Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory

Errata for Self-Paced Training Kit (Exam 70-640): Configuring Windows Server 2008 Active Directory




The errata list is a list of errors and their corrections that were found after the product was released.

The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.





Version Location Description Submitted By Date Submitted
Printed, PDF Page 12,22
Fourth point, Lesson Review Question #1

On page 12 it states: "Additionally, the domain controller must be configured with a DNS server address to perform name resolution." Page 22 has a question regarding the successful creation of a Win08 DC, yet D is an incorrect answer because the reader is supposed to assume that the AD installation wizard will install/configure it despite no previous mention of this fact. This seems a bit strange considering the third point on page 12 went out of its way to state it "must" be configured. Page 12 should probably be re-worded to something along the lines of "Additionally, the domain controller must be configured with a DNS server address to perform name resolution. In the absence of a DNS server, the Active Directory Installation Wizard will install and configure DNS service on the domain controller.", as stated in the answer on page 921.

Aray Gerami  Oct 26, 2012 
Printed Page 24
2nd line

Active Directory Certificate Services is not supported in Windows Server 2008 core installation

carlos mejia  Feb 17, 2012 
Printed Page 28
Step 10

The command: net user administrator * should be referenced. I was not prompted to change password on login after install. The above command changes the admin password

Michael Wiles  May 03, 2012 
Printed Page 29
Point 6

If you type only what the book says: netdom join %computername% /domain:contoso.com, the command does not work and fails; you must add the user and password of the domain on the Server01 PC: netdom join %computername% /domain:contoso.com /userd:contoso.com\administrator /passwordd:P@assword

Raúl  Jun 12, 2012 
Printed Page 29
Exercise 2, Step 2

In Exercise 2, step 2, the gateway address is typed as "10.0.0.1 1" with a space between the last two ones. The command does not produce any errors, but it misconfigures the server with a default gateway of 10.0.0.1 instead of the intended address of 10.0.0.11. The IP address should be typed without spaces between the numbers.

Jaime Ortiz  Aug 19, 2012 
Printed Page 29
Exercise 2, Step 6

If you use the command as typed in step 6, you will get an error message saying "unknown username or bad password". This is because the command is missing the parameter to specify the domain user account and password.

Jaime Ortiz  Aug 19, 2012 
Printed Page 29
1st paragraph

It says in the exercise that Server01 needs to be running, but how do I do that? I have Server 2008 Standard installed on partition 1. I have Server Core installed on partition 2. How do I run Server01 when I'm working on another partition? Do I need to run Server Core with VMware (if so, how does it work)? I have no experience whatsoever with VMware.

Anonymous  Aug 21, 2012 
Printed Page 29
Exercise 2 point 7.

Change: Restart by typing: shutdown /r /t0 to: shutdown /r /t 0. There must be a space between the /t and the 0.

Theone72  Dec 10, 2012 
Printed Page 29
Exercise 2 Lines 4 & 7

Lines 4 & 7 of Exercise 2 give shut down command of 'shutdown /r /t0' There must be a space between the /t & its value. 'shutdown /r /t 0'

William Sawyer  Jan 21, 2013 
Printed Page 31
Review question 2

Page 31 review question 2: The answer is, in my view, not correct; AD CS can be installed on a core server according to the MS page http://gallery.technet.microsoft.com/scriptcenter/Setup-Certification-bd2aff3e

Microsoft Press  May 22, 2013 
PDF Page 42
Top of Page

The tip at the top of page 42 offers a suggestion on reducing the steps necessary to have a shortcut request administrative credentials, however that is for local administrator access, not for the domain admin access required to administer active directory objects. I have researched this and there does not appear to be a reliable solution for this that I have found. Even configuring the shortcut to use the runas command does not work with saved mmc consoles during my testing. I also found a script posted on a Microsoft blog that does not work either.

Abraham Guerrero  Jun 29, 2012 
PDF Page 58
1st paragraph

Extract from the book: "You do not need to enter the full name; you can enter either the user’s first or last name, or even just part of the first or last name." Here it must be Display name (or User logon name (pre-Windows 2000)) instead of "last name". The Select dialog box will not find anything if you try to search by last name.

