70-291

2/10/2015 70-291

file:///C:/ce/08mar/08/Quiz/aqua/examv/70-291.htm 1/34

True/False

Indicate whether the sentence or statement is true or false.

1. A DHCP server that is located on a member server and that is a member of a workgroup must be authorized before it can respond to DHCPDISCOVER messages?

2. The DHCP Server service is installed on Microsoft Windows Server 2003 by default.

3. A DHCP database is a distributed database similar to a DNS database?

4. Microsoft Windows Server 2003 DHCP Server supports both automatic and manual backups?

5. When you install Microsoft Windows Server 2003, DNS is installed automatically.

6. Host computers typically use iterative queries.

7. A Microsoft Windows Server 2003 domain that utilizes an Active Directoryintegrated DNS zone can have a secondary DNS server running on a member server.

8. When a file that has been encrypted using EFS is copied from one folder on an NTFS file system drive to another folder on an NTFS drive, the file will remain encrypted?

9. Communication partners using IPSec require identical security policies.

10. SUS can be installed only on an NTFS file system partition.

11. A remote access connection must be authorized before authentication can take place?

Multiple Choice

Identify the letter of the choice that best completes the statement or answers the question.

12. APIPA addresses come from which address range?

a. 172.16.0.0 through 172.31.255.255b. 169.254.0.0 through 169.254.255.255

c. 10.0.0.0 through 10.255.255.255

d. 192.168.0.0 through 192.168.255.255

13. What is the default lease period for a DHCP server running on Microsoft Windows Server 2003?

a. 24 hours

b. 3 daysc. 8 days

d. 5 days

14. When a Microsoft Windows XP client that is configured to use a DHCP server initializes, what type of message will it broadcast first?

a. DHCPREQUEST

b. DHCPINFORMc. DHCPDISCOVER

d. DHCPNACK

15. From a DHCP server, a client receives an address that has a lease period of 6 days. At what point will the client first attempt to renew the lease?

a. 1 day

Name: ID: Email:

70-291

2/10/2015 70-291


b. 5 daysc. 2 days

d. 3 days

16. When a DHCP-enabled client is unable to contact a DHCP server and begins using an APIPA address, when will the client attempt to contact a DHCP server again?

a. Every 30 minutes

b. Every 5 minutesc. Never

d. Every 10 minutes

17. An administrator has configured a DHCP server on a computer that is running Microsoft Windows Server 2003 in an Active Directory domain. A scope has been configured that has a valid range of addresses from

192.168.1.1 through 192.168.1.254. DHCP-enabled clients begin to initialize, and all receive addresses beginning with 169.256.x.x. What is the most reasonable step that the administrator should perform to allow the

DHCP server to begin responding to DHCP requests?

a. Publish the DHCP server in Active Directory directory service.b. Reboot the client computers.

c. Start and stop DHCP service on the clients.d. Authorize the DHCP server in Active Directory.

18. A valid range of addresses and associated configuration options that a DHCP server is configured to assign to DHCP-enabled clients is referred to as a what?

a. DHCP scopeb. Client reservation

c. Client leased. Scope option

19. If a client on a routed network is not on the same segment as the DHCP server, which of the following can be configured to allow the client to obtain DHCP addressing information from the DHCP server?a. DHCP helper address

b. Default gatewayc. DHCP proxy

d. DHCP relay agent

20. A network administrator has a single Class C address space, which is 194.10.10.0. The network consists of 150 users who are logged on to the network at all times and 150 sales users who have portable computers andwho are periodically logged on to the network for short intervals. What recommendation would you make with regard to the lease period?a. Extend the default lease period to 10 days.

b. No action is required; you should have an adequate number of addresses.c. Decrease the default lease period to 1 day.d. Decrease the default lease period to 8 days.

21. You administer a network that has 75 client computers configured to dynamically receive IP address configuration. The DHCP server has been configured using a DHCP scope with a configured IP address range of

170.34.32.1 to 170.34.32.255 and a 24-bit mask. The network consists of a Microsoft Windows Server 2003 domain and Microsoft Windows XP clients configured as DHCP clients. Users of the client computerscannot access other computers or resources on the network. Which of the following options should you use to resolve the problem?

a. Activate the scope.b. Reboot the DHCP server.c. Increase lease duration.

d. Change the ending IP address to 170.34.38.255.e. Re-create the scope using a subnet mask of 255.255.244.0.

22. While creating a DHCP scope, you create an exclusion range for the printers on your network. You also create client reservations for each printer. None of the printers receives an IP address from DHCP. How should you

resolve the problem?a. Remove address reservations for the printers.b. Remove the exclusion range for the printers.

c. Disable address conflict detection.

2/10/2015 70-291


d. Enable address conflict detection.

23. You configure a DHCP scope with a 15-day lease period and a 21-bit subnet mask. How can you change the lease period so that it is unlimited with the least amount of administrative effort and DHCP server downtime?

a. Delete the existing scope and use the New Scope Wizard to create a new scope. Specify an unlimited lease period.b. Edit the properties of the scope within the DHCP console, and change the lease period to unlimited.c. Delete the existing scope and use the Scope Wizard to create a new scope. When the wizard is complete, edit the properties of the new scope to reflect an unlimited lease period.

Activate the new scope.d. Disable the existing scope and edit the properties of the scope within the DHCP console. Change the lease period to unlimited.

24. DHCP is based heavily on which protocol?

a. Address Resolution Protocol (ARP)b. Reverse Address Resolution Protocol (RARP)c. Bootstrap Protocol (BOOTP)

d. Domain Name System (DNS)

25. You add new computers to your DHCP-enabled network; soon after, you discover that users have occasional problems accessing resources on the network using TCP/IP. Which of the following solutions could solve thisproblem?

a. Add additional IP addresses to the DHCP scope to include enough addresses for all computers.b. Authorize the DHCP server in Active Directory directory service.c. Create a new scope to include the new client computers.

d. Change the problematic client computers to use NetBIOS H mode broadcasting.

26. You are the network administrator for Wingtip Toys. Your network consists of 85 desktop client computers and 55 portable computers, all of which run on Microsoft Windows XP Professional. Only 20 of the users of theportable computers are ever in the office at the same time. Wingtip Toys purchased a subnetted Class B address space with a 25-bit mask. All users require Internet access while in the office. How should you configureDHCP?

a. Create two scopes that have different lease durations.b. Create manual reservations for all portable computer users.

c. Create one scope that has two user classes, each with different lease durations.d. Create one scope that has two vendor classes, each with different lease durations.

27. You are the administrator of a Microsoft Windows Server 2003 network. The network consists of two Windows Server 2003 computers named Toledo and Cleveland and 275 Microsoft Windows XP Professionalcomputers. Toledo is a DHCP server. The DHCP server provides the TCP/IP configuration for all Microsoft Windows XP computers. Toledo and Cleveland have manually configured IP addresses. Toledo frequentlyhosts multicast-based video and audio conferences. You want to dynamically allocate multicast addresses. How should you configure the network?

a. On the DHCP server, create and activate a multicast scope with a range of Class D addresses.b. On Toledo, configure routing and remote access to enable the Internet Group Membership Protocol (IGMP) routing protocol in proxy mode on the LAN interface.c. Enable router discovery on the Windows XP Professional computers.d. Add a route for network destination 224.0.0.0 and mask 224.0.0.0 on the Windows XP Professional computers.

28. When would a client computer receive a DHCPNACK message?a. When a DHCP server receives a request from a client to renew a lease and is in the process of completing the renewalb. When a DHCP server receives a request from a client to renew a lease but cannot renew the leasec. When a DHCP client must acknowledge the receipt of a DHCPOFFERd. When a DHCP client accepts a lease

29. You are the administrator of a Microsoft Windows Server 2003 network that consists of two subnets that are connected by a router. Active Directory directory service is implemented on the network. The DHCP server isinstalled on subnet 1, and the DHCP relay agent has been enabled on subnet 2. Clients on subnet 1 receive the correct IP configuration, but clients on subnet 2 receive addresses in the 169.254.x.x range with a subnetmask of 255.255.0.0. Of the following options, which is the most likely reason that clients on subnet 2 are not receiving the correct configuration?

a. The DHCP relay agent is not installed on the DHCP server.

b. The DHCP server is not authorized in Active Directory.c. The DHCP relay agent is configured with an incorrect IP address for the DHCP server.d. The DHCP relay agent has not been activated.

2/10/2015 70-291


30. As a network administrator, you are deploying DHCP on your Microsoft Windows Server 2003 network. You want to ensure that all of your print devices receive the same IP address each time they initialize. What step

should you take to ensure that DHCP assigns the same address to the print devices?a. Configure client reservations for each print device interface.b. Configure a lease that will never expire.c. Configure address exclusion for the print devices.d. Statically configure the IP address for all print devices.

