Microsoft 70-291 Practice Exam

43 Questions | Attempts: 144

Managing and Maintaining a Windows Server 2003 Network Infrastructure


Questions and Answers
  • 1. 

    You are the administrator of your company's DNS servers. The primary DNS server, which is named Jupiter, runs Windows Server 2003. A Windows 2000 Server DNS server named Mars hosts a secondary DNS zone for the Active Directory domain. Jupiter has been configured to allow zone transfers to Mars. Mars is configured with the default zone transfer settings.  Some of your users complain that they cannot access some hosts by name. You decide to use System Monitor on Mars to determine whether it receives zone transfers from Jupiter.

    • A.

      On XYZ -PR01, run the net session command.

    • B.

      On XYZ -PR01, run the netstat command.

    • C.

      On XYZ -PR01, run the netsh command.

    • D.

      On XYZ -PR01, run the netstcap command

    Correct Answer
    D. On XYZ -PR01, run the netstcap command
    Explanation
    Explanation: Netstcap.exe is a command-line tool that could be opened to capture the network traffic. A filter can be created to be used during the capture to determine the MAC address the print jobs are sent to. The Network Monitor Capture Utility (netstcap.exe) can be used to capture network traffic in Network Monitor.

  • 2. 

    You are the network administrator for a single Active Directory domain named internaldom.com. A Windows Server 2003 computer named DNSA is the only DNS server in the domain. It hosts only the internaldom.com domain.  Users report that resolving DNS names has slowed considerably over the past several weeks. You decide to research the problem. Your first plan of action involves finding out whether the problem lies with DNSA.  What should you do?

    • A.

      Use the DNS Event Log to monitor for DNS Event ID 2 and 3.

    • B.

      Use System Monitor to monitor the Network Interface: Bytes Total/sec counter.

    • C.

      Enable debug logging on DNSA. Configure the log to capture Request and Response packets.

    • D.

      Enable debug logging on DNSA. Configure the log to capture Outgoing and Incoming packets.

    • E.

      Use System Monitor to monitor the DNS: Dynamic Update Received/sec, DNS: Total Query Received/sec, and DNS: Total Response Sent/sec counters.

    Correct Answer
    E. Use System Monitor to monitor the DNS: Dynamic Update Received/sec, DNS: Total Query Received/sec, and DNS: Total Response Sent/sec counters.
    Explanation
    Explanation: You should use System Monitor to monitor the DNS: Dynamic Update Received/sec, DNS: Total Query Received/sec, and DNS: Total Response Sent/sec counters. System Monitor will actually report statistical information regarding the DNS server. This statistical information will help you to determine if performance on DNSA is not what it should be. The Dynamic Update Received/sec counter displays the total number of dynamic update requests received by the DNS server. The Total Query Received/sec counter displays the average number of queries received by the DNS server each second. The Total Response Sent/sec counter displays the average number of responses sent by the DNS server each second.

    You should not use the DNS Event Log to monitor for DNS Event ID 2 and 3. Event 2 indicates that the DNS server has started. Event 3 indicates that the DNS server has shut down. These events will not help you to determine the cause of performance problems on DNSA.

    You should not use System Monitor to monitor the Network Interface: Bytes Total/sec counter. This counter tells you if problems exist on the network, not if problems exist with DNSA.

    You should not enable debug logging on DNSA and configure the log to capture Request and Response packets. Debug logging logs more specific information than statistical information. While it can be used to record information on certain types of packets, it is not the tool to use if diagnosing performance problems.

    You should not enable debug logging on DNSA and configure the log to capture Outgoing and Incoming packets. Debug logging logs more specific information than statistical information. While it can be used to record information on certain types of packets, it is not the tool to use if diagnosing performance problems.
    Debug logging has several different logging categories: Queries/Transfers, Response Packets, Request Packets, Updates, and Notifications. The Notification category is not logged by default and must be explicitly enabled.

  • 3. 

    You are an administrator for your company network. The network is configured as a single Active Directory domain. Your company is starting a new project, and a group of employees from several departments, including the IT department, has been assigned to the project.   The IT employees who are assigned to the project will be responsible for common administrative tasks, such as managing user accounts, groups, and Group Policy links. The authority of the IT employees should be restricted to the administration of the users and resources that are assigned to the project. You must assign the required level of administrative authority to the IT employees who are assigned to the new project. You want to perform this task with the least amount of administrative effort.  What should you do?

    • A.

      Create a new domain, move the appropriate users and computers to the new domain, and assign the appropriate IT department employees to the Domain Admins group in the new domain.

    • B.

      Create a new user group, add the appropriate users and computers to the new group, and assign the appropriate IT employees to the Account Operators built-in group

    • C.

      Create a new Active Directory site, move the appropriate users and computers to the new site, and delegate control of the site to the appropriate IT employees.

    • D.

      Create a new OU, move the appropriate users and computers into the OU, and delegate control of the OU to the appropriate IT department employees.

    Correct Answer
    D. Create a new OU, move the appropriate users and computers into the OU, and delegate control of the OU to the appropriate IT department employees.
    Explanation
    Explanation: In this scenario, you should move all users, computers and other resources that are assigned to the project to a new organizational unit (OU), and delegate control of the appropriate tasks in the OU to the IT employees who are assigned to the project. You can delegate several common administrative tasks, such as the creation, management and deletion of user and group accounts, as well as the management of Group Policy links within the OU, to specified users or groups. To perform this task, you should create a new OU, right-click it, select Delegate Control, and follow the instructions of the Delegation of Control wizard.

    You should not create a new domain, move the appropriate users and computers to the new domain, and assign

  • 4. 

    You are the network administrator for I-Technic Industries. The network contains Windows XP Professional and Windows Server 2003 computers. You have two Windows 2003 domain controllers named DC1 and DC2 that are responsible for a single domain named itechind.com. Your primary DNS server is installed on a domain controller named DC1.itechind.com. You have one secondary DNS server installed on a member server named Srv2.itechind.com.  You want to ensure that updates can be made to any server. You also want to optimize and simplify the management of DNS replications and zone transfers.  What should you do?

    • A.

      Promote Srv2.itechind.com to a domain controller.

    • B.

      On DC1.itechind.com, add Srv2.itechind.com to the notify list.

    • C.

      On DC1.itechind.com, set the Time to Live (TTL) value in the SOA record to a higher value.

    • D.

      Remove the DNS Server service from Srv2.itechind.com. Install the DNS Server service on DC2.itechind.com. Convert the zone hosted by DC1.itechind.com to an Active Directory-integrated zone.

    Correct Answer
    D. Remove the DNS Server service from Srv2.itechind.com. Install the DNS Server service on DC2.itechind.com. Convert the zone hosted by DC1.itechind.com to an Active Directory-integrated zone.
    Explanation
    Explanation: In this scenario, you should move all users, computers and other resources that are assigned to the project to a new organizational unit (OU), and delegate control of the appropriate tasks in the OU to the IT employees who are assigned to the project. You can delegate several common administrative tasks, such as the creation, management and deletion of user and group accounts, as well as the management of Group Policy links within the OU, to specified users or groups. To perform this task, you should create a new OU, right-click it, select Delegate Control, and follow the instructions of the Delegation of Control wizard.

    You should not create a new domain, move the appropriate users and computers to the new domain, and assign the appropriate IT department employees to the Domain Admins group in the new domain. Creating a new domain would require more resources and administrative effort than is necessary. One or more additional computers would have to be configured as domain controllers, and all appropriate user and computer accounts would have to be moved from their existing domains to the new domain. Additionally, the administration of a two-domain forest would require more effort than a single-domain forest.

    You should not create a new user group, add the appropriate users and computers to the new group, and assign the appropriate IT employees to the Account Operators built-in group.

    If you assigned the IT employees from the project team to the Account Operators group in the existing domain, you would enable them to manage the accounts of most users and computers in the domain, which would give the IT employees more administrative authority over user accounts than is necessary. However, members of the Account Operators group cannot manage Group Policy links.

    You should not create a new Active Directory site, move the appropriate users and computers to the new site, and delegate control of the site to the appropriate IT employees. Active Directory sites are intended to group computers based on their common connectivity and physical location. Sites are not administrative or security units, and they can include resources that belong to different domains. Sites contain computers, not users. It is not possible to assign control over user accounts by delegating control over a site.

  • 5. 

    You are the network administrator for I-Technic Industries. The network contains Windows XP Professional and Windows Server 2003 computers. You have two Windows 2003 domain controllers named DC1 and DC2 that are responsible for a single domain named itechind.com. Your primary DNS server is installed on a domain controller named DC1.itechind.com. You have one secondary DNS server installed on a member server named Srv2.itechind.com.  You want to ensure that updates can be made to any server. You also want to optimize and simplify the management of DNS replications and zone transfers.  What should you do? 

    • A.

      Promote Srv2.itechind.com to a domain controller.

    • B.

      On DC1.itechind.com, add Srv2.itechind.com to the notify list.

    • C.

      On DC1.itechind.com, set the Time to Live (TTL) value in the SOA record to a higher value.

    • D.

      Remove the DNS Server service from Srv2.itechind.com. Install the DNS Server service on DC2.itechind.com. Convert the zone hosted by DC1.itechind.com to an Active Directory-integrated zone.

    Correct Answer
    D. Remove the DNS Server service from Srv2.itechind.com. Install the DNS Server service on DC2.itechind.com. Convert the zone hosted by DC1.itechind.com to an Active Directory-integrated zone.
    Explanation
    Explanation: You should remove the DNS Server service from Srv2.itechind.com. Next you should install the DNS Server service on DC2.itechind.com. Finally, you should convert the zone hosted by DC1.itechind.com to an Active Directory-integrated zone. Converting the zone hosted by DC1.itechind.com to an Active Directory-integrated zone ensures that updates can be made to any server. In addition, using this zone type, zone transfers occur automatically as part of Active Directory replication.

    You should not promote Srv2.itechind.com to a domain controller. You already have another domain controller that is used as part of your DNS structure. This solution does not change the zone type, which is necessary to achieve your goals.

    You should not add Srv2.itechind.com to the notify list on DC1.itechind.com. This only ensures that DC1.itechind.com contacts Srv2.itechind.com when changes are made to the DNS database. It does not change the zone type, which is necessary to achieve your goals.

    You should not set the Time to Live (TTL) value in the start of authority (SOA) record on DC1.itechind.com to a higher value. This setting only affects the amount of time a server can cache information for a zone.

  • 6. 

    You are the network administrator for a large shoe manufacturer. The network consists of a single Active Directory domain containing Windows Server 2003 computers and Windows XP Professional client computers. You have configured several Group Policy Objects (GPOs) to enforce IPSec for certain types of communications on your network.  FileSrv1 provides file services for confidential corporate data. A GPO is supposed to encrypt all communication involving FileSrv1. However, it has recently been discovered that some files have been compromised.  Management has asked you to view all IPSec settings applied through GPOs to FileSrv1. You must also be able to determine the GPO to which an active IPSec policy is assigned.  Which two tools should you use? (Choose two. Each correct answer presents part of the solution.)

    • A.

      Netdiag.exe

    • B.

      IP Security Monitor console

    • C.

      IP Security Policy Management console

    • D.

      Resultant Set of Policy (RSoP) console

    • E.

      Microsoft Baseline Security Analyzer (MBSA)

    Correct Answer(s)
    B. IP Security Monitor console
    D. Resultant Set of Policy (RSoP) console
    Explanation
    Explanation: You should use the IP Security Monitor console to view all IPSec settings applied through GPOs to FileSrv1. You should use the Resultant Set of Policy (RSoP) console to determine the GPO to which an active IPSec policy is assigned.

    You should not use Netdiag.exe. Netdiag.exe can view all IPSec settings applied through GPOs to Windows XP and 2000 computers and can determine the GPO to which an active IPSec policy is assigned for Windows XP and 2000 computers.
    You should not use the IP Security Policy Management console. The IP Security Policy Management console is used to view all IPSec settings applied through GPOs to Windows XP computers.

    You should not use Microsoft Baseline Security Analyzer (MBSA). MBSA is a graphical and command-line interface that can perform local or remote scans of Windows systems. MBSA uses the HFNetChk tool technology to scan for missing security updates and service packs for Windows, IE, IIS, SQL, Exchange, and Windows Media Player. It does not test any IPSec policy settings.

  • 7. 

    You are a network administrator for your company. The network consists of two Active Directory domains in a single forest. The network spans two locations that are connected through a dial-up link. All servers on the network run Windows Server 2003. All computers in the central office belong to the verigon.com domain and are configured to use Server1 as the preferred DNS server. Server1 hosts a primary zone for the verigon.com domain. All computers in the branch office belong to the branch.verigon.com domain and are configured to use Server2 as the preferred DNS server. Server2 hosts a primary zone for the branch.verigon.com domain.  All computers in both offices must always be able to resolve names of any computer on the network, even when the dial-up link between the two offices is disconnected.  What should you do?

    • A.

      On Server1, create a secondary zone for the branch.verigon.com domain. On Server2, create a secondary zone for the verigon.com domain.

    • B.

      Configure Server1 and Server2 to perform conditional forwarding to each other.

    • C.

      On Server1, create a delegation for the branch.verigon.com domain. On Server2, create a delegation for the verigon.com domain.

    • D.

      On Server1, create a stub zone for the branch.verigon.com zone. On Server2, create a stub zone for the verigon.com zone.

    Correct Answer
    A. On Server1, create a secondary zone for the branch.verigon.com domain. On Server2, create a secondary zone for the verigon.com domain.
    Explanation
    Explanation: The only solution that will work even when the dial-up link between the two offices is disconnected is to create a secondary zone for the other domain on each of the two DNS servers. A secondary zone will have a replica of the primary zone, which will help in name resolution even if the link is down. On Server1, you should create a secondary zone for the branch.verigon.com domain and specify Server2 as the master server. On Server2, you should create a secondary zone for the verigon.com domain and specify Server1 as the master server. When the WAN link is connected, Server1 and Server2 will perform zone transfers to populate or update the secondary zones. Each of the servers will be able to resolve names in both domains, even when the WAN link is temporarily disconnected.

    If you created stub zones or configured conditional forwarding, then each of the two DNS servers would have to query the other one across the WAN link to resolve names in the other domain. A delegation can be created in a parent domain for a child domain. Therefore, you cannot create a delegation on Server2 for the verigon.com domain.

  • 8. 

    You are a remote employee for your company. Your home network is connected to the Internet through a cable modem. The company's written security policy requires that all remote employees configure Internet Explorer on their home computers to reject cookies from all Web sites except your company's Web site. You must comply with the company policy. On your Windows XP Professional computer at home, you start Internet Explorer and select Internet Options from the Tools menu. In the Internet Options sheet, you must configure the appropriate settings that define the handling of cookies. Which of the following tabs should you select?

    • A.

      General

    • B.

      Security

    • C.

      Privacy

    • D.

      Content

    • E.

      Connections

    Correct Answer
    C. Privacy
    Explanation
    Explanation: You can control how Internet Explorer handles cookies on the Privacy tab of the Internet Options sheet. On this tab, you can move the slider to set an automatic cookie-handling behavior. The six available settings range from Accept All Cookies, which is the least secure setting, to Block All Cookies, which is the most secure setting. You can also click Advanced and specify custom cookie-handling settings that override the automatic cookie-handling behavior. You can click Edit and specify exceptions to the general rules; in particular, you can specify URLs of the Web sites whose cookies should always be accepted, such as your company's URL, and you can specify URLs of the Web sites whose cookies should always be blocked.

    A cookie is a small text file that a Web server can save on a Web client computer. A cookie can contain information about your personal preferences on the Web, custom searches, authentication credentials, and so on. HTTP is a stateless protocol; it does not contain a built-in mechanism for a Web server to maintain a client's session information. Each time a Web client requests a Web page from a server, the server has no knowledge of the client's previous requests. Cookies can be understood as reminders that enable Web servers to recognize a client and to keep track of the client's activities on the Web site.

    None of the other tabs will let you configure how Internet Explorer handles cookies.

    On the General tab, you can specify a home page, color, font, language and accessibility preferences, and you can delete saved cookies and other temporary files.

    On the Security tab, you can configure security settings for Web content zones.

    On the Content tab, you can set content ratings, manage certificates, and configure autocomplete settings and personal profile information.

    On the Connections tab, you can manage dial-up and VPN connections and proxy server settings. You can also specify automatic configuration and automatic proxy detection settings.

    On the Programs tab, you can specify default programs for various Internet services, such as HTML editing, e-mail, and newsgroups.

    On the Advanced tab, you can configure miscellaneous settings that define various aspects of Internet Explorer appearance and behavior.

  • 9. 

    You administer your company's network, which consists of a single Active Directory domain and several sites. All servers run Windows Server 2003, and all client computers run Windows XP Professional. Name resolution is provided by DNS servers. DHCP servers provide TCP/IP configurations to client computers. Servers are assigned static TCP/IP configurations. A written company policy mandates that all access to the Internet be directed only through an Internet Security and Acceleration (ISA) server at each site. Currently, computers are manually configured to use the ISA server at their location. Several portable computers that run Windows XP Professional have been purchased for 40 users who will travel between sites. You want to configure the DHCP servers so that the portable computers will be automatically configured to use the appropriate ISA server computer for the site at which they are located. For each site, you create an autoconfiguration file and store it on a local intranet Web server. Which DHCP option should you configure?

    • A.

      003 Router

    • B.

      006 DNS Servers

    • C.

      015 DNS Domain Name

    • D.

      252 WPAD

    Correct Answer
    D. 252 WPAD
    Explanation
    Explanation: You should configure the 252 WPAD DHCP option. Web Proxy Auto Discovery (WPAD) enables computers to discover the address of the local ISA server through a process called autodiscovery. The Automatically detect settings option should be enabled in Internet Explorer on the client computers. When a computer is started, a DHCP server will provide the URL to the location on an intranet Web server where the autoconfiguration script is stored. Internet Explorer will connect to that URL, download and execute the script, which will configure Internet Explorer with the appropriate proxy server settings.

    The 003 Router DHCP option is used to configure a default gateway address for DHCP client computers. The 006 DNS Servers option is used to configure client computers with one or more DNS server addresses for name resolution. You might choose to configure these options on DHCP servers to facilitate the configuration of portable computers as their users move between sites. However, these options are irrelevant to the task in this scenario.

    The 015 DNS Domain Name option is used to configure client computers with the domain name that should be appended to unqualified host names before those names are submitted to a DNS server for resolution. If the 252 WPAD DHCP option referenced the intranet Web server that contained the auto-configuration script by the server's unqualified name, then client computers would append the domain names from their DNS suffix search list before attempting to resolve the server's name. By default, the DNS suffix search list contains only the primary DNS suffix and any connection-specific suffixes. The primary DNS suffix is usually the name of the Active Directory domain to which the computer belongs. If the intranet Web server at each site in this scenario belonged to a different domain, then a portable computer would not be able to resolve the names of the Web servers from the domains other than the one to which that portable computer belonged. To address this problem, you would configure the 015 DNS Domain Name option on the DHCP server at each site with the name of the appropriate domain. In this scenario, the network consists of a single Active Directory domain, and the scenario does not indicate whether the intranet Web server's name in the URL in the 252 WPAD DHCP option is unqualified. Therefore, you do not need to configure the 015 DNS Domain Name DHCP option in this scenario.

  • 10. 

    You are your company's network administrator. The network contains Windows Server 2003, Windows 2000 Server, and Windows XP Professional computers, and is connected to the Internet. You use Internet Protocol Security (IPSec) on your network to protect all data.  You suspect that certain IPSec policies are not being assigned to the Windows 2000 Server computers. You must view the name of the active IPSec policies that are being used by each computer.  Which tool should you use?

    • A.

      Netsh

    • B.

      Netdiag

    • C.

      Ipseccmd

    • D.

      IP Security Monitor console

    • E.

      Group Policy Verification tool

    Correct Answer
    B. Netdiag
    Explanation
    Explanation: You should use netdiag to view the name of the active IPSec policies that are being used by Windows 2000 Server computers. You could also use the Internet Protocol (TCP/IP) properties or ipsecmon.exe.

    You should not use netsh. This tool could be used if you were viewing information on Windows Server 2003 computers.

    You should not use ipseccmd. This tool could be used if you were viewing this information on Windows XP Professional computers.

    You should not use the IP Security Monitor console. This tool could be used if you were viewing information on Windows Server 2003 or Windows XP Professional computers.

    You should not use the Group Policy Verification tool. This tool allows you to view the group policy to which an IPSec policy is assigned.

  • 11. 

    You administer your company's network. Your company maintains a public Web site on a Windows Server 2003 IIS 6.0 Web server that is named WebSrv. You can administer WebSrv only remotely because it is hosted by a third party. Normally, you perform administrative tasks from your workstation on the company network. You also want to be able to manage WebSrv from your home. You do not have a high-speed Internet connection at home. To access WebSrv from your home, you will first dial in to the corporate network. This connection is very slow, and you have difficulty using IIS Manager. You want to be able to make configuration changes to IIS on WebSrv quickly to minimize the impact on Internet users.

    • A.

      Enable BITS server extensions on WebSrv

    • B.

      Enable FrontPage server extensions on WebSrv.

    • C.

      Configure WebSrv to support WebDAV.

    • D.

      Use Notepad to directly edit the IIS metabase.

    Correct Answer
    D. Use Notepad to directly edit the IIS metabase.
    Explanation
    Explanation: Normally, you should use IIS Manager to administer IIS. However, IIS Manager does not work well over slow connections. If you are familiar with the structure of the IIS metabase, then you can implement configuration changes to IIS by directly editing the metabase file. The IIS metabase consists of two XML text files: the Metabase.xml file, which contains IIS configuration settings, and the MBSchema.xml file, which defines the logical structure of the metabase. To manage IIS configuration, you should make direct changes to the Metabase.xml file by using any text editor, such as Notepad. By default, the Metabase.xml file cannot be edited and written to while IIS is running. To be able to edit the Metabase.xml file while IIS is running, you should connect to WebSrv from your company network and use IIS Manager to select Enable Direct Metabase Edit in the IIS Properties sheet for WebSrv. When this option is enabled, the metabase configuration file can be edited without stopping IIS, and changes are applied to IIS immediately.

    None of the other three features are directly related to managing IIS over a slow connection.

    Background Intelligent Transfer Service (BITS) is a technology that allows you to minimize bandwidth requirements by ensuring that files are transferred when the bandwidth consumption is relatively low.

    FrontPage server extensions is the feature that enables Web developers to author Web sites by using the FrontPage application.

    WebDAV is an HTTP-based file sharing protocol.

  • 12. 

    You are responsible for administering your company's network. The network consists of a single Active Directory domain. All servers run Windows Server 2003. The company's written security policy stipulates that the system, security, and application event logs on all domain controllers must be periodically archived and manually cleared. Each log should not exceed 100 MB in size. Events must never be overwritten in any of the event logs.   You must comply with the company's policy and ensure that your assistants, who have the authority to perform administrative tasks on domain controllers, cannot change the size and retention settings for event logs.  What should you do?

    • A.

      Configure NTFS permissions for event log files so that only you can access them.

    • B.

      Configure the appropriate log size and retention settings in the Default Domain Controllers Policy GPO.

    • C.

      Add your assistants' user accounts to the Backup Operators group in the domain.

    • D.

      Create a script that will configure the appropriate log size and retention settings by editing the Registry. Run the script on each domain controller.

    Correct Answer(s)
    B. Configure the appropriate log size and retention settings in the Default Domain Controllers Policy GPO.
    D. Create a script that will configure the appropriate log size and retention settings by editing the Registry. Run the script on each domain controller.
    Explanation
    Explanation: In this scenario, you should configure the appropriate size and retention settings for the event logs in the Default Domain Controllers Policy GPO, which is the default GPO that is linked to the Domain Controllers organizational unit (OU). By default, all domain controllers reside in this OU. Most of the settings that can be configured on individual computers locally can also be implemented through Group Policy objects (GPOs). Generally, GPO settings override the corresponding locally configured settings. Thus, to apply the same configuration settings to multiple computers simultaneously and to prevent the administrators who manage those computers locally from changing those settings, you should implement the requisite configuration by using a GPO.

    You should not configure NTFS permissions for event log files so that only you can access them. NTFS file-level permissions for event log files cannot be used to control the size and retention settings for event logs.

    You should not add your assistants' user accounts to the Backup Operators group in the domain. Members of the built-in domain local Backup Operators group can back up and restore data on domain controllers regardless of their NTFS permissions. Configuring membership in this group is irrelevant to implementing the requisite size and retention settings for event logs.

    If you configured event log size and retention settings by running a script that modified the Registry on domain controllers, then the assistants who have enough authority to manage event logs would also be able to change the size and retention settings.


  • 13. 

    You administer your corporate network, which consists of a single Active Directory domain named cdpres.com. The relevant portion of the network is depicted in the following image:  The network contains three Windows Server 2003 domain controllers, twenty-five Windows Server 2003 member servers, and one hundred Windows 2000 Professional client computers. Server01 hosts the corporate intranet Web site. Server03 provides client computers with TCP/IP settings, and Server02 hosts the standard primary DNS zone for the cdpres.com domain. Computers in the domain are configured to query Server02 for name resolution.  To access the intranet Web site, users type server01.cdpres.com in the Address bar in Internet Explorer. To make access to the intranet Web site more intuitive, you want to enable users to use the name www.cdpres.com. Additionally, users should be able to access the intranet site by its IP address.  Which resource record should you add? 

    • A.

      Server01 A 192.168.10.10

    • B.

      Www CNAME server01.cdpres.com

    • C.

      @ MX 1 server01.cdpres.com

    • D.

      _ldap._tcp SRV 10 0 389 server01.cdpres.com

    Correct Answer
    B. Www CNAME server01.cdpres.com
    Explanation: In this scenario, users can access the intranet Web site on Server01 by using the FQDN server01.cdpres.com. This name is already mapped to the server's IP address, and no action is required to enable users to access the intranet Web site on Server01 by using its IP address of 192.168.10.10. To enable users to access the intranet Web site by using a different name, such as www.cdpres.com, you should use an Alias (CNAME) record to map this name to the registered name of server01.cdpres.com. You should add the following resource record to Server02:

    www CNAME server01.cdpres.com

    You can also use a CNAME record when you want to move resources from one server to another transparently to users. For example, you can map the name of the old server to the name of the new server to allow users to continue accessing the moved resources with the name of the original server, even though that server has already been removed from the network.

    You should not add any other records that are presented in the choices. An A record is used to map a name to an IP address. The following resource record associates Server01 with its IP address:
    server01 A 192.168.10.10

    The A record for Server01 should already exist on Server02 because users currently access Server01 by name, and this is an indication that that name is mapped to the correct IP address. An MX record identifies an SMTP server that is responsible for delivery of e-mail in a specific DNS domain. The following MX record indicates that Server01 is an SMTP server:
    @ MX 1 server01.cdpres.com

    An SRV record indicates that a server provides the service specified in the record. The following SRV record indicates that Server01 provides the LDAP service on TCP port 389:
    _ldap._tcp SRV 10 0 389 server01.cdpres.com
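
    The lookup described in this explanation, as an added example that is not part of the original quiz: a small Python resolver that follows the www CNAME record to the A record for server01 and flags aliases that no longer end at an address. Only the server01 and www records come from the page; the other records, the function names and the hop limit are constructed for the example.

```python
"""Added example: follow CNAME records in a small zone until an A record is reached."""

ZONE_ORIGIN = "cdpres.com"

# The first two records are quoted in the explanation above.
# The remaining records are constructed to exercise the failure cases.
ZONE_TEXT = """
server01   A      192.168.10.10
www        CNAME  server01.cdpres.com
intranet   CNAME  www.cdpres.com          ; alias of an alias
oldweb     CNAME  server09.cdpres.com     ; target has no record any more
loop1      CNAME  loop2.cdpres.com
loop2      CNAME  loop1.cdpres.com
"""

MAX_CHAIN = 8  # assumed cap on CNAME hops, chosen for this example


def fqdn(name, origin=ZONE_ORIGIN):
    """Normalise a name: DNS names are case-insensitive, so lower-case it.

    Assumption: the page writes targets without a trailing dot, so any dotted
    name is treated as fully qualified and a single label is relative to the
    zone origin. A strict zone-file parser is stricter about the trailing dot.
    """
    name = name.strip().rstrip(".").lower()
    if name == "@":
        return origin
    return name if "." in name else f"{name}.{origin}"


def parse_zone(text):
    """Parse 'owner TYPE rdata' lines into {owner_fqdn: [(type, value), ...]}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        rtype = rtype.upper()
        if rtype not in ("A", "CNAME"):
            continue  # other record types play no part in this lookup
        value = fqdn(rdata) if rtype == "CNAME" else rdata.strip()
        records.setdefault(fqdn(owner), []).append((rtype, value))
    return records


def in_zone(name):
    return name == ZONE_ORIGIN or name.endswith("." + ZONE_ORIGIN)


def resolve(name, records):
    """Return (status, chain, addresses).

    status is one of: ok, nxdomain, dangling, external, loop, too_long.
    """
    current = fqdn(name)
    chain = [current]
    for _ in range(MAX_CHAIN):
        rrset = records.get(current)
        if not rrset:
            if len(chain) == 1:
                return "nxdomain", chain, []
            # An alias pointed here, but nothing in this zone answers for it.
            return ("dangling" if in_zone(current) else "external"), chain, []
        addresses = [value for rtype, value in rrset if rtype == "A"]
        if addresses:
            return "ok", chain, addresses
        target = next(value for rtype, value in rrset if rtype == "CNAME")
        if target in chain:
            return "loop", chain + [target], []
        chain.append(target)
        current = target
    return "too_long", chain, []


def audit_aliases(records):
    """Return {alias: status} for every CNAME owner that does not reach an address."""
    findings = {}
    for owner, rrset in sorted(records.items()):
        if any(rtype == "CNAME" for rtype, _ in rrset):
            status, _, _ = resolve(owner, records)
            if status != "ok":
                findings[owner] = status
    return findings


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for query in ("www", "Www.cdpres.com", "intranet", "oldweb", "loop1"):
        print(query, resolve(query, zone))
    print("aliases needing attention:", audit_aliases(zone))
```

    Running the audit after a server is retired shows which aliases still point at its name, which is the clean-up step that keeps the transparent-move use of CNAME records from leaving stale entries behind.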


  • 14. 

    You are the network administrator for a single Active Directory domain. The domain contains 1,000 Windows XP Professional client computers and 20 Windows Server 2003 computers. Internet Protocol Security (IPSec) is implemented on your network.  You suspect that a user has been changing the IPSec policies on your network. You must determine which user is making IPSec policy changes. In addition, you want to identify any users who are attempting to make changes.  What should you do?

    • A.

      Enable success auditing for the Audit logon events audit policy for your domain.

    • B.

      Enable success auditing for the Audit policy change audit policy for your domain.

    • C.

      Enable success auditing for the Audit privilege use audit policy for your domain.

    • D.

      Enable success and failure auditing for the Audit logon events audit policy for your domain.

    • E.

      Enable success and failure auditing for the Audit privilege use audit policy for your domain.

    Correct Answer
    E. Enable success and failure auditing for the Audit privilege use audit policy for your domain.
    Explanation: You should enable success and failure auditing for the Audit policy change audit policy for your domain. This will allow you to identify the user making the IPSec policy changes as well as identify any users attempting to make changes.

    You should not enable success auditing for the Audit logon events audit policy for your domain. This policy only audits each time a user logs on or logs off a computer.

    You should not enable success auditing for the Audit policy change audit policy for your domain. This will only identify the user making the IPSec policy changes. It will not identify any users attempting to make changes.

    You should not enable success auditing for the Audit privilege use audit policy for your domain. This policy audits each instance of a user exercising a user right.

    You should not enable success and failure auditing for the Audit logon events audit policy for your domain. This policy audits each time a user attempts to log on or log off a computer or successfully logs on or logs off a computer.

    You should not enable success and failure auditing for the Audit privilege use audit policy for your domain. This policy audits each successful instance of a user exercising a user right and each failed attempt to exercise a user right.


  • 15. 

    You are your company's network administrator. A portion of your network is shown in the image:   IIS1 is your company's intranet server. A limited number of individuals should be editing files on this computer.  You must be able to monitor all communication with IIS1. Your monitoring solution must minimally affect the performance of IIS1. In addition, you need to ensure that only Administrators on Subnet 1 are able to monitor network activity using Network Monitor. You want to accomplish this with the least amount of administrative effort.  What should you do? (Choose two. Each correct answer presents part of the solution.)

    • A.

      Install Network Monitor on IIS1.

    • B.

      Install the Network Monitor Driver on IIS1.

    • C.

      Install the Systems Management Server version of Network Monitor on MON1.

    • D.

      Select Identify Network Monitor Users on the Tools menu in Network Monitor

    • E.

      Select Show Address Names on the Options menu in Network Monitor.

    Correct Answer(s)
    C. Install the Systems Management Server version of Network Monitor on MON1.
    D. Select Identify Network Monitor Users on the Tools menu in Network Monitor
    Explanation: You should install the Systems Management Server version of Network Monitor on MON1. In addition, you should select Identify Network Monitor Users on the Tools menu in Network Monitor. The Systems Management Server version of Network Monitor is the version you need to be able to monitor remote computers.

    You should not install Network Monitor on IIS1. This would have a more adverse effect on the performance of IIS1 than simply installing the Network Monitor Driver.

    You should not install the Network Monitor Driver on IIS1. The Systems Management Server version of Network Monitor will properly monitor all traffic on its subnet without the need to install the Network Monitor Driver.

    You should not install the Network Monitor Driver on Router1 for the same reason. This solution would possibly enable users to monitor communication with Router1. You should not install the Systems Management Server version of Network Monitor on Router1.

    You should not install the Network Monitor Driver on Client13 and Client14 because you are not concerned with communication with these client computers.

    You should not select Show Address Names on the Options menu in Network Monitor. This option displays user-designated computer names. Although this information is helpful, you are not concerned with the computer names. You need to ensure that only administrators on Subnet 1 are using Network Monitor.

    You should not select Resolve Addresses from Names on the Tools menu in Network Monitor. This option is only available with the version of Network Monitor included in Microsoft Systems Management Server (SMS).

    You cannot install the Systems Management Server version of Network Monitor on Client13 or Client14. These client computers are Windows XP Professional computers. They can only have the Network Monitor Driver installed.


  • 16. 

    You administer your company's e-mail servers. Your company has decided to purchase a new Windows Server 2003 computer that will run Microsoft Exchange Server 2003 and provide e-mail services on the internal network. You want to ensure that users on the internal network can access the new e-mail server by using its fully qualified domain name (FQDN). The server will not be used to receive Internet e-mail.  At a minimum, which DNS resource record is required for the new e-mail server?

    • A.

      A

    • B.

      CNAME

    • C.

      HINFO

    • D.

      MX

    • E.

      NS

    Correct Answer
    A. A
    Explanation: At a minimum, a Host (A) record must be created on your DNS servers. An A record is used to associate a computer name or an FQDN with an IP address. A records are the most common type of DNS resource records. A computer running Windows 2000 or later can automatically register its A resource record with the DNS server by using the DHCP Client service. Therefore, the new Windows Server 2003 computer will register its A record automatically. A records for computers running legacy Windows operating systems must be configured manually, or they can be automatically configured by proxy by a Windows Server 2003 DHCP server. The following is an example of an A record:
    mailserver04 A 192.168.44.33

    An Alias (CNAME) record maps one FQDN to another. It can be used when it is necessary to reference a computer by more than one name. For example, a computer named mailserver04.verigon.com is registered in the verigon.com domain. To enable users to refer to that computer by the name mail.domain1.com, you should create the following CNAME record in the verigon.com domain.
    mailserver04 CNAME mail.domain1.com.

    You should not create a CNAME record in this scenario because the scenario does not indicate that the new Exchange server will be referenced by more than one name.

    A Host Information (HINFO) record is used to specify a computer's CPU and operating system. This record is optional; it is not required in this scenario. The following is an example of an HINFO record.
    mailserver04 HINFO SUN-4/390 SUNOS 4.0

    A Mail Exchanger (MX) record is used to specify an SMTP server that is responsible for delivering e-mail in a specific DNS domain. When multiple SMTP servers are available, a preference value is used to determine the preferred e-mail server. The server with the lowest preference value is given the highest priority; if this server is unavailable, then the server with the next lowest preference value will be used. The following is an example of an MX record with a preference value of 10 in the domain named telstar.com. This record indicates that mailserver04.tsmail.com is the SMTP server for the telstar.com domain.
    @ MX 10 mailserver04.tsmail.com.

    You should not create an MX record in this scenario because the new Exchange server is not intended to receive Internet e-mail. MX records are not required to support e-mail clients within an Exchange organization.

    A name server (NS) record is used to specify the host name of a DNS server that is authoritative for the domain. Because the new server is not a DNS server, an NS record is not required. The following is an example of an NS record in a domain named txglobal.com; this record indicates that nameserver04.txglobal.com is an authoritative server for the txglobal.com domain.
    @ IN NS nameserver04.txglobal.com.

    Pointer (PTR) records are used for reverse DNS lookups to resolve IP addresses to host names. The in-addr.arpa domain is used for reverse lookups. Computers that can automatically register A records can also automatically register PTR records. Because nothing in the scenario specifies that reverse lookups are required, a PTR record is not necessary. The following is an example of a PTR record in the 44.168.192.in-addr.arpa domain; this record maps the IP address 192.168.44.33 to the host name mailserver04.tsmail.com.
    33 PTR mailserver04.tsmail.com.

    A start of authority (SOA) record is used to specify DNS zone properties, such as primary server and refresh interval information. In this scenario, an SOA record is not required for the new Exchange server because it is not a DNS server. The following is an example of an SOA record.
    tsmail.com IN SOA nameserver04.tsmail.com. admin.tsmail.com (
                      1      ; serial number
                      14400  ; refresh [4h]
                      1800   ; retry [30m]
                      43200  ; expire [12h]
                      1800 ) ; min TTL [30m]


  • 17. 

    You are the network administrator for a large electronics company, which is a division of Verigon Incorporated. The network contains only Windows Server 2003 and Windows XP Professional computers in a single Active Directory domain named verigonelec.com. Several companies purchase your products for resale. These companies connect to your network over a VPN using Windows XP Professional computers that are not members of your domain and need access to a Windows Server 2003 file server named FS1.  To protect confidential data, you have implemented the Secure Server IPSec policy on all servers and the Client IPSec policy on all client computers. The computers owned by the purchasers have had the Client IPSec policy applied. However, you have noticed that the purchaser connections are not encrypted. You must ensure that the purchaser connections are encrypted without compromising your domain security.  What should you do?

    • A.

      Change the IPSec policy on FS1 to Server.

    • B.

      Add the purchaser computers to the verigonelec.com domain.

    • C.

      Configure FS1 and the purchaser computers to use Kerberos authentication.

    • D.

      Create a trust between the verigonelec.com domain and the purchaser domains.

    • E.

      Implement a certificate authority (CA) and configure FS1 and the purchaser computers to use certificates.

    Correct Answer(s)
    A. Change the IPSec policy on FS1 to Server.
    E. Implement a certificate authority (CA) and configure FS1 and the purchaser computers to use certificates.
    Explanation: You should implement a certificate authority (CA) and configure FS1 and the purchaser computers to use certificates. This option has the least possibility of causing security risks. With the current configuration, Kerberos authentication is used, which only works if all computers involved are part of the same Active Directory forest.

    You should not change the IPSec policy on FS1 to Server. Doing so could possibly permit unencrypted traffic to FS1.

    You should not add the purchaser computers to the verigonelec.com domain. This option can possibly cause security risks because the purchaser computers would have direct access to your network.

    You should not configure FS1 and the purchaser computers to use Kerberos authentication. Kerberos authentication only works if the computers involved are part of the same Active Directory forest.

    You should not create a trust between the verigonelec.com domain and the purchaser domains. This option can possibly cause security risks because the purchaser computers could have direct access to your network.


  • 18. 

    You are the network administrator for a single Active Directory domain named verigon.com. Your domain contains two thousand Windows 2000 Professional desktop computers, five hundred Windows 2000 Professional notebook computers, and two hundred and fifty Windows XP Professional notebook computers. All computers are configured with dynamically-assigned IP addresses. The notebook computers are frequently moved across subnets.  Your network has three Windows Server 2003 DNS servers. DNS1 is the primary DNS server. DNS2 and DNS3 are secondary DNS servers. Users are complaining that they are having trouble resolving the DNS names of some of the notebook computers when they attempt to access files on these computers.  You must ensure that the verigon.com domain contains the appropriate DNS information for all of the notebook computers.  What should you do?

    • A.

      Log in as a member of the Domain Admins global group. In the properties of DNS1, enable aging and scavenging.

    • B.

      Log in as a member of the Domain Admins global group. Configure the verigon.com zone as an Active Directory-integrated zone.

    • C.

      Log in as a member of the Domain Admins global group. In the properties of the verigon.com domain, enable aging and scavenging.

    • D.

      Log in as a member of the Domain Admins global group. In the properties of DNS1, enable aging and scavenging. In the properties of the verigon.com domain, enable aging and scavenging.

    Correct Answer
    A. Log in as a member of the Domain Admins global group. In the properties of DNS1, enable aging and scavenging.
    Explanation: You should log in as a member of the Domain Admins global group, enable aging and scavenging in the properties of DNS1, and enable aging and scavenging in the properties of the verigon.com domain. Aging and scavenging is used to remove outdated or stale resource records. Aging and scavenging must be enabled on both the primary DNS server and the primary DNS zone. Aging and scavenging is not enabled by default.

    You should not log in as a member of the Domain Admins global group and configure the verigon.com zone as an Active Directory-integrated zone. Simply configuring the verigon.com zone as an Active Directory-integrated zone is not sufficient. Aging and scavenging would still need to be enabled.

    You should not log in as a member of the Domain Admins global group and enable aging and scavenging in the properties of the verigon.com domain. Aging and scavenging would also need to be enabled on DNS1.


  • 19. 

    You are the administrator for your company's Windows 2003 domain. You have three Domain Name System (DNS) servers on your network.  While doing routine maintenance on the DNS server named MAIN, you notice a DNS warning message in the Event Viewer, as shown in the image:   You ping DNS1 and receive a reply.  What should you do next?

    • A.

      Clear the DNS server cache on MAIN.

    • B.

      Clear the DNS server cache on DNS1.

    • C.

      Stop and restart the DNS service on DNS1.

    • D.

      Stop and restart the DNS service on MAIN.

    • E.

      Run the ipconfig /flushdns command at DNS1.

    Correct Answer
    C. Stop and restart the DNS service on DNS1.
    Explanation: You should stop and restart the DNS service on DNS1. More than likely, the DNS server service on DNS1 is not running. Even if it is, you should stop and restart the service because it is not working correctly.

    On the DNS server named MAIN, you receive a DNS warning message in the Event Viewer which states that MAIN cannot connect to a DNS server named DNS1. When you receive this message, the first thing you should do is ping the server in question (DNS1). Because you received a reply, you know DNS1 is functioning properly on the network. Because the server is answering the ping, you then need to troubleshoot the DNS server itself. Stopping and restarting the DNS service would be the first troubleshooting step to perform.

    You should not flush or clear the cache on either system. This only removes the data that is currently located there. The service then accepts new entries. If DNS1 is already having trouble communicating and the problem has not been fixed, it will not be entered in the cache.

    You should not run the ipconfig /registerdns command on either system. This refreshes all Dynamic Host Configuration Protocol (DHCP) leases and registers any related DNS names. If the server is not communicating, DHCP information cannot be refreshed.

    You should not run the ipconfig /flushdns command on either system. This flushes the computer DNS cache and resets it. Flushing the DNS cache will not help the DNS server communicate.


  • 20. 

    You are your company's network administrator. The network contains Windows Server 2003, Windows 2000 Server, Windows XP Professional, and Windows 2000 Professional computers in a single Active Directory domain named goliath.com as shown in the following image: All domain controllers run Windows Server 2003. The company's written security policy states that file and folder access on all server computers in the domain must be monitored for failures. You create a custom security template named FFAccess. You need to configure the FFAccess security template to enforce the written security policy of your company for all server computers in the domain. You must accomplish this with the least amount of administrative effort. What should you do? (Choose all that apply. Each correct answer presents part of the solution.)

    • A.

      Apply the FFAccess security template to the Servers OU.   

    • B.

      Apply the FFAccess security template to the Clients OU.

    • C.

      Apply the FFAccess security template to the Domain Controllers OU.   

    • D.

      Apply the FFAccess security template to the goliath.com domain.

    • E.

      On the FFAccess security template, enable the Audit object access policy for failures.

    Correct Answer(s)
    A. Apply the FFAccess security template to the Servers OU.   
    C. Apply the FFAccess security template to the Domain Controllers OU.   
    E. On the FFAccess security template, enable the Audit object access policy for failures.
    Explanation: You should enable the Audit object access policy for failures on the FFAccess security template. Then you should apply the FFAccess security template to the Domain Controllers OU and to the Servers OU. This will ensure that the audit policy is applied to all server computers in the domain.

    You should not apply the FFAccess security template to the Clients OU. The company security policy states that only the servers in the domain need to be audited for this event.

    You should not apply the FFAccess security template to the 2000 servers OU. You should apply the security template at the highest level possible in the Active Directory structure to ease administrative effort.

    You should not apply the FFAccess security template to the 2003 servers OU. You should apply the security template at the highest level possible in the Active Directory structure to ease administrative effort.

    You should not apply the FFAccess security template to the goliath.com domain. This would cause the audit policy to be applied to all computers in the domain, not just the servers.

    You should not enable the Audit privilege use policy for failures on the FFAccess security template. This audit policy audits each instance of a user exercising a user right.

    You should not enable the Audit directory service access policy for failures on the FFAccess security template. This audit policy audits each instance of a user accessing an Active Directory object.


  • 21. 

    You are a network administrator of your company's Active Directory domain, which consists of four Windows Server 2003 domain controllers and 75 Windows XP Professional computers. The company's written security policy mandates that network administrators must log on with their regular domain user accounts. When a higher level of privileges is required to perform an administrative task, administrators should use the runas command to launch the required application with a specially created account that has the rights to perform the specific task.   Name resolution failures begin occurring on your network. You log on to one of your domain controllers by using your non-administrative domain user account. Next, you attempt to run Replication Monitor by using an administrative user account named RM1 by issuing the runas /user:rm1 replmon command. After you enter the password for RM1, the following error is displayed:   RUNAS ERROR: Unable to run - replmon 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.  You inspect the services on the domain controller to determine the reason that you cannot start Replication Monitor.  Failure of which service is most likely to prevent you from starting Replication Monitor?

    • A.

      Secondary Logon

    • B.

      Net Logon

    • C.

      DNS Client

    • D.

      DNS Server

    Correct Answer
    A. Secondary Logon
    Explanation: The most likely reason that you cannot start Replication Monitor by using the RM1 account is that the Secondary Logon service is stopped and disabled. Secondary Logon enables a user to issue the runas command to run a command or start an application using another user account's security context. When the command has completed or the application is closed, the alternative security context is released; if you start other programs, they will run under the security context of the currently logged on user account.

    The Net Logon service is responsible for authenticating remote users and services. However, you are logged on locally. Therefore, the Net Logon service is not preventing you from starting Replication Monitor.

    The DNS Client service is responsible for locating Active Directory domain controllers and for resolving and caching resolved DNS names locally. The DNS Server service is responsible for answering name resolution queries from DNS clients. DNS updates will not occur if the DNS Server service is stopped; therefore, replication might be failing in this scenario because the DNS Server service has stopped. However, even if the DNS Server service or the DNS Client service were stopped, but the Secondary Logon service were running, you would still be able to use the runas command to start Replication Monitor.


  • 22. 

    You are your company's network administrator. The network contains a single Active Directory domain. All Windows Server 2003 computers are contained in the Servers organizational unit (OU). All Windows XP Professional client computers are contained in the Clients OU. A user named Mark must be able to configure TCP/IP protocol settings on a Windows Server 2003 computer named SrvN. You do not want to grant Mark more permissions than necessary. What should you do?

    • A.

      Add Mark's user account to the Power Users local group on SrvN.

    • B.

      Add Mark's user account to the Administrators local group on SrvN.

    • C.

      Add Mark's user account to the Server Operators domain local group in the domain.

    • D.

      Add Mark's user account to the Network Configuration Operators local group on SrvN.

    • E.

      Add Mark's user account to the Network Configuration Operators domain local group in the domain.

    Correct Answer
    D. Add Mark's user account to the Network Configuration Operators local group on SrvN.
    Explanation: You should add Mark's user account to the Network Configuration Operators local group on SrvN. Members of the Network Configuration Operators local group can make changes to TCP/IP settings and can release and renew TCP/IP address leases.

    You should not add Mark's user account to the Power Users local group on SrvN. Members of this group can create user and group accounts and modify and delete the user and group accounts they created. They can also create and administer shared resources.

    You should not add Mark's user account to the Administrators local group on SrvN. This would grant him more permissions than necessary, because members of this group have full control over the server.

    You should not add Mark's user account to the Server Operators domain local group in the domain. This would grant him permissions on all computers in the domain.

    You should not add Mark's user account to the Network Configuration Operators domain local group in the domain. This would allow Mark to edit the TCP/IP settings for all computers in the domain.


  • 23. 

    You administer a Windows 2003 network. A portion of the network structure is shown in the exhibit.  TCP/IP is the only network protocol. The network ID is 196.123.88.0/27. This is the only set of IP addresses your company owns. All TCP/IP information is assigned to client computers on subnet A and subnet B by DHCP1. A separate scope with all available addresses is created on DHCP1 for each subnet.  You recently added new Windows XP Professional clients to each subnet on the network. Now users from both subnets report that they cannot always access the network. After varying periods of time, they reboot their computers and are able to successfully connect to the network. Other computers on both subnets are continuing to operate normally and have full access to network resources. In addition, laptops are periodically being used for one day on the network when people visit from out of town.  To investigate the situation, you check the IP configuration on one of the new computers, named Client30, that is experiencing trouble. You discover that the IP address of this computer is 169.254.0.5. You must resolve this problem.  What should you do?

    • A.

      Shorten the lease duration for both scopes.

    • B.

      Add new addresses to the existing DHCP scopes.

    • C.

      Shorten the lease duration for the subnet B scope only.

    • D.

      Assign static IP addresses to the new Windows XP Professional clients.

    • E.

      Configure both scope options to include the Perform Router Discovery option.

    Correct Answer
    A. Shorten the lease duration for both scopes.
  • 24. 

    You are your company's network administrator. Your network consists of a single Active Directory domain. The DHCP service is installed on a Windows Server 2003 computer named DHCP1. DHCP1 has been authorized in Active Directory. A single scope has been defined on DHCP1 with 200 IP addresses: 204.29.82.10 through 204.29.82.209.  While performing routine maintenance, you notice a DHCP Jet database error in the Event Log on DHCP1. Later in the day, users report that IP addresses are not being delivered to client computers. You must ensure that DHCP can operate normally.  What should you do?

    • A.

      Shorten the lease duration for both scopes.

    • B.

      Add new addresses to the existing DHCP scopes.

    • C.

      Shorten the lease duration for the subnet B scope only.

    • D.

      Assign static IP addresses to the new Windows XP Professional clients.

    • E.

      Configure both scope options to include the Perform Router Discovery option.

    Correct Answer
    A. Shorten the lease duration for both scopes.
    Explanation: You should shorten the lease duration for both scopes. The problem you experienced indicates that there are not enough IP addresses available for leasing and that the lease duration of the IP addresses is too long. Because it was stated that the 196.123.88.0/27 range was all that your company owned, shortening the lease duration is the only valid solution.

    You should not add new addresses to the existing DHCP scopes. This option is invalid because it was specifically stated that the 196.123.88.0/27 range was all that your company owned.

    You should not shorten the lease duration for the subnet B scope only. Because the problem occurs with computers on both subnets, changing the lease length on the subnet B scope only will not be a complete solution.

    You should not assign static IP addresses to the new Windows XP Professional clients. This solution may provide immediate connectivity for computers experiencing problems, but is not a viable solution for a network where DHCP is chosen to provide IP configurations. In addition, using static IP addresses on some of the computers would cause conflicts in the DHCP scope.

    You should not configure both scope options to include the Perform Router Discovery option. This option will only allow DHCP clients to discover their own routers. Because other computers are receiving leases, it is not likely that routing is a problem. Setting this option is not likely to affect the connectivity problems presented in this scenario.

    If a DHCP server is not found or if a lease configuration fails, a Windows 2003 computer uses Automatic Private IP Addressing (APIPA) to automatically configure TCP/IP. When APIPA is used, Windows 2003 determines an address to use in the Microsoft-reserved IP addressing range between 169.254.0.1 and 169.254.255.254. This address is used until a DHCP server is located. The subnet mask will be set to 255.255.0.0.

  • 25. 

    You are the network administrator for a large company. The network contains Windows XP Professional and Windows Server 2003 computers as shown in the exhibit. (Click the Exhibit(s) button.) DHCPA provides DHCP services to the entire network and has three scopes configured, one for each subnet. DNSA provides DNS services to the entire network.  You want to configure DHCPA so that it assigns the appropriate options to DHCP clients for the DNS server and router.  What should you do?

    • A.

      At DHCPA, configure the server option 003 with the IP address of the router. For each scope, configure the scope option 006 with the IP address of the DNS server.

    • B.

      At DHCPA, configure the server option 006 with the IP address of the router. For each scope, configure the scope option 003 with the IP address of the DNS server.

    • C.

      At DHCPA, configure the server option 006 with the IP address of the DNS server. For each scope, configure the scope option 003 with the IP address of the local router.

    • D.

      At DHCPA, configure the server option 003 with the IP address of the DNS server. For each scope, configure the scope option 006 with the IP address of the local router.

    Correct Answer
    C. At DHCPA, configure the server option 006 with the IP address of the DNS server. For each scope, configure the scope option 003 with the IP address of the local router.
    Explanation: You should configure the server option 006 at DHCPA with the IP address of the DNS server, and for each scope you should configure the scope option 003 with the IP address of the local router. The 006 option is the DNS server option and should be configured at the server level, because all computers will use the same DNS server. The 003 option is the router option and should be configured at the scope level, because each subnet will use a different router (default gateway) address.

    You should not configure the server option 003 at DHCPA with the IP address of the router, and configure the scope option 006 for each scope with the IP address of the DNS server. The router configuration is not the same for all client computers. The router (default gateway) address is different for each subnet configured. It is not necessary to configure the 006 option for each scope, because all client computers will use the same DNS server.

    You should not configure the server option 006 at DHCPA with the IP address of the router, and configure the scope option 003 for each scope with the IP address of the DNS server. The 006 option is for DNS server configuration, not router configuration. The 003 option is for router configuration, not DNS server configuration.

    You should not configure the server option 003 at DHCPA with the IP address of the DNS server, and configure the scope option 006 for each scope with the IP address of the local router. The 006 option is for DNS server configuration, not router configuration. The 003 option is for router configuration, not DNS server configuration.

  • 26. 

    You are the network administrator for AccuTrak Distributors. The network contains Windows XP Professional and Windows Server 2003 computers in a single Active Directory domain named accudist.com. A Windows Server 2003 computer named RAS1 is configured as a router and connected to several branch offices.  You have implemented IPSec routing through RAS1. You must ensure that all packets routed through RAS1 are using IPSec. The company security policy states that the data portion of all packets passing through RAS1 must be encrypted. You must ensure that mutual authentication IPSec is not used.  What should you do?

    • A.

      Use Network Monitor on RAS1. Capture all packets, and filter the packets based on the Internet Protocol (IP).

    • B.

      Use Network Monitor on RAS1. Capture all packets, and filter the packets based on the Layer Two Tunneling protocol (L2TP).

    • C.

      Use Network Monitor on RAS1. Capture all packets, and filter the packets based on the Authentication Header (AH) protocol.

    • D.

      Use Network Monitor on RAS1. Capture all packets, and filter the packets based on the Encapsulating Security Payload (ESP) protocol.

    Correct Answer
    C. Use Network Monitor on RAS1. Capture all packets, and filter the packets based on the Authentication Header (AH) protocol.
    Explanation: You should use Network Monitor on RAS1, capture all packets, and filter the packets based on the Authentication Header (AH) protocol. The AH protocol is an IPSec protocol that is used to configure IPSec for mutual authentication only. It does not perform any encryption. As a result, any packets using AH would not fit the company's security policy. After you identify the computers using AH, you can configure them to comply with the company's security policy.

    You should not use Network Monitor on RAS1, capture all packets, and filter the packets based on the Internet Protocol (IP). This will simply display all IP traffic. IP traffic is not IPSec traffic.

    You should not use Network Monitor on RAS1, capture all packets, and filter the packets based on the Layer Two Tunneling protocol (L2TP). This will simply display all L2TP traffic. The scenario said nothing about using L2TP over IPSec.

    You should not use Network Monitor on RAS1, capture all packets, and filter the packets based on the Encapsulating Security Payload (ESP) protocol. The ESP protocol is an IPSec protocol that is used to configure IPSec for data encryption. This configuration would simply show you all the packets that are using IPSec as expected. It would not show you the packets that are using the incorrect form of IPSec.

  • 27. 

    You administer a Windows Server 2003 domain. All servers run Windows Server 2003, and all client computers run Windows 2000 Professional with Service Pack 4. You need to modify the Default Domain Policy GPO settings to configure Automatic Updates to automatically download updates from a Windows Server Update Services (WSUS) Server named WSUS01 and install the updates on all domain computers.  You want downloaded updates to be installed every Sunday at 1:00 P.M. You browse to the Windows Update node of the Default Domain Policy GPO and display the Settings tab of the Configure Automatic Updates Properties dialog box. You enable Automatic Updates.  Which settings should you select on the Settings tab to properly configure Automatic Updates for domain computers? (Choose all that apply. Each correct choice presents part of the solution.)

    • A.

      Select option 3 - Auto download and notify for install in the Configure automatic updating drop-down list box.

    • B.

      Select option 4 - Auto download and schedule the install in the Configure automatic updating drop-down list box.

    • C.

      Select option 0 - Every day in the Scheduled install day drop-down list box.

    • D.

      Select option 1 - Sunday in the Scheduled install day drop-down list box.

    • E.

      Select the 13:00 option in the Scheduled install time drop-down list box.

    Correct Answer(s)
    B. Select option 4 - Auto download and schedule the install in the Configure automatic updating drop-down list box.
    D. Select option 1 - Sunday in the Scheduled install day drop-down list box.
    E. Select the 13:00 option in the Scheduled install time drop-down list box.
    Explanation: On the Settings tab of the Configure Automatic Updates Properties dialog box, you should configure the following settings:
    1. option 4 - Auto download and schedule the install in the Configure automatic updating drop-down list box
    2. option 1 - Sunday in the Scheduled install day drop-down list box
    3. the 13:00 option in the Scheduled install time drop-down list box
    You should select option 4 - Auto download and schedule the install in the Configure automatic updating drop-down list box, which configures Automatic Updates to automatically download and install updates.
    You should select option 1 - Sunday in the Scheduled install day drop-down list box, which configures Automatic Updates to install updates every Sunday at the specified time.
    Finally, you should select the 13:00 option in the Scheduled install time drop-down list box to configure Automatic Updates to install updates at 1:00 P.M.
    You should not select option 3 - Auto download and notify for install, which would configure Automatic Updates to automatically download updates and notify the user to install the downloaded updates.
    You should not select option 0 - Every day, which would configure Automatic Updates to install updates every day at the specified time.
    You should not select the 01:00 option in the Scheduled install time drop-down list box. This list box displays times in 24-hour format, so the 01:00 setting is 1:00 A.M., not 1:00 P.M.

  • 28. 

    You are your company's network administrator. The network contains Windows Server 2003 and Windows XP Professional computers in a single Active Directory domain. You have implemented Internet Protocol Security (IPSec) on the entire network to protect corporate data.  You recently created an Internet Key Exchange (IKE) filter. You then deployed this filter on the router connecting the network to the Internet. You now want to view statistical information about this filter only.  You open the IP Security Monitor console.  Where should these statistics be viewed?

    • A.

      In the Statistics folder of the Main Mode folder

    • B.

      In the Statistics folder of the Quick Mode folder

    • C.

      In the Generic Filters folder of the Main Mode folder

    • D.

      In the Specific Filters folder of the Main Mode folder

    • E.

      In the Generic Filters folder of the Quick Mode folder

    Correct Answer
    D. In the Specific Filters folder of the Main Mode folder
    Explanation: You should view these statistics in the Specific Filters folder of the Main Mode folder. The Specific Filters folder is for viewing certain filters only. The Main Mode folder shows information from the IKE.

    You should not view these statistics in the Statistics folder of the Main Mode folder. You would probably have to search extensively for the information you need.

    You should not view these statistics in the Statistics folder of the Quick Mode folder. The Quick Mode folder shows information about the IPSec driver, not about IKE.

    You should not view these statistics in the Generic Filters folder of the Main Mode folder. The Generic Filters folder is for viewing all generic filters, not specific ones.

    You should not view these statistics in the Generic Filters folder of the Quick Mode folder. The Generic Filters folder is for viewing all generic filters, not specific ones. In addition, the Quick Mode folder shows information about the IPSec driver, not about IKE.

    You should not view these statistics in the Specific Filters folder of the Quick Mode folder. The Quick Mode folder shows information about the IPSec driver, not about IKE.

  • 29. 

    You are the security administrator for your company. The company has recently upgraded all network servers and domain controllers to Windows Server 2003. The company's network consists of a single Active Directory domain with three sites configured. You work in the main office.  The company's written security policy prevents users in all sites from logging on locally to local servers. All network file servers are configured to collect auditing information.  You want to view the auditing information on the file servers in all sites from your office. You need the ability to save the auditing information on the local hard disk of the file servers.  What should you do?

    • A.

      Connect to each file server using a Remote Desktop connection and use the Security and Analysis snap-in to save the .inf file on the local hard disk.

    • B.

      Connect to each file server using a Remote Desktop connection, use Computer Management to access Event Viewer, and save the .evt file on the local hard disk.

    • C.

      Solicit a Remote Assistance invitation from the administrator of each file server and use the Security and Analysis snap-in to save the .inf file on the local hard disk.

    • D.

      Solicit a Remote Assistance invitation from the administrator of each file server, use Computer Management to access Event Viewer, and save the .evt file on the local hard disk.

    Correct Answer
    B. Connect to each file server using a Remote Desktop connection, use Computer Management to access Event Viewer, and save the .evt file on the local hard disk.
    Explanation: You should connect to each file server using a Remote Desktop connection, use the Computer Management console to access Event Viewer, and save the .evt file on the local hard disk.

    Windows Server 2003 provides two opportunities for remotely controlling computers: Remote Desktop for Administration and Terminal Server. Remote Desktop for Administration replaces what was previously called Remote Administration mode. Terminal Server now encompasses what was previously called Application Server mode. Remote Desktop for Administration allows for management of Windows Server 2003 computers by providing users with up to two remote sessions (in addition to the console session). This feature does not require a Terminal Server Client Access License (CAL) and is simple to configure. Simply access the System Properties dialog box on the server, select the Remote tab, and enable the Allow users to connect remotely to this computer option. Users that can access the computer remotely should be placed in the Remote Desktop Users group.

    To save the auditing information to the local hard disk of the file servers, you can access Event Viewer using the local Computer Management console on each file server. Security log files created by Event Viewer are saved using the .evt file extension.

    You should not connect to each file server using a Remote Desktop connection and use the Security and Analysis snap-in to save the .inf file on the local hard disk. The .inf extension indicates information files, which specify the installation information for your service profiles. For instance, security templates include policy settings and are saved using the .inf extension. Event Viewer log files are saved using the .evt extension.

    You cannot use either option that requires you to solicit a Remote Assistance invitation from the administrator of each file server. The company's written security policy prevents users from logging on locally to the servers. You must log onto a computer to send a Remote Assistance invitation.

    You should be aware that you can also use the Computer Management console or Event Viewer on a local computer to connect to a remote computer and perform the duties required in this scenario. You are not required to use a Remote Desktop connection to access this console on the remote computer.

  • 30. 

    You administer a Windows Server 2003 Active Directory domain for your company. The domain is divided into two subnets. SubnetA uses the network address 192.168.12.0/24, and SubnetB uses the network address 192.168.14.0/24. All domain controllers and member servers are Windows Server 2003 computers, and all clients are Windows 2000 Professional computers.  Clients in SubnetA obtain TCP/IP settings from a DHCP server named DHCPA, which resides in SubnetA. Clients in SubnetB cannot obtain DHCP settings at all, even though you configured a scope for SubnetB on DHCPA. You need to enable clients on SubnetB to automatically obtain TCP/IP settings from DHCPA.  What should you install on SubnetB?

    • A.

      A primary DNS server

    • B.

      An SUS server

    • C.

      A DHCP relay agent

    • D.

      A master DNS server

    • E.

      An SMTP server

    Correct Answer
    C. A DHCP relay agent
    Explanation: You should install a DHCP relay agent on SubnetB. DHCP clients use broadcasts to find a DHCP server and request TCP/IP settings. Typically, these broadcasts cannot cross routers. A DHCP relay agent is a computer that listens for DHCP client broadcasts and sends them to the router on the local subnet, which can then transmit the DHCP requests to a remote network segment. Some routers are RFC 1542-compliant, which means that they can transmit DHCP client broadcasts without the aid of a DHCP relay agent. You can use the ip relay add dhcpserver command in the routing context of the netsh command to configure a network interface as a DHCP relay agent. This command can be used in a batch file to configure multiple interfaces on a single computer or multiple computers as DHCP relay agents.
    A primary Domain Name System (DNS) server hosts the master copy of a DNS zone database. A secondary DNS server contains a read-only copy of a DNS zone database, which it obtains from a master DNS server.

    A Software Update Services (SUS) server can be configured to provide network computers with updates downloaded from the Windows Update Web site. A Simple Mail Transfer Protocol (SMTP) server provides e-mail message services for e-mail clients.

  • 31. 

    You administer a network that consists of 75 computers running Windows Server 2003, Windows XP Professional, and Windows 2000 Professional. All client computers are located on the same network segment. All servers are assigned static IP addresses from the range of 192.168.0.0/24. Routing occurs only between the internal network and the Internet.  All client computers are configured to receive IP addresses from a single DHCP server. No backup DHCP server exists on your network. The client computers are not configured with an alternate static IP address configuration. The DHCP server fails.  What will happen to the computers on your network after the IP address leases expire?

    • A.

      All of the client computers will no longer be configured with an IP address and will no longer be able to communicate with one another.

    • B.

      All of the client computers will keep the IP addresses that were originally leased to them until the DHCP server comes back online.

    • C.

      All of the client computers will assign themselves new IP addresses and will be able to communicate with one another, but they will not be able to communicate with the servers.

    • D.

      All of the client computers will assign themselves new IP addresses and will be able to communicate with one another and with the servers.

    Correct Answer
    C. All of the client computers will assign themselves new IP addresses and will be able to communicate with one another, but they will not be able to communicate with the servers.
    Explanation: All of the client computers will assign themselves new IP addresses and will be able to communicate with one another, but they will not be able to communicate with the servers. DHCP client computers that run Windows Server 2003, Windows XP, Windows 2000, Windows Me or Windows 98 can use Automatic Private IP Addressing (APIPA) to assign themselves IP addresses. If a DHCP server cannot be contacted to renew an IP address lease, then the IP address is released when the lease expires. Windows Server 2003 and Windows XP computers support an alternate static TCP/IP configuration. If no alternate static configuration has been specified, then those computers that can use APIPA will assign themselves new IP addresses in the range of 169.254.0.0/16. Those computers will be able to communicate with each other only within the same network segment because APIPA addresses are not routable.
    The client computers in this scenario will not be able to communicate with the servers because the servers are assigned static IP addresses in a different subnet range, and the one router on the network is configured to only route traffic between the 192.168.0.0/24 subnet and the Internet. When the DHCP server comes back online, the computers that receive their IP addresses dynamically will receive new leases from the DHCP server. You can verify the IP address that has been assigned to a computer by issuing the ipconfig /all command from a command prompt.

    To view the addresses that are leased on your network, use the Address Leases node for the particular scope in the DHCP console.

  • 32. 

    You administer your company network. All servers on the network run Windows Server 2003, and all client computers run Windows XP Professional or Windows 2000 Professional.   You add a DNS server to the network and then configure the network's DHCP server to automatically provide the IP address of the new DNS server to all of the DHCP client computers. You ask all of the network users to verify that the DHCP server has updated their computers' TCP/IP configurations to reflect the new DNS server's IP address.  Which command should users type at a command prompt?

    • A.

      Ipconfig /all

    • B.

      Dnslint

    • C.

      Dnscmd

    • D.

      Netstat -a

    Correct Answer
    A. Ipconfig /all
    Explanation: Users should type ipconfig /all at the command prompt to display a computer's TCP/IP configuration information. The ipconfig command displays information such as the IP address, subnet mask and default gateway of the network adapters that are installed. When the /all switch is used, more detailed TCP/IP configuration information is displayed, including the computer's host name, the primary DNS suffix, the node type, and whether a computer receives IP address configurations from a DHCP server. If a computer is configured to use DNS and WINS servers, then the IP addresses of those servers are also displayed.
    The dnslint command can be used to troubleshoot DNS name resolution problems by verifying the existence of specified DNS records, by diagnosing delegation issues, and by verifying Active Directory replication functionality. The dnscmd command can be used to configure and manage DNS servers from a command prompt. For example, the dnscmd servername /enumzones command can be used to display the list of all zones that are hosted on a specified DNS server. The netstat command can be used to view TCP/IP statistics; the -a switch can be used to determine the open ports on a computer.

  • 33. 

    You are a network administrator for your company. The corporate network consists of a single Active Directory domain. All servers run Windows Server 2003. On a server named ServerB, you configure several backup jobs to back up business data on file servers. The backup jobs are configured to run under the security context of a user account named BackupUser.   The backup jobs run properly for several weeks, but then you notice that none of the jobs run anymore.  What is the most likely reason that the backup jobs no longer run? 

    • A.

      The password for the BackupUser account does not meet the password complexity requirements.

    • B.

      The BackupUser account has been disabled as a result of an attempted password-guessing attack.

    • C.

      The password for the BackupUser account has expired.

    • D.

      The BackupUser account is not a member of the Backup Operators group on ServerB.

    Correct Answer
    C. The password for the BackupUser account has expired.
    Explanation: Backup jobs are run under the security context of a specified user account. Each user account in a domain is subject to password policies. The most likely reason that the backup jobs no longer run in this scenario is that the password for the BackupUser account has expired. By default, passwords are set to expire in 42 days, but an administrator can set a different expiration period. To enable the backup jobs to continue running on their schedules, you should reset the password for the BackupUser account. Additionally, you should specify the new password in the properties of one of the backup jobs. In the remaining jobs that use the BackupUser account, the password will then be changed automatically.

    It is not likely that the password for the BackupUser account does not meet the password complexity requirements. All backup jobs have been functioning properly for several weeks. The scenario does not indicate that any changes to password policies or access permissions have been implemented. Hence, the password for the BackupUser account meets the length, complexity and all other password requirements, and the BackupUser account is assigned the necessary level of authority and permissions to perform the backups.

    It is also not likely that the BackupUser account was disabled as a result of an attempted password-guessing attack. If a malicious individual tried to guess the password for the BackupUser account, then the account would be locked out after several unsuccessful attempts; the account would not be disabled.

    It would not affect the scenario if the BackupUser account was not a member of the Backup Operators group on ServerB. Membership in the local Backup Operators group on ServerB is not required to back up data on other computers.

  • 34. 

    You are your company's network administrator. The network contains Windows XP Professional and Windows Server 2003 computers. A primary DNS server named DNS1 hosts an Active Directory-integrated zone named corp.com. All client computers, except those in the research department, use dynamic IP addresses assigned by a DHCP server.  The research department for your company has asked you to create its own DNS server, which you name DNS-Res. You create a DNS zone named res.corp.com. You configure the client computers in the research department to use DNS-Res as their primary DNS server. You then delegate the res.corp.com child domain to DNS-Res.  You must ensure that all queries for resources outside the research department and Internet-based resources are processed by DNS1.  What should you do?

    • A.

      Configure DNS-Res to use DNS1 as a forwarder.

    • B.

      Configure DNS1 to use DNS-Res as a forwarder.

    • C.

      Add the IP address of DNS1 to the root hints of DNS-Res.

    • D.

      Add DNS1 to the list of DNS servers used by the clients in the research department.

    Correct Answer
    A. Configure DNS-Res to use DNS1 as a forwarder.
    Explanation: You should configure DNS-Res to use DNS1 as a forwarder. This will ensure that DNS-Res will forward any DNS requests for which it is not authoritative to DNS1.

    You should not configure DNS1 to use DNS-Res as a forwarder. This would cause problems on your network, as DNS1 would forward any DNS requests for which it is not authoritative to DNS-Res. DNS1 should forward Internet requests to DNS servers on the Internet.
    You should not add the IP address of DNS1 to the root hints of DNS-Res. Root hints should only include the IP addresses of Internet root name servers, not internal servers.

    You should not add DNS1 to the list of DNS servers used by the clients in the research department. While this would ensure that research department clients could still resolve DNS queries in the event of failure on DNS-Res, it would not ensure that DNS-Res will forward any DNS requests for which it is not authoritative to DNS1.

  • 35. 

    You administer your company network, which consists of a single Active Directory domain. All servers run Windows Server 2003. The network is connected to the Internet.  A user named Stephen reports that he is unable to log on to the domain. You review security logs on domain controllers and notice several unsuccessful logon attempts that use Stephen's user account, StephenG1. You suspect that a malicious user on the Internet might be attempting to guess Stephen's password. To reduce the likelihood of this happening in the future, you rename Stephen's account to GSte1. However, Stephen still cannot log on to the domain. You must enable Stephen to log on to the domain and access appropriate network resources immediately. You want to perform this task with the least amount of administrative effort.  Which action should you perform?

    • A.

      In the Account Lockout Policy for the domain, set the account lockout threshold value to zero.

    • B.

      Enable Stephen's user account.

    • C.

      Delete and re-create Stephen's user account.

    • D.

      Unlock Stephen's user account.

    Correct Answer
    D. Unlock Stephen's user account.
    Explanation: A domain-level Account Lockout Policy specifies the number of times that a user can attempt to log on with an incorrect password within a specified time interval before the account is locked out. This policy also specifies the length of time that the account remains locked out. In this scenario, a hacker has probably exceeded the account lockout threshold and, thereby, caused Stephen's account to be locked out. You have renamed the account to reduce the risk of subsequent attacks against Stephen's account. However, Stephen's user account remains locked out. To enable Stephen to start using his account immediately, you should unlock it. In Active Directory Users and Computers, you should open the Properties sheet for Stephen's user account and clear the Account is locked out option on the Account tab.
    If you set the account lockout threshold in a domain-level Group Policy Object (GPO) to zero, then user accounts would never be locked out. However, the accounts that are already locked out would remain locked in accordance with the Account lockout duration setting that was in effect when those accounts were locked out. You cannot enable Stephen's user account because it has not been disabled. If you deleted Stephen's user account and then created a new one, then Stephen would not be able to access all appropriate resources immediately. You would have to configure the new account with the same settings as those of the original account to enable Stephen to access the resources that he could access with his old account. If Stephen encrypted any files in the past, then he would no longer be able to access those files from his new account.

    The Account lockout threshold policy is used to define the number of invalid logon attempts that are allowed before the account is locked out. Setting this policy to zero (0) prevents account lockouts from occurring no matter how many invalid attempts are made.

    When the Account lockout duration policy is set to zero (0), any account that is locked can only be unlocked by an administrator. The policy can be configured with a value of zero (0) to 99,999. With a nonzero value, a locked account is automatically unlocked after the duration entered in this setting.

    The Reset account lockout counter after policy is used to define the length of time (in minutes) after which the number of invalid attempts should be reset to zero (0).

    The Enforce user logon restrictions policy can be enabled or disabled. By enabling this policy, all defined user logon restrictions are enforced. The binary value for this policy is either 0 (disabled) or 1 (enabled).


  • 36. 

    You are the system administrator for your company. Your company has decided to deploy Windows Server Update Services (WSUS) to help administrators deploy security patches and service packs. You have been given a Windows Server 2003 computer and a Windows 2000 Server computer. Neither of these systems has any service packs installed.  You need to ensure that you can install WSUS on these computers with a minimum of administrative effort.  What should you do? (Choose all that apply. Each correct answer is part of the solution.)

    • A.

      Ensure that Internet Information Services (IIS) 6.0, Background Intelligent Transfer Service (BITS) 2.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 are installed on the Windows Server 2003 computer.

    • B.

      Ensure that Internet Information Services (IIS) 5.0, Background Intelligent Transfer Service (BITS) 2.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 are installed on the Windows Server 2003 computer.

    • C.

      Ensure that Internet Information Services (IIS) 6.0, Background Intelligent Transfer Service (BITS) 1.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 are installed on the Windows Server 2003 computer.

    • D.

      Ensure that Windows 2000 Server Service Pack 4, Internet Information Services (IIS) 5.0, Background Intelligent Transfer Service (BITS) 2.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows 2000 Server are installed on the Windows 2000 Server computer.

    • E.

      Ensure that Windows 2000 Server Service Pack 4, Internet Information Services (IIS) 6.0, Background Intelligent Transfer Service (BITS) 2.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows 2000 Server are installed on the Windows 2000 Server computer.

    Correct Answer(s)
    A. Ensure that Internet Information Services (IIS) 6.0, Background Intelligent Transfer Service (BITS) 2.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 are installed on the Windows Server 2003 computer.
    D. Ensure that Windows 2000 Server Service Pack 4, Internet Information Services (IIS) 5.0, Background Intelligent Transfer Service (BITS) 2.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows 2000 Server are installed on the Windows 2000 Server computer.
    Explanation
    Explanation: You should ensure that Internet Information Services (IIS) 6.0, Background Intelligent Transfer Service (BITS) 2.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 are installed on the Windows Server 2003 computer. These are the minimum requirements for a Windows Server 2003 computer to support WSUS.

    You should also ensure that Windows 2000 Server Service Pack 4, Internet Information Services (IIS) 5.0, Background Intelligent Transfer Service (BITS) 2.0, and Microsoft .NET Framework 1.1 Service Pack 1 for Windows 2000 Server are installed on the Windows 2000 Server computer. These are the minimum requirements for a Windows 2000 Server computer to support WSUS. In addition, Windows 2000 Server requires Internet Explorer 6.0 Service Pack 1 and Microsoft .NET Framework Version 1.1 Redistributable Package.


  • 37. 

    You administer your company network. The network consists of a single Active Directory domain named verigon.com. All five domain controllers run Windows Server 2003 and DNS Server, and they all host an Active Directory-integrated DNS zone for the verigon.com domain. You install DNS Server on a new Windows Server 2003 member server named ServerA. You configure ServerA to host a secondary zone for the verigon.com domain. On one of the domain controllers, you open the Properties dialog box for the verigon.com DNS zone. You must designate ServerA as an authoritative server for the verigon.com zone.  Which tab should you select?

    • A.

      Start of Authority (SOA)

    • B.

      Name Servers

    • C.

      WINS

    • D.

      Zone Transfers

    Correct Answer
    B. Name Servers
    Explanation
    Explanation: To indicate that ServerA hosts a zone for the verigon.com domain and to designate ServerA as an authoritative server for that domain, you should add a name server (NS) record to the zone by specifying the name and IP address of ServerA in the Name servers list on the Name Servers tab.
    In this scenario, the Name Servers tab should contain one NS record for each authoritative DNS server for the zone: one NS record for each of the five domain controllers, which host the Active Directory-integrated zone for the verigon.com domain, and one NS record for ServerA, which hosts a secondary zone for the verigon.com domain.

    On the Start of Authority (SOA) tab, an SOA record for a DNS zone can be configured. If a DNS zone is standard, then there is only one SOA record, which contains the name or IP address of the only primary server for that zone. If a zone is Active Directory-integrated, then there can be multiple SOA records, with one record for each primary server. The SOA record on each primary server contains that server's name or IP address. In this scenario, ServerA hosts a secondary zone; therefore, its name or IP address should not be specified in the SOA record on any of the primary servers for that zone.

    The WINS tab is used to specify IP addresses of WINS servers to configure DNS to work with WINS to resolve the names that are registered with WINS, but are not registered with DNS. You should enable the Use WINS forward lookup option to configure the DNS zone to use WINS forward lookups. The Do not replicate this record option should be selected if you do not want to replicate a record. The IP addresses of the WINS servers should be entered in the IP address text box. Records obtained by the DNS server from the WINS server will be marked as authoritative and will be stored in the DNS cache, not the zone. The TTL value of these records is decreased while the records are in cache.

    On the Zone Transfers tab, you can specify whether and how zone transfers to secondary DNS servers occur in a DNS zone. Secondary zones are read-only; they do not accept dynamic updates from DNS clients or manual changes from administrators. Each secondary zone is updated by using zone transfers from a master server, which can be a primary or secondary server for the zone. Zone transfers can be allowed to any DNS server, to only the servers that are specified on the Name Servers tab, or to the servers that are explicitly listed on the Zone Transfers tab. If you select Only to the following servers on this tab, then you should add the IP address of ServerA. However, specifying ServerA on the Zone Transfers tab does not designate ServerA as an authoritative server for the zone.


  • 38. 

    You manage your company's Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) servers. All of the computers are running Windows Server 2003. You install the DNS Server service on one of the servers in a test lab. You want the other computers in the test lab to use this DNS server, which is named DNS-Test. All of the computers in the lab are configured as DHCP clients. A scope for this subnet is defined on a DHCP server named DHCP-10, which is on a different subnet from the lab's subnet. There is no DHCP server in the test lab, but the DHCP relay agent is enabled on one of the computers in the lab. On DHCP-10, you configure a DHCP reservation for DNS-Test, and you replace the DNS server address in the options for the lab's scope with the Internet Protocol (IP) address you reserved for DNS-Test. You restart DNS-Test and Workstation5, which is running Windows XP Professional. You then log on to Workstation5 and use the command "ipconfig /all" to verify the computer's TCP/IP configuration. You notice that the client is still configured to use the DNS server that was previously defined for the lab computers. What is the most likely reason that the client computer is still using the address of the original DNS server?

    • A.

      The IP address of the original DNS server is defined in the TCP/IP properties of the client's network interface card.

    • B.

      The IP address of the original DNS server is defined as a DHCP server option on DHCP-10.

    • C.

      The lab computer is obtaining a lease from a different DHCP server than DHCP-10.

    • D.

      The DHCP lease has not expired on the client.

    Correct Answer
    A. The IP address of the original DNS server is defined in the TCP/IP properties of the client's network interface card.
    Explanation
    Explanation:   The most likely reason that the client computer is still using the address of the original DNS server is that the IP address of the original DNS server is defined in the TCP/IP properties of the client's network interface card (NIC). Any TCP/IP settings that are configured for a specific NIC override the settings obtained with a DHCP lease for the NIC.
    It is not likely that the client computer is still using the address of the original DNS server because the address of the original DNS server is defined as a DHCP server option on DHCP-10. When a DHCP option, such as the address of a DNS server, is configured both as a server option and as a scope option, the value defined for the scope takes priority. Options are applied in the following order:
    1. Server options
    2. Scope options
    3. Vendor class and user class options
    4. Options defined for a reservation
    It is not likely that the client computer is still using the address of the original DNS server because the lab computer is obtaining a lease from a different DHCP server than DHCP-10. When you configure a DHCP relay agent, you define the DHCP server to which the agent should forward DHCP broadcasts. Also, a DHCP server will only respond to a broadcast if the server has a scope of addresses that are valid for the subnet from which the broadcast originated.
    It is not likely that the client computer is still using the address of the original DNS server because the DHCP lease has not expired on the client. When you restart a computer that is a DHCP client, the computer sends a DHCPREQUEST packet to renew its DHCP lease. The DHCP server responds with a DHCPACK packet that acknowledges the validity of the lease and provides any updated options associated with the lease.


  • 39. 

    You are one of the network administrators for your company. The network hosts several computers running Microsoft Windows Server 2003. Client computers are running Microsoft Windows XP Professional.     One of the servers is configured as a Domain Name System (DNS) server. This server maintains the primary forward zone and reverse lookup zone for the company domain.  You attempt to use the Nslookup command from your administrative workstation, Computer-01. You are unable to resolve the host name of Computer-12 to an IP address using the command. You can successfully use the command to resolve the host names of other computers on the network to IP addresses.      You need to be able to resolve the host name of Computer-12 to an IP address.   What should you do?

    • A.

      Create a host (A) record for Computer-01.

    • B.

      Create a pointer (PTR) record for Computer-12.

    • C.

      Create a pointer (PTR) record for Computer-01.

    • D.

      Create a host (A) record for Computer-12.

    Correct Answer
    D. Create a host (A) record for Computer-12.
    Explanation
    Explanation:   When using the Nslookup command to resolve a host name to an IP address, you are performing a forward lookup. To successfully do this, a host (A) record must exist in the zone file for the host name you are trying to resolve. Therefore, to resolve the problem, a host (A) record must be created for Computer-12.
    You do not need to create any resource records for Computer-01 since you are not specifying this host name in the command. You are simply running the command from Computer-01.
    You do not need to create a pointer (PTR) record. This type of resource record is required to resolve an IP address to a host name. However, in this scenario, you are trying to resolve a host name to an IP address.


  • 40. 

    You are the administrator for a medium-sized network consisting of 30 servers running Microsoft Windows Server 2003, Standard Edition, and 1,000 computers running a mix of Microsoft Windows XP Professional and Microsoft Windows 2000 Professional.    A recent security audit recommends encrypting all network traffic. This morning you implement the Secure Server IPSec policy for the Domain Controllers security policy, and the Client IPSec policy through Group Policy objects for each departmental OU. A few minutes after you complete these changes, you begin receiving an increasing number of calls from users complaining that they cannot log on or access their network files.    What should you do?

    • A.

      Change the Group Policy objects for the departmental OUs to Secure Server.

    • B.

      Upgrade all Windows 2000 Professional computers to Windows XP.

    • C.

      Install Directory Service Client Software on all computers running Windows 2000 Professional.

    • D.

      Do nothing. The problem will correct itself.

    Correct Answer
    D. Do nothing. The problem will correct itself.
    Explanation
    Explanation:   The problem will eventually correct itself as the OU Group Policy objects are applied to the computers and configure them to use IPSec. The domain controllers received their policies before the computers did, and they are blocking access until the computers are configured with IPSec. By default, Group Policy objects are refreshed every 90 minutes with a 30-minute offset. The exception to that is the Domain Controller OU Group Policy, which refreshes every five minutes. To avoid this problem in the future, administrators should configure the departmental OU Group Policy settings a minimum of two hours before configuring the Domain Controller OU Group Policy settings.
    Windows 2000 Professional fully supports IPSec and does not need to be upgraded.
    Changing the IPSec policy in the Group Policy objects will not decrease the refresh interval for the computers.
    The Directory Service Client is not designed for Windows 2000 Professional, which natively supports Directory Service.


  • 41. 

    You are the network administrator for your company. At the company's headquarters office you are setting up a wireless local area network (WLAN) for sales representatives to use to connect to the corporate network when they visit the office. The sales representatives use laptop computers running Windows XP Professional with the most recent service packs installed. For the WLAN, you decide to create a separate Internet Protocol (IP) subnet on which you will install only an Access Point (AP) and a computer running Windows Server 2003 on which Routing and Remote Access has been enabled. You will configure the server as a virtual private network (VPN) server through which the sales representatives will access the rest of the corporate network. You will use a Remote Authentication Dial-In User Service (RADIUS) server as the authentication server for the wireless access clients. Which protocol should you use for authentication?

    • A.

      Challenge Handshake Authentication Protocol (CHAP)

    • B.

      Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

    • C.

      Microsoft Challenge Handshake Authentication Protocol - version 2 (MS-CHAP v2)

    • D.

      Extensible Authentication Protocol - Message Digest 5 (EAP-MD5)

    Correct Answer
    B. Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)
    Explanation
    Explanation:   To support the WLAN, you should use Extensible Authentication Protocol - Transport Layer Security (EAP-TLS), because EAP-TLS supports the generation of an encryption key during the authentication process. To enable support for EAP-TLS, select "Smart card or other certificate" as the EAP type. Support for EAP-TLS is enabled by default for wireless connections on a computer running Windows XP Professional, and EAP-TLS is required to support secure access for wireless clients.
    You should not use Extensible Authentication Protocol - Message Digest 5 (EAP-MD5) to support the WLAN. Because EAP-TLS is enabled by default on Windows XP Professional clients and it is required to support secure access for wireless clients, you should not use EAP-MD5.
    You should not use Microsoft Challenge Handshake Authentication Protocol - version 2 (MS-CHAP v2) to support the WLAN. As noted, EAP-TLS is required to support secure access. You can use MS-CHAP v2 for Point-to-Point Tunneling Protocol connections for which you plan to use the Microsoft Point-to-Point Encryption (MPPE) protocol for encryption.
    You should not use Challenge Handshake Authentication Protocol (CHAP) to support the WLAN, because CHAP does not support encryption.


  • 42. 

    You are the network administrator for your organization. All servers have been upgraded to Microsoft Windows Server 2003. Client computers are running Microsoft Windows XP Professional.     Users on the network report that AppSrv-01 is sometimes slow to respond. The server is running a business-critical application. You discover that there is an excessive amount of network traffic coming to and from the server.      You want to monitor network traffic on AppSrv-01 using Network Monitor. However, you do not want any captured data overwritten, and you only want to capture header information.   What should you do? (Choose two. Each answer represents part of the solution.)

    • A.

      Configure a new capture filter.

    • B.

      Increase the size of the buffer.

    • C.

      Create a display filter.

    • D.

      Select the Prompt to Save Data option from the Options menu.

    • E.

      Decrease the frame size setting.

    Correct Answer(s)
    B. Increase the size of the buffer.
    E. Decrease the frame size setting.
    Explanation
    Explanation: By default, Network Monitor has a buffer size of 1 MB. This means that after it collects 1 MB of data, it will begin to overwrite the trace. To prevent this from happening, you should edit the Buffer Settings and increase the buffer size.
    You can capture just the headers that are sent by altering the Frame Size setting. This can be done by selecting Buffer Settings from the Capture menu. The default frame size is Full, which means it captures the entire frame.
    You should not select the Prompt to Save Data option from the Options menu. This only determines whether or not Network Monitor will prompt you to save data when you close a Network Monitor window.
    You should not create a capture filter. This determines the type of data that Network Monitor will capture.

    You should not create a display filter. This is used to filter data after a capture has been completed. It does not impact what data is captured.


  • 43. 

    You are the network administrator for your organization. Servers are running a mixture of Microsoft Windows Server 2003 and Microsoft Windows 2000 Server. Client computers are running Microsoft Windows XP Professional.   You have recently added a Dynamic Host Configuration Protocol (DHCP) server to the network. A number of client computers on your network are unable to connect to any network resource. From a command prompt on one of the client computers, you run IPCONFIG /ALL and discover that the client computer is not obtaining an IP address from the DHCP server.    At the same client computer, you run IPCONFIG /RENEW. The IPCONFIG /RENEW command reports that the DHCP server cannot be reached. From a Windows 2000 Server on the same network segment as the client computer, you are able to ping the DHCP server successfully.      You examine the DHCP server and discover that the DHCP Server service is stopped. The DHCP server is a member server in an Active Directory domain. You attempt to start the DHCP Server service but are unable to do so.   What is the most likely reason you are unable to start the DHCP Server service?

    • A.

      The DHCP server is not able to perform dynamic updates to an Active Directory-integrated zone.

    • B.

      The DHCP server is still configured as a DHCP client.

    • C.

      The DHCP server has not been configured with a valid scope.

    • D.

      The DHCP server has not been authorized.

    Correct Answer
    D. The DHCP server has not been authorized.
    Explanation
    Explanation:   If a DHCP server is a member of an Active Directory domain, it must be authorized before it can lease IP addresses on the network. If the DHCP server has not been authorized, the DHCP service will not be able to start. An entry should appear in the System log indicating that the service cannot start because the server is not authorized.
    The DHCP server is still able to communicate on the network because you can successfully ping its IP address. A DHCP server can be configured as a DHCP client, although it is not recommended. This would not cause the DHCP service to fail to start.
    A DHCP server can perform dynamic updates on behalf of DHCP clients. However, the DHCP server service is not dependent on the server's ability to perform dynamic updates.
    An invalid scope will not prevent the DHCP Server service from starting. The DHCP service will start even if a scope is not present.


Quiz Review Timeline

  • Current Version
  • Mar 21, 2022: Quiz edited by ProProfs Editorial Team
  • Dec 10, 2008: Quiz created by Nuzcruzr