Aleksandr Zhelnitskiy  Jan 24, 2013 
Printed, PDF Page 70
13th point

On the 13th point of (chapter 2, exercise 6) it is written that the saved query would show users from both the User Accounts OU and Admins OU, but actually the output of this query is only the "guest" user.

trivender  Jun 06, 2012 
Printed Page 85
Last Paragraph

The TechNet documentation has been followed to the tee. If I browse to the Domain Users group and add it, an error is generated. The error says - "Windows cannot process the object with the name "Domain Users" because of the following error - The specified domain either does not exist or could not be contacted." If I type in "CONTOSO\Domain Users" manually and also add Administrators manually, the information saves, but when I try to log on as bmayer, I see the error message "You cannot log on because the log on method you are using is not allowed on this computer. Please see your network administrator for more information." This is obviously going to hold me up for the remaining 900 pages as it says you need to log on locally for many exercises. Need a fix for this ASAP as I just spent the last hour trying to sort it but to no avail. So the TechNet article isn't good enough. Why oh why haven't the instructions been included in detail in the book??? As someone who is fairly new to all this I expect everything to be laid out precisely and not have to find stuff on the internet.

Anonymous  May 22, 2012 
Printed Page 85
Last Paragraph

In the last paragraph, the link provided for "Grant a Member the Right to Logon Locally" should be updated from http://technet.microsoft.com/en-us/library/ee957044WS.10).aspx to http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx

Jack Smith  Jan 16, 2013 
Printed Page 86
Practice 1

In Practice 1, the first error is that you have to log on to the CONTOSO domain as Barbara Mayer (CONTOSO\bmayer); on SERVER01, as the book says, you can't log on (SERVER01\bmayer). The second error is that if you try to reset the password of any user you get an 'Access denied' error, because on page 85 the book says to add the Domain Users group to the Print Operators group. When you do that, all users get an extra protection even if you leave the Print Operators group. Solution: add only Barbara Mayer to the Print Operators group (in order to be able to log on to CONTOSO), create a new user in the User Accounts OU and then try to reset their password --> now it works.

Raul  Jun 14, 2012 
Printed, PDF Page 106
5th paragraph

On page 106, in the 5th paragraph, change: "To list all processes running on a computer, type the following command: Get-Service" to "To list all processes running on a computer, type the following command: Get-Process"

hamed zargham  Mar 12, 2012 
Printed Page 114
Bottom of page, the new-aduser using the instance $user

Throws a password error "The password does not meet the length...". Did I miss a step about turning password complexity off, or is this from some other issue? Thanks!

Robert Cowling  Oct 03, 2012 
Printed Page 122
Exercise 4 Step 5

"Type the following command to create an OU called Employees in the User Accounts OU" Should be: "Type the following command to create an OU called New Hires in the User Accounts OU"

Anonymous  Feb 20, 2013 
Printed Page 122
Exercise 5

Steps 1-3 do not show any kind of confirmation after typing each command in that exercise, so nothing is shown as it is supposed to be in step 4. I tried it several times. All you get after each line of command is the double >> (arrows).

Eric Acosta  Sep 03, 2013 
Safari Books Online 140
3rd sentence from the top of the page

The book states that "In Windows PowerShell, you can use the Move-ADObject or Move-Item cmdlets to move a user to another OU." But Move-Item cannot be used for Active Directory items.

Hwal Park  Jul 16, 2012 
Printed, PDF Page 163
Universal Groups - Membership at the top

P163 No mention of computers as members of Universal Groups but on P164 says computers can be members of Universal Groups. Which is correct?

Anonymous  May 25, 2012 
PDF Page 164, 927
table 4-1 in 164 and Answer for question 3 on 927

Table 4-1 states that Global group can contain users, computers, and Global groups from the same domain. Answers for question 3 on page 927 state that users from a different domain in the same forest and users from a trusted external domain can be members of Global group. Which is right?

Hwal Park  Jul 18, 2012 
PDF Page 174, 927
Chapter 4, Lesson 1, Answer 3

The Chapter 4, Lesson 1, Question 3 reads: You have created a global security group in the contoso.com domain named Corporate Managers. Which members can be added to the group? (Choose all that apply.)
A. Sales Managers, a global group in the fabrikam.com domain, a trusted domain of a partner company
B. Sales Managers, a global group in the tailspintoys.com domain, a domain in the contoso.com forest
C. Linda Mitchell, a user in the tailspintoys.com domain, a domain in the contoso.com forest
D. Jeff Ford, a user in the fabrikam.com domain, a trusted domain of a partner company
E. Mike Danseglio, a user in the contoso.com domain
F. Sales Executives, a global group in the contoso.com domain
G. Sales Directors, a domain local group in the contoso.com domain
H. European Sales Managers, a universal group in the contoso.com forest
On the answers page, the correct answers are listed as C, D, E, and F. Shouldn't the answers read E and F only? Options C and D are not in the same domain as the Global Group being created.

