MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory

Errata for MCTS Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory




The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint the date of the correction will be displayed in the column titled "Date Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.

Color Key: Serious Technical Mistake Minor Technical Mistake Language or formatting error Typo Question Note Update



Version Location Description Submitted By Date Submitted Date Corrected
Printed

Page 649 Incorrect guidance for restoring a DC from a snapshot This section contains in accurate guidance about how to restore a DC on a VM. For more updated guidance, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/library/dd363545(WS.10).aspx

Microsoft Press  Jul 13, 2010 
Printed
Page 28

Steps 4 and 7 contain incorrect command switches On page 28, steps 4 and 7 in Exercise 2 include invalid command line swtiches for the shutdown command. Change: "4. Restart by typing shutdown –r –t 0." To: "4. Restart by typing shutdown /r /t0." Change: "7. Restart by typing shutdown –r –t 0, and then log on again as Administrator." To: "7. Restart by typing shutdown /r /t0, and then log on again as Administrator."

Microsoft Press  Jul 13, 2010 
Printed
Page 28

dns should be dnsserver On page 28, the command given in step 2 of exercise 2 is incorrect. Change: "netsh interface ipv4 set dns name="Local Area Connection"" To: "netsh interface ipv4 set dnsserver name="Local Area Connection""

Microsoft Press  May 06, 2010 
Printed
Page 29

Command incorrect On page 29, in Step 3 of Exercise 3 the command to add and configure the AD DS role is partially incorrect. Change: "dcpromo /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:contoso.com /ConfirmGC:Yes /UserName:CONTOSOAdminsitrator /Password:* /safeModeAdminPassword:P@ssword" To: "dcpromo /unattend /replicaornewdomain:replica /replicaDomainDNSName:contoso.com /ConfirmGC:Yes /UserName:Administrator /userDomain:Contoso /Password:* /safeModeAdminPassword:P@ssword"

Microsoft Press  May 06, 2010 
Printed
Page 90

Command line incorrect On page 90, the first line of the command under the third paragraph is incorrectly formatted. Change: "DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName" To: "DN,objectClass,sAMAccountName,givenName,sn,userPrincipalName"

Microsoft Press  Jul 13, 2010 
Printed
Page 92

Incorrect information regarding LDIFDE On page 92, the 4th line down in the Exam Tip box includes incorrect information about importing passwords. Change: "Neither command enables you to import a user’s password." To: "LDIFDE is the only command that enables you to import a user's password."

Microsoft Press  May 06, 2010 
Printed
Page 94

"%username%" should be "$username$" On page 94, in the command under Step 2 an incorrect token is used. Change: dsadd user "cn=Mike Fitzmaurice,ou=People,dc=contoso,dc=com" -samid mike.fitz –pwd * -mustchpwd yes –hmdir \server01users%username%documents -hmdrv U:To: dsadd user "cn=Mike Fitzmaurice,ou=People,dc=contoso,dc=com" -samid mike.fitz –pwd * -mustchpwd yes –hmdir \server01users$username$documents -hmdrv U:

Microsoft Press  Jul 13, 2010 
Printed
Page 94

Command line incorrect On page 94, the first line of the command under Step 1 is incorrectly formatted. Change: "DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName" To: "DN,objectClass,sAMAccountName,givenName,sn,userPrincipalName"

Microsoft Press  May 06, 2010 
Printed
Page 95

Three should be two On page 95, the second sentence of step 5 refers to three users rather than two. Change: "The three users are imported." To: "The two users are imported."

Microsoft Press  Jul 13, 2010 
Printed
Page 112

Command incorrect On page 112, the command under Step 7 is misspelled and will not function. Change: "set-exceutionpolicy remotesigned" To: "set-executionpolicy remotesigned"

Microsoft Press  May 06, 2010 
Printed
Page 121

"user" missing from command On page 121, the first full command on the page is missing the word "user". Change: dsmod "cn=Tony Krijnen,ou=People,dc=contoso,dc=com" –office "Amsterdam"To: dsmod user "cn=Tony Krijnen,ou=People,dc=contoso,dc=com" –office "Amsterdam"

Microsoft Press  Jul 13, 2010 
Printed
Page 122

DSMOD should be DSQUERY On page 122, the first sentence of the third paragraph is incorrect. Change: "The DSMOD USER command searches Active Directory for users whose names end with Mitchell." To: "The DSQUERY USER command searches Active Directory for users whose names end with Mitchell."

Microsoft Press  Jul 13, 2010 
Printed
Page 122

"%username%" should be "$username$" On page 122, the second full command and fourth full paragraph down contain an incorrect token. Change: "dsquery user "ou=People,dc=contoso,dc=com" | dsmod user -hmdir "\server01users%username%documents" –hmdrv "U:" As mentioned in Lesson 1, the special %username% token can be used to represent the sAMAccountName of user objects when using DS commands to configure the value of the -email, -hmdir, -profile, and -webpg parameters." To: "dsquery user "ou=People,dc=contoso,dc=com" | dsmod user -hmdir "\server01users$username$documents" –hmdrv "U:" As mentioned in Lesson 1, the special $username$ token can be used to represent the sAMAccountName of user objects when using DS commands to configure the value of the -email, -hmdir, -profile, and -webpg parameters."

Microsoft Press  May 06, 2010 
Printed
Page 122

dsget example is incorrect and needs to be replaced On page 122, the dsget example at the bottom of the page is not correct and needs to be replaced. Change: "To display the pre-Windows 2000 logon names of all users in the Sydney office, use this command: dsquery user –office "Sydney" | dsget user –samid" To: "To display the pre-Windows 2000 logon names of all users whose description is "Accountant," use this command: dsquery user -desc "Accountant" | dsget user -samid"

Microsoft Press  May 06, 2010 
Printed
Page 123

Parenthesis missing from VBScript example On page 123, the first VBScript example at the top of the page is missing the closing parenthesis. Change: Set objUser=GetObject("LDAP://cn=Jeff Ford,ou=People,dc=contoso,dc=com"To: Set objUser=GetObject("LDAP://cn=Jeff Ford,ou=People,dc=contoso,dc=com")

Microsoft Press  Jul 13, 2010 
Printed
Page 124

"office" should be "physicalDeliveryOfficeName" On page 124, the last 2 VB script examples on the page are incorrect. Change: $objUser.PutEx(1, "office", 0) $objUser.SetInfo() To:$objUser.PutEx (1, "physicalDeliveryOfficeName", 0) $objUser.SetInfo()Change: objUser.PutEx 1, "office", 0 objUser.SetInfo()To: objUser.PutEx 1, "physicalDeliveryOfficeName", 0 objUser.SetInfo()

Microsoft Press  May 06, 2010 
Printed
Page 127

Unnecessary space in script On page 127, the 3rd script example from the bottom contains an unneccesarry space. Change: $objUser=[ADSI]”LDAP://UserDN” $objuser.psbase.InvokeSet(‘Account Disabled’ ,$true) $objuser.SetInfo()To: $objUser=[ADSI]”LDAP://UserDN” $objuser.psbase.InvokeSet(“AccountDisabled” ,$true) $objuser.SetInfo()

Microsoft Press  Jul 13, 2010 
Printed
Page 127

Code example is missing a line of code to function correctly On page 127, the VBScript code example near the bottom of the page is missing a line of code. Change: Set objUser = GetObject("LDAP://UserDN") objUser.AccountDisabled=TRUETo: Set objUser = GetObject("LDAP://UserDN") objUser.AccountDisabled=TRUE objUser.SetInfo()

Microsoft Press  May 06, 2010 
Printed
Page 133

Incorrect information regarding deleting and creating user accounts On page 133, the first sentence in the 4th bullet point down in the Lesson Summary is incorrect. Change: "When you delete a user account, you cannot create an account with the same name; the new account will not belong to the same groups or have the same resource access." To: "When you delete a user account, you can create an account with the same name; but the new account will not belong to the same groups or have the same resource access."

Microsoft Press  Jul 13, 2010 
Printed
Page 137

"Chapter" should be "Lesson" On page 137, the first bullet point on the page references an incorrect location. Change: "In Chapter 2, you examined a script that can use a .csv file to create users. Modify the script to import users from your .csv file. Construct attributes such as userPrincipalName and displayName in the script, as the sample in Chapter 2 illustrated." To: "In Lesson 2, you examined a script that can use a .csv file to create users. Modify the script to import users from your .csv file. Construct attributes such as userPrincipalName and displayName in the script, as the sample in Lesson 2 illustrated."

Microsoft Press  May 06, 2010 
Printed
Page 152

"Options" should be "Object Types" On page 152, the second sentence of the 3rd bullet point contains an incorrect name for a button. Change: "If you want to add computers to a group, you must click the Options button and select Computers." To: "If you want to add computers to a group, you must click the Object Types button and select Computers."

