Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory

Errata for Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory




The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint the date of the correction will be displayed in the column titled "Date Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.




Version Location Description Submitted By Date Submitted Date Corrected
Printed, PDF, Safari Books Online, Other Digital Version
Page 1
Throughout text

Adding Domain Users to Print Operators flags accounts with adminSDHolder. It is better to use Group Policy to grant log on locally rights to Domain Users for the purposes of the book practices.

Note from the Author or Editor:
This is an error that must be corrected in the book. Details will be forthcoming. I am submitting this errata entry to test the functionality of the Errata site and responses.

Dan Holme  Feb 10, 2012 
Printed, PDF, Safari Books Online, Other Digital Version
Page 1
Entire Book

Dear readers: Please note that you should NOT copy-and-paste commands from the PDF or other e-Book format of the Training Kit. PDFs and e-Book files contain hidden characters such as nonbreaking spaces and line breaks that will cause unexpected errors. The exercises and sample commands have been tested by TYPING commands as shown.

Dan Holme
O'Reilly Author 
Feb 12, 2012 
Printed, PDF, Safari Books Online, Other Digital Version
Page 1
Entire book

Dear readers: In the practice exercises of the 70-640 Training Kit, you log on to domain controllers with user accounts that are not members of Domain Administrators or the domain’s Administrators group. Therefore, you must give all user accounts the right to log on locally to the domain controllers in your practice environment. In the Training Kit, we use a shortcut to provide this right: We guide you to add Domain Users to the Print Operators group, which has the right assigned by default. Unfortunately, in limited circumstances, this shortcut can lead to problems with certain exercises. Therefore, instead of adding Domain Users to the Print Operators group, follow the steps in the article, “Grant a Member the Right to Logon Locally,” at http://technet.microsoft.com/en-us/library/ee957044(WS.10).aspx to grant the Allow Logon Locally right to the Administrators and Domain Users groups. If you will use Remote Desktop Services to connect to the domain controller—rather than logging on locally—grant the Allow Logon Through Remote Desktop Services right. This is for the practice environment only. In a production environment, you should not grant users the right to log on to domain controllers.

Dan Holme
O'Reilly Author 
Feb 12, 2012 
PDF
Page 5
The picture

The pictures on pages 5, 619, 732, 772, 835 are corrupted and are not readable. Probably all pictures with the same pattern are affected. Please fix.

forsyte  Jun 18, 2012  Jul 27, 2012
PDF
Page 5
Figure 1-1

The text on this figure has an incorrect font issue. Shows up correctly in the printed manual. Everything in the boxes is scrambled.

Note from the Author or Editor:
To be checked by production.

Anonymous  Nov 29, 2012  Jul 27, 2012
Printed, PDF
Page 10
1st bullet point (regarding Trees)

The section that reads: "For example, if the treyresearch.net forest contains two domains, treyresearch.net and antarctica.treyresearch.net, those domains constitute a contiguous portion of the DNS namespace, so they are a single tree. If, conversely, the two domains are treyresearch.net and proseware.com, which are not contiguous in the DNS namespace, the domain is considered to have two trees." Needs to have its last sentence changed to read: "If, conversely, the two domains are treyresearch.net and proseware.com, which are not contiguous in the DNS namespace, the FOREST is considered to have two trees." This is because a DOMAIN cannot be made up of multiple trees, only a FOREST can be made up of multiple trees.

Note from the Author or Editor:
The errata item is valid. Change: ... the domain is considered to have two trees. to ... the forest is considered to have two trees. Thanks for writing!

Anonymous  Dec 22, 2011  Feb 17, 2012
Printed, PDF
Page 29
steps 4 and 7 in Exercise 2

On page 28, steps 4 and 7 in Exercise 2 include invalid command line switches for the shutdown command. Change: "4. Restart by typing shutdown –r –t 0." To: "4. Restart by typing shutdown /r /t0." Change: "7. Restart by typing shutdown –r –t 0, and then log on again as Administrator." To: "7. Restart by typing shutdown /r /t0, and then log on again as Administrator."

Note from the Author or Editor:
Correct as suggested

hamed.zargham  Aug 11, 2011  Nov 18, 2011
PDF
Page 29
Exercise 2 point 2

I suggest typing the following command to find the name of the interface, prior to point 2 of the exercise: netsh interface show interface. Sometimes there can be more than one interface, or the name could be in another language.

Note from the Author or Editor:
Thank you for writing. You are correct--especially with non-English versions of Windows, the name could be different. Add the following text below the code blocks in Step 2, prior to Step 3: If you receive an error, check that your network interface is called "Local Area Connection" by typing netsh interface show interface. Replace "Local Area Connection" in the commands shown above with the correct name of your network connection. SEE FORMATTING AND STYLES IN ERRATA WORD DOCUMENT.

Marcelo Gabelic  Dec 27, 2011  Feb 17, 2012
Printed, PDF
Page 29
Exercise 2, Step 12

Instruction states: Type oclist and confirm that the DNS server role is installed. When executed as stated, the list scrolls immediately to the end, leaving new users the tedious task of scrolling back through powershell, increasing the possibility of missing the 'installed' line. May we suggest adding |more, such that the list will now scroll page by page, allowing the student to more readily see the various options, and aid in finding the installed role. Thus, change: Type oclist and confirm that the DNS server role is installed. to: Type oclist |more and -using the space bar to page through- confirm that the DNS server role is installed.

Note from the Author or Editor:
Good idea. Please add to the next reprint.

