Exam Name: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Exam Type: Microsoft
Exam Code: 70-293
Doc Type: Q & A with Explanations
Total Questions: 223

Question: 1
You are a network administrator for Examsheets. The network consists of an intranet and a perimeter network, as shown in the work area. The perimeter network contains:
• One Windows Server 2003, Web Edition computer named Examsheets1.
• One Windows Server 2003, Standard Edition computer named Examsheets2.
• One Windows Server 2003, Enterprise Edition computer named Examsheets3.
• One Web server farm that consists of two Windows Server 2003, Web Edition computers.
All servers on the perimeter network are members of the same workgroup. The design team plans to create a new Active Directory domain that uses the existing servers on the perimeter network. The new domain will support Web applications on the perimeter network. The design team states that the perimeter network domain must be fault tolerant.
You need to select which server or servers on the perimeter network need to be configured as domain controllers. Which server or servers should you promote?
To answer, select the appropriate server or servers in the work area.
Answer: Promote Examsheets2 and Examsheets3.
Explanation: Windows Server 2003, Web Edition cannot be promoted to a domain controller, and fault tolerance for the domain requires at least two domain controllers. Promote the two servers that are not running Web Edition: Examsheets2 (Standard Edition) and Examsheets3 (Enterprise Edition).
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294), Que Publishing, Indianapolis, 2004, Chapter 1
Question: 2
You are a network administrator for Examsheets. The network consists of a single Active Directory domain and contains Windows Server 2003 computers. You install a new service on a server named Examsheets3. The new service requires that you restart Examsheets3. When you attempt to restart Examsheets3, the logon screen does not appear.
You turn off and then turn on the power for Examsheets3. The logon screen does not appear. You attempt to recover the failed server by using the Last Known Good Configuration startup option. It is unsuccessful. You attempt to recover Examsheets3 by using the Safe Mode startup options. All Safe Mode options are unsuccessful. You restore Examsheets3. Examsheets3 restarts successfully. You discover that Examsheets3 failed because the new service is not compatible with a security patch.
You want to configure all servers so that you can recover from this type of failure by using the minimum amount of time and by minimizing data loss. You need to ensure that in the future, other services that fail do not result in the same type of failure.
What should you do?
A. Use Add or Remove Programs.
B. Install and use the Recovery Console.
C. Use Automated System Recovery (ASR).
D. Use Device Driver Roll Back.
Answer: B
Explanation:
• We know that the new service causes the failure.
• We want the minimum amount of time and the minimum data loss.
• We want a solution for all servers.
• We want to make sure that other services that fail do not result in the same type of failure.
The Recovery Console is a text-mode command interpreter that can be used without starting Windows Server 2003. It allows you to access the hard disk and use commands to troubleshoot and manage problems that prevent the operating system from starting properly. In particular, its listsvc and disable commands let you set a failing service's startup type to Disabled so that the server boots normally again, without reinstalling or restoring anything. Installing it in advance on every server (winnt32 /cmdcons) makes it available from the boot menu when a server will no longer start.
Incorrect Answers:
A: Add or Remove Programs requires a running operating system and an interactive logon; it cannot be used when the server does not start.
C: Automated System Recovery returns a system to operation by reinstalling the operating system and restoring System State from an ASR backup set. This takes longer and loses any data changed since the backup, and it does nothing about the failing service itself.
D: Device Driver Roll Back deals with device drivers, not services, and also requires a running operating system.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, p. 120
Question: 3
You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The network contains 80 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed. Examsheets is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers.
You are planning a baseline security configuration for the Web servers. The company's written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled:
• SMTP
• Telnet
Your plan for the baseline security configuration for Web servers must comply with the written security policy. You need to ensure that unnecessary services are always disabled on the Web servers.
What should you do?
A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU.
B. Create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Web Servers OU.
C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU.
D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU.
Answer: C
Explanation: The Web servers have been moved to an OU.
This makes it easy to configure the Web servers by using Group Policy. Under Computer Configuration, Windows Settings, Security Settings, System Services, a GPO linked to the Web Servers OU can set the startup type of the SMTP and Telnet services to Disabled. The Security Settings extension reapplies its settings periodically even when the GPO has not changed (every 16 hours by default), so a service that someone re-enables locally is disabled again automatically.
Incorrect Answers:
A: A logon script runs only when someone logs on to a Web server. Web servers normally run with no one logged on.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: A startup script would run only when a server is restarted, and stopping a service does not change its startup type. Group Policy settings are refreshed at regular intervals.
Question: 4
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The functional level of the domain is Windows Server 2003. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The domain consists of the containers shown in the exhibit.
All production server computer accounts are located in an organizational unit (OU) named Servers. All production client computer accounts are located in an OU named Desktops. There are Group Policy objects (GPOs) linked to the domain, to the Servers OU, and to the Desktops OU.
The company recently added new requirements to its written security policy. Some of the new requirements apply to all of the computers in the domain, some requirements apply to only servers, and some requirements apply to only client computers. You intend to implement the new requirements by making modifications to the existing GPOs.
You configure 10 new Windows XP Professional computers and 5 new Windows Server 2003 computers in order to test the deployment of settings that comply with the new security requirements by using GPOs. You use the Group Policy Management Console (GPMC) to duplicate the existing GPOs for use in testing.
You need to decide where to place the test computer accounts in the domain. You want to minimize the amount of administrative effort required to conduct the test while minimizing the impact of the test on production computers. You also want to avoid linking GPOs to multiple containers.
What should you do?
A. Place all test computer accounts in the Examsheets.net container.
B. Place all test computer accounts in the Computers container.
C. Place the test client computer accounts in the Desktops OU and the test server computer accounts in the Servers OU.
D. Create a child OU under the Desktops OU for the test client computer accounts. Create a child OU under the Servers OU for the test server computer accounts.
E. Create a new OU named Test under the Examsheets.net container. Create a child OU under the Test OU for the test client computer accounts. Create a second child OU under the Test OU for the test server computer accounts.
Answer: E
Explanation: To minimize the impact of the test on production computers, create a Test OU with child OUs for the server and the client computer accounts. The duplicated GPO that carries the settings common to servers and clients is linked once, to the Test OU, and the duplicated GPOs with server-only or client-only settings are linked to the appropriate child OU. Nothing is linked to the production OUs, and no GPO needs more than one link.
Incorrect Answers:
A: The domain container gives no way to scope server-only and client-only settings separately, and the GPOs already linked to the domain would apply to the test computers.
B: The Computers container is not an OU, so GPOs cannot be linked to it, and it cannot separate the servers from the client computers.
C: This solution would apply the new settings to existing production computers.
D: This could work, but it would require more Group Policy links.
For example, the GPO settings that need to apply to both the servers and the client computers would need to be linked to both OUs. It is easier to link the GPO to a single parent OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 29-30
Question: 5
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The network contains a Windows Server 2003 member server named ExamsheetsSrvA. The network also contains a Windows XP Professional computer named Client1. You use Client1 as an administrative computer.
You plan to use Microsoft Baseline Security Analyzer (MBSA) on Client1 to analyze ExamsheetsSrvA. However, the recent application of a custom security template disabled several services on ExamsheetsSrvA. You need to ensure that you can use MBSA to analyze ExamsheetsSrvA.
Which two services should you enable?
To answer, select the appropriate services to enable in the dialog box.
Answer: Enable the Remote Registry service and the Server service on ExamsheetsSrvA.
Explanation: The Remote Registry and Server services should be enabled. Both are reached over SMB (TCP 139 and 445), so if the custom template disabled them to reduce the server's exposure, restrict who can connect to them (for example with an IPSec filter that permits only Client1) rather than leaving them open to the whole network. The following are the requirements for a computer running the tool that is scanning a remote machine (or machines):
• Windows Server 2003, Windows 2000, or Windows XP
• Internet Explorer 5.01 or greater
• An XML parser (MSXML version 3.0 SP2 or later) is required in order for the tool to function correctly.
Systems not running Internet Explorer 5.01 or greater will need to download and install an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you opt not to install the XML parser that is bundled with the tool, see the notes below on obtaining an XML parser separately.
• The IIS Common Files are required on the computer on which the tool is installed if performing remote scans of IIS computers.
• The following services must be enabled: Workstation service and Client for Microsoft Networks.
The following are the requirements for a computer to be scanned remotely by the tool:
• Windows NT 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows XP computers that use simple file sharing), or Windows Server 2003
• IIS 4.0, 5.0, 6.0 (required for IIS vulnerability checks)
• SQL 7.0, 2000 (required for SQL vulnerability checks)
• Microsoft Office 2000, XP (required for Office vulnerability checks)
• The following services must be installed/enabled: Server service, Remote Registry service, File & Print Sharing
Reference: From the readme file for MBSA; Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12:50-51
Question: 6
You are the senior systems engineer for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. Client computers in the sales department run Windows NT Workstation 4.0 with the Active Directory Client Extension software installed. All other client computers run Windows XP Professional. All servers are located in an organizational unit (OU) named Servers. All client computers are located in an OU named Desktops.
Four servers contain confidential company information that is used by users in either the finance department or the research department. Users in the sales department also store files and applications on these servers. The company's written security policy states that for auditing purposes, all network connections to these resources must require authentication at the protocol level. The written security policy also states that all network connections to these resources must be encrypted. The Examsheets budget does not allow for the purchase of any new hardware or software. The applications and data located on these servers may not be moved to any other server in the network.
You define and assign the appropriate permissions to ensure that only authorized users can access the resources on the servers. You now need to ensure that all connections made to these servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy. You also need to ensure that all users in the sales department can continue to access their resources.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Secure Server (Require Security) IPSec policy in the GPO.
B. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Server (Request Security) IPSec policy in the GPO.
C. Create a new Group Policy object (GPO) and link it to the Desktops OU. Enable the Client (Respond Only) IPSec policy in the GPO.
D. Create a new Group Policy object (GPO). Edit the GPO to enable the Registry Policy Processing option and the IP Security Policy Processing option. Copy the GPO files to the Netlogon shared folder.
E. Use the System Policy Editor to open the System.adm file and enable the Registry Policy Processing option and the IP Security Policy Processing option. Save the system policy as NTConfig.pol.
Answer: B, C
Explanation: We need to ensure that the connections made to the servers by the users in the finance department and in the research department meet the guidelines stated by the written security policy. The computers in these departments run Windows XP Professional, so we can enable IPSec communication between the servers and these clients; in a domain the default IPSec policies authenticate the peers with Kerberos (authentication at the protocol level) and negotiate ESP as the preferred security method (encryption). However, the sales users run Windows NT Workstation 4.0, which cannot use IPSec. To ensure that the NT clients can still communicate with the servers, assign the Server (Request Security) IPSec policy to the servers and the Client (Respond Only) IPSec policy to the client computers: the servers request IPSec from every peer, secure the connections from the Windows XP computers that respond, and fall back to unprotected communication with peers that do not.
Incorrect Answers:
A: Secure Server (Require Security) is intended for computers working with sensitive data that must be secured at all times. It refuses unsecured traffic, so the Windows NT computers in the sales department would lose access.
D: Registry Policy Processing specifies how Registry policies are processed, such as whether Registry policies can be applied during periodic background processing. IP Security Policy Processing specifies how IP security policies are updated. Copying the GPO files to the Netlogon shared folder only makes them readable by all authenticated users; it does not assign an IPSec policy to anything.
E: In Windows Server 2003 operating systems, the Group Policy Object Editor replaces the System Policy Editor.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapters 5 and 11
Question: 7
You are the systems engineer for Examsheets. The company has a main office in Las Palmas and two branch offices, one in Barcelona and one in Madrid. The offices are connected to one another by dedicated T1 lines. Each office has its own local IT department and administrative staff.
The company network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. All servers support firmware-based console redirection by means of the serial port. The server hardware does not support any other method of console redirection and cannot be upgraded to do so.
The company is currently being reorganized. The IT department from each branch office is being relocated to a new central data center in the Las Palmas office. Several servers from each branch office are also being relocated to the Las Palmas data center. Each branch office will retain 10 servers.
A new written security policy includes the following requirements:
• All servers must be remotely administered for all administrative tasks.
• All servers must be administered from the Las Palmas office.
• All remote administration connections must be authenticated and encrypted.
Your current network configuration already adheres to the new written security policy for day-to-day server administration tasks performed on the servers. You need to plan a configuration for out-of-band management tasks for each office that meets the new security requirements.
Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)
A. Connect each server's serial port to a terminal concentrator. Connect the terminal concentrator to the network.
B. Connect a second network adapter to each server. Connect the second network adapter in each server to a separate network switch. Connect the management port on the switch to a WAN port on the office router. Enable IPSec on the router.
C. Enable Routing and Remote Access on a server in each branch office, and configure it as an L2TP/IPSec VPN server. Configure a remote access policy to allow only authorized administrative staff to make a VPN connection.
D. On each server, enable the Telnet service with a startup parameter of Automatic. Configure Telnet on each server to use only NTLM authentication. Apply the Server (Request Security) IPSec policy to all servers.
E. On each server, enable Emergency Management Services console redirection and the Emergency Management Services Special Administration Console (SAC).
Answer: A, C, E
Explanation: Out-of-band management must work when the operating system and its network stack are unavailable, so it has to use the serial port, the only console redirection the hardware supports. Emergency Management Services (EMS) redirects the console to the serial port and provides the Special Administration Console (SAC); a terminal concentrator makes the serial ports reachable from the network; and an L2TP/IPSec VPN into each branch office, restricted by remote access policy to administrative staff, gives the Las Palmas administrators an authenticated and encrypted path to the concentrator, because the serial connection itself carries no authentication or encryption.
The Special Administration Console Helper system service can be used to perform remote management tasks if the Windows Server 2003 family operating system stops functioning because of a Stop error. Its main functions are to:
• Redirect Stop error message explanatory text
• Restart the system
• Obtain computer identification information
The SAC is an auxiliary Emergency Management Services command-line environment that is hosted by Windows Server 2003 family operating systems. It accepts input and sends output through the out-of-band port. !SAC is a separate entity from both SAC and the Windows Server 2003 family command-line environments. After a specific failure point is reached, Emergency Management Services components determine when the shift should be made from SAC to !SAC.
!SAC becomes available automatically if SAC fails to load or is not functioning. If the Special Administration Console Helper service is stopped, SAC services will no longer be available. If this service is disabled, any services that explicitly depend on it will not start.
Incorrect Answers:
B: A second network adapter on a separate management switch is still in-band: it depends on the operating system and its network stack, which is exactly what out-of-band management must not rely on. It also makes no use of the serial console redirection the hardware provides.
D: Telnet is an in-band service that is unavailable once the operating system has stopped. Telnet's NTLM authentication protects the logon but does not encrypt the session, and the Server (Request Security) IPSec policy falls back to unprotected traffic for peers that do not negotiate IPSec, so the connection is not guaranteed to be encrypted.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 27
Question: 8
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003.
The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication.
You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits.
What should you do?
A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A
Explanation: The easiest way to deploy multiple security settings to Windows Server 2003 computers is to create a security template with all the required settings and import the template into a Group Policy object. Group Policy reapplies the settings on a routine basis, and secedit /analyze (or the Security Configuration and Analysis snap-in) compares a computer's current settings against the same template to verify them during an audit. The man-in-the-middle requirement is met by the template's security options, for example the LAN Manager authentication level (NTLMv2 only, refuse LM) and SMB signing settings.
Incorrect Answers:
B: An IPSec policy will not configure the required auditing or password policy.
C: We need a security template, not an Administrative Template. Administrative Templates deliver registry-based policy, not audit, password or security option settings.
D: A RIS image deploys identical machines once; it does not refresh the settings on a routine basis, and it gives no way to verify them.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57
Question: 9
You are a network administrator for Examsheets. The network consists of a single Active Directory forest. All domain controllers run Windows Server 2003. The bank decides to provide access to its mortgage application services from a real estate agency that has offices throughout the country. You install an Examsheets domain controller in each real estate agency office.
You need to further protect the domain controllers' user account databases from unauthorized access. You want to achieve this goal by using the minimum amount of administrative effort.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Use the system key utility (syskey) with the most secure security level on the domain controllers.
B. Create a Group Policy object (GPO), import the Securedc.inf security template, and apply the GPO to the domain controllers.
C. Create a Group Policy object (GPO), configure the Network security: LAN Manager authentication level security option to the Send NTLMv2 response only\refuse LM setting, and apply the GPO to the domain controllers.
D. Create a Group Policy object (GPO), import the DC security.inf security template, and apply the GPO to the domain controllers.
Answer: A, B
Explanation: On domain controllers, password information is stored in the directory service. It is not unusual for password-cracking software to target the Security Accounts Manager (SAM) database or the directory service to obtain the password hashes of user accounts. The System Key utility (Syskey) provides an extra line of defence against offline password-cracking software: it encrypts the stored password hashes with a system key. In mode 1 (the default) the key is stored on the computer itself, so an attacker with the disk can still recover it. Mode 3 is the most secure Syskey level, because it uses a computer-generated random key and stores the key on a floppy disk. This disk is required for the system to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer, so the disk must be kept away from the server; anyone holding both has undone the protection.
Secure (Secure