Anonymous  Jun 01, 2012 
PDF Page 176
DSadd -memberof bullet point

The -memberof attribute is listed as "-member of" with an incorrect space between member and of.

Ronan Fahy  Mar 28, 2012 
Printed, PDF Page 182
Exercise 2 description

At the description of exercise 2 you write: "DSAdd can create a group, and even populate its membership, with a single command." The command you write below does not use the -members parameter to populate membership. So either delete the sentence above or change the command to add some existing members to the group.

Vassilis Stathopoulos  Oct 11, 2012 
PDF Page 188
2nd par

While discussing the "protect object from accidental deletion" option, you say: "This is one of the few places in Windows in which you must click OK instead of Apply. Clicking Apply does not modify the ACL based on your selection." This is not strictly speaking true - it implies that ONLY if you click OK does the ACL get updated. It is true that at the point you click Apply, it does not perform the update, but even if you click Apply and then click Cancel, the ACL is updated as can be verified when you next open the object and view its ACL.

Ronan Fahy  Mar 28, 2012 
Printed Page 190
Shaded area "NOTE Click OK"

Similar to the error already mentioned on page 188... clicking Apply by itself does not immediately apply the change to the ACL. But in addition to the OK button, clicking Apply and then the X in the upper-right corner or the Cancel button also updates the ACL. When you reopen properties for the group you'll notice that the Managed By tab reflects the change even if you never click OK. Also the Allow::Write Members permission is checked even though you never clicked on OK. So the text should reflect that the Apply button does not work as one might expect. The ACL does not immediately reflect the change you've made. Either click OK to implement the change or if you select Apply you'll need to also click Cancel or close the properties dialog box using the X in the upper right corner. Then, when you re-open the Properties for the group you will find the changes have stuck.

Russ  Jan 30, 2014 
Printed, PDF Page 195
Account Operators Description

On P195 printed and PDF the Account Operators description needs to state that it can shut down servers (assuming that it can???). The answer to Q3 on P929 needs careful review in both PDF and printed versions as it's different in both and actually STILL incorrect in both (Check the wording in the printed answer 3a!!!).

Lenny Davis  May 25, 2012 
Printed, PDF Page 203
Practice 3

On the first part of typing the command to add members I got the error, "dsget failed:Directory object not found." After removing OU=Groups, for the dsget command, the command succeeded. Also, on the second command, to add the members back, on the dsmod section I had to remove, "OU=Groups" to get the command to succeed.

Anonymous  Mar 29, 2012 
PDF Page 203
United Kingdom

See confirmed Errata for P203, PDF version still incorrect. Should read:- dsquery user "OU=User Accounts,DC=contoso,DC=com" | dsmod group "CN=All Users,OU=Groups,DC=contoso,DC=com" -addmbr NOT dsquery user "OU=User Accounts,DC=contoso,DC=com" | dsmod group "CN=User Accounts,OU=Groups,DC=contoso,DC=com" -addmbr

Lenny Davis  May 25, 2012 
Printed Page 208
3rd section 'The Default Computers Container'

Sentence reads 'you cannot create an OU within a container so you cannot subdivide the Computers OU'. The Computers object type is 'container'; it is not an OU.

Anthea Jack  Mar 19, 2012 
Printed Page 227
Bottom

The last section of the page "Creating Computers with NetDom" contains no information about netdom. Instead, text from the previous section about DSAdd is repeated here.

Jeremy Peake  Apr 06, 2012 
Printed Page 227
Section titled "Creating Computers with NetDom"

The section titled "Creating Computers with NetDom" does not contain any information regarding this command. Instead, it contains the corrected information for the section titled "Creating Computers with DSAdd" which was a result of the errata submitted by Chris on September 12, 2011, and supposedly "corrected" on February 17, 2012. The publisher placed the corrected information in the wrong section, and removed the instruction material for using NetDom to create computers in AD.