Achim Berger  Feb 28, 2013  Nov 22, 2013
Printed, PDF
Page 30
Step 3 of Exercise 3

On page 30, in Step 3 of Exercise 3 the command to add and configure the AD DS role is partially incorrect. Change: "dcpromo /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:contoso.com /ConfirmGC:Yes /UserName:CONTOSO\Adminsitrator /Password:* /safeModeAdminPassword:P@ssword" To: "dcpromo /unattend /replicaornewdomain:replica /replicaDomainDNSName:contoso.com /ConfirmGC:Yes /UserName:Administrator /userDomain:Contoso /Password:* /safeModeAdminPassword:P@ssword"

Note from the Author or Editor:
While the command works as written, the following change should be made to conform with Technet documentation for dcpromo.exe syntax Change: "dcpromo /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:contoso.com /ConfirmGC:Yes /UserName:CONTOSO\Adminsitrator /Password:* /safeModeAdminPassword:P@ssword" To: "dcpromo /unattend /replicaornewdomain:replica /replicaDomainDNSName:contoso.com /ConfirmGC:Yes /UserName:Administrator /userDomain:Contoso /Password:* /safeModeAdminPassword:P@ssword"

hamed zargham  Aug 11, 2011  Nov 18, 2011
Printed, PDF, Safari Books Online, Other Digital Version
Page 31
Question 2

NOTE FROM THE AUTHOR: Question 2 is incorrect. The question was intended to be about Active Directory Federated Services (AD FS): Correction (page 31, Lesson 2, Question 2) SERVER02 is running Server Core. It is already configured with the AD DS role. You want to add Active Directory Federated Services (AD FS) to the server. What must you do? Answer options remain the same. For the correct answer (so I don't spoil the surprise), see the errata for page 922.

Note from the Author or Editor:
This errata was submitted by the author. It is correct.

Dan Holme
O'Reilly Author 
Aug 07, 2011  Sep 23, 2011
Printed, PDF
Page 52
line before step 9

at page 52 , at line before step 9 , it reads : " The DNS name of your Active Directory domain will always be available, because a suffix and cannot be removed. " !!!

Note from the Author or Editor:
Grammatical error. Change text of the last sentence before Step 9 to The DNS name of your Active Directory domain will always be available as a UPN suffix and cannot be removed.

hamed zargham  Oct 07, 2011  Feb 17, 2012
Printed
Page 86
1st paragraph

Practice 2 asks for Barbara Mayer of the Help desk group to reset a password of a user in the same OU as her (User Accounts) - this is expected to work since Help Desk group was delegated Reset Password permissions on the User Accounts OU. However, the book (bottom of page 85) asks to add Domain Users to the Print Operators group so they can log onto Domain Controllers; by doing this, every domain user is now in a protected group and therefore user ACLs no longer inherit from their parent OU (this takes a few minutes to take effect). In this case, the ACL does not contain the Help Desk group anymore and therefore Barbara does not have the permissions to reset passwords - this exercise will fail. Removing domain users from the Print Operators group fixes the issue (resetting ACLs to default as well).

Note from the Author or Editor:
Readers: see note at http://oreilly.com/catalog/errata.csp?isbn=0790145314413 listed for Page 1.

matthew grossman  Oct 31, 2011  Feb 17, 2012
Printed, PDF
Page 91
center of the page

at page 91 , center of the page , information about DSMove command is defective. it is better to change : " DSMove Moves an object to a new container or OU " to " DSMove Moves an object to a new container or OU. DSMove is also used to rename Objects like user accounts , Groups and OUs. "

Note from the Author or Editor:
Change text on page 91: • DSMove Moves an object to a new container or OU or renames an object. SEE FORMATTING AND STYLES IN ERRATA WORD DOCUMENT

hamed zargham  Sep 24, 2011  Feb 17, 2012
Printed, PDF
Page 107
second paragraph from the bottom

at page 107 , second paragraph from the bottom " For example, to get help, including examples, about the New-ADGroupMember cmdlet..." to " For example, to get help, including examples, about the Get-ADGroupMember cmdlet..."

hamed zargham  Jan 29, 2012  Feb 17, 2012
PDF
Page 113
6th paragraph

States that 'md' is an alias for the New-Item cmdlet. However, 'md' is an alias for the mkdir command, seen by <get-alias md> and 'ni' is the only alias for the New-Item cmdlet. A bit confusing and misleading as <get-help md> exposes the New-Item documentation. It also seems that the parameter -itemtype is not optional as suggested, and an error will result if this is not specified, e.g. ni -name "OU=test12" organizationalunit gives an error. Not sure if I have lost the plot here, and happy to be corrected :) If it is valid perhaps categorize this as Minor Technical Mistake.

Note from the Author or Editor:
You are partially correct, and to make the issue more confusing, what you are really spotting here is a change from PowerShell v1 (in Windows Server 2008, when the book was originally authored) and v2 (in R2, for this revision) that we missed. md is an alias for the mkdir *function* (not command). The -itemtype is optional (you can validate this by typing md NewDirectory). New-Item (NI) is a cmdlet and requires the -itemtype parameter. mkdir, as a function, calls new-item and adds the -itemtype parameter as Directory. You can see this by typing gc function:\mkdir and examining the function itself. Confused? You're not alone ;-) There's a nice blog entry on the issue at http://powershell.com/cs/blogs/aleksandar/archive/2009/02/06/do-you-know-the-aliases-for-the-new-item-cmdlet.aspx REVISION REQUEST for next reprint: Page 113 Formatting: follow example in current printing To create a new OU for Contractors in the User Accounts OU, type the following: md "ou=Contractors" Md is an alias for the mkdir function, which itself is a wrapper around the New-Item cmdlet. The syntax is familiar to anyone who has used Command Prompt. But the result is a new OU named Contractors in the User Accounts OU.

Adam Stawski  May 23, 2012  Jul 27, 2012
PDF
Page 122
Exercise 4 Step 5

OU Employees already exists. Command will not complete successfully.

Note from the Author or Editor:
In Step 5, change "ou=Employees" to "ou=New Hires". In Step 8, change Employees and Contractors to Employees, Contractors and New Hires.

Matthew Wandell  Sep 07, 2011  Sep 23, 2011
Printed, PDF
Page 122
Exercise 5 Part 2

Extra space in -UserPrincipalName "linda.mitchell @contoso.com" and "scott.mitchell @contoso.com"

Note from the Author or Editor:
Change Exercise 5, Step 2 to remove space before @ in two instances: New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Linda Mitchell" -SAMAccountName "linda.mitchell" -UserPrincipalName "linda.mitchell@contoso.com" New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Scott Mitchell" -SAMAccountName "scott.mitchell" -UserPrincipalName "scott.mitchell@contoso.com" SEE FORMATTING AND STYLES IN ERRATA WORD DOCUMENT

Jesus Velasquez  Nov 29, 2011  Feb 17, 2012
PDF
Page 133
in middle of page

The example of DSMOD syntax says: dsmod user UserDN [-upn UPN][-fn FirstName][-mi Initial][-ln LastName][-dn DisplayName] [-email EmailAddress] but -dn does not exist as a dsmod command-line parameter; this must be: [ -display Displayname ] Like this example: dsmod user <UserDN> ... [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] ......

