TestKing 70-293 v21

70-293

Planning and Maintaininga Microsoft Windows Server 2003 Network Infrastructure

Version 21.0

¨

70 - 293

Leading the way in IT testing and certification tools, www.testking.com

- 2 -

Important Note, Please Read Carefully

Study Tips This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material For this exam TestKing also provides: * Online Testing. Practice the questions in an exam environment. Try a demo: http://www.testking.com/index.cfm?pageid=724* Study Guide. Concepts and labs. Provides a foundation of knowledge.

Latest Version We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing an update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com2. Click on Member zone/Log in3. The latest versions of all purchased products are downloadable from here. Just click the links.

For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

FeedbackFeedback on specific questions should be send to [email protected]. You should state: Exam number and version, question number, and login ID.

Our experts will answer your mail promptly.

CopyrightEach pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.

http://www.testking.com

http://www.testking.com/index.cfm?pageid=724


mailto:[email protected]

70 - 293


- 3 -

Table of Contents

Table of Contents.................................................................................................................................................... 3 Topic 1: Planning and Implementing Server Roles and Server Security (21 Questions)....................................... 6

Part 1: Configure security for servers that are assigned specific roles. (3 questions) ........................................ 6Part 2: Plan a secure baseline installation. .......................................................................................................... 9

A: Plan a strategy to enforce system default security settings on new systems. (2 questions)....................... 9 B: Identify client operating system default security settings. (1 question)................................................... 12C: Identify all server operating system default security settings. (1 question)............................................. 13

Part 3: Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers....................................................................................................... 14

A: Deploy the security configuration for servers that are assigned specific roles. (8 questions) ................. 14 B: Create custom security templates based on server roles. (5 questions) ................................................... 24

Part 4: Evaluate and select the operating system to install on computers in an enterprise. (1 question).......... 30 Topic 2: Planning, Implementing, and Maintaining a Network Infrastructure (36 Questions)............................ 32

Part 1: Plan a TCP/IP network infrastructure strategy...................................................................................... 32 A: Analyze IP addressing requirements. (2 questions)................................................................................. 32 B: Plan an IP routing solution. (1 question).................................................................................................. 34 C: Create an IP subnet scheme. (2 questions)............................................................................................... 35

Part 2: Plan and modify a network topology. ................................................................................................... 37 A: Plan the physical placement of network resources. (1 question) ............................................................. 37B: Identify network protocols to be used. (1 question)................................................................................. 39

Part 3: Plan an Internet connectivity strategy. (1 question) .............................................................................. 39 Part 4: Plan network traffic monitoring. Tools might include Network Monitor and System Monitor. (1 question)............................................................................................................................................................ 42 Part 5: Troubleshoot connectivity to the Internet. ............................................................................................ 44

A: Diagnose and resolve issues related to Network Address Translation (NAT). (0 questions).................. 44 B: Diagnose and resolve issues related to name resolution cache information. (0 questions) ..................... 44 C: Diagnose and resolve issues related to client configuration. (0 questions).............................................. 44

Part 6: Troubleshoot TCP/IP addressing........................................................................................................... 44 A: Diagnose and resolve issues related to client computer configuration. (2 questions) ............................. 44 B: Diagnose and resolve issues related to DHCP server address assignment. (7 questions)........................ 47

Part 7: Plan a host name resolution strategy. .................................................................................................... 59 A: Plan a DNS namespace design. (0 questions).......................................................................................... 59 B: Plan zone replication requirements. (2 question)..................................................................................... 59 C: Plan a forwarding configuration. (3 question) ......................................................................................... 62 D: Plan for DNS security. (2 questions) ....................................................................................................... 65 E: Examine the interoperability of DNS with third-party DNS solutions. (3 questions) ............................. 67

Part 8: Plan a NetBIOS name resolution strategy............................................................................................. 73 A: Plan a WINS replication strategy. (0 questions)...................................................................................... 73 B: Plan NetBIOS name resolution by using the Lmhosts file. (0 questions)................................................ 73

Part 9: Troubleshoot host name resolution. ...................................................................................................... 73 A: Diagnose and resolve issues related to WINS and DNS services. (7 questions)..................................... 73


70 - 293


- 4 -

B: Diagnose and resolve issues related to client computer configuration. (1 questions) ............................. 81 Topic 3: Planning, Implementing and Maintaining Routing and Remote Access (17 Questions) ....................... 83

Part 1: Plan a routing strategy........................................................................................................................... 83 A: Identify routing protocols to use in a specified environment. (1 question) ............................................. 83 B: Plan routing for IP multicast traffic. (0 questions)................................................................................... 84

Part 2: Plan security for remote access users. ................................................................................................... 84 A: Plan remote access policies. (3 questions)............................................................................................... 84 B: Analyze protocol security requirements. (0 questions)............................................................................ 88 C: Plan authentication methods for remote access. (8 questions)................................................................. 88

Part 3: Implement secure access between private networks. ............................................................................ 98 A: Create and implement secure VPN connections. (1 question)................................................................. 98B: Create and implement an IPSec policy. (2 questions)............................................................................ 100

Part 4: Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor. (2 questions)............................................................................................. 103

Topic 4: Planning, Implementing, and Maintaining Server Availability (24 Questions)................................... 106 Part 1: Plan services for high availability. ...................................................................................................... 106

A: Plan a high availability solution that uses clustering services. (3 questions) ........................................ 106 B: Plan a high availability solution that uses Network Load Balancing. (3 questions).............................. 108

Part 2: Identify system bottlenecks, including memory, processor, disk, and network related bottlenecks. (5 questions) ........................................................................................................................................................ 112 Part 3: Implement a cluster server. (4 questions)............................................................................................ 119 Part 4: Manage Network Load Balancing. Tools might include the Network Load Balancing Monitor Microsoft Management Console (MMC) snap-in and the WLBS cluster control utility. (4 questions) ........ 124 Part 5: Plan a backup and recovery strategy. .................................................................................................. 129

A: Identify appropriate backup types. Methods include full, incremental, and differential. (1 question).. 129 B: Plan a backup strategy that uses volume shadow copy. (1 question)..................................................... 131 C: Plan system recovery that uses Automated System Recovery (ASR). (3 questions)............................. 132

Topic 5: Planning and Maintaining Network Security (19 Questions)............................................................... 137 Part 1: Configure network protocol security................................................................................................... 137

A: Configure protocol security in a heterogeneous client computer environment. (0 questions) .............. 137 B: Configure protocol security by using IPSec policies. (0 questions) ...................................................... 137

Part 2: Configure security for data transmission. (0 questions)...................................................................... 137 Part 3: Plan for network protocol security. ..................................................................................................... 137

A: Specify the required ports and protocols for specified services. (3 questions)...................................... 137 B: Plan an IPSec policy for secure network communications. (2 questions) ............................................. 140

Part 4: Plan secure network administration methods. ..................................................................................... 143 A: Create a plan to offer Remote Assistance to client computers. (1 question) ......................................... 143 B: Plan for remote administration. (1 question).......................................................................................... 145

Part 5: Plan security for wireless networks. (3 questions) .............................................................................. 146 Part 6: Plan security for data transmission...................................................................................................... 151

A: Secure data transmission between client computers to meet security requirements. (2 questions)....... 151 B: Secure data transmission by using IPSec. (7 questions) ........................................................................ 153

Part 7: Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in. (0 questions)........................................................ 165


70 - 293


- 5 -

Topic 6: Planning, Implementing, and Maintaining Security Infrastructure (26 Questions) ............................. 166 Part 1: Configure Active Directory directory service for certificate publication. (3 questions)..................... 166 Part 2: Plan a public key infrastructure (PKI) that uses Certificate Services. ................................................ 169

A: Identify the appropriate type of certificate authority to support certificate issuance requirements. (3 questions) .................................................................................................................................................... 169 B: Plan the enrollment and distribution of certificates. (8 questions)......................................................... 175C: Plan for the use of smart cards for authentication. (6 questions) ........................................................... 185

Part 3: Plan a framework for planning and implementing security. ............................................................... 195A: Plan for security monitoring. (3 questions)............................................................................................ 195 B: Plan a change and configuration management framework for security. (0 questions) .......................... 198

Part 4: Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. (3 questions) ....................................................................................... 198

Topic 7: Miscellaneous (34 Questions) .............................................................................................................. 202

Total Number of Questions: 177


70 - 293


- 6 -

Topic 1: Planning and Implementing Server Roles and Server Security (21 Questions)

Part 1: Configure security for servers that are assigned specific roles. (3 questions)

QUESTION NO: 1 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The network contains two Windows Server 2003 domain controllers, two Windows 2000 Server domain controllers, and two Windows NT Server 4.0 domain controllers.

All file servers for the finance department are located in an organizational unit (OU) named Finance Servers. All file servers for the payroll department are located in an OU named Payroll Servers. The Payroll Servers OU is a child OU of the Finance Servers OU.

TestKing�s written security policy for the finance department states that departmental servers must have security settings that are enhanced from the default settings. The written security policy for the payroll department states that departmental servers must have enhanced security settings from the default settings, and auditing must be enabled for file or folder deletion.

You need to plan the security policy settings for the finance and payroll departments.

What should you do?

A. Create a Group Policy object (GPO) to apply to the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.

B. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.

C. Create a Group Policy object (GPO) to apply to the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to apply the Hisecws.inf security template to computer objects, and link it to the Payroll Servers OU.

D. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and link it to the Finance Servers and to the Payroll Servers OUs. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.


70 - 293


- 7 -

Answer: B Explanation:The Securews.inf template contains policy settings that increase the security on a workstation or member server to a level that remains compatible with most functions and applications. The template includes many of the same account and local policy settings as Securedc.inf, and implements digitally signed communications and greater anonymous user restrictions.

Audit Object Access A user accesses an operating system element such as a file, folder, or registry key. To audit elements like these, you must enable this policy and you must enable auditing on the resource that you want to monitor. For example, to audit user accesses of a particular file or folder, you display its Properties dialog box with the Security tab active, navigate to the Auditing tab in the Advanced Security Settings dialog box for that file or folder, and then add the users or groups whose access to that file or folder you want to audit.

Incorrect Answers: A, C: The Compatws.inf security template is designed for Windows NT compatible applications that require

lower security settings in order to run. These settings are lower than the default settings. D: The Payroll Servers OU is a child OU of the Finance Servers OU. GPO settings applied to parent OUs are

inherited by child OUs; therefore we don�t need to link the GPO to both the Finance Servers OU and the Payroll Servers OU.

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 9 and 10.

QUESTION NO: 2 You are the network admin for TestKing. Your network contains 50 application servers that run Windows Server 2003.

The security configuration of the application servers is not uniform. The application servers were deployed by local administrators who configured the setting for each of the application servers differently based on their knowledge and skill. The application servers are configured with different authentication methods, audit settings and account policy settings.

The security team recently completed a new network security design. The design includes a baseline configuration for security settings on all servers. The baseline security settings use the hisecws.inf predefined security template. The design also requires modified settings for servers in an application server role. These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. The security team created a security template named application.inf that contains the required settings.


70 - 293


- 8 -

You need to plan the deployment of the new security design. You need to ensure that all security settings for the application servers are standardized, and that after the deployment, the security settings on all application servers meet the design requirements. What should you do?

A. Apply the setup security.inf template first, the hisecws.inf template next, and then the application.inf template

B. Apply the Application.inf template and then the Hisecws.inf template. C. Apply the Application.inf template first, then setup.inf template next, and then the hisecws.inf template D. Apply the Setup.inf template and then the application.inf template

Answer: A. Explanation:The servers currently have different security settings. Before applying our modified settings, we should reconfigure the servers with their default settings. This is what the security.inf template does. Now that our servers have the default settings, we can apply our baseline settings specified in the hisecws.inf template. Now we can apply our custom settings using the application.inf template.

Incorrect Answers: B: The hisecws.inf template would overwrite the custom application.inf template. C: Same as answer A. Also, the setup.inf security template doesn�t exist. To return a system to its default

security settings, we use the security.inf template. D: The setup.inf security template doesn�t exist. To return a system to its default security settings, we use the

security.inf template.

Reference:Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

QUESTION NO: 3 Your network contains Terminal servers that host legacy applications that require users to be members of the Power Users group in order to run them.

A new company policy states that the Power Users Group must be empty on all servers. You need to maintain the ability to run legacy applications on your servers when the new security requirement is enabled.

What should you do?

A. Add the domain users global group to the Remote Desktop Users built-in group in the domain B. Add the domain users global group to the Remote Desktop Users local group on each terminal server


70 - 293


- 9 -

C. Modify the compatws.inf security template settings to allow members of the local users group to run the applications. Import the security settings into the default Domain Controllers Group Policy Object.

D. Modify the compatws.inf security template settings to allow members of the local users group to run the applications. Apply the modified template to each terminal server

Answer: D Explanation:The default Windows 2000 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have security settings that are compatible with Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to run in the standard Windows environment for Users, while still allowing applications that are not certified for Windows 2000 to run successfully under the less secure Power Users configuration. However, if Windows 2000 users are members of the Power Users group in order to run applications not certified for Windows 2000, this may be too insecure for some environments. Some organizations may find it preferable to assign users, by default, only as members of the Users group and then decrease the security privileges for the Users group to the level where applications not certified for Windows 2000 run successfully. The compatible template (compatws.inf) is designed for such organizations. By lowering the security levels on specific files, folders, and registry keys that are commonly accessed by applications, the compatible template allows most applications to run successfully under a User context. In addition, since it is assumed that the administrator applying the compatible template does not want users to be Power Users, all members of the Power Users group are removed.

Incorrect Answers: A, B: Global group is a group that is available domainwide in any domain functional level, so why would you

add to another group. C: The Compatws.inf template is not intended for domain controllers, so you should not link it to a site, to the

domain, or to the Domain Controllers OU

Reference:Dan Holme, and Orin Thomas MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Glossary.

Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Chapter 9.

Part 2: Plan a secure baseline installation.

A: Plan a strategy to enforce system default security settings on new systems. (2 questions)


70 - 293


- 10 -

QUESTION NO: 1 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains an organizational unit (OU) named Servers that contains all of TestKing�s Windows Server 2003 resource servers. The domain also contains an OU named Workstations that contains all of TestKing�s Windows XP Professional client computers.

You configure a baseline security template for resource servers named Server.inf and a baseline security template for client computers named Workstation.inf. The Server.inf template contains hundreds of settings, including file and registry permission settings that have inheritance propagation enabled. The Workstation.inf template contains 20 security settings, none of which contain file or registry permissions settings.

The resource servers operate at near capacity during business hours.

You need to apply the baseline security templates so that the settings will be periodically enforced. You need to accomplish this task by using the minimum amount of administrative effort and while minimizing the performance impact on the resource servers.

What should you do?

A. Create a Group Policy object (GPO) and link it to the domain. Import both the Server.inf and the Workstation.inf templates into the GPO.

B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy Group Policy object (GPO).

C. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Create a Group Policy object (GPO) and link it to the Workstations OU. Import the Workstation.inf template into the GPO.

D. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO).

Answer: C Explanation:The question states that you need to apply the baseline security templates so that the settings will be periodically enforced. To accomplish this you must create a scheduled task so that the performance impact on resource servers is minimized. The question also states that Workstation.inf is a baseline security template for client computers. Therefore, the GPO has to be linked to the OU that contains the client computers, and the Workstation.inf template must be imported to the said GPO so that it can be applied.


70 - 293


- 11 -

Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in scripts and batch files to automate security template deployments.

You can create a baseline security configuration in a GPO directly, or import a security template into a GPO. Link the baseline security GPO to OUs in which member servers� computer objects exist.

Incorrect Answers: A: GPOs process security templates from the bottom up; therefore, by import both the Server.inf and the

Workstation.inf templates into a single GPO, we would ensure that the settings in the security template imported last are applied in cases where there are conflicting settings. If we apply this to the domain, then all computers would have the same settings.

B, D: The Default Domain Policy Group Policy object (GPO) is applied only to the Domain Controllers group.

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 10.

Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 9.

QUESTION NO: 2 You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 80 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed.

TestKing is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers.

You are planning a baseline security configuration for the Web servers. The company�s written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled:

SMTPTelnet

Your plan for the baseline security configuration for Web servers must comply with the written security policy.

You need to ensure that unnecessary services are always disabled on the Web servers.


70 - 293


- 12 -

What should you do?

A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU.

B. Create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Web Servers OU.

C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU.

D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU.

Answer: C Explanation:Windows Server 2003 installs a great many services with the operating system, and configures quite a few with the Automatic startup type, so that these services load automatically when the system starts. Many of these services are not needed in a typical member server configuration, and it is a good idea to disable the ones that the computer doesn�t need. Services are programs that run continuously in the background, waiting for another application to call on them. Instead of controlling the services manually, using the Services console, you can configure service parameters as part of a GPO. Applying the GPO to a container object causes the services on all the computers in that container to be reconfigured. To configure service parameters in the Group Policy Object Editor console, you browse to the Computer Configuration\Windows Settings\Security Settings\System Services container and select the policies corresponding to the services you want to control.

Incorrect Answers: A: The logon script would only run when someone logs on to the web servers. It�s likely that the web servers

will be running with no one logged in. B: The Hisecws.inf security template is designed for workstations, not servers. D: The startup script would only run when the servers are restarted. A group policy would be refreshed at

regular intervals.


B: Identify client operating system default security settings. (1 question)

QUESTION NO: 1 You are the network admin for TestKing. All servers run Windows Server 2003.


70 - 293


- 13 -

Every week, you run the mbsacli.exe /hf command to ensure that all servers have the latest critical updates installed. You run the mbsaclie.exe /hf command from a server named server1.

When you scan a server named TestKingB you receive the following error message stating Error 200, System not found, Scan failed.

When you ping TestKingB you receive a reply.

You need to ensure that you can scan TestKingB by using the mbsacli.exe /hf.

What should you do?

A. Copy the latest version of the Mssecure.xml to the program files\microsoft baseline security analyzer folder on server1

B. Ensure that the Server service is running on TestKingB C. Install IIS common files on Server1 D. Install the latest version of IE on TestKingB

Answer: B Explanation:From Microsoft: Error: 200 - System not found. Scan not performed. This error message indicates that mbsacli /hf did not locate the specified computer and did not scan it. To resolve this error, verify that this computer is on the network and that the host name and IP address are correct. We know that the computer is on the network because we can successfully ping it. Therefore, the cause of the problem must be that the Server service isn�t running.

Incorrect Answers: A: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with

Server1.C: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with

Server1.D: The version of IE that comes with Windows Server 2003 is sufficient, and therefore does not need to be

upgraded.

Reference:http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q303/2/15.asp&NoWebContent=1

C: Identify all server operating system default security settings. (1 question)


http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q303/2/15.a

70 - 293


- 14 -

QUESTION NO: 1 You are the network administrator for TestKing�s Active Directory domain. TestKing�s written security policy was updated and now requires a minimum of NTLM v2 for LAN manager authentication.

You need to identify which Operating Systems on your network do not meet the new requirement

Which OS would require an upgrade to the OS or software to meet the requirement?

A. Windows 2000 Professional B. Windows Server 2003 C. Windows XP Professional D. Windows NT Workstation with service pack 5 E. Windows 95

Answer: E. Explanation:Windows 95 does not natively support NTLM v2 authentication. To enable it, you would need to install the Directory Services Client software.

Incorrect Answers:A, B, C, D: Windows 2000 Professional, Server 2003, XP Professional, and NT Workstation with service pack

5 natively supports NTLM v2 authentication.


Part 3: Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.

A: Deploy the security configuration for servers that are assigned specific roles. (8 questions)

QUESTION NO: 1 You are a network administrator for TestKing Inc. The network consists of a single Active Directory forest as shown in the exhibit.


70 - 293


- 15 -

TestKing�s written security policy requires that all domain controllers in the child1.testking.com domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the ability to start a domain controller to the Domain Admins group.

You need to configure the domain controllers in the child1.testking.com domain to meet the new security requirements.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) on the child1.testking.com domain.

B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.testking.com domain.

C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.testking.com domain.

D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.testking.com domain.

E. Run the system key utility (syskey) on each domain controller in the child1.testking.com domain. In the Account Database Key dialog box, select the Password Startup option.

F. Run the system key utility (syskey) on each domain controller in the child1.testking.com domain. In the Account Database Key dialog box, select the Store Startup Key Locally option.

Answer: C, E Explanation:


70 - 293


- 16 -

Secure (Secure*.inf) Template The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses. In order to apply Securews.inf to a member computer, all of the domain controllers that contain the accounts of all users that log on to the client must run Windows NT 4.0 Service Pack 4 or higher.

The system key utility (SYSKEY) A security measure used to restrict logon names to user accounts and access to computer systems and resources. By running the syskey utility with the Password startup option, the account information in the directory services is encrypted and a password needs to be entered during system start. The start of the Domain Controllers is therefore restricted to everybody with this password.

Incorrect Answers: A: The Rootsec.inf security template defines permissions for the root of the system drive. This template can be

used to reapply the root directory permissions to other volumes. B: The Rootsec.inf security template defines permissions for the root of the system drive. This template can be

used to reapply the root directory permissions to other volumes. D: We need to apply the policy to the domain controllers container, not the entire domain. F: The System Key Utility (syskey) is used to encrypt the account password information that is stored in the

SAM database or in the directory services. By selecting "Store Key locally" the computer stores an encrypted version of the key on the local computer. This doesn�t help in controlling the start of the Domain Controllers.

Reference:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/syskey_concept.asp

QUESTION NO: 2 You are a network administrator for TestKing. The network consists of a single Active Directory forest. All domain controllers run Windows Server 2003.

The bank decides to provide access to its mortgage application services from a real estate agency that has offices throughout the country. You install a TestKing domain controller in each real estate agency office.

You need to further protect the domain controllers� user account databases from unauthorized access. You want to achieve this goal by using the minimum amount of administrative effort.


A. Use the system key utility (syskey) with the most secure security level on the domain controllers.


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs

70 - 293


- 17 -

B. Create a Group Policy object (GPO), import the Securedc.inf security template, and apply the GPO to the domain controllers.

C. Create a Group Policy object (GPO), configure the Network security: LAN Manager authentication level security option to the Send NTLMv2 response only\refuse LM setting, and apply the GPO to the domain controllers.

D. Create a Group Policy object (GPO), import the DC security.inf security template, and apply the GPO to the domain controllers.

Answer: A, B Explanation:On domain controllers, password information is stored in directory services. It is not unusual for password � cracking software to target the Security Accounts Manager (SAM) database or directory services to access passwords for user accounts. The System Key utility (Syskey) provides an extra line of defence against offline password � cracking software. Syskey uses strong encryption techniques to secure account password information that is stored in directory services. Mode 3 is the most secure Syskey utility, because it uses a computer-generated random key and stores the key on a floppy disk. This disk is required for the system to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer.

Secure (Secure*.inf) Template The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses.

Incorrect Answers: C:D: DC Security.inf templates contain a large number of settings, and in particular a long list of file-system

permission assignments. For this reason, you should not apply these templates to a computer by using group policies.

Reference:Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296.

QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional.


70 - 293


- 18 -

TestKing has legacy applications that run on UNIX servers. The legacy applications use the LDAP protocol to query Active Directory for employee information.

The domain controllers are currently configured with the default security settings. You need to configure enhanced security for the domain controllers. In particular, you want to configure stronger password settings, audit settings, and lockout settings. You want to minimize interference with the proper functioning of the legacy applications.

You decide to use the predefined security templates. You need to choose the appropriate predefined security template to apply to the domain controllers.

What should you do?

A. Apply the Setup security.inf template to the domain controllers. B. Apply the DC security.inf template to the domain controllers. C. Apply the Securedc.inf template to the domain controllers. D. Apply the Rootsec.inf template to the domain controllers.

Answer: C Explanation:Securedc.inf This template contains policy settings that increase the security on a domain controller to a level that remains compatible with most functions and applications. The template includes more stringent account policies, enhanced auditing policies and security options, and increased restrictions for anonymous users and LanManager systems.

Incorrect Answers: A: This template allows you to reapply the default security settings. B: The DC security.inf template is available to undo security template policy settings. D: Rootsec.inf contains only the default file system permissions for the system drive on a computer running

Windows Server 2003. You can use this template to restore the default permissions to a system drive that you have changed, or to apply the system drive permissions to the computer�s other drives.

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington 98052-6399, Chapter 10.

J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.

Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd,and Laura Hunter, MCSA/MCSE Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System,


70 - 293


- 19 -

Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Chapter 9

QUESTION NO: 4 You are the administrator of the TestKing company network. The network consists of a single active directory domain named testking.com. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional.

The company purchases 10 new servers to function as file servers for the domain.

You install Windows Server 2003 on the new servers. The computer accounts for the file servers are located on an OU named File Servers. A security expert configures one of the servers named TKFile1 with various security settings. You need to apply and maintain the same security settings on the remaining 9 servers. You need to do this by using the minimum amount of administrative effort.

What should you do? (Choose two)

A. Use disk imaging software to take an image of TKFile1. Apply the disk image to the remaining 9 servers.

B. Use gpedit.msc to create a new Group Policy object (GPO). Manually configure the GPO with the same security settings as TKFile1. Link the GPO to the File Servers OU.

C. Use gpedit.msc to create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU.

D. On the PDC Emulator, use Security Configuration and Analysis to export the security settings to a security template.

E. On TKFile1, use Security Configuration and Analysis to export the security settings to a security template.

Answer: C, E Explanation:The easiest way to configure multiple computers with multiple security settings is to use a GPO. In this question, we have a computer configured with the required settings. We can use the Security Configuration and Analysis to export the security settings to a security template. We can then import the template into a Group Policy Object and apply the settings to the File Servers OU.

Incorrect Answers: A: This could work (if we changed the computer names and SIDS), but there is a catch in the question. The

question states that you need to apply and maintain the security settings contained in the security template


70 - 293


- 20 -

to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings are maintained.

B: This is a long way of doing it. Exporting the settings to a security template would be easier. D: This would have no effect on the file servers.

Reference:Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System

QUESTION NO: 5 You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 30 servers running Windows Server 2003 and 2000 client computers running Windows XP Professional.

20 member servers are located in an organisational unit (OU) named Servers. 10 domain controllers are in the default Domain Controllers container. All 2000 client computers are located in an organisational unit (OU) named Clients.

The member servers are configured with the following security settings:

Logon events must be audited. System events must be audited. Passwords for local user accounts must meet complexity requirements. Passwords must be changed every 30 days. Password history must be enforced. Connections to the servers must be encrypted.

The written security policy states that you need to be able to verify the custom security settings during audits. You need to deploy and refresh the custom security settings on a routine basis.

What should you do?

A. Create a custom security template and apply it by using a Group Policy linked to the Servers OU. B. Create a custom security template and apply it by using a Group Policy linked to the domain. C. Create and apply a custom Administrative Template. D. Create a custom application server image and deploy it by using RIS.

Answer: A Explanation:The easiest way to deploy multiple security settings to a group of Windows 2003 computer is to create a security template with all the required settings and import the settings into a GPO. In this case, the security


70 - 293


- 21 -

settings apply to local accounts on the servers. This means that we can apply the settings with a GPO assigned to an Organisation Unit containing the servers.

Incorrect Answers: B: The security settings need to apply to the member servers only. Applying the GPO to the domain would

affect all computers in the domain. C: We need a security template, not an administrative template. D: We cannot use imaging in this way.


QUESTION NO: 6 TestKing has a single active directory domain named TestKing.com.

The company�s written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed.

You create a security template named fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action if needed. You audit a file server by using fileserver.inf and receive the results shown in the exhibit.

***MISSING***

You want to make only the changes that are required to meet the requirements. Which two actions should you take?

A. Correct the maximum application log size setting on the file server B. Correct the maximum security log size setting on the file server C. Correct the maximum system log size setting on the file server D. Correct the retention method for application log setting on the file server E. Correct the retention method for the security log setting on the file server F. Correct the retention method for the system log setting for the file server

Answers: B, E.


70 - 293


- 22 -

QUESTION NO: 7 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. TestKing�s perimeter network contains 50 Web servers that host the company�s public Internet site. The Web servers are not members of the domain.

The network design team completed a new design specification for the security of servers in specific roles. The network design requires that security settings must be applied to Web servers. These settings include password restrictions, audit settings, and automatic update settings.

You need to comply with the design requirements for securing the Web servers. You also want to be able to verify the security settings and generate a report during routine maintenance. You want to achieve these goals by using the minimum amount of administrative effort.

What should you do?

A. Create a custom security template named Web.inf that contains the required security settings. Create a new organizational unit (OU) named WebServers and move the Web servers into the new OU. Apply Web.inf to the WebServers OU.

B. Create a custom security template named Web.inf that contains the required security settings, and deploy Web.inf to each Web server by using Security Configuration and Analysis.

C. Create an image of a Web server that has the required security settings, and replicate the image to each Web server.

D. Manually configure the required security settings on each Web server.

Answer: B Explanation:The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a security template with all the required settings and import the settings using the Security Configuration and Analysis tool.

Incorrect Answers: A: The web servers aren�t members of the domain. Therefore they cannot be moved to an OU in Active

Directory. C: We cannot use imaging in this way. D: This is a long way of doing it. A security template would simply the task.



70 - 293


- 23 -

QUESTION NO: 8 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com.

The company plans to deploy 120 Windows Server 2003 member servers as file servers in the domain. The new file servers will be located in a single organizational unit (OU) named File Servers.

The security department provides you with a security template that must be applied to the new file servers.

You need to apply and maintain the security settings contained in the security template to the new file servers. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. On a reference computer, use the Local Security Settings console to import the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer.

B. On a reference computer, run the secedit command to apply the security template. Make use of imaging technology to install and configure the new file serves based on the configuration of the reference computer.

C. Create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO.Link the GPO to the File Servers OU.

D. On the PDC emulator master in the domain, run the secedit command to apply the security template.

Answer: C Explanation:We have a security template with the required security settings. We can simply import the template into a Group Policy Object and apply the settings to the File Servers OU.

Incorrect Answers: A: This would work, but there is a catch in the question. The question states that you need to apply and

maintain the security settings contained in the security template to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings �maintained�.

B: This would work, but there is a catch in the question. The question states that you need to apply andmaintain the security settings contained in the security template to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings �maintained�.

D: This would have no effect on the file servers.

Reference:


70 - 293


- 24 -

Jill Spealman, Kurt Hudson, and Melissa Craft; MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

B: Create custom security templates based on server roles. (5 questions)

QUESTION NO: 1 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003.

The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication.

You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits.

What should you do?

A. Create a custom security template and apply it by using Group Policy. B. Create a custom IPSec policy and assign it by using Group Policy. C. Create and apply a custom Administrative Template. D. Create a custom application server image and deploy it by using RIS.

Answer: A Explanation:The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a security template with all the required settings and import the settings into a group policy. We can also use secedit to analyse the current security settings to verify that the required security settings are in place.

Incorrect Answers: B: An IPSec policy will not configure the required auditing policy. C: We need a security template, not an administrative template. D: This will create multiple identical machines. We cannot use RIS images in this scenario.


70 - 293


- 25 -

QUESTION NO: 2 Tess King is a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 12 domain controllers and 50 servers in the application server roles. All servers run Windows Server 2003.

The application servers are configured with custom security settings that are specific to their roles as application servers. Applications servers are required to audit account logon events, object access events, and system events. Application servers required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication.

Tess needs to deploy and refresh the custom security settings on a routine basis. She also needs to be able to verify the customer security settings during audits.

What actions should Tess King take?

A. She should create a custom security template and apply it by using Group Policy. B. She should create a customer IPSec policy and assign it by using Group Policy. C. She should create and apply a custom Administrative Template. D. She should create a custom application server image and deploy it by using RIS.

Answer: A Explanation:A security template is a physical file representation of a security configuration that can be applied to a local computer or imported to a Group Policy Object (GPO) in Active Directory. When you import a security template to a GPO, Group Policy processes the template and makes the corresponding changes to the members of that GPO, which can be users or computers.

A Group Policy Object (GPO) is a collection of configuration parameters that you can use to create a secure baseline installation for a computer running Windows Server 2003. To deploy a GPO, you associate it with an Active Directory container, and all the objects in the container inherit the GPO configuration settings. Audit and Event Log policies enable you to specify what information a computer logs, how much information the computer retains in logs, and how the computer behaves when logs are full. Windows Server 2003 loads many services by default that a member server usually doesn�t need. You can use a GPO to specify the startup type for each service on a computer. GPOs include a great many security options that you can use to configure specific behaviours of a computer running Windows Server 2003.

Incorrect Answers: B: IPSec is required to secure network traffic, not application servers. C: Administrative templates are used to provide settings required to allow for the performance of

administrative tasks. Security templates are used to provide security settings, such as minimum password lengths.


70 - 293


- 26 -

D: Custom application server images deployed through RIS are used to install automate the installation of operating systems with applications pre-installed. It is not used to apply security settings.

Reference:J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, Glossary.

Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 9.

QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. TestKing has an internal network and a perimeter network. The internal network is protected by a firewall. Application servers on the perimeter network are accessible from the Internet.

You are deploying 10 Windows Server 2003 computers in application server roles. The servers will be located in the perimeter network and will not be members of the domain. The servers will host only publicly available Web pages.

The network design requires that custom security settings must be applied to the application servers. These custom security settings must be automatically refreshed every day to ensure compliance with the design.

You create a custom security template named Baseline1.inf for the application servers. You need to comply with the design requirements.

What should you do?

A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO). B. Create a task on each application server that runs Security and Configuration Analysis with

Baseline1.inf every day. C. Create a task on each application server that runs the secedit command with Baseline1.inf every day. D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the secedit

command with Baseline1.inf.

Answer: C Explanation:


70 - 293


- 27 -

Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in scripts and batch files to automate security template deployments.

Incorrect Answers: A, D: The Default Domain Policy Group Policy object (GPO) is applied to the domain controllers. We need to

configure the application servers, not the domain controllers. B: Security and Configuration Analysis analyzes the security settings. It doesn�t apply it.


QUESTION NO: 4 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains a Windows Server 2003 member server named TestKingSrvA. The network also contains a Windows XP Professional computer named Client1. You use Client1 as an administrative computer.

You plan to use Microsoft Baseline Security Analyzer (MBSA) on Client1 to analyze TestKingSrvA. However, the recent application of a custom security template disabled several services on TestKingSrvA.

You need to ensure that you can use MBSA to analyze TestKingSrvA.

Which two services should you enable?

To answer, select the appropriate services to enable in the dialog box.


70 - 293


- 28 -

Answer:

Explanation:The Remote Registry and Server services should be enabled.The following are the requirements for a computer running the tool that is scanning a remote machine(s):

Windows Server 2003, Windows 2000, or Windows XPInternet Explorer 5.01 or greaterAn XML parser (MSXML version 3.0 SP2 or later) is required in order for the tool to function correctly. Systems not running Internet Explorer 5.01 or greater will need to download and install an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you opt to not


70 - 293


- 29 -

install the XML parser that is bundled with the tool, see the notes below on obtaining an XML parser separately.The IIS Common Files are required on the computer on which the tool is installed if performing remote scans of IIS computers.

The following services must be enabled: Workstation service and Client for Microsoft Networks.

The following are the requirements for a computer to be scanned remotely by the tool: Windows NT 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows XP computers that use simple file sharing), or Windows Server 2003IIS 4.0, 5.0, 6.0 (required for IIS vulnerability checks)SQL 7.0, 2000 (required for SQL vulnerability checks)Microsoft Office 2000, XP (required for Office vulnerability checks)

The following services must be installed/enabled: Server service, Remote Registry service, File & Print Sharing

Reference:From the readmefile for MBSA

QUESTION NO: 5 You are a consultant for several different companies. You design the security policies for the computers running Windows 2003 Server and Windows 2000 Professional in your customers' networks.

You use these security policies to configure a server named Server1. You want to deploy the security configuration on Server1 to computers in your customer's networks by using the least amount of administrative effort.

What should you do first?

A. Create a Group Policy Object (GPO) that configures the security settings for all computers to match the settings on Server1, and then link the GPO to the domain. Export the console list to a file.

B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security template in a file.

C. In the System Information snap-in, save the system summary as a system information file. D. In the Security Templates snap-in, export the console list to a file.

Answer: B Explanation:We can use the Security Configuration and Analysis snap-in to export all the security settings from a computer to a template file. This will enable us to apply the same security settings to other computers. We can apply the template to other computers either by using the Security Configuration and Analysis snap-in (for single computers) or by importing the template into a group policy object (for multiple computers).


70 - 293


- 30 -

Incorrect Answers: A: You have already manually configured the settings on Server1. It would be quicker to export them to a

template file, rather than manually enter the settings into a GPO. C: The system summary does not contain the security settings. D: The console list does not contain the security settings.

Reference:MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 13-57 to 13-65, 13-70-13-80.

Part 4: Evaluate and select the operating system to install on computers in an enterprise. (1 question)

QUESTION NO: 1 You are a network administrator for TestKing. The network consists of an intranet and a perimeter network, as shown in the work area. The perimeter network contains:

One Windows Server 2003, Web Edition computer named TestKing1. One Windows Server 2003, Standard Edition computer named TestKing2. One Windows Server 2003, Enterprise Edition computer named TestKing3. One Web server farm that consists of two Windows Server 2003, Web Edition computers.

All servers on the perimeter network are members of the same workgroup.

The design team plans to create a new Active Directory domain that uses the existing servers on the perimeter network. The new domain will support Web applications on the perimeter network. The design team states that the perimeter network domain must be fault tolerant.

You need to select which server or servers on the perimeter network need to be configured as domain controllers.

Which server or servers should you promote?

To answer, select the appropriate server or servers in the work area.


70 - 293


- 31 -

Answer:

Explanation:We know that web editions cannot be domain controllers, and we want fault tolerance, which means two Domain Controllers. The answer is to promote the two servers that aren�t running Web Edition to Domain Controllers (Testking2 and Testking3).

Reference:MS training kit 70-290 chapter one lesson 1;�the server belongs to a domain but cannot be a domain controller�


70 - 293


- 32 -

Topic 2: Planning, Implementing, and Maintaining a Network Infrastructure (36 Questions)

Part 1: Plan a TCP/IP network infrastructure strategy.

A: Analyze IP addressing requirements. (2 questions)

QUESTION NO: 1 You are the network administrator for TestKing.com. TestKing has 20,000 users in 20 physical locations worldwide. TestKing is expecting to grow by 50 percent the next five years. TestKing recently became a subsidiary of Humongous Insurance. Humongous Insurance has five other subsidiaries. Humongous Insurance has 100,000 users in 100 physical locations worldwide. Humongous Insurance uses the 10.0.0.0/8 network and requires that all subsidiaries integrate into this network.