Derek Hansell  Aug 04, 2012 
Printed Page 227
Creating Computers with NetDom Section

The previously suggested corrections for the "Creating Computers with DSAdd" section have been applied to the "Creating Computers with NetDom" section. This has resulted in duplicate material for the DSAdd process, and no information at all for the NetDom process. The text (page 228 - paragraphs above "Creating Computers with Windows PowerShell") also includes commentary unlikely to have been intended for inclusion in the instructions.

Victoria  Jan 31, 2013 
Printed Page 227
From title: Creating Computers with NetDom

Found in a revised and updated version with errata changes included (purchased 2013). Under the "Creating Computers with NetDom" title, the same text from above in the section titled "Creating Computers with DSAdd" repeats itself. I have also been referring to an older PDF version of the 70-640 (2008 R2) and the NetDom section is correct in this. Surprised to see this considering it was correct in an older version. Thanks.

Eli  Feb 23, 2013 
Printed Page 227
United Kingdom

CREATING COMPUTERS WITH NETDOM
The wording under this header is a copy of the wording under CREATING COMPUTERS WITH NETDOM, this is obviously wrong. Example wording should be:
To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Syntax:
netdom add <Computer> {/d: | /domain:} <Domain> [{/ud: | /userd:}[ <Domain>\]<User> {/pd: | /passwordd:}{ <Password>|*}] [{/s: | /server:} <Server>] [/ou: <OUPath>] [/dc] [/help | /?]
Example:
netdom add /d:devgroup.example.com mywksta /OU:OU=Dsys,OU=Workstations,DC=contoso,DC=com
Note: If you do not specify the /ou parameter, netdom creates the account in the Computers container.

Paul McCherry  Sep 24, 2013 
Printed, PDF Page 230
Exercise 4

The exercise instructs the user to run the New-ADComputer cmdlet in Windows PowerShell to add a computer named "DESKTOP154". The command will fail in the standard PowerShell window. The user must either start the Active Directory Module for Windows PowerShell, or run the 'import-module activedirectory' cmdlet first, in order for the command to work.

greenstarthree  Sep 30, 2013 
Printed Page 260
Back up and Restore from Back up section

It's specified that GPO links are also backed up when backing up a GPO, and can be restored when restoring. That is not true. Links are part of the OU (gpLink attribute), and not the GPO itself.

Shabaz Hussain  Jun 26, 2012 
PDF Page 261
GPO replication paragraph 3

"If the reverse happens, and the GPO replicates to a domain controller before the GPC" Shouldn't GPO here be GPT?

Ronan Fahy  Feb 14, 2012 
PDF Page 261
4th paragraph

The book says that the Group Policy Verification Tool (gpotool) is available at the Microsoft Download Center. OK. No problem. But there is no version of gpotool for Windows Server 2008 or for R2. The gpotool is part of the Windows Resource Kits for Windows Server 2003, and there isn't a version for Windows Server 2008 R2. Also, I need to say that this book is amazing and it is helping me so much!!!

Marcos Turato  Jun 28, 2012 
PDF Page 269
Bottom of page

Incorrect location given for the Policies folder when creating the central store. The correct location is \\contoso.com\SYSVOL\sysvol\contoso.com\Policies\

Jose  Apr 12, 2012 
Printed Page 281
3rd paragraph

When you say "A GPO that is applied later in the process, because it has higher precedence, overrides settings applied earlier in the process. This default order of applying GPOs is illustrate in Figure 6-8.", it's wrong. It's exactly the opposite. And the figure also confirms this.

Anonymous  Dec 12, 2012 
Printed Page 281
3rd paragraph

I've sent you this wrong errata warning:

"When you say "A GPO that is applied later in the process, because it has higher precedence, overrides settings applied earlier in the process. This default order of applying GPOs is illustrate in Figure 6-8.". it's wrong. It's exactly the opposite."

The text is OK, sorry. But the figure is wrong.

ERRATA: GPO processing order for Contractors OU = 1,2,3,4,5
CORRECT: GPO processing order for Contractors OU = 5,4,3,2,1
ERRATA: GPO processing order for Laptops OU = 1,2,6,7
CORRECT: GPO processing order for Laptops OU = 7,6,2,1

Otherwise, by reading the incorrect text, it seems that domain policy settings are applied first, and local GPOs are applied later. Thanks and sorry again.