Note from the Author or Editor:
Thank you for writing! You are correct. The sample code in the middle of page 133 that currently reads [-dn DisplayName] should be [-display DisplayName] and in the first line of the following paragraph the following change must be made: Each parameter, -display for example,

Marcelo Gabelic  Dec 27, 2011  Feb 17, 2012
Printed, PDF
Page 137
4th Paragraph

Passwords cannot be reset or entered via Windows PowerShell using the "Set-ADUser cmdlet’s -AccountPassword". On page 115 of your book you state the correct method, Set-ADAccountPassword.

Note from the Author or Editor:
Change text on page 137 To reset a user’s password by using Windows PowerShell, use the Set-AccountPassword cmdlet, as explained in Lesson 2.

Anonymous  Nov 29, 2011  Feb 17, 2012
PDF
Page 156
Figure 4-5

The group that has been granted read permissions on the ACL for the 3 folders in Figure 4-5 is Sales, but should be ACL_Sales Folders_Read group.

Note from the Author or Editor:
The reader is correct that the screenshots show the incorrect group name. It should be the ACL_Sales Folders_Read group, rather than the Sales group, in the screenshot. Screenshots will be revised in the next edition of the book.

Chris Hill  Feb 06, 2012 
Printed, PDF
Page 159
understanding Group Type

at page 159 , under the understanding Group Types , in line 4, about Distribution groups , we read : " they do not have SIDs " but when we get properties on a distribution Group , on attribute editor tab we see that there is objectSid attribute which has value.

Note from the Author or Editor:
On page 159, in the second paragraph under “Understanding Group Types,” remove the following text: —they do not have SIDs—

hamed zargham  Oct 18, 2011  Feb 17, 2012
Printed, PDF
Page 163
line 9 (Availability section )

as you know , universal groups can have permissions to resources located in other forests so at page 163 , in line 9 (Availability section ) , change Additionally, a universal group can be used to manage resources—for example, to assign permissions—anywhere in the forest. to Additionally, a universal group can be used to manage resources—for example, to assign permissions—anywhere in the forest and also trusted forests.

Note from the Author or Editor:
Change text on page 163: Additionally, a universal group can be used to manage resources—for example, to assign permissions—anywhere in the forest and in trusting forests.

hamed zargham  Oct 18, 2011  Feb 17, 2012
PDF
Page 192
after point 8.

The task says: To delegate the ability to manage membership for all groups in an OU, perform the following steps: 1. In the Active Directory Users And Computers snap-in, click the View menu and make sure Advanced Features is selected. 2. Right-click the group’s name and choose Properties. This point says "group's", but the exercise is for all groups of the OU. Point 2 must be changed to: 2. Right-click on the OU name that you want to delegate to manage membership for all groups inside this OU and choose Properties.

Note from the Author or Editor:
Thank you for writing. You are correct. Step 2 on page 192 should read: 2. Right-click the OU and choose Properties. Thanks for writing!

Marcelo Gabelic  Dec 28, 2011  Feb 17, 2012
Printed, PDF, Safari Books Online, Other Digital Version
Page 200
First question

The question is: Your company is conducting a meeting for a special project. The data is particularly confidential. The team is meeting in a conference room, and you have configured a folder on the conference room computer that grants permission to the team members. You want to ensure that team members access the data only while logged on to the computer in the conference room, not from other computers in the enterprise. What must you do? My question is: Is the folder on the conference room computer a shared folder? If not, then why do you say access only while logged on to the computer and not from other computers? Isn't it supposed that the information is only on this computer? Can you explain the question more specifically? I can't understand the example.

Note from the Author or Editor:
Change text on page 200 to: Your company is conducting a meeting for a special project. The data is particularly confidential. The team is meeting in a conference room, and you have configured a folder on the conference room computer that grants permission to the team members. The folder is a subfolder of a shared folder to which all employees have access. You want to ensure that team members access the data only while logged on to the computer in the conference room, not from other computers in the enterprise. What must you do?

Marcelo Gabelic  Dec 28, 2011  Feb 17, 2012
Printed
Page 203
Practice 2 - 2nd Command

Suggested Practices - Practice 2: The second command asks you to perform a query and then do a dsmod to add the users from that query to the All Users group you created in Line 1. Written: dsmod group "CN=User Accounts,OU=Groups,DC=contoso,DC=com" -addmbr It should say: dsmod group "CN=All Users,OU=Groups,DC=contoso,DC=com" -addmbr

Note from the Author or Editor:
Thank you for the feedback! You are absolutely correct!

Anonymous  Aug 09, 2011  Sep 23, 2011
Printed, PDF
Page 219
third bullet point

On page 219, in the 3rd bullet point, 2nd line, it states: "_for example, CN=Client Computers,DC=contoso,DC=com." As we know, we can't create any container (for example a Client Computers container) in Active Directory. We can just create OUs, so change "CN=Client Computers,DC=contoso,DC=com." to "OU=Client Computers,DC=contoso,DC=com."

Note from the Author or Editor:
The errata is reasonable and worth changing. change --for example, CN=Client Computers to --for example, OU=Client Computers

hamed zargham  Aug 26, 2011  Nov 18, 2011
Printed
Page 221
Middle of page, 3rd bullet item (reference to Help Desk)

The Help Desk was already created in the Admins OU back in Chapter 2, Exercise 4, Step 13 (on page 68). It can't be created again in this exercise and put in the Admins\Groups OU, because it already exists (an error message results if you try to create it again for this exercise). Should the Help Desk be left where it is in Admins or moved to Admins\Groups? Does the actual location make any difference?

Note from the Author or Editor:
On page 221, replace the following text: Some of these objects were created in practices in earlier chapters, and some are new for this chapter. With the following text: Some of these objects were created in practices in earlier chapters. If the objects already exist, move them to the locations indicated.