The network design team at TestKing provides you with a network design for integrating into the Humongous Insurance network. The design specifies that TestKing will use a single block of IP network numbers to assign IP addresses to its network.

You need to plan the IP address space to meet the design specification. You need to request a block of IP addresses from Humongous Insurance that will accommodate all TestKing users. To reduce the difficulty of obtaining the addresses and to conserve the Humongous Insurance address space, you want to request the smallest block of IP addresses that meets the design specification.

What should you do?

A. Request a 10.0.0.0 block of IP addresses with an 8-bit subnet mask from Humongous Insurance. B. Request a 10.0.0.0 block of IP addresses with a 16-bit subnet mask from Humongous Insurance. C. Request a 10.0.0.0 block of IP addresses with a 24-bit subnet mask from Humongous Insurance. D. Request a 10.0.0.0 block of IP addresses with a 32-bit subnet mask from Humongous Insurance.

Answer: B We have 20,000 users in 20 locations which would give us an average of 1,000 users per location. We need to make provision for a 50% growth so that makes in 1,500 users per location. We need to integrate this network with the Humongous Insurance network which uses the 10.0.0.0 network. This means we must use the 10.0.0.0 network.

Subnetting is the process of shifting the subnet mask so as to increase or decrease the number of bits reserved for the network addresses. In this instance we are using a Class A address, so the number of clients is important.


70 - 293


- 33 -

A simple formula of 2(32-n)-2, where n is the number of bits in the subnet mask, can be used to calculate the number of hosts a network will support.

The best subnet mask would be a 21-bit mask which would give us 2,097,150 networks with 2046 clients per network. However, a 21-bit subnet mask is not offered as an option so we must use the next best subnet mask which would be 16. This would give us 65,534 networks with 65,534 clients per network.

Incorrect Answers: A: The default subnet mask for a Class A network is and 8 bit subnet mask of 255.0.0.0. This provides a total

of 254 networks with 16,777,214 clients per network. This provides us with too mush clients as we want the smallest block of IP addresses that meets the design specification.

C: A 24-bit subnet mask would give us 16,777,214 networks with 254 clients per network. This would be too few clients per network.

D: We cannot use a 32-bit subnet mask as this is not a valid subnet mask.

Reference:Thomas Shinder and Debra Littlejohn Shinder, Planning and Maintaining a Windows Server 2003 Network

Infrastructure: Exam 70-293, Syngress, 2003, pp. 173-180.

QUESTION NO: 2 You are the network administrator for TestKing. The company has a main office and two branch offices. The network in the main office contains 10 servers and 100 client computers. Each branch office contains 5 servers and 50 client computers. Each branch office is connected to the main office by a direct T1 line.

The network design requires that company IP addresses must be assigned from a single classful private IP address range. The network is assigned a class C private IP address range to allocate IP addresses for servers and client computers.

TestKing acquires a company named Acme. The acquisition will increase the number of servers to 20 and the number of client computers to 200 in the main office. The acquisition is expected to increase the number of servers to 20 and the number of client computers to 200 in the branch offices. The acquisition will also add 10 more branch offices. After the acquisition, all branch offices will be the same size. Each branch office will be connected to the main office by a direct T1 line. The new company will follow the TestKing network design requirements.

You need to plan the IP addressing for the new company. You need to comply with the network design requirement.

What should you do?

A. Assign the main office and each branch office a new class A private IP address range. B. Assign the main office and each branch office a new class B private IP address range.


70 - 293


- 34 -

C. Assign the main office and each branch office a subnet from a new class B private IP address range. D. Assign the main office and each branch office a subnet from the current class C private IP address range.

Answer: C Explanation:After the expansion the situation will be:

Main officeNeed 220 IP, 20 for servers and 200 for clients

Branch OfficesNeed 220 IP, 20 for servers and 200 for clientsWe will have 12 branch offices12 x 220 = 2640

Total for all offices is 2640 + 220 = 2860.

The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private Class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24 bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets.

Incorrect Answers: A: The network design requires that company IP addresses must be assigned from a single classful private IP

address range.B: The network design requires that company IP addresses must be assigned from a single classful private IP

address range.D: The class C network doesn�t have enough IP addresses to accommodate all the computers in all the offices.

Reference:William Boswell; Inside Windows Server 2003.

B: Plan an IP routing solution. (1 question)

QUESTION NO: 1 You are the systems engineer for TestKing. TestKing has 20,000 users in a large campus environment located in London. Each department in the company is located in its own building. Each department has its own IT staff.


70 - 293


- 35 -

The company�s network is divided into several IP subnets that are connected to one another by using dedicated routers. Each building on the company�s main campus contains at least one subnet, and possibly up to five subnets. Each building has at least one router. All routers use RIP v2 broadcasts.

A new office in Dortmund has 25 users. Dortmund is connected to the main office with a Frame Relay line. Dortmund installs a server with RRAS and implements RIP v2.

Later the Dortmund admin reports that his router is not receiving routing table updates from the routers at the main office. He must manually add routing entries to the routing table to enable connectivity between the locations. You investigate and discover that the RIPv2 broadcasts are not being received at the Dortmund office. You also discover that no routing table announcements from the Dortmund office are being received at the main office.

You need to ensure that the network in the Dortmund office can communicate with the main campus network and can send and receive automatic routing table updates as network conditions change.

What should you do to the router in the Dortmund office?

A. Configure the router to use RIPv1 broadcasts B. Configure the router to use auto-static update mode C. Add the IP address ranges of the main campus network to the routers accept list and announce list D. Add the IP addresses of the main campus routers to the router�s neighbors list

Answer: D Explanation:It looks like the Dortmund router is configured to use neighbors. Therefore, we need to add the IP addresses of the main campus routers to the router�s neighbor�s list.

C: Create an IP subnet scheme. (2 questions)

QUESTION NO: 1 You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. The office uses a single class C private IP address range.

The company announces a major expansion. TestKing will open 12 branch offices. The 12 branch offices will connect to the existing office by direct T1 lines. Each branch office will have the same number of computers as the main office.


70 - 293


- 36 -

You need to plan the IP addressing for the new company. You want to assign all company IP addresses from a single classful private IP address range.

What should you do?

A. Assign each office a new class C private IP address range. B. Assign each office a new class B private IP address range. C. Assign each office a subnet from a new class B private IP address range. D. Assign each office a subnet from the current class C private IP address range.

Answer: C Explanation:The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private Class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24 bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets.

Incorrect Answers: A: The network design requires that company IP addresses must be assigned from a single classful private IP

address range. B: The network design requires that company IP addresses must be assigned from a single classful private IP

address range. D: The class C network doesn�t have enough IP addresses to accommodate all the computers in all the offices.


QUESTION NO: 2 You are the network administrator for TestKing.com. TestKing has offices in New York, Copenhagen, and Ankara. The network consists of a single Active Directory domain and three sites. The sites are named NYsite, CopSite, and AnkSite.

TestKing is adding a new division at the New York office for publishing fiction books. You create a new organizational unit (OU) named Fiction for the fiction division. You add a new network segment and subnet for the fiction division. You plan to place new Windows XP Professional computers for the fiction division in the new subnet. You also plan to add a new domain controller to NYSite.

You need to ensure that users in the fiction division use the domain controllers in the New York office when logging on to the network.


70 - 293


- 37 -

What should you do?

A. Decrease the metric for the default gateway on the new Windows XP Professional computers. B. Create a new subnet object for the new subnet.

Add the new subnet object to NYSite. C. Configure the location attribute for the new Windows XP Professional computers to be NYSite. D. Move the domain controller objects for the domain controllers in the New York office to the Fiction OU.

Answer: B Explanation:Subnets can be associated with a site by using subnet objects. This will ensure that users on a particular subnet log on to a domain controller in a particular site.

Incorrect Answers: A: this won�t accomplish anything C: The location attribute is for information only. It will not link the computer to the site. D: This will give the administrators of the Fiction OU control over the domain controllers in the New York

office. It won�t ensure that the users on the new subnet logon to the domain controller in the New York office.

Reference:MS Press: MCSE Self-Paced Training Kit (Exam 70-297); Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure, 2004, p. 5-8.

Part 2: Plan and modify a network topology.

A: Plan the physical placement of network resources. (1 question)

QUESTION NO: 1 You are a network administrator for TestKing. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The network contains a single DHCP server that services two subnets named SubnetTK1 and SubnetTK2, as shown in the work area. All servers and the administrator client computer have manually assigned IP addresses. All other client computers are DHCP clients.

The router on your network fails and is replaced by another router. After the router is replaced, client computers on SubnetTK2 cannot receive IP addressing from the DHCP server.


70 - 293


- 38 -

You need to configure an appropriate host to be a DHCP relay agent.

Which component should you use?

To answer, select the appropriate component in the work area.

Answer: Select the Print Server. Explanation:DHCP relay agents intercept DHCP Discover packets and forward them to a remote DHCP server whose address has been preconfigured. Although DHCP Relay Agent is configured through Routing And Remote Access, the computer hosting the agent does not need to be functioning as an actual router between subnets.

Reference:J. C. Mackin, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 9.


70 - 293


- 39 -

B: Identify network protocols to be used. (1 question)

QUESTION NO: 1 You are a network administrator for TestKing. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers, 300 Windows 2000 Professional computers, and 150 Windows XP Professional computers.

According to the network design specification, the Kerberos version 5 authentication protocol must be used for all client computers on the internal network.

You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network.

What should you do?

A. On each domain controller, disable Server Message Block (SMB) signing and encryption of the secure channel traffic.

B. Replace all Windows 98 computers with new Windows XP Professional computers. C. Install the Active Directory Client Extension software on the Windows 98 computers. D. Upgrade all Windows 98 computers to Windows NT workstation 4.0.

Answer: B Explanation:By default, in a Windows 2003 domain, Windows 2000 and Windows XP clients use Kerberos as their authentication protocol. Windows 98 doesn�t support Kerberos authentication. Therefore, we need upgrade the Windows 98 computers.

Incorrect Answers: A: This won�t enable the Windows 98 clients to use Kerberos authentication.C: The Active Directory Client Extension software doesn�t enable Windows 98 clients to use Kerberos

authentication.D: Windows NT 4.0 doesn�t support Kerberos authentication.

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Part 3: Plan an Internet connectivity strategy. (1 question)


70 - 293


- 40 -

QUESTION NO: 1 You are the security analyst for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. The network currently does not have a connection to the Internet.

You are in the process of designing an Internet connection solution for TestKing. TestKing�s Internet security policy includes the following requirements:

Traffic that originates from outside the TestKing network must never be passed to the TestKing intranet.Internal TestKing resources must not be directly accessible from the Internet. TestKing�s public Web site must not contain any confidential TestKing information. TestKing�s public Web site must be accessible from the Internet, even in the event of the failure of any TestKing-owned network component.

You design a network solution that provides strict access control to the TestKing intranet by means of a firewall. Your new design includes a perimeter network, which contains resources that external users or computers might need to access. Your design also includes three computers running intrusion-detection software: ISD1, IDS2, and IDS3.

You now need to plan the placement of five servers on the network in accordance with TestKing�s Internet security policy.

How should you place the servers to comply with the security policy?

To answer, drag the appropriate server role to the correct network location in the Network Diagram.


70 - 293


- 41 -

Answer:


70 - 293


- 42 -

Explanation:We must ensure that traffic from outside the TestKing network never passes to the TestKing intranet and that internal TestKing resources aren�t directly accessible from the Internet. In addition, the public Web site must be accessible from the Internet even in the event of the failure of any TestKing-owned network component.

To ensure that traffic from outside the TestKing network never passes to the TestKing intranet but can access the public web site, we should place the Web server outside the firewall. For security reasons, services that require access to the Internet should be placed in the perimeter network. These include Email forwarders and VPN servers. File servers that store user folders, and email servers that store mailboxes should be placed in the intranet.

Part 4: Plan network traffic monitoring. Tools might include Network Monitor and System Monitor. (1 question)


70 - 293


- 43 -

QUESTION NO: 1 You are the administrator for TestKing. The network consists of a single active directory domain named TestKing.com. All servers run windows server 2003

When the network was designed, the design team set design specifications. After the network was implemented, the deployment team set baseline specifications. The specifications for broadcast traffic are:

The design specifications requires that broadcast traffic must be 5 percent or less of total network trafficThe baseline specifications showed that the broadcast traffic is always 1 percent or less of the total network traffic during normal operation

You need to monitor the network traffic and find out if the level of broadcast traffic is within the design and baseline specs. You decide to use network monitor. After monitoring for 1 hour, you observe the results shown in the exhibit:

You need to report the results of your observations to management.


70 - 293


- 44 -

Which 2 actions should you take?

A. Report that broadcast traffic is outside of the baseline specs B. Report that the broadcast traffic is outside of the design specs C. Report that the broadcast traffic is within the design specs D. Report that the broadcast traffic is within the baseline specs

Answers: A, B

Part 5: Troubleshoot connectivity to the Internet.

A: Diagnose and resolve issues related to Network Address Translation (NAT). (0 questions)

B: Diagnose and resolve issues related to name resolution cache information. (0 questions)

C: Diagnose and resolve issues related to client configuration. (0 questions)

Part 6: Troubleshoot TCP/IP addressing.

A: Diagnose and resolve issues related to client computer configuration. (2 questions)

QUESTION NO: 1 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains two IP subnets connected by a Windows Server 2003 computer running Routing and Remote Access. All servers run Windows Server 2003. All client computers run Windows XP Professional.

Each subnet contains a domain controller. Each subnet contains a DHCP server, which provides TCP/IP configuration information to the computers on only its subnet. The relevant portion of the network is shown in the exhibit.


70 - 293


- 45 -

You recently implemented a Microsoft Internet Security and Acceleration (ISA) Server 2000 array on the network to provide Internet connectivity. The ISA Server array uses Network Load Balancing on the internal adapters. The array�s Network Load Balancing cluster address is 172.30.32.1. You configure the DHCP server on Subnet1 to provide the array�s Network Load Balancing cluster address as the default gateway. You configure the DHCP server on Subnet2 to provide the IP address 172.30.64.1 as the default gateway for Subnet2.

Users on Subnet2 report that they cannot connect to Internet-based resources. They can successfully connect to resources located on Subnet1. Users on Subnet1 can successfully connect to Internet-based resources. You investigate and discover that no Internet requests from computers on Subnet2 are being received by the ISA Server array.

You need to provide Internet connectivity to users on Subnet2.

What should you do?

A. Configure the DHCP server on Subnet2 to provide the address 172.30.32.1 as the default gateway. B. Configure the DHCP server on Subnet2 to provide the address 172.30.32.2 as the default gateway. C. On the Routing and Remote Access server, add a default route to 172.30.32.1. D. On the Routing and Remote Access server, add a default route to 131.107.72.17.



70 - 293


- 46 -

The routing and remote access server knows how to route traffic between subnet 1 and subnet 2. However, it doesn�t know how to route traffic to the internet. We can fix this by adding a default route on the routing and remote access server. The default route will tell the routing and remote access server that any traffic that isn�t destined for subnet1 or subnet2 (i.e. any external destination) should be forwarded to the internal interface of the ISA server (172.30.32.1).

Incorrect Answers: A: 172.30.32.1 isn�t on the same subnet as subnet2. Therefore, the clients on subnet2 cannot use this address as

their default gateway. B: 172.30.32.2 isn�t on the same subnet as subnet2. Therefore, the clients on subnet2 cannot use this address as

their default gateway. Furthermore, this address isn�t the internal address of the ISA server. D: The default route needs to forward traffic to the internal interface of the ISA server.


QUESTION NO: 2 You are a network administrator for TestKing. The network consists of multiple physical segments. The network contains two Windows Server 2003 computers named TestKingSrvA and TestKingSrvB, and several Windows 2000 Server computers. TestKingSrvA is configured with a single DHCP scope for the 10.250.100.0/24 network with an IP address range of 10.250.100.10 to 10.250.100.100

Several users on the network report that they cannot connect to file and print servers, but they can connect to each other�s client computers. All other users on the network are able to connect to all network resources. You run the ipconfig.exe /all command on one of the affected client computers and observe the information in the following table:

You need to configure all affected client computers so that they can communicate with all other hosts on the network.


A. Disable the DHCP service on TestKingSrvB. B. Increase the IP address range for the 10.250.100.0/24 scope on TestKingSrvA.


70 - 293


- 47 -

C. Add global DHCP scope options to TestKingSrvA for default gateway, DNS servers, and WINS servers. D. Delete all IP address reservation in the scope on TestKingSrvA. E. Run the ipconfig.exe /renew command on all affected client computers. F. Run the ipconfig.exe /registerdns command on all affected client computers.

Answer: A, E Explanation:We can see from the exhibit that the affected computer received it�s IP configuration from TestKingSrvB. We can also see that the IP configuration has no default gateway, WINS or DNS addresses. Obviously, TestKingSrvB is misconfigured. Other client computers have no problems; it is likely that they get their IP configuration from TestKingSrvA. We can either correctly configure the DHCP service on TestKingSrvB or we can disable it and just use TestKingSrvA as the DHCP server. We need to run the ipconfig/renew command on all affected client computers so that they can update their IP configurations using TestKingSrvA as their DHCP server. Answer A is correct, because it is the only option given that tells you to disable the DHCP service on TestKingSrvB.

Incorrect Answers: B: The client computer received its IP configuration from TestKingSrvB. Therefore, the problem is likely to be

with TestKingSrvB, not TestKingSrvA. C: Some client computers have no problems; it is likely that they get their IP configuration from

TestKingSrvA. Therefore, TestKingSrvA is correctly configured. D: The client computer received its IP configuration from TestKingSrvB. Therefore, the problem is likely to be

with TestKingSrvB, not TestKingSrvA. F: The affected client computers have no DNS configuration; therefore this command will have no affect.


B: Diagnose and resolve issues related to DHCP server address assignment. (7 questions)

QUESTION NO: 1 You are a network administrator for Test King. The network consists of a single Active Directory domain named testking.com. All domain controllers and member servers run Windows Server 2003, Enterprise Edition. All client computers run Windows XP Professional.

Test King has one main office and one branch office. The two offices are connected to a T1 WAN connection. There is a hardware router at each end of the connection. The main office contains 10,000 client computers, and the branch office contains 5,000 client computers.


70 - 293


- 48 -

You need to use DHCP to provide IP addresses to the Windows XP Professional computers in both offices. You need to minimize network configuration traffic on the WAN connection. Your solution needs to prevent any component involved in the DHCP architecture from becoming a single point of failure.

What should you do?

A. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. Configure the branch office router as a DHCP relay agent.

B. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. At the branch office, configure a Windows Server 2003 computer as a DHCP relay agent.

C. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. At the branch office, configure two Windows Server 2003 computers as a DHCP server cluster.

D. At the main office, configure two Windows Server 2003 computers as DHCP servers. Configure one DHCP server to handle 80 percent of the IP address scope and the other DHCP server to handle 20 percent. Configure the branch office router as a DHCP relay agent.

Answer: C Explanation:The best fault tolerant solution here would be to implement a DHCP server cluster in each office. The Windows Server 2003 DHCP Server service is a cluster-aware application, which is an application that can run on a cluster node and that can be managed as a cluster resource. These applications use the Cluster API to receive status and notification information from the server cluster. You can implement additional DHCP (or MADCAP) server reliability by deploying a DHCP server cluster using the Cluster service. This service is the essential software component that controls all aspects of server cluster operation and manages the cluster database. Each node in a server cluster runs one instance of the Cluster service provided with Windows Server 2003, Enterprise Edition. By using clustering support for DHCP, you can implement a local method of DHCP server failover, achieving greater fault tolerance. You can also enhance fault tolerance by combining DHCP server clustering with a remote failover configuration, such as by using a split scope configuration.

Another way to implement DHCP remote failover is to deploy two DHCP servers in the same network that share a split scope configuration based on the 80/20 rule.

Incorrect Answers: A: The branch office router would be a single point of failure in this solution. B: The server hosting the DHCP relay agent would be a single point of failure in this solution. D: The branch office router would be a single point of failure in this solution.

Reference:Robert J. Shimonski, Windows Server 2003 Clustering & Load Balancing.


70 - 293


- 49 -

QUESTION NO: 2 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network also contains 10 network printers. All servers have manually configured IP addresses. The client computers and network printers receive their TCP/IP configuration information from a DHCP server.

TestKing IP policy states that each of the network printers will always be configured with the same IP address. You configure a DHCP server and create a DHCP scope as shown in the exhibit.

Users report that they cannot submit print jobs to any of the network printers. You investigate and discover that none of the network printers are receiving their IP addresses from the DHCP server.

You need to ensure that the network printers receive their IP addresses from DHCP.

What should you do?

A. Remove the IP address reservations for the network printers from the DHCP scope. B. Delete the IP address exclusion range for the network printers from the DHCP scope.


70 - 293


- 50 -

C. Add the 009 LPR Servers option to the DHCP server options. D. Enable address conflict detection on the DHCP server.

Answer: B Explanation:An exclusion range is a set of one or more IP addresses, included within the range of a defined scope that you do not want to lease to DHCP clients. Exclusion ranges assure that the server does not offer to DHCP clients on your network any addresses in these ranges. Therefore, you would want to perform the action described in �B�, so that TestKing IP policy is adhered to.

Incorrect Answers:A: Using address reservations in DHCP, allows devices the ability to always have the same address. C: There are no LPR Servers mentioned in the question. D: It is an optional server-side mechanism for detecting whether a scope IP address is in use on the network.

Reference:J. C. Mackin, and Ian McLean MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Chapter 7.

Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System.

QUESTION NO: 3 You are the network administrator for TestKing. TestKing has an internal network and a perimeter network, as shown in the work area.

The internal network consists of a single Active Directory domain testking.com. The internal network contains a Windows Server 2003 domain controller named DC1, which runs the DNS Server service. The internal network also contains a Windows Server 2003 file server named Testking1, which runs the DHCP Server service. The network contains 500 Windows XP Professional computers.

The perimeter network contains a public Web server named WebTK1. The internal network is connected to the perimeter network by a firewall. The perimeter network is connected to the Internet.

You need to plan an IP address strategy. The IP address strategy must provide TCP/IP connectivity from the internal network to WebTK1. TestKing wants to reduce administrative overhead by automatically assigning IP addresses whenever possible.

You need to choose the appropriate IP addressing distribution method for the computers on the networks.


70 - 293


- 51 -

To answer, drag the appropriate IP addressing distribution method or methods to the correct computer or computers in the work area.

Answer:


70 - 293


- 52 -

QUESTION NO: 4 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network consists of three physical subnets, which corresponds to the three buildings on TestKing�s campus, as shown in the Network Diagram exhibit.


70 - 293


- 53 -

All servers have manually configured IP addresses. All client computers receive their TCP/IP configuration information from a DHCP server located on the Building1 subnet. The DHCP server has one scope configured for each subnet.

Users on the Building2 subnet and the Building3 subnet report that they periodically cannot connect to network resources located on any subnet. You discover that during times of high network usage, client computers in Building2 and Building3 are configured as shown in the Network Connection Details exhibit.


70 - 293


- 54 -

You need to ensure that all client computers receive valid IP addresses for their subnet even during times of high network usage.

What should you do?

A. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each DHCP server, configure identical scopes for each subnet.

B. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each DHCP server, configure a single subnet-specific scope.

C. Configure one DHCP relay agent on the Building2 subnet and one on the Building3 subnet to forward DHCP requests to the Building1 subnet DHCP server.

D. Configure an administrative template in the Default Domain Policy Group Policy object (GPO) to disable Automatic Private IP addressing (APIPA) on the client computers.

Answer: B Explanation:DHCP is a service that, when installed and configured correctly, will take a massive administration burden off any network administrator or engineer. DHCP works with the assignment of IP addresses on your network. In other words, when you want your network clients to communicate with any device on the network, they need to speak the same protocol and be assigned with a unique logical address. This address (called an IP address) allows for this.


70 - 293


- 55 -

Scope is the pool of Internet Protocol (IP) addresses on a given subnet that a Dynamic Host Configuration Protocol (DHCP) server is configured to assign to clients when using the automatic or dynamic allocation method. A subnet is a group of computers on a Transmission Control Protocol/Internet Protocol (TCP/IP) network that share a common network identifier. In some cases, a TCP/IP network is divided into multiple subnets by modifying the subnet mask and designating some of the host identifier bits as subnet identifier bits.

Incorrect Answers: A: Configuring identical scopes on two separate networks will create a network address conflict. C: DHCP Relay agents are used when the router cannot pass DHCP requests; however, the problem in this case

only occurs during times of high network usage. A DHCP Relay agent won�t resolve this problem. D: APIPA is used automatically when the DHCP client cannot located the DHCP server. If we disable APIPA

on all client computers, we would need to configure each computer with alternative IP configuration.

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

QUESTION NO: 5 You are the network administrator for TestKing.com. The relevant portion of the network is shown in the exhibit.

All servers run Windows Server 2003. Each subnet of the network contains 100 Windows XP Professional computers. Each subnet also contains a DHCP server, which provides TCP/IP configuration information to all computers on its local subnet. You create and configure Subnet3 for a new department at your company.


70 - 293


- 56 -

Users in Subnet3 report that they cannot connect to resources located on servers in Subnet1 and Subnet2. When they attempt to connect to these resources, they receive the following message: �Server not found�. The users can successfully connect to resources located on servers in Subnet3.

Users in Subnet1 and Subnet2 report that they cannot connect to resources located on servers in Subnet3. When they attempt to connect to these resources, they receive the following error message: �Server did not respond in a timely manner�. The users can successfully connect to resources in both Subnet1 and Subnet2.

You need to ensure that all client computers can connect to server-based resources an all subnets.

What should you do?

A. Configure the DHCP server in Subnet3 to provide a subnet mask of 255.255.255.0 B. Configure the DHCP servers in Subnet1 and Subnet2 to provide a subnet mask of 255.255.0.0. C. Configure the Testking2 Interface E1 to use a subnet mask of 255.255.0.0. D. Configure the IP address of the Testking2 Interface E0 as the default gateway for Subnet3. E. Configure the IP address of the Testking2 Interface E1 as the default gateway for Subnet2.

Answer: A

Incorrect Answers: B: The subnet mask for Subnet1 and Subnet2 are correctly configured. D, E: The IP addresses for interfaces E0 and E1 on TestKing2 are correctly configured.

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 2

QUESTION NO: 6 You are the administrator of a network at TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 98. All Windows 98 computers have the Active Directory Client Extensions software installed.

The network consists of three physical subnets. Each subnet contains a domain controller and a server that runs DHCP. Each subnet also contains a server that runs both the DNS Server service and the WINS


70 - 293


- 57 -

service. All client computers receive their TCP/IP configuration from the DHCP server that is located on their local subnet.

All of the Windows 98 computers are located on a single subnet. The DHCP scope on this subnet is configured with the options shown in the exhibit.

All DHCP servers are configured with similar options.

Users of the Windows 98 computers report that they cannot connect to resources on the Windows Server 2003 computers located on any subnet. When they attempt to connect to a shared resource by using \\servername\sharename in the Run command, they receive the following error message: �Server not found�. The users can successfully connect to Web-based resources located on the same servers.

When you attempt to connect to the servers by using the ping command on an affected Windows 98 computer you can connect successfully. The users of the Windows XP Professional computers do not report the same problems.

You need to ensure that the users of the Windows 98 computers can connect to shared resources on the Windows Server 2003 computers.

What should you do?

A. On the affected subnet�s DHCP server, configure the scope options to use the Windows 98 vendor class. B. On the affected subnet�s DHCP server, remove the WINS/NBT Node Type from the scope options. C. On each DHCP server, remove the Microsoft Disable NetBIOS Option from the scope options. D. On each DHCP server, add the NetBIOS over TCP/IP NBDD DHCP scope option to the scope options.


70 - 293


- 58 -

Answer: C Explanation:The main advantage of disabling NetBIOS is improved network security. NetBIOS as a service stores information about network resources that can be collected by any host through broadcast-based queries. Feasibly, this information could be exploited by a malicious intruder. Another advantage of disabling NetBIOS is that doing so can simplify administration by reducing the number of naming infrastructures that you must configure, maintain, and support.

Incorrect Answers: A: Vendor Classes are used to identify DHCP clients according to their vendor and hardware configuration

type. This determines what options are available for you to give to your DHCP client. This won�t change the options shown in the exhibit.

B: This cannot be removed, as there are servers on each subnet running the WINS service.D: Only if all the computers on your network are running Windows 2000 or later and no applications are using

Net-BIOS, is it possible to remove WINS servers and disable the NetBIOS Over TCP/IP (NetBT) protocol on your computers.

Reference:J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, Chapter 4.

James Chellis, Paul Robichaux, and Matthew Sheltz MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide Chapter 5

QUESTION NO: 7 You are the network admin for TestKing. Your network contains 3 subnets. All servers have manually assigned IP addresses while all clients are configured to receive an address from a DHCP server. The DHCP server is located in Site 1. The DHCP server has a scope configured for each subnet.

Users in site 2 and site 3 are complaining that periodically they cannot connect to resources located on any subnet. You discover that during times of peak usage users are receiving an IP address in the 169.254.x.x address range.

You need to ensure that all client computers receive an address from their subnet even during times of peak usage.

What should you do?

A. Install one DHCP server in site 2 and site 3. On each DHCP server, configure identical scopes for each subnet


70 - 293


- 59 -

B. Install one DHCP server in Site 2 and Site 3. On each DHCP server configure a single subnet specific scope

C. Configure a DHCP Relay agent on Site 2 and Site 3 D. Configure a GPO on the domain that disables APIPA

Answer: B Explanation:It appears that during times of peak usage, the DHCP server and/or the subnet containing the DHCP server cannot cope with the load. The clients in sites 2 and 3 are unable to receive an IP configuration from the DHCP server and so configure themselves with an APIPA configuration. We can ease the load on the DHCP server and subnet 1 by installing DHCP servers in Site 2 and Site 3. The DHCP servers must be configured with a single scope specific to the subnet.

Incorrect Answers: A: We cannot have DHCP servers with identical scopes. This would lead to duplicate IP addresses on the

network.C: The clients can connect to the DHCP server during less busy times. Therefore, a DHCP Relay Agent is

either already installed or isn�t required. D: Disabling APIPA won�t ease the load on the DHCP server.

Reference:J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, Chapter 4.

Part 7: Plan a host name resolution strategy.

A: Plan a DNS namespace design. (0 questions)

B: Plan zone replication requirements. (2 question)

QUESTION NO: 1 You are the security analyst for TestKing.com. The network consists of TestKing�s intranet and a perimeter network. The networks are separated by a firewall. TestKing�s intranet consists of a single Active Directory domain named corp.testking.com. The perimeter network consists of a DNS domain named testking.com. The perimeter network contains publicly accessible Web servers.


70 - 293


- 60 -

The intranet contains a Windows Server 2003 DNS server named Testking1. Testking1 hosts an Active Directory-integrated primary zone for the corp.testking.com domain. Testking1 also hosts a secondary zone that is not integrated with Active Directory for the testking.com domain. The perimeter network contains a Windows Server 2003 DNS server named Testking2. Testking2 is authoritative for the testking.com DNS domain, which contains the resource records for the publicly accessible servers. Testking1 is configured to forward requests to Testking2. Testking2 is configured with root hints.

TestKing�s written DNS security includes the following requirements:

The internal DNS namespace must never be accessible by external users or computers. External users must not be able to retrieve zone information from either DNS server.

You need to plan a DNS security solution that meets the DNS security policy requirements. Your solution must not adversely affect required or allowed name resolution functions in the network.

What should you do?

A. On Testking2, allow zone transfers to only servers listed in the Name Servers list. Disable recursion on Testking1.

B. On Testking2, allow zone transfers to only servers listed by IP address. On Testking1, do not allow zone transfers.

C. On Testking1, allow zone transfers to only servers listed in the Name Servers list. Disable recursion on Testking2.

D. On Testking1, allow zone transfer to only servers listed by IP address. On Testking2, do not allow zone transfers.

Answer: A Explanation:Zone transfer data can be protected by specifying the IP addresses of the DNS servers that you allow to participate in zone transfers. If you do not do this, a potential intruder can simply install a DNS server, create a secondary zone, and request a zone transfer from your primary zone. The intruder then has a complete copy of your zone and all the information in it. To limit zone transfers on a Windows Server 2003 DNS server, you open the DNS console, display the Properties dialog box for a primary zone and then click the Zone transfers tab to display the dialog box shown in Figure 4-15. Select the Allow Zone Transfers check box and then choose either the Only To Servers Listed On The Name Servers Tab or the Only To The Following Servers option button. You can then specify the IP addresses of the DNS servers that contain your secondary zones, in either the IP Address text box or the Name Servers tab.

When the Disable Recursion option is enabled, however, the DNS Server service does not answer the query for the client but instead provides the client with referrals, which are resource records that allow a DNS client to perform iterative queries to resolve an FQDN. This option might be appropriate, for example, when clients need to resolve Internet names but the local DNS server contains resource records only for the private namespace.


70 - 293


- 61 -

Incorrect Answers: B: For a secondary DNS server to operate, it has to copy the information in the primary DNS server�s zone

files to its own zone files to ensure that its database of names and IP addresses is up-to-date. C: This is incorrect because Testking 2 contains the resource records for the publicly accessible servers. D:


J. C. Mackin, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter

QUESTION NO: 2 You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains. Each domain contains domain controllers that run Windows 2000 Server and domain controllers that run Windows Server 2003. The DNS Server service is installed on all domain controllers. All client computers run Windows XP Professional.

You need to add an additional DNS zone that is hosted on at least one DNS server on each domain. You want to configure the zone to allow secure updates only.

What should you do?

A. Configure the new zone on DNS servers in the root domain. Configure stub zones that refer to DNS servers in another two domains.

B. Configure the new zone as a primary zone on one DNS server. Configure other DNS servers in the three domains as secondary servers for this zone. Enable the DNS Security Extensions (DNSSEC) protocol.

C. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named DomainDNSZones.

D. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named ForestDNSZones.

Answer: D Explanation:To enable secure updates, we need an Active Directory integrated zone. To replicate to the DNS servers in the other domains, the zone must be installed on a Windows 2003 domain controller in each domain. During the configuration of the zone, you can select the option to replicate the zone information to all domain controllers in the forest; this will store the zone data in the DNS directory partition named ForestDNSZones.


70 - 293


- 62 -

Incorrect Answers: A: We need Active Directory integrated zones, not stub zones. B: Secondary zones are not writeable and so cannot accept updates. C: If we store the zone data in the DNS directory partition named DomainDNSZones, it will only be replicated

in a single domain, not the entire forest.

References: MS Press: MCSA/MCSE self-paced training kit (Exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, 2004, pp. 5-25, 6-22.

C: Plan a forwarding configuration. (3 question)

QUESTION NO: 1 You are the network administrator for TestKing. The network contains Windows Server 2003 computers and Windows XP Professional computers.

TestKing deploys two DNS servers. Both DNS servers run Windows Server 2003. One DNS server is inside of the corporate firewall, and the other DNS server is outside of the firewall. The external DNS server provides name resolution for the external Internet name of TestKing on the Internet, and it is configured with root hints. The internal DNS server hosts the DNS zones related to the internal network configuration, and it is not configured with root hints.

You want to limit the exposure of the client computers to DNS-related attacks from the Internet, without limiting their access to Internet-based sites.

Which two actions should you take? (Each correct answer presents part of the solution. (Choose two)

A. Configure the client computers to use only the internal DNS server. B. Configure the client computers to use both DNS servers. List the internal DNS server first. C. Configure the firewall to allow only network traffic on the DNS ports. D. On the internal DNS server, disable recursion. E. On the internal DNS server, configure the external DNS server as forwarder. F. On the internal DNS server, add the external DNS server as the only root hint.

Answer: A, F Explanation:Install one server on your perimeter network, for Internet name resolution, and another on your internal network, to host your private namespace and provide internal name resolution services. Then configure the internal DNS server to forward all Internet name resolution requests to the external DNS server. This way, no


70 - 293


- 63 -

computers on the Internet communicate directly with your internal DNS server, making it less vulnerable to all kinds of attacks. The root hints are a DNS server�s list of root name server addresses, which it uses to resolve names outside its domain.

Incorrect Answers:B: The internal DNS server is not configured with root hints, so it will not be able to resolve names outside its

domain. C: Clearly this is incorrect, as it will not limit the exposure of the client computers to DNS-related attacks from

the Internet D: If disable recursion is enabled, the internal DNS server still needs root hints for referrals. E: A DNS server designated by other internal DNS servers to be used to forward queries for resolving external

or offsite DNS domain names. This will also not work, , as the internal DNS server does not have root hints


QUESTION NO: 2 You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest root domain is contoso.com.

Contoso, Ltd., recently merged with another company named TestKing, whose network consists of a single Active Directory forest. The functional level of the TestKing forest is Windows Server 2003. The forest root domain for TestKing is testking.com. You need to create a forest trust relationship between the two forests. Each company has dedicated connections to the Internet.

You need to configure DNS to support the forest trust relationship. You want to maintain Internet name resolution capability for each company�s network.

What should you do?

A. Configure the contoso.com DNS servers to forward to the testking.com DNS servers. Configure the testking.com DNS servers to forward to the contoso.com DNS servers.

B. Configure conditional forwarding of testking.com on the contoso.com DNS servers to the testking.com DNS servers. Configure conditional forwarding of contoso.com on the testking.com DNS servers to the contoso.com DNS servers.

C. Configure a standard primary zone for testking.com on one of the contoso.com DNS servers. Configure a standard primary zone for contoso.com on one of the testking.com DNS servers.

D. Configure an Active Directory-integrated zone for testking.com on the contoso.com DNS servers. Configure an Active Directory-integrated zone for contoso.com on the testking.com DNS servers.


70 - 293


- 64 -

Answer: B Explanation:A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Incorrect Answers: A: We don�t want ALL resolution requests to be forwarded to the other DNS servers. C: We can�t host primary zones on multiple servers. D: We can�t host Active Directory integrates zones on DNS servers in different forests.

References: MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 4-58, 4-61.

Sybex: Mastering Windows Server 2003, 2003, pp. 8-9, 460-464.

Syngress Press, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, 2003, pp. 367-369

QUESTION NO: 7 You are the network administrator for Acme. The network consists of a single Active Directory forest root domain named acme.com. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named DC1.acme.com is the Active Directory-integrated DNS server for acme.com. All servers and client computers in the acme.com domain use DC1.acme.com as their DNS server for name resolution.

Acme acquires a company named TestKing. The TestKing network consists of a single Active Directory forest root domain named testking.com. The functional level of this domain is Windows Server 2003. A Windows Server 2003 domain controller named DC1.testking.com is the Active Directory-integrated DNS server for testking.com. All servers and client computers in the testking.com domain use DC1.testking.com as their DNS server for name resolution.

You create a two-way forest trust relationship with forest-wide authentication between acme.com and testking.com.

You need to ensure that all users in both companies can log on to both forest root domains. You need to achieve this goal without adversely affecting Internet access.


70 - 293


- 65 -

What should you do?

A. Set the Stub Zone as the zone type for the acme.com domain on DC1.acme.com and for the testking.com domain on DC1.testking.com.

B. Select the Do not use recursion for this domain check box on DC1.testking.com and on DC1.acme.com.

C. Add the fully qualified domain name (FQDN) and the IP address of DC1.testking.com to the Root hintslist in DC1.acme.com. Add the FQDN and the IP address of DC1.acme.com to the Root hints list on DC1.testking.com.

D. Configure conditional forwarding on DC1.acme.com to forward all requests for resources in the testking.com domain to DC1.testking.com. Configure conditional forwarding on DC1.testking.com to forward all requests for resources in the acme.com domain to DC1.acme.com.

Answer: D Explanation:To log on to a computer in acme.com with a user account in testking.com, the acme.com DNS server needs to be able to locate a domain controller in testking.com to authenticate the login. You can use Conditional forwarding which enables a DNS server to forward DNS queries based on the DNS domain name in the query. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name.

Incorrect Answers: A: A stub zone is a copy of a zone containing only those resource records necessary to identify the authoritative

DNS servers for the master zone B: Recursion is the process of a DNS server querying other DNS servers on behalf of an original querying

client. If recursion is disabled, the client performs iterative queries by using root hint referrals from the DNS server. Iteration refers to the process of a DNS client making repeated queries to different DNS servers.

C: Root hints is a list of preliminary resource records used by the DNS service to locate servers authoritative for the root of the DNS domain namespace tree.

ReferenceServer Help

Sybex, Mastering Windows Server 2003, 2003, pp. 451.

D: Plan for DNS security. (2 questions)

QUESTION NO: 1


70 - 293


- 66 -

You are a network administrator for TestKing. The internal network has an Active Directory-integrated zone for the testking.org domain. Computers on the internal network use the Active Directory-integrated DNS service for all host name resolution.

The TestKing Web site and DNS server are hosted at a local ISP. The public Web site for TestKing is accessed at www.testking.com. The DNS server at the ISP hosts the testking.com domain.

To improve support for the Web site, TestKing wants to move the Web site and DNS service from the ISP to the company�s perimeter network. The DNS server on the perimeter network must contain only the host (A) resource records for computers on the perimeter network.

You install a Windows Server 2003 computer on the perimeter network to host the DNS service for the testking.com domain. You need to ensure that the computers on the internal network can properly resolve host names for all internal resources, all perimeter resources, and all Internet resources.


A. On the DNS server that is on the perimeter network, install a primary zone for testking.com. B. On the DNS server that is on the perimeter network, install a stub zone for testking.com. C. Configure the DNS server that is on the internal network to conditionally forward lookup requests to the

DNS server that is on the perimeter network. D. Configure the computers on the internal network to use one of the internal DNS servers as the preferred

DNS server. Configure the TCP/IP settings on the computers on the internal network to use the DNS server on the perimeter network as an alternate DNS server.

E. On the DNS server that is on the perimeter network, configure a root zone.

Answer: A, C Explanation:By configuring a primary zone for testking.com on a DNS server in the perimeter network, we have a DNS server that can resolve requests for the www.testking.com website. To enable users on the LAN to quickly resolve testking.com resources, we can configure conditional forwarding on the internal testking.org server so that requests for testking.com resources get forwarded straight to the perimeter network DNS server.

Incorrect Answers: B: A stub zone is no good to us here. The perimeter DNS server must be authoritative for the testking.com

domain. Therefore, we need a primary zone on the perimeter DNS server. D: As long as the internal DNS servers are working, the external DNS server will never be used. Internal

clients will not be able to resolve www.testking.com. E: There is no need to configure a root zone on the perimeter network DNS server.

Reference:





70 - 293


- 67 -

Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

QUESTION NO: 2 You are the network administrator for TestKing. TestKing has a main office in San Francisco and branch offices in London and Vancouver. The network consists of a single Active Directory domain testking.com. The network contains four Windows Server 2003 domain controllers. There are two domain controllers in the main office and one in each branch office. The domain controllers are DNS servers.

Network services are monitored centrally from the main office. You review the DNS server event logs remotely from the main office during the monthly maintenance routine. During the monthly maintenance, you find out that some of the DNS event history is missing.

You need to ensure that all DNS event history is retained until you manually clear it.

How should you modify each domain controller?

A. Use DNS Manager to select the All Events option on the Event Logging tab in the DNS Server properties.

B. Use DNS Manager to select the Do not overwrite events option on the General tab in the DNS Events properties.

C. Use Event Viewer to set the Maximum log size to 512 KB in the DNS Server properties. D. Use Event Viewer to select the Do not overwrite events option in the Application properties.

Answer: D

Reference:Dan Holm and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290); Managing and Maintaining a Microsoft Windows Server 2003 Environment, 2004, pp. 12-5, 12-34.

E: Examine the interoperability of DNS with third-party DNS solutions. (3 questions)

QUESTION NO: 1


70 - 293


- 68 -

You are the systems engineer for TestKing GmBh. The network consists of three Windows NT 4.0 domains in a master domain model configuration. The servers on the network run either Windows NT Server 4.0 or Windows 2000 Server. All domain controllers run Windows NT Server 4.0.

The network also contains 10 UNIX-based application servers. All host name resolution services are provided by a UNIX-based server running the latest version of BIND, which currently hosts the zone for the testking.com domain. All NetBIOS name resolution services are provided by two Windows 2000 Server WINS servers.

The company is in the process of migrating to a single Windows Server 2003 Active Directory domain-based network. The new domain is named testking-ad.com, and it will be hosted in an Active Directory-integrated zone that is stored on the domain controllers. Servers that are not domain controllers will not be updated at this time. The migration plan requires that all computers must use DNS to resolve host names and computer redundancy for the Windows-based DNS servers.

You upgrade the domain controllers in the master domain to Windows Server 2003. You also migrate all user and computer accounts to the new Active Directory domain. The DNS zone on the Windows Server 2003 computers is configured as shown in the exhibit.

You now need to configure the required redundancy between the Windows-based DNS servers and the UNIX-based DNS server. You need to ensure that there will be no service interruption on any of the DNS server computers.


A. On a Windows Server 2003 DNS server, create a secondary zone that uses the UNIX-based DNS server as the master server.

B. On the UNIX-based DNS server, create a secondary zone that uses a Windows-based DNS server as the master server.

C. On a Windows Server 2003 DNS server, create a stub zone that uses the UNIX-based DNS server as the master server.


70 - 293


- 69 -

D. Add a delegation in the testking.com zone that delegates authority of the testking-ad.com zone to a Windows Server 2003 DNS server.

E. Configure the testking-ad.com zone to not replicate WINS-specific resource records during zone transfers.

Answer: B, E Explanation:This is a trick question because it is asking for redundancy for the Windows 2003 DNS servers. We can provide this by configuring the UNIX DNS server to resolve names in the testking-ad.com domain. With a secondary zone on the UNIX DNS server, it will be able to resolve host name resolutions requests in the testking-ad.com domain. The testking-ad.com DNS is configured to query WINS if required. When configuring a UNIX DNS server with a secondary zone, we should configure the zone to not replicate WINS-specific resource records during zone transfers.

Incorrect Answers: A: This would provide redundancy for the UNIX server; the question isn�t asking for that. C: This won�t provide any redundancy. D: Testking-ad.com isn�t a subdomain of testking.com so no delegation is required.


QUESTION NO: 2 You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A Windows Server 2003 computer named TESTKINGDNS1 functions as the internal DNS server and has zone configured as shown in the exhibit.


70 - 293


- 70 -

The network is not currently connected to the Internet. TestKing maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named testking.com. The testking.com zone is hosted by a UNIX-based DNS server named UNIXDNS, which is running the latest version of BIND.

The company plans to allow users of the internal network to access Internet-based resources. The company�s written security policy states that resources located on the internal network must never be exposed to the Internet. The written security policy states that the internal network�s DNS namespace must never be exposed to the Internet. To meet these requirements, the design specifies that all name resolution requests for Internet-based resources from computers on the internal network must be sent from TESTKINGDNS1. The current design also specifies that UNIXDNS must attempt to resolve any name resolution requests before sending them to name servers on the Internet.

You need to plan a name resolution strategy for Internet access. You need to configure TESTKINGDNS1 so that it complies with company requirements and restrictions.

What should you do?

A. Delete the root zone from TESTKINGDNS1. Configure TESTKINGDNS1 to forward requests to UNIXDNS.

B. Copy the Cache.dns file from the Windows Server 2003 installation CD-ROM to the C:\Windows\System32\Dns folder on TESTKINGDNS1.

C. Add a name server (NS) resource record for UNIXDNS to your zone. Configure UNIXDNS with current root hints.

D. On TESTKINGDNS1, configure a secondary zone named testking.com that uses UNIXDNS as the master server. Configure UNIXDNS to forward requests to your ISP�s DNS servers.


70 - 293


- 71 -

Answer: A Explanation:We need to delete the root zone from the internal DNS server. This will enable us to configure the server to forward internet name resolution requests to the external DNS server (UNIXDNS). A DNS server configured to use a forwarder will behave differently than one that is not configured to use it. A DNS server configured to use a forwarder behaves as follows: When the DNS server receives a query, it attempts to resolve this query using the primary and secondary zones that it hosts and its cache.If the query cannot be resolved using this local data, then it will forward the query to the DNS server designated as a forwarder.The DNS server will wait briefly for an answer from the forwarder before attempting to contact the DNS servers specified in its root hints.

Incorrect Answers: B: The Cache.dns file contains the IP addresses of the internet root DNS servers. We don�t want the internal

DNS server to query the root DNS servers, so we don�t need the cache.dns file. C: Unixdns already has root hints. An NS record on the internal DNS server won�t fulfill the requirements of

the question. D: We don�t need a secondary zone on the internal DNS server. All external resolution requests must be

forwarded to the external DNS server.


QUESTION NO: 3 You are the system engineer for TestKing. The internal network consists of a Windows NT 4.0 domain. The company maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named testking.com. The testking.com zone is hosted by a UNIX-based DNS server running BIND 4.8.1.

TestKing is planning to migrate to a Windows Server 2003 Active Directory domain-based network. The migration plan states that all client computers will be upgraded to Windows XP Professional and that all servers will be replaced with new computers running Windows Server 2003.

The migration plan specifies the following requirements for DNS in the new environment:

Active Directory data must not be accessible from the Internet. The DNS namespace must be contiguous to minimize confusion for users and administrators. Users must be able to connect to resources in the testking.com domain.


70 - 293


- 72 -

Users must be able to connect to resources located on the Internet. The existing UNIX-based DNS server will continue to host the testking.com domain. The existing UNIX-based DNS server cannot be upgraded or replaced.

You plan to install a Windows Server 2003 DNS server on the internal network.

You need to configure this Windows-based DNS server to meet the requirements specified in the migration plan.

What should you do?

A. Create a primary zone named ad.testking.com as your Windows-based DNS server. Create a delegation record for the new zone on the UNIX-based DNS server. Configure forwarders on your Windows-based DNS server.

B. Create a primary zone named ad.testking.com on the UNIX-based DNS server. Create a secondary zone on your Windows-based DNS server for the ad.testking.com domain.

C. Create a primary zone named testking-ad.com on your Windows-based DNS server. Create a secondary zone on the UNIX-based DNS server for the testking-ad.com domain.

D. Create a primary zone named testking-ad.com on the UNIX-based DNS server. Create a stub zone on the Windows-based DNS server for the testking-ad.com domain. Configure conditional forwarders on your Windows-based DNS server for the testking-ad.com and testking.com domain.

Answer: A Explanation:A primary zone contains the master copy of the zone database, where administrators make all changes to the zone�s resource records. If the Store �The Zone In Active Directory� (Available Only If DNS Server Is A Domain Controller) check box is cleared, the server creates a primary master zone database file on the local drive. This is a simple text file that is compliant with most non-Windows DNS server implementations.

To delegate a zone means to assign authority over portions of your DNS namespace to subdomains within this namespace. A zone delegation occurs when the responsibility for the resource records of a subdomain is passed from the owner of the parent domain to the owner of the subdomain.

The Forwarders tab of the DNS server properties dialog box allows you to forward DNS queries received by the local DNS server to upstream DNS servers, called forwarders. This tab also allows you to disable recursion for select queries (as specified by domain).

Reference:Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 7 and 8.


70 - 293


- 73 -

J. C. Mackin, and Ian McLea, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, Chapter 5.

Part 8: Plan a NetBIOS name resolution strategy.

A: Plan a WINS replication strategy. (0 questions)

B: Plan NetBIOS name resolution by using the Lmhosts file. (0 questions)

Part 9: Troubleshoot host name resolution.

A: Diagnose and resolve issues related to WINS and DNS services. (7 questions)

QUESTION NO: 1 You are a network administrator for TestKing.com. The network consists of a Windows NT 4.0 domain. All servers run Windows NT Server 4.0 and all client computers run Windows NT Workstation 4.0. TestKing has two offices that are connected by a 56-Kbps WAN connection. All computers are configured to use WINS for name resolution and network browsing capability between the two offices.

TestKing is planning to upgrade the domain controllers to Windows Server 2003 and to deploy Windows Server 2003 and Windows XP Professional computers. You need to maintain name resolution and network browsing support during and after the upgrade process.

You need to allow users of Windows NT Workstation 4.0 and Windows XP Professional computers to browse and connect to both Windows NT Server 4.0 and Windows Server 2003 computers. You need to minimize name resolution traffic across the WAN connection.

What should you do?

A. Install a Windows Server 2003 DNS server at each office. Configure all Windows NT Workstation 4.0 and Windows NT Server 4.0 computers to use both WINS and DNS for name resolution. Configure all Windows Server 2003 computers to use WINS.

B. Install a Windows Server 2003 DNS server at only one office.


70 - 293


- 74 -

Configure all Windows NT Workstation 4.0 and Windows NT Server 4.0 computers to use both WINS and DNS for name resolution. Configure all Windows Server 2003 computers to use WINS

C. Upgrade the WINS servers at each office to Windows Server 2003. Install a Windows Server 2003 DNS server at only one office and configure it to use WINS lookup. Configure all Windows Server 2003 computers to use WINS.

D. Upgrade the WINS servers at each office to Windows Server 2003. Install a Windows Server 2003 DNS server at each office. Configure each DNS server to use WINS lookup. Configure all Windows Server 2003 computers to use WINS.

Answer: A Explanation:A DNS server provides host name resolution by translating host names to IP addresses (forward lookups) and IP addresses to host names (reverse lookups). WINS provides computer name resolution by translating NetBIOS names to IP addresses. It is not necessary to install Windows Internet Name Service (WINS) unless you are supporting legacy operating systems, such as Windows 95 or Windows NT. Operating systems such as Windows 2000 and Windows XP do not require WINS, although legacy applications on those platforms may very well require NetBIOS name resolution.

Incorrect Answers: B: The question requires name resolution and network browsing support, during and after the upgrade process,

to be maintained in both offices.

Reference:Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment.

QUESTION NO: 2 You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com that has two child domains: domain1.testking.com and domain2.testking.com. All domain controllers run Windows Server 2003. All domain controllers are configured as DNS servers.

You use a proxy firewall to isolate your network from the Internet. You configure the DNS servers in the testking.com domain as internal DNS root servers. All client computers are configured with the proxy firewall client software.

You need to allow users to resolve host names on both the internal network and the Internet.

What should you do?


70 - 293


- 75 -

A. Configure the internal DNS root servers to use Active Directory-integrated stub zones to resolve DNS queries for domain1.testking.com and domain2.testking.com.

B. Configure all client computers to use a Web browser automatic configuration script. C. Configure the DNS servers in the child domains to use the internal DNS root servers as forwarders. D. Configure the DNS servers in the child domain with root hints that point to the internal DNS root servers

in the testking.com domain.

Answer: D Explanation:If you are using the DNS service on a private network, you can edit or replace the root hints file with similar records that point to your own internal root DNS servers. If you are configuring a DNS server within a large private namespace, you can use the Root Hints tab, in DNS server properties, to delete the Internet root servers and specify the root servers in your network instead.

Incorrect Answers: A: Stub zones are used to keep all the NS resource records from a master zone current. B: This option does not resolve name resolution. C: This will only allow users to resolve host names on the internal network.

Reference:J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, Chapter 4 and 5.

QUESTION NO: 3 TestKing uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used.

A user Tess on a server named TestKing2 reports that when she runs a script to transfer files to a server named TestKing5, she receives the following error stating �Unknown Host TestKing5

You use TestKing2 to troubleshoot the problem. The results of your troubleshooting show that the nslookup utility replies with an address of 192.168.1.8. When you try to ping TestKing5, the reply times out and shows a different IP address.

You need to allow Tess on TestKing2 to use the script on TestKing5.

What should you do?

A. Re register TestKing5 with WINS B. On TestKing5 run the ipconfig /registerdns command


70 - 293


- 76 -

C. On TestKing2 run the ipconfig /flushdns command D. On TestKing2, purge and reload the remote NetBIOS cache name table

Answer: A Explanation:The nslookup utility replies with an address of 192.168.1.8. This is probably the correct address, but when you ping TestKing5, it times out and shows a different IP address. This is an incorrect address that was resolved using a WINS lookup. As the address in the WINS database is wrong, we need to re-register TestKing5 with WINS.

Incorrect Answers: B: The address of TestKing5 stored in DNS is likely to be correct, so it doesn�t need to be re-registered. C: Nslookup returns an address of TestKing5 that is likely to be correct. We know this because the ping test

fails with a different IP address. Therefore, the locally cached IP address is likely to be correct, so the cache doesn�t need to be cleared.

D: We would need to purge the local NetBIOS name cache, not the remote cache.


QUESTION NO: 4 You are the network admin for Contoso. The network consists of a single active directory domain named contoso.com. The domain is supported by an active directory integrated zone that allows only secure updates.

The contoso.com domain is configured as two active directory sites named Mainoffice and Branch1. Branch1 contains a single windows server 2003 domain controller named server1 that is not a DNS server. There is a single subnet of 192.168.10.0/24 in branch1 that contains all client computers and servers in the site.

Branch 1 is connected to Mainoffice by a single low bandwidth WAN connection that is often saturated. Users in Branch1 are normally authenticated by server1. Users in Branch1 report that they are experiencing unusually long logon times. You discover that Branch1 users are being authenticated by domain controllers in MainOffice. You run the nslookup command to query the SRV records for Branch1 and receive the output shown in the following table:

Server hostname Server1.contoso.com Server1.contoso.com internet address 192.168.10.65

You run the ipconfig command on server1 and receive the following:


70 - 293


- 77 -

IP address 192.168.10.32 Subnet mask 255.255.255.0 Default Gateway 192.168.10.1

You want server1 to resume authenticating all clients in Branch1. What should you do?

A. Run the ipconfig.exe registerdns command on server1 B. Run the ipconfig.exe /flushdns command on server1 C. Stop and restart the Netlogon service on server1 D. Stop and restart the Netlogon service on clients in Branch1

Answer: CExplanation:The DNS record shows the wrong IP address for Server1. We need to configure the DNS with the correct information. Because server1 is a domain controller, we need to register the A records and the SRV records. The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located in the network every 24 hours. To initiate the registration performed by Net Logon service manually, you can restart the Net Logon service.

Incorrect Answers: A: This command will only register the A records. The client computers locate the domain controller by

querying SRV records. B: This will flush the local DNS client cache. This won�t solve the problem. D: We need to restart the Netlogon service on server1, not the clients.

Reference:J. C. Mackin, Ian McLean; MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.

QUESTION NO: 5 You are a network administrator for Woodgrove Bank. All servers run Windows Server 2003. The company uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used.

A user on a server named Server2 reports that when she attempts to map a network drive to a shared folder on a server named Server5 by name, she received the following error message: �System error 67 has occurred. The network name cannot be found�. The user was previously able to map network drives by name to shared folders on Server5 from Server2.

You run the ping command on Server2 to troubleshoot the problem. The results of your troubleshooting are shown in the exhibit.


70 - 293


- 78 -

You need to allow the user on Server2 to connect to resources on Server5 both by name and by address.

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. On Server2, purge and reload the remote NetBIOS cache name table. B. Re-register Server5 with WINS. C. On Server2, run the ipconfig command with the /flushdns option. D. On Server5, run the ipconfig command with the /renew option. E. On Server5, run the ipconfig command with the /registerdns option.

Answer: B, E Explanation:The server doesn�t answer to DNS name or IP address which means either he is offline or he has changed his IP and is still registered with the old IP (192.168.202.8). Ipconfig /registerdns will register in DNS, and WINS re-register will register the server with WINS.

Incorrect Answers: A:C: Ipconfig /renew - Attempts to renew the DHCP lease. D: Ipconfig /flushdns - Flushes the DNS cache.


70 - 293


- 79 -

QUESTION NO: 6 You are the network administrator for TestKing. You need to provide Internet name resolution services for the company. You set up a Windows Server 2003 computer running the DNS Server service to provide this network service.

During testing, you notice the following intermittent problems:

Name resolution queries sometimes take longer than one minute to resolve. Some valid name resolution queries receive the following error message in the Nslookup command and-line tool: �Non-existent domain�.

You suspect that there is a problem with name resolution.

You need to review the individual queries that the server handles. You want to configure monitoring on the DNS server to troubleshoot the problem.

What should you do?

A. In the DNS server properties, on the Debug Logging tab, select the Log packets for debugging option. B. In the DNS server properties, on the Event Logging tab, select the Errors and warnings option. C. In the System Monitor, monitor the Recursive Query Failures counter in the DNS object. D. In the DNS server properties, on the Monitoring tab, select the monitoring options.

Answer: A Explanation:If you need to analyze and monitor the DNS server performance in greater detail, you can use the optional debug tool. You can choose to log packets based on the following:

Their direction, either outbound or inboundThe transport protocol, either TCP or UDPTheir contents: queries/transfers, updates, or notificationsTheir type, either requests or responsesTheir IP address

Finally, you can choose to include detailed information.

Note: This is the only thing that�s going to let you see details about packets.

Incorrect Answers: B: The Event Logging tab allows you to restrict the events written to the DNS Events log file to only errors or

to only errors and warnings, also it allows you to disable DNS logging. C: This option allows you to view the total number of recursive query failures


70 - 293


- 80 -

D: The Monitoring tab of the DNS server properties dialog box allows you to check basic DNS functionality with two simple tests: a simple query against the local DNS server and a recursive query to the root DNS servers.

Reference:Syngress 070-293, page 414

J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Chapter 5

MCSA/MCSE Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Chapter 6

QUESTION NO: 7 You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains three sites named MainOffice, EastCoast, and WestCoast. Each site contains four domain controllers and 100 client computers. One server in the EastCoast site is named TestKing1. All DNS servers contain Active Directory-integrated zones.

Other administrators report that they cannot connect to TestKing1 when attempting to perform Active Directory administration. They report they can perform these tasks locally at TestKing1. You verify that Server1 is operational and that file and print resources are accessible by using the host name.

You need to ensure that administrators can perform Active Directory administration on TestKing1 without requiring physical access to the server.

What should you do?

A. On Server1, force registration of DNS hosts (A) resource records. B. On Server1, restart the Net Logon service. C. Install DNS on TestKing1. D. Configure TestKing as a local bridgehead server for the EastCoast site.

Answer: B Explanation:TestKing1 is a domain controller. We know this because administrators are trying to perform Active Directory administration on TestKing1. File and print resources on TestKing1 are accessible by using the host name. This means that the A records are present in DNS. The problem in this question is that the SRV records are missing. We need to restore the SRV in DNS.


70 - 293


- 81 -

The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located in the network every 24 hours. To initiate the registration performed by Net Logon service manually, you can restart the Net Logon service.

Incorrect Answers: A: File and print resources on TestKing1 are accessible by using the host name. This means that the A records

are present in DNS. C: It is not necessary to install DNS on TestKing1. D: TestKing1 does not need to be a bridgehead server to enable the administrators to access it.

Reference:Server Help - NetLogon

B: Diagnose and resolve issues related to client computer configuration. (1 questions)

QUESTION NO: 1 You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one domain named testking.com.

You need to deploy a new domain named NA.testking.com as a child domain of testking.com.

You install a new stand-alone Windows Server 2003 computer named TK1. You plan to make TK1 the first domain controller in the NA.testking.com domain. You configure TK1 with a static IP configuration.

You run the Active Directory Installation Wizard on TK1. The wizard prompts you for the network credentials to use to join the NA.testking.com domain to testking.com.

You receive an error message stating that a domain controller in the testking.com domain cannot be located.

You need to be able to promote TK1 to a domain controller as the first domain controller of the child domain in the existing forest.

What should you do?

A. Configure the client WINS settings on TK1 to use a WINS server that contains entries for the testking.com domain controllers.

B. Configure the client DNS settings on TK1 to use a DNS server that is authoritative for the testking.com domain.


70 - 293


- 82 -

C. Configure the DNS Server service on TK1 to have a zone for NA.testking.com. D. Configure TK1 to be a member server in the testking.com domain.

Answer: B Explanation:This is typically the effect of a DNS problem because the client (in this case a member server) can't locate the SRV records of a domain.

The process needs to contact the DNS server that is authoritative for the parent domain that you want to make a child domain in.

First, in the Active Directory installation wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller. Later in the installation process, the wizard tests for the following:

Based on its TCP/IP client configuration, it checks to see whether a preferred DNS server is configured. If a preferred DNS server is available, it queries to find the primary authoritative server for the DNS domain you specified earlier in the wizard.

It then tests to see whether the authoritative primary server can support and accept dynamic updates as described in the DNS dynamic update protocol.

If, at this point in the process, a supporting DNS server cannot be located to accept updates for the specified DNS domain name you are using with Active Directory, you are provided with the option to install the DNS Server service.

Incorrect Answers: A: WINS is used for name resolution for down level clients. TK1 is a Windows Server 2003 computer. C: NA.testking.com does not yet exist. D: We want to install TK1 as a domain controller for the na.testking.com domain. Making TK1 a member

server would me demoting the server and then promoting it again al a later point. This does not make sense.

Reference:MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 4-6 to 4-9, 4-17.


70 - 293


- 83 -

Topic 3: Planning, Implementing and Maintaining Routing and Remote Access (17 Questions)

Part 1: Plan a routing strategy.

A: Identify routing protocols to use in a specified environment. (1 question)

QUESTION NO: 1 You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. TestKing�s main office is in Boston, and it has branch offices in Washington and Los Alamos. The company has no immediate plans to expand or relocate the offices.

The company wants to connect the office networks by using a frame relay WAN connection and Routing and Remote Access servers that are configured with frame relay WAN adapters. Computers in each office will be configured to use their local Routing and Remote Access server as a default gateway.

You are planning the routing configuration for the Routing and Remote Access servers.

You need to allow computers in Boston, Washington, and Los Alamos to connect to computers in any office. You want to minimize routing traffic on the WAN connection.

What should you do?

A. At each office, add the OSPF routing protocol to Routing and Remote Access, add the WAN adapater to the OSPF routing protocol, and deploy OSPF as a single-area internetwork.

B. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and configure the WAN adapter to use RIP version 2. Configure the outgoing packet protocol as RIP version 2 broadcast and the incoming packet protocol as RIP version 1 and 2.

C. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and configure the WAN adapter to use RIP version 2. Configure the outgoing packet protocol as RIP version 2 multicast and the incoming packet protocol as RIP version 2 only.

D. At each office, configure the Routing and Remote Access server with static routes to the local networks at the other two offices.

Answer: D Explanation:


70 - 293


- 84 -

We need to configure the routers to route traffic between the offices. As we only have three offices, we can use simple static routes. Once we have configured the routing tables with static routes, the offices will be able to communicate with each other. This solution is preferable to using a routing protocol, such as RIP, because there will be no routing information going over the WAN links.

Incorrect Answers: A: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary.

Static routes will suffice. B: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary.

Static routes will suffice. C: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary.

Static routes will suffice.

Reference:J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.

B: Plan routing for IP multicast traffic. (0 questions)

Part 2: Plan security for remote access users.

A: Plan remote access policies. (3 questions)

QUESTION NO: 1 You are the security analyst for TestKing. TestKing�s written security policy does not allow direct dial-in connections to the network. During a routine security audit, you discover a Windows Server 2003 server named Testking1 that has a modem installed and is connected to an outside analog phone line. You investigate and discover that Testking1 is also running Routing and Remote Access and is used by the sales department. The modem supports the caller ID service.

This remote access connection is used by an application at a partner company to upload product and inventory information to Testking1. Each day at midnight, the partner application connects to Testking1 and uploads the information. The connection never lasts longer than 30 minutes. The application is currently using the sales manager�s domain user account to make the connection. The partner application does not support incoming connections. The partner company has no plans to update this application to support your written security policy, and the sales department requires this updated product and inventory information to be available each morning.


70 - 293


- 85 -

TestKing management directs you to design a solution that provides the highest level of security for this connection until a more secure solution can be developed by the two companies.

You need to design and implement a solution that will ensure that only the partner�s application can connect to your network over the dial-up connection. Your solution must prevent the connection from being used by unauthorized users, and it must allow only the minimum amount of access to the network.


A. Create an account named PartnerDialup in the domain, and add this account to the Domain Guests group.Grant this user account permissions for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.

B. Create a local account named PartnerDialup on Testking1, and add this account to the local Users group. Grant this user account permission for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.

C. Configure a remote access policy on Testking1 that allows the connection for only the specified user account between midnight and 1.00 A.M. Configure the policy to require callback authentication to the partner company�s server.

D. Configure a remote access policy on Testking1 that allows the connection for only the specified user account between midnight and 1:00 A.M. Configure the policy to allow only the specific calling station identifier of the partner company�s computer.

Answer: B, D

QUESTION NO: 2 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains a Windows Server 2003 computer named TestKing26 that is running Routing and Remote Access.

The domain contains a universal group named Managers and a global group named Operations. User accounts in the Managers group require remote access between the hours of 8:00 A.M. and 8:00 P.M. User accounts in the Operations group require remote access 24 hours per day.

You configure a remote access policy on TestKing26 named RA_Managers with the appropriate settings for the Managers group, and you configure a second remote access policy named RA_Operations on TestKing26 with the appropriate settings for the Operations group. The default remote access polices on TestKing26 remain unmodified.


70 - 293


- 86 -

Members of the Managers group report that they can establish a remote access connection to TestKing26, but members of the Operations group report that they cannot establish a remote access connection to TestKing26.

You open the Routing and Remote Access administrative tool and note that the remote access polices are in the order presented in the following table.

You need to enable the appropriate remote access for the members of the Managers and Operations groups while restricting remote access to all other users.

What should you do?

A. Delete the Connections to other access servers policy. B. Re-create the Operations global group as a universal group. C. Move the Connections to Microsoft Routing and Remote Access server policy up so that it is the first

policy in the order. D. Move the RA_Operations policy up so that it is the second policy in the order.

Answer: D Explanation:The remote access policies are processed in order. If a user meets a condition in a policy, the user is allowed or denied access according to that policy. No other policies are checked. The Connections to Microsoft Routing and Remote Access server policy is being processed before the RA-Operations policy. The users meet the condition in the Connections to Microsoft Routing and Remote Access server policy and are being denied access. The RA-Operations policy isn�t being checked. Therefore, we need to move the RA-Operations policy above the Connections to Microsoft Routing and Remote Access server policy.

Incorrect Answers: A: This policy isn�t preventing the remote access. The Connections to Microsoft Routing and Remote Access

server policy is preventing the access. B: The global group is fine. Changing it won�t help. C: The Connections to Microsoft Routing and Remote Access server policy is preventing the access. The RA-

Operations policy isn�t being checked. Therefore, we need to move the RA-Operations policy above the Connections to Microsoft Routing and Remote Access server policy.


Remote access policy name Order RA_Managers 1 Connections to Microsoft Routing and remote Access server

2

RA_Operations 3 Connections to other access servers

4


70 - 293


- 87 -

QUESTION NO: 3 You are the systems engineer for TestKing. The company has a main office in Las Palmas and two branch offices, one in Barcelona and one in Madrid. The offices are connected to one another by dedicated T1 lines. Each office has its own local IT department and administrative staff.

The company network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All servers support firmware-based console redirection by means of the serial port. The server hardware does not support any other method of console redirection and cannot be upgraded to do so.

The company is currently being reorganized. The IT department from each branch office is being relocated to a new central data center in the Las Palmas office. Several servers from each branch office are also being relocated to the Las Palmas data center. Each branch office will retain 10 servers. A new written security policy includes the following requirements:

All servers must be remotely administered for all administrative tasks. All servers must be administered from the Las Palmas office. All remote administration connections must be authenticated and encrypted.

Your current network configuration already adheres to the new written security policy for day-to-day server administration tasks performed on the servers. You need to plan a configuration for out-of-band management tasks for each office that meets the new security requirements.

Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. Connect each server�s serial port to a terminal concentrator. Connect the terminal concentrator to the network.

B. Connect a second network adapter to each server. Connect the second network adapater in each server to a separate network switch. Connect the management port on the switch to a WAN port on the office router. Enable IPSec on the router.

C. Enable Routing and Remote Access on a server in each branch office, and configure it as an L2TP/IPSec VPN server. Configure a remote access policy to allow only authorized administrative staff to make a VPN connection.

D. On each server, enable the Telnet service with a startup parameter of Automatic.Configure Telnet on each server to use only NTLM authentication. Apply the Server (Request Security) IPSec policy to all servers.

E. On each server, enable Emergency Management Services console redirection and the Emergency Management Services Special Administration Console (SAC).

Answer: A, C, E


70 - 293


- 88 -

Explanation:The Special Administration Console Helper system service can be used to perform remote management tasks if the Windows Server 2003 family operating system stops functioning due to a Stop error message. It�s main functions are to:

Redirect Stop error message explanatory textRestart the systemObtain computer identification information

The SAC is an auxiliary Emergency Management Services command � line environment that is hosted by Windows Server 2003 family operating systems. It also accepts input, and sends output through the out � of � band port. !SAC is a separate entity from both SAC and Windows Server 2003 family command � line environments. After a specific failure point is reached, Emergency Management Services components determine when the shift should be made from SAC to !SAC. !SAC becomes available automatically if SAC fails to load or is not functioning.If the Special Administration Console Helper service is stopped, SAC services will no longer be available. If this service is disabled, any services that explicitly depend on it will not start.

References: Server Help

B: Analyze protocol security requirements. (0 questions)

C: Plan authentication methods for remote access. (8 questions)

QUESTION NO: 1 You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003.

TestKing has a main office and a branch office. Both offices are connected to the Internet by Network Address Translation (NAT) firewalls and T1 connections to the company�s ISP. Each firewall is configured with a perimeter network. TestKing uses a public key infrastructure (PKI) for both internal and external authentication.

TestKing needs to connect to the main office to the branch office by using the existing Internet connections. TestKing�s written security policy included the following requirements:


70 - 293


- 89 -

All Internet communications must use the PKI for all authentication and data encryption. All servers that are required to communicate to or by means of the Internet must be located in a firewall perimeter network.

You need to connect to the main office to the branch office. You need to comply with the written security policy.

You install Routing and Remote Access servers in the perimeter network at each office.

What else should you do?

A. Configure persistent, two-way initiated PPTP connections with EAP-TLS authentication. B. Configure persistent, two-way initiated PPTP connections with MS-CHAP v2 user authentication. C. Configure persistent, two-way initiated L2TP/IPSec connections with MS-CHAP v2 user authentication. D. Configure persistent, two-way initiated L2TP/IPsec connections with EAP-TLS user and computer

authentication.

Answer: D Explanation:Layer 2 Tunneling Protocol (L2TP) A protocol used to establish virtual private network connections across the Internet. Extensible Authentication Protocol�Transport Level Security (EAP�TLS) Required to authenticate remote access users with smart cards or other security mechanisms based on certificates. The networks that use EAP-TLS typically have a public key infrastructure (PKI) in place and use certificates for authentication, that are stored on the computer or on smart cards. Virtual private network (VPN) This is a technique for connecting to a network at a remote location using the Internet as a network medium. A user can dial in to a local Internet service provider (ISP) and connect through the Internet to a private network at a distant location, using a protocol like the Point-to-Point Tunneling Protocol (PPTP) to secure the private traffic. For L2TP/IPSec-type connections, the L2TP protocol provides VPN tunneling, and the Encapsulation Security Payload (ESP) protocol (itself a feature of IPSec) provides data encryption.

Incorrect Answers: A, B: Although PPTP-based VPN connections do provide data confidentiality (captured packets cannot be

interpreted without the encryption key), they do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).

C: MS-CHAP v2 is not supported by Windows Server 2003.



70 - 293


- 90 -

J. C. Mackin, Ian McLean; MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, pp. 10-56 to10-59.

QUESTION NO: 2 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 10 application servers running Windows Server 2003.

There are 500 client computers on the LAN. The LAN-based client computers are members of the domain. There are 50 client computers on the Internet. The Internet-based client computers are not members of the domain. All client computers run Windows XP Professional. All client computers need to access the application servers. TestKing purchases certificates from a commercial certification authority (CA) when needed.

The network design requires that all access to the application servers must be encrypted by using IPSec. The application servers are configured to refuse any connection that is not encrypted.

You need to ensure that the client computers are authorized to access the application servers. You need to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Configure both the LAN-based client computers and the Internet-based client computers to use the Kerberos version 5 authentication protocol.

B. Configure both the LAN-based client computers and the Internet-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA.

C. Configure the LAN-based client computers to use the Kerberos version 5 authentication protocol and the Internet-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA.

D. Configure the LAN-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA and the Internet-based client computers to use the Kerberos version 5 authentication protocol.

Answer: C Explanation:Kerberos is an industry-standard, ticket-based authentication method. This method is used when IIS machines are part of a domain and there are no legacy Windows NT domain controllers present. Kerberos version 5 is the default protocol used by computers running Windows Server 2003, Windows XP, and Windows 2000. With certificates, you can protect network data and secure communications using a variety of cryptographic algorithms and key lengths that enable you to implement as much security as you need for your organization. For securing external transactions, the best practice is to obtain certificates from a neutral third-party organization that functions as a commercial certification authority.


70 - 293


- 91 -

Incorrect Answers: A: The Internet-based client computers are not part of the domain.B, D: If your organization engages in digital transactions with other companies, an internal CA is typically not

useful because the other companies are not going to trust your own CA to verify your identity.

Reference:Dan Holme, and Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296.

QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The functional level of the domain is Windows 2000 mixed. The network contains domain controllers that run Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0. The network also contains application servers that run Windows Server 2003, Windows 2000 Advanced Server, or Windows NT Server 4.0. All client computers run Windows XP Professional.

TestKing has a main office and branch offices. Each office has local administrator. Local administrators manage the client computers that are in their offices, including the Group Policy settings.

You want to reduce the possibility of passwords being compromised through man-in-the-middle attacks during the authentication process between client computers and servers. You want to ensure that the authentication protocols used by the client computers are as secure as possible. You are planning the guideline that the local administrators will use when they configure the Network Security policy setting for client computers. You want to be as flexible as possible, while still meeting your goals.

You need to select the appropriate authentication type or types for the client computers.

What should you do?

A. Allow LM, NTLM, NTLMv2, and Kerberos. B. Allow only NTLM, NTLMv2, and Kerberos. C. Allow only NTLMv2 and Kerberos. D. Allow only Kerberos.

Answer: C Explanation:NTLMv2 is the direct successor to the challenge/response NTLM authentication method. This method is used when IIS machines are part of a workgroup or on Windows Server 2003 networks that still have some legacy Windows NT domain controllers present.


70 - 293


- 92 -

Kerberos is an industry-standard, ticket-based authentication method. This method is used when IIS machines are part of a domain and there are no legacy Windows NT domain controllers present.

Incorrect Answers: A: The LM authentication protocol is considered weak because of the method used to encrypt the password.

This weakness is known and exploited by hackers. B: If NTLMv2 is the direct successor to the challenge/response NTLM authentication method, then why should

it be allowed. D: There are legacy Windows NT domain controllers present, so this cannot be used on its own.

Reference:Mitch Tulloch; IIS 6 Administration.

Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System.

QUESTION NO: 4 You are the systems engineer for TestKing. The network consists of a single Active Directory domain testking.com. TestKing has a main office and two branch offices. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional.

Each branch office maintains a dedicated 256-Kbps connection to the main office. Each office also maintains a T1 connection to the Internet. Each office has a Microsoft Internet Security and Acceleration (ISA) Server 2003 computer, which provides firewall and proxy services on the Internet connection. Each branch office contains one domain controller and five servers that are not domain controllers. Administrative staff at the branch offices is minimal.

A new company policy states that all servers must now be remotely administered by administrators in the main office. The policy states that all remote administrators� connections must be authenticated by the domain and that all traffic must be encrypted. The policy also states that the remote administration traffic must never be carried in clear text across the Internet.

You choose to implement remote administration by enabling Remote Desktop connections on all servers on the network. You decide to use the Internet-connected T1 lines for remote administration connectivity between offices.

Because administrative tasks might require simultaneous connections to multiple servers across the network, you need to ensure that administrators do not lose connections to servers in one office when they attempt to connect to servers in another office.

What should you do?


70 - 293


- 93 -

A. Configure Routing and Remote Access on one server in each branch office. Create L2TP/IPsec VPN ports on these servers. Create new VPN connections to the administrator�s computers to connect to the VPN servers in the branch offices.

B. Configure a VPN server in each branch office. Create connections that use IPSec Authentication Header (AH) in tunnel mode from the main office to connect to VPN servers in the branch offices.

C. Configure a local L2TP/IPSec VPN connection on the ISA Server 2003 firewall computer in the main office. Configure the ISA Server 2003 firewall computers at the branch offices as remote L2TP/IPSec VPN servers.

D. Configure a local PPTP VPN connection on the ISA Server 2000 firewall computers in each branch office. Configure the ISA Server 2000 firewall computer at the main office as a remote PPTP VPN server.

Answer: C Explanation:For L2TP/IPSec-type connections, the L2TP protocol provides VPN tunneling, and the Encapsulation Security Payload (ESP) protocol (itself a feature of IPSec) provides data encryption. L2TP/IPSec connections, unlike those of PPTP, require computer authentication in addition to user authentication. Computer authentication is performed first; this process occurs during all L2TP/IPSec connection attempts between remote access clients and servers. After the tunnel endpoints are authenticated and a secure channel is established between the client and the server, user authentication follows. User authentication over L2TP/IPSec VPN connections occurs by means of any of the same set of authentication protocols that are used for PPTP and dial-up connections. Once user authentication is complete, user authorization follows. Preferred methods of VPN encryption include MPPE and IPSec.

Incorrect Answers: A:B: AH does not provide confidentiality, which means that the data is not encrypted. D: Although PPTP-based VPN connections do provide data confidentiality (captured packets cannot be

interpreted without the encryption key), they do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).

Reference:J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.

QUESTION NO: 5 You are a network administrator for TestKing. TestKing has one main office and 30 branch offices. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003.


70 - 293


- 94 -

TestKing needs to connect the main office network and all branch office networks by using Routing and Remote Access servers at each office. The networks will be connected by VPN connections over the Internet. You install three Routing and Remote Access servers at the main office.

You are configuring security for the Routing and Remote Access servers.

You need to provide centralized authentication for the branch office Routing and Remote Access servers. You need to centrally configure the remote access policies for the main office Routing and Remote Access servers. You need to centrally maintain remote access authentication and connection logs for the main office Routing and Remote Access servers.

You install Internet Authentication Service (IAS) on a server in the main office and register it in Active Directory.


A. Configure the remote access policies on the IAS server. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use RADIUS authentication and accounting.

B. Configure the remote access policies on the IAS server. On the IAS server, configure the branch office RADIUS clients. Configure the branch office Routing and Remote Access servers to use RADIUS authentication and accounting.

C. Configure the remote access policies on the IAS server. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use Windows authentication and accounting.

D. Run the netsh command to configure the remote access polices on the main office Routing and Remote Access servers. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use RADIUS authentication and accounting.

Answer: A Explanation:Internet Authentication Service (IAS) is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS), an authentication and accounting system used by many Internet Service Providers (ISPs). When a user connects to an ISP using a username and password, the information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system. RADIUS proxy and server support is a new feature in Windows Server 2003. You can install and use the Microsoft Internet Authentication Service (IAS) server for both RADIUS servers and RADIUS proxies.


70 - 293


- 95 -

Incorrect Answers: B:C: The question states that �You need to centrally configure the remote access policies for the main office�

and with Windows authentication there is a separate set of policies for each RRAS server. D: NetSh.exe is a configuration tool that now adds the basic network diagnostic features provided by older

NetDiag.exe tool. Netsh is a command-line scripting utility that permits administrators to display or modify the network configuration of a computer that is currently running.

Reference:Dan Holme, Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment.

Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Laura E. Hunter, Brian Barber, Melissa Craft, and Norris L. Johnson, Jr.; Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Study Guide & DVD Training System.

QUESTION NO: 6 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains Windows Server 2003 file servers. The network also contains a Windows Server 2003 computer named Testking1 that runs Routing and Remote Access and Internet Authentication Service (IAS). Testking1 provides VPN access to the network for user�s home computers.

You suspect that an external unauthorized user is attempting to access the network through Testking1. You want to log the details of access attempts by VPN users when they attempt to access the network. You want to compare the IP addresses of user�s home computers with the IP addresses used in the access attempts to verify that the users are authorized.

You need to configure Testking1 to log the details of access attempts by VPN users.

What should you do?

A. Configure the system event log to Do not overwrite.B. In IAS, in Remote Access Logging, enable the Authentication requests setting. C. Configure the Remote Access server to Log all events.D. Create a custom remote access policy and configure it for Authentication-Type.

Answer: B Explanation:


70 - 293


- 96 -

Internet Authentication Services (IAS) is a service included with Microsoft Windows Server 2003 that provides centralized authentication and authorization services. Remote Access Logging lists log files and allows you to configure additional logging options, one of which is authentication requests.

Incorrect Answers: A: System log files contain events relating to the activity of the operating system. Startups and shutdowns,

device driver events, and system service events are recorded in the System log. C:D:

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System.

Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System

QUESTION NO: 7 You are a network administrator for TestKing. The company has a main office and one branch office. The network consists of a single active directory domain named TestKing.com. All servers run windows server 2003

The company needs to connect the main office network and the branch office network by using RRAS servers at each office the networks will be connected by a VPN connection over the internet.

The company�s written security policy includes the following requirements for VPN connections over the internet:

All data must be encrypted with end to end encryption VPN connection authentication must be at the computer level Credential information must not be transmitted over the internet as part of the authentication process.

You need to configure security for VPN connections between the main office and the branch office. You need to comply with the written policy.

What should you do?


70 - 293


- 97 -

A. Use a PPTP connection with EAP-TLS authentication B. Use a PPTP connection with MS-CHAP v2 authentication C. Use an L2TP connection with EAP-TLS authentication D. Use an L2TP connection with MS-CHAP v2 authentication

Answer: C Explanation:Strictly speaking, this answer is incomplete, because it doesn�t mention IPSec. For computer level authentication, we must use L2TP/IPSec connections. To establish an IPSec security association, the VPN client and the VPN server use the Internet Key Exchange (IKE) protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. Computer certificate authentication is highly recommended, as it is a much stronger authentication method. Computer-level authentication is only done for L2TP/IPSec connections.

Incorrect Answers: A: PPTP uses user-level authentication over PPP. The question states that computer-level authentication is

required; therefore we must use L2TP/IPSEC. B: PPTP uses user-level authentication over PPP. The question states that computer-level authentication is

required; therefore we must use L2TP/IPSEC. D: For computer certificate authentication, we must use EAP-TLS, not MS-CHAP v2.


QUESTION NO: 8 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The company has remote users in the sales department who work from home. The remote users� client computers run Windows XP Professional, and they are not members of the domain. The remote users� client computers have local Internet access through an ISP.

TestKing is deploying a Windows Server 2003 computer named TestKingA that has Routing and Remote Access installed. TestKingA will function as a VPN server, and the remote users will use it to connect to the company network. Confidential research data will be transmitted from the remote users� client computers. Security is critical to the company and TestKingA must protect the remote users� data transmissions to the main office. The remote client computers will use L2TP/IPSec to connect to the VPN server.

You need to choose a secure authentication method.

What should you do?


70 - 293


- 98 -

A. Use the authentication method of the default IPSec policies. B. Create a custom IPSec policy and use the Kerberos version 5 authentication protocol. C. Create a custom IPSec policy and use certificate-based authentication. D. Create a custom IPSec policy and use preshared authentication. E. Use the authentication method of the Routing and Remote Access custom IPSec policy for L2TP

connection.

Answer: C Explanation:The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol. Tunneling and authentication protocols, and the encryption levels applied to VPN connections, determine VPN security. L2TP/IPSec provides the highest level of security. For a VPN design, determine which VPN protocol best meets your requirements. Windows Server 2003 supports two VPN protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec).

Incorrect Answers: A: The default IPSec policies don�t require encryption. B: We cannot use the Kerberos version 5 authentication protocol because the remote users are not members of

the domain. D: Pre-shared authentication uses a �password� that is known by the server and the client computers. This

method is less secure than a certificate based method. E: This answer sounds plausible, but the actual setting on RRAS "Allow Custom IPSec policy for L2TP

connection" in the RRAS Server properties only allows a pre-shared key which is NOT secure compared to certificate-based IPSec policies.

Reference:MS Windows Server 2003 Deployment Kit Deploying Network Services Planning Security for a VPN Selecting a VPN Protocol

Part 3: Implement secure access between private networks.

A: Create and implement secure VPN connections. (1 question)


70 - 293


- 99 -

QUESTION NO: 1 You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains one root domain and multiple child domains. The functional level of all child domains is Windows Server 2003. The functional level of the root domain is Windows 2000 native.

You configure a Windows Server 2003 computer named TestKing1 to be a domain controller for an existing child domain. TestKing1 is located at a new branch office, and you connect TestKing1 to a central data center by a persistent VPN connection over a DSL line. TestKing1 has a single replication connection with a bridgehead domain controller in the central data center.

You configure DNS on TestKing1 and create secondary forward lookup zones for each domain in the forest.

You need to minimize the amount of traffic over the VPN connection caused by logon activities.


A. Configure the DNS zones to be Active Directory-integrated zones. B. Configure TestKing1 to be the PDC emulator for the domain. C. Configure TestKing1 to be a global catalog server. D. Configure universal group membership caching on TestKing1.

Answer: C, D Explanation:Logon traffic over the VPN is caused by the local domain controller retrieving universal group information from a global catalog server. We can reduce this traffic by either configuring TestKing1 to be a global catalog server, or by enabling universal group membership caching on TestKing1.

A global catalog server stores information about all objects in the forest, but not their attributes, so that applications can search Active Directory without referring to specific domain controllers that store the requested data. Universal group membership caching, on the other hand allows the domain controller to cache universal group membership information for users. This eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Incorrect Answers: A: Logon traffic over the VPN is caused by the local domain controller retrieving universal group information

from a global catalog server. It is not cause by DNS replication. B: The PDC emulator isn�t used in the logon process (except for down-level clients).

Reference:


70 - 293


- 100 -

MS Windows Server 2003 Deployment Kit Designing and Deploying Directory and Security Services Active Directory Replication Concepts

B: Create and implement an IPSec policy. (2 questions)

QUESTION NO: 1 You are the systems engineer for TestKing. The network consists of three physical networks connected by hardware-based routers. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

Each physical network contains at least one domain controller and at least one DNS server. One physical network contains a Microsoft Internet Security and Acceleration (ISA) Server array that provides Internet access for the entire company. The network also contains a certificate server.

TestKing management wants to ensure that all data is encrypted on the network and that all computers transmitting data on the network are authenticated.

You decide to implement IPSec on all computers on the network. You edit the Default Domain Policy Group Policy object (GPO) to apply to Secure Server (Require Security) IPSec policy.

Users immediately report that they cannot access resources located in remote networks. You investigate and discover that all packets are being dropped by the routers. You also discover that Active Directory replication is not functioning between domain controllers in different networks.

You need to revise your design and implementation to allow computers to communicate across the entire network. You also need to ensure that the authentication keys are stored encrypted.


A. Configure the routers to use IPSec and preshared key for authentication. B. Configure the routers to use IPSec and a certificate for authentication. C. Configure the routers to use IPsec and Kerberos for authentication. D. Reconfigure the GPOs to require a preshared key for IPSec authentication. E. Reconfigure the GPOs to require a certificate for IPSec authentication.

Answer: B, E Explanation:IPSec allows encryption of data across the network.


70 - 293


- 101 -

Certificates are digital documents that are commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certificate authority (CA), and they can be issued for a user, a computer, or a service. Group policies are used in Active Directory to configure auto-enrollment. In Computer Configuration | Windows Settings | Security Settings | Public Key Policies, there is a group policy entitled Automatic Certificate Request Settings. The property sheet for this policy enables you to choose to either Enroll certificates automatically or not. Also, you will need to ensure that the Enroll subject option is selected on the Request Handling tab of the certificate template property sheet without requiring any user input.

Incorrect Answers: A, D: Pre-shared keys are stored as plaintext. C: The Kerberos authentication mechanism relies on a key distribution center (KDC) to issue tickets that allow

client access to network resources.

Reference:Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder , and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 763.

James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, SYBEX Inc., Glossary.

Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System

J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.

QUESTION NO: 2 You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The Active Directory domain contains three organizational units (OUs): Payroll Users, Payroll Servers, and Finance Servers. The Windows XP Professional computers used by the users in the payroll department are in the Payroll Users OU. The Windows Server 2003 computers used by the payroll department are in the Payroll Servers OU. The Windows Server 2003 computers used by the finance department are in the Finance Servers OU.


70 - 293


- 102 -

You are planning the baseline security configuration for the payroll department. The company�s written security policy requires that all network communications with servers in the Payroll Servers OU must be secured by using IPSec. The written security states that IPSec must not be used on any other servers in the company.

You need to ensure that the baseline security configuration for the payroll department complies with the written security policy. You also need to ensure that members of the Payroll Users OU can access resources in the Payroll Servers OU and in the Finance Servers OU.

What should you do?

A. Create a Group Policy object (GPO) and assign the Secure Server (Require Security) IPSec policy setting.Link the GPO to only the Payroll Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

B. Create a Group Policy object (GPO) and assign the Secure Servers (Require Security) IPSec policy setting.Link the GPO to the Payroll Servers OU and to the Finance Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

C. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy setting. Link the GPO to only the Payroll Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

D. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy setting. Link the GPO to the Payroll Serves OU and to the Finance Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

Answer: A Explanation:Assigning the Secure Server (Require Security) IPSec policy to the payroll servers will ensure that they will only communicate using IPSec. Assigning the Client (Respond Only) IPSec policy to the payroll clients will ensure that they are able to use IPSec when asked to do so by the payroll servers. All other network communications will not use IPSec.

Client (Respond Only) policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.

Secure Server (Require Security) policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be


70 - 293


- 103 -

secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections

Incorrect Answers: B, D: The question states that IPSec must not be used on any other servers in the company.C: This option configures the computer to use IPSec only when another computer requests IPSec. The

computer using this policy never initiates an IPSec negotiation; it only responds to requests from other computers for secured communications.

Reference:Server Help


Part 4: Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor. (2 questions)

QUESTION NO: 1 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All servers are manually configured with static IP addresses. All client computers run Windows XP Professional. All client computers receive their TCP/IP configuration information from a DHCP server.

TestKing�s network consists of two subnets: 172.30.22.0/24 and 172.30.23.0/24. The research department uses the 172.30.23.0/24 subnet exclusively. All computers that belong to the other departments are located on the 172.30.22.0/24 subnet.

You deploy a server named Testking1 to the research department. Testking1 was formally used in a test lab environment. You change the TCP/IP configuration of Testking1 to allow it to communicate on the company network. Later, users from other departments report that when they attempt to connect to Testking1, the connection times out.

You run the route print command on Testking1 and view the output shown in the exhibit.


70 - 293


- 104 -

You need to ensure that users can connect to Testking1.

Which command should you run on Testking1?

A. route delete 172.30.22.0 mask 255.255.255.0 192.168.17.100 B. route delete 172.30.23.0 mask 255.255.255.0 172.30.23.19 C. route change 172.30.22.0 mask 255.255.255.0 192.168.17.100 2 IF 1 D. route change 172.30.23.0 mask 255.255.255.0 172.30.23.19 E IF 1

Answer: A Explanation:When a particular route or table entry is applied to a packet, the gateway value determines the next address or hop for which that packet is destined. In this case the gateway address is not part of the same network.

Incorrect Answers: B: According to the exhibit, it is a valid address. C, D: Addresses are a numerical sequence, with no letters.



70 - 293


- 105 -

QUESTION NO: 2 You are the network administrator for TestKing.com. The network contains 10 Web servers that run Windows Server 2003, Web Edition. The Web servers are located in an organizational unit (OU) named Web_Servers

A security analysis of the Web servers reveals that they all contain several security settings that are critical vulnerabilities.

You need to modify the security settings on the Web as quickly as possible while minimizing the performance impact on the servers. You want the new settings to be periodically enforced without administrative intervention.

What should you do?

A. Create a Group Policy object (GPO) and link to the Web_Servers OU. Configure the appropriate security settings in the GPO. On each server, run the secedit /refreshpolicy machine_policy command.

B. Create a Group Policy object (GPO) and link it to the Web_Servers OU. Configure the appropriate security settings in the GPO. On each server, run the gpupdate /target:computer command.

C. Configure a security template that contains the appropriate security settings and name it Websec.inf. On each server, run the secedit /configure /db secedit.sdb /cfg websec.inf command.

D. Configure a security template that contains the appropriate security settings and name it Websec.inf. On each server, run the secedit /import /db secedit.sdb /cfg websec.inf command.

Answer: B Explanation:/Target : Computer - Allows you to specify that only Computer policy settings should be refreshed. By default, both User and Computer policy settings are refreshed.

Incorrect Answers: A: The secedit /refreshpolicy machine_policy is a command available to Windows 2000 Servers, but is

replaced by gpupdate in Windows Server 2003.B: Configures local security policy settings by applying the stored database settingsC: Imports a security template into the named database

Reference:Laura E. Hunter, Brian Barber, Melissa Craft, Norris L. Johnson, Jr., and Tony Piltzecker; Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 7, pp. 376.


70 - 293


- 106 -

Robert Williams, and Mark Walla, �The Ultimate Windows Server 2003 system administrator's guide�, appendix.

Topic 4: Planning, Implementing, and Maintaining Server Availability (24 Questions)

Part 1: Plan services for high availability.

A: Plan a high availability solution that uses clustering services. (3 questions)

QUESTION NO: 1 You are a network administrator for TestKing. The network contains four Windows Server 2003 computers configured as a four-node server cluster.

Each cluster node is the preferred owner of a clustered instance of Microsoft SQL Server 2000, and each cluster node is configured as a possible owner of all other instances of SQL Server. All nodes have identically configured hardware. All four nodes operate at a sustained 70 percent CPU average.

You add a server that has identically configured hardware to the cluster as a fifth node.

You want each SQL Server instance to continue operating at the same level of performance in the e vent of a single node failure.

What should you do?

A. Clear the Affect group check box in the cluster resource properties for each SQL Server instance. B. Configure the fifth node as the only possible other than the existing preferred owner of the cluster

resources that are associated with each SQL Server instance. C. Configure the fifth node as the preferred owner of each cluster group that contains an SQL Server

instance. D. Enable failback on each group that contains an SQL Server instance.

Answer: B http://support.microsoft.com/default.aspx?scid=kb;en-us;296799&Product=winsvr2003

QUESTION NO: 2


http://support.microsoft.com/default.aspx?scid=kb

70 - 293


- 107 -

You have just installed two Windows Server 2003 computers. You configure the servers as a two node server cluster. You install WINS on each Node of the cluster. You create a new virtual server to support WINS.

You create a new cluster group named WINSgroup. When you attempt to create the Network Name resource, you receive an error message. You need to make the proper changes to the cluster to complete the installation of WINS.

What should you do?

A. Create a Generic Service resource in the WINSgroup cluster group B. Configure the network priorities for the cluster C. Create an IP address resource in the WINSgroup cluster group D. Add the proper DNS name for the WINS Server in the DNS database

Answer: C Explanation:You need to create an IP address resource before you can create the network name resource.

Incorrect Answers: A: Applications or services that do not provide their own resource DLLs can be configured into the cluster

environment by using the generic resource DLL. The Cluster Service then treats these applications or services as generic, cluster-unaware applications or services. The absence of a Generic Service resource will thus not impede the creation of a Network Name resource.

B: If cluster nodes can communicate over multiple networks, the network's priority specifies the order in which the nodes will attempt to communicate over the networks.

D: Name Resolution is not required to create a Network Name resource.

Reference:Robert J. Shimonski, Windows Server 2003 Clustering & Load Balancing, Osborne/McGraw-Hill, 2003 Chapter 3: Designing a Clustered Solution with Windows Server 2003.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/SAG_MSCS2planning_4.asp

QUESTION NO: 3 You are a network administrator for TestKing. The network contains a perimeter network. The perimeter network contains four Windows Server 2003, Web Edition computers that are configured as a Network Load Balancing cluster.


http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en

70 - 293


- 108 -

The cluster hosts an e-commerce Web site that must be available 24 hours per day. The cluster is located in a physically secure data centre and uses an Internet-addressable virtual IP address. All servers in the cluster are configured with the Hisecws.inf template.

You need to implement protective measures against the cluster�s most significant security vulnerability.

What should you do?

A. Use Encrypting File System (EFS) for all files that contain confidential data stored on the cluster. B. Use packet filtering on all inbound traffic to the cluster. C. Use Security Configuration and Analysis regularly to compare the security settings on all servers in the

cluster with the baseline settings. D. Use intrusion detection on the perimeter network.

Answer: B Explanation:The most sensitive element in this case is the network card that uses an Internet-addressable virtual IP address. The question doesn�t mention a firewall implementation or an intrusion detection system (Usually Hardware). Therefore, we should set up packet filtering.

You can configure packet filtering to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information.

Incorrect Answers: A: In the case of EFS, you can't use it on cluster storage. C: Security Configuration and Analysis enables you to work with security templates in a database, where you

can analyze them before applying them to your computers. D: IDS will (if properly maintained and updated with new signatures) look for certain activity on the network

and check this against a signature database it carries. If a match occurs, then an alert is sent to an administrator or logged.

Reference:Deploying Network Services (Windows Server 2003 Reskit) Using a Perimeter Network

Robert J. Shimonski; Windows Server 2003 Clustering & Load Balancing.

B: Plan a high availability solution that uses Network Load Balancing. (3 questions)

QUESTION NO: 1


70 - 293


- 109 -

You are a network administrator for TestKing. The network contains two Windows Server 2003 computers named TestKingA and TestKingB. These servers host an intranet application. Currently, 40 users connect to TestKingA and 44 users connect to TestKingB.

The company is adding 35 employees who will need access to the intranet application. Testing shows that each server is capable of supporting approximately 50 users without adversely affecting the performance of the application.

You need to provide a solution for supporting the additional 35 employees. The solution must include providing server fault tolerance. You need to minimize the costs and administrative effort required by your solution.

You add a new server named TestKingC to the network and install the intranet application on TestKingC.


A. Use Network Load Balancing Manager to configure TestKingA, TestKingB, and TestKingC as a Network Load Balancing cluster.

B. Use Cluster Administrator to configure TestKingA, TestKingB, and TestKingC as a three-node server cluster.Use the Majority Node Set option. Configure the cluster so that all three nodes are active.

C. Use Cluster Administrator to configure TestKingA, TestKingB, and TestKingC as a three-node server cluster.Configure the cluster so that two nodes are active and one node is a hot standby node.

D. Use DNS load balancing to utilize all three servers by using the same virtual server name.

Answer: A Explanation:We can use Network Load Balancing to balance the load on the three web servers. Clustering allows you to combine application servers to provide a level of scaling, availability, or security that is not possible with an individual server. Network Load Balancing distributes incoming client requests among the servers in the cluster to more evenly balance the workload of each server and prevent overload on any one server. To client computers, the Network Load Balancing cluster appears as a single server that is highly scalable and fault tolerant. The Network Load Balancing deployment process assumes that your design team has completed the design of the Network Load Balancing solution for your organization and has performed limited testing in a lab. After the design team tests the design in the lab, your deployment team implements the Network Load Balancing solution first in a pilot environment and then in your production environment. Upon completing the deployment process presented here, your Network Load Balancing solution (the Network Load Balancing cluster and the applications and services running on the cluster) will be in place. For more information about the procedures for deploying Network Load Balancing on individual servers, see the appropriate Network Load Balancing topics in Help and Support Center for Windows Server 2003 2003.


70 - 293


- 110 -

Incorrect Answers: B: We already have three servers. A cluster would require different hardware and would thus be more

expensive.C: We already have three servers. A cluster would require different hardware and would thus be more

expensive.D: Round Robin DNS would load balance the servers, but if one server failed, clients would still be directed to

the failed server.

Reference:Deploying Network Load Balancing

QUESTION NO: 2 You are a network administrator for TestKing. TestKing has a main office and two branch offices. The branch offices are connected to the main office by T1 lines. The network consists of three Active Directory sites, one for each office. All client computers run either Windows 2000 Professional or Windows XP Professional. Each office has a small data centre that contains domain controllers, WINS, DNS, and DHCP servers, all running Windows Server 2003.

Users in all offices connect to a file server in the main office to retrieve critical files. The network team reports that the WAN connections are severely congested during peak business hours. Users report poor file server performance during peak business hours. The design team is concerned that the file server is a single point of failure. The design team requests a plan to alleviate the WAN congestion during business hours and to provide high availability for the file server.

You need to provide a solution that improves file server performance during peak hours and that provides high availability for file services. You need to minimize bandwidth utilization.

What should you do?

A. Purchase two high-end servers and a shared fiber-attached disk array. Implement a file server cluster in the main office by using both new servers and the shared fiber-attached disk array.

B. Implement Offline Files on the client computers in the branch offices by using Synchronization Manager.Schedule synchronization to occur during off-peak hours.

C. Implement a stand-alone Distributed File System (DFS) root in the main office. Implement copies of shared folders for the branch offices. Schedule replication of shared folders to occur during off-peak hours by using scheduled tasks.

D. Implement a domain Distributed File System (DFS) root in the main office. Implement DFS replicas for the branch offices.


70 - 293


- 111 -

Schedule replication to occur during off-peak hours.

Answer: D Explanation:A DFS root is effectively a folder containing links to shared files. A domain DFS root is stored in Active Directory. This means that users don�t need to know which physical server is hosting the shared files. All they do is open a folder in Active Directory and view a list of shared folders. A DFS replica is another server hosting the same shared files. We can configure replication between the file servers to replicate the shared files out of business hours. The users in each office will access the files from a DFS replica in the user�s office, rather than accessing the files over a WAN link.

Incorrect Answers: A: This won�t minimize bandwidth utilization because the users in the branch offices will still access the files

over the WAN. B: This doesn�t provide any redundancy for the server hosting the shared files. C: You need DFS replicas to use the replicas of the shared folders.

Reference:Robert Williams, Mark Walla; The Ultimate Windows Server 2003 system administrator's guide.

QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain.

You administer a three-node Network Load Balancing cluster. Each cluster node runs Windows Server 2003 and has a single network adapter. The cluster has converged successfully.

You notice that the nodes in the cluster run at almost full capacity most of the time. You want to add a fourth node to the cluster. You enable and configure Network Load Balancing on the fourth node.

However, the cluster does not converge to a four-node cluster. In the System log on the existing three nodes, you find the exact same TCP/IP error event. The event has the following description: �The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 02:BF:0A:32:08:46.�

In the System log on the new fourth node, you find a similar TCP/error event with the following description: �The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 03:BF:0A:32:08:46.� Only the hardware address is different in the two descriptions.

You verify that IP address 10.50.8.70 is configured as the cluster IP address on all four nodes.


70 - 293


- 112 -

You want to configure a four-node Network Load Balancing cluster.

What should you do?

A. Configure the fourth node to use multicast mode. B. Remove 10.50.8.70 from the Network Connections Properties of the fourth node. C. On the fourth node, run the nlb.exe resume command. D. On the fourth node, run the wlbs.exe reload command.

Answer: A Explanation:This normally happens when you don�t enable the Network Load Balancing (NLB) service in TCP/IP of the server, when adding two IP�s (one for the server and one for the load balancing IP). When you want to manage a NLB cluster with one network adapter, you use the multicast option. Since reload/suspend and remove the IP are all garbage answers, it could be that the other nodes are using multicast, and this new node is using unicast. That is why, on a single network adapter configuration, it will cause an IP conflict.

Incorrect Answers: B: The IP address cannot be changed, since the node has a single network adapter. C: This command instructs a suspended cluster to resume cluster operations. Using the Resume command

doesn't restart clustering operations but, instead, allows the use of Cluster Control commands, including those sent remotely. The Resume command can be targeted at a specific cluster, a specific cluster on a specific host, all clusters on the local machine, or all global machines that are part of the cluster.

D: The nlb.exe command replaces the wlbs.exe command previously used in Windows NT 4.0 and Windows 2000 Server.

Reference:Syngress 070-293, Page 689

Robert J. Shimonski, Windows Server 2003 Clustering & Load Balancing.

Part 2: Identify system bottlenecks, including memory, processor, disk, and network related bottlenecks. (5 questions)

QUESTION NO: 1 You are the network administrator for TestKing.com. The network contains an application server running Windows Server 2003.


70 - 293


- 113 -

Users report that the application server intermittently responds slowly. When the application server is responding slowly, requests that normally take 1 second to complete take more than 30 seconds to complete. You suspect that the slow server response is because of high broadcast traffic on the network.

You need to plan how to monitor the application server and to have a message generated when broadcast traffic is high. You also want to minimize the creation of false alarms when non-broadcast traffic is high.

What should you do?

A. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert trigger when the Datagrams/sec counter in the UDPv4 object is high.

B. Use System Monitor and configure it to monitor the Segments/sec counter in the TCPv4 object. C. Use System Monitor and configure it to monitor the Datagrams/sec counter in the UDPv4 object. D. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert to trigger when

the Datagrams/sec counter in the TCPv4 object is high.

Answer: A Explanation:Performance Logs And Alerts is an MMC snap-in that uses System Monitor�s performance counters to capture information to log files over a long period of time. Although the Performance console works well when systems are actively performing poorly, when you can�t wait around, you can set up triggers using the Performance console to catch bad systems in action. UDPv4 is one of the performance objects that provide network traffic monitoring capabilities. It monitors the number of User Datagram Protocol (UDP) packets the computer transmits and receives. Service applications, such as the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP), typically use UDP for client�server communications.

Incorrect Answers: B: TCPv4 tracks the number of successful and failed Transmission Control Protocol (TCP) connections. C: An alert needs to be configured as well, to prevent false alarms. D: Datagrams/sec counter is found in the UDPv4 object.


QUESTION NO: 2 You are a network administrator for TestKing. The network contains two Windows Server 2003 database servers configured as a two-node server cluster.


70 - 293


- 114 -

Each cluster node has a 100-Mbit network adapter and a 10-Mbit network adapter. The 100-Mbit network adapter on each server is connected to the company network. The 10-Mbit adapters are connected to each other by an Ethernet crossover cable. Cluster communications are configured to use the crossover connection as the primary cluster network.

The cluster provides mission-critical data to several hundred users at any given time, 24 hours per day. You need to be able to ascertain if the network performance ever becomes or might become a limiting performance factor. You want to be able to identify trends over time.

You need to choose which network adapters and performance counters are the most important for you to monitor, and you need to choose which method of monitoring to use to detect potential saturation of the network adapters.

What should you do?

Answer:


70 - 293


- 115 -

QUESTION NO: 3 Your network contains a Windows Server 2003 computer named TestKingC. TestKingC has a single CPU, 512 MB of RAM, and a single 100MB network adapter.

All network user�s home folders are stored on TestKingC. Users access their home folders by using a mapped network drive that connects to a shared folder on TestKingC

After several weeks, users report that accessing home folders on TestKingC is extremely slow at certain times during the day. You need to identify the resources bottleneck that is causing the poor performance.

What should you do?

A. Capture a counter log by using LogicalDisk, PhysicalDisk, Processor, Memory and Network Interface performance objects and view the log data information that is captured during period of poor performance


70 - 293


- 116 -

B. Configure alerts on TestKingC to log entries in the event logs for the LogicalDisk, PhysicalDisk, Processor, Memory and Network Interface performance objects when the value of any object is more than 90

C. Capture a trace log that captures Page faults, File details, Network TCP/IP, and Process creations/deletions events

D. Implement Auditing on the folder that contains the user�s home folders. Configure Network Monitor on TestKingC

Answer: A Explanation:The problem is most likely to be caused by a hardware bottleneck. This could be a disk problem or a problem with the processor, RAM or network card. We can monitor these hardware resources by using a System Monitor counter log. The Windows Performance tool is composed of two parts: System Monitor and Performance Logs and Alerts. With System Monitor, you can collect and view real-time data about memory, disk, processor, network, and other activity in graph, histogram, or report form. The output from the counter log will show us which hardware resource in unable to cope with the load and needs to be upgraded or replaced.

Incorrect Answers: B: We cannot use a generic value of 90 for the different hardware resources because different hardware

resources have different acceptable performance counters. C: We need to monitor the hardware resources listed in answer A, not the software resources listed in this

answer.D: The problem is most likely to be caused by a hardware bottleneck. Auditing and network monitoring won�t

give us any useful information about the hardware.


QUESTION NO: 4 You are a network administrator for TestKing. The network contains a Windows Server 2003 application server named TestKingSrv. TestKingSrv has one processor. TestKingSrv has been running for several weeks.

You add a new application to TestKingSrv. Users now report intermittent poor performance on TestKingSrv. You configure System Monitor and track the performance of TestKingSrv for two hours. You obtain the performance metrics that are summarized in the exhibit.


70 - 293


- 117 -

The values of the performance metrics are consistent over time.

You need to identify the bottleneck on TestKingSrv and upgrade the necessary component. You need to minimize hardware upgrades.

What should you do?

A. Install a faster CPU in TestKingSrv. B. Add more RAM to TestKingSrv. C. Add additional disks and spread the disk I/O over the new disks. D. Increase the size of the paging file.

Answer: C Explanation:Physical Disk\Disk Time threshold is 90 percent and the performance metrics values gives a percentage of 93.610. This means that the disk is not being read quickly enough, which could be a hardware issue, and it could also be that the amount of data on the disk is too large.

Incorrect Answers: A: The CPU is operating below its threshold. B, D: The values for these could be a result of the Physical Disk\Disk Time exceeding its threshold.

Reference:Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System.

QUESTION NO: 5 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains an application server running Windows Server 2003.


70 - 293


- 118 -

Users report intermittent slow performance when they access the application server throughout the day. You find out that the network interface on the application server is being heavily used during the periods of slow performance. You suspect that a single computer is causing the problem.

You need to create a plan to identify the problem computer.

What should you do?

A. Monitor the performance monitor counters on the application server by using System Monitor. B. Monitor the network traffic on the application server by using Network Monitor. C. Monitor network statistics on the application server by using Task Manager. D. Run network diagnostics on the application server by using Network Diagnostics.

Answer: B Explanation:Network Monitor Capture Utility Network Monitor Capture Utility (Netcap.exe) is a command-line Support Tool that allows a system administrator to monitor network packets and save the information to a capture (.cap) file. You can use information gathered by using Network Monitor Capture Utility to analyze network use patterns and diagnose specific network problems. This command-line tool allows a system administrator to monitor packets on a LAN and write the information to a log file. NetCap uses the Network Monitor Driver to sniff packets on local network segments.

Network Monitor Network Monitor captures network traffic information and gives detailed information about the frames being sent and received. This tool can help you analyze complex patterns of network traffic. Network Monitor can help you view the header information included in HTTP and FTP requests. Generally, you need to design a capture filter, which functions like a database query and singles out a subset of the frames being transmitted. You can also use a capture trigger that responds to events on your network by initiating an action, such as starting an executable file. An abbreviated version of Network Monitor is included with members of the Windows Server 2003 family. A complete version of Network Monitor is included with Microsoft Systems Management Server.

Incorrect Answers: A: System Monitor allows you to monitor real-time performance statistics. C: Task Manager is used to view real-time performance data surrounding processes and applications. D: Network Diagnostics is a graphical troubleshooting tool, built into the Windows Server 2003 interface that

provides detailed information about a local computer�s networking configuration.

References:Resource Kit Windows XP: Appendix D - Tools for Troubleshooting Server Help: Performance Monitoring and Scalability Tools


70 - 293


- 119 -

J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Chapter 3, and 6.

Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Chapter 12.

Part 3: Implement a cluster server. (4 questions)

QUESTION NO: 1 You are a network administrator for TestKing. You install Windows Server 2003 on two servers named Testking1 and Testking2. You configure Testking1 and Testking2 as two-node server cluster. The cluster has three managed drives assigned the letters Q, R, and S. The quorum resource is located in drive Q.

You create a WINS group and configure WINS on the cluster. You create a File Server group and configure file sharing on the cluster by using a shared folder that you create on drive R. File sharing and WINS are both running on Testking1.

You move the WINS group to Testking2. The file share service fails on Testking1. When you attempt to bring it back online, the file share resource will not start on Testking1. You move the WINS group back to Testking1. The file share service will not come back online.

You need to configure the cluster so that each application can be moved or can fail over independently, without affecting the other application.

What should you do?

A. Modify the Preferred owners list for the WINS group so that only Testking2 is in the list. B. Modify the Preferred owners list for the File Server group so that only Testking2 is in the list. C. Configure both the WINS group and the File Server group to allow failback immediately. D. Reconfigure the File Server group File Share resource to use a shared folder on drive S.

Answer: B

http://download.microsoft.com/download/7/6/f/76f3db2f-6f43-4624-bfde-ff731e3c1f96/GDClusters.doc

QUESTION NO: 2


http://download.microsoft.com/download/7/6/f/76f3db2f-6f43-4624-bfde-ff731e3c1f96/GDClusters.doc

70 - 293


- 120 -

You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains a Windows Server 2003 two-node server cluster.

The security team states that the password for the cluster service account must be changed because one of the administrators has left the company. You fill out the necessary change control paperwork. You need to provide the process for changing the password in the change control form.

You need to change the password for the cluster service account by using the minimum amount of administrative effort.

What should you do?

A. Change the cluster service account password in Active Directory Users and Computers. Change the cluster service account password on one node, and restart the node. After the first node comes back online, change the cluster service account password on the second node, and restart the node.

B. Change the cluster service account password in Active Directory Users and Computers. Change the cluster service account password on both nodes, and restart the first node. After the first node comes back online, restart the second node.

C. Run Dsmod.exe with the change password option. D. Run Cluster.exe with the change password option. E. Run SC.exe with the change password option.

Answer: D Explanation:Cluster.exe is the command-line utility you can use to create or administer a server cluster. It has all of the capabilities of the Cluster Administrator graphical utility and more. Cluster.exe has numerous options. The following are some of the tasks that are impossible to do with Cluster Administrator or are easier to perform with Cluster.exe:

Changing the password on the cluster service accountCreating a server cluster or adding a node to a server cluster from a scriptCreating a server cluster as part of an unattended setup of Windows Server 2003Performing operations on multiple server clusters at the same time

It is for this reason that A and B are incorrect.

Incorrect Answers: A:B:C: Dsmod.exe allows the properties of directory services objects to be changed. E: SC.exe starts and stops and manages Win32 services.

Reference:http://support.microsoft.com/default.aspx?scid=kb;en-us;305813



70 - 293


- 121 -

Robert J. Shimonski, Windows Server 2003 Clustering & Load Balancing.

Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System.

QUESTION NO: 3 You are a network administrator for TestKing. You install Windows Server 2003 on two servers named TestKing1 and TestKing2. You configure TestKing1 and TestKing2 as a two-node cluster.

You configure a custom application on the cluster by using the Generic Application resource, and you put all resources in the Application group. You test the cluster and verify that it fails over properly and that you can move the Application group from one node to the other and back again.

The application and the cluster run successfully for several weeks. Users then report that they cannot access the application. You investigate and discover that TestKing1 and TestKing2 are running but the Application group is in a failed state.

You restart the Cluster service and attempt to bring the Application group online on TestKing1. The Application group fails. You discover that TestKing1 fails, restarts automatically, and fails again soon after restarting. TestKing1 continues to fail and restart until the Application group reports that it is in a failed state and stops attempting to bring itself back online.

You need to configure the Application group to remain on TestKing2 while you research the problem on TestKing1.

What should you do?

A. On TestKing2, configure the failover threshold to 0.B. On TestKing2, configure the failover period to 0.C. Remove TestKing1 from the Possible owners list. D. Remove TestKing1 from the Preferred owners list.

Answer: C Explanation:We don�t want the application group to move to TestKing1 � we want the application group to remain on TestKing2. We can do this by removing TestKing1 from the possible owners list.

Incorrect Answers: A, B: The question states that failover occurred properly. D:


70 - 293


- 122 -


QUESTION NO: 4 You are a network administrator for TestKing.com. The network contains four Windows Server 2003 computers configured as a four-node server cluster.

The cluster uses drive Q for the quorum resource. You receive a critical warning that both drives of the mirrored volume that are dedicated to the quorum disk have failed.

You want to bring the cluster and all nodes back into operation as soon as possible.

Which four actions should you take to achieve this goal?

To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes until you list all four required actions in the correct order.


70 - 293


- 123 -

Answer:

Explanation:To recover from a corrupted quorum log or quorum disk, proceed as follows:

If the Cluster service is running, open Computer Management.In the console tree, double-click Services and Applications, and then click Services.In the details pane, click Cluster Service.On the Action menu, click Stop.Repeat steps 1, 2, 3, and 4 for all nodes.If you have a backup of the quorum log, restore the log by following the instructions in "Backing up and restoring server clusters" in Related Topics.If you do not have a backup, select any given node. Make sure that Cluster Service is highlighted in the details pane, and then on the Action menu, click Properties.Under Service status, in Start parameters, specify /fixquorum, and then click Start.Switch from the problematic quorum disk to another quorum resource.For more information, see "To use a different disk for the quorum resource" in Related Topics.In Cluster Administrator, bring the new quorum resource disk online.For information on how to do this, see "To bring a resource online" in Related Topics.


70 - 293


- 124 -

Run Chkdsk, using the switches /f and /r, on the quorum resource disk to determine whether the disk is corrupted.For more information on running Chkdsk, see "Chkdsk" in Related Topics.If no corruption is detected on the disk, it is likely that the log was corrupted. Proceed to step 12.If corruption is detected, check the System Log in Event Viewer for possible hardware errors.Resolve any hardware errors before continuing.Stop the Cluster service after Chkdsk is complete, following the instructions in steps 1 - 4.Make sure that Cluster Service is highlighted in the details pane. On the Action menu, click Properties.Under Service status, in Start parameters, specify /resetquorumlog, and then click Start.This restores the quorum log from the node's local database.

Important The Cluster service must be started by clicking Start on the service control panel. You cannot click OK or Apply to commit these changes as this does not preserve the /resetquorumlog parameter.

Restart the Cluster service on all other nodes.


Part 4: Manage Network Load Balancing. Tools might include the Network Load Balancing Monitor Microsoft Management Console (MMC) snap-in and the WLBS cluster control utility. (4 questions)

QUESTION NO: 1 You are a network administrator for TestKing. You install an intranet application on three Windows Server 2003 computers. You configure the servers as a Network Load Balancing cluster. You configure each server with two network adapters. One network adapter provides client computers access to the servers. The second network adapter is for cluster communications. Cluster communications are on a separate network segment.

The network team wants to reduce the cluster�s vulnerability to attack. These servers need to be highly available. The network team decides that the Network Load Balancing cluster needs to filter IP ports. The team wants the cluster to allow only the ports that are required for the intranet application.

You need to implement filtering so that only the intranet application ports are available on the cluster. You need to achieve this goal by using the minimum amount of administrative effort.

What should you do?


70 - 293


- 125 -

A. Use Network Load Balancing Manager to configure port rules. Allow only the intranet application ports on the cluster IP address.

B. Use TCP/IP filtering on each server. Configure only the intranet application ports on the network adapter that provides client computers access to the servers.

C. Use TCP/IP filtering on each server. Configure only the intranet application ports on both of the network adapters.

D. Configure Routing and Remote Access on each server. Use Routing and Remote Access input filters to allow only the intranet application ports on the network adapter that provides client computers access to the servers.

Answer: A Explanation:The Port Rule tab, in the NLB Properties sheet, lets you specify the Port Rules used for your NLB cluster. These settings enable you to control how your NLB cluster will function under load.

IP address filtering is useful for protecting part of a private network from users on the other parts. You can create filters that give only certain computers access to the protected LAN, while preventing all others from accessing it.

Reference:Robert Shimonski, Windows Server 2003 Clustering & Load Balancing, Brandon A. Nordin, Chapter 2.


QUESTION NO: 2 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All computers on the network are members of the domain.

You administer a Network Load Balancing cluster that consists of three nodes. Each node runs Windows Server 2003 and contains a single network adapter. The Network Load Balancing cluster can run only in unicast mode. The Network Load Balancing cluster has converged successfully.

To increase the utilization of the cluster, you decide to move a particular application to each node of the cluster. For this application to run, you must add a Network Load Balancing port rule to the nodes of the cluster.


70 - 293


- 126 -

You start Network Load Balancing Manager on the second node of the cluster. However, Network Load Balancing Manager displays a message that it cannot communicate with the other two nodes of the cluster.

You want to add the port rule to the nodes of the cluster.

What should you do?

A. Use Network Load Balancing Manager on the Network Load Balancing default host to add the port rule. B. Change the host priority of the second node to be the highest in the cluster, and then use Network Load

Balancing Manager to add the port rule. C. Run the nlb.exe drain command on each node, and then use Network Load Balancing Manager to add

the port rule. D. Add the port rule through Network Connections Properties on each node.

Answer: D Network Load Balancing Manager is the preferred method, but since it cannot communicate with the other two nodes of the cluster you can also open the Network Load Balancing Properties dialog box through the Network Connections tool. If you use the Network Connections tool, you must make the same configuration changes on every cluster host. Using both Network Load Balancing Manager and the Network Connections tool together to change Network Load Balancing properties may create unpredictable results.

The parameters that are set in the Network Load Balancing Properties dialog box are recorded in the registry on each host. Changes to Network Load Balancing parameters are applied when you click OK in the Network Load Balancing Properties dialog box. Clicking OK stops Network Load Balancing (if it is running), reloads the parameters, and then restarts cluster operations.

Incorrect Answers: A, B, C: The question states that the Network Load Balancing Manager: �cannot communicate with the other

two nodes of the cluster�.

Reference:http://support.microsoft.com/default.aspx?scid=kb;en-us;323437&Product=winsvr2003

QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All computers on the network are members of the domain.

You administer a four-node Network Load Balancing cluster. All nodes run Windows Server 2003. The cluster has converged successfully. You use Network Load Balancing Manager on the default host to configure all nodes of the cluster.



70 - 293


- 127 -

The nodes have a single network adapter and are connected to the same switching hub device.

Administrators of non-cluster servers that are connected to the same switching hub device report that their servers receive traffic that is destined for the cluster nodes. Receiving this additional network traffic impairs the network performance of the non-cluster servers.

You need to ensure that traffic destined for only the cluster nodes is not sent to all ports of the switching hub device. You do not want to move the cluster to another switching hub device.

What should you do?

A. On the node, run the nlb.exe reload command. B. On each node, run the wlbs.exe drainstop command. C. Use Network Load Balancing Manager to enable Internet Group Management Protocol (IGMP) support

on the cluster. D. Use Network Load Balancing Manager to add a second cluster IP address.

Answer: C Explanation:If you enable IGMP Multicast, NLB attempts to prevent switch flooding by limiting multicast traffic to only those ports on a switch that have a NLB-bound network adapter connected to them. So, when you use IGMP Multicast, traffic is designed to flow only to those switch ports connected to NLB cluster hosts, thus preventing all other switch ports from being flooded by the multicast traffic.

Incorrect Answers: A: The nlb.exe reload command instructs NLB to reload the current parameter set from the Registry. If

required to complete the process, cluster operations are stopped and subsequently restarted. Any errors that exist within the parameters prevent the host from joining the cluster and also cause a warning dialog box to be displayed.

B: The nlb.exe command replaces the wlbs.exe command previously used in Windows NT 4.0 and Windows 2000 Server.

C: You use the Network Load Balancing Manager application in Windows Server 2003 to create, manage, and monitor NLB clusters.

Reference:Robert J. Shimonski, Windows Server 2003 Clustering & Load Balancing, Brandon A. Nordin, Chapter 3.

Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296.


70 - 293


- 128 -

QUESTION NO: 4 You are the network administrator for TestKing.com. All servers run Windows Server 2003. The network contains two Web servers named Testking1 and Testking2 and three application servers named Testking3, Testking4, and Testking5. All five servers have similar hardware. The servers are configured as Network Load Balancing clusters, as shown in the exhibit.

A Web services application hosted on Testking1 and Testking2 communicates to application components hosted on Testking3, Testking4 and Testking5 by using the IP address 10.1.20.11. The application is designed to be stateless. The Network Load Balancing settings for each server are listed in the following table.

Host Filtering mode Host priority Affinity Load Testking1 Multiple 1 Single EqualTestking2 Multiple 2 Single EqualTestking3 Multiple 1 Single EqualTestking4 Multiple 2 Single EqualTestking5 Multiple 3 Single Equal

Users report that response time to the Web services application is slow. You investigate the performance of each server and observe the information listed in the following table

Host Average % of CPU in use Average %of RAM in useTestking1 75 80 Testking2 65 75 Testking3 98 90


70 - 293


- 129 -

Testking4 2 20 Testking5 2 20

You need to improve the response time of the application.

What should you do?

A. Modify the Web services application to access the components on the application servers by using the IP address 10.1.10.11.

B. Modify the Network Load Balancing host priorities for Testking3 and Testking5 by 1.C. Modify the Network Load Balancing host priority for Testking2 to be 1.D. Modify the Network Load Balancing affinity setting for Testking3, Testking4, and Testking5 to be

None.E. Modify the Network Load Balancing affinity setting for Testking1 and Testking2 to be None.

Answer: D Explanation:In simple terms, affinity is the attraction one item feels for another item. Selecting None specifies that NLB doesn't need to direct multiple requests from the same client to the same NLB host, thereby splitting the load and improving response times and reliability.

Incorrect Answers: A: The communication link is not the problem, as Testking3, 4 and 5 are receiving communication. It is the

fact that Testking3 is over worked compared to Testking4 and 5. B, C: Each host within the NLB cluster must have a unique priority number configured. D: The load between Testking1 and 2 are balanced.

Reference:Robert J. Shimonski, Windows Server 2003 Clustering & Load Balancing, Brandon A. Nordin, Chapter 3.

Part 5: Plan a backup and recovery strategy.

A: Identify appropriate backup types. Methods include full, incremental, and differential. (1 question)

QUESTION NO: 1 You are a network administrator for TestKing. The design team provides you with the following list of requirements for server disaster recovery:


70 - 293


- 130 -

No more than two sets of tapes can be used to restore to the previous day. A full backup of each server must be stored off-site. A full backup of each server that is no more than one week old must be available on-site. Backups must never run during business hours. Tapes may be recalled from off-site storage only if the on-site tapes are corrupted or damaged.

A full backup of all servers requires approximately 24 hours. Backing up all files that change during one week requires approximately 4 hours. Business hours for TestKing are Monday through Friday from 6:00 A.M. to 10:00 P.M.

You need to provide a backup rotation plan that meets the design team�s requirements.

Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Perform a full normal backup for on-site storage on Friday night after business hours. Perform a full copy backup of off-site storage on Saturday night after the Friday backup is complete.

B. Perform a full normal backup for on-site storage on Friday night after business hours. Perform another full normal backup for off-site storage on Saturday night after the Friday backup is complete.

C. Perform a full copy backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.

D. Perform differential backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.

E. Perform incremental backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.

F. Perform incremental backups on Sunday, Tuesday, and Thursday nights after business hours. Perform differential backups on Monday and Wednesday nights after business hours.

Answer: A, D Explanation:If you begin with a full backup over the weekend, it might make sense to perform differential backups on Monday and Tuesday. By later in the week, the quantity of changes may be such that a differential backup cannot be performed overnight. An incremental backup on Wednesday will likely solve the problem, with differential backups continuing after that. Using this system, the restore times are still minimized, because the maximum restoration would involve tapes from the full, incremental, and one differential backup. If a failure occurred before Wednesday, it may take tapes from only the full and, possibly, a differential backup to restore the system.

Incorrect Answers: B: Full normal backup, backs up all files and sets the archive bit as marked for each file that is backed up.

Requires only one tape set for the restore process.


70 - 293


- 131 -

C: With a full backup, everything that is backed up has the file system archive bit reset (cleared).This allows the incremental and differential backup types to determine if the file needs to be backed up. If the bit is still clear, the other backup types know that the data has not changed. If the bit is set, the data has changed, and the file needs to be backed up.

E: Requires the last normal backup set and all of the incremental tapes that have been created since the last normal backup for the restore process.

F: Backs up only the files that have not been marked as archived and does not set the archive bit for each file that is backed up. Requires the last normal backup set and the last differential tape set for the restore process.


Lisa Donald, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide

B: Plan a backup strategy that uses volume shadow copy. (1 question)

QUESTION NO: 1 You are a network administrator for TestKing. The network contains a Windows Server 2003 computer named Testking1.

You install a custom mission-critical application on Testking1 for the shipping department. You install the application on drive D of Testking1. You configure the application database on drive D, and you configure the application database log files on drive E of Testking1.

After running successfully for six days, the custom application fails. You investigate and find out that drive E is almost completely filled with the application�s log files. The application�s backup program is not properly deleting log files.

Security requirements do not allow log files to be deleted unless the database on Testking1 has been backed up. You can keep the application running by manually backing up the application database and then deleting the log files.

You need an automated process to keep the application running until a long-term solution can be provided. Because of the size of the database, you need to minimize the number of backups performed.

What should you do?


70 - 293


- 132 -

A. Create a script that backs up the database and then deletes the log files. Configure an alert on Testking1 to run the script when there is less then 20 percent of free space on drive E.

B. Create a script that backs up the database and deletes the log files. Configure an event trigger on Testking1 to run the script when drive D has 20 percent free space.

C. Create a script that backs up the log files and then deletes the log files. Configure a scheduled task to run the script on Testking1 each night.

D. Create a script that backs up the database and then deletes the log files. Configure a scheduled task to run the script on Testking1 each night.

Answer: A Explanation:Set an alert on a counter with options to send an administrative message, an application is executed, or a log is started when the configured threshold on the counter is breached.

Incorrect Answers: B: The log files are located on drive E. C: Security requirements state that the database has to be backed up, not the log files. D: The question requires you to minimize the number of backups performed, and this option will not.

Reference:Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment.

C: Plan system recovery that uses Automated System Recovery (ASR). (3 questions)

QUESTION NO: 1 You are a network administrator for TestKing. You install Windows Server 2003, Enterprise Edition on two servers named Testking1 and Testking2. You configure Testking1 and Testking2 as a two-node server cluster. Testking1 and Testking2 are connected to a shared fiber-attached array. You configure the server cluster for file sharing. You configure Testking1 as the preferred owner of the file sharing resources.

You perform the following backups by using the Backup or Restore Wizard.

Tuesday Wednesday Testking1 Normal backup including

system state Incremental backup and Automated System Recovery (ASR) backup


70 - 293


- 133 -

Testking2 Normal backup including system state

Incremental backup and ASRbackup

On Thursday morning, Testking2 experiences a hard disk failure. The failed disk contains only the operating system for Testking2. You evict Testking2 from the server cluster.

You need to recover Testking2 and restore it to the cluster. You need to minimize data loss and recovery time.

What should you do?

A. Restore the quorum disk signature and data from the Tuesday backup of Testking1, and add Testking2 to the server cluster.

B. Restore Testking2 by using ASR, and add Testking2 to the server cluster. C. Restore the Tuesday backup of Testking2, and add Testking2 to the server cluster. D. Restore the Tuesday normal backup and the Wednesday incremental backup of Testking2, and add

Testking2 to the server cluster.

Answer: B Explanation:When an ASR restore is performed, the operating system is reinstalled using the original Windows Server 2003 media. However, instead of generating new disk signatures, security identifiers, and Registry content, these items are restored from the ASR set.

Incorrect Answers: A: Testking1 did not fail. C, D: These types of backup do not restore the operating system.


Lisa Donald, MCSA/MCSE: Windows Server 2003 Environment Management and Maintenance Study Guide

QUESTION NO: 2 You are the network administrator for TestKing. The network contains Window Server 2003 servers configured in a 4 node server cluster.


70 - 293


- 134 -

The cluster provides file services to 5,000 users and contains several terabytes of datafiles. Several thousand shared folders have been created on 16 virtual server groups by using dynamic File Share cluster resources. Many data files are updated, created, or deleted each day.

You need to create a backup strategy for both user data and the cluster configuration. You need to ensure that your strategy limits the potential loss of data and the cluster configuration to one week and provides the quickest means of recovery. What should you do?

A. Perform a weekly ASR of the cluster node that owns the quorum resource. Perform a weekly backup of all data files to tape.

B. Perform a weekly ASR of every node in the cluster. Perform a weekly backup of all data files to tape C. Perform a weekly ASR on each cluster node that currently owns cluster groups containing data files D. Configure daily shadow copies of all volumes on cluster nodes E. Configure weekly shadow copies of all volumes on all cluster nodes

Answer: A Explanation:The Backup program included in Windows Server 2003 contains a disaster recovery feature called ASR. When you run the Automated System Recovery Preparation Wizard, the software walks you through the process of creating a full backup of the server, and then prompts you to insert a floppy disk, which is used to create the boot device for the system. In the event of a disaster in which the entire contents of the system drive are lost, you simply insert the backup tape into the tape drive and boot from the floppy disk to completely restore the operating system.

A cluster�s quorum contains the cluster�s configuration data, which nodes use to update their registries during the failback process. The quorum is included as part of the System State object, as long as the Clustering service is running on the computer.

Incorrect Answers: B, C: You only need to backup the node containing the cluster�s quorum resource, because it contains the

configuration data. D, E: Shadow copies is designed to facilitate quick recovery from simple, day-to-day problems�not recovery

from significant data loss

Reference:http://support.microsoft.com/default.aspx?scid=kb;en-us;286422&Product=winsvr2003

Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

QUESTION NO: 3



70 - 293


- 135 -

You are a network administrator for TestKing. The network consists of a single Active Directory domain and contains Windows Server 2003 computers.

You install a new service on a server named TestKing3. The new service requires that you restart TestKing3. When you attempt to restart TestKing3, the logon screen does not appear. You turn off and then turn on the power for TestKing3. The logon screen does not appear. You attempt to recover the failed server by using the Last Known Good Configuration startup option. It is unsuccessful. You attempt to recover TestKing3 by using the Safe Mode Startup options. All Safe Mode options are unsuccessful.

You restore TestKing3. TestKing3 restarts successfully. You discover that TestKing3 failed because the new service is not compatible with a security path.

You want to configure all servers so that you can recover from this type of failure by using the minimum amount of time and by minimizing data loss. You need to ensure that in the future, other services that fail do not result in the same type of failure.

What should you do?

A. Use Add or Remove Programs. B. Install and use the Recovery Console. C. Use Automated System Recovery (ASR). D. Use Device Driver Roll Back.


We know that this service causes the failure.We want minimum of time and minimum of data loss.We want a solution for all servers.We want to make sure other services that fail do not result in the same type of failure.

NTFSAn advanced file system that provides performance, security, reliability, and advanced features that are not found in any version of file allocation table (FAT). For example, NTFS guarantees volume consistency by using standard transaction logging and recovery techniques. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. NTFS also provides advanced features, such as file and folder permissions, encryption, disk quotas, and compression.), and perform many other administrative tasks. The Recovery Console is particularly useful if you need to repair your system by copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service that is preventing your computer from starting properly.

From the Recovery Console, you can access the drives on your computer. You can then make any of the following changes so that you can start your computer:


70 - 293


- 136 -

Enable or disable device drivers or services.Copy files from the installation CD for the operating system, or copy files from other removable media. For example, you can copy an essential file that had been deleted.Create a new boot sector and new master boot record (MBR)

Master boot record (MBR) It is the first sector on a hard disk, which begins the process of starting the computer. The MBR contains the partition table for the disk and a small amount of executable code called the master boot code. You might need to do this if there are problems starting from the existing boot sector.

Incorrect Answers: A: This option is used to manage software, not uninstall it. C: Automated System Recovery returns a system to operation by reinstalling the operating system and

restoring System State from an ASR backup set, it does not affect services. D: This option deals with drivers and devices, not services.

Reference:Server HELP Recovery Console overview Repair overview


70 - 293


- 137 -

Topic 5: Planning and Maintaining Network Security (19 Questions)

Part 1: Configure network protocol security.

A: Configure protocol security in a heterogeneous client computer environment. (0 questions)

B: Configure protocol security by using IPSec policies. (0 questions)

Part 2: Configure security for data transmission. (0 questions)

Part 3: Plan for network protocol security.

A: Specify the required ports and protocols for specified services. (3 questions)

QUESTION NO: 1 You are the network administrator for TestKing. The network contains a Windows Server 2003 Web server that hosts the company intranet.

The human resources department uses the server to publish information relating to vacations and public holidays. This information does not need to be secure.

The finance department wants to publish payroll information on the server. The payroll information will be published in a virtual directory named Payroll, which was created under the default Web site on the server. The company�s written security policy states that all payroll-related information must be encrypted on the network.

You need to ensure that all payroll-related information is encrypted on the network. To preserve performance, you need to ensure that other information is not encrypted unnecessarily. You obtain and install a server certificate.


A. Select the Require secure channel (SSL) check box for the default Web site.


70 - 293


- 138 -

B. Assign the Secure Server (Require Security) IPSec policy option for the server. C. Select the Encrypt contents to secure data check box for the Payroll folder. D. Select the Require secure channel (SSL) check box for the Payroll virtual directory.

Answer: D Explanation:SSL is a protocol developed by Netscape for transmitting private documents via the Internet. It works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL and many Web sites use the protocol to obtain confidential user information such as credit card numbers. By convention, URLs that require an SSL connection start with https, instead of http.

Incorrect Answers: A: This will encrypt all data from the web server. We only need to encrypt the payroll data. B: This will encrypt all data from the web server. We only need to encrypt the payroll data. C: This will encrypt the data on the hard disk using EFS. It won�t encrypt the data as it is transferred over the

network.

Reference:Robert Williams, Mark Walla, The Ultimate Windows Server 2003 system administrator's guide.

QUESTION NO: 2 You are the security analyst for TestKing. TestKing�s network consists of a single Active Directory domain testking.com. TestKing�s network consists of an intranet and a perimeter network separated by a firewall. The perimeter network is connected to the Internet by a second firewall. The perimeter network contains three Windows Server 2003 computers.

The servers on the perimeter network host a custom application that provides product inventory information to customers. The application is managed by SNMP. Each server has the SNMP service installed. Two Windows XP Professional computers running SNMP management software are located on the TestKing intranet.

The internet firewall is configured to allow outbound SNMP traffic from the intranet to the perimeter network. The firewall does not allow inbound SNMP traffic to the intranet. The current read-only SNMP community name is Public. The current read-write SNMP community name is AppCommRW.

TestKing management wants to ensure that the SNMP traffic on the perimeter network cannot be intercepted by outside parties and used to compromise application integrity. You need to design a method to secure the SNMP traffic as it passed from the intranet to the perimeter network. Because of budget constraints, you cannot add any new hardware or software. You solution must not affect customer access to the application.


70 - 293


- 139 -

You need to ensure that all SNMP management traffic for the application is secure and cannot be used to compromise network security.

What should you do?

A. Change the read-only SNMP community name to AppCommRO. On each application server, configure the SNMP, service to send only application-specific SNMP information to the management client computers, to send authentication traps for both community names, and to accept only SNMP packets from the IP addresses of the management client computers.

B. Create an IPSec filter named SNMP Messages for the default SNMP ports in the local security policy on the management client computers and on the application server. Create and assign a new IPSec policy that requires security by using the SNMP Messages filter in the local security policy on the management client computers and on the application servers. Configure the internal firewall to allow outbound IPSec traffic from the intranet.

C. Change the community rights for the Public community to Notify.Change the community rights for the AppCommRW community to Read-Create.On each application server, configure the SNMP service to log on by using a domain user account instead of the local system account and to send authentication traps for the AppCommRW community name. Configure the internal firewall to allow inbound SNMP traffic from the perimeter network.

D. Create an organization unit (OU) named SNMP Computers. Add the management client computers and the application servers to the SNMP Computers OU. Assign the Secure Server (Require Security) IPSec policy to the SNMP Computers OU. Configure the internal firewall to allow outbound IPSec traffic from the intranet.

Answer: B http://support.microsoft.com/default.aspx?scid=kb;en-us;324261&Product=winsvr2003

QUESTION NO: 3 You are the security analyst for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The perimeter network contains an application server, which is accessible to external users.

You view the logs on your intrusion-detection system (IDS) on the router and discover that very large numbers of TCP SYN packets are being sent to the application server. The application server is responding with SYN-ACK packets to several different IP addresses, but it is not receiving ACK responses. You note that all incoming SYN packets appear to be originating from IP addresses located within the perimeter network�s subnet address range. No computers in your perimeter network are configured with these IP addresses. The router logs show that these packets are originating from locations on the Internet.



70 - 293


- 140 -

You need to prevent this type of attack from occurring until a patch is made available from the application vendor. Because of budget constraints, you cannot add any new hardware or software to the network. Your solution cannot adversely affect legitimate traffic to the application server.

What should you do?

A. Relocate the application server to the company intranet. Configure the firewall to allow inbound and outbound traffic on the ports and protocols used by the application.

B. Configure network ingress filters on the router to drop packets that have local addresses but that appear to originate from outside the company network.

C. Create access control lists (ACLs) and packet filters on the router to allow perimeter network access to only authorized users and to drop all other packets originating from the Internet.

D. Configure the IDS on the perimeter network with a response rule that sends a remote shutdown command to the application server in the event of a similar denial-of-service attack.

Answer: B Explanation:In an ideal world, each router would be configured with ingress filters that would drop packets arriving from "internal" networks whose source address was not a member of the set of network addresses that this router serves. The majority of routers could be so configured. Backbone routers and edge routers for complex topologies probably could not be configured with such filters. These ingress filters should be required as part of a "good neighbor policy." Ingress filters would not totally eliminate denial of service attacks but could greatly reduce such attacks. An attacker could still spoof an address within a local subnet, but that would permit backtracking the packets to the source subnet. Cisco's unicast reverse path forwarding also can be used to block spoofed packets at edge routers. Routers that implement ingress filtering will not forward the packets sent by a mobile host in a foreign network.

Incorrect Answers:A: There is no firewall mentioned in the question. C: This option could also work, but it involves extra administration. D: The question clearly states; �Your solution cannot adversely affect legitimate traffic to the application

server� and this option would.

Reference:http://securityresponse.symantec.com/avcenter/security/content/9011.html

B: Plan an IPSec policy for secure network communications. (2 questions)


http://securityresponse.symantec.com/avcenter/security/content/9011.html

70 - 293


- 141 -

QUESTION NO: 1 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The human resources department has servers that contain confidential information stored in files. The client computers in the human resources department access the confidential information over the LAN. The network design requires that any access to the human resources department servers must be encrypted to protect the confidentiality of the data transmissions.

You need to automatically enforce the network design requirement at regular intervals.

What should you do?

A. Assign the Secure Server (Require Security) IPSec policy to the human resources department servers by using Group Policy.

B. Assign the Secure Server (Require Security) IPSec policy to the human resources department servers by using local policy.

C. Apply the Hisecws.inf security template to the human resources department servers by using Group Policy.

D. Apply the Hisecws.inf security template to the human resources department servers by using the seceditcommand.

Answer: A Explanation:Secure Server (Require Security) configures the computer to require IPSec security for all communications. If the computer attempts to communicate with a computer that does not support IPSec, the initiating computer terminates the connection. The Secure Server (Require Security) policy is intended for computers working with sensitive data that must be secured at all times. Before implementing this policy, you must make sure all the computers that need to access the secured server support IPSec. When security settings are imported to a GPO in Active Directory, they affect the local security settings of any computer accounts to which that GPO is applied.

Incorrect Answers: B: Network design dictates that any access to the human resources department servers must be encrypted, but

using local policy only affects an individual computer. C, D: The question asks for encryption, not authentication.

Reference:Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 11.


70 - 293


- 142 -

QUESTION NO: 2 You are the senior systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers in the sales department run Windows NT Workstation 4.0 with the Active Directory Client Extension software installed. All other client computers run Windows XP Professional. All servers are located in an organizational unit (OU) named Servers. All client computers are located in an OU named Desktops.

Four servers contain confidential company information that is used by users in either the finance department or the research department. Users in the sales department also store files and applications in these servers. The company�s written security policy states that for auditing purposes, all network connections to these resources must require authentication at the protocol level. The written security policy also states that all network connections to these resources must be encrypted. The TestKing budget does not allow for the purchase of any new hardware or software. The applications and data located on these servers may not be moved to any other server in the network.

You define and assign the appropriate permissions to ensure that only authorized users can access the resources on the servers.

You now need to ensure that all connections made to these servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy. You also need to ensure that all users in the sales department can continue to access their resources.


A. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Secure Server (Require Security) IPSec policy in the GPO.

B. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Server (Request Security) IPSec policy in the GPO.

C. Create a new Group Policy object (GPO) and link it to the Desktops OU. Enable the Client (Respond only) IPSec policy in the GPO.

D. Create a new Group Policy object (GPO). Edit the GPO to enable the Registry Policy Processing option and the IP Security Policy Processingoption.Copy the GPO files to the Netlogon shared folder.

E. Use the System Policy Editor to open the System.adm file and enable the Registry Policy Processingoption and the IP Security Policy Processing option. Save the system policy as NTConfig.pol.

Answer: B, C Explanation:


70 - 293


- 143 -

We need to ensure that the connections made to the servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy. The computers in these departments use Windows XP Professional. We can therefore enable IPSec communication between the servers and the clients in the finance and research departments. However, the sales users use Windows NT, which cannot use IPSec. Therefore, to ensure that the NT clients can still communicate with the servers, we should enable the Server (Request Security) IPSec policy on the servers and the Client (Respond only) IPSec policy for the client computers.

Incorrect Answers: A: This policy is intended for computers working with sensitive data that must be secured at all times. D: Registry Policy Processing specifies how Registry policies are processed, such as whether Registry policies

can be applied during periodic background processing. IP Security Policy Processing specifies how IP security policies are updated. By copying the GPO files to the Netlogon shared folder enables all authenticated users to access it.

E: In Windows Server 2003 operating systems, the Group Policy Object Editor replaces the System Policy Editor.

Reference:Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 5 and 11.

Part 4: Plan secure network administration methods.

A: Create a plan to offer Remote Assistance to client computers. (1 question)

QUESTION NO: 1 You are the system engineer for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The servers on the network are all located in a central data center building, which is located on the company campus. All servers have the Recovery Console installed and support firmware-based console redirection by means of installed service processors.

All servers are located in a physically secured room. IT department personnel can access this room for the purpose of installing or maintaining hardware. All IT department personnel are members of the Domain Admins security group.

TestKing adopts a new remote administration policy, which includes the following requirements:


70 - 293


- 144 -

All in-bound management of servers on the network must be performed remotely. All remote administration connections made to any server must be authenticated by using the Kerberos version 5 protocol and must be logged in the Security event log. All remote administration connections must be encrypted. The new remote administration configuration must not adversely affect normal network connectivity for users or cause any disruption in network services.

The new remote administration policy applies to all servers, including domain controllers, file and print servers, and application servers.

You need to plan a remote administration strategy for all servers on the network that complies with the new policy.

What should you do?

A. On each server, enable Emergency Management Services. B. On each server, enable Remote Desktop connections. C. On each server, enable the Telnet service with the Automatic startup parameter.

Enable the Secure Server (Require Security) IPSec policy in the Default Domain Policy Group Policy object (GPO).

D. Install IIS on each server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service.On each server, configure IP packets filters to accept only SSL connections.

Answer: B Explanation:Remote Desktop Connection is the client-side software used to connect to a server in the context of either Remote Desktop or Terminal Server modes. The latest version of Remote Desktop Connection provides the most efficient, secure and stable environment possible, through improvements such as a revised user interface, 128-bit encryption and alternate port selection.

Incorrect Options A: Emergency Management Services (EMS) provides a means for managing a server even when network

connectivity has failed. C, D: Kerberos version 5 protocol must be used, not IPSec or SSL.

Reference:Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment.


70 - 293


- 145 -

Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System.

B: Plan for remote administration. (1 question)

QUESTION NO: 1 You are the systems engineer for Contoso, Ltd.. The network consists of a single Active Directory domain named Contoso.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The servers on the network are located in a physically secured room, which is located in a central data center building on the company campus. All servers have the Recovery Console installed and support firmware-based console redirection by means of their serial ports, which are connected to a terminal concentrator. The terminal concentrator is connected to the company network by means of a standard LAN connection.

It is required that all servers can be managed remotely. All IT staff in the company can establish connections to the servers by means of either a Remote Desktop connection or the Windows Server 2003 Administration Tools, which are installed locally on their client computers.

Company management now requires that several servers that have high-availability requirements must also be remotely managed in the event of system failures and when the Recovery Console is used.

Company management also requires that these servers can be remotely managed when the servers are slow or are not responding to normal network requests. You need to plan a remote management solution that complies with the new requirements.

What should you do?

A. On each highly available server, enable Emergency Management Services by adding the Redirect=COM1 and /redirect parameters to the Boot.ini file on each server and the EMSPort=COM1 and EMSBaudRate=9600 parameters to the Winnt.sif file on each server.

B. On each highly available server, configure the Telnet service with a startup parameter of Automatic. Set the number of maximum Telnet connections to match the number of administrators in the company. Add the administrator�s user accounts to the TelnetClients security group.

C. Install IIS on each highly available server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service. Add the administrator�s user accounts to the HelpServicesGroup security group.


70 - 293


- 146 -

D. Use the netsh command to create an offline configuration script that contains the network parameters for outof-band remote management. Copy this script to the C:\Cmdcons folder on each highly available server.

Answer: A Explanation:To enable Emergency Management Services after setting up a Windows Server 2003 operating system, you must edit the Boot.ini file to enable Windows loader console redirection and Special Administration Console (SAC). The Boot.ini file controls startup; it is located on the system partition root.

Part 5: Plan security for wireless networks. (3 questions)

QUESTION NO: 1 You are a network administrator for a consulting company. You need to create a wireless network that will be used by consultants from your company at a customer location.

The wireless network will consists of nine portable computers, three servers, and four wireless digital cameras. All computers and cameras can use either static or dynamic IP addressing. The cameras do not support data encryption. Both the portable computers and the servers must be able to initiate communication over the Internet to VPN servers in your company�s main data center. Only the wireless point is connected to the customer�s corporate network.

You need to plan the wireless IP network so that it minimizes the risk of unauthorized use of the wireless network and prevents unsolicited communication from the Internet to the hosts on the network.

What should you do?


70 - 293


- 147 -

Answer:


70 - 293


- 148 -

QUESTION NO: 2 You are the network administrator for Contoso, Ltd. All servers run Windows Server 2003. All client computers run Windows XP Pro. All computers are connected to the network by using wireless access points.

You configure a CA. You require certificate based IEEE 802.1X authentication on the wire access point.


70 - 293


- 149 -

You need to enable all computers to communicate on the wireless network.

What are two possible ways to complete this task?

A. Enter a 128 bit WEP key on the wireless access point and on the computers B. In the Wireless Network Connection properties on each computer, select the �The key is provided for

me automatically� check box C. Temporarily connect each computer to an available Ethernet port on the wireless access point and install

a computer certificate D. Install a computer certificate on each computer by using a floppy

Answers: C, D Explanation:802.1X authentication An Institute of Electrical and Electronics Engineers (IEEE) standard for port-based network access control that provides authenticated network access to Ethernet networks and wireless 802.11 local area networks (LANs). A PKI using computers running Windows Server 2003 can create certificates that support wireless network authentication. The increasing popularity of wireless local area networking (LAN) technologies, such as those based on the 802.11 standard, raises an important security issue. When you install a wireless LAN, you must make sure that only authorized users can connect to the network and that no one can eavesdrop on the wireless communications. You can use the Windows Server 2003 PKI to protect a wireless network by identifying and authenticating users before they are granted access to the network.

Incorrect Answers: A: WEP depends on encryption keys that are generated by a mechanism external to WEP itself, not certificates. B: This option depends on encryption keys as well.



QUESTION NO: 3 You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 50 Windows Server 2003 computers and 200 Windows XP Professional computers. TestKing does not use wireless networking. The network at TestKing is shown in the exhibit.


70 - 293


- 150 -

TestKing enters into a strategic partnership with Adventure Works. Under the strategic partnership, Adventure Works will regularly send employees to TestKing. Your design team interviews the Adventure Works administrator and discovers the following:

Adventure Works employees require access to the Internet to retrieve e-mail messages and to browse the Internet. Adventure Works employees do not need access to the internal network at TestKing. Adventure Works employees all have portable computers that run Windows XP Professional, and they use a wireless network in their home office. The wireless network client computers of Adventure Works employees must be protected from Internet-based attacks.

Adventure Works sends you a wireless access point that its employees will use to access the Internet through your network. You are not allowed to change the configuration of the wireless access point because any change will require changes to all of the wireless client computers.

You need to develop a plan that will meet the requirements of Adventure Works employees and the security requirements of TestKing. Your solution must be secure and must minimize administrative effort.

What should you do?

A. Install the wireless access point on a separate subnet inside the TestKing network. Configure a router to allow only HTTP, IMAP4, and SMTP traffic out of the wireless network.

B. Install the wireless access point on a separate subnet inside the TestKing network. Configure a VPN from the wireless network to the Adventure Works office network.

C. Install the wireless access point on the TestKing perimeter network. Configure Firewall1 to allow wireless network traffic to and from the Internet. Configure Firewall2 to not allow wireless traffic into the TestKing network.

D. Install the wireless access point outside Firewall1 at TestKing. Obtain IP addresses from your ISP to support all wireless users.


70 - 293


- 151 -

Answer: C Explanation:An infrastructure network consists of a standard cabled network with a wireless access point connected to it. Wireless-equipped computers can then interact with the cabled network by communicating with the access point. Firewall1 will now allow wireless network clients access to the Internet for browsing and E-mail retrieval, while Firewall2 will not allow wireless network clients access to TestKing�s internal network. Thus, Testking and Adventure Works are satisfied.

Incorrect Answers: A, B: This does not satisfy TestKing�s security requirements, as they do not use wireless networking. D: If you use this option, you will not be able to even access the perimeter network.


Part 6: Plan security for data transmission.

A: Secure data transmission between client computers to meet security requirements. (2 questions)

QUESTION NO: 1 You are the network administrator for TestKing. The network consists of an internal network and a perimeter network. The internal network is protected by a firewall. The perimeter network is exposed to the Internet.

You are deploying 10 Windows Server 2003 computers as Web servers. The servers will be located in the perimeter network. The servers will host only publicly available Web pages.

You want to reduce the possibility that users can gain unauthorized access to the servers. You are concerned that a user will probe the Web servers and find ports or services to attack.

What should you do?

A. Disable File and Printer Sharing on the servers. B. Disable the IIS Admin service on the servers. C. Enable Server Message Block (SMB) signing on the servers. D. Assign the Secure Server (Require Security) IPSec policy to the servers.


70 - 293


- 152 -

Answer: A Explanation:We can secure the web servers by disabling File and Printer sharing.

File and Printer Sharing for Microsoft Networks The File and Printer Sharing for Microsoft Networks component allows other computers on a network to access resources on your computer by using a Microsoft network. This component is installed and enabled by default for all VPN connections. However, it needs to be enabled for PPPoE and dial-up connections. It is enabled per connection and is necessary to share local folders. The File and Printer Sharing for Microsoft Networks component is the equivalent of the Server service in Windows NT 4.0. File and Printer sharing is not required on web servers because the web pages are accessed over web protocols such as http or https, and not over a Microsoft LAN.

Incorrect Answers: B: This is needed to administer the web servers. Whilst it could be disabled, disabling File and Printer sharing

will secure the servers more. C: SMB signing is used to verify, that the data has not been changed during the transit through the network. It

will not help in reducing the possibility that users can gain unauthorized access to the servers. D: This will prevent computers on the internet accessing the web pages.

Reference:James Chellis, Paul Robichaux, and Matthew Sheltz; MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide393 394

QUESTION NO: 2 You are the network administrator for TestKing. The network consists of a single active directory domain named TestKing.com. All servers run Windows Server 2003. A server named TestKing2 functions as the mail server for the company. All users use Microsoft Outlook Express as their email client.

An update to the company�s written security policy specifies that users must use encrypted authentication while they are retrieving email messages from TestKing2

You need to comply with the updated policy. What should you do? (Choose three)

A. Configure the POP3 service on TestKing2 to use Active Directory Integrated Authentication B. Configure the SMTP virtual server on TestKing2 to use Integrated Windows Authentication C. Configure Outlook Express to use the Secure Password Authentication (SPA) D. Configure the SMTP virtual server on TestKing2 to use Basic Authentication with Transport Layer

Security (TLS) encryption


70 - 293


- 153 -

E. Configure the POP3 service on TestKing2 to require secure password authentication (SPA for all connections

Answers: A, C, E Explanation:You can use Active Directory Authentication to incorporate the POP3 service into your existing Active Directory domain. Active Directory integrated authentication supports both plaintext and Secure Password Authentication (SPA) e-mail client authentication. Because plaintext transmits the user's credentials in an unsecured, unencrypted format, however, the use of plaintext authentication is not recommended. SPA does require e-mail clients to transmit both the user name and password using secure authentication; it is therefore recommended over plaintext authentication. We need to configure the POP3 service on TestKing2 to require secure password authentication, and we need to configure the email clients to use Secure Password Authentication (SPA).

Incorrect Answers: B: We need to configure the POP3 service, not the SMTP virtual server. D: We need to configure the POP3 service, not the SMTP virtual server.


Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan, and Lisa Justice; Mastering � Windows Server 2003.

B: Secure data transmission by using IPSec. (7 questions)

QUESTION NO: 1 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. TestKing has a main office and five branch offices. The branch offices are connected to the main office by a WAN connection. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The audit department has users in the main office and in all branch offices. The audit department users share files on an audit department secured server at the main office. The files must be kept confidential. The audit department is concerned that files will be captured while they are transmitted between the audit department server and the client computers. The audit department server is configured to protect the confidentiality of network transmissions.


70 - 293


- 154 -

You need to configure the audit department client computers to further ensure the confidentiality of network transmissions. You need to ensure that the configuration of the client computers is periodically enforced.

What should you do?

A. Use a Group Policy object (GPO) to assign the Client (Respond Only) IPSec policy to the client computers.

B. Run the secedit command with the Hisecws.inf predefined security template on the client computers. C. Use a Group Policy object (GPO) to configure Server Message Block (SMB) signing on the client

computers. D. Run the secedit command with the Rootsec.inf predefined security template on the client computers.

Answer: C Explanation:Server Message Block (SMB) is an application-layer protocol that allows a client to access files and printers on remote servers. Clients and servers that are configured to support SMB can communicate using SMB over transport- and network-layer protocols, including Transmission Control Protocol (TCP/IP).

By using a GPO, you are ensuring that the of the client computers is periodically enforced.

Incorrect Answers: A: This configures the computer to use IPSec only when another computer requests IPSec. The computer using

this policy never initiates an IPSec negotiation; it only responds to requests from other computers for secured communications.

B, D: This does not ensure that the configuration of the client computers is periodically enforced.

Reference:Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, Glossary.

QUESTION NO: 2 You are the network administer for TestKing. The network contains Windows 98, Windows NT Workstation 4.0, and Windows XP Professional client computers. All computers run the latest service pack.

The network contains a Windows Server 2003 file server named Testking1. TestKing�s written security policy requires that data communications must be encrypted by using IPSec whenever possible. Other than the default GPOs, there are no additional Group Policy objects (GPOs) within Active Directory or any local GPOs applied to the computers in the domain.


70 - 293


- 155 -

You need to configure Testking1 so that it meets the written security policy requirements without disabling access for any client computer. You also want to minimize session key negotiation times.

What should you do?

To answer, configure the appropriate option or options in the dialog box.

Answer: Select the �Allow unsecured communication with non-IPSec aware computers� checkbox. Explanation:The Allow Unsecured Communication With Non-IPSec-Aware Computers checkbox configures the action to allow any computer�IPSec capable or not�to communicate. Any machine that can�t handle IPSec will get a normal, insecure connection. By default, this box isn�t checked; if you check it, you must be certain that your IPSec policies are set up properly. If they�re not, some computers that you think are using IPSec may connect without security.

Reference:James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, SYBEX Inc., Chapter 4, pp. 195.


70 - 293


- 156 -

QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com.

The domain contains a Windows Server 2003 computer named Testking1 that is located in an organizational unit (OU) named Servers. Testking1 contains confidential data, and all network communications with Testking1 must be encrypted by using IPSec.

The default Client (Respond Only) IPSec policy is enabled in the Default Domain Policy Group Policy object (GPO). You create a new GPO and link it to the Servers OU. You configure the new GPO by creating and enabling a custom IPSec policy. You monitor and discover that network communications with Testking1 are not being encrypted.

You need to view all IPSec polices that are being applied to Testking1.

What should you do?

A. Use Local Security Policy to view the IP Security Policies on Local Computer for Testking1. B. Use Local Security Policy to view the Security Options for Testking1. C. Use Resultant Set of Policy (RSoP) to run an RsoP logging mode query to view the IP Security Policies

on Local Computer for Testking1. D. Use Resultant Set of Policy (RSoP) to run an RSoP planning mode query to view the Security Options

for Testking1. E. Use IP Security Monitor to view the Active Policy for Testking1. F. Use IP Security Monitor to view the IKE Policies for Testking1.

Answer: C Explanation:You can use RSoP to view all the effective group policy settings for a computer or user, including the IPSec policies. To use RSoP, you must first load the snap-in into an MMC console, and then perform a query on a specific computer (select Generate RSoP Data from the Action menu), specifying the information you want to gather. The result is a display of the group policy settings that the selected computer is using.

You can run an RSoP logging mode query to view all of the IPSec policies that are assigned to an IPSec client. The query results display the precedence of each IPSec policy assignment, so that you can quickly determine which IPSec policies are assigned but are not being applied and which IPSec policy is being applied. The RSoP console also displays detailed settings for the IPSec policy that is being applied, including the following:

Filter rulesFilter actionsAuthentication methodsTunnel endpoints


70 - 293


- 157 -

Connection typeWhen you run a logging mode query, RSoP retrieves policy information from the WMI repository on the target computer, and then displays this information in the RSoP console. In this way, RSoP provides a view of the policy settings that are being applied to a computer at a given time.

Incorrect Answers: A, B: Local Security Policy is used for configuring purposes. D: You can run an RSoP planning mode query only on a domain controller. E, F: You need to view all IPSec polices that are being applied to Testking1, not selected ones.

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 12

Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 768.

QUESTION NO: 4 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

The audit department has servers that contain highly confidential files. The files are accessed over the LAN by the audit department client computers. The audit department client computers have slow processors.

The network design requires that the network transmissions between the audit department servers and client computers be confidential and that any changes to the data in transit must be detectable.

You create a custom IPSec filter action.

You need to select the security method settings. You need to ensure that you minimize the performance impact on the audit department client computers.

What should you do?

A. Select MD5 as the integrity algorithm and DES as the encryption algorithm. B. Select SHA1 as the integrity algorithm and DES as the encryption algorithm. C. Select SHA1 as the integrity algorithm and 3DES as the encryption algorithm. D. Select MD5 as the integrity algorithm and 3DES as the encryption algorithm.


70 - 293


- 158 -

Answer: A Explanation:MD5 is an industry-standard one-way, 128-bit hashing scheme, developed by RSA Data Security, Inc., and used by various Point-to-Point Protocol (PPP) vendors for encrypted authentication. A hashing scheme is a method for transforming data (for example, a password) in such a way that the result is unique and cannot be changed back to its original form. The Challenge Handshake Authentication Protocol (CHAP) uses challenge response with one-way MD5 hashing on the response. In this way, you can prove to the server that you know your password without actually sending the password over the network.

DES (Data Encryption Standard) is an algorithm used for strong (56-bit) encryption of L2TP/IPSec connections.

Incorrect Answers: B, C, D: These options would require more processor time.

Reference:J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, 98052-6399, Glossary.

QUESTION NO: 5 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. All application servers run Windows Server 2003.

Client computers in the accounting department run Windows XP Professional. Client computers in the engineering department run Windows 2000 Professional. Client computers in the sales department run either Windows NT Workstation 4.0 or Windows 98. All client computers access data files on the application servers.

You need to plan the method of securing the data transmissions for the client computers. You want to ensure that the data is not modified while it is transmitted between the application servers and the client computers. You also want to protect the confidentiality of the data, if possible.

What should you do?

To answer, drag the appropriate method or methods to the correct department�s client computers.


70 - 293


- 159 -

Answer:

Explanation:We can use IPSEC on Windows 2000 and Windows XP but we cannot use IPSEC for Legacy clients except for VPNs.Sales contain Windows NT 4.0 and Windows 98; in this case we use SMB signing. With Windows 2000 and Windows XP both methods are supported in this case and for security reasons we will use IPSEC rules. SMB signed is supported by Windows 2000 an XP by local policies or domain policies to be enforced. To be supported in legacy clients you must modify the registry in Windows 98 and Windows NT


70 - 293


- 160 -

SMB on Windows 98 KB article 230545 Windows 98 includes an updated version of the SMB authentication protocol. However, using SMB signing slows down performance when it is enabled. This setting should be used only when network security is a concern. The performance decrease usually averages between 10-15 percent. SMB signing requires that every packet is signed for and every packet must be verified.

SMB on Windows NT KB article 161372 Windows NT 4.0 Service Pack 3 provides an updated version of the Server Message Block (SMB) authentication protocol, also known as the Common Internet File System (CIFS) file sharing protocol

IPSECThe Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets. IPsec was also designed as an administrative tool to enhance the security of communications in a way that is transparent to the programs. Because of this, it provides traffic filtering that is necessary to negotiate security for IPsec transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust was available from the Kerberos service or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used.IPSEC is not supported on legacy clients it is just supported for VPN.

Reference:http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

QUESTION NO: 6 You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers run Windows 2000 Professional, Windows XP Professional, or Windows NT Workstation 4.0.

TestKing wants to increase the security of the communication on the network by using IPSec as much as possible. The company does not want to upgrade the Windows NT Workstation 4.0 client computers to another operating system. The servers use a custom IPSec policy named Domain Servers. The rules of the Domain Servers IPSec policy are shown in the exhibit.


http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

70 - 293


- 161 -

You create a new Group Policy object (GPO) and link it to the domain. You configure the GPO to assign the predefined IPSec policy named Client (Respond Only). After these configuration changes, users of the Windows NT Workstation 4.0 computers report that they cannot connect to the servers in the domain.

You want to ensure that Windows NT Workstation 4.0 client computers can connect to servers in the domain.

What should you do?

A. Change the All IP Traffic rule in the Domain Servers IPSec policy to use a preshared key for authentication.

B. Change the All IP Traffic rule in the Domain Servers IPSec policy to use the Request Security (Optional) filter action.

C. Activate the default response rule for the Domain Servers IPSec policy. D. Install the Microsoft L2TP/IPSec VPN Client software on the Windows NT Workstation 4.0 computers. E. Install the Active Directory Client Extensions software on the Windows NT Workstation 4.0 computers.

Answer: B Explanation:The exhibit shows that the server has the �Require Security� IPSec policy. The Windows NT Workstation clients are unable to use IPSec, and so cannot communicate with the server. We can fix this by changing the


70 - 293


- 162 -

IPSec policy to Request Security (Optional). This will configure the server to use IPSec whenever possible, but to allow unsecured communications if required.

Incorrect Answers: A:


QUESTION NO: 7 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains four organizational units (OUs), as shown in the work area.

The HR_Servers OU contains 10 Windows Server 2003 computers that contain confidential human resources information. The Workstation OU contains all of the Windows XP Professional computers in the domain. All client computers need to communicate with the human resources servers.

The company�s written security policy requires that all network communications with the servers that contain human resources data must be encrypted by using IPSec. Client computers must also be able to communicate with other computers that do not support IPSec.

You create three Group Policy objects (GPOs), one for each of the three default IPSec polices.

You need to link the GPOs to the appropriate Active Directory container or containers to satisfy the security and access requirements. You want to minimize the number of GPOs that are processed by any computer.

What should you do?

To answer, drag the appropriate GPO or GPOs to the correct Active Directory container or containers in the work area.


70 - 293


- 163 -


70 - 293


- 164 -

Answer:

Explanation:The servers in the HR_Servers OU require secure communications, so we must enable the Secure Server (Require Security) IPSec policy. The clients should have the Client (Respond Only) IPSec policy assigned. This means that when the clients communicate with an HR server, the server will demand the use of IPSec, and the client will be able to use IPSec. The clients will still be able to communicate with other computers without using IPSec.

IPSec for High security Computers that contain highly sensitive data are at risk for data theft, accidental or malicious disruption of the system (especially in remote dial-up scenarios), or any public network communications.

Client (Respond Only). This default policy contains one rule, the default response rule. This rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.Secure Server (Require Security). This default policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.

Reference:


70 - 293


- 165 -

Server Help

Part 7: Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in. (0 questions)


70 - 293


- 166 -

Topic 6: Planning, Implementing, and Maintaining Security Infrastructure (26 Questions)

Part 1: Configure Active Directory directory service for certificate publication. (3 questions)

QUESTION NO: 1 You are the network administrator for TestKing. The network consists of a single Active Directory forest. The forest contains Windows Server 2003 servers and Windows XP Professional computers.

The forest consists of a forest root domain named testking.com and two child domains named asia.testking.com and europe.testking.com. The asia.testking.com domain contains a member server named TestKing2. You configure TestKing2 to be an enterprise certification authority (CA), and you configure a user certificate template. You enable the Publish certificate in Active Directory setting in the certificate template. You instruct users in both the asia.testking.com and the europe.testking.com domains to enroll for user certificates.

You discover that the certificates for user accounts in the asia.testking.com domain are being published to Active Directory, but the certificates for user accounts in the europe.testking.com domain are not.

You want certificates issued by TestKing2 to europe.testking.com domain user accounts to be published in Active Directory.

What should you do?

A. Configure user certificate autoenrollment for all domain user accounts in the testking.com domain. B. Configure user certificate autoenrollment for all domain user accounts in the europe.testking.com

domain. C. Add TestKing2 to the Cert Publishers group in the testking.com domain. D. Add TestKing2 to the Cert Publishers group in the europe.testking.com domain.

Answer: D Explanation:The problem here is that TestKingSrvC doesn�t have the necessary permission to publish certificates for users in child2.testking.com. We can solve this problem by adding TestKingSrvC to the Cert Publisher group in the child2.testking.com domain.

Incorrect Answers: A, B: The problem is not enrolment, it is that the certificates are not being published, which points to

permissions.


70 - 293


- 167 -

C: It is the europe.testking.com domain that has a problem, not the testking.com domain.


QUESTION NO: 2 You are a network administrator for TestKing. The network consists of a single Windows 2000 Active Directory forest that has four domains. All client computers run Windows XP Professional.

The company�s written security policy states that all e-mail messages must be electronically signed when sent to other employees. You decide to deploy Certificate Services and automatically enroll users for e-mail authentication certificates.

You install Windows Server 2003 on two member servers and install Certificate Services. You configure one Windows Server 2003 computer as a root certification authority (CA). You configure the other Windows Server 2003 server as an enterprise subordinate CA. You open Certificate Templates on the enterprise subordinate CA, but you are unable to configure certificates templates for autoenrollment. The Certificate Templates administration tool is shown in the exhibit.

You need to configure Active Directory to support autoenrollment of certificates.

What should you do?



70 - 293


- 168 -

A. Run the adprep /forestprep command on the schema operations master. B. Place the enterprise subordinate CA�s computer account in the Cert Publisher Domain Local group. C. Run the adprep /domainprep command on a Windows 2000 Server domain controller that is in the

same domain as the enterprise subordinate CA. D. Install Active Directory on the Windows Server 2003 member server that is functioning as the enterprise

subordinate CA. Configure this server as an additional domain controller in the Windows 2000 Active Directory domain.

Answer: A Explanation:The autoenrollment feature has several infrastructure requirements. These include: Windows Server 2003 schema and Group Policy updates Windows 2000 or Windows Server 2003 domain controllers Windows XP Client Windows Server 2003, Enterprise Edition running as an Enterprise certificate authority (CA) In this question, we have a Windows 2000 domain; therefore, we have Windows 2000 domain controllers. The Enterprise CA is running on a Windows Server 2003 member server which will work fine only if the forest schema is a Windows Server 2003 schema. We can update the forest schema with the adprep /forestprepcommand.

Incorrect Answers: B: This will happen in the domain in which the CAs are installed. C: The adprep /domainprep command prepares a Windows 2000 domain for an upgrade to a Windows Server

2003 domain. We are not upgrading the domain, so this isn�t necessary.D: The CA doesn�t have to be installed on a domain controller. You can�t install AD on a Windows 2003

server until you run the adprep commands.

Reference:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/certenrl.asp?frame=true

QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named TestKing5.

You are planning a public key infrastructure (PKI) for the company. You want to deploy a certification authority (CA) on TestKing5.


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/certenrl.as

70 - 293


- 169 -

You create a new global security group named Cert Administrators. You need to delegate the tasks to issue, approve, and revoke certificates to members of the Cert Administrators group.

What should you do?

A. Add the c group in the domain. B. Configure the Certificates Templates container in the Active Directory configuration naming context to

assign the Cert Administrators group the Allow � Write permission. C. Configure the CertSrv virtual directory on TestKing5 to assign the Cert Administrators group the Allow

� Modify permission. D. Assign the Certificate Managers role to the Cert Administrators group.

Answer: D Explanation:To be able to issue, approve and revoke certificates, the Cert Administrators group needs to be assigned the role of Certificate Manager. The Certificate Manager approves certificate enrollment and revocation requests. This is a CA role, and is sometimes referred to as CA Officer.

Incorrect Answers: A, B, C: Only the Certificate Manager can perform the required tasks.

Reference:Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, pp. 11-4 to 11-8.

Part 2: Plan a public key infrastructure (PKI) that uses Certificate Services.

A: Identify the appropriate type of certificate authority to support certificate issuance requirements. (3 questions)

QUESTION NO: 1 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains three Windows Server 2003 computers: Testking1, Testking2, and Testking3.

You intend to use the three servers as certification authorities (CAs) for the following roles:

Server name Role Testking1 root CA


70 - 293


- 170 -

Testking2 subordinate CA Testking3 subordinate CA

Testking2 will be used exclusively to issue enrolment agent certificates. Testking3 will be used to issue all other certificate types needed in the domain. You plan to take Testking1 offline after the CA hierarchy is established.

You want to minimize the possibility that unauthorized certificates might get issued. You also want to be able to revoke certificates that are issued by a subordinate CA if that server is compromised, without affecting the certificates that are issued by the other subordinate CA.

You need to design a CA hierarchy that meets the requirements.

What should you do?

To answer, drag the appropriate CAs to the correct locations in the work area.

Answer:


70 - 293


- 171 -

Explanation:If you shift the responsibility of issuing certificates to subordinate CAs, you can take the root CA offline � meaning that you detach it from the network entirely. This provides a very high level of security, because attackers have no way of getting to the machine. When a subordinate CA requires a certificate from the root, you can either, briefly connect the root CA to the network and then remove it again, or you can literally use a floppy disk.

References: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 881.

QUESTION NO: 2 You are a network administrator for TestKing. The network consists of two Active Directory forests. No trust relationships exist between the two forests. All computers in both forests are configured to use a common root certification authority (CA).

Each forest contains a single domain. The domain named hr.testking.com contains five Windows Server 2003 computers that are used exclusively to host confidential human resources applications and data. The domain named testking.com contains all other servers and client computers. A firewall separates the


70 - 293


- 172 -

human resources servers from the other computers on the network. Only VPN traffic from testking.com to a remote access server in hr.testking.com is allowed through the firewall.

Managers need to access data on the servers in hr.testking.com from their Windows XP Professional computers. The company�s written security policy requires that all communication containing human resources data must be secured by using the strongest IPSec encryption available.

You need to configure an IPSec policy for the servers that host the human resources data that complies with the written security policy and gives the managers in testking.com access to the data they need.

What should you do?

To answer, drag the appropriate configuration settings to the IPSec Policy Configuration.

Answer:


70 - 293


- 173 -

Explanation:We cannot use Kerberos because there is no trust between the forests; we must use certificates, we must affect all traffic, and the server must require security.

The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.

ReferenceServer Help

QUESTION NO: 3


70 - 293


- 174 -

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The network contains 100 Windows XP Professional computers.

You configure a wireless network that requires IEEE 802.1x certificate-based authentication. Only 10 of the client computers are approved for wireless network access.

You need to enable the approved computers to access the wireless network while restricting access for all other computers.

What should you do?

A. Establish an enterprise certification authority (CA) for the domain. Create a global group that contains the user accounts for the employees who will use the approved computers. Create a certificate template for IEEE 802.1x authentication. For the global group, configure autoenrollment for certificates based on the certificate template.

B. Establish an enterprise certification authority (CA) for the domain. Create a global group that contains the approved computer accounts. Create a certificate template for IEEE 802.1x authentication. For the global group, configure the autoenrollment for certificates based on the certificate template.

C. Create a global group that contains the user accounts for the employees who will use the approved computers. Configure the security permissions for the Default Domain Policy Group Policy object (GPO) so that only the new global group can apply to the GPO settings. Establish an enterprise certification authority (CA) for the domain.

D. Create a global group that contains the approved computer accounts. Configure the security permissions for the Default Domain Controllers Policy Group Policy object (GPO) so that only the new global group can apply the GPO settings. Establish an enterprise certification authority (CA) for the domain.

Answer: B Explanation:The question states that only 10 of the client computers are approved for wireless network access. Therefore we need to authenticate the computers to allow wireless access.

To plan for the configuration of Active Directory for your wireless clients, identify the user and computer accounts for wireless users, and add them to a group that will be used in conjunction with a remote access policy to manage wireless access. You must also determine how to set the remote access permission on the user and computer accounts. Provides options that allow you to specify how computer authentication works with user authentication. If you select Computer only, authentication is always performed using the computer credentials. User authentication is never performed.


70 - 293


- 175 -

If you select With user re-authentication (recommended), when users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. If you select With user authentication, when users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained using the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.

References: MS Windows Server 2003 Deployment

B: Plan the enrollment and distribution of certificates. (8 questions)

QUESTION NO: 1 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a Windows Server 2003 computer named Testking1 that is not a member of the domain and a Windows Server 2003 member server named Testking2.

You need to implement a public key infrastructure (PKI) for the network. You configure Testking1 as a root certification authority (CA). You intend to disconnect Testking1 from the network. You configure Testking2 as a subordinate CA, and you leave Testking2 connected to the network.

You need to configure Testking1 to support updates to the certificate revocation list (CRL) and to support certificate chain verification on the network while it is offline.


A. On Testking1, use the Certification Authority snap-in to configure the CRL Distribution Point (CDP)setting to point to a shared folder. Regularly copy the CRL from Testking1 to the shared folder.

B. On Testking1, use the Certification Authority snap-in to configure the CRL Distribution Point (CDP)setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.

C. On Testking1, use the Certification Authority snap-in to configure the Authority Information Access (AIA) setting to point to a shared folder. Regularly copy the AIA from Testking1 to the shared folder.

D. On Testking1, use the Certification Authority snap-in to configure the Authority Information Access (AIA) setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.


70 - 293


- 176 -

E. Configure the Default Domain Policy Group Policy object (GPO) to enable the Enroll certificates automatically setting and then select the Remove expired certificates, update pending certificates and remove revoked certificates option.

F. Configure all certificate templates on Testking2 to be published in Active Directory.

Answer: B, D

QUESTION NO: 2 You are a network administrator for TestKing.com. The network consists of two Active Directory domains. You are responsible for administering one domain, which contains users who work in the sales department. User objects for the users in the sales department are stored in an organizational unit (OU) named Sales in your domain.

Users in the sales department use a Public Key Infrastructure (PKI) enabled application that requires users to present client authentication certificates before they are granted access. You install Certificate Services on two member servers running Windows Server 2003. You configure one server as an enterprise subordinate certification authority (CA) and the other server as a stand-alone root CA.

You need to issue certificates that support client authentication to sales users only. You need to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll users for certificates.

B. Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll computers for certificates.

C. Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to autoenroll sales users for certificates.

D. Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy (GPO) and link it to the Sales OU. Configure the GPO to autoenroll sales client computers for certificates.

Answer: C


70 - 293


- 177 -

Explanation:The first step in the creation process is to duplicate an existing template. For a user to request a certificate, the user must have the Enroll permission assigned to him or her for manual requests and the Autoenroll permission for automatic requests. Autoenrollment enables the request and issuance of certificates to proceed without user intervention. Creating a new GPO will minimize the amount of administrative effort, while linking it to the Sales OU will ensure that certificates will be issued to the sales users only.

Incorrect Answers: A, B: This GPO is linked to the Domain Controllers OU, and it generally affects only domain controllers,

because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU. D: Certificates need to be issued to sales users, not sales computers.

Reference:Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Chapter 12

QUESTION NO: 3 You are the network administrator for TestKing. There is a single active directory domain named TestKing.com. All computers on the network are members of the domain. All domain controllers run Windows Server 2003.

You are planning a Public Key Infrastructure (PKI). The PKI design documents for TestKing specify that certificates that users request to encrypt files must have a validity period of two years.

The validity period of the Basic EFS certificate is one year. In the certificates Templates console, you attempt to change the validity period for the Basic EFS certificate template. However, the console does not allow you to change the value.

You need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files. What should you do?

A. Install an enterprise CA in each domain. B. Assign the Domain Admins group the Allow Full control permission for the Basic EFS certificate

Template C. Create a duplicate of the basic EFS certificate template. Enable the new template for issuing certificate

authorities D. Instruct users to connect to the CA Web Enrolment pages to request a Basic EFS certificate.



70 - 293


- 178 -

The question states that the validity period of the Basic EFS certificate is one year. This suggests that we are using a standalone CA (the default validity period for an enterprise CA is two years). We cannot change the validity period of the Basic EFS template, but we can however, make a copy of the Basic EFS template. This would enable us to make changes to the copy of the template.

Incorrect Answers: A: The default validity period for an enterprise CA is two years. This would satisfy the requirement that the

certificates have a validity period of two years. However, it does not satisfy the requirement that �you need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files�. Therefore, answer C is a better solution.

B: This is not a permissions issue. We cannot change the values in the template because they are hardcoded into the templates.

D: We need to edit the template before the users receive the certificates.

Reference:http://support.microsoft.com/?id=254632

QUESTION NO: 4 You are a network administrator for TestKing.com. TestKing participates in a joint venture with Alpine Ski House. Each company�s network consists of a single Active Directory forest. The functional level of each forest is Windows 2003. A two-way forest trust relationship exists between both companies. Each company maintains its own certification authority (CA).

Users are required to encrypt and digitally sign all e-mail messages relating to the joint venture that are sent between the companies. Users in the testking.com domain report that when they open e-mail messages sent by users in the alpineskihouse.com domain, they receive a security warning. The warning indicates an error in the certificate used to sign the e-mail message. You examine several e-mails messages and discover the error shown in the exhibit.


http://support.microsoft.com/?id=254632

70 - 293


- 179 -

You need to ensure that users in the testking.com domain receive e-mail messages without receiving any error messages. You need to accomplish this task by using the minimum amount of administrative effort.

What should you do?

A. Add the computer account for the enterprise root CA in the alpineskihouse.com domain to the Cert Publisher domain local group in the testking.com domain.

B. In the alpineskihouse.com domain, delegate the Allow � Read userCertificate permission for contact objects to the Domain Users global group in the testking.com domain.

C. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the testking.com domain, import the enterprise root certificate from the alpineskihouse.com domain.

D. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the testking.com domain, run the certutil command to publish the root certificate to Active Directory.

Answer: C Explanation:Importing Certificates


70 - 293


- 180 -

Users can import certificates into any one of the certificate categories found in the certificate store. In the Certificates snap-in, right-click the certificate category to which you want to import the certificate, point to All Tasks, and choose Import. Type the certificate filename, which should have a standard certificate format extension (.PFX, .P12, .CER, .CRT, .P7B, .STL, .SPC, .CRL, or .SST). For PKCS #12 files, which contain private keys as well as certificates, type the password used to protect the file.

Caution:Root certificates are the basis of trust for certificate verification. Be extremely careful when importing a root certificate. Ensure that the certificate was received from a trusted source and that the certificate thumbprint matches a trusted publication.

Exporting Certificates and Private Keys The Export command in the Certificates snap-in provides two distinct functions. First, it allows a certificate or certificate chain to be exported for the purpose of sharing it with users or computers that are not privy to a certificate directory. Second, it allows the export of a certificate or certificate chain along with the associated private key for cryptographic use on another machine. You can export any type of certificate, including those in root CAs. Naturally, only certificates with available private keys (that is, personal certificates) that are marked as exported can be exported together.

Reference:Charlie Russel, Sharon Crawford, and Jason Gerend, Microsoft Windows Server 2003 Administrator's Companion, Microsoft Press, Redmond, Chapter 21.

QUESTION NO: 5 You are the network admin for TestKing. The network contains Windows Server 2003 and Windows XP professional clients. All computers are members of the same active directory forest.

The company uses a Public Key Infrastructure (PKI) enabled application to manage marketing data. Certificates used with this application are managed by the application administrators. You install certificate services to create an offline stand alone root CA on one Windows Server 2003 server. You configure a 2nd Windows Server 2003 server as a stand alone sub CA.

You instruct users in the marketing department to enroll for certificates by using the web enrollment tool on the stand alone Sub CA. Some users report that when they attempt to complete the enrollment process, they receive an error message on their certificate stating:


70 - 293


- 181 -

You need to ensure that users in the marketing department do not continue to receive this error. You also need to ensure that users in the marketing department trust certificates issued by this CA. You create a new OU name Marketing. What else should you do?

A. Place all marketing department computer objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. Publish the root CA�s root certificate in the Trusted Root Certification Authorities Section of the GPO

B. Place all marketing department user objects in the Marketing OU. Create a new GPO and link it to the marketing OU. In the user configuration section of the GPO, configure a certificate trust list (CTL) that contains the sub�s CA certificate

C. Place all marketing department computer objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. In the computer configuration section of the GPO, configure a certificate trust list (CTL) that contains the sub�s CA certificate

D. Place all marketing department user objects in the Marketing OU. Create a new GPO and link it to the marketing OU. In the user configuration section of the GPO, configure a certificate trust list (CTL) that contains the root�s CA certificate

Answer: D


70 - 293


- 182 -

Explanation:We need to configure the Marketing department users to trust the root CA. We can do this using a group policy object (GPO). We should place the marketing department user objects in the Marketing OU and apply the GPO to the OU. A certificate trust list (CTL) is a signed list of root certification authority certificates that an administrator considers reputable for designated purposes. For the client to trust the certificate, it needs to install a copy of the certificate as a trusted root certificate in its own certificate store. It is for this reason that B and C are incorrect.

Incorrect Answers: A: This setting is available for the Computer Configuration node only. B:C:

Reference:Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, pp. G-10.

QUESTION NO: 6 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The network contains a Windows Server 2003 computer named TestKingCA.

The company uses an enterprise certification authority (CA) on TestKingCA to issue certificates. A certificate to encrypt files is autoenrolled to all users. The certificate is based on a custom Encryption File System (EFS) certificate template. The validity period if the certificate is set to two years.

Currently, the network is configured to use data recovery agents. You are planning to implement key archival for the keys that users use to decrypt files.

You configure the CA and the custom EFS certificate template to enable key archival of the encryption private keys.

You need to ensure that the private EFS key of each user who logs on to the domain is archived.

What should you do?

A. Configure a new issuance policy for the custom EFS certificate template. B. Configure the custom EFS certificate template to reenroll all certificate holders. C. Select the Automatically Enroll Certificates command in the Certificates console. D. Configure a logon script that runs the gpupdate.exe /force command for the users.


