU (for example, if the setting is enabled in the parent OU and disabled in the child OU), the child OU does not inherit the policy setting from the parent OU. Only the setting configured for the child OU is applied.
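The inheritance rules above, worked through in a small Python model (an added example, not code from the book): settings are applied from the parent container down to the child OU, Not Configured is never inherited, a configured child setting overrides an incompatible parent setting, and compatible list-valued settings merge so both values apply. Container names, setting names and values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

# A policy value is Enabled/Disabled, a list of items (e.g. desktop folders),
# or None for "Not Configured". Constructed model, not a real GPO format.
Value = Union[str, List[str], None]
ENABLED, DISABLED = "Enabled", "Disabled"


@dataclass
class Container:
    """A site, domain or OU together with the settings of the GPOs linked to it."""
    name: str
    settings: Dict[str, Value] = field(default_factory=dict)


def merge_setting(parent: Value, child: Value) -> Value:
    """Apply the child's value on top of the value inherited from the parent."""
    if child is None:            # child Not Configured: inherit the parent's value as-is
        return parent
    if parent is None:           # parent Not Configured: nothing to inherit
        return child
    if isinstance(parent, list) and isinstance(child, list):
        # compatible settings: the parent's value is inherited and the child's
        # value is also applied (the "users see both folders" case)
        return parent + [item for item in child if item not in parent]
    # incompatible (e.g. Enabled vs Disabled): only the child's setting applies
    return child


def resolve(chain: List[Container]) -> Dict[str, Value]:
    """Effective settings for the last container of a parent-to-child chain.

    A setting that is Not Configured at every level ends up absent.
    """
    effective: Dict[str, Value] = {}
    for container in chain:
        for name, value in container.settings.items():
            effective[name] = merge_setting(effective.get(name), value)
    return {k: v for k, v in effective.items() if v is not None}


# Constructed example modelled on the contoso.com figure above.
DOMAIN = Container("contoso.com", {
    "DisableCmd": ENABLED,          # inherited unless a child overrides it
    "LockScreen": ENABLED,          # a child below sets the opposite value
    "DesktopFolders": ["Reports"],  # list-valued, mergeable setting
    "RemoveRunMenu": None,          # Not Configured: never inherited
})
ST_PAUL_OU = Container("St. Paul", {
    "LockScreen": DISABLED,         # incompatible with the parent: child wins
    "DesktopFolders": ["Tools"],    # compatible: both folders appear
    "RemoveRunMenu": None,
})
COLUMBUS_OU = Container("Columbus", {
    "DisableCmd": None,             # Not Configured here: inherits Enabled
})

if __name__ == "__main__":
    for ou in (ST_PAUL_OU, COLUMBUS_OU):
        print(ou.name, resolve([DOMAIN, ou]))
```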


Understanding GPOs

May 13th, 2010  by Goldie

Off the Record    As stated in this section, group policies apply to computer and user accounts. A common misconception is that group policies can be applied to groups. Although group policies do not apply to groups, group membership can affect the application of Group Policy. For example, if a user or computer account belongs to a group that is specifically denied the ability to apply Group Policy, that account will not receive the Group Policy. This concept is known as filtering GPO scope with security groups, and is discussed in Lesson 3.


To create a specific desktop configuration for users, you create GPOs, which are collections of Group Policy settings. Each computer running Microsoft Windows Server 2003 has one local GPO and can, in addition, be subject to any number of nonlocal (Active Directory-based) GPOs.

Local GPOs

One local GPO is stored on each computer whether or not the computer is part of an Active Directory environment or a networked environment. A local GPO affects only the computer on which it is stored. However, because the local GPO settings can be overridden by nonlocal GPOs, the local GPO is the least influential if the computer is in an Active Directory environment. In a non-networked environment (or in a networked environment lacking a Microsoft Windows 2000 or Windows Server 2003 domain controller), the local GPO's settings are more important because they are not overridden by nonlocal GPOs. By default, only nodes under Security Settings are configured for local GPOs; settings in other parts of a local GPO's namespace are not enabled or disabled. The local GPO is stored in %Systemroot%\System32\GroupPolicy.

Nonlocal GPOs

Nonlocal GPOs are created in Active Directory and must be linked to a site, domain, or OU in order to be applied to either users or computers. To use nonlocal GPOs, you must have a Windows 2000 or Windows Server 2003 domain controller installed. By default, when Active Directory directory service is set up, two nonlocal GPOs are created:

•       Default Domain Policy   This GPO is linked to the domain, and it affects all users and computers in the domain (including computers that are domain controllers) through Group Policy inheritance. For more information, refer to the section on Group Policy inheritance later in this lesson.

•       Default Domain Controllers Policy   This GPO is linked to the Domain Controllers OU, and it generally affects only domain controllers, because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU.

Nonlocal GPOs are stored in %Systemroot%\Sysvol\Domain Name\Policies\GPO GUID\Adm, where GPO GUID is the GPO's globally unique identifier. This lesson discusses nonlocal GPOs unless otherwise specified.


Troubleshooting Lab

May 11th, 2010  by Goldie


You are one of several network administrators for Contoso Pharmaceuticals. One of your network users tells you that they've attempted to log on several times, but they keep getting the same error message telling them that the domain controller is down. You know that the domain controller is fine, so you go to the user's desktop to see the error message.

Before you can see the error message, you need to create the problem. Perform the following steps to create the problem:

1. Log on to Server2 using the domain administrator user name and password. Demote Server2 to Member Server using Dcpromo and the DemoteContoso.txt answer file. The answer file is located on the Supplemental CD-ROM in the \70-294\Labs\Chapter09 folder.

2. Log on to Server1 using the domain administrator user name and password.

3. Open Active Directory Users And Computers. Click on the Computers container. You should see SERVER2 in the right windowpane.

4. Select and right-click the SERVER2 icon and click Reset Account. When prompted about resetting the computer account, click Yes, and then click OK.

5. Go to Server2. Try to log on to the domain using the contoso.com domain administrator user name and password. You should see the following error message: "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance."

Now you've created the problem. In the Troubleshooting Lab in Chapter 4, you learned how to reset a computer password using the Netdom utility. You now realize that using the Active Directory Users And Computers interface is not the appropriate place to reset an existing computer password. The only reason to perform the steps above would be if you just reinstalled Server2 and wanted to configure a new password for that account. To fix this issue, you remove Server2 from the domain and then join the domain once again.

1. To correct this issue, you must log on as a local administrator to SERVER2 (Local).

2. Click Start, right-click My Computer, click Properties. The System Properties dialog box opens.

3. Click the Computer Name tab and then click the Change button. The Computer Name Changes dialog box opens. In the Member Of section, click Workgroup. Type the name WORKGROUP into the text box. Click OK. The Computer Name Changes dialog box appears.

4. Enter the local administrator name and password and click OK.

5. Click OK to confirm that your computer is now a member of the workgroup named WORKGROUP. Click OK to confirm that a restart is required.

6. Click OK in the System Properties dialog box.

7. Click Yes when prompted to restart your computer.

8. Once Server2 restarts, log on as the local administrator once again. Then join the domain contoso.com as described in Chapter 2, "Installing and Configuring Active Directory." Once you restart the system again, you'll be able to log on using the domain administrator name and password.

9. Promote Server2 to domain controller by using the Dcpromo command with the ContosoReplica.txt answer file. The answer file is located on the Supplemental CD-ROM in the \70-294\Labs\Chapter09 folder.


Changing Inherited Permissions

May 10th, 2010  by Goldie

There are three ways to make changes to inherited permissions:

•       Make the changes to the parent object, and then the object inherits these permissions.

•       Assign the opposite permission (Allow or Deny) to the security principal to override the inherited permission.

•       Clear the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With Entries Explicitly Defined Here check box in the Advanced Security Settings dialog box for the object. Then, you can make changes to the permissions or remove users or groups from the Permissions Entries list. However, the object no longer inherits permissions from the parent object.

Selective Authentication

In Chapter 4, "Installing and Managing Domains, Trees, and Forests," you learned that in Windows Server 2003, you can determine the scope of authentication between two domains that are joined by an external trust or a forest trust. Recall that an external trust must be explicitly created by a systems administrator between Windows Server 2003 domains that are in different forests or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. The trust is non-transitive. A forest trust is explicitly created by a systems administrator between two forest root domains. The trust is transitive between two forests only. Both trusts can be one- or two-way.

You can set selective authentication differently for outgoing and incoming external and forest trusts. These selective trusts allow you to make flexible access control decisions between external domains and forest-wide.

If you use domain-wide authentication on the incoming external or forest trust, users in the second domain or outside forest would have the same level of access to resources in the local domain or forest as users who belong to the local domain or forest. For example, if DomainA has an incoming external trust from DomainB and domain-wide authentication is used, any user from DomainB would be able to access any resource in DomainA (assuming that they have the required permissions). Similarly, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, any user from ForestB would be able to access any resource in ForestA (assuming they have the required permissions).

If you set selective authentication on an incoming external or forest trust, you need to manually assign permissions on each resource to which you want users in the second domain or forest to have access. To do this, set the Allowed To Authenticate permission on an object for that particular user or group from the external domain or forest.


Off the Record

May 8th, 2010  by Goldie

Off the Record    Whoami is a command line utility that displays information about the currently logged on user. You can use this utility to learn about a specific user account before you begin to troubleshoot a resource access problem. The Whoami /all command can be used to view the SID, group memberships, and specific permissions of a user account. Whoami is included in Windows Server 2003. Although the utility is not available in the default installations of Windows 2000 or Microsoft Windows XP, you can install it from the Resource Kit CD for each of those products.

Windows Server 2003 stores a list of user access permissions, called the access control list (ACL), for every Active Directory object. The ACL for an object lists who can access the object and the specific actions that each user can perform on the object. Windows Server 2003 offers a fine degree of control over access to a wide variety of objects. To provide a security principal with access to an object, you add the security principal to the ACL of the object. Then you can adjust the specific permissions that the security principal has for the object.

Permissions

You set permissions to either Allow or Deny. Deny permissions take precedence over all other permissions. For example, if you deny permission to a user to gain access to an object, the user will not have that permission, even if you allow the permission for a group of which the user is a member. The object type determines which permissions you can select. For example, you can assign the Reset Password permission to a security principal for a user object but not for a printer object. For each object type, there is a group of standard permissions and a group of more detailed special permissions.
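An added example (not code from the book) that models ACL evaluation for this Permissions section and for the three ways of changing inherited permissions described in the Changing Inherited Permissions post above. It orders entries the way Windows does (explicit entries before inherited ones, Deny before Allow within each group, first match wins), which is why a Deny on a group beats an Allow on the member, why assigning the opposite permission on the object overrides an inherited one, and why clearing inheritance drops the parent's entries. Principal names, object names and permissions are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Ace:
    """One access control entry: Allow or Deny one permission to a principal."""
    principal: str      # user or group name (constructed, not a real SID)
    permission: str     # e.g. "Read", "Write", "Reset Password"
    allow: bool


@dataclass
class ADObject:
    name: str
    parent: Optional["ADObject"] = None
    explicit: List[Ace] = field(default_factory=list)
    inherit_from_parent: bool = True   # the "Allow Inheritable Permissions" check box

    def inherited(self) -> List[Ace]:
        """ACEs propagated down the parent chain, unless inheritance is cleared."""
        if not self.inherit_from_parent or self.parent is None:
            return []
        return self.parent.explicit + self.parent.inherited()

    def ordered_aces(self) -> List[Ace]:
        """Canonical Windows order: explicit before inherited, Deny before Allow."""
        def deny_first(aces: List[Ace]) -> List[Ace]:
            return [a for a in aces if not a.allow] + [a for a in aces if a.allow]
        return deny_first(self.explicit) + deny_first(self.inherited())


def check_access(obj: ADObject, user: str, groups: Set[str], permission: str) -> bool:
    """True if the user, or a group the user belongs to, is granted `permission`.

    The first matching ACE in canonical order decides: a Deny for one of the
    user's groups wins over an Allow for the user at the same level, and an
    explicit Allow on the object wins over a Deny inherited from the parent.
    """
    principals = {user} | set(groups)
    for ace in obj.ordered_aces():
        if ace.permission == permission and ace.principal in principals:
            return ace.allow
    return False   # no matching ACE: the permission is not granted


# Constructed directory: OU "Sales" with user objects beneath it.
SALES_OU = ADObject("Sales", explicit=[
    Ace("HelpDesk", "Reset Password", allow=True),
    Ace("Contractors", "Reset Password", allow=False),   # Deny on a group
])
JSMITH = ADObject("jsmith", parent=SALES_OU, explicit=[
    # the "assign the opposite permission" technique: overrides the inherited Deny
    Ace("alice", "Reset Password", allow=True),
])
# inheritance cleared: only entries defined here apply (none in this case)
CEO = ADObject("ceo", parent=SALES_OU, inherit_from_parent=False)
```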

Standard permissions are the most frequently assigned. You can view the standard permissions in the Security tab in the Properties dialog box for an object, shown in Figure 9-6.

To view the standard permissions for an object, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers. On the View menu, ensure that Advanced Features is selected. Right-click the object for which you want to view standard permissions and click Properties.

2. In the Properties dialog box for the object, click the Security tab. Click the appropriate security principal in the Group Or User Names box to view the assigned standard permissions.

Important    You must select Advanced Features on the View menu to be able to access the Security tab.

Table 9-3 lists the basic standard permissions that are available for most objects (some object types have additional standard permissions) and the type of access that each permission allows.

Table 9-3   Basic Standard Permissions and Type of Access Allowed


Using the Find Option

May 7th, 2010  by Goldie


If an object is published and listed in Active Directory, you can locate it by using the Find option on the Active Directory Users And Computers console. The Find option enables you to search for users, contacts, groups, computers, printers, shared folders, OUs, remote installation servers, and remote installation clients. Find also provides the capability to build custom search queries and to perform common administrative queries for users, contacts, and groups. Using Find, you enter various search criteria, which are used to create a Lightweight Directory Access Protocol (LDAP) query to search the global catalog to locate Active Directory objects.

To locate Active Directory objects, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. In the console tree, right-click the domain, OU, or container in which you want to search, and click Find.

3. In the Find dialog box, shown in Figure 9-1, select the object type for which you want to search in the Find list. Ensure that the domain, OU, or container in which you want to search is selected in the In list. Note that the object type you select invokes a tab by the same name underneath the Find list. The contents of this tab change depending on the object type selected. If you want to begin your search now, click Find Now. Otherwise, proceed to the next step to provide additional criteria to filter your search.

Note    If you choose the Custom Search option in the Find list, the Find option builds the LDAP query or allows you to enter your own LDAP query based on parameters you enter in the Advanced tab. For example, the LDAP query OU=*er* searches for OU names containing "er" and returns the Domain Controllers OU.

4. Enter additional criteria to filter your search. There are two ways you can provide additional criteria:

•       Enter the appropriate information in the tab for the object type you selected.

•       Click the Advanced tab, shown in Figure 9-2, and select the attribute for which you want to search in the Field list. Select the methods available to further define the search for an attribute in the Condition list. Then type the value for the condition of the field (attribute) that you are using to search the directory in the Value box. Click Add to add the advanced search criteria to the box beneath the Add button.

5. Click Find Now. The search results are displayed in the box at the bottom of the Find dialog box using the search criteria you entered, as shown in Figure 9-3.

6. Click Clear All to begin a new search or close the dialog box and the Active Directory Users And Computers tool.
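An added example (not code from the book or the ADUC tool) of what the Advanced tab does behind the scenes: Field, Condition and Value rows are turned into one LDAP filter, and the filter is then evaluated against a few constructed directory objects, reproducing the OU=*er* case above. It also escapes the typed value as RFC 4515 requires, so a value containing characters such as `*`, `(` or `)` is matched literally instead of changing the meaning of the query; the condition names and the objects are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple


def escape_value(value: str) -> str:
    """RFC 4515 escaping: a typed value cannot add or close filter components."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(object_class: str, criteria: List[Tuple[str, str, str]]) -> str:
    """Turn Find's (field, condition, value) rows into one LDAP filter string."""
    forms = {"Starts with": "({f}={v}*)", "Ends with": "({f}=*{v})",
             "Is (exactly)": "({f}={v})", "Is not": "(!({f}={v}))",
             "Present": "({f}=*)"}
    parts = [f"(objectClass={object_class})"]
    for field, condition, value in criteria:
        parts.append(forms[condition].format(f=field, v=escape_value(value)))
    return "(&" + "".join(parts) + ")" if len(parts) > 1 else parts[0]


def _parse(s: str, i: int):
    """Parse the subset of filters used here: &, ! and attr=pattern components."""
    if s[i + 1] == "&":
        kids, i = [], i + 2
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return ("and", kids), i + 1
    if s[i + 1] == "!":
        kid, i = _parse(s, i + 2)
        return ("not", kid), i + 1
    j = s.index(")", i)                 # safe: a literal ')' in a value is escaped as \29
    attr, pattern = s[i + 1:j].split("=", 1)
    return ("eq", attr, pattern), j + 1


def _unescape(seg: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), seg)


def _match(pattern: str, text: str) -> bool:
    """Case-insensitive match with '*' wildcards, as AD does for string attributes."""
    segs = [_unescape(p).lower() for p in pattern.split("*")]
    text = text.lower()
    if len(segs) == 1:
        return text == segs[0]
    if not text.startswith(segs[0]):
        return False
    pos = len(segs[0])
    for seg in segs[1:-1]:
        k = text.find(seg, pos)
        if k < 0:
            return False
        pos = k + len(seg)
    return text.endswith(segs[-1]) and len(text) - len(segs[-1]) >= pos


def _eval(node, obj: Dict[str, str]) -> bool:
    if node[0] == "and":
        return all(_eval(k, obj) for k in node[1])
    if node[0] == "not":
        return not _eval(node[1], obj)
    value = obj.get(node[1])
    return value is not None and (node[2] == "*" or _match(node[2], value))


def search(objects: List[Dict[str, str]], flt: str) -> List[str]:
    """Return the names of the constructed objects that match the filter."""
    tree, _ = _parse(flt, 0)
    return [o["name"] for o in objects if _eval(tree, o)]


# Constructed directory objects (not real data) for the book's OU=*er* example.
OBJECTS = [
    {"name": "Domain Controllers", "objectClass": "organizationalUnit", "OU": "Domain Controllers"},
    {"name": "Sales", "objectClass": "organizationalUnit", "OU": "Sales"},
    {"name": "jsmith", "objectClass": "user", "cn": "jsmith"},
]
```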


Review

May 6th, 2010  by Goldie

1. What object is created automatically in the IP container when you install Active Directory on the first DC in a domain?

The DEFAULTIPSITELINK site link.

2. You specified a preferred bridgehead server for your network. It fails and there are no other preferred bridgehead servers available. What is the result?

If no other preferred bridgehead servers are specified or no other preferred bridgehead servers are available, replication does not occur to that site even if there are servers that can act as bridgehead servers.

3.      Why is it seldom necessary to create site link bridges?

If site link transitivity is enabled, which it is by default, creating a site link bridge has no effect. Therefore, it is seldom necessary to create site link bridges.

4.      Which type of replication does the connection schedule control?

Intrasite replication.

5. Which of the following protocols should you use when network connections are unreliable?

a.      IP

b.      SMTP

c.      RFC

d.      DHCP

The correct answer is b. Choose SMTP replication when network connections are unreliable or not always available. SMTP site links communicate asynchronously, meaning each replication transaction does not need to complete before another can start, because the transaction can be stored until the destination server is available.

6. You have a high-speed T1 link and a dial-up network connection in case the T1 link is unavailable. You assign the T1 link to have a cost of 100. What cost value should you assign to the dial-up link?

a.      0

b.      50

c.      100

d.      150

The correct answer is d. Higher costs are used for slow links (the dialup connection), and lower costs are used for fast links (the T1 connection). Because Active Directory always chooses the connection on a per-cost basis, the less expensive connection (T1) is used as long as it is available.


Guidelines for Securing DNS Zone Replication

May 5th, 2010  by Goldie

You must make available multiple copies of DNS data or zone information. These copies provide backup, redundancy, and load balancing. The information needs to be the same on each server, and the traditional method of synchronization is zone replication between primary and secondary DNS servers. That is, all changes to zone data are made on the primary DNS server and replicated to one or more secondary servers. An alternative method is provided by Windows Server 2003 and Windows 2000 DNS services when they are installed as Active Directory Integrated. In this case, zone information is shared using Active Directory replication.

The early DNS servers on the network that became the Internet were configured to allow zone replication to any DNS server. This configuration is not the one to use on your DNS servers today. Many years ago, there were few DNS servers, and letting everyone know how to reach you on the Internet was most important. No one envisioned that they would need to protect this knowledge.

Note Dnscmd.exe is a utility that can be used at the command line or incorporated into a script. If many DNS servers must be secured, writing a script that includes these commands is useful. Dnscmd commands are identified in the practice.

For today's networks, however, there is no reason to leave this opportunity for information theft open. If you expose your internal DNS data via zone replication, an intruder might use a zone transfer to find out information about the servers on your network, such as the names and IP addresses of domain controllers, mail servers, internal web servers and databases, and more. This information might be used to mount an attack against critical or sensitive servers on your network.

DNS zone replication must be secured. If Windows Server 2003 DNS servers are used, use one of the following configurations:
