MCSE 70-293 Exam Quiz Test 2

The Web Edition of Windows Server 2003 cannot function as a domain controller because it is specifically designed for hosting websites and web applications. It does not have the necessary features and capabilities to manage and control a domain.

A differential backup job type does not reset the archive bits on the files that it copies to the backup medium. This means that only the files that have been modified since the last full backup will be included in the differential backup, without affecting the archive bit status of the files. This allows for a more efficient backup process, as it only backs up the changes made since the last full backup.

The correct answer is "Nlb drainstop". This command is used to shut down NLB operations on a cluster server without interrupting transactions currently in progress. It allows for a graceful shutdown of NLB operations, ensuring that ongoing transactions are not disrupted.

To prevent brute force attempts at password penetration, it is necessary to modify the default setting of the Account Lockout Threshold policy. This policy determines the number of failed login attempts allowed before the account is locked. By setting a lower threshold, such as 3 or 5, the account will be locked after a few unsuccessful attempts, making it difficult for attackers to guess the password through repeated login attempts. This helps to enhance the security of the system and protect against unauthorized access.

Disabling the "Store Passwords Using Reversible Encryption" policy ensures that passwords are not stored in a format that can be easily reversed or decrypted. This means that even if an attacker captures the packets containing the passwords, they will not be able to analyze or use the intercepted passwords. This policy modification enhances the security of user passwords and prevents interception.

Group policies in Windows Server 2003 can be used to enforce password length requirements for users. By configuring the appropriate group policy settings, administrators can specify a minimum password length that users must adhere to when creating or changing passwords. This helps to enhance the security of the system by ensuring that passwords are not easily guessable or susceptible to brute-force attacks.

Increasing the Periodic Announcement Interval setting will reduce the amount of RIP traffic passing over the T-1 link to the home office. This setting determines how often the router sends updates to its neighboring routers. By increasing the interval, the router will send updates less frequently, resulting in less RIP traffic being transmitted over the link.

Using a single network interface adapter in multicast mode would be the most economical option for this scenario. Multicast mode allows multiple servers to receive the same network traffic simultaneously, reducing the need for additional network interface adapters. This mode also enables Network Load Balancing Manager to configure all the servers in the NLB cluster from one of the web servers, simplifying the management process. Since there is little noncluster communication required between the web servers, using a single network interface adapter in multicast mode would provide the necessary functionality while minimizing costs and complexity.

A root CA obtains its own certificate from itself because it is the highest level of authority in a certificate hierarchy. Root CAs are responsible for issuing and signing certificates for subordinate CAs and other entities in the certificate chain. Since they are the topmost authority, they generate their own certificate to establish trust and authenticity within the certificate infrastructure. This self-signed certificate serves as the foundation for issuing and validating certificates throughout the system.

Smart card logon certificates can only be issued by an enterprise certification authority. This type of certificate is used for authentication purposes and allows users to securely log in to a computer or network using a smart card. It provides an additional layer of security by requiring the physical presence of the smart card, making it difficult for unauthorized individuals to access sensitive information.

A digital certificate is a digital document that verifies the authenticity and identity of the sender. It includes various pieces of information such as the validity period, signature algorithm identifier, and public key. However, the private key is not included in a digital certificate. The private key is kept confidential by the certificate holder and is used for decrypting data that has been encrypted with the corresponding public key. Including the private key in the certificate would compromise the security of the encryption system.

The approximate total amount of volatile data that one might have to back up each day is 160 GB.

LTO (Linear Tape-Open) tape drive devices have the greatest capacity compared to QIC (Quarter-Inch Cartridge), DAT (Digital Audio Tape), and DLT (Digital Linear Tape) devices. LTO technology is known for its high storage capacity, fast data transfer rates, and reliability. It is designed to handle large amounts of data, making it a popular choice for backup and archival purposes in enterprise environments. QIC, DAT, and DLT devices have lower capacities compared to LTO, and may not be able to accommodate as much data.