Microsoft Press  Jul 13, 2010 
Printed
Page 155

Sales group already exists On page 155, Exercise 1 requires that you create a group called Sales and add users to it. A group called Sales was previously created in Chapter 2 and needs to be removed in order to successfully complete this exercise. Add the following Note before the first step in Exercise 1. NOTE: If you have performed the exercises in Chapters 2 and 3 the group Sales may have already been created and the user Jeff Ford may already be added to it. To perform this exercise correctly you will need to delete the Sales group prior to performing any of the steps.

Microsoft Press  May 06, 2010 
Printed
Page 156

"Distribution" should be "Security" On page 156, Step 2 of Exercise 2 references the wrong Group type. Change: "2. Change the group type to Distribution." To: "2. Change the group type to Security."

Microsoft Press  Jul 13, 2010 
Printed
Page 165

Command in Step 4 is incomplete On page 165, the command used in Step 4 is incomplete and will not work. Change: csvde –i –f "%userprofile%importgroups.csv"To: csvde –i –f "%userprofile%documentsimportgroups.csv"

Microsoft Press  May 06, 2010 
Printed
Page 174

"OU" should be "name" On page 174, Step 2 contains incorrect information. Change: "2. Right-click the groups’ OU and choose Properties." To: "2. Right-click the groups’ name and choose Properties."

Microsoft Press  Jul 13, 2010 
Printed
Page 184

Group scopes incorrect On page 184, the first bullet under Chapter Summary contains incorrect Group scope names. Change: "Group scopes (global, universal, domain local, and universal) define group characteristics related to membership, replication, and availability of the group." To: "Group scopes (global, domain local, local, and universal) define group characteristics related to membership, replication, and availability of the group."

Microsoft Press  May 06, 2010 
Printed
Page 198

Figure 5-4 is incorrect On page 198, Figure 5-4 is incorrect and should be disregarded.

Microsoft Press  Jul 13, 2010 
Printed
Page 198

Reference to Dsacls.exe should be removed On page 198, the last sentence contains an incorrect reference to Dsacls.exe. Change: "You will delegate permission to create computer objects, using the Dsacls.exe command, and you will redirect the default computer container." To: "You will delegate permission to create computer objects and you will redirect the default computer container."

Microsoft Press  May 06, 2010 
Printed
Page 209

"Create and Manage a Custom MMC" should be "Automate Importing and Creating Computer Objects" On page 209, the title of the practice is incorrect. Change: "Create and Manage a Custom MMC" To: "Automate Importing and Creating Computer Objects"

Microsoft Press  Jul 13, 2010 
Printed
Page 214

"value" misplaced in code sample On page 214, the last two lines of the last code sample are incorrect. Change: objComputer.Put "property", value objComputer.SetInfoTo: objComputer.Put "property", value objComputer.SetInfo

Microsoft Press  May 06, 2010 
Printed
Page 215

TargetOUDN should be ComputerDN and vice versa On page 215, the last code sample is incorrect. Change: Set objOU = GetObject("LDAP://TargetOUDN") objOU.MoveHere "LDAP://ComputerDN", vbNullStringTo: Set objOU = GetObject("LDAP://ComputerDN") objOU.MoveHere "LDAP://TargetOUDN", vbNullString

Microsoft Press  Jul 13, 2010 
Printed
Page 239

"GPME" should be "GPMC" On page 239, the second sentence of the second paragraph under "Creating, Linking, and Editing GPOs" contains an incorrect acronym. Change: "To delegate permission to other groups, select the Group Policy Objects container in the GPME console tree and then click the Delegation tab in the console details pane." To: "To delegate permission to other groups, select the Group Policy Objects container in the GPMC console tree and then click the Delegation tab in the console details pane."

Microsoft Press  May 06, 2010 
Printed
Page 261

"No Override" should be "Enforced" On page 261, Figure 6-11 incorrectly uses No Override near the top of the figure.Change: "No Override" To: "Enforced"

Microsoft Press  Jul 13, 2010 
Printed
Page 265

"class" should be "namespace" On page 265, the second sentence of the third paragraph is partially incorrect. Change: "Many useful classes, including Win32_Operating System, are found in a class called rootCIMv2." To: "Many useful classes, including Win32_Operating System, are found in a namespace called rootCIMv2."