31. You are a network administrator and you have statically assigned IP addresses to each of your network servers. What should you do to ensure that DHCP does not assign the addresses you have statically assigned to thenetwork servers?a. Exclude the addresses of the servers from the DHCP scope.

b. Create client reservations for the network servers.c. Set the lease to never expire.d. No action is required. DHCP will recognize that the addresses are in use and will not assign them again.

32. You must deploy DHCP on your network. The network has three physical segments that are separated by a Microsoft Windows Server 2003 server that is configured to act as a router. You configure three subnets, or

multinets, using the following range of addresses: Subnet 1: 172.16.1.0 through 172.16.1.254 Subnet 2: 172.16.2.0 through 172.16.2.254 Subnet 3: 172.16.3.0 through 172.16.3.254How should you define the three address ranges on the DHCP server?

a. Create one scope that includes all of the address ranges and use DHCP relay agents.b. Define a superscope that includes a separate scope for each address range.c. Create a scope for each subnet; no further action is required.d. Configure DHCP on three computers, one for each subnet.

33. You are the administrator of a Microsoft Windows Server 2003 network. The network consists of two Windows Server 2003 computers, named server 1 and server 2, and 200 Microsoft Windows XP Professional clientcomputers. Server 2 is a DHCP server that provides the TCP/IP configuration of all the Windows XP Professional computers. Server 1 frequently hosts multicast-based video and audio conferences. Several clients reportthat they do not receive any multicast communications. You ask your assistant to troubleshoot this problem by using the Ipconfig command on one of the client computers to verify that the client is receiving a multicastaddress from the DHCP server. Which of the following addresses would indicate that the client is receiving a multicast address from the DHCP server?a. 192.168.239.4

b. 172.16.237.4c. 237.10.10.4d. 10.1.1.1

34. You are a network administrator and have been asked to configure a DHCP relay agent. What option in Administrative Tools would you use to complete this task?a. DHCP management consoleb. DHCP relay managerc. Routing And Remote Accessd. DNS

35. Your Microsoft Windows Server 2003 network has 100 clients and uses DHCP with a scope that is configured to issue an internal address in the range of 192.18.1.0 through 192.168.1.254. You have been asked to setthe DCHP lease period to the longest possible setting. What should you do?a. Keep the DHCP lease period at the default length of 8 days.b. Set the DHCP lease period to 60 days.

c. Set the DHCP lease period to unlimited.d. Set the DHCP lease period to 999 days.

36. A client that runs Microsoft Windows XP with default settings will rely on DHCP to update which type of records in DNS?

a. A resource recordsb. SRV resource records

2/10/2015 70-291


c. PTR resource recordsd. Both SRV and PTR resource records

37. Secure dynamic updates are available in which type of DNS zone?a. Standard primaryb. Secondaryc. Active Directoryintegrated

d. Standard primary and secondary

38. Which command should you use to force a client to renew its DNS registration?a. Ipconfig /renewb. Ipconfig /renewdns

c. Ipconfig /alld. Ipconfig /registerdns

39. How often will Microsoft Windows Server 2003 perform an automatic backup of the DHCP database if the default settings are not altered?

a. Every 24 hoursb. Every 30 minutesc. Every 120 minutesd. Every 60 minutes

40. Which DHCP management process is used to recover unused space in the DHCP database?a. Reconcilingb. Compactingc. Restoringd. Removing

41. You are a network administrator of a Microsoft Windows Server 2003 network that has Microsoft Windows 2000 and Microsoft Windows XP clients. The network runs DHCP and DNS with default settings. How willthe DNS server receive updates of client A and PTR resource records?a. Client computers will update both A and PTR records dynamically.b. Client computers will depend on DHCP to update both A and PTR records.

c. Client computers will update the A records, and the DHCP server will update the PTR records.d. Client computers will update the A records. The PTR records will not be updated if default settings are used.

42. Your Microsoft Windows Server 2003 domain has Microsoft Window XP and Microsoft Windows 98, Second Edition clients. Your network runs DHCP and DNS. You notice that none of the Windows 98 clients can

be contacted using their host names. What change should you make?a. Remove the DNS server and install a WINS server.b. Choose the DHCP option to dynamically update the DNS and PTR records only if requested by DHCP clients.c. Choose the DHCP option to dynamically update the preWindows 2000 clients.d. Choose the DHCP option to dynamically update DNS A and PTR records for DHCP clients that do not request updates.

43. You are a network administrator of a Microsoft Windows Server 2003 domain that is configured to use secure dynamic updates for DNS. The network clients have just been updated from Microsoft Windows NT 4 toMicrosoft Windows 2000, and the DHCP server has been set to never update DNS on behalf of clients (the DHCP servers original setting was to always update DNS). You notice that the Windows 2000 clients do notupdate DNS. Which of the following could be the cause of the problem?a. The DNS zones are incorrectly set to Active Directoryintegrated.

b. The DHCP server is not a member of the DnsUpdateProxy security group.c. The DNS server is not a member of the DnsUpdateProxy security group.d. The Windows 2000 clients should be upgraded to Microsoft Windows XP Professional.

44. You must perform a manual backup on a DHCP server named DHCP1. You would like the backup file to be stored on a computer named Server1. Which of the following steps must you take to complete this task?

a. In the Advanced tab of the DHCP server properties page, specify the Universal Naming Convention, or UNC, path to the correct location on the remote server.

2/10/2015 70-291


b. In the DHCP server properties page, specify a local path to initially store the back-up, and then copy the backup file to the correct location on the remote server.c. You cannot specify a path for a manual backup. The backup file will always be stored in the %systemroot%\System32\Dhcp\Backup\New directory.d. Set the properties on the DHCP server to always store backup files on Server1.

45. You are the network administrator of a Microsoft Windows Server 2003 network that has 1,200 DHCP clients. You notice that the Dhcp.mdb file is 35 megabytes in size. What action can you take to improve theperformance of DHCP?a. Perform an offline compaction of the DHCP database using the Jetpack utility.b. Do nothing. A 35-megabyte Dhcp.mdb file is acceptable.c. Manually delete some of the older entries in the DHCP database.

d. Perform an online compaction of the DHCP database.

46. When DHCP audit logging ends at 12:00 A.M. and there is a current log file with the same name that has been modified within the last 24 hours, what action will DHCP take in regards to the current log file?a. The log file is overwritten.b. A new log file is automatically saved under a different file name.c. New logging activity is appended to the current log file.d. The new log file is not saved.

47. You have audit logging enabled on your DHCP server with the default settings.It is 12:00 A.M., and the DHCP server has performed a disk check and has determined that DHCP audit files are currently using 50 megabytes of disk space. The current audit file is 10 megabytes, and 15 megabytes offree space is available on the disk. How will the DHCP server handle the current file?

a. The current file is saved and an administrative alert is listed in the Event Viewer.b. Logging ceases and the DHCP server will continue to perform disk checks until more than 20 megabytes of free space is available.c. The file is saved with no additional action.d. DHCP automatically compacts the file and writes it to the disk.

48. Your DHCP database has recently been restored from a manual backup. The manual backup file did not contain all of the current records. After restoring the database, you notice that no active leases are displayed in theDHCP console. What additional step should you take?a. Stop and restart DHCP.b. Delete the manually restored database and restore from an automatic copy.c. Reboot the DNS server.d. Reconcile the DHCP database.

49. You have been asked to perform an offline compaction of the DHCP database on one of your Microsoft Windows Server 2003 DHCP servers. What command-line tool would you use to accomplish this?a. The Compact utilityb. The Compress utilityc. The Jetpack utilityd. The Dhcpcompress utility

50. As a network administrator, you must perform a manual restore of the DHCP database. When prompted, you chose the folder that contained the automatic backup files; however, you were unsuccessful in restoring thedatabase. What is the most likely cause of this problem?a. The automatic backup files were too old to restore.b. You cannot manually restore a file that was created through the automatic backup process.c. To restore a file that was created through the automatic backup process, you must specify an automatic restore in the DHCP console.

d. Manual restores are not permitted in DHCP.

51. When you perform a backup of the DHCP database, which of the following items are backed up?a. All scopes, superscopes, and multicast scopes

b. Client reservationsc. Leasesd. Optionse. All of the above

2/10/2015 70-291


52. Your Microsoft Windows Server 2003 network is set to allow only secure dynamic updates. Your network clients were running Microsoft Windows NT 4 until you upgraded them to Microsoft Windows XP two daysago. DHCP is set to dynamically update DNS on behalf of the Window NT 4 clients. Since the update, you notice that none of the Windows XP clients will update their A resource records in DNS records. What is themost likely cause of this?

a. Windows XP clients cannot update DNS resource records.b. The DHCP server is not a member of the DnsUpdateProxy security group.c. Windows XP cannot send secure dynamic updates.d. The DHCP server is not set to the default configuration.

53. Your DHCP database is corrupt, and you are forced to perform a manual restore. The database restore was successful. The week after the restore, you ask one of your junior administrators to make a change to theDHCP server. The junior administrator is not a member of the Administrators group, but has been given permissions to administer the DHCP database. Your assistant reports that she is not able to administer the DHCPdatabase. What is the most likely reason the assistant cannot administer the database?a. Security credentials are not backed up by DHCP. After you perform a restore, you must reconfigure security credentials associated with the DHCP database.b. Only members of the Administrators group can administer the DHCP server.c. You incorrectly assigned permissions to the junior administrators user account.d. The junior administrator must be a member of the Domain Administrator group to administer the DHCP server.

54. You are concerned about the size of your DNS database. You made changes to your DHCP server a month ago and have noticed that your DNS server database is growing. You have not added any new client computersto the network. You investigate and determine that the database has resource records for clients that are no longer on your network. What should you do to correct this problem?a. Compact the DNS database.b. Reconcile the DHCP database.c. Manually delete each of the old records from the database.d. Configure the properties of DHCP to remove the clients resource records from DNS when the DHCP lease expires.

55. You have been asked to configure a DHCP server or your network. Your network will utilize the Secure Dynamic Update feature available in Microsoft Windows Server 2003. Your network consists of 5 domaincontrollers, 2 member servers, and 100 Microsoft Windows XP Professional clients. The DHCP server should be installed on which type of computer?a. A domain controllerb. A member server

c. A Microsoft Windows 2000 Professional clientd. Any one of the above

56. Which action must be taken if you want to configure a DHCP server to update both A resource records and PTR resource records on behalf of a Microsoft Windows NT 4 client?

a. No action is required.b. In the DNS tab of the DHCP server properties dialog box, select c. Dynamically Update DNS A And PTR Records For DHCP Clients That Do Not Request Updates.c. Which action must be taken if you want to configure a DHCP server to update both A resource records and PTR resource records on behalf of a Microsoft Windows NT 4 client?d. In the DNS tab of the DHCP server properties dialog box, select Always Dynamically Update DNS A And PTR Records.e. Register the client as a dynamic host with the DHCP server.

57. You suspect that the DHCP database has become inconsistent on one of the scopes. Which tool can you use to check database integrity and reconcile the database for that scope?

a. The DHCP consoleb. The Netdiag command-line utilityc. The Nbtstat command-line utilityd. The Netstat command-line utility

58. You have not modified the default settings for DNS on the DHCP server that is running the Microsoft Windows Server 2003 operating system. Which of the following client records will be updated in DNS by the DHCPserver? (Assume that the clients are running Microsoft Windows XP.)a. The PTR resource recordb. The A resource recordc. Both the PTR and the A resource records

d. Neither the PTR nor the A resource record

59. For a zone in which only secure dynamic updates are allowed, you have configured your DHCP server to perform dynamic updates on behalf of Microsoft Windows NT 4 clients. All other dynamic DNS settings on the

2/10/2015 70-291


DHCP server have the default settings. After you migrate the clients to Microsoft Windows XP, you find that their A resource records are no longer being updated. What is the most likely explanation for this problem?a. Secure Dynamic Updates must be disabled when client operating systems are upgraded.b. The DHCP server is not a member of the DnsUpdateProxy security group.c. The Windows XP clients have not been rebooted after the upgrade from Windows NT 4.d. The default DHCP configuration will not allow Windows XP clients to update resource records.

60. Your Microsoft Windows Server 2003 domain has three DHCP servers and is configured for secure dynamic updates. All of your DHCP servers are also domain controllers and all three are members of theDnsUpdateProxy security group. You have recently learned that this configuration presents security risks that are unacceptable under your companys security policy. What could you do to improve security whilecontinuing to allow clients and DHCP servers to securely update resource records in DNS?a. Remove the DHCP server from the DnsUpdateProxy security group.b. Place all DHCP servers on member servers.c. Disable Secure Dynamic Updates.d. Configure DHCP to always dynamically update DNS A and PTR records.

61. While reviewing DHCP server logs, you notice several entries with event ID 15, which indicates that a lease was denied. You would like to determine how long this has been occurring and what is causing this error. TheDHCP server has been online for only three weeks. To begin troubleshooting this problem, you ask your assistant to provide you with the DHCP logs from the previous three weeks. Your DHCP server has loggingenabled with the default configuration. Your assistant reports that he cannot locate DHCP logs for the past three weeks. What is preventing your assistant from obtaining these logs?a. The assistant user account does not have adequate privileges.b. The DHCP server is not a member of the DnsUpdateProxy security group.

c. A DHCP server with default configuration keeps logs for only seven days.d. DHCP logs are erased every 24 hours.

62. You are the network administrator of a Microsoft Windows Server 2003 network. The network has 1,000 clients of which 300 are running Microsoft Windows 98. You are experiencing an unusually high level of duplicate

address assignments. What could you do to eliminate this problem with the least amount of administrative effort?a. Upgrade all Windows 98 clients to Microsoft Windows XP.b. Enable server-based conflict detection on the DHCP server.c. Enable secure dynamic updates.d. Upgrade all Windows 98 clients to Microsoft Windows 2000.

63. You are a network administrator of a Microsoft Windows Server 2003 network. Your network is configured to use secure dynamic updates. Users complain that they cannot communicate with one of the MicrosoftWindows XP clients on your network using the clients host name. While troubleshooting this problem, you discover that there is not an A resource record for the client in the DNS database. All configurations appear to becorrect. What action could you take to force the Windows XP client to register with the DNS server?a. Type ipconfig /registerdns at the command prompt on the Windows XP client computer.

b. Type ipconfig /renew at the command prompt on the Windows XP client computer.c. Type ipconfig /registerdns at the command prompt on the DNS server.d. Type ipconfig /renew at the command prompt on the DNS server.

64. Host name resolution on a Microsoft Windows Server 2003 network uses DNS to map which two items to one another?a. Host name to IP addressb. FQDN to MAC addressc. Host name to MAC addressd. FQDN to IP address

65. Internet namespace has a hierarchical structure with the root domain located at the top of the structure. What is used to represent the root domain?a. .comb. .educ. .netd. dot (.)

66. A host must communicate with a server on the same network. The host has the IP address of the server. What process will DNS use to obtain the name of the server?a. Standard lookupb. Forward lookup

2/10/2015 70-291


c. Reverse lookupd. Inverse lookup

67. Your Microsoft Windows Server 2003 network is running DNS. The network has a DNS server with a standard primary zone and two DNS servers hosting standard secondary zones. You must make a manual entry inthe DNS database, and you would like this entry to replicate to all other DNS servers on the network. You must make the entry on which DNS server?a. You can make the entry on any of the DNS servers.b. You can make the entry on one of the servers that hosts a standard secondary DNS zone.c. You can make the entry on only the server that hosts the primary DNS zone.d. The update must be made on both secondary servers.

68. You are the administrator of a Microsoft Windows Server 2003 domain. Your domain has three DNS servers, which are located on domain controllers. Currently, you can create updates on only one of the DNS servers.You would like to be able to make changes to the DNS database on any of the three DNS servers, and you want these changes to replicate to all other DNS servers in your domain. You should make which configurationchange?a. Convert all DNS servers to primary DNS servers.b. Convert all DNS server zones to Active Directoryintegrated zones.

c. This cannot be accomplished.d. Create forwarding entries on the DNS servers with secondary zone files.

69. Microsoft Windows Server 2003 has three options for Active Directoryintegrated zone replication. Which of the following is not available as a replication option in Windows Server 2003?

a. Replicate to all DNS servers in the forest.b. Replicate to all domain controllers in the domain.c. Replicate to all domain controllers that are DNS servers in the same domain.d. Replicate to all domain controllers that are also DNS servers in the entire forest.

70. You are the administrator at Lucerne Publishing. You administer the books.lucernepublishing.com Microsoft Windows Server 2003 Active Directory domain. Active Directoryintegrated DNS is configured on all domaincontrollers in the domain. You configure a member server, ServerA, to host an internal Web site for the intranet. You want employees to access this Web site using the URL books.internal.lucernepublishing.com. Whatshould you do?a. Create a CNAME resource record called books, and specify internal.lucernepublishing.com as the target host.b. Create a new zone called internal.lucernepublishing.com. Create a CNAME resource record called books in that new zone, and specify ServerA.books.lucernepublishing.com as

the target host.

c. Create a CNAME resource record called books.internal, and specify ServerA.books.lucernepublishing.com as the target host.d. Create a CNAME resource record called internal, and specify ServerA.books.lucernepublishing.com as the target host.