Arlen Ball  Dec 22, 2011  Feb 17, 2012
Printed, PDF
Page 227
3rd paragraph

The section that starts with 'If the computer's DN' and finishes with 'DSQuery.' Is incorrect. You cannot add multiple computers using the dsadd computer command as described. For example: This fails: dsadd computer "cn=fredpc,cn=computers,dc=contoso,dc=com" "cn=fredpc2,cn=computers,dc=contoso,dc=com" The other described methods also fail. The syntax of the dsadd computer command clearly shows there is no [...] beside the <dn> parameter: Syntax: dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof <Group ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}] Resolution: Remove the section.

Note from the Author or Editor:
The reader is correct. Replace the section under the heading CREATING COMPUTERS WITH DSADD with the following: The DSAdd command was used in previous chapters to create objects in Active Directory. To create computer objects, simply type dsadd computer ComputerDN where ComputerDN is the distinguished name (DN) of the computer, such as “CN=Desktop123,OU=Desktops,DC=contoso,DC=com”. If the computer’s DN includes a space, surround the entire DN with quotation marks. The DSAdd Computer command can take the following optional parameters after the DN parameter: • -samid ComputerName • -desc Description • -loc Location If you type DSAdd Computer /?, the help text for the command states the following: If you enter multiple values, the values must be separated by spaces (for example, a list of computer distinguished names). This is not accurate. You cannot use the DSAdd Computer command to add multiple computers with a single command. SEE FORMATTING AND STYLES IN ERRATA WORD DOCUMENT

Chris  Sep 12, 2011  Feb 17, 2012
Printed
Page 234
line 5, command line

Suggested command to move a computer is the following: dsmove "CN=DESKTOP153,OU=Computers,DC=contoso,DC=com" -newparent "OU=Clients,DC=contoso,DC=com" dsmove failed:CN=DESKTOP153,OU=Computers,DC=contoso,DC=com:Directory object not found. However the Computers container should be referenced by CN not as an OU otherwise the command will fail: dsmove "CN=DESKTOP153,CN=Computers,DC=contoso,DC=com" -newparent "OU=clients,dc=contoso,dc=com" dsmove succeeded:CN=DESKTOP153,CN=Computers,DC=contoso,DC=com

Note from the Author or Editor:
Page 234, code sample at top of page, change OU=Computers to CN=Computers

Anonymous  Feb 12, 2012  Feb 17, 2012
Printed, PDF
Page 349
Step 8.

The wording of step 8 is very confusing. Several people I have talked to have had issues with this. It should say something like: On the 'Select Server Roles' page review the options and click Next. On the 'Select Client Features' page review the options and click Next. On the 'Select Administration And Other Options' page review the options and click Next. On the 'Select Additional Services' page review the options and click Next. On the 'Handling Unspecified Services' page review the options and click Next. Or alternatively something like: Review but do not change the following pages of the wizard: Select Server Roles, Select Client Features, Select Administration And Other Options; Select Additional Services; and Handling Unspecified Services.

Note from the Author or Editor:
Change step 8 to: Explore the settings that were discovered on SERVER01, but do not change any settings, on the following pages of the wizard: Select Server Roles, Select Client Features, Select Administration And Other Options; Select Additional Services; and Handling Unspecified Services.

Chris  Sep 15, 2011  Sep 23, 2011
Printed, PDF, Safari Books Online, Other Digital Version
Page 394
4th-5th paragraphs

Original text: Three settings are related to account lockout. The first of these settings, Account Lockout Threshold, determines the number of invalid logon attempts permitted within a time specified by the second of these settings, Account Lockout Duration. If an attack results in more unsuccessful logons within that time frame, the user account is locked out. When an account is locked out, Active Directory denies logon to that account, even if the correct password is specified. An administrator can unlock a locked user account by following the procedure you learned in Chapter 3. You can also configure Active Directory to automatically unlock the account after a delay specified by a third setting, the Reset Account Lockout Counter After policy setting. Should be: Three settings are related to account lockout. The first of these settings, Account Lockout Threshold, determines the number of invalid logon attempts permitted within a time specified by the second of these settings, Reset Account Lockout Counter After. If an attack results in more unsuccessful logons within that time frame, the user account is locked out. When an account is locked out, Active Directory denies logon to that account, even if the correct password is specified. An administrator can unlock a locked user account by following the procedure you learned in Chapter 3. You can also configure Active Directory to automatically unlock the account after a delay specified by a third setting, the Account Lockout Duration policy setting.

Note from the Author or Editor:
The errata and suggested correction is accurate.

Forsyte  Jul 22, 2011  Sep 23, 2011
Printed, PDF
Page 411
bottom of the page

at page 411, at the bottom of the page , 2 lines to end , it reads : " Replication is one way (from a writable domain controller to a RODC). " to prevent misunderstanding , it would be more accurate to change that sentence to : " between Writable DC and RODC , Replication is one way (from a writable domain controller to a RODC). "

Note from the Author or Editor:
Change text page 411, 3 lines from the bottom, to the following, losing the parentheses: Replication is one way, from a writable domain controller to the RODC.

hamed zargham  Oct 07, 2011  Feb 17, 2012
Printed, PDF
Page 412
first line

at page 412 , at the end of the first line , it is better to change : " finally, RODCs, unlike writable DCs, have a local administrators group " to " finally, RODCs, unlike writable DCs, have some local groups including a local administrators group "

Note from the Author or Editor:
Change text on page 412, end of first line, to: Finally, RODCs, unlike writable DCs, have some local groups, most notably a local Administrators group.

hamed zargham  Sep 24, 2011  Feb 17, 2012
Printed
Page 413
Point #2

On page 413 in point #2, it states... "2. Right-click the name of the forest and choose Properties." The word forest should be replaced by domain.

Note from the Author or Editor:
Change page 413, step 2, to the following: In the console tree, right-click the root node, Active Directory Domains And Trusts [Server Name], and then click Properties.

Jeff Martin  Oct 06, 2011  Feb 17, 2012
Printed, PDF
Page 425
1st paragraph

I cannot find information about Service Configuration Manager (SCM). Should this be Service Control Manager (SCM) as in http://technet.microsoft.com/en-us/library/dd349449(WS.10).aspx ?

Note from the Author or Editor:
On page 425, in the first paragraph, change Service Configuration Manager (SCM) to Service Control Manager (SCM).