70 - 293


- 183 -

Answer: B Explanation:The question states: �A certificate to encrypt files is autoenrolled to all users.� We have now modified the custom EFS certificate template to enable key archival of the encryption private keys. Therefore, we now need to reenroll all certificate holders so that they get new certificates based on the new template, and their keys are archived. EFS always attempts to enroll for the Basic EFS template. The EFS driver generates an autoenrollment request that Autoenrollment tries to fulfill. For customers that want to ensure that a specific template is used for EFS (such as to include key archival), the new template should supercede the Basic EFS template. This will ensure that Autoenrollment will not attempt enrollment for Basic EFS any more.

Key Archival The private key database is the same as the database used to store the certificate requests. The Windows Server 2003 Certification Authority database has been extended to support storing the encrypted private key along with the associated encrypted symmetric key and issued certificate. The recovery blob will be stored in the same row as the signed certificate request and any other information the CA persists in its database for each request transaction. The actual encrypted blob is stored as an encrypted PKCS #7 blob. The Microsoft Certification Authority uses the JET database engine upon which various JET utilities may be used for maintenance purposes.

Incorrect Answers: A: This would use up too much time. C: The question states: �A certificate to encrypt files is autoenrolled to all users.� D: This option reapplies all settings without optimization.

Reference:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/kyacws03.asp

Key Archival and Management in Windows Server 2003

QUESTION NO: 7 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain.

You are planning a public key infrastructure (PKI) for the company. You want to ensure that users who log on to the domain receive a certificate that can be used to authenticate to Web sites.

You create a new certificate template named User Authentication. You configure a Group Policy object (GPO) that applies to all users. The GPO specifies that user certificates must be enrolled when the policy


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/

70 - 293


- 184 -

is applied. You install an enterprise certification authority (CA) on a computer that runs Windows Server 2003.

Users report that when they log on, they do not have certificates to authenticate to Web sites that require certificate authentication.

You want to ensure that users receive certificates that can be used to authenticate to Web sites.


A. On the User Authenticate certificate template, select the Reenroll All Certificate Holders command. B. Assign the Domain Users group the Allow � Autoenroll permission for the User Authentication

certificate template. C. Configure the CA to enable the User Authentication certificate template. D. Assign the Domain Users group the Allow � Issue and Manage Certificates permission for the CA.

Answer: B, C Explanation:For users to request certificates from an enterprise CA, they must have permission to use the templates corresponding to the certificates they need.

Incorrect Answers: A: Only used when critical changes have been made to a certificate template, and you want it to apply to all

users immediately. D: This would be a security risk, since users shouldn�t be allowed management permissions.

Reference:Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, pp. 25-14.

QUESTION NO: 8 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named TestKingA.

You are planning a public key infrastructure (PKI) for the company. You want to deploy an enterprise certification authority (CA) on TestKingA.

You create a new global security group named Cert Approvers. You install an enterprise CA and configure the CA to issue Key Recovery Agent certificates.


70 - 293


- 185 -

The company�s written security policy states that issuance of a Key Recovery Agent certificate requires approval from a member of the Cert Approvers group. All other certificates must be issued automatically.

You need to ensure that members of the Cert Approvers group can approve pending enrolment requests for a Key Recovery Agent certificate.

What should you?

A. Assign the Cert Approvers group the Allow � Enroll permissions for the Key Recovery Agent. B. Assign the Cert Approvers group the Allow � Issue and Manage Certificates permission for the CA. C. For all certificate managers, add the Cert Approvers group to the list of managed subjects. D. Add the Cert Approvers group to the existing Cert Publisher group in the domain. E. Assign the Cert Approvers group the Allow � Full Control permission for the Certificate Templates

container in the Active Directory configuration naming context.

Answer: B Explanation:In order to approve certificates you need certificate manager rights. In order to get those rights you need Issue and Manage Certificates rights. The option to enable auto enroll or wait for approval is made at the certificate template (in this case, the key recovery template).

Incorrect Answers: A: Will allow enroll only. C: Will allow all certificate managers. D: Cert publisher group is meant to include the CA servers only. E: No need to give them full control on the certificate template when we have role separation in windows 2003

pki.

Reference:Windows 2003 help.

C: Plan for the use of smart cards for authentication. (6 questions)



70 - 293


- 186 -

You configure a certification authority (CA) to issue smart card authentication certificates. Users who have administrative responsibilities are required to have two accounts. One account is for general computer use. The other account is an administrative account that has administrative privileges and is used only when performing administrative tasks.

You decide to deploy smart cards to all users in your company. You issue one smart card to each user for general computer use. You enroll each user for a smart card authentication certificate.

You need to plan smart card access for users who have administrative responsibilities.

What should you do?

A. Issue an additional smart card to users who have administrative responsibilities. Enroll each user�s administrative account for a smart card authentication certificate. Instruct users to use this card when logging on to perform administrative tasks.

B. Enroll each user�s administrative account for a smart card authentication certificate. When prompted, store the certificate on the existing smart card. Instruct users to use this card when logging on to perform all tasks.

C. Configure Group Policy to autoenroll administrative users for certificates. Instruct these users to log on by using their nonadministrative accounts.

D. Issue a master card to users who have administrative responsibilities. Instruct users to use this card when logging on to perform administrative tasks.

Answer: B Explanation:Smart card enrollment is the process by which a CA grants a certificate to the card. After enrollment, the user can insert the card at any workstation on the network, including terminal services clients and remote access clients, as long as a smart card reader is present. Smart card logon A smart card is a credit card-size device that contains memory and possibly an integrated circuit. Windows Server 2003 can use a smart card as an authentication device that verifies the identity of a user during logon. The smart card contains the user�s certificate and private key, enabling the user to log on to any workstation in the enterprise with full security.

Incorrect Answers: A: It does not state that users with administrative responsibilities should have two smart cards. C: the question states that:� You need to plan smart card access for users who have administrative

responsibilities�.D: This is an invalid option.

Reference:


70 - 293


- 187 -

Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370 Chapter 12, pp. 898.

Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington 98052-6399, Chapter 11.

QUESTION NO: 2 You are the network admin for TestKing. The network consists of a single active directory domain named TestKing.com. All computers on the network are members of the domain.

You are planning a Public Key Infrastructure (PKI) for the company. You want to deploy smart cards for all users in the domain. You want the members of a new group named Smartcard Agents to be able to issue smart cards for all users.

You create a new global group named Smartcard Agents. You install an Enterprise Certificate Authority (CA) on a Windows Server 2003 computer named Server1.

You create a duplicate of the enrollment agent certificate template and change the validity period of the new certificate template to three years.

The name of the new certificate template is SmartCard Enrollment. The configuration of the permissions for the certificate template is shown in the exhibit.


70 - 293


- 188 -

You want to ensure that members of the Smartcard Agents group can request smartcard enrollment certificates. What should you do?

A. Assign the Smartcard Agents group the Allow Autoenroll permission for the Smartcard Enrollment certificate template.

B. Add the enrollment agent certificate template to the list of superseded templates on the smartcard enrollment certificate template.

C. Configure the enterprise CA to enable the Smartcard Enrollment certificate template. D. Configure the enterprise CA to assign the Certificate Managers to the Smartcard Agents Group. E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web enrollment

pages to request certificates.

Answer: B Explanation:The Superseded Templates tab is used to define which certificates the current template supersedes. In this case, the enrollment agent certificate template is placed on the superseded templates list.

Incorrect Answers: A: This will clash with the enrollment agent certificate template, that is why the latter has to be superceded.


70 - 293


- 189 -

C: Certificate templates enable you to easily configure a CA to issue specific types of certificates. D: This option will allow the Smartcard Agents Group to issue, approve and revoke certificates, not request

them. E: There is no mention of web enrollment in the question.


Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Chapter 12

QUESTION NO: 3 You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each client computer runs either Windows XP Professional or Windows 2000 Professional.

The company requires that all users log on by using smart cards. You deploy Certificate Services and smart card readers. You configure auto-enrollment to issue certificates to users. Users report that they cannot log on by using a smart card.

You need to ensure that all users can log on by using a smart card.

What should you do?

A. In Active Directory Users and Computers, configure all user accounts to require a smart card for interactive logon.

B. Configure the domain security policy to require smart cards for interactive logon. C. Use the Certificate Services Web site to enroll each user for a smart card certificate. D. Add a copy of the enterprise root certificate to the trusted root certification authorities store on each

client computer.

Answer: C Explanation:Although the question says �you configure auto-enrollment to issue certificates to users�, it doesn�t say what types of certificates were auto-enrolled. You can use the Certificate Services Web site to enroll each user for a smart card certificate. The recommended method for enrolling users for smart card-based certificates and keys is through the Smart Card Enrollment station that is integrated with Certificate Services in Windows 2000 Server and Windows 2000 Advanced Server.

Incorrect answers:



70 - 293


- 190 -

A: This is not necessary. With this setting disabled, the users can log on using any method. B: This is not necessary. With this setting disabled, the users can log on using any method. D: In a single domain, the Certificate Authority would be trusted by the client computers in the domain.

Therefore, it is not necessary to add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer.

Reference:Server help Certificate Services

QUESTION NO: 4 You are the network admin for TestKing. The network consists of a single active directory domain named TestKing.com. All servers run windows server 2003 and clients run XP Pro.

You need to implement the capabilities and requirements in the following table for the users and computers:

Type of user or computer Capability or requirement Domain users Smart card logon required for all users Security global group Ability to issue smart cards to all domain

usersHuman recourses servers Certificate based IPSec encryption required

for all data transmissions VPN Server L2TP Required

All client computers are portable computers and need to connect to the VPN servers and to the HR resource servers

You configure a PKI to support the domain users and computers. You need to specify which type of certificate, if any, each type of user or computer requires.

What should you do?


70 - 293


- 191 -

Answer:

Explanation:IPSec should be enabled on the HR servers, VPN servers and the client computers. The Smart Card certificates are issued to the users, not the computers. The Security group need Enrollment Agents certificates.

Smart Card LogonSmart card logon is integrated with the Kerberos version 5 authentication protocol implemented in Windows Server 2003. When smart card logon is enabled, the system recognizes a smart-card insertion event as an alternative to the standard Ctrl + Alt + Del secure attention sequence to initiate a logon. The user is then prompted for the smart card PIN code, which controls access to operations performed by using the private key stored on the smart card. In this system, the smart card also contains a copy of the certificate of the user (issued by an enterprise CA). This allows the user to roam within the domain.


70 - 293


- 192 -

Smart cards enhance the security of your organization by allowing you to store extremely strong credentials in an easy-to-use form. Requiring a physical smart card for authentication virtually eliminates the potential for spoofing the identities of your users across a network. In addition, you can also use smart card applications in conjunction with virtual private networks and certificate mapping, and in e-commerce. For many organizations, the potential to use smart cards for logon is one of the most compelling reasons for implementing a public key infrastructure.

Enroll clients.To participate in a PKI, users, services, and computers must request and receive certificates from an issuing CA. Typically, enrollment is initiated when a requester provides unique identifying information and a newly generated public key. The CA administrator or enrollment agent uses this unique identifying information to authenticate the identity of the requester before issuing a certificate.

Secure VPN The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.

Understanding Default IPSec Policies Windows Server 2003 includes three default IPSec policies that are provided as examples only. Do not use any part of the examples as templates to edit or change when creating your own IPSec policies. Instead, design new custom IPSec policies for operational use. The example policies will be overwritten during operating system upgrades and when IPSec policies are imported (when the import files contain other definitions of the same example policies).

Reference:Robert Williams, Mark Walla, The Ultimate Windows Server 2003 system administrator's guide.

QUESTION NO: 5 You are a network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.

The company has users who work in the main office and users who work remotely by connecting to a server running Routing and Remote Access. The company�s written security policy requires that administrators in the main office log on by using smart cards. The written security policy also requires that remote users use smart cards to access network resources. No other users are required to use smart cards.


70 - 293


- 193 -

You issue portable computers that contain smart card readers to administrators and remote users. You issue smart cards to administrators and remote users. Administrators and remote users report that they can log on without using a smart card.

You need to ensure that only administrators are required to use smart cards when working in the main office. You must also ensure that remote users are required to use smart cards when accessing network resources.


A. In the computer configuration settings of the Default Domain Policy Group Policy object (GPO), enable the Interactive logon: Require smart card setting.

B. On the server running Routing and Remote Access, select the Extensible authentication protocol (EAP) check box and require smart card authentication.

C. In the properties of each administrator account, select the Smart Card Required for Interactive Logoncheck box.

D. In the computer configuration settings of the Default Domain Controllers Policy Group Policy object (GPO), enable the Interactive logon: Requires smart card setting.

E. In the properties of each user account that requires remote access, select the Smart Card Required for Interactive Logon check box.

Answer: B, C Explanation:We can require remote users to log on using smart cards only by configuring the RRAS server that the remote users connect to require smart card authentication. We can configure the administrators� user accounts to require smart cards for interactive logons. This setting is defined in the user properties in Active Directory Users and Computers.

Incorrect Answers: A: This would require that all users log on using a smart card. D: This would require that users use a smart card to log on to only the domain controllers. The administrators

must use smart cards to log on to any machine in the domain. E: This would require that the remote users log on using a smart card to any machine. They don�t need a smart

card logon if they are using a machine in the office.

Reference:MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 7-9 to 7-10.

Sybex, Mastering Windows Server 2003, 2003, p. 655.


70 - 293


- 194 -

QUESTION NO: 6 You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Most of the client computers are located in the offices of individual users. Some client computers are located in publicly accessible locations.

The company�s written security policy includes the following requirements.

All users must use smart cards to log on to a client computer. Users using the publicly accessible client computers must be logged off if the smart card is removed from the smart card reader.

You configure all user accounts to require smart cards for interactive logon. You create an organizational unit (OU) named Public.

You need to ensure that the appropriate result occurs on each client computer when a smart card is removed.You must achieve this goal without affecting other computers.

What should you do?

A. Place all computer accounts for the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive Logon: Smart card removal behavior setting to Force Logoff.

B. Place the user accounts of all users who use the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive logon: Smart card removal behavior setting to Force loggoff.

C. On the Default Domain Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force logoff.

D. On the Default Domain Controllers Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force Logoff.

Answer: A Explanation: We can place the public computers in the Public OU; this will enable us to apply a group policy to the public computers. The question states that users must be logged off if the smart card is removed from the smart card reader. There is a specific setting in group policy for this. We can configure the Interactive Logon: Smart card removal behaviour setting to Force Logoff.

Incorrect Answers: B: This is a computer setting, not a user setting. C: This will force logoff all users in the domain. Only users of the public computers should be logged off

when they remove their smart cards.


70 - 293


- 195 -

D: This will force logoff all users who log on to a domain controller. Only users of the public computers should be logged off when they remove their smart cards.

Reference:MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 10-4 to 10-12, 10-15 to 10-19, 10-24 to 10-28.

Part 3: Plan a framework for planning and implementing security.

A: Plan for security monitoring. (3 questions)

QUESTION NO: 1 You are the network administrator for Test King.com. The network contains 20 Windows Server 2003 database servers.

The written security policy for TestKing requires that the following services must be disabled on all database server computers:

Computer Browser File Replication Indexing Service Remote Registry ServerTask Scheduler

The written security policy also requires that the database servers must be prohibited from having access to the Internet.

You use a Windows XP Professional client computer named Testking1 that has access to the Internet.

You need to perform a weekly analysis of the hotfix level of the database servers compared with the latest available updates. You need to minimize the amount of administrative effort.

What should you do?

A. Schedule the mbsacli.exe command to run weekly on Testking1. Configure the mbsacli.exe parameters to use a file that contains the names of all database servers.


70 - 293


- 196 -

B. Each week, copy the Mssecure.cab file from the Microsoft Web site to Testking1 and initiate a Remote Desktop connection to each database server. Run the mbsacli.exe command on each database server. Configure the mbsacli.exe parameters to reference Testking1 as a data source for the hotfix information.

C. Each week, initiate a Remote Desktop connection to each database server. Run the wmic.exe qfe command on each database server.

D. Each week, initiate a Remote Desktop connection to each database server. Run the hotfix.exe command on each database server.

Answer: B The mssecure.cab file contains the hotfix information that is located at http://download.microsoft.com/download/xml/security/1.0/NT5/ENUS/mssecure.cab.

Hotfix is a code update (sometimes called a patch or a security update) that is normally released to correct a bug in a software product or to deploy a needed code upgrade to ensure system stability. Although hotfixes are normally associated with operating systems, the term is not exclusive to operating system patches and updates.

Hotfixes are leased for browsers, for example, but Microsoft blurs the line between the operating system and the Internet Explorer browser. The command-line program for running MBSA is mbsacli.exe. MBSA scans for security vulnerabilities in the operating system and other Microsoft components. MBSA gives administrators a report after a scan has been completed. This report explains what security issues were discovered and how to correct them. The mbsacli.exe parameter /c domainname\computername performs a scan on the selected computer. The mbsacli.exe parameter -i ipaddress specifies the IP address of the computer to be scanned. If not specified, the default is the local computer.

Incorrect Answers: A:C: The Windows Management Instrumentation Command (WMIC) utility is a command-line interface to the

WMI infrastructure. D:

Reference:Laura E. Hunter, Brian Barber, and Melissa Craft; Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Study Guide & DVD Training System, Chapter 8, pp. 480, 481 and 489.

Jason Zandri; Planning and Maintaining a Windows Server� 2003 Network Infrastructure Exam Cram� 2 (Exam 70-293), Glossary.

Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp.850.


http://download.microsoft.com/download/xml/security/1.0/NT5/ENUS/mssecure.cab

70 - 293


- 197 -

QUESTION NO: 2 Your network consists of a single Active Directory domain testking.com. TestKing has a main office in Denver and branch offices in Paris and Bogota. Each branch office contains a Windows Server 2003 DC. All client computers run Windows XP Professional.

Users in the Bogota office report intermittent problems authenticating to the domain. You suspect that a specific client computer is causing the problem.

You need to capture the authentication event details on the domain controller in the Bogota office so that you can find out the IP address of the client computer that is the source of the problem.

What should you do?

A. Configure System Monitor to monitor authentication events B. Configure Performance Logs and Alerts with a counter log to record the authentication events C. Configure Network Monitor to record the authentication events D. Configure Performance Logs and Alerts with an alert to trigger on authentication events

Answer: C Explanation:The question states that you find out the IP address of the client computer that is the source of the problem. Using Network Monitor to capture traffic is the only way to do this.

Incorrect Answers: A: This will not display the IP address of the client computer that is the source of the problem. B: This will not display the IP address of the client computer that is the source of the problem.D: This will not display the IP address of the client computer that is the source of the problem.


QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. All servers run Windows Server 2003 and all client computers run Windows XP Professional.

You are planning a security update infrastructure.



70 - 293


- 198 -

You need to find out which computers are exposed to known vulnerabilities. You need to collect the information on existing vulnerabilities for each computer every night. You want this process to occur automatically.

What should you do?

A. Schedule the secedit command to run every night. B. Schedule the mbsacli.exe command to run every night. C. Install Microsoft Baseline Security Analyzer (MBSA) on one of the servers.

Configure Automatic Updates on all other computers to use that server. D. Install Software Update Services (SUS) on one of the servers.

Configure the SUS server to update every night.

Answer: B Explanation:We can schedule the mbsacli.exe command to periodically scan for security vulnerabilities.

Incorrect Answers: A, C, D: The question says that you have to gather information to plan a security update infrastructure, not fix

it immediately.


B: Plan a change and configuration management framework for security. (0 questions)

Part 4: Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. (3 questions)

QUESTION NO: 1 You are the network administrator for Costoso Ltd. The network contains a single Active Directory domain named Contoso.com. All computers on the network are members of the domain.

Contoso, Ltd. has a main office and 20 branch offices. Each branch office has a connection to the main office. Only the main office has a connection to the Internet.


70 - 293


- 199 -

You are planning a security update infrastructure for your network. You deploy a central Software Update Services (SUS) server at the main office and an SUS server at each branch office. The SUS server at the main office uses Windows Update to obtain security patches.

You want to minimize the amount of bandwidth used on the connection to the Internet and on the connection between the offices to download security patches.

Which two actions should you take?

A. Configure the SUS servers at the branch office to use Windows Update to obtain security patches. B. Configure the SUS servers at the branch offices to use the central SUS server for updates. C. Configure Automatic Updates on the SUS servers at the branch offices to use the central SUS server for

updates.D. Configure Automatic Updates on all computers to use the SUS server on the local network. E. Configure Automatic Updates on all computers to use the default update service location.

Answer: B, D Explanation:We must set up the SUS branch offices server to pickup the updates form the server in the main office. By configuring a SUS server in the main office you save network bandwidth, because the branch office servers will not need to use the internet connection. With this solution, the main office SUS server downloads the updates from Microsoft; the branch office SUS servers download the updates from the main office SUS server and the client computers download the updates from the local SUS server.

Incorrect Answers: A: This is an unnecessary use of the internet connection. C: You need to configure the SUS server software to download the updates, not automatic updates. E: The default update service location is Microsoft. This is an unnecessary use of the internet connection.


QUESTION NO: 2 You are the network administrator for TestKing. The company has a main office and 20 branch offices. You recently completed the design of the company network. The network design consists of a single Active Directory domain named testking.com. All domain controllers will run Windows Server 2003. The main office will contain four domain controllers, and each branch office will contain one domain controller. The branch office domain controllers will be administered from the main office.


70 - 293


- 200 -

You need to ensure that the domain controllers are kept up-to-date with software updates for Windows Server 2003 after their initial deployment. You want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention. You also want to configure the settings by using the minimum amount of administrative effort.

What should you do?

A. In System Properties, on the Automatic Update tab, enable Keep my computer up to date, and then select Download the updates automatically and notify me when they are ready to be installed.

B. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 3 � Auto download and notify for install.

C. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 4 � Auto download and schedule the install.

D. In System Properties, on the Automatic Updates tab, enable Keep my computer up to date, and then select Automatically download the updates, and install them on the schedule that I specify.

Answer: C Explanation:The question states that �You want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention�. The way to do this is to configure the automatic updates with the option to Auto download and schedule the install. The easiest way to configure the domain controllers with this setting is to configure a group policy object for the domain controllers. The problem with this solution is that the domain controllers may automatically restart after the updates are installed. Scheduling the updates to install out of business hours will minimize any disruption.

Incorrect Answers: A: It is easier to configure the domain controllers using group policy. B: This solution will download the updates, but it won�t install them until an administrator manually clicks the

install button in the notification dialog box. Answer C automates the procedure more by scheduling the installation to occur at a set time without any further administrative intervention.

D: It is easier to configure the domain controllers using group policy.




70 - 293


- 201 -

All production servers are located in an organizational unit (OU) named Servers. You maintain a lab that contains test servers. All test servers are located in an OU named Test Servers.

You are planning to deploy critical Windows updates to all servers in the Servers OU by using Software Update Services (SUS), which is hosted on two dedicated SUS servers named Testking1 and Testking2. Testking1 and Testking2 are located in an OU named SUS servers. You synchronize Testking1 to download from the Microsoft Windows Update servers. You approve the relevant updates for your servers on Testking1.

You need to minimize the impact of applying the critical updates to the production servers.


A. Create a Group Policy Object (GPO) to configure computers to download and install critical updates from Testking1, and link it to the Test Servers OU. Create a second GPO to configure computers to download and install critical updates from Testking2, and link it to the Servers OU.

B. Configure Testking2 to automatically download approved and tested updates from Tesking1. C. Configure Testking2 to manually download approved and tested updates from Testking1. D. Create a Group Policy Object (GPO) to configure computers to download and install critical updates

from Testking1, and link it to the Servers OU. Create a second GPO to configure computers to download and install critical updates from Testking2, and link it to the Test Servers OU.

Answer: A, C Explanation:

Incorrect Answers: B:D: The updates must first be linked the Test Servers OU so that it can be tested in the lab containing the test

servers.



70 - 293


- 202 -

Topic 7: Miscellaneous (34 Questions)

QUESTION NO: 1 You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.

You install Certificate Services and configure an offline root certification authority (CA). You also configure an enterprise subordinate CA in the domain.

Employees in the marketing department use a public key infrastructure (PKI) enabled application to store secure marketing data. Employees require a certificate that supports client authentication to gain access to this application. User objects for employees in the marketing department are stored in an organizational unit (OU) named Marketing.

You create a Group Policy object (GPO) that configures users for autoenrollment, and you link the GPO to the Marketing OU. You create a duplicate of the User certificate template named Employee and assign permission to allow autoenrollment for users in the marketing department. You configure the Employee template to prompt the user during enrolment.

An employee in the marketing department named David Lindberg reports that when he attempts to use the marketing application, he receives a message stating that he does not have a client authentication certificate. David is unable to use the marketing application. You examine David Lindberg�s user object, shown in the exhibit. **MISSING**

You need to ensure that David can use the marketing application.

What should you do?

A. Edit David Lindberg�s user object to include an e-mail address. B. Add David Lindberg�s user object to the Cert Publishers domain local group. C. On David Lindberg�s computer, use the Web enrolment tool to connect to the subordinate CA and

download a copy of the subordinate CA�s certificate. D. On David Lindberg�s computer, use the Web enrolment tool to connect to the subordinate CA and

download the most recent certificate revocation list (CRL).

Answer: D

QUESTION NO: 2


70 - 293


- 203 -

You are the network administrator for TestKing. All Web servers on the network run Windows Server 2003. The network also contains a Windows Server 2003 computer named Testking1. Software Update Services (SUS) is installed on Testking1.

You are testing the security configuration of a Web server named Testking2. Testking2 is used on TestKing�s intranet. TestKing�s written security policy prohibits the intranet servers from communicating with Internet resources. You run the Microsoft Baseline Security Analyzer (MBSA) on Testking2 and receive the results shown in the exhibit.

You need to run MBSA successfully.

What should you do?

A. Temporarily enable Testking2 to access the Internet, and run MBSA again. B. Run the mbsacli.exe command, and run MBSA again. C. Run MBSA again. Configure MBSA to use the SUS server. D. Ensure that Windows Update is correctly configured on Testking2, and run MBSA again.

Answer: A

QUESTION NO: 3 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. One of the domain controllers is configured as a subordinate enterprise certification authority (CA). TestKing also has an offline root CA. All client computers run Windows XP Professional.


70 - 293


- 204 -

TestKing does business with a distributor named Coho Vineyard. Users at TestKing frequently access secured Web sites at Coho Vineyard. These sites are secured by using certificates issued by an enterprise CA at Coho Vineyard.

Users at TestKing report that they receive security alerts from the Web browser whenever they try to access secured Web sites at Coho Vineyard. Users can access the sites after they acknowledge the warnings, but many choose to cancel the operation in order to be sure that the network is secure.

You need to configure the TestKing network to prevent these security alerts from appearing when accessing the secured Web sites at Coho Vineyard.


A. Obtain a copy of the Coho Vineyard root certificate from Coho Vineyard. B. Issue a certificate to the Coho Vineyard Web server from the TestKing enterprise CA. C. Import the certificate into the Trusted Root Certification Authorities section of the Default Domain

Policy Group Policy object (GPO). D. Place the Coho Vineyard secured Web sites in the list of trusted sites in the Internet Explorer

Maintenance section of the Default Domain Policy Group Policy object (GPO).

Answer: A, C Explanation:Cross-Trust Hierarchies For a PKI entity to use a certificate provided by a CA, the entity must trust that CA. This trust is established when the entity has a copy of the CA�s certificate located in its local certificate store. Using the public key contained in the certificate, the entity can verify the CA�s digital signature. How, then, does the certificate get from the CA to the entity�s local store? Unfortunately, there is not just one answer. Group policies under Active Directory, preloaded certificates in Windows Server 2003, and downloads from the Windows Update Web site are the most common ways. If your organization must exchange data with external parties, there needs to be a way to recognize and trust a third-party CA as if it were a part of your local chain of trust. To do this you can either use a certificate trust list (CTL), or you can create a cross-trust hierarchy, which enables an external CA to be viewed as a subordinate CA in your local trust chain.

Incorrect Answers: B, D: Coho Vineyard must be part of Testking�s organization for this to be possible.

Reference:Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370 Chapter 12, pp. 883.


70 - 293


- 205 -

QUESTION NO: 4 You are the network admin for litware inc. The company�s written security policy requires that you maintain a copy of all private keys issued by TestKing�s enterprise root CA

You create a duplicate of the user template named Employee and configure the template as shown in the Employee Properties exhibit:

You configure the CA to archive private keys by using a Key Recovery Agent Certificate.

You create a test user account named Peter and request a new employee certificate. You issue the certificate to Peter. You reinstall the OS on your test computer and attempt to recover Peter�s private key. Your attempt fails and generates the following error message:

C:\ certutil �Getkey CertUtil: - GetKeycommand failed CertUtil: Cannot find object or property.

You need to ensure that future attempts to recover private keys associated with Employee certificates succeed

What should you do?

A. Using Group Policy, deploy a copy of the key recovery agent certificate to all client computers.


70 - 293


- 206 -

B. In the Employee template, select the Archive subject�s encryption private key check box. C. In the employee template, select the Allow private key to be exported check box. D. Run the certutil � dspublish command to publish the Key Recovery Agent certificate to Active

Directory.

Answer: C Explanation:The Request Handling tab has options including minimum key size and certificate purpose. The certificate purpose can be encryption, signature, or signature and encryption. There is also an option to allow the export of the private key.

Incorrect Answers: A: Key recovery is deployed via the Certificate Services B: You are attempting to recover the key, not archive it D: This option will not work since the certutil command is not responding positively.

Reference:Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Chapter 12

QUESTION NO: 5 You are a network administrator for TestKing. The company consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional.

The company�s main office is located in Dallas. You are a network administrator at the company�s branch office in Boston. You create a Group Policy object (GPO) that redirects the Start menu for users in the Boston branch office to a shared folder on a file server.

Several users in Boston report that many of the programs that they normally use are missing from their Start menus. The programs were available on the Start menu the previous day, but did not appear when the users logged on today.

You log on to one of the client computers. All of the required programs appear on the Start menu. You verify that users can access the shared folder on the server.

You need to find out why the Start menu changed for these users.



70 - 293


- 207 -

A. In the Group Policy Management Console (GPMC), select the file server that hosts the shared folder and a user account that is in the Domain Admins global group and run Resultant Set Of Policy (RSoP) in planning mode.

B. In the Group Policy Management Console (GPMC), select one of the affected user accounts and run Resultant Set of Policy (RSoP) in logging mode.

C. On one of the affected client computers, run the gpresult command. D. On one of the affected client computers, run the gpupdate command. E. On one of the affected client computers, run the secedit command.

Answer: B, C Explanation:We need to view the effective group policy settings for the users or the computers that the users are using. We can use gpresult of RSoP.

Gpresult displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer.

RSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. It consists of two modes, planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing policy settings for a computer and user that is currently logged on.

Incorrect Answers: A: We need to test the effective policy from a user�s computer, not the file server. D: Gpudate, is the tool used to refresh the policy settings in Windows XP and Windows Server 2003. E: Secedit is the tool used to refresh the policy in Windows 2000 professional and server editions.

Reference:Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System.

J. C. Mackin, Ian McLean; MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.

QUESTION NO: 6 You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 20 servers running Windows Server 2003 and 300 client computers running either Windows XP Professional or Windows 2000 Professional.

You install a new member server named TestKing3, for use by the Finance department. TestKing3 runs Windows Server 2003. You install a Finance application that runs as a service on TestKing3. When you


70 - 293


- 208 -

restart TestKing3, the logon screen does not appear. You attempt to restart TestKing3 using safe mode, and then again using the Last Known Good Configuration. Both of which are unsuccessful. All Safe Mode options are unsuccessful.

You reinstall TestKing3 using a clean installation of Windows Server 2003. You discover that the Finance application is not compatible with a security update. You install a patch provided by the Finance software manufacturer. TestKing3 reboots successfully and the Finance software now successfully runs as a service.

You want to prevent this type of problem happening again. You want to configure the existing servers so that you can quickly recover from this type of failure.

What should you do?

A. Always install services using Add or Remove Programs. B. On each server, install and use the Recovery Console. C. On each server, create an Automated System Recovery (ASR) disk. D. Next time the problem occurs, use Device Driver Roll Back.

Answer: B Explanation:1. We know that this service causes the failure. 2. We want minimum of time and minimum of data loss. 3. We want a solution for all servers. 4. We want to make sure other services that fail do not result in the same type of failure.

Using the Recovery Console, you can enable and disable services This method is recommended only if you are an advanced user who can use basic commands to identify and locate problem drivers and files. To use the Recovery Console, restart the computer with the installation CD for the operating system in the CD drive. When prompted during text-mode setup, press R to start the Recovery Console.What it does:

From the Recovery Console, you can access the drives on your computer. You can then make any of the following changes so that you can start your computer:

Enable or disable device drivers or services.Copy files from the installation CD for the operating system, or copy files from other removable media. For example, you can copy an essential file that had been deleted.Create a new boot sector and new master boot record (MBR)

Incorrect Answers: A: Located in Control Panel on the client machine, this option is used by users to manage software on their

own computers.


70 - 293


- 209 -

C: It backs up only the operating system partition; you must back up other partitions using Backup or other means.

D: Driver Roll Back is done through Device Manager, and allows for use of a driver that was previously configured for a device.

Reference:Server HELP, Recovery Console overview, Repair overview.

Jill Spealman, Kurt Hudson, and Melissa Craft; MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment.

QUESTION NO: 7 You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains Web servers that run Windows Server 2003.

You use Sysprep to create a baseline image for Web servers. You instruct a technician to install Windows Server 2003 on 20 new Web servers by using the baseline image.

A new service pack is subsequently released.

You need to install the new service pack on all Web servers. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Copy the service pack installation files to a shared folder. Install the service pack on each Web server from the shared folder.

B. Create an organizational unit (OU) named Web servers. Create a Group Policy object (GPO) to assign the service pack package to users. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.

C. Create an organizational unit (OU) named Web Servers. Create a Group Policy object (GPO) to assign the service pack package to computers. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.

D. Create a Cmdlines.txt file for use with the baseline Sysprep image in order to run the service pack package.


70 - 293


- 210 -

Answer: C Explanation:A service pack is a software update package provided by Microsoft for one of its products. A service pack contains a collection of fixes and enhancements packaged into a single self-installing archive file.

To distribute a service pack, create a shared folder and either extract the service pack to that folder or copy the contents of the service pack CD to the folder. Then, using the Active Directory Users And Computers snap-in, create or select an existing GPO. Click Edit and the Group Policy Object Editor console appears, focused on the selected GPO. Expand the Computer Configuration\Software Settings node. Right-click Software Installation and choose New, then Package. Enter the path to the service pack�s Update.msi file. Be certain to use a UNC format (for example, \\Server\Share) and not a local volume path, such as Drive:\Path. In the Deploy Software dialog box, select Assigned. Close the Group Policy Object Editor console. Computers within the scope of the GPO�in the site, domain, or OU branch to which the policy is linked�automatically deploy the service pack at the next startup.

You can create a baseline security configuration in a GPO directly, or import a security template into a GPO. Link the baseline security GPO to OUs in which member servers� computer objects exist.

Incorrect Answers: A: Installing the service pack on each server would require a lot of administrative effort. B: Service packs must be applied to the computers not the users. D: Service packs can be applied without running the Sysprep image.

Reference:Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Glossary.

Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, Chapter 9.

Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 9.

QUESTION NO: 8 You are the network administrator for TestKing. All servers run Windows Server 2003.

You configure a baseline security template Baseline.inf. Several operations groups are responsible for creating templates containing settings that satisfy operational requirements. You receive the templates shown in the following table.


70 - 293


- 211 -

Operations group Template name Applies to File and Print TestKingFile.inf File servers Database TestKingDB.inf Database servers Security TestKingSec.inf All resource servers

The operations groups agree that in the case of conflicting settings, the priority order listed in the following table establishes the resultants setting.

Template Priority TestKingSec.inf 1 Baseline.inf 2 Specific server role template 3

You need to create one or more Group Policy objects (GPOs) to implement the security settings. You want to minimize the amount of administrative effort required when changes are requested by the various operations groups.

What should you do?

A. Create a GPO and import the following templates in the following order: Baseline.inf, TestKingSec.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.

B. Create a GPO and import the following templates in the following order: TestKingSec.inf, Baseline.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.

C. Create a GPO for each server role and import the following templates in the following order: Baseline.inf, specific server role template, TestKingSec.inf.

D. Create a GPO and import the following templates in the following order: TestKingSec.inf, TestKingDB.inf, TestKingFile.inf, Baseline.inf.

Answer: A Explanation:Windows Server 2003 processes GPOs from the bottom of the list to the top of the list, with the topmost GPO having the final authority. Because policies contained in GPOs will, by default, overwrite policies of previously applied, we would need to import the Baseline.inf before the TestKingSec.inf template.

Incorrect Answers: B: Because policies contained in GPOs will, by default, overwrite policies of previously applied; we would

need to import the Baseline.inf before the TestKingSec.inf template. C, D: Because we need to import templates specific to each of two server roles, we need a separate GPO for

each server role.

Reference:


70 - 293


- 212 -


QUESTION NO: 9 You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains 30 domains. TestKing has 400 offices. The network contains 150,000 user objects. All servers run Windows Server 2003.

You are responsible for administering the marketing department, which has offices in North America and Europe, as shown in the work area. Offices in Toronto, Chicago, and New York are part of the america.testking.com domain. Offices in Paris, Bonn, and Rome are part of the europe.testking.com domain. The number of users in each office is shown in the following table.

Office Number of users Toronto 750 Chicago 20 New York 650 Paris 650 Bonn 10 Rome 15

Users in the Bonn, New York, and Toronto offices require access to a directory-enabled application that stores configuration information in the global catalog.

You need to plan the placement of domain controllers for the network. You need to ensure that each user can log on without using cached credentials and that users have access to the application if a WAN connection fails. You need to achieve this goal while minimizing the increase in WAN traffic.

What should you do?

To answer, drag the appropriate domain controller configuration or configurations to the correct location or locations in the work area.


70 - 293


- 213 -

Answer:


70 - 293


- 214 -

Explanation:Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest. The GC helps in keeping a list of every object without holding all the details of those objects; this optimizes network traffic while still providing maximum accessibility.

Reference:Michael Cross, Jeffery A. Martin , Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder,and Dr. Thomas W. Shinder, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370, Chapter 8, pp. 540.

QUESTION NO: 10 You are a network administrator for TestKing. The network consists of two Active Directory domains. All servers run Windows Server 2003. TestKing has offices in New York and Rome. The two offices are connected by a 128-Kbps WAN connection. Each office is configured as a single domain. Each office is also configured as an Active Directory site.