71. When a client queries a DNS server and requests the best answer that the DNS server can provide using only its own database, which type of query has been performed?a. Recursiveb. Standardc. Iteratived. Secondary

72. To perform a recursive query, the DNS server must have the location of the root level DNS servers. By default, Microsoft Windows Server 2003 stores the root hints in which file?a. Root.dnsb. Roothints.dnsc. Forwarders.dns

d. Cache.dns

73. When a DNS server that is configured to perform recursive queries cannot resolve a name or is not authoritative for the namespace, it must contact a higher-level DNS server. What will the DNS server use to locate DNSservers that are higher in the DNS hierarchy?a. Root hints

b. WINSc. SMTPd. Recursion

2/10/2015 70-291


74. Which type of DNS server contains a copy of the zone file and can respond to client queries but cannot be directly updated?a. Primary name server

b. Secondary name serverc. Master name serverd. Caching-only name server

75. Your company uses a Microsoft Windows Server 2003 network that runs DNS. You would like to improve name resolution, but you do not want to increase replication traffic. What can you do to accomplish this?a. Add an additional primary name serverb. Add an additional secondary name serverc. Add a caching-only name serverd. Add a WINS server

76. While viewing your DNS database, you see the following resource record: na.contoso.com. IN NS nadcl.na.contoso.com.What is the purpose of this resource record?a. To identify a name serverb. To identify an Internet serverc. To identify an individual hostd. To identify an entire domain

77. For communication to exist on a TCP/IP network using DNS, each host must be identified by a resource record in the DNS database. Which type of DNS resource record is used to identify individual hosts?a. PTR recordsb. A recordsc. NS recordsd. SOA records

78. You must configure DNS to hide detailed information about your network but to still provide name resolution and access to your resources. What step can you take to accomplish this?a. Disable DNS and use WINS.b. Delete the DNS database and create a host file on all domain controllers.c. Use CNAME records in DNS to hide the identity of resources.

d. DNS cannot hide the identity of network resources.

79. A ____ record is the A record in the parent zone for an authoritative DNS server hosting the child zone for the delegated subdomain.a. Glueb. PTRc. SOA

d. Host

80. DNS servers perform iterative queries in the process of completing a recursive query. What do the DNS servers do with the information learned from the iterative queries?a. The information is discarded.b. The information is sent to the client to use with the next query.

c. The DNS server caches the information for use with future queries.d. The information is used to update the Cache.dns file.

81. You are a network administrator for a Microsoft Windows Server 2003 network. To improve performance, you would like to reduce iterative queries by specifying where your DNS server forwards queries. What should

you do to accomplish this?a. Configure standard forwarders with the address of the DNS servers to which requests should be forwarded.b. Configure root hints pointing to the domains you want to resolve.c. Configure conditional forwarding with the addresses of the DNS servers to which requests should be forwarded.d. This cannot be accomplished.

2/10/2015 70-291


82. You are an administrator for a complex Microsoft Windows Server 2003 network that has several DNS servers. Your network performance has degraded, and you are concerned because most of your business is doneover the Internet. You surmise that DNS traffic is part of the problem. How can you reduce DNS traffic on your network?a. Create a forwarding, or forward-only, server.b. Upgrade all Microsoft Windows NT 4 clients to Microsoft Windows XP.c. Configure your DNS server to perform only recursive queries.d. Add a WINS server to your network.

83. You administer a private Microsoft Windows Server 2003 network that has a standard primary DNS server and a standard secondary DNS server. Both servers are used to resolve internal DNS names. Your networkhas an external DNS server that is separated from the internal network by a firewall. Internal users complain that they cannot resolve names on the Internet. What should you do to resolve this problem?a. Edit the Cache.dns file.b. Configure the internal DNS servers to forward requests to the external DNS server.c. Remove the firewall.d. Configure a PTR record to the external DNS server on the internal DNS servers.

84. You are the administrator of a network that has three Microsoft Windows Server 2003 domain controllers and one Microsoft Windows NT 4 member server named Server Four. One of the Windows Server 2003domain controllers hosts the primary DNS zone, and the Windows NT 4 member server acts as a secondary DNS server. You would like to convert your DNS structure to include only Active Directoryintegrated zones.What step must you take to accomplish this?a. Open the DHCP console on each server and choose Active DirectoryIntegrated for the zone type.

b. Delete the primary and secondary DNS zone files and reinstall DNS.c. Upgrade the Windows NT 4 member server to a Windows Server 2003 domain controller.d. The zone type cannot be changed.

85. You discover that an administrator has adjusted the default Time To Live (TTL) value for your companys primary DNS zone to 5 minutes. Which of the following is the most likely effect of this change?a. Resource records cached on the primary DNS server expire after 5 minutes.b. DNS clients have to query the server more frequently to resolve names for which the server is authoritative.c. Secondary servers initiate a zone transfer every 5 minutes.

d. DNS hosts reregister their records more frequently.

86. Which DNS tool can be used from the command line to perform most DNS management functions?a. DNScmd

b. Nslookupc. DNSLintd. Ipconfig

87. You are the administrator for a Microsoft Windows 2003 network. Users complain that they can access local resources but have difficulty accessing Internet resources. Which type of test should you run from the DNSconsole to troubleshoot this problem?a. Recursive query to another DNS serverb. Iterative query to a local DNS serverc. Forward lookup query to the WINS serverd. Ping your local DNS server

88. One of your Microsoft Windows XP clients issues an unsuccessful query for a remote domain. You suspect that the Cache.dns file that contains the root hints for your DNS server might contain inaccurate entries. Whatcould you do to test and verify that your DNS server is configured with the correct root hints?a. Issue an iterative query to your local DNS server.b. Open the folder named Root Hints and verify each IP address.c. Issue a recursive query to another DNS server.d. Query your WINS server for the address of the root server.

89. Which DNS management tool can be used to verify the consistency of a particular group of DNS resource records on multiple DNS servers?a. DNSLintb. Dnscmdc. Nslookup

2/10/2015 70-291


d. Ipconfig

90. You are the network administrator for contoso.com, which uses the default settings for clients running Microsoft Windows XP and Microsoft Windows NT 4. Your Windows XP clients are configured to use DNS forname resolution, and your Windows NT 4 clients are configured to register with a WINS server. Your Windows XP clients cannot communicate with the Windows NT 4 clients by NetBIOS name. What could you do so

that your Windows XP clients can communicate with the Windows NT 4 clients by NetBIOS name?a. Configure your WINS server to forward name queries to the DNS server for name resolution.b. Configure a HOSTS file on the WINS server with the NetBIOS names to IP address mapping for each Windows NT 4 client.c. Install a secondary DNS server for the Windows NT 4 clients.d. Configure your DNS server to forward name queries to the WINS server for name resolution.

91. Which command would you enter at the command prompt to display the contents of the DNS resolver cache?a. Ipconfig /allb. Ipconfig /dnsc. Ipconfig /displaydnsd. Ipconfig /show

92. Replication Monitor is a tool that monitors Active Directory replication. Which command is issued at the command prompt to start the Replication Monitor?a. Replmonb. Startc. Repld. Replication Monitor cannot be started from the command prompt.

93. Which command can be issued at the command prompt to purge the DNS resolver cache?a. Ipconfig /clearcache

b. Ipconfig /deletecachec. Ipconfig /flushdnsd. Ipconfig /flushcache

94. Which of the following is not a DNS management tool?a. Nslookupb. Dnscmdc. DNSLint

d. DNSmgt

95. As a system administrator, you perform a manual test on your DNS server. The results indicate that the iterative query was successful, but the recursive query failed. Which of the following is most likely the problem?a. Invalid root hints.b. The DNS server service is stopped.c. All root hints are valid.d. DNS monitoring is disabled.

96. You are a network administrator and you have been asked to determine the FQDN associated with 207.1.1.19. Which command will provide the requested information?

a. Nslookup FQDN 207.1.1.19.b. Nslookup domain.c. Nslookup 207.1.1.19.d. Nslookup cannot perform this function.

97. You are a network administrator of a Microsoft Windows Server 2003 network. Your primary DNS server runs on a Windows Server 2003 server named DNS1. To allow fault tolerance, you have a secondary DNSserver that runs on a UNIX server named DNS2. To perform maintenance, you take the primary DNS server offline. While the primary DNS server is offline, users complain that they cannot access resources on yournetwork. What should you do to correct this problem?a. Enable round robin on DNS1.b. Enable netmask ordering on DNS2.

2/10/2015 70-291


c. Select the BIND Secondaries option on the DNS Advanced Server Properties page on DNS1.d. Select the BIND Secondaries option on the DNS Advanced Server Properties page on DNS2.

98. You are the network administrator for Wingtip Toys. Your internal DNS server runs on a Microsoft Windows Server 2003 server. Your company maintains three Web servers that handle catalog sales. All three Webservers maintain identical content and respond to the host name www.wingtiptoys.com. You would like to ensure that load balancing occurs among the three Web servers. Which action should you take to accomplish this?a. Enable round robin on the three Web servers.b. Enable round robin on the Advanced DNS Server Properties page of the DNS server.c. Configure each of the three Web servers with unique host names.d. Windows Server 2003 does not contain a load-balancing feature.