Microsoft Press  Jul 13, 2010 
Printed
Page 265

GPME should be GPMC On page 265, the first sentence of the fourth paragraph refers to GPME rather than GPMC. Change: "To create a WMI filter, right-click the WMI Filters node in the GPME and choose New." To: "To create a WMI filter, right-click the WMI Filters node in the GPMC and choose New."

Microsoft Press  May 06, 2010 
Printed
Page 266

Incorrect result description of a setting On page 266, the first sentences in the 3rd and 4th bullet points under the heading "Enabling or Disabling GPOs and GPO Nodes" are incorrect. Change: "Computer Configuration Settings Disabled During computer policy refresh, computer configuration settings in the GPO will be applied." To: "Computer Configuration Settings Disabled During computer policy refresh, computer configuration settings in the GPO will not be applied." Change: "User Configuration Settings Disabled During user policy refresh, user configuration settings in the GPO will be applied." To: "User Configuration Settings Disabled During user policy refresh, user configuration settings in the GPO will not be applied."

Microsoft Press  May 06, 2010 
Printed
Page 273

computer should be user On page 273, the last sentence of step 12 is incorrect. Change: "If any user requires exemption from the policies in the CONTOSO Standards GPO, you can simply add the computer to the group." To: "If any user requires exemption from the policies in the CONTOSO Standards GPO, you can simply add the user to the group."

Microsoft Press  Jul 13, 2010 
Printed
Page 275

Additional steps needed On page 275, two steps are needed before step 21. The steps to add are: "20a. Click the Add button in the Security Filtering section 20b. Type the group name, Domain Users, and click OK."

Microsoft Press  May 06, 2010 
Printed
Page 280

"Gpupdate.exe" should be "Ggpresult.exe" On page 280, the command in the Quick Check Answer bullet point is incorrect. Change: "The Group Policy Results Wizard and Gpupdate.exe can be used to perform your top analysis on a remote system." To: "The Group Policy Results Wizard and Gpresult.exe can be used to perform your top analysis on a remote system."

Microsoft Press  Jul 13, 2010 
Printed
Page 294

"Computer Configuration"" should be "Computer ConfigurationPolicies"" On page 294, step 1 at the bottom of the page contains an incorrect path. Change: "In Group Policy Management Editor, navigate to Computer ConfigurationWindows SettingsSecurity SettingsRestricted Groups." To: "In Group Policy Management Editor, navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsRestricted Groups."

Microsoft Press  May 06, 2010 
Printed
Page 346

5136 should be 4662 On page 346, the second sentence of step 19 contains an incorrect Event ID. Change: "You should see both a Directory Service Access event (Event ID 5136) and a Directory Service Changes event (Event ID 5136)." To: "You should see both a Directory Service Access event (Event ID 4662) and a Directory Service Changes event (Event ID 5136)."

Microsoft Press  Jul 13, 2010 
Printed
Page 364

"Security Settings" should be "Windows SettingsSecurity Settings" On page 364, step 6 of Exercise 1 is incorrect. Change: "Expand Computer ConfigurationPoliciesSecurity SettingsAccount Policies, and then select Password Policy." To: "Expand Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAccount Policies, and then select Password Policy."

Microsoft Press  May 06, 2010 
Printed
Page 365

"DomainAdmins" should be "Domain Admins" On page 365, step 11 is missing a space between Domain and Admins. Change: "11. In the Edit Attributes box, type CN=DomainAdmins,CN=Users,DC=contoso,DC=com and click OK." To: "11. In the Edit Attributes box, type CN=Domain Admins,CN=Users,DC=contoso,DC=com and click OK."

Microsoft Press  Jul 13, 2010 
Printed
Page 383

"Ddsmgmt.exe" should be "dsmgmt.exe" On page 383, the first sentence in the second paragraph includes an incorrectly spelled command. Change: "You can configure administrative role separation by using the Ddsmgmt.exe command." To: "You can configure administrative role separation by using the dsmgmt.exe command."

Microsoft Press  May 06, 2010 
Printed
Page 400

Figure 9-3 uses an incorrect header On page 400, in the last box to the right in Figure 9-3 the heading is incorrect. Change: "Internal Network" To: "External Network"

Microsoft Press  Jul 13, 2010 
Printed
Page 416

Question 5 in Quick Check needs to be removed On page 416, question 5 in the Quick Check at the bottom of the page hasn't been covered up until this point in the book. It should be removed.

Microsoft Press  May 06, 2010 
Printed
Page 470

"performed by" missing On page 470, the second sentence of the "Attach the server to the RODC account" is missing the phrase "performed by." Change: "These steps can be the users or groups specified when the RODC account was prestaged; these users do not require any privileged group membership." To: "These steps can be performed by the users or groups specified when the RODC account was prestaged; these users do not require any privileged group membership."

Microsoft Press  Jul 13, 2010 
Printed
Page 471

"attache" should be "attach" On page 471, the second to the last dcpromo command on the page is partially incorrect. Change: dcpromo /useexistingaccount:attache /unattend:"c: odcanswer.txt"To: dcpromo /useexistingaccount:attach /unattend:"c: odcanswer.txt"

Microsoft Press  May 06, 2010 
Printed
Page 517
Paragraph 2

Wrong RFC specified The Sentence "The underscore characters are a requirement of RFC 2052" Should be changed to "The underscore characters are a requirement of RFC 2782"

Note from the Author or Editor:
Errata is correct. RFC has been updated. The Sentence "The underscore characters are a requirement of RFC 2052" Should be changed to "The underscore characters are a requirement of RFC 2782"

Brian Habel  Jun 12, 2011 
Printed
Page 518

"TCP" should be "UDP" On page 518, the last sentence of the first bullet point references an incorrect protocol. Change: "Microsoft clients use only TCP, but UNIX clients can use TCP." To: "Microsoft clients use only TCP, but UNIX clients can use UDP."

Microsoft Press  Jul 13, 2010 
Printed
Page 522

"object" and "attribute" need to be reversed On page 522, the first sentence in the last paragraph is partially incorrect. Change: "Traditionally, replicas have been complete replicas, containing every object of an attribute, and replicas have been writable on all DCs." To: "Traditionally, replicas have been complete replicas, containing every attribute of an object, and replicas have been writable on all DCs."

Microsoft Press  May 06, 2010 
Printed
Page 566

"forest" should be "domain" On page 566, answer C of Question 3 is incorrect. Change: "C. Raise the forest functional level." To: "C. Raise the domain functional level."

Microsoft Press  Jul 13, 2010 
Printed
Page 620

"Dsbutil.exe" should be "DSDButil.exe" On page 620, the 8th tool down in Table 13-2 is spelled incorrectly. Change: "Dsbutil.exe (installed with AD LDS and AD DS)" To: "DSDButil.exe (installed with AD LDS and AD DS)"

Microsoft Press  May 06, 2010 
Printed
Page 621

Description of Repadmin.exe tool incorrect On page 621, in Table 13-2 the description for Repadmin.exe is incorrect. Change: "Troubleshoot and diagnose replication between DCs that use the File Replication Service (FRS), which is the system used when the forest does not run in Windows Server 2008 full functional mode." To: "Repadmin helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems."

Microsoft Press  Jul 13, 2010 
Printed
Page 624

Incorrect information regarding AD DS features On page 624, the last sentence of the last paragraph on the page incorrectly states that AD DS has four features that enable you to recover information without resorting to backups. The last bullet also needs to be removed. Change: "However, AD DS includes four features that enable you to recover information without resorting to backups:" To: "However, AD DS includes three features that enable you to recover information without resorting to backups:" Remove the following bullet point: "The backup and restore feature supported by Windows Server Backup."

Microsoft Press  May 06, 2010 
Printed
Page 656

NTDS should be originalntds On page 656, the first sentence of step 2 contains an incorrect path. Change: "Also, make sure both a C:Temp folder and a C:NTDS folder exist on your server and that both folders are empty." To: "Also, make sure both a C:Temp folder and a C:originalntds folder exist on your server and that both folders are empty."

Microsoft Press  Jul 13, 2010 
Printed
Page 656

Backslash needs to be removed before command On page 656, the 5th command down under step 5 incorrectly places a backslash before the command. Change: cd windows tdsTo: cd windows tds

Microsoft Press  May 06, 2010 
Printed
Page 672

resources should be utilization On page 672, the last sentence of the second paragraph of the "Working with Windows System Resource Manager" section refers to processor resources rather than processor utilization. Change: "This means that when processor resources are low, WSRM does not affect any application." To: "This means that when processor utilization is low, WSRM does not affect any application."

Microsoft Press  May 06, 2010 
Printed
Page 797

private should be public On page 797, the second-to-last sentence of the "Rights account certificate (RAC)" section of Table 16-3 refers to the computer's private key rather than public key. Change: "The private key is encrypted with the computer’s private key." To: "The private key is encrypted with the computer’s public key."