TestKing stores printer location information in Active Directory. Users frequently perform searches of Active Directory to find information on printers by selecting the Entire Directory option. Users in the New York Office report that response time is unacceptably slow when searching for printers.


70 - 293


- 215 -

You need to improve the response time for users in the New York office.

What should you do?

A. Place a domain controller for the Rome domain in the New York office. B. Place a domain controller for the New York domain in the Rome office. C. Enable universal group membership caching in the New York office. D. Configure a global catalog server in the New York office.

Answer: D Explanation:Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest. The GC helps in keeping a list of every object without holding all the details of those objects; this optimizes network traffic while still providing maximum accessibility.

Incorrect Answers: A, B: These options requires users to search via the WAN connection, which will not improve the response

time. C: Universal group membership caching allows a domain controller to cache universal group membership

information, thus reducing the need for a global catalog server to be contacted during the user authentication process.

Reference:Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370, Chapter 8, pp. 540.


QUESTION NO: 11 You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains three Windows Server 2003 domain controllers named ServerTK1, ServerTK2 and ServerTK3. ServerTK1 holds the schema master role and the domain naming master role. ServerTK2 holds the relative ID (RID) master role. ServerTK3 holds the PDC emulator master role and the infrastructure master role.


70 - 293


- 216 -

ServerTK2 fails and cannot be restarted. You log on to ServerTK3 as the administrator and seize the RID master role.

Later, ServerTK2 is repaired and can be brought back online. You want ServerTK2 to hold the RID master role again.

What should you do?

A. Restart ServerTK2 while it is connected to the network. Use the Ntdsutil utility and seize the RID master role. Reconnect ServerTK2 to the network.

B. Restart ServerTK2 while it is disconnected from the network. Use the Ntdsutil and seize the RID master role. Reconnect ServerTK2 to the network.

C. Reinstall Windows Server 2003 on ServerTK2. Restore the system state from the most recent backup to ServerTK2. Reconnect ServerTK2 to the network.

D. Reinstall Windows Server 2003 on ServerTK2. Promote ServerTK2 to become a domain controller. Transfer the RID master role to ServerTK2.

Answer: D Explanation:A domain controller whose RID master role has been seized can only be brought back online by reinstalling Windows Server 2003.

Incorrect Answers: A: ServerTK2 was the RID master before it failed. That role was seized to ServerTK3. If we restart ServerTK2,

there will be two RID masters. Furthermore, we can only seize a role if the domain controller that holds that role fails.

B: We cannot seize the RID master role if ServerTK2 is not connected to the network. Furthermore, we can only seize a role if the domain controller that holds that role fails.

C: ServerTK2 was the RID master before it failed. That role was seized to ServerTK3. However, if we bring ServerTK2 back online, there will be two RID masters.

Reference:Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure , Chapter 4.

QUESTION NO: 12


70 - 293


- 217 -

You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain includes a Windows Server 2003 computer that runs Terminal Services. The terminal server has a computer account in an organizational unit (OU) named Terminal Servers.

A Group Policy object (GPO) named TS Settings is linked to the Terminal Servers OU. This GPO is configured with settings that must apply when users are logged on to the terminal server. The company wants users to have their normal settings when connected to the terminal server, except settings that conflicts with the settings in the TS Settings GPO.

You discover that when users are logged on to the terminal server, they receive only the settings from the TS Settings GPO, without any of their own settings.

You use the Group Policy Management Console (GPMC) to examine the configuration of the TS Settings GPO. The relevant portion of the configuration is shown in the exhibit. ****MISSING****

You need to ensure that policy settings apply properly to users logging on the terminal server.

What should you do?

A. Enable the Block Policy inheritance setting for the Terminal Servers OU. B. Disable the No Override setting for the TS Settings GPO. C. Modify the TS Settings GPO to use loopback processing in Merge mode. D. Disable the Only allow local profiles setting in the TS settings GPO.


Incorrect Answers: A: Enabling the Block Policy inheritance setting for the Terminal Servers OU will prevent the application of

GPOs higher in the hierarchy from being inherited by the Terminal Servers OU. Thus, only the TS Settings GPO will be applied.

C: Loopback is a new Group Policy setting that provides alternatives to the default method of obtaining the ordered list of GPOs whose user configuration settings affect a user. By default, a user�s settings come from a GPO list that depends on the user�s location in Active Directory. Loopback operates in replace mode or merge mode. In merge mode, user settings that do not conflict with computer settings are applied. If there is a conflict between the two, the computer settings override the user settings.


70 - 293


- 218 -

D: The Only allow local profiles is a new Group Policy option that permits a computer to ignore user settings in roaming profiles. By default, when roaming profile users log on to a computer, their roaming profile is copied to the local computer. If they have previously logged on to this computer, the roaming profile is merged with the local profile. When the users log off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. If the Only allow local profiles setting is enabled, the user receives a local profile, rather than the roaming profile.

Reference:Syngress Press, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, 2003, pp. 582, 590.

MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 10-16 to 10-17, 10-19 to 10-20.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dmebc_dsm_jxfc.asp

Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370 Chapter 2, pp. 110.

Charlie Russel, Sharon Crawford,and Jason Gerend, Microsoft Windows Server 2003, Administrator's Companion, Chapter 10.

QUESTION NO: 13 You are the administrator of the TestKing company network. The network consists of a single Active Directory domain testking.com. The network includes 50 servers running Windows Server 2003 and 1000 client computers running Windows XP Professional.

All client computers are in an organisational unit (OU) named Clients. All server computers are in an organisational unit (OU) named Servers.

You discover that most of the servers are running the SMTP service and the Telnet service. These services are not required and should be disabled.

What is the easiest way to ensure that the services are always disabled on the servers?

A. Use gpedit.msc to create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Servers OU.

B. Use gpedit.msc to create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Servers OU.


http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en

70 - 293


- 219 -

C. Use gpedit.msc to create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Servers OU.

D. Use gpedit.msc to create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services.Link the GPO to the Servers OU.

Answer: C Explanation:The servers have been moved to an OU. This makes it easy for us to configure the servers using a group policy. We can simply assign a group policy to the Servers OU to disable the services.

Incorrect Answers: A: The logon script would only run when someone logs on to the servers. It�s likely that the servers will be

running with no one logged in. B: The Hisecws.inf security template is designed for workstations, not servers. D: The startup script would only run when the servers are restarted. A group policy would be refreshed at

regular intervals.


QUESTION NO: 14 You are the network administrator for TestKing. You need to test a new application.

The application requires 2 processors and 2 GB of RAM. The application also requires shared folders and installation of software on client computers.

You install the application on a Windows Server 2003 Web Edition computer and install the application on 20 test client computers.

You then discover that only some of the client computers can connect and run the application. You turn off some computers and discover that the computer that failed to open the application can now run the application. You need to identify the cause of the failure and update your test plan.

What should you do?

A. Increase the maximum number of worker processes to 20 for the default application pool B. Use add/remove programs to add the application server windows component C. Change the application pool to identify the local service for the default application pool


70 - 293


- 220 -

D. Change the test server OS to Window Server 2003 Standard Edition or Enterprise

Answer: D Explanation:Although Windows Server 2003 Web Edition supports up to 2GB of RAM, it reserves 1GB of it for the operating system; only 1GB of RAM is available for the application. Therefore, we need to install Window Server 2003 Standard Edition or Enterprise Edition to support enough RAM.

Incorrect Answers: A, C: The application requires 2 GB of RAM; however, Windows Server 2003 Web Edition reserves 1GB for

the operating system so only 1GB of RAM is available for the application. So, changing the application pool won�t resolve this problem.

B: The application server component includes IIS and ASP. These would be part of the default installation on a Web Server.

QUESTION NO: 15 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The domain consists of the containers shown in the exhibit.

All production server computer accounts are located in an organizational unit (OU) named Servers. All production client computer accounts are located in an OU named Desktops. There are Group Policy objects (GPOs) linked to the domain, to the Servers OU, and to the Desktop OU.

The company recently added new requirements to its written security policy. Some of the new requirements apply to all of the computers in the domain, some requirements apply to only servers, and some requirements apply to only client computers. You intend to implement the new requirements by making modifications to the existing GPOs.

You configure 10 new Windows XP Professional computers and 5 new Windows Server 2003 computers in order to test the deployment of settings that comply with the new security requirements by using GPOs. You use the Group Policy Management Console (GPMC) to duplicate the existing GPOs for use in testing.


70 - 293


- 221 -

You need to decide where to place the test computer accounts in the domain. You want to minimize the amount of administrative effort required to conduct the test while minimizing the impact of the test on production computers. You also want to avoid linking GPOs to multiple containers.

What should you do?

A. Place all test computer accounts in the testking.com container. B. Place all test computer accounts in the Computers container. C. Place the test client computer accounts in the Desktops OU and the test server computer accounts in the

Servers OU. D. Create a child OU under the Desktops OU for the test client computer accounts.

Create a child OU under the Servers OU for the test server computer accounts. E. Create a new OU named Test under the testking.com container.

Create a child OU under the Test OU to test client computer accounts. Create a second child OU under the Test OU to test server computer accounts.

Answer: E Explanation:To minimize the impact of the test on production computers, we can create a test OU with child OUs for the servers and the client computer accounts. Settings that should apply to the servers and client computers can be applied to the Test OU, and settings that should apply to the servers or the client computers can be applied to the appropriate child OUs.

Incorrect Answers: A: You cannot place computer accounts directly under the domain container. They must be in an OU or in a

built in container such as the Computers container. B: We need to separate the servers and the client computers into different OUs. C: This solution would apply the new settings to existing production computers. D: This could work but you would have more group policy links. For example, the GPO settings that need to

apply to the servers and the client computers would need to be linked to both OUs. It would easier to link the GPO to a single parent OU.


QUESTION NO: 16 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All member servers run Windows Server 2003. All client computers run Windows XP Professional. All client computer accounts in the domain are located in an organizational unit (OU) named Workstations.


70 - 293


- 222 -

You need to distribute a new application to all client computers on the network. You create a Group Policy object (GPO) that includes the application package in the software installation settings of the Computer Configuration section of the GPO. You assign the GPO to the Workstations OU.

Several days later, users report that the new application is still not installed on their client computers.

You need to ensure that the application is installed on all client computers.

What should you do?

A. Instruct users to restart their client computers. B. Instruct users to run Windows Update on their client computers. C. Instruct users to force a refresh of the computer policy settings on their client computers. D. Instruct users to force a refresh of the user policy settings on their client computers.

Answer: A Explanation:When an application is assigned to a computer, the software is deployed when it is safe to do so (that is, when the operating system files are closed). This generally means that the software will be installed when the computer starts up, which ensures that the applications are deployed prior to any user logging on. For this scenario, we need to tell the users to restart their client computers.

Incorrect Answers: B: Windows Update is used to update the operating system with the latest security patches etc. C: You applied the policy several days ago. The client computers should have the GPO by now. D: The setting isn�t in the user section of the group policy.

Reference:Group Policy Help

QUESTION NO: 17 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com

TestKing merges with a company named Acme. You need to create new user accounts for all of the Acme employees.

The e-mail address format for all users at Acme is [email protected]. The users need to continue to use their e-mail addresses after the merger. To decrease confusion, these users also need to be able to use their e-mail addresses as their user logon names when logging on to the company network.


mailto:@acme.com

70 - 293


- 223 -

You need to ensure that new users can log on by using their e-mail addresses as their logon names. You want to achieve this goal by incurring the minimum cost and by using the minimum amount of administrative effort.

What should you do?

A. Create a new domain tree named acme.com in the testking.com forest. Create user accounts for all of the users in the acme.com domain.

B. Create a new forest named acme.com. Create user accounts for all of the users in the acme.com domain. Configure a forest trust relationship between the two forests.

C. Create user accounts for all of the new users in the testking.com domain. Configure the e-mail addresses for all of the Acme users as [email protected].

D. Configure acme.com as an additional user principal name (UPN) suffix for the testking.com forest. Configure each user account to use the acme.com UPN suffix.

Answer: D Explanation:You can simplify the logon process for users by enabling UPN logon. When UPN logon is enabled, all users use the same UPN suffix to log on to their domains. UPN names are comprised of the user's logon name and the DNS name of the domain. When you enable UPN logon, users' logon names remain the same even when their domains change.

You might choose to enable UPN logon if: Domain names in your enterprise are complex and difficult to remember.Users in your organization might change domains as a result of domain consolidation or other organizational changes.All domains in the forest are in native mode.User logon names are unique within the forest.A global catalog server is available to match the UPN to the correct domain account.

You can use one UPN suffix for all users in the forest.

Incorrect Answers: A, B: Creating a new domain tree or forest and recreating the user accounts for all of the users in the acme.com

domain would require excessive administrative effort. C: Creating new user accounts for all of the users in the acme.com domain would require excessive

administrative effort. Using the UPN logon feature would require less administrative effort.

Reference:MS White Paper, Designing an Authentication Strategy

Thomas W. Shinder and Debra Littlejohn Shinder, MCSE Exam 70-294: Planning, Implementing, and


mailto:@acme.com

70 - 293


- 224 -

Maintaining a Windows Server 2003 Active Directory Infrastructure, Syngress, 2003, pp. 95-6.

QUESTION NO: 18 You are the network administrator for TestKing. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.com and cpand1.com. The functional level of each forest is Windows Server 2003.

A two-way forest trust relationship exists between the forests.

You need to achieve the following goals:

Users in the contoso.com forest must be able to access all resources in the cpand1.com forest. Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com.

You need to configure the forest trust relationship and the resources on HRApps.contoso.com to achieve the goals.

Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.

B. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.

C. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.

D. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.

E. Modify the discretionary access control list (DACLs) on HRApps.contoso.com to allow access to the Other Organization security group.

F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access to This Organization security group.

Answer: A, D, E Explanation:Authentication between Windows Server 2003 forests When all the domains in two forests trust each other, and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.

Selective authentication between forests


70 - 293


- 225 -

Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions. If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, users from ForestB would be able to access any resource in ForestA (assuming they have the required permissions). If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set a control access right Allowed to authenticate on an object for that particular user or group from the second forest.

When a user authenticates across a trust with the Selective authentication option enabled, an OtherOrganization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, then the server to which he authenticates adds the This Organization SID if the OtherOrganization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.

Incorrect Answers: B: If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the

same level of access to resources in the local forest as users who belong to the local forest. However, users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com. We should therefore use selective authentication for the cpandl.com forest to access the contoso.com.

C: Users in the contoso.com forest must be able to access all resources in the cpand1.com forest, in other words, they need forest-wide access.


Syngress Press, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, 2003, p. 254.

QUESTION NO: 19 You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The Active Directory database contains 500 MB of information.

TestKing has its main office in Moscow and a branch office in Minsk. The two offices are connected by a 56-Kbps WAN connection that is used only for Active Directory replication. The Moscow office has 450 users, and the Minsk office has 15 users.


70 - 293


- 226 -

The Minsk office has a single Windows Server 2003 domain controller and two Windows Server 2003 file and print servers. The hard disk containing the operating system on the domain controller in Minsk fails and cannot be recovered.

You need to re-establish a domain controller that contains a current copy of Active Directory in the Minsk office. You need to achieve this goal as quickly as possible.

What should you do?

A. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller. Install Active Directory from restored backup files.

B. Install Active Directory on a file and print server. Force replication.

C. Install Active Directory on a file and print server from restored backup files. D. Replace the hard disk on the domain controller.

Install Windows Server 2003 on the domain controller. Force replication.

Answer: C Explanation:We need to re-establish a domain controller in the Minsk office as quickly as possible. Therefore, we should install Active Directory from restored backup files. Answer A is the recommended answer, but answer C is quicker. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller. The /adv switch is only necessary when you want to create a domain controller from restored backup files. It is not required when creating an additional domain controller over the network. For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be present on local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link.

Incorrect Answers: A: This would work but answer C is quicker. B: We don�t want to replicate a 500MB Active Directory database over a 56Kbps WAN link. D: We don�t want to replicate a 500MB Active Directory database over a 56Kbps WAN link.

Reference:


70 - 293


- 227 -


QUESTION NO: 20 You are the network administrator for TestKing. The network consists of a single Active Directory domain that contains only one domain controller. The domain controller is named TestKingSrvA. The domain contains only one site named Valencia.

You are adding a new site named Barcelona. You need to promote an existing Windows Server 2003 member server named TestKingSrvB to be an additional domain controller of the domain. A 56Kbps WAN connection connects the Valencia and Barcelona sites.

You need to install TestKingSrvB as a new domain controller on the Barcelona site. You need to minimize the use of the WAN connection during this process.

What should you do?

A. Set the site link cost between the Valencia and Barcelona sites to 50. Promote TestKingSrvB to be an additional domain controller in the Barcelona site.

B. Restore the backup files from the system state data on TestKingSrvA to a folder on TestKingSrvB and install Active Directory by running the dcpromo /adv command.

C. Promote TestKingSrvB to be an additional domain controller by running the dcpromo command over the network.

D. Promote TestKingSrvB to be an additional domain controller by using an unattended installation file.

Answer: B Explanation:We want to minimize the use of the WAN link. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller.

Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link. To use the install from media feature, you first create a backup of System State from the existing domain controller, then restore it to the new domain controller by using the Restore to: Alternate location option.

In this scenario, we can restore the system state data to a member server, then use that restored system state data to promote a member server to a domain controller.

Incorrect Answers:


70 - 293


- 228 -

A: Site link costs are a mechanism for controlling replication traffic. In this scenario we need to install Active Directory, not control Active Directory replication.

C: Running the dcpromo command over the network will result in large amounts of traffic across the WAN link. We want to reduce this.

D: We could promote TestKingSrvB to a domain controller by using unattended installation, however, Active Directory would need to be synchronized with the Active Directory on TestKingSrvA. This synchronization would result in WAN traffic that could be reduced by installing Active Directory from a backup.


Syngress Press, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, 2003, pp. 294-6, 298-300.

QUESTION NO: 21 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional.

User accounts are configured as local administrators so that users can install software. A desktop support team supports end users. The desktop support team�s user accounts are all members of a group named Support.

You create a software restriction policy that only prevents users from running registry editing tools by file hash rule. You apply the policy to all user accounts in the domains.

The desktop support team reports that when they attempt to run registry editing tools, they receive the following error message:

�Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator�.

You need to ensure that only the desktop support team can run registry editing tools.

What should you do?

A. Configure the software restriction policies to be enforced for all users except local administrators. B. Make users members of the Power Users group instead of the Administrators group. C. Use a logon script to copy the registry editing tools to the root of drive C.

Assign the Domain Admins group the Allow � Read permission for the registry editing tools in the new location.


70 - 293


- 229 -

D. Filter the software restriction policy to prevent the Support group from applying the policy.

Answer: D Explanation:We can prevent the software restriction policy from applying to the support group by simply assigning the support group the Deny � Read and/or the Deny � Apply group policy permission.

Incorrect answers: A: The users are local administrators. The policy must apply to the local administrators. B: The policy applies to all users. It will still apply to the support group. Changing the local users group

membership will have no effect on the policy. C: The software restriction policy is using a hash rule to prevent the use of the registry editing tools. It doesn�t

matter where the tools are located, they still won�t run.

Reference:Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296.

QUESTION NO: 22 You are the network administrator for TestKing. Your user account is a member of the Schema Admins group. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named TestKingA holds the schema master role.

An application named Application1 creates additional schema classes. You notice that this application created some classes that have incorrect class names.

You need to correct the class names as quickly as possible.

What should you do?

A. Deactivate the Application1 classes that have the incorrect class names. Set the default security permission for the Everyone group for those schema classes to Deny.

B. Deactivate the Application1 classes that have the incorrect class names. Create the Application1 classes with the correct class names.

C. Rename the description of the Application1 classes to the correct class name. Instruct the developers of Application1 to change the code of the application so that the renamed schema classes can be used.

D. Instruct the developers of Application1 to change the code of the application so that the application creates the new schema classes with the correct class names.


70 - 293


- 230 -

Reinstall Application1 and select Reload the schema in the Active Directory Schema console.

Answer: B Explanation:We need to deactivate the Application1 classes that have the incorrect class names. This is because you cannot delete or rename a class. We can only deactivate the incorrect classes and recreate the classes with the correct class names. Extending the schema When the set of classes and attributes in the base Active Directory schema do not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.

Schema extensions are not reversible Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated.

Deactivating a class or attribute Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or attribute is considered defunct. A defunct class or attribute is unavailable for use; however, it is easily reactivated.If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute. The only exception to this is that an attribute used as a rdnAttId of a class continues to own its attributeId, ldapDisplayName, and schemaIdGuid values even after being deactivated (for example, those values cannot be reused). If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it.

Incorrect Answers: A: It is not necessary to deny access to the classes after deactivating them. We need to recreate the classes with

the correct names. C: Changing the description of a class doesn�t rename the class. It is not possible to rename a class. D: We need to deactivate the classes that have the incorrect class names.


QUESTION NO: 23


70 - 293


- 231 -

You are a network administrator for TestKing. The network consists of single Active Directory forest that contains two domains and four sites. All servers run Windows Server 2003. You are responsible for administering domain controllers in one site. Your site contains four domain controllers. The hard disk that contains the Active Directory database fails on a domain controller named TESTKING2. You replace the failed disk.

You need to recover TESTKING2. You need to achieve this goal without affecting existing Active Directory data.

What should you do?

A. Perform a nonauthoritative restoration of the Active Directory database. B. Perform an authoritative restoration of the Active Directory database. C. Use the Ntdsutil utility to run the semantic database analysis command. D. Use the Ntdsutil utility to run the restore subtree command.

Answer: A Explanation:You have four domain controllers in your site. You can simply perform a non-authoritative restore of the Active Directory database. Any changes to the Active Directory database since the data was backed up will be replicated from another domain controller.

Incorrect Answers: B: This is not necessary. This will overwrite the Active Directory database on the other domain controllers.

The other domain controllers will have the most recent copies of the Active Directory database. These changes can be replicated to the failed machine.

C: You can use this process to generate reports on the number of records present in the Active Directory database, including deleted and phantom records. It is not used to restore the Active Directory database.

D: We need to restore the entire Active Directory database, not just a subtree of it.

Reference:Jill Spealman, Kurt Hudson, and Melissa Craft; MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

QUESTION NO: 24 You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a single domain named testking.com. Organizational units (OUs) in the domain are configured as shown in the Domain Structure exhibit. **MISSING**


70 - 293


- 232 -

All client computers run Windows XP Professional. All client computer accounts are located in the TestKing Computers OU.

Your user account is a member of the Domain Admins security group. All user accounts that are members of the Domain Admins security group are located in the Domain Admins OU.

All service desk users have user accounts that are members of the SrvDeskGrp security group. All accounts that are members of this group are located in the Service Desk Staff OU.

You use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO) named Install Admin Tools. You configure the GPO as follows:

In the GPO, create a software installation package that assigns the Windows Server 2003 Administration Tools Pack (adminpak.msi) to users. Link the GPO to the IT Users OU. Remove the Authenticated Users built-in group from the list of users and groups that were delegated permissions for the GPO. Assign the SrvDeskGrp security the Allow � Read permission for GPO.

Service desk users report that the administrative tools needed for their job are not installed. You use the GPMC to examine the history of Group Policy application for one of the affected users. The relevant results are shown in the GPMC exhibit. **MISSING**

You also discover that when you log on to a computer normally used by a service desk user, the administrative tools are automatically available for you.

You need to ensure that administrative tools can also be installed by Group Policy for all users with accounts in the IT Users OU, without increasing the administrative privileges of any users.

What should you do?

A. Link the Install Admin Tools GPO to the Service Desk Staff OU. Move the computer accounts for computers used by service desk users to the Service Desk Staff OU.

B. Change the security filtering on the Install Admin Tools GPO to grant the SrvDeskGrp security group the ability to apply the GPO.

C. Move the SrvDeskGrp security group to the Domain Admins OU. D. Modify the GPO to assign the Administration Tools Pack to computers instead of to users.

Answer: B Explanation:You need to assign the Allow � Apply Group Policy permission, not just the Allow � Read permission, to the SrvDeskGrp group.


70 - 293


- 233 -

Incorrect Answers: A: Linking the Install Admin Tools GPO to the Service Desk Staff OU on its own won�t help. The SrvDeskGrp

would still only have Allow � Read permissions. C: Making the SrvDeskGrp a member of the Domain Admins OU would give them too much permissions. D: The GPO should apply to users not computers because we are controlling application based on user groups.

Reference:MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 10-20, 10-40 to 10-41.

QUESTION NO: 25 You are the network administrator for TestKing. You are implementing a new Windows Server 2003 network environment. You install one Active Directory forest root domain named cpandl.com. You install the first domain controller named DC1. You configure DC1 as a DHCP server and as an Active Directory-integrated DNS server with dynamic updates enabled. Later you install an additional domain controller named DC2.

You cannot raise the functional level of the domain to Windows Server 2003. You discover that the service locator (SRV) resource records of DC1 are not created in the cpandl.com zone on the DNS server. You run the Dcdiag tool on DC1 and receive the output shown in the exhibit.

You need to make it possible to raise the functional level of the domain to Windows Server 2003.


70 - 293


- 234 -

What should you do?

A. Upgrade DC2 to a global catalog server. B. Use the DHCP server locator utility to find out which DHCP servers are available in the cpandl.com

zone.C. Start the Net Logon service on DC1. D. Restart the DNS Server service on DC1 to enable DNS clients to resolve host names by answering

queries and update requests.

Answer: C Explanation:SRV records are required for clients to locate hosts that provide required services. The Netlogon service registers a set of default SRV resource records on the DNS server. However, the exhibit indicates that the NetLogon service is stopped on DC1. We should restart this service.

Incorrect Answers: A: The global catalog is the central repository of information about Active Directory objects in a tree or forest.

The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not affect the forest level.

B: DHCP is used to assign IP configurations to DHCP clients. However, the SVR records are missing. We will thus not be able to locate the DHCP server.

D: The DNS server does not have the SRV records. Restarting the DNS service will not generate these records. We should start the NetLogon service.

Reference:Server Help - NetLogon

QUESTION NO: 26 You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003.

The forest contains several Active Directory sites that represent branch offices and a site named MainOffice that represent the central data center. A site named Branch1 contains one domain controller named Server1 that is not a global catalog server. The MainOffice site contains one domain controller named Server2 that is a global catalog server.

You need to use universal group membership caching in the Branch1 site.


70 - 293


- 235 -

Which component or components should you configure?

To answer, select the appropriate component or components in the work area.

Answer: Select the �NTDS Site Settings� for the Branch1 office in the right hand pane.

Explanation:Universal group membership caching, is enabled or disabled in the NTDS Settings Properties dialog box of the Active Directory Sites and Services console. This must be performed in the site where you want to enable universal group membership caching, i.e., in the Branch1 site.

Reference:MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 5-41 to 5-45, 5-48 to 5-50.


70 - 293


- 236 -

Syngress Press, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, 2003, pp. 31, 543, 547, 550-552.

QUESTION NO: 27 You are a network administrator for TestKing, which has five regional offices and 3,000 branch offices. Each branch office contains 10 users. Branch offices are connected to the nearest regional office by a 56-Kbps WAN connection.

The network consists of a single Active Directory forest that contains one domain for each regional office. All servers run Windows Server 2003. Each branch office contains one domain controller that is configured as an additional domain controller in the regional domain for the branch office. The site link between each branch office and the corresponding regional domain is configured to replicate every 30 minutes.

Users in the branch office report that applications respond slowly when they access resources in the corresponding regional office. You monitor the WAN connection that connects several of the branch offices and discover that utilization increases from 30 percent to more than 90 percent on a regular basis.

You need to improve the response time of applications when they access resources in the regional office. You need to ensure that users can log on without using cached credentials if the WAN connection fails.

What should you do?

A. Remove Active Directory from the file and print server in each branch office. On the site link between each branch office and the corresponding regional office, increase the replication interval.

B. Enable universal group membership caching in each branch office. Configure the site link between each branch office and the corresponding regional office to be available only during off-peak hours.

C. Configure the domain controller in each branch office as a global catalog server. D. On the site link between each branch office and the corresponding regional office, decrease the

replication interval.

Answer: D Explanation:Response times for that application are slow because replication traffic is too much. Decreasing the replication schedule will reduce the amount of replication traffic by allowing amounts of changes to be replicated.

Incorrect Answers: A: Increasing the replication interval will increase the amount of changes that must be replicated at a time. This

might increase replication traffic.


70 - 293


- 237 -

B: We don�t want to use cached credentials. C: The global catalog is the central repository of information about Active Directory objects in a tree or forest.

The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not control replication.


Syngress Press, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, 2003, pp. 449-452, 458, 458-459.


TestKing�s written security policy requires that all administrative passwords be changed every 30 days. You configure the domain security policy to enforce the written security policy. A security audit reveals that the password used to log on to domain controllers in Directory Services Restore mode is 10 months old.

You need to ensure that all passwords are changed in accordance with the written security policy. You must accomplish this task without causing disruption to user access.

What should you do?

A. Restart each domain controller in Directory Services Restore More. Use Computer Management to reset the password for the Administrator account.

B. Use the Ntdsutil utility to reset the password on each domain controller for Directory Services Restore Mode.

C. Configure the Domain Controller Security Policy to enforce the written security policy. D. Reset the Administrator password by using Active Directory Users and Computers.

Answer: B Explanation:In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password.

Incorrect Answers:


70 - 293


- 238 -

A: Restarting the domain controllers will cause a disruption in user access. C: The Domain Controller Security Policy is enforced when the domain controller is booted and can be

refreshed at set intervals. However, the Directory Service Restore Mode Administrator password is a user account setting, not a computer account setting and should be enforced when t he user logs on.

D: Directory Service Restore Mode Administrator password cannot be set in Active Directory Users and Computers.

References: MS Knowledgebase Article 322672: How to reset the Directory Service Restore Mode Administrator Account Password in Windows Server 2003.

MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 2-49 to 2-53.

QUESTION NO: 29 You are the Network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. The user accounts for the processing department are located in an Organizational Unit (OU) named processing.

You need to deploy an application to all users in the processing department. You create a Group Policy Object (GPO) and link it to the processing OU. You place the .msi file for the application in a shared folder on the network. You configure the User Configuration section of the GPO to deploy the application.

You need to ensure that the application is immediately ready for use when a user logs on to a client computer. You also need to prevent any user from continuing to use the application if the user�s user account is moved to another OU.

What should you do?


70 - 293


- 239 -

Answer:


70 - 293


- 240 -

Select the following check boxes: 1. Assigned.2. Uninstall this application when it falls out of the scope of management. 3. Install this application at logon. 4. Basic

Explanation:We need to assign the application to the users and select the �Install this application at logon� option to ensure that the application is immediately ready for use when a user logs on to a client computer. To prevent any user from continuing to use the application if the user�s user account is moved to another OU, we need to select the �Uninstall this application when it falls out of the scope of management� option. The �Basic� option ensures that the application installs with minimal (or no) user intervention.

Reference:Jill Spealman, Kurt Hudson, and Melissa Craft; MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

QUESTION NO: 30


70 - 293


- 241 -

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one forest root domain named testking.com and two child domains named europe.testking.com and usa.testking.com. The functional level of the forest is Windows 2000 native.

The testking.com domain contains a Windows 2000 Server domain controller named TestKing3 that is running Service Pack 4 or later. You take TestKing3 offline. You also remove all references to TestKing3 from the Configuration container in Active Directory.

Five days later, you upgrade all remaining domain controllers to Windows Server 2003. You then raise the functional level of the forest to Windows Server 2003.

You need to integrate TestKing3 into the new Active Directory infrastructure. You want TestKing3 to be an additional domain controller of the europe.testking.com domain.

What should you do?

A. Upgrade TestKing3 to Windows Server 2003. Add the computer account for TestKing3 into the Computers container of the europe.testking.com domain.

B. Demote TestKing3 to a Windows 2000 member server by running the dcpromo /forceremovalcommand. Upgrade TestKing3 to a Windows Server 2003 member server. Run the dcpromo command to promote TestKing3 to be an additional domain controller of the europe.testking.com domain.

C. Demote TestKing3 to a Windows 2000 member server by running the dcpromo /forceremovalcommand. Add the computer account for TestKing3 into the Domain Controllers organizational unit (OU) of the europe.testking.com domain.

D. Upgrade TestKing3 to Windows Server 2003. Add the computer account for TestKing3 into the Domain Controllers organizational unit (OU) of the europe.testking.com domain.

Answer: B Explanation:Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows 2000 domain controller to the forest. We would need to upgrade the Windows 2000 domain controller to Windows Server 2003. However, we must first demote the Windows 2000 domain controller and then upgrade it to Windows Server 2003. Add it to the network and then promote it.

Incorrect Answers: A, D: If we upgrade the Windows 2000 domain controller to Windows Server 2003 while it is disconnected

from the network, the upgraded computer will assume that it is the first domain controller for the domain. It will then old the RID, Global Catalog and Schema Master roles. This will cause a conflict when we eventually add the domain controller to the network.

C: Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows 2000 server to the forest.

Reference:


70 - 293


- 242 -

MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 4-24 to 4-37.

QUESTION NO: 31 You are a network administrator for TestKing.com. The network consists of two Active Directory domains with three sites. All servers run Windows Server 2003. TestKing has offices in three cities and each office is configured as a separate site. The network configuration is shown in the exhibit.

The company has 1,750 users in the Paris office, 1,750 users in the Rome office, and 25 users in the Bonn office. Global catalog servers are configured in each site. Automatic site link bridging is disabled.

A written company policy requires that no WAN connection exceed 70 percent peak utilization. You examine the WAN connection between the Rome and Paris offices and discover that the utilization reaches 95 percent during Active Directory replication.

You need to reduce the WAN traffic associated with the Active Directory replication on the connection between the Rome and Paris offices. You need to ensure that users in the Rome office can log on to the domain if a WAN connection fails.


70 - 293


- 243 -

What should you do?

A. Decrease the replication interval on the site link connecting the Paris and Rome sites. B. Remove the global catalog server from the Rome office. C. Enable universal group membership caching in the Rome site. D. Enable slow link detection in the Default Domain Policy Group Policy object (GPO) in the

rome.testking.com domain. E. Configure a site link bridge between the site link that connects the Rome and Paris sites and the site link

that connects the Paris and Bonn sites.

Answer: C check Section2 Part4 A Q6 in 294


QUESTION NO: 32 You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest and of all three domains is Windows Server 2003. TestKing has a main office and 30 branch offices. Each branch office is connected to the main office by a 56-Kbps WAN connection.

You configure the main office and each branch office as a separate Active Directory site. You deploy a Windows Server 2003 domain controller at the main office and at each branch office. Each domain controller is configured as a DNS server.

You can log on to the network from client computers in the branch offices at any time. However, users in the branch offices report that they cannot log on to the network during peak hours.

You need to allow users to log on to the network from branch office computers. You do not want to affect the performance of the branch office domain controllers. You need to minimize Active Directory replication traffic across the WAN connections.

What should you do?

A. Use Active Directory Sites and Services to enable universal group membership caching for each branch office site.


70 - 293


- 244 -

B. Use the DNS console to configure the branch office DNS servers to forward requests to a DNS server in the main office.

C. Use Active Directory Sites and Services to configure each branch office domain controller as a global catalog server.

D. Use the DNS console to configure the branch office DNS servers to use an Active Directory-integrated zone.

Answer: A Explanation:When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the user logon information. If a global catalog is not available when a user initiates a network logon process, the user is able to log on only to the local computer unless the site has been specifically configured to cache universal group membership lookups when processing user logon attempts. In this scenario the domain controller must contact the global catalog server across a WAN link that is saturated. Enabling universal group membership caching will overcome this problem.

Incorrect Answers: B: When users log on, the requests are sent to the global catalog not he DNS server. C: Configure each branch office domain controller as a global catalog server would result in increased

replication traffic. We want to avoid this. D: An Active Directory-integrated zone is a DNS zone that is part of Active Directory and is part of Active

Directory replication. Making the DNS zone a part of Active Directory will not overcome logon latency and will lead to an increase in replication traffic.


QUESTION NO: 33 You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains three Windows Server 2003 domain controllers.

You are creating the recovery plan for TestKing. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller.

Your recovery plan must incorporate the following organizational requirements:

Active Directory objects that are accidentally or maliciously deleted must be recoverable. Active Directory must be restored to its most recent state as quickly as possible. Active Directory database replication must be minimized.


70 - 293


- 245 -

You need to create a plan to restore a deleted organizational unit (OU).

Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Restart a domain controller in Directory Services Restore Mode. B. Restart a domain controller in Safe Mode. C. Use the Ntdsutil utility in Safe Mode. D. Restore the system state by using the Always replace the file on my computer option. E. Use the Ntdsutil to perform an authoritative restore operation of the appropriate subtree.

Answer: A, E Explanation:If an OU gets deleted from the Active Directory, we can restore it from a backup of the system state data. Directory Services Restore Mode is a sort of safe mode in which we can boot a domain controller without loading the Active Directory. This will enable us to restore all or part of the Active Directory database. To ensure that the deleted OU isn�t deleted again by replication from another domain controller, we must use the Ntdsutil utility to mark the restored subtree as authoritative.

Incorrect Answers: B: To restore part of the Active Directory, we must start a domain controller in Directory Services Restore

Mode, not safe mode. C: We don�t need to restore the entire Active Directory database; we can just restore part of it. D: This will overwrite the existing Active Directory database.

References: MS Press: MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, 2004, pp. 2-49 to 2-53.

QUESTION NO: 34 Network Diagram


70 - 293


- 246 -

You notice that after the forest trust relationship is deleted, the membership lists for some of the domain local groups are no longer accurate. When you view a membership list, it contains entries without user-friendly names. A sample is shown in the Membership List exhibit. **MISSING**

You need to delete all the unknown groups from the membership list for the domain local groups. You want to achieve this goal by using the minimum amount of administrative effort, and without modifying the access to resources for users in the testking.com forest.

What should you do?

A. Create new domain local groups. Add the required global groups from the testking.com forest to the domain local groups. Grant appropriate permissions to the domain local groups. Delete the original domain local groups.

B. Re-create the trust relationship between testking.com forest and the fabrikam.com forest. Delete all fabrikam.com global accounts from the domain local group membership lists. Delete the trust relationship between the two forests.

C. Verify all remaining trust relationships. Then delete the unknown accounts from the domain local groups.


70 - 293


- 247 -

D. Delete all the affected domain local groups. Re-create the groups. Add the appropriate global groups from the testking.com forest to the groups. Grant appropriate permissions to the domain local groups.

Answer: C


Documents

TestKing 70-293 v21