99. Your network consists of only Microsoft Windows Server 2003 servers and Microsoft Windows XP clients. To provide fault tolerance, your network has a primary DNS server and a secondary DNS server, both ofwhich use default configurations. While loading a zone file, your primary DNS server detects errors in the file. The DNS server will take which action?a. The zone file will be loaded, but the DNS Server service will not start.b. The zone file will be loaded. The errors will be logged and ignored.c. The zone file will not be loaded. The DNS server will answer queries using cached information only.d. The DNS server will not load the zone file, but will continue to attempt to load the file at five-minute intervals.

100. Your network consists of only Microsoft Windows Server 2003 servers and Microsoft Windows XP clients. To provide fault tolerance, your network has a primary DNS server and a secondary DNS server, both ofwhich use default configurations. Which action can you take to prevent your DNS server from loading a zone file that contains errors?a. On the Advanced DNS Server Properties page, select the Fail To Load If Bad Zone Data option.

b. No action is required. The DNS server will not, by default, load a file containing errors.c. Install all DNS servers as secondary DNS servers.

d. On the Advanced DNS Server Properties page, select the Do Not Load Zone File With Errors option.

101. When clients query your DNS server, instead of receiving a definitive answer, they receive referrals to other DNS servers. You would like your DNS server to return a definitive answer to client queries. Which actionshould you take to accomplish this?a. This cannot be accomplished; DNS servers always return referrals to other DNS servers to clients.b. Update the Cache.dns file.c. Select the option to disable iterative queries on the Advanced DNS Server Properties page.d. Clear the Disable Recursion option on the Advanced DNS Server Properties page.

102. A DNS server running on a Microsoft Windows Server 2003 network is, by default, configured to load zone data on startup from which locations?a. File and registryb. Disk and registry

c. Active Directory directory service and registryd. Registry only

103. Your Microsoft Windows Server 2003 network has Microsoft Windows 2000 Professional and Microsoft Windows XP Professional clients. Your DNS server is configured to allow dynamic updates. Your DNSdatabase appears to have many outdated records, and you suspect that they are a result of mobile users not properly shutting down their client computers. Which process should you use to automatically cleanse your DNSdatabase of stale resource records?a. Run the Ipconfig /flushdns command.b. Enable aging and scavenging of DNS resource records.c. Run DNSclean from the command prompt.d. Run the Jetpack utility.

104. Which of the following is not a typical DNS security threat?a. Foot printingb. Denial of Service (DoS) attackc. Data modificationd. Redirectione. Redistribution

2/10/2015 70-291


105. Your Microsoft Windows Server 2003 network has three DNS servers running on Windows Server 2003 member servers. All DNS servers are configured to use forwarders to resolve external names and to allow zone

transfers only to servers listed in the NS resource records in their zone. Which level of DNS security is in use on this network?a. Low-level securityb. Medium-level securityc. High-level securityd. Active Directoryintegrated security

106. You are the network administrator of contoso.com. Your network has a connection to the Internet, and all of the DNS servers run on domain controllers. Your DNS zones are all Active Directoryintegrated zones. Whichlevel of DNS security is in use on this network?a. Low-level securityb. Medium-level securityc. High-level securityd. Active Directoryintegrated security

107. You are the network administrator for a large network consisting of eight domains. You have a primary DNS server named DNS1, which runs on a Microsoft Windows Server 2003 server and it hosts your standardprimary zone. You also have a UNIX server named DNS2, which hosts a secondary zone. The UNIX server runs BIND 8.2.1. What could you do to decrease zone transfer traffic between DNS1 and DNS2?a. Select the BIND Secondaries option on DNS1.b. Convert the UNIX server to BIND 4.9.4.c. Clear the BIND Secondaries option on DNS1.d. Convert the UNIX DNS server to an Active Directoryintegrated zone.

108. Which of the following is a recommended method for increasing DNS security?a. Run DNS only on member servers.b. Have all DNS servers perform recursive queries to Internet name servers.c. Use the same DNS server to resolve internal and external name queries.d. Enable forwarding to deal with requests for resources outside of the internal network.

109. Which steps should you take to enhance security when you have a multihomed DNS server?

a. Ensure that the DNS server listens and responds to name queries on all IP addresses.b. Limit the DNS server to listen for queries on only the IP address that the clients list as their preferred DNS server.c. No action is required. By default, DNS will listen for queries on only the first network adapter.d. Disable the network adapters except for the adapter that DNS is configuredto use.

110. You are a network administrator for a Microsoft Windows Server 2003 network. Your network consists of four branch offices, each of which is configured with a different IP subnet. You have enabled round robin andnetmask ordering. Each branch office has an identical intranet server named intranet.contoso.com, and all branch offices are connected through a VPN connection. All four Web servers have a unique IP address as listedhere: Web server 1 192.168.15.1/20 Web server 2 192.168.30.2/20 Web server 3 192.168.42.40/20 Web server 4 192.168.50.100/20A DNS client with the IP address 192.168.33.5 submits a query to a DNS server for the name internet.contoso.com. Which IP address will be returned to the client?a. 192.168.15.1

b. 192.168.30.2c. 192.168.42.40d. 192.168.50.100

111. Which command should you execute at the Nslookup prompt to view a list of the SRV resource records in the domain contoso.com?a. Nslookup srvb. Set debugc. Ls -t srv contoso.com

2/10/2015 70-291


d. Nslookup www.contoso.com

112. You use Nslookup to troubleshoot a name resolution problem. Which command should you enter at the Nslookup prompt to display the DNS response messages communicated from the DNS server?

a. Ipconfig /displaydns.b. Nslookup displaydns.c. Set debug.d. None. DHCP response messages are displayed by default.

113. You would like to capture and examine packet traffic that your local DNS servers send. Ideally, this information would be stored in a text file that could be opened and viewed using Microsoft WordPad. How can this beaccomplished with the least amount of administrative effort?a. Configure Event Viewer to capture all outgoing DNS packets.b. Microsoft Windows Server 2003 cannot accomplish this without the use of third-party software.c. No action is required; by default, the DNS Events Log captures this information.d. Use the DNS debug log to capture the packets. In the packet options, choose Outgoing as the specified value.

114. Which item is not managed and/or secured by network security protocols?a. Authenticationb. Authorizationc. Confidentialityd. Activatione. Nonrepudiation

115. Which statement is true about the Enterprise Admins group?

a. Each domain has an Enterprise Admins group.b. The Enterprise Admins group is located on the root domain server for each domain.

c. The Enterprise Admins group is created only in the forest root domain.d. The Enterprise Admins group is a local group on member servers.

116. You are the network administrator for the contoso.com domain. You want to assign rights to add workstations to the domain to two assistants. However, you do not want the assistants to have any other rights that are notassigned to all other domain users. What is the recommended method of accomplishing this task?a. Assign the right to add workstations to the domain to the user accounts of both assistants.b. Create a security group named Assistants. Add the user accounts of both assistants to the Assistants group, then grant the right to add workstations to the domain to the Assistants

group.c. Place the user accounts of both assistants in the Administrators group.d. Give the users the Administrator account password and have them use the Run As function to add workstations to the domain.

117. As the network administrator for the contoso.com domain, you established a security baseline and created a template with the baseline settings; this template has been applied to all computers in the domain. You now wantto verify the effectiveness of your security settings. What should you do to help determine whether your security settings are effective?a. Enable auditingb. Run Gpupdatec. Enable the Security Baseline toold. Run Secedit

118. Which of the following accurately explains the principle of least privilege?a. Give all users at least one level of permission above what they currently require to perform their job.b. Create two user accounts for each user. Assign the first user account the least amount of privileges possible. Assign the second user account full administrative privileges.c. Group objects that require the least privilege.d. A user or object should not have privileges or access to information and resources unless it is absolutely necessary.

119. How should the principle of least privilege be applied to members of the Administrator group?a. The network administrator should perform routine tasks using an account with the principle of least privilege applied. When performing administrative tasks that require elevated

permissions, the Run As feature should be utilized.

2/10/2015 70-291


b. The principle of least privilege does not apply to network administrators.c. Network administrators should perform all functions using the account with the highest level of privileges.d. Members of the Administrator group should have minimum privileges. All functions that require elevated privileges should be performed by the enterprise administrator.