Anonymous  Dec 12, 2012 
Printed Page 281
3rd paragraph

I was too tired, I don't know how to excuse myself again. Please delete the warning from "anonymous" about page 281, 3rd paragraph, 12 Dec 2012. There aren't errors on this page. Thanks.

Anonymous  Dec 12, 2012 
Printed, PDF Page 286, 299
Note on page 286 and 299 Lesson Summary, fifth point

The wrong critical statement on page 286: "NOTE USE GLOBAL SECURITY GROUPS TO FILTER GPOs: GPOs can be filtered only with global security groups—not with domain local security groups." Page 299, Lesson Summary, fifth point: "Only global security groups can be used to filter GPOs." You could filter a GPO with all 3 security group scopes (Domain Local, Global, Universal) in the parent domain of the group. For example, in the test domain Adatum.com, 3 different GPOs are each filtered with a different security group scope. All GPOs work fine and are applied!

Alex  Nov 11, 2013 
PDF Page 296
Point 7

There is "Expand User Configuration\Policies\Administrative Templates\Control Panel" Should be "Expand User Configuration\Policies\Administrative Templates\Personalization"

PT  Feb 21, 2012 
Printed, PDF Page 309
United Kingdom

Exercise 2, no. 5. Had to remove quotes for this command to work.

Lenny Davis  May 26, 2012 
Printed, PDF Page 315
Practice 4

The suggested method to prevent a domain level GPO (CONTOSO Standards) from applying a screen saver, by denying the computer account the Apply Group Policy permission, will not have the suggested/desired effect. The domain level GPO is still inherited by the computer account and is therefore one of its GPOs. While the computer account is unable to apply the domain level GPO (as expected), the user that logs on WILL be able to apply the domain level GPO. Thus the screen saver policy will still take effect. This can be verified by explicitly denying a test user permission to apply the domain level GPO. The computer OU either needs to block inheritance or otherwise not inherit the domain level GPO (i.e. move it to the user accounts OU). Alternatively, overriding the settings for the screensaver in the computer OU GPO to 'disabled' would have the same effect, as it has a higher precedence in this example (i.e. no enforcement). In any of the mentioned situations, denying the computer account 'apply' permissions will have no real effect, as the user is the security principal that provides authentication for GPO application.

Andrew Morgan  Jan 01, 2013 
Printed, PDF Page 350
Exercise 5

Step 5 fails, giving the same response as Step 4.
Copy the .xml file to have the same name, but with the spaces removed, and correct the parameter: still as Step 4.
Remove the quotes around the filename: it works.
E.g.:
FAILS - scwcmd transform /p:”DC Security Policy.xml” /g:”DC Security Policy”
FAILS - scwcmd transform /p:”DCSecurityPolicy.xml” /g:”DC Security Policy”
WORKS - scwcmd transform /p:DCSecurityPolicy.xml /g:”DC Security Policy”
Note: scwcmd.exe Version 6.1.7601.17514

Anonymous  May 24, 2012 
PDF Page 409
Question 1

Question 1. There is no correct answer, because the questions are wrong. The end of answer B should be ".... Default Domain Controllers Policy GPO".

PT  Sep 19, 2012 
PDF, ePub, Mobi, Safari Books Online, Other Digital Version Page 409
Question 1

All options, A/B/C/D, for question 1 mention defining an Audit Policy in the Default Domain Policy GPO, however as answers A and B mention auditing Account Logon Events, the setting should be defined in the Default Domain CONTROLLERS Policy GPO, as is suggested as a best practice in the Training Kit. Answers A and B in question 1 should be changed to: "... in the Default Domain Controllers Policy GPO."

Adam Throp  Oct 27, 2013 
Printed, PDF Page 414
United Kingdom

Under the heading "Running ADPrep /RODCPrep": "If you are upgrading an existing forest to include domain controllers running Windows Server 2008 or Windows Server 2008 R2, you must run ADPrep /RODCPrep". Shouldn't this read Windows Server 2003, as per the steps at the bottom of page 412?