Otto ter Haar  Nov 16, 2011  Feb 17, 2012
Printed, PDF
Page 466
third paragraph under " DNS Devolution "

at page 466 , in the third paragraph under " DNS Devolution " topic , it reads : " Note that devolution will not work if a global suffix list is configured through Group Policy or if the Append parent suffixes of the primary DNS suffix check box is selected in the Advanced TCP/IP Settings for the IPv4 or IPv6 properties of a network connection " terrible mistake ! you should change " is selected " to " is not selected ". so change the whole phrase to : " Note that devolution will not work if a global suffix list is configured through Group Policy or if the Append parent suffixes of the primary DNS suffix check box is not selected in the Advanced TCP/IP Settings for the IPv4 or IPv6 properties of a network connection "

Note from the Author or Editor:
If the Append parent suffixes of the primary DNS suffix check box is NOT selected in the Advanced TCP/IP Settings for IPv4 or IPv6 properties of a network connection, then DNS Devolution will not work. See http://technet.microsoft.com/en-us/library/ee683928%28WS.10%29.aspx for more information.

hamed zargham  Oct 20, 2011  Nov 18, 2011
Printed, PDF
Page 486
last paragraph

at page 486 , at the last paragraph in the sentence : "if you are using site-local addresses in your network, you might type fe80::/64 as the address scope" change the word "site-local" to "link-local"

Note from the Author or Editor:
The word should indeed be link-local as site-local is no longer in use in the industry.

hamed zargham  Sep 24, 2011  Nov 18, 2011
Printed, PDF, Safari Books Online, Other Digital Version
Page 513
Last paragraph

On page 513, in the last paragraph, change \Sources\Adprep to Support\Adprep

Dan Holme
O'Reilly Author 
Feb 12, 2012  Feb 17, 2012
Printed, PDF, Safari Books Online, Other Digital Version
Page 514
Two locations

On page 514, in the first instance of step 2, change \Sources\Adprep to Support\Adprep On page 514, in the second instance of step 2, change \Sources\Adprep to Support\Adprep

Dan Holme
O'Reilly Author 
Feb 12, 2012  Feb 17, 2012
Printed, PDF
Page 516
second line under " installing a new windows server 2008 child domain

at page 516 , second line under " installing a new windows server 2008 child domain, it reads : " If you have an existing domain, you can create a new child domain by creating a Windows Server 2008 R2 domain controller. Before you do, however, you must run Adprep /forestprep,as described in the “Installing the First Windows Server 2008 R2 Domain Controller in an Existing Forest or Domain” section. " this general sentence is not true. only if we have one or more windows 2003 domain controllers in our AD network ,we should perform Adprep /forestprep . so it will be better to change that sentence to this : " If you have an existing domain, you can create a new child domain by creating a Windows Server 2008 R2 domain controller. Before you do, however,if you have one or more windows 2003 domain controllers in your AD network, you must run Adprep /forestprep,as described in the “Installing the First Windows Server 2008 R2 Domain Controller in an Existing Forest or Domain” section. "

Note from the Author or Editor:
Thank you for writing! The errata item is valid. Change the first paragraph on page 516 to: If you have an existing domain, you can create a new child domain by creating a Windows Server 2008 R2 domain controller. Before you do, however, if you have one or more Windows Server 2003 domain controllers in your forest, you must run adprep /forestprep, as described in the “Installing the First Windows Server 2008 R2 Domain Controller in an Existing Forest or Domain” section.

hamed zargham  Dec 22, 2011  Feb 17, 2012
PDF
Page 520
In the Quick Check Question Box

In the book when you give the answer to the question in the quick-check box the answer is incomplete. The answer stated: You must run Adprep.exe /rodcprep to prepare the domain for the RODC. You must then prestage the RODC account, delegating to the manager the ability to attach the domain controller to the account. The manager will run Dcpromo.exe with the UseExistingAccount option to attach the server; but first, the server must be removed from the domain and placed in a workgroup. You don't state that in order to join the RODC to a 2003 domain, there must be a Read-Write 2008 Domain Controller available in the network in order for replication to the RODC to occur. RODCs can only replicate from 2008 servers. You must either upgrade one of the 2003 servers to 2008/2008 R2 or add a 2008/2008 R2 domain controller. You must also run adprep /forestprep and adprep /domainprep /gpprep on a 2003 domain prior to doing any of this.

Note from the Author or Editor:
You are correct that there are other steps related to adding an RODC to a domain, specifically: you must run adprep /forestprep and adprep /domainprep /gpprep; and you must have one writable DC running Windows Server 2008 or Windows Server 2008 R2. Quick Check elements are designed to test your understanding of a more granular technical point, in this case the issues related to delegation of administrative credentials, rather than a broader set of procedures. In a future edition, we will refine this Quick Check to be more targeted, to avoid any concern about whether additional steps are required.

John A. Suggs  Aug 03, 2011  Sep 23, 2011
Printed
Page 554
Practice 2

The Suggested Practice 2 is written "Run Adprep /forest and Adprep /domain /gpprep from the Windows Server 2008 R2 installation DVD \Sources\Adprep folder." It's incorrect: "\Sources\Adprep" should be "\Support\Adprep".

Note from the Author or Editor:
On page 554, in the paragraph for Practice 2, change \Sources\Adprep to Support\Adprep.
On page 513, in the last paragraph, change \Sources\Adprep to Support\Adprep.
On page 514, in the first instance of step 2, change \Sources\Adprep to Support\Adprep.
On page 514, in the second instance of step 2, change \Sources\Adprep to Support\Adprep.

Felipe Pereira Arantes  Oct 20, 2011  Feb 17, 2012
Printed, PDF, Safari Books Online, Other Digital Version
Page 566
last line

RFC has been updated. The sentence "The underscore characters are a requirement of RFC 2052" should be changed to "The underscore characters are a requirement of RFC 2782".

Dan Holme
O'Reilly Author 
Sep 23, 2011  Sep 23, 2011
Printed, PDF
Page 575
second paragraph

At page 575, in the second paragraph, it reads: "When you configure universal group membership caching on a domain controller in a branch office,..." As you know, we can configure universal group membership caching only per AD site and not per domain controller. So change that sentence to: "When you configure universal group membership caching in a site in a branch office,..."