To restore the default security settings of the domain controllers and implement the highest possible level of security, the administrator should apply the "DC Security.inf" template first, followed by the "Hisecdc.inf" template. The "DC Security.inf" template will restore the default security settings, and then the "Hisecdc.inf" template will further enhance the security by implementing the highest possible level of security configurations.

Based on the information given in Table 6-1, the DLT (Digital Linear Tape) would be the best type of magnetic tape drive for this network if you want to use only a single tape for daily incremental backups.

Installing a Fibre Channel adapter in each server and connecting them all to a Fibre Channel switch is the recommended storage hardware configuration for a 4-node database server cluster. This configuration allows for a high-speed, dedicated connection between each server and the storage devices through the Fibre Channel switch. It provides better performance, scalability, and flexibility compared to using a single SCSI bus or SCSI hub. Additionally, using Fibre Channel adapters and a switch allows for easier management and maintenance of the storage infrastructure.

Enabling the Audit Process Tracking policy is likely to require changing the Maximum Security Log Size value because this policy tracks and audits the creation and termination of processes on a system. This can generate a large amount of log data, especially in environments with high process activity. Therefore, increasing the Maximum Security Log Size value would be necessary to ensure that enough log space is available to store the audit information generated by this policy.

N+I failover policy provides the best compensation for multiple node failures. In this policy, there are N active nodes and I spare nodes, where N is the number of active nodes required to handle the workload and I is the number of spare nodes available for failover. If any active node fails, one of the spare nodes takes over its workload, ensuring that the system remains operational even with multiple node failures. This policy offers high availability and redundancy, making it the most effective in compensating for multiple node failures.

You can associate a Group Policy Object (GPO) with a Domain, Site, or Organizational Unit (OU) in Active Directory. A GPO allows you to define and enforce specific settings and configurations for users and computers within these objects. By associating a GPO with a domain, site, or OU, you can ensure that the defined policies are applied to the appropriate users and computers within the specified scope. A GPO cannot be associated with a computer or container object in Active Directory.

Secedit.exe and The Security Configuration and Analysis snap-in are both tools that can be used to compare the templates supplied by the consultant with the security configurations already created on the servers. These tools allow for analysis and configuration of security settings, making them suitable for this task. The Security Templates snap-in and The Group Policy Object Editor console are not specifically designed for this purpose and may not provide the same level of functionality and accuracy in comparing security configurations.

The given correct answer states that the PKI design described satisfies the goals for the network's internal users but not for the external users. This means that while the design may be effective for securing internal communications and access, it may not provide the same level of security and functionality for external users. This could be due to limitations in the design or implementation of the PKI system that prevent it from adequately addressing the needs and requirements of external users.

The effective value of the audit policy for a computer object in the Infrastructure container is "Failure only". This is because the policy is configured to audit failures only in the Infrastructure organizational unit, which is a child of the Servers organizational unit. The configuration in the child organizational unit overrides the configuration in the parent organizational unit, resulting in the policy being set to audit failures only for the computer object in the Infrastructure container.

The settings in the new template come from the snap-in's currently loaded database. This means that the template will include the security settings that are currently configured in the snap-in's database.

The Certification Authority console is used by an administrator to manually issue certificates to clients of a stand-alone CA. This console provides a user interface for managing the CA and performing tasks such as issuing, revoking, and renewing certificates. It allows the administrator to manually generate and issue certificates to clients, ensuring that the appropriate security measures are in place. The other options mentioned, such as the Certificates snap-in, the Web Enrollment Support interface, and the Certificate Templates snap-in, are not used for manually issuing certificates in this scenario.

Enabling the Minimum Password Age policy and setting its value to 28 would prevent users from immediately changing their passwords back again. This policy would require users to wait for a minimum period of 28 days before they can change their passwords again. Changing the Enforce Password History value to 10 would also prevent this practice by keeping track of the previous 10 passwords used by each user and not allowing them to reuse any of those passwords.

When the Security Options policy, Microsoft Network Server: Digitally Sign Communications (Always), is enabled on a computer running Windows Server 2003, users will not be able to view the print queues on the server. This policy enhances security by requiring all communications to be digitally signed, but it restricts the ability to view print queues on the server. Users can still submit jobs to a print queue, install printer drivers stored on the server, and create printer shares on the server.