Lenny Davis  May 27, 2012 
PDF Page 425
5th paragraph

On page 425, 5th paragraph, the author writes about Managed Service Accounts: "After you create a domain account for a service, you can assign the account to the service on more than one system. For example, an enterprise backup service can be configured to run on multiple servers under a single domain account." An MSA can be linked to only one computer at a time, as described by the author on page 429, 2nd paragraph: "Each managed service account can be used on only one computer. Services on multiple computers cannot use a single managed service account"

Bruno Centonze  Dec 26, 2013 
Printed Page 475
After point 23 of exercise 4

After point 23 of exercise 4, the final DS should be created, but I get the error "Directory Configurationm Information indicates that the domain "northwindtraders.com" already exist. Do you want to reinstall the domain?..." If I select "yes", this message keeps coming back over and over; if I select "No", the generation of the DS is aborted. I'm running SERVER10 and SERVER20 on MS HYPER-V, and they can communicate with each other (configured both servers with static IPs in the same IP-Range..). I tried to find known issues about this, but could not find anything. Did I miss something, or is this issue unknown to you? Thanks Rienus van Hees Switzerland

Rienus van Hees  Mar 23, 2012 
Printed Page 475
After point 23 of exercise 4

I just found out how to solve the problem; I used the same MS HYPER-V VHD files to "clone" the servers used in the exercise. "This problem occurs when you are using cloned virtual machines that have the same SID. You can renew your SID using a tool. Please consult this website: http://technet.microsoft.com/en-us/s.../bb897418.aspx" Could be interesting to notice ;-) Greetings Rienus van Hees

Anonymous  Mar 23, 2012 
Printed, PDF Page 500
Step 11

On Step 11, the command line is dnscmd /config /enableglobalnamessupport 1 The correct statement should be dnscmd <servername> /config /enableglobalnamessupport 1 where <servername> is SERVER10, SERVER20, SERVER30

Tom Lam  Oct 21, 2013 
Printed Page 508
Line 3, first paragraph.

"...and a member server named SERVER02, with a full installation of Windows Server 2008 R2." At the beginning of the book we do a core installation of SERVER02, so this line left me a bit confused because there's a clear distinction between "Full Installation" and "Server Core Installation" in the Windows 2008 R2 setup. SERVER02 is removed in Exercise 4, Chapter 2, Lesson 2 but due to the naming of the server (SERVER02) it did slightly confuse me until I saw the actual exercises for Chapter 10. Perhaps it could be more clear to some future readers if this particular full installation was renamed to something other than SERVER02.

Aray Gerami  May 28, 2012 
Printed, PDF Page 523
United States

To perform this exercise, you need a second server running Windows Server 2008 full installation. The server must be named SERVER02, and it should be joined to the contoso.com domain. Its configuration should be as follows:
- Computer Name: SERVER02
- Domain Membership: contoso.com
- IPv4 address: 10.0.0.12
- Subnet Mask: 255.255.255.0
- Default Gateway: 10.0.0.1
- DNS Server: 10.0.0.11
The problem is that this exercise should be performed on a member server, not a domain controller. Running dcpromo on a domain controller will not allow you to create an answer file, it will demote the domain controller.

Hank Lambert  Sep 09, 2012 
Printed, PDF Page 525
Exercise 2 Step 5

The command does not appear to work. I receive the error:- "You must supply the name of the domain to which this user account belongs" I have copied and pasted the command from the Adobe file into Notepad and ensured it's one big line.

Lenny  May 31, 2012 
Printed Page 537
Step 6.

Wrong syntax: Should be naming master instead of domain naming master

Jón Arnar  Feb 22, 2012 
Printed Page 601
Chapter summary

Within a site, domain controllers replicate quickly, using a topology generated by the Knowledge Consistency Checker (KCC), which is adjusted dynamically to ensure effective intersite replication. Intersite replication should be intrasite replication.

René Vögler  Jan 20, 2013 
Printed Page 607
NOTE section, bottom of the page.