Note from the Author or Editor:
Change text on page 575 to: When you configure universal group membership caching for a branch office site, a domain controller

hamed zargham  Dec 08, 2011  Feb 17, 2012
Printed, PDF
Page 575
last paragraph, number 3

At page 575, last paragraph, number 3, it reads: "The NTDS Site Settings Properties dialog box, shown in Figure 11-8, exposes the Enable Universal Group Membership Caching option You can select the check box and specify the GC from which to refresh the membership cache." If you check, you will see that from that section you can select the AD site from which to refresh the membership cache (you can't specify the GC). So change that sentence to: "The NTDS Site Settings Properties dialog box, shown in Figure 11-8, exposes the Enable Universal Group Membership Caching option You can select the check box and specify the site from which to refresh the membership cache."

Note from the Author or Editor:
Replace the text of Step 3 with the following: The NTDS Site Settings Properties dialog box, shown in Figure 11-8, exposes the Enable Universal Group Membership Caching option. When you select the option, the default of the Refresh Cache From option, <Default>, uses the most efficient route to a site with a global catalog server. It is recommended to use <Default>. Alternately, you can select a site from which to refresh the membership cache. Ensure that the site contains a working global catalog server.

hamed zargham  Dec 08, 2011  Feb 17, 2012
Printed, PDF
Page 595
first paragraph

On page 595, first paragraph, we read: "By default, Repadmin.exe shows only intersite connections. Add the /repsto argument to see intersite connections as well." Note that both words are written "intersite", which is not true.

Note from the Author or Editor:
On page 595, change the first two bullets to the following:
• Displaying replication status: To display the status of inbound replication of a domain controller, type repadmin /showrepl DSA_LIST.
• Displaying connection objects for a domain controller: Type repadmin /showconn DSA_LIST to show the connection objects for a domain controller.
SEE FORMATTING AND STYLES IN ERRATA WORD DOCUMENT

hamed zargham  Sep 27, 2011  Feb 17, 2012
PDF
Page 669
4th paragraph

In the book we can read the following statement: Note that to stop the AD DS service, the DC must be able to communicate with another DC that is running the service. If it cannot, you will not be able to stop the service. AD DS includes automatic checks and verifications that ensure that at least one DC is available at all times; otherwise, no one will be able to log on to the network. In my testing, I can successfully disable or stop the service if the DC cannot access another Domain Controller.

Note from the Author or Editor:
In Windows Server 2008 R2, you can stop the AD DS service if another domain controller is not present; however, if another domain controller is not present, you will not be able to log on to the DC with the stopped AD DS service with domain credentials should the session be closed or locked due to a screen saver. You will also not be able to use the local Domain Services Restore Mode (DSRM) password unless you previously modified the default HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior Registry key settings. For more information on the restartable AD DS service, go to http://technet.microsoft.com/en-us/library/cc732714%28WS.10%29.aspx.

Reza Alikhani  Jul 19, 2011  Sep 23, 2011
Printed, PDF
Page 674
Step number 9 and step number 10

On step 9 and step 10, we are told to click the X button at the end, but the button we are supposed to click is Enter.

Note from the Author or Editor:
This button is indeed Enter.

Shabaz Hussain  Jun 19, 2012  Jul 27, 2012
Printed, PDF
Page 676
Items 9 and 10

In each item there is the text "..., and the click X Button". It should be "click ENTER button".

Note from the Author or Editor:
The button is indeed Enter.

Felipe Pereira Arantes  Oct 25, 2011  Jul 27, 2012
PDF
Page 679
3rd paragraph

We read the following statement in the book: Backups cannot be performed to tape drives or dynamic volumes, only to network drives, removable hard drives configured as basic volumes, or DVDs and CDs. As this book is for Windows Server 2008 R2, Windows Server Backup in Windows Server 2008 R2 can store backups on dynamic volumes...

Note from the Author or Editor:
Windows Server Backup can now back up to additional storage options including dynamic disks and even virtual hard drives (VHD). For more information on Windows Server Backup for Windows Server 2008 R2, go to http://technet.microsoft.com/en-us/library/ee344835%28WS.10%29.aspx.

Reza Alikhani  Jul 14, 2011  Sep 23, 2011
PDF
Page 680
First paragraph

We read the following statement in the book: Backup operators cannot create scheduled backups; only members of the local Administrators group have this privilege in Windows Server 2008 R2. In most cases, this means being a member of the Domain Admins group on DCs. Backup Operators can successfully schedule backups in Windows Server Backup in Windows Server 2008 R2...

Note from the Author or Editor:
Backup operators can create scheduled backups in Windows Server 2008 R2. In fact, Windows Server Backup was updated to simplify its operation in R2.

Reza Alikhani  Jul 14, 2011  Sep 23, 2011
Printed, PDF
Page 692
at the end of step 3

At page 692, at the end of step 3, it reads: "You can restore the data either through the command line or with Windows Server Backup. Note, however, that when you want to restore directory data, you must perform a System State restore and, to do so, you must use the command line." As we see in Windows Server 2008 R2, the Windows Server Backup GUI has the option to do a System State restore, so there is no necessity to use only the command line. We can use the Windows Server Backup GUI to do this restore as well. But the matter is that by using the Windows Server Backup GUI, we can't make only a portion of the directory authoritative, and so we are unable to restore only a portion of the database via the Windows Server Backup GUI.

Note from the Author or Editor:
Yes indeed, in WS08 R2, you can use the graphical interface to perform the restore.

Anonymous  Oct 07, 2011  Nov 18, 2011
Printed, PDF
Page 699
Exercise 1, Number 6

6. Use Windows Explorer to view the results of the snapshot you created with Ntdusutil.exe. Should read: "Ntdsutil.exe." instead of "Ntdusutil.exe"

Note from the Author or Editor:
Indeed, the word is misspelled.

Anonymous  Sep 01, 2012  Dec 14, 2012
Printed, PDF
Page 701
Exercise 3, step 2

Original is spelled incorrectly in the path for the second folder. It is spelled correctly in step 10 of the same exercise.

Note from the Author or Editor:
The path in step 2 should be C:\OriginalNTDS.