120. The MMC Security Templates snap-in lists all of the built-in security templates. It has a heading labeled Setup Security. The Setup Security heading contains seven configurable areas. Which of the following items is not aconfigurable area contained in the Security Templates snap-in?a. Account Policiesb. Restricted Groupsc. File Systemd. Applications

121. You are the network administrator for a Microsoft Windows Server 2003 network that has a single domain named contoso.com. You would like to create a password policy that requires all passwords to have a minimumof eight characters. Which of the seven configurable areas in the Security Templates snap-in contains the settings that affect password policies?a. Account Policiesb. Local Policiesc. Restricted Groupsd. File System

122. You are network administrator of a Microsoft Windows Server 2003 network that must run a legacy payroll application, which is not certified by Microsoft. You install the application on a member server and apply theCompatws security template. A user named Maria, who is a member of the Local Users group, logs on to the server and attempts unsuccessfully to run the payroll application. What could you do to allow Maria to run thisapplication successfully?a. Make Marias user account a member of the Power Users group.b. Make Marias user account a member of the Domain Users group.c. Install the application on a domain controller, and apply the Compatws security template to the domain controller.d. Give Marias user account the right to log on locally to the member server.

123. Data on your network must be encrypted while it is stored on the network drives and while it is in transit across the network. You encrypted a file using EFS, but that is all you have done. Which of the following objectiveshave you met?a. The data will be encrypted only when it is stored on the disk.b. The data will be encrypted when it is stored on the disk and when it is in transit across the network.c. The data will be encrypted only when it is in transit across the network.d. The data will not be encrypted when it is stored on a disk or when it is in transit across the network.

124. You are a help desk administrator, and you just received a call from a user who complains that he is unable to encrypt a file that he just created. What is a possible reason the file cannot be encrypted?a. The file is stored on an NTFS file system partition.b. The file is located inside an unencrypted folder on an NTFS partition.c. Only the administrator can encrypt the file.

d. The file is stored on a FAT32 partition.

125. What is the result of copying a file encrypted using EFS to a folder located on a disk that is formatted using the FAT32 file system?a. The EFS encryption is lost.b. The file remains encrypted.c. An encrypted file cannot be copied from an NTFS file system partition to a FAT32 partition.d. The file remains encrypted; however, the owner is no longer able to access the file.

126. You create an unencrypted file named Test on an NTFS file system volume. Later you move the file Test into a folder that is encrypted. What effect will this move have on the file?

a. The Test file will inherit the encryption attribute of the destination folder.b. The Test file will not inherit the encryption attribute of the destination folder.c. You will be unable to move an unencrypted file into an encrypted folder.d. You will be prompted to choose whether the file will be encrypted after it is moved.

2/10/2015 70-291


127. You create a file in an encrypted folder. You later decide that multiple users must have access to this file and that encryption is no longer necessary. You move the file to an unencrypted folder and assign Read permission to

the Domain Users group. Members of the Domain Users group complain that they still cannot access the file. Which action should you take to allow the Domain Users group to access this file?a. Re-create the file in an unencrypted form.b. Restore a copy of the file from a tape backup.c. Assign the Domain Users group Read and Modify permissions for the file.d. Clear the encryption attribute for the file.

128. What command-line tool included with Microsoft Windows Server 2003 can be used to encrypt and decrypt a file or folder?a. Cipher utilityb. Secedit utilityc. Gpupdate utilityd. Encrypt utility

129. You have just been hired as the network administrator for Blue Yonder Airlines. The previous administrator left suddenly and did not provide information about the security configuration on your network. How can youeasily determine the current security settings for computers on your network with minimal administrative effort?a. Use the Microsoft Baseline Security Analyzer (MBSA).

b. Use the Security Configuration And Analysis snap-in.c. Run Secedit at the command line.d. Use the Security Templates snap-in.

130. You are the network administrator for a Microsoft Windows Server 2003 domain. All of your client computers run Microsoft Windows XP. While assisting a user, you notice that the user does not have to press

CTRL+ALT+DELETE to log on. You ask other users and learn that many of them do not have to use the CTRL+ALT+DELETE key sequence. To resolve this problem, you configure a Group Policy Object (GPO) withthe appropriate security settings on one of your Windows Server 2003 domain controllers. To test the new settings, you log on to the domain from one of the Windows XP client computers only to find that users are stillnot required to enter the CTRL+ALT+DELETE key sequence. What can you do to enforce the security settings immediately?a. Run the Refresh policy from the command line.b. Run Gpupdate /force from the command line.c. Run Secedit.d. Reboot the client computers.

131. You are the network administrator for a Microsoft Windows Server 2003 domain. You update several client computers from Microsoft Windows 98 to Microsoft Windows XP. After the update, the users report that theycan no longer run some of the applications they could use before the update. Which action can you take to allow the users to run all applications available before the update?a. Place the affected user accounts in the Administrator group.b. Apply the Securews security template to the upgraded computers, and place the affected user accounts in the Power Users group.c. Apply the Compatws security template to the upgraded computers, and place the affected user accounts in the Power Users group.d. Apply the Hisecws security template to the upgraded computers. No action is required for the user accounts.

132. The accounting manager of your company works with a file named Payroll, which contains very sensitive information. You must secure this file so that only the accounting manager can gain access to the data. Which featureof Microsoft Windows Server 2003 should you implement?a. NTFS file system permissionsb. Share permissionsc. EFSd. Compression

133. You have sensitive data in a network folder that is currently encrypted using EFS. The drive that the folder is stored on is low on space, and you would like to compress the contents of the folder. You compress the folderand all subfolders, but later you notice that the folder is not encrypted. How can you encrypt a folder using EFS and compress the contents to conserve disk space?

a. This cannot be accomplished. Encryption and compression are mutually exclusive.b. You must compress the folder first, and then encrypt it.c. Compress the folder, and then encrypt each file in the folder individually.d. Move the folder to an NTFS file system partition.

134. Which of the following best describes the purpose of authorization?a. Authorization is used to prove you are who you say you are.

2/10/2015 70-291


b. Authorization is used to determine what you can do on the network after you are authenticated.c. Authorization is used to keep data secret.d. Authorization is used to ensure that the data received is the same as the data sent.

135. You must encrypt data while it is stored on a disk and while it is in transit across the network. You have implemented EFS to encrypt the data while it is stored on the disk. Which additional technology should youimplement to encrypt the data while it is in transit across the network?a. IPSecb. Secedit utilityc. Cipher utilityd. Compress utility

136. Security configuration tools includes three snap-ins. Which of the following is not a security configuration tool?a. Security Configuration And Analysis snap-in

b. Security Templates snap-inc. Group Policy snap-ind. Security Analyzer snap-in

137. The Secedit command-line tool provides an administrator with the ability to perform functions similar to those that can be performed using the Security Configuration And Analysis snap-in. Which function cannot beperformed using Secedit?a. Configureb. Authenticatec. Analyzed. Generate rollback

138. You are the administrator of the contoso.com domain, and you would like to apply the principle of least privilege on your network by performing your day-to-day tasks logged on to the network using an account that doesnot have administrative privileges. Certain functions that you perform daily, however, require administrative privileges, and you would like to be able to accomplish these tasks without having to provide additionalcredentials. How could you accomplish specific administrative tasks without having to provide additional user credentials?a. Create a shortcut that performs the Run As function for the particular task that you would like to perform.b. Create a shortcut that logs you off the network and back on as the domain administrator.c. Right-click the task you would like to perform, and then choose Run As. When prompted to provide credentials, press ESC.d. This cannot be accomplished.

139. An employee named Maria encrypted a folder that was stored locally on her computer and that contained several important files. Maria recently left the company without unencrypting the folder or providing anyone withher private key. What is the recommended method for recovering the encrypted data?a. Have the recovery agent install his private key on Marias computer, and then remove the encryption attributes from the folder.b. Send the file to the recovery agents computer, and then remove the encryption attributes from the folder.c. Copy the file to a FAT32 partition.d. The encrypted folder cannot be recovered.

140. Which type of security attack is designed to prevent the normal use of computers or network resources?a. Packet sniffingb. DoS attackc. Man-in-the-middle attackd. Identity spoofing

141. Which of the following best describes the function of IKE?a. A standard that defines the mechanism for establishing SAsb. A standard that defines the mechanism for logging on to the Internetc. Public and private key exchange for EFS encryptiond. None of the above

142. IPSec requires that communication partners authenticate before transmitting data. What can be used to establish mutual authentication between two hosts when neither host uses Kerberos for authentication?

2/10/2015 70-291


a. NATb. EFSc. Public key certificatesd. E-mail

143. Which of the following is a command-line tool that is included in Microsoft Windows Server 2003 and can be used to monitor and manage IPSec?a. Pingb. Netshc. Oakley log

d. Event Viewer

144. You are the network administrator for a Microsoft Windows Server 2003 network that has clients running Microsoft Windows XP and Microsoft Windows 2000. You configure IPSec policies on all of the computers sonetwork traffic will be encrypted. You later discover that some, but not all, traffic is encrypted. Which of the following is the most likely reason that IPSec does not encrypt some of the traffic?a. Client computers are configured to use the Client (Respond Only) policy, not the Server (Request Security) policy.b. Servers are configured to use the Server (Request Security) policy, but not the Secure Server policy.c. Client computers are configured to use the Secure Server policy.d. Clients are configured to use the Server policy, not the Client policy.