Microsoft Press  Jul 13, 2010 
Printed
Page 853

433 should be 443 On page 853, the last sentence of the second bullet point refers to the incorrect port. Change: "Because of this, all communications occur through port 433 over HTTPS." To: "Because of this, all communications occur through port 443 over HTTPS."

Microsoft Press  May 06, 2010 
Printed
Page 859

"Token Signing Certificate" should be "Server Authentication" On page 859, in the Legend for Figure 17-7 "Token Signing Certificate" and "Server Authentication" are switched. Change: "Token Signing Certificate Server Authentication Client Authentication" To: "Server Authentication Token Signing Certificate Client Authentication"

Microsoft Press  Jul 13, 2010 
Printed
Page 862

Minimize should be removed On page 862, the first sentence of step 5 of the first procedure is incorrect. Change: "Paste the certificate into the Minimize Windows Explorer folder." To: "Paste the certificate into the Windows Explorer folder."

Microsoft Press  May 06, 2010 
Printed
Page 863

Claimapp should be claimapplication01 On page 863, the last sentence of the More Info box contains an incorrect path. Change: "After these files are created, copy them into the C:InetpubWwwrootClaimapp folder." To: "After these files are created, copy them into the C:InetpubWwwrootclaimapplication01 folder."

Microsoft Press  Jul 13, 2010 
Printed
Page 882

Answer marked as correct is incorrect On page 882, answer B of Lesson 2, question 1 is incorrect marked as correct. Change: "B. Correct: Dsrm is used to delete a group." To: "B. Incorrect: Dsrm is used to delete a group not members from a group."

Microsoft Press  Jul 13, 2010 
Printed
Page 882

Answers marked as correct are incorrect On page 882, answers C and D for question 3 are marked as correct when they should be incorrect. Change: "C. Correct: Global groups can contain users in the same forest. D. Correct: Global groups can contain users in trusted domains." To: "C. Incorrect: Global groups cannot contain users in the same forest. D. Incorrect: Global groups cannot contain users in trusted domains." This also applies to the corresponding Lesson Review questions on the CD

Microsoft Press  May 06, 2010 
Printed
Page 884

Answer A should be correct On page 884, Question 3 of Lesson 3 has Answer A marked as Incorrect, it should be Correct. Change: "A. Incorrect: Account Operators does not have the right to shut down a domain controller." To: "A. Correct: Account Operators has the right to shut down a domain controller." This also applies to the corresponding Lesson Review questions on the CD

Microsoft Press  May 06, 2010 
Printed
Page 888

On page 888, the answer to question 2 is incorrect On page 888, the answer given for question 2 is a repeat of the answer to question 1. Change: "2. Correct Answers: B and D A. Incorrect: The central store is used to centralize administrative templates so that they do not have to be maintained on administrators’ workstations. B. Correct: To create GPOs, the business unit administrators must have permission to access the Group Policy Objects container. By default, the Group Policy Creator Owners group has permission, so adding the administrators to this group will allow them to create new GPOs. C. Incorrect: Business unit administrators require permission to link GPOs only to their business unit OU, not to the entire domain. Therefore, delegating permission to link GPOs to the domain grants too much permission to the administrators. D. Correct: After creating a GPO, business unit administrators must be able to scope the GPO to users and computers in their OU; therefore, they must have the Link GPOs permission." To: "2. Correct Answer: B"

Microsoft Press  Jul 13, 2010 
Printed
Page 909

"forest" should be "domain" On page 909, answer C to quesiton 3 has an incorrect explanation. Change: "C. Correct: Windows Server 2008 forest functional level is required for fine-grained password policies." To: "C. Correct: Windows Server 2008 domain functional level is required for fine-grained password policies." This also applies to the corresponding Lesson Review questions on the CD

Microsoft Press  May 06, 2010 
Printed
Page 910

Answer C should be incorrect On page 910, Answer C of question 2 is incorrectly marked as correct. Change: "C. Correct: The /verify parameter verifies the health of an existing trust relationship. Some trusted users are able to access the resources, so the trust relationship is known to be healthy." To: "C. Incorrect: The /verify parameter verifies the health of an existing trust relationship. Some trusted users are able to access the resources, so the trust relationship is known to be healthy." Microsoft Press is committed to providing informative and accurate books. All comments and corrections listed above are ready for inclusion in future printings of this book. If you have a later printing of this book, it may already contain most or all of the above corrections.

Microsoft Press  Jul 13, 2010