Anonymous  Feb 06, 2012  Jul 27, 2012
Printed, PDF
Page 722
Exercise 1, Step 6

Exercise 1 is done on SERVER10, which is a DC in the treyresearch.net domain. Step 6 requests that you use CONTOSO\Administrator. Should this instead be TREYRESEARCH.NET\Administrator?

Note from the Author or Editor:
The login name should be TreyResearch\Administrator in step 6.

Anonymous  Feb 06, 2012  Feb 17, 2012
PDF
Page 731
Last paragraph

We read the following statement in the book: For information on creating a new forest and migrating its contents from one forest to another, look up Windows Server 2008 R2: The Complete Reference by Ruest and Ruest (McGraw-Hill Osborne, 2008 R2). According to my research, Windows Server 2008 R2: The Complete Reference has not been published and does not exist yet. So I think the team has replaced Windows Server 2008 with Windows Server 2008 R2 entirely to publish the second edition!!

Note from the Author or Editor:
Windows Server 2008 R2: The Complete Reference does not exist. The current edition is for Windows Server 2008 only.

Reza Alikhani  Jul 14, 2011  Sep 23, 2011
PDF
Page 742
4th paragraph

As the book says, we can install the AD LDS role by using the following command: start /w ocsetup DirectoryServices-ADAM-ServerCore It's OK, but as the book is about Windows Server 2008 R2, it is better (I think) to use the following command instead: Dism /online /enable-feature /featurename:DirectoryServices-ADAM-ServerCore Reference: http://technet.microsoft.com/en-us/library/ee441260%28WS.10%29.aspx Thanks

Note from the Author or Editor:
Good suggestion. In fact, Windows Server 2008 R2 administrators should get used to the DISM command since it is designed to replace OCSetup in future Server Core versions of Windows Server. For more information on DISM and additional installation and control options, go to http://technet.microsoft.com/en-us/library/dd744382%28WS.10%29.aspx.

Reza Alikhani  Jul 19, 2011  Sep 23, 2011
Printed, PDF
Page 747
First Entry on Table 14-3

The dll file that needs to be registered is incorrectly spelled Schmmgnt.dll. It should be Schmmgmt.dll.

Note from the Author or Editor:
Yes, the DLL is misspelled in Table 14-3. It should be schmmgmt.dll.

Anonymous  Feb 08, 2012  Feb 17, 2012
PDF
Page 751
Last paragraph

On page 751 we can see the following statement: Any additional LDIF files you need for the instance. Place these files in the %SystemRoot%\ADAM folder... The bullet of this sentence has been removed... Thanks

Note from the Author or Editor:
The last item on page 751 should be in bullet format as it forms part of the list begun on page 749.

Reza Alikhani  Jul 30, 2011  Sep 23, 2011
Printed, PDF
Page 754
Step 2

If you type cd windows\adam you get an error message that states there is no such path available. The line should be: cd %systemroot%\adam or the original line with a backslash: cd \windows\adam

Note from the Author or Editor:
Yes, indeed. The command should be cd \windows\adam. Thanks

Anonymous  Jul 08, 2013  Nov 22, 2013
Printed, PDF
Page 761
second bullet

The PowerShell command to remove a user from an instance doesn't work: Remove-ADUser -identity 'username' -server 'servername:port' -path 'distinguishedname of the path where the user is located' I got an error saying "A parameter cannot be found that matches parameter name 'path'." The command works without error if "path" is changed to "partition". So the correct command should be: Remove-ADUser -identity 'username' -server 'servername:port' -partition 'distinguishedname of the instance partition'

Fabio Maccari  Nov 04, 2012  Dec 14, 2012
Printed, PDF
Page 765
step 10

At page 765, at step 10, it reads: "Click OK to close the dialog box. In this case, you do not perform all activities. You only move SERVER04 to the new site link." The word "site link" at the end of the sentence may lead to misunderstanding, so in my opinion it would be better to change the sentence to: "Click OK to close the dialog box. In this case, you do not perform all activities. You only move SERVER04 to the Servers container of the new site"

Note from the Author or Editor:
Remove the word "link" at the end of the sentence.

hamed zargham  Feb 08, 2012  Jul 27, 2012
Printed, PDF
Page 781
1st paragraph

The book states: Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition. This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all features.

Note from the Author or Editor:
Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Our recommendation would be to use this as a root CA only.

Anonymous  Jun 07, 2012 
Printed, PDF
Page 794
Last paragraph on page

When referring to the checkbox "Allow administrator interaction when the private key is accessed by the CA": "The last option on the page provides further protection for the root CA. By selecting this option, you ensure that use of the CA will require administrative access and will work only with this level of access." This explanation seems to be incorrect, and the option should not be selected for this lab. http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx: "If you are using a custom CSP that requires strong private key protection, click Allow administrator interaction when the private key is accessed by the CA. The CSPs included with Windows Server do not require this setting to be enabled."

Note from the Author or Editor:
Using this option will allow administrators to work with third-party CSPs.

Jørn-Morten Innselset  Sep 23, 2011  Nov 18, 2011
Printed, PDF
Page 796, 803, 958
Exercise 2 - Point 1, Lesson Review - Question 1, and answer to said Question - Lesson 1 B

On page 796, for installation of an Enterprise Issuing CA, it specifically states that: "You need local administrative access rights only, but for the purposes of this exercise, the domain administrator account will also work" This implies that you can carry out the Enterprise installation with a local admin account when you can't, and there doesn't seem to be any mention of the fact that you must be using a domain account until you look up the answer for the Chapter 15, Lesson 1 question.

Note from the Author or Editor:
You need domain administrator rights to install an Enterprise CA. The phrase under item 1. should read: "You need domain administrator access rights to perform this operation."

Aray Gerami  Jun 25, 2012  Jul 27, 2012
Printed, PDF
Page 807
step 8, 5th line in second bullet point

At page 807, step 8, 5th line in the second bullet point, it reads: "Also, use encryption to send the key to the CA." In Win2008 R2, this sentence has changed. So change "use encryption to send the key to the CA" to "Use advanced Symmetric Algorithm to send the key to the CA".