145. Your domain consists of servers running Microsoft Windows Server 2003, clients running Microsoft Windows XP Professional, and clients running Microsoft Windows 98. Your company recently started a confidentialresearch project and all network communication related to this project must be encrypted using IPSec. All of the client computers for employees working on this project run Windows 98. After installing the server for theproject, you configure the Secure Server (Require Security) policy and apply the policy to the server using the local security policies. You then apply the Client (Respond Only) policy to the OU that contains all of the clientcomputers that are involved in this project. You discover that none of the Windows 98 clients are able to communicate with the server. What additional step must you take to allow the clients running Windows 98 tocommunicate with the server?a. Apply the Server (Request Security) policy to the client computers.b. Download the legacy IPSec client for Windows 98 from the Microsoft Web site.c. Start the IPSec Policy Agent.d. Install Network Monitor on the client computers running Windows 98.

146. You are the network administrator for a mixed-mode domain. Your network has four servers running Microsoft Windows Server 2003 and three servers running Microsoft Windows 2000. Your client computers runMicrosoft Windows 2000 Professional. Which of these computers can use Netsh to configure IPSec policies?

a. The servers running Windows Server 2003 and Windows 2000b. The client computers running Windows 2000c. The servers running Windows Server 2003 onlyd. The servers running Windows 2000 only

147. You want to analyze the main mode IPSec statistics on a member server that runs Microsoft Windows Server 2003 in your domain. The server is accessed frequently by a large number of clients, and you know there willbe a lot of statistical information. Which utility can you use to log this information for future analysis?a. Use the Netsh command-line utility.b. Use the Netdiag command-line utility.c. Use IP Security Monitor.d. Use RSoP.

148. Your network consists of a single Active Directory domain and three stand-alone servers that run Microsoft Windows 2000 Advanced Server. You configure IPSec policy to require that all communication is encrypted,and you apply the policy using Group Policy at the domain level. You discover that client computers in the domain cannot communicate with the stand-alone servers. What can you do to allow computers on the network tocommunicate with the stand-alone servers using IPSec?a. Upgrade the stand-alone servers to Microsoft Windows Server 2003.b. Implement local security policy on the stand-alone computers that require encryption for communication.c. Use Group Policy to apply Secure Server policy to the stand-alone servers.d. Create a separate domain and make the three stand-alone servers domain controllers.

149. You are the network administrator for a Microsoft Windows Server 2003 domain. You configured local security on all client and server computers with the Server (Request Security) policy. You later discover that all

2/10/2015 70-291


communication is unencrypted. What is the reason that encryption is not being used?a. A security policy has been applied using Group Policy at the domain level that does not require the use of IPSec encryption.b. Local security policies do not affect computers that are members of a domain.c. The local security policies should have been configured to use the Client (Respond Only) default security policy.d. Local security policies cannot require IPSec encryption.

150. Your Microsoft Windows Server 2003 network consists of one domain, contoso.com, and three OUs named Atlanta, New York, and Los Angeles. The Secure Server (Require Security) policy using the defaultauthentication has been applied at the domain level for contoso.com. Users in the Atlanta OU can no longer communicate with clients or servers in the New York or Los Angeles OUs. Which of the following is preventingthe communication?a. The administrator for the Atlanta domain has applied the Client (Respond Only) IPSec policy; this policy has been configured to require the use of certificates for authentication to

the Atlanta OU.

b. Security policy has been applied at the domain level when it should be applied at the OU level.c. The administrator for the Atlanta domain has applied the Server (Request Security) IPSec policy using Kerberos for authentication to the Atlanta OU.d. The administrator for the Atlanta domain has applied the Secure Server (Require Security) IPSec policy using Kerberos for authentication to the Atlanta OU.

151. You recently upgraded your server running Microsoft Windows 2000 to Microsoft Windows Server 2003. Your network utilizes IPSec for encryption. You would like to view the details of your IPSec policies. At thecommand line, you type ipsecmon and receive an error. You know that this worked before you upgraded the operating system. What can you do to view information about the IPSec policies that are active on yournetwork?a. Download the Ipsecmon utility from the Microsoft Web site.b. Run IPSec Policy Agent from the command line.c. Add the IP Security Monitor MMC snap-in.d. Add the RSoP MMC snap-in.

152. Which tool included in Microsoft Windows Server 2003 can be used to view IPSec policies that are assigned but not applied to IPSec clients?a. Ipsecmonb. RSoPc. IP Security Monitord. Ipconfig

153. Which tool included in Microsoft Windows Server 2003 can be used to view information related to IKE events?a. Event Viewer security logb. Performance Logs And Alertsc. Replmond. Event Viewer audit log

154. To encrypt network traffic, you implement IPSec on your network. You would like to record and view events related to SA establishment. Which steps can you take to record and view SA establishment events?a. Enable the Oakley log in the Microsoft Windows Server 2003 registry.

b. Configure IPSec to log SA events to the Event Viewer audit log.c. Configure IPSec to log SA events to a Microsoft Excel spreadsheet.d. Enable the Oakley log in Windows Server 2003 Administrative Tools.

155. You are the network administrator for the contoso.com domain. IPSec policy has been defined and implemented on your network to ensure that all communication is encrypted. You have not installed the IP SecurityMonitor snap-in, but you need to display the active state of IPSec policies on your network. How can this be accomplished without installing additional snap-ins?a. Run Ipsecmon from the command line.b. Use Netsh in dynamic mode to view the active state of IPSec policies.c. Use Netsh in static mode to view the active state of IPSec policies.d. This cannot be accomplished without adding the IP Security Monitor snap-in.

156. You are the network administrator for Litware, Inc., and you are responsible for the IPSec policies for the corporate network. After making several changes to your IPSec policy, you notice that all communication on yournetwork immediately ceases. For the policy change to have taken place immediately, which tool must you have used to implement the changes to the IPSec policy?a. Netsh in dynamic mode

2/10/2015 70-291


b. Netsh in static modec. IP Security Monitor snap-ind. Group Policy

157. You are the network administrator for the contoso.com domain. Your network consists of a Microsoft Windows Server 2003 domain. Your corporate security policy requires that all communication be encrypted usingIPSec. Your company has a partnership with Litware, Inc. Litware users must communicate with Contoso users; however, the Litware users are not members of the Contoso domain, and you are not certain about whichoperating system the Litware computers run. How should you configure authentication so that all communication is encrypted?a. Configure both Contoso and Litware policies to use X.509 certificates for authentication.b. Configure both Contoso and Litware policies to use NTLM for authentication.c. Configure Contoso to use Kerberos for authentication, and configure Litware to use X.509 certificates for authentication.d. Use the default authentication settings for both Litware and Contoso.

158. Your Microsoft Windows Server 2003 network uses IPSec to encrypt data communications. Client computers run either Microsoft Window XP Professional or Microsoft Windows 2000 Professional. You determine thatsome, but not all, communication is encrypted using IPSec. You would like to view the active IPSec policies that are in effect on each computer. Which tool included in Windows Server 2003 will allow you to view theactive IPSec policies applied to each type of computer?a. Ipsecmon

b. Netdiagc. IP Security Monitord. RSoP

159. Your corporate network contains 10 servers running Microsoft Windows Server 2003. Client computers run either Microsoft Windows XP Professional or Microsoft Windows NT 4. You applied the Secure Server(Require Security) IPSec policy to the OU that contains the servers, and you applied the Client (Respond Only) IPSec policy to the OU that contains the client computers. Some, but not all, users of client computers reportthat they can no longer access the network. What should you do to resolve this problem?a. Upgrade the client computers running Windows NT 4 to run Windows XP Professional.b. Apply the Server (Request Security) IPSec policy to the OU that contains the client computers.c. Apply the Secure Server (Require Security) IPSec policy to the OU that contains the client computers.d. Apply the Server (Request Security) IPSec policy to the OU that contains all of the network servers.

160. Which feature of IPSec is responsible for negotiating a mutual set of security requirements between communication partners?a. ISAKMPb. IKEc. IPSec policy agentd. IPSec SA

161. Which protocol does IPSec use to provide authentication, integrity, and anti-replay for both the IP header and the data payload?a. ESPb. IKEc. AH protocold. Kerberos

162. You are responsible for securing communication between your corporate office in Atlanta and a branch office in Orlando. Both offices utilize internal IP addressing and NAT. How must you configure IPSec to successfullysecure traffic between these two sites?a. Configure IPSec to operate in tunnel mode.b. Configure IPSec to operate in transport mode.c. NAT cannot be used in conjunction with IPSec.

d. Configure IPSec to operate in NAT mode.