The author states, "It's important to note that raising a functional level is a one-way operation: you cannot lower a domain or forest functional level." Starting with 2008 R2 you can indeed roll back, but only as far as Windows Server 2008 DFL and FFL. You cannot roll back any earlier than Windows Server 2008 and you would need to be at Windows 2008 R2 (or higher) DFL or FFL in order to roll back. An additional requirement is that you have not enabled the Active Directory Recycle Bin. http://technet.microsoft.com/library/understanding-active-directory-functional-levels(v=WS.10).aspx http://social.technet.microsoft.com/wiki/contents/articles/850.how-to-revert-back-or-lower-the-active-directory-forest-and-domain-functional-levels-in-windows-server-2008-r2.aspx

Russell Halfar  Feb 17, 2014 
Printed, PDF Page 609
2nd and 3rd paragraph

The second paragraph lists the following supported OS's:

The Windows 2000 Native domain functional level
Supported operating systems:
Windows 2000 Server
Windows Server 2003
******************
Windows Server 2008
Windows Server 2008 R2

The third paragraph lists the following supported OS's:

Windows Server 2003 domain functional level
Supported operating systems:
Windows Server 2003
******************
Windows Server 2003 R2
******************
Windows Server 2008
Windows Server 2008 R2

It is very unlikely that "Windows Server 2003 R2" is not supported in "Windows 2000 Native" domain functional level so it should either not have been mentioned in paragraph 3 or it should have been mentioned in paragraph 2, to mention it in one but not in the other is misleading. On this Microsoft Technet web page: http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx Windows Server 2003 is the only "2003" server OS mentioned, they choose not to mention 2003 R2. Hope this helps someone. Rob. (Scotland)

Robert Brown  Apr 16, 2012 
PDF Page 609
1st paragraph

Explanation of 'lastLogonTimestamp' attribute in Windows 2003 functional level states that this attribute is replicated within the domain. This is not true - each DC maintains its own value of this attribute and does not replicate it.

Rastislav Habala  Jun 21, 2012 
Printed Page 611
Top of the page "IMPORTANT ONE-WAY OPERATION"

Author states, "Raising the domain functional level is a one-way operation. You cannot roll back to a previous domain functional level." This is true for all functional levels prior to Windows Server 2008 R2. Starting in R2 you can revert back only as far as Windows Server 2008 DFL or FFL. http://technet.microsoft.com/library/understanding-active-directory-functional-levels(v=WS.10).aspx Refer to the section called "Guidelines for raising domain and forest functional levels" and in particular note the "Rollback options" in the 2 tables. One table addresses Current domain functional level while the other table addresses Current forest functional level. Step-by-Step how-to... http://social.technet.microsoft.com/wiki/contents/articles/850.how-to-revert-back-or-lower-the-active-directory-forest-and-domain-functional-levels-in-windows-server-2008-r2.aspx

Russell Halfar  Feb 17, 2014 
Printed, PDF Page 617
Question 3, option C

On question 3, option C, it should say 'domain' rather than 'forest'. Fine-grained password policies only require 2008 domain functional level. Note that the answer for this question displays 'domain' in the latest printing. However, the latest PDF that came with the latest printing has the answer including the word 'forest', and the older printed texts have 'forest'. Answers are on page 953. The latest printed edition we have has the date [2011-09-23] printed on the 4th page of the book.

Chris Harrow  Mar 26, 2012 
Printed Page 619
Figure 12-3

The child domain in Figure 12-3 is shown as CORP.CONTSO.COM. It is expected to be CORP.CONTOSO.COM so that it is an accurate depiction of the Forest structure in the picture.

Tim  May 20, 2013 
Printed Page 712
Working with Windows Reliability Monitor

I'm not sure if I am doing something wrong. The issue may be that I am using Windows Server 2008 R2 and the text is reflecting instructions for (and showing screenshots of) Windows Server 2008. In my installation of R2 I am not finding Reliability Monitor "located under the Diagnostic\Reliability and Performance\Monitoring Tools node in Server Manager". "Reliability and Performance" appears to have been replaced with "Performance". I have Performance Monitor listed under Monitoring Tools, but Reliability Monitor is absent. The tool can still be accessed by typing "reliability" into the START search box, or by going through Control Panel and clicking the link for "View Reliability History" in Action Center.

Russell Halfar  Feb 18, 2014 
Printed Page 845
Table 16-1

Processor requirement is written "One Pentium, 4.3 GHz or higher " under both the requirement and recommended columns. It should be " One Pentium 4, 3 GHz or higher "

Anonymous  Nov 11, 2012 
Printed, PDF Page 923
at the top of the page, answer D to question 1 of lesson 1

On page 923, at the top of the page, answer D to question 1 of lesson 1: " D. Incorrect: DSMOD USER with the -p switch can be used to reset a user’s password; however...... ". This sentence has a problem and will lead to mislearning. Change it to " D. Incorrect: DSMOD USER UserDN -pwd -u -p switch can be used to reset a user’s password; however...... ".

hamed zargham  Feb 19, 2012 
PDF Page 925
Lesson 3 Question 1

The book says that answer 'a' is incorrect because the users are in two OUs. However, you can update the description field on objects that are in different OUs as long as you do it from the query section of ADUC. In fact, this is the only field that you can update from the queries section, which made this question seem as if it were testing for knowledge of that fact.

Abraham Guerrero  Jun 29, 2012 
Printed Page 925
Lesson 3 Question 1

I add a detail to the errata reported by Abraham Guerrero. If the answer 'a' was really incorrect, it's also necessary to correct the section "Managing Attributes of Multiple Users" at page 128, because it's written "Be certain that you select only objects of one class, such as users" and not "Be certain that you select only objects of one class and of one OU".

Anonymous  Mar 25, 2013 
PDF Page 929
Question 3

Wrong answer. The right answer should be A,B,C,D. Members of Account Operators group can log on locally to domain controllers in the domain and shut them down.

PT  Feb 13, 2012 
Printed, PDF Page 929
Case Scenario, Answer 3

The case scenario mentioned that "Several interns are currently working in the Marketing department, and you want to prevent them from gaining access" to the shared folders for Sliced Bread. However, in Answer 3 of the case scenario solution it appears this requirement hasn't been addressed, as it suggests granting write access to the whole Marketing group. Would the solution be to put in place a third, "Deny" domain local group and put selected Marketing interns in there?

Paul C  Mar 25, 2012 
Printed, PDF Page 929
Lesson 3, Answer 3

Replace "does not have" with "has". A. Correct: Account Operators does not have the right to shut down a domain controller. Should be: A. Correct: Account Operators has the right to shut down a domain controller.

Danny  Sep 13, 2012 
Printed Page 929
Chapter 4, Lesson 3, Question 3

The book states the following: 3. Correct Answers: A, B, C, and D A. Correct: Account Operators does not have the right to shut down a domain controller. B. Correct: Print Operators has the right to shut down a domain controller. C. Correct: Backup Operators has the right to shut down a domain controller. D. Correct: Server Operators has the right to shut down a domain controller. E. Incorrect: The Interactive special identity group does not have the right to shut down a domain controller. Instead of: 3. Correct Answers: B, C, and D A. Incorrect: Account Operators does not have the right to shut down a domain controller. B. Correct: Print Operators has the right to shut down a domain controller. C. Correct: Backup Operators has the right to shut down a domain controller. D. Correct: Server Operators has the right to shut down a domain controller. E. Incorrect: The Interactive special identity group does not have the right to shut down a domain controller. Hope this helps.

Anonymous  Nov 03, 2012 
PDF Page 933
Lesson 2 Answer 1

I think the correct answer should be only C. Answer B: by blocking inheritance on the OU that contains all users in the Domain Admins group, we prevent ALL policy settings from applying to those users, not only Northwind Lockdown.

PT  Jul 20, 2012 
Printed, PDF Page 941
Chapter 8, Lesson 1, Question 1 (answer)

The answer to the question states: 1. Correct Answers: C, D, and E A. Incorrect: The password policies in the Default Domain Policy GPO define policies for all users in the domain, not just for service accounts. However, in the question itself (pg 403) it states: " Your Active Directory domain includes an OU called Service Accounts that contains all user accounts." Surely, changing the Default Domain Policy to require passwords with 40 characters is the simplest and most effective method here. All user accounts are in the Service Accounts OU, ergo the question is asking to change the password policy for all User accounts. Why go to the extent of creating a fine-grained policy that then applies to all users?

Phil Burchell  Jun 18, 2013 
PDF Page 944
Case scenario 2, answer 1

Answer number 1 says: Ensure that all domains are at the Windows Server 2003 domain functional level and that the forest is at the Windows Server 2003 forest functional level. On the schema master, run Adprep /rodcprep. Upgrade at least one Windows Server 2003 domain controller to Windows Server 2008. The question says that the DCs are 2003, so before you can promote a Windows 2008 server to DC, you need to run adprep /forestprep and adprep /domainprep, so three adprep runs are needed to add an RODC.

Fabio Maccari  Sep 18, 2012 