Note from the Author or Editor:
Good catch. The proposed change is correct.

hamed zargham  Jan 29, 2012  Feb 17, 2012
Printed, PDF
Page 810
step 8

At page 810, at the end of step 8, it reads: "....... select Read, Enroll and Autoenroll permissions in Allow column". We should not assign the Autoenroll permission to the Online Responder computers, according to this important note in Windows Server 2008 PKI and Certificate Security by Brian Komar, page 220: "Do not assign the Autoenroll permission to the Online Responder computer accounts. An Online Responder will request multiple OCSP signing certificates (one per revocation provider). The default autoenrollment protocol would renew only one of the OCSP Response signing certificates and archive the rest, rendering them unusable."

Note from the Author or Editor:
Permissions should be only Read and Enroll. Online Responders should not use Autoenroll. See http://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx.

hamed zargham  Feb 13, 2012  Feb 17, 2012
Printed, PDF
Page 819
United States

Exercise 1, Step 8 says: "Under Group Or User Names, click the computer name you just added, and then, in the Permissions section of the dialog box, select the Read, Enroll, and Autoenroll permissions in the Allow column." As per a previous correction of this step in the lesson, the Autoenroll permission should not be set.

Note from the Author or Editor:
Remove Autoenroll.

Gram Parker  May 04, 2012  Jul 27, 2012
Printed, PDF
Page 903
the last sentence of the first bullet point

On page 903, the last sentence of the first bullet point refers to the incorrect port 433. Change: "Because of this, all communications occur through port 433 over HTTPS." To: "Because of this, all communications occur through port 443 over HTTPS."

Note from the Author or Editor:
Secure communications in AD FS occur on port 443, not 433.

hamed zargham  Aug 11, 2011  Sep 23, 2011
Printed, PDF
Page 922
Answer to Question 2

Question 2 on page 31 asks if AD CS is supported on Server Core. According to page 24 and the Microsoft page http://www.microsoft.com/windowsserver2008/en/us/r2-compare-core-installation.aspx, AD CS is fully supported. The answer on page 922 indicates that AD CS is not supported, and the correct answer is to reinstall Windows Server.

Note from the Author or Editor:
The errata is valid. The answer to the question, as printed, is A. The question was intended to be about Active Directory Federated Services (AD FS):
Correction (page 31, Lesson 2, Question 2)
SERVER02 is running Server Core. It is already configured with the AD DS role. You want to add Active Directory Federated Services (AD FS) to the server. What must you do?
Correction (Page 922, Lesson 2, Question 2)
Correct Answer: D
A. Incorrect: AD CS not required on the same server as AD FS.
B. Incorrect: AD FS is not supported on Server Core.
C. Incorrect: AD RMS is not supported on Server Core.
D. Correct: AD FS is not supported on Server Core, so you must reinstall the server with the full installation of Windows Server 2008 R2.

Travis Nuske  Aug 04, 2011  Sep 23, 2011
Printed, PDF
Page 927
Answer 3 from Chapter 4, Lesson 1 Review

Choices C, D, E, and F are stated to be correct. Only choices E and F are correct: This is the correct answer:
3. Correct Answers: E, and F
A. Incorrect: Global groups cannot contain global groups from other domains.
B. Incorrect: Global groups cannot contain global groups from other domains.
C. Incorrect: Global groups can only contain items from the same domain.
D. Incorrect: Global groups can only contain items from the same domain.
E. Correct: Global groups can contain users in the same domain.
F. Correct: Global groups can contain global groups in the same domain.
G. Incorrect: Global groups cannot contain domain local groups.
H. Incorrect: Global groups cannot contain universal groups.
This error was also present in the First Edition of this book and is listed in the errata for that edition. Did the Second Edition proof-readers not correct errors from the First Edition errata?

Note from the Author or Editor:
The errata and the suggested correction are accurate.

Thomas Miller  Jul 21, 2011  Sep 23, 2011
Printed, PDF
Page 929
Question 3 of Lesson 3

Page 929, Question 3 of Lesson 3: Answers A, B, C, D are correct. Answer A should be correct. Change: "A. Incorrect: Account Operators does not have the right to shut down a domain controller." To: "A. Correct: Account Operators has the right to shut down a domain controller."

Note from the Author or Editor:
The erratum is correct. Changes, page 929:
"3. Correct Answers: B, C, and D" should be "3. Correct Answers: A, B, C, and D"
and "A. Incorrect:" should be "A. Correct:"

Anonymous  Aug 11, 2011  Sep 23, 2011
Printed, PDF, Safari Books Online, Other Digital Version
Page 953
Question 3, explanation C

Page 953, question 3, explanation C should be: Windows Server 2008 domain level or higher is required for fine-grained password policies. When you raise the forest functional level, you must also raise the domain functional level, making answer C the best answer.

Dan Holme
O'Reilly Author 
Feb 12, 2012  Feb 17, 2012
Printed, PDF
Page 954
Answer C of question 3

On page 953, answer C to question 3 has an incorrect explanation. Change: "C. Correct: Windows Server 2008 forest functional level is required for fine-grained password policies." To: "C. Correct: Windows Server 2008 domain functional level is required for fine-grained password policies."

Note from the Author or Editor:
The erratum is correct, and the suggested change is correct.

Anonymous  Aug 11, 2011  Sep 23, 2011
Printed, PDF
Page 954
Answer C of question 2

On page 954, in question 2, the correct answer is just D, not C. Answer C of question 2 is incorrectly marked as correct, so change: "C. Correct: The /verify parameter verifies the health of an existing trust relationship. Some trusted users are able to access the resources, so the trust relationship is known to be healthy." To: "C. Incorrect: The /verify parameter verifies the health of an existing trust relationship. Some trusted users are able to access the resources, so the trust relationship is known to be healthy."

Note from the Author or Editor:
The errata is correct. Changes below:
Page 953, Question 2: "2. Correct Answers: C and D" should be "2. Correct Answer: D"
Page 954, continuation of Question 2: "C. Correct" should be "C. Incorrect"

Anonymous  Aug 11, 2011  Sep 23, 2011
Printed, PDF
Page 957
Question 1 Correct Answer

The Correct Answer should be D. Page 957, Question 1 1. Correct Answer: C should be 1. Correct Answer: D

Note from the Author or Editor:
Indeed, the correct answer is D and should be noted at the beginning of the text.

Chun-Yeung Ng  Sep 19, 2011  Nov 18, 2011