163. You are the security administrator of contoso.com, and you have been asked to secure all network communication, including communication with the Active Directory directory service during the computer startup process.You have applied the Secure Server (Require Security) security policy. Which additional step should you take to ensure that communication is encrypted using IPSec?a. Configure an IPSec policy that encrypts all Active Directory traffic, and use Group Policy to apply the policy.b. Configure a persistent policy that requires traffic to Active Directory to always be secured by IPSec.c. Configure the local security policy on all client and server computers to require encryption for all Active Directory traffic.

2/10/2015 70-291


d. IPSec cannot be used to secure Active Directory traffic.

164. What is the function of ESP?a. ESP provides certificate-based security for communicating hosts.

b. ESP provides confidentiality, authentication, integrity, and anti-replay for the IP payload only.c. ESP provides confidentiality, authentication, integrity, and anti-replay for the IP payload and the packet header.d. ESP is responsible for encrypting the packet header only.

165. Which service works with Automatic Updates to provide timely critical and noncritical system updates that can include security patches, updated drivers, and other recommended files?a. Software Updatesb. Microsoft Updatesc. Windows Updated. System Updates

166. SUS maintains several logs for monitoring purposes. Which log tracks approved and unapproved content?a. Content logb. Download logc. Synchronization logd. Approval log

167. Which protocol do client computers use to connect to the SUS server?a. RPCb. HTTPc. SUSd. RDP

168. Which feature available through Windows Update can you use to determine whether a particular hardware device is designed for use with your server that runs Microsoft Windows Server 2003?a. Windows Updateb. Automatic Updatesc. Windows Update Catalogd. Hardware Update

169. Which step must you take to install SUS on a server running Microsoft Windows Server 2003?a. Add the Software Update Services snap-in from the Microsoft Management Console.b. Add SUS installation files from Windows Support Tools, which is located on the Windows Server 2003 installation CR-ROM.c. Download the software installation files from the Microsoft Web site.d. No additional steps are necessary; SUS installs by default.

170. You configured all of your clients running Microsoft Windows XP Professional and servers running Microsoft Windows Server 2003 to automatically interact with the Windows Update Web site. You notice that all of theclient computers have an informative message stating, Updates for your computer have been downloaded from Windows Update. Click here to review these updates and to install them. It was not your intention to allowusers to decide which updates to install or when the updates will be installed. How can you configure your client computers to maintain the latest service packs and security patches without user interaction?a. Use Group Policy to enable the No Auto-Restart option for all domain computers.b. Configure the Automatic Updates settings on the clients running Windows XP Professional and the servers running Windows Server 2003 to Automatically Download The Updates

And Install Them On The Schedule That I Specify.c. Configure the Automatic Updates settings only on the servers that run Windows Server 2003 to Automatically Download The Updates, And Install Them On The Schedule That I

Specify. The servers will then update the clients when they restart.d. Have the users log on as local administrators, and the updates will be automatically installed.

171. You are the network administrator for Contoso, Ltd. You would like to configure one of your servers to automatically download updates from the Windows Update site. You log on to the server as the local administratorand open the Automatic Updates option in Control Panel, but all of the options appear dimmed. What could be the reason the Automatic Updates options are unavailable?a. You must be logged on as the domain administrator to set Automatic Updates option.b. You must open the Automatic Updates page in Administrative Tools rather than in Control Panel to configure Automatic Updates settings.

2/10/2015 70-291


c. Automatic Updates settings have been configured and assigned at the domain level using Group Policy.d. The server you are attempting to configure does not support Automatic Updates.

172. What is the recommended minimum level of RAM for a SUS server?

a. 512 MBb. 256 MBc. 1 GBd. 128 MB per SUS client

173. You are asked to install SUS on one of your Microsoft Windows 2000 domain controllers. Using a default Windows 2000 Advanced Server install and a CD that contains the SUS 1 Service Pack 1 installation files, youattempt unsuccessfully to set up the domain controller as a SUS server. Which step should you take to accomplish this task?a. SUS cannot be installed on a server running Windows 2000. The server must be upgraded to Microsoft Windows Server 2003.b. Reboot the server, and log on as the domain administrator.c. Install Service Pack 2 or higher on the server that runs Windows 2000.d. Upgrade the Windows 2000 Advanced Server to Microsoft Windows 2000 Datacenter.

174. A server that runs Microsoft Windows Server 2003 is configured as a SUS server. One of your coworkers needs to make configuration changes to SUS, but is unsure how to access the configuration options for it. Whatinstruction could you give to help your coworker make the configuration changes to the SUS server?a. Open the SUS page in Control Panel.b. Open the SUS page in My Computer.c. Open a Web browser, and enter http://susadmin in the Address box.d. Open a Web browser, and enter http://localhost/susadmin in the Address box.

175. You configured two SUS servers. Server A is configured to synchronize with the Windows Update site, and Server B is configured to synchronize with Server A. Client computers that are correctly configured to receiveupdates from Server B are not receiving any updates. While troubleshooting this problem, you realize that even though Server B is configured correctly, it does not receive updates from Server A. Which of the following isa likely cause of this problem?a. Server A is not configured to store updates locally.b. Server B is configured to store updates locally.

c. Updates are not marked as approved on Server B.d. Server B is configured with Server A as its synchronization server.

176. You configured a server running Microsoft Windows Server 2003 as a SUS server that will synchronize with the Windows Update site. The Automatic Updates process functions properly, but you are surprised to noticethat the SUS\Content directory is empty. What is the most likely reason that the SUS\Content directory is empty?a. The SUS server is configured to maintain updates locally.b. The Windows Update site does not contain any update files.c. The SUS server is configured to maintain the updated content on microsoft.com.d. Client computers have already downloaded and deleted the update files.

177. You configured a SUS server to synchronize with the Windows Update site daily at 7:00 A.M., and you configured the server to store the updates locally. Your client computers are scheduled to run Automatic Updates at12:00 P.M. daily while employees are at lunch. When you arrive at work at 8:00 A.M., one of your coworkers informs you that the contents of one of the SUS\Contents directories were accidentally deleted and that acritical security update was released this morning. The client computers must receive the security update as soon as possible. With the least amount of administrative effort, which steps could you take to allow the clientcomputers to download the critical update from the SUS server at the scheduled 12:00 P.M. time?a. Open the Software Update Services Administration Web page, and choose Schedule Synchronization from the Synchronize Server options. Schedule the SUS server to

synchronize at 12:00 P.M.b. Open the Software Update Services Administration Web page, and choose Synchronize Now from the Synchronize Server options.c. Copy the SUS\Contents file from one of the SUS clients that successfully synchronized with the SUS server prior to the deletion of the Contents folder.d. Manually configure all client computers to contact the Windows Update site for Automatic Updates.

178. Your client computers are configured to automatically download and install updates from a SUS server located on your local network. Client computers contact the SUS server, but they do not find available updates. Youare certain that the SUS server downloaded new, critical updates this morning. What could be the reason the client computers do not receive the new critical updates?a. Updates have not been marked as approved on the SUS clients.b. The Windows Update site was not available when clients contacted the SUS server.

2/10/2015 70-291


c. The client computers run Microsoft Windows XP Professional with Service Pack 1.d. Updates have not been marked as approved on the SUS server.

179. You are the network administrator for the litware.com domain. SUS has been deployed on your network so that all client computers receive critical updates from a SUS server named Server 1, which runs MicrosoftWindows 2000. For disaster recovery purposes, you back up your SUS server every Friday. Because the number of client computers on your network has increased, you must install a new, more powerful SUS server.After purchasing and installing the Windows 2000 operating system and SUS on the new server, named Server 2, you attempt unsuccessfully to restore the SUS backup file that was created the previous Friday. What isthe most likely reason you are unable to restore the SUS backup?a. A SUS restore can be performed only on a server with the same name as the server that was used to create the backup file.b. A SUS backup file can be restored only on the same computer that was used to create the backup file.c. A SUS restore can be performed only on a server running Microsoft Windows Server 2003.d. SUS does not support the restore process.

180. You are the network administrator for a Microsoft Windows Server 2003 domain with 1500 client computers. You would like all client computers and servers to automatically download updates from a SUS server namedSUS1, which is located on your local domain. With the least amount of administrative effort, how would you configure all computers in your domain to automatically contact SUS1 for updates?a. Configure Group Policy at the domain level so that all client computers contact SUS1 for Automatic Updates.b. Configure Group Policy at the OU level so that all client computers contact SUS1 for Automatic Updates.c. Configure each client computer to contact the Windows Update site using the Automatic Updates settings in Control Panel.d. Configure each client computer to contact SUS1 using the Automatic Updates settings in Control Panel.

181. You configured Group Policy at the domain level to force client computers to automatically contact a local SUS server daily to download any new update files that are available. To avoid interrupting employees, you do notwant client computers to automatically restart, even when res

Documents

70-291