To create a composite security configuration and implement it on all web servers, you should modify the values of the policies corresponding to the current computer settings you want to use in the new database you created. After modifying the values, export the database to a new template and apply it to the Web servers' organizational unit object. This will combine the settings from the template with the settings already configured on the computer, allowing you to create a composite security configuration for all the web servers.

The N+I failover policy ensures that the entire database is constantly available without any server running multiple partitions, even if two servers fail. By splitting the database into two partitions and assigning each one to an active server, the workload is distributed. If one server fails, the active server can fail over to the remaining server, ensuring continuous availability. This policy allows for redundancy and load balancing, making it an effective choice for maintaining database availability.

Audit Process Tracking is the correct answer because this audit policy enables the tracking of processes and programs that are running on a system. It records information about the start and end of processes, including the name of the process, the user account that initiated the process, and the time the process was started and ended. By enabling this policy, administrators can determine what applications were running at the time of a security event, providing valuable information for investigating and responding to security incidents.

To accomplish the objective of deploying a baseline security configuration for the member servers using group policies, the following tasks must be performed:

1. Create a new organizational unit: This is necessary to organize and manage the member servers separately from other objects in the Active Directory.

2. Move the computer objects representing the member servers: By moving the computer objects to the newly created organizational unit, you can ensure that the group policies are applied specifically to these servers.

3. Create a new GPO: A new Group Policy Object (GPO) needs to be created to define the baseline security configuration settings for the member servers.

4. Apply a GPO to an organizational unit: The newly created GPO should be linked and applied to the organizational unit containing the member servers, so that the defined security configuration gets applied to those servers only.

Modifying the domain GPO is not required in this scenario as the objective is to apply the baseline security configuration to the member servers only.

The information given states that "None of the three administrators has correctly configured the new domain controllers with the appropriate security settings." This means that all three domain controllers are not correctly configured. Therefore, the correct answer is "Two of the three domain controllers are correctly configured with the appropriate security settings; the other one is not."

Granting the R&D users permission to use the Smartcard Logon, Basic EFS, and IPSec certificate templates ensures that only the employees in the R&D department receive certificates for smart card logons, EFS, and IPSec. This option specifically grants the necessary permissions for the desired certificates, ensuring that only the R&D users have access to them.

The user is unable to access the print queue due to the "Unable to connect. Access denied." error message. However, when the person logging in from their workstation with the user's account, they are able to access the print queue normally. This suggests that the issue is specific to the user's workstation. The correct answer states that the "Microsoft Network Client: Digitally Sign Communications (Always)" security option is enabled on the user's workstation. This security option could be causing the access denied error when trying to connect to the print server.

Changing the certificate type does not increase the burden on the CA's processor because it does not involve any additional computational operations or complex calculations. Changing the certificate type simply involves modifying the format or structure of the certificate, which can be done without significant impact on the CA's processor. In contrast, increasing the key length, increasing the certificate's lifetime, and issuing new keys with each certificate renewal all require additional processing power and resources from the CA.

The correct answer is Neither because demand-dial routing is not required for either Router01 or Router02.

not-available-via-ai

The correct answer is to create a Group Policy Object for each organizational unit and apply the appropriate template to it using the Group Policy Object Editor console. This is the correct procedure to apply security templates to the organizational units. The Security Templates snap-in is used to create the templates, but they are applied using Group Policy Objects. The Security Configuration and Analysis snap-in is used to analyze the security settings, not to apply the templates. Secedit.exe is a command-line tool that can be used to apply security settings, but it is not the recommended method for applying templates in this scenario.

The root CA and the intermediate CAs can safely be taken offline after the initial deployment of the PKI. This is because the root CA is responsible for issuing and signing the certificates for the intermediate CAs, and the intermediate CAs are responsible for issuing and signing the certificates for the issuing CAs. Once the certificates are issued and signed, they can be used by the issuing CAs to issue certificates to end entities. Therefore, the root CA and intermediate CAs can be taken offline without affecting the ability of the issuing CAs to issue certificates.

