PrepAway - Latest Free Exam Questions & Answers

What should you identify?

Your network contains an Active Directory forest named contoso.com.

The forest contains two domains named contoso.com and child.contoso.com and two sites
named Site1 and Site2. The domains and the sites are configured as shown in following table.

When the link between Site1 and Site2 fails, users fail to log on to Site2.
You need to identify what prevents the users in Site2 from logging on to the
child.contoso.com domain.
What should you identify?

PrepAway - Latest Free Exam Questions & Answers

A.
The placement of the global catalog server

B.
The placement of the infrastructure master

C.
The placement of the domain naming master

D.
The placement of the PDC emulator

Explanation:
The exhibit shows that Site2 does not have a PDC emulator. This is important because of
the close interaction between the RID operations master role and the PDC emulator role
The PDC emulator processes password changes from earlier-version clients and other
domain controllers on a best-effort basis; handles password authentication requests
involving passwords that have recently changed and not yet been replicated throughout the
domain; and, by default, synchronizes time. If this domain controller cannot connect to the
PDC emulator, this domain controller cannot process authentication requests, it may not be
able to synchronize time, and password updates cannot be replicated to it.

18 Comments on “What should you identify?

    1. Bod says:

      I agree with CmokniGa. You must and can only have one PDC per domain and per child domain. As the child.contoso.com already has a PDC there can’t be another one! The global catalogue will direct logon requests to the closest DC for authentication.




      0



      0
      1. Axel says:

        But the problem states that you should identify the issue, not to “fix it”. That being said, answer D is the correct one, the location of the PDC emulator is causing the trouble.




        0



        0
    1. robber says:

      funny how ppl can misread documentation. using the same quote but with a few more lines text as you quoted.

      Global Catalog and Domain Logon Support
      In a native-mode domain, a Global Catalog server is a requirement for logging on to the domain. For this reason, it is advisable to have at least one Global Catalog server in a site. If a Global Catalog is not available in a site and there is another Global Catalog server in a remote site, the server in the remote site can be used for the logon process.

      So definitely a GC is needed. > A

      The exception that you quoted:
      If no Global Catalog is available in any site, the logon process proceeds with cached logon information.
      Requires that you 1. have a cached credential and 2. are allowed to use cached credentials (which can be disabled by policy).

      Then again if you have a GC and you’ve just changed your pw you can’t reach the PDC emulator which will make your logon fail as well. But the primary problem is just not having a GC in site 2.




      1



      0
      1. Viktor Filipov says:

        Hi Robber,

        We can easily exclude A option here. The question asks what is the wrong placement.
        And if we have WAN link down, we need to make sure that not only Site2 user have to be able to login but Site1 users as well.
        So, if we get the Global Catalog role from DC1 and move it to DC4, in site 2, that would mean we are leaving site1 one without Clobal catalog server and therefore if we have WAN link down, site1 users won’t be able to login.
        That way I am excluding A as a correct answer. The other FMSO role that has something to do with authentication is the PDC emulator.




        0



        0
    1. TechGuy says:

      There is no mention of PASSWORD (CHANGES). The correct answer regards placement. If the answer were PDC, then SITE1 would have the same problem, no? The clients are trying to find a global catalog for the FOREST. They have to traverse the (DOWN) wan link to hit the closest (ONLY) global catalog server for the forest. Place another GC in site 2, and you’re good.

      THE CORRECT ANSWER IS GLOBAL CATALOG SERVER.

      https://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(v=ws.10).aspx

      During an interactive domain logon, the domain controller authenticates the user by verifying the user’s identity, and also provides authorization data for the user’s access token by determining all groups of which the user is a member. Because the global catalog is the forestwide location of the membership of all universal groups, access to a global catalog server is a requirement for authentication in a multidomain forest. A global catalog server is also required for applications such as Microsoft Exchange Server.
      For more information about other reasons why a global catalog server is required, see the FAQ on the Ask the Directory Services Team blog (http://blogs.technet.com/b/askds/archive/2011/09/30/friday-mail-sack-super-slo-mo-edition.aspx#gc).
      An ideal distribution of the global catalog is to have at least one global catalog server in each AD DS site. When a global catalog server is available in a site, the authenticating domain controller is not required to communicate across a WAN link to retrieve global catalog information. It is recommended make all domain controllers be global catalog servers.




      0



      0
  12. Silvio says:

    I’m sorry to disagree. It is correct that you can only have one PDC per child domain, but it must be placed on the right location.
    In this case, DC3 (PDC Emulator for child domain) should be in Site2 and not Site1.
    The issue happens when the link between the two sites is down, which means users from cild domain have no access to the PDC Emulator.
    The answer is D, and it does not mean we have to ADD a PDC Emulator, juste move it to the other site.




    0



    0

Leave a Reply