ICMP stands for Internet Control Message Protocol. It is a network protocol used by network devices to send error messages and operational information about network conditions. In System Monitor, selecting the ICMP performance object would allow monitoring of the number of TCP/IP error messages transmitted and received by a computer. This is because ICMP is responsible for transmitting and receiving error messages related to TCP/IP communication. The other options, such as Network Interface, TCPv4, and UDPv4, are not specifically designed to monitor TCP/IP error messages.

You can apply the desired policy settings to the Domain Controllers container by either modifying the existing GPO in the container or creating a second GPO specifically for the container. Modifying the existing GPO allows you to directly add or change the policy settings in the container. Creating a second GPO gives you the flexibility to have separate policy settings for the Domain Controllers container without affecting the existing GPO.

DNS servers might be accessible from the Internet, and DHCP and WINS servers are not. This is a correct reason because DNS servers are often exposed to the public internet, making them more vulnerable to attacks or unauthorized access. On the other hand, DHCP and WINS servers are typically only accessible within the local network, reducing the potential risks.

DNS server failures can have an immediate effect on network client performance. This is also a correct reason because DNS is responsible for translating domain names into IP addresses, allowing clients to access websites and services. If the DNS server malfunctions or becomes unavailable, clients will not be able to access the desired resources, leading to a significant impact on network performance.

By enabling the "Network Access: Do Not Allow Anonymous Enumeration Of SAM accounts and Shares" security option, the GPO adds protection from Internet intruders by preventing them from anonymously enumerating SAM accounts and shares. This helps to secure sensitive information and restrict unauthorized access. Additionally, by enabling the "Accounts: Rename Administrator Account" security option, the GPO adds another layer of protection by changing the default administrator account name, making it more difficult for intruders to guess the username and gain unauthorized access.

Increasing the default value specified in the Maximum Security Log Size policy would prevent the domain controller from shutting down because it would allow for more events to be logged before the log becomes full. Disabling the Audit: Shut Down System Immediately If Unable To Log Security audits security option would also prevent the shutdown because it would not force the system to shut down if it is unable to log security audits.

To capture as much auditing information as possible, you should enable the Security Options policy, "Audit: Audit the Use Of Backup and Restore Privilege." This policy will audit any usage of the backup and restore privilege on the domain controllers. Additionally, you should increase the default value of the Event Log policy, "Maximum Security Log Size." This will ensure that the security log can capture a larger amount of auditing information.

Infrastructure servers and web servers require superior network performance because they handle a large amount of network traffic. Infrastructure servers are responsible for managing and maintaining the network infrastructure, such as DNS and DHCP servers, and need a fast and reliable network connection to handle the demands of multiple clients. Web servers host websites and need to deliver content quickly to users, so they also require a high-performance network connection to handle the incoming requests and deliver the web pages efficiently.

Members of the Users group can create new files in the Documents And Settings folder, as well as in their own home folder. They do not have permission to create new files in the root folder or the Windows folder.

Changing the "Reset Account Logon Counter After" value to 60 minutes would make it harder for intruders to penetrate user passwords by trial and error because it would increase the time required between consecutive login attempts, reducing the number of attempts an intruder can make within a given time frame. Enabling the "Password Must Meet Complexity Requirements" policy would also make it harder for intruders to penetrate user passwords by trial and error because it would require users to create passwords that meet certain complexity criteria, making them more difficult to guess or crack.

To receive certificates from an enterprise CA using auto-enrollment, a user must have permission to use certificate templates. This is necessary in order to request and receive the appropriate certificate. Additionally, the user must have access to Active Directory, as this is where the certificate information is stored and managed. Access to the Certificates snap-in is not necessary for auto-enrollment, as the process is automated and does not require manual intervention. Membership in an organizational unit to which administrators have applied a Group Policy Object may be beneficial, but it is not a requirement for auto-enrollment.

not-available-via-ai

not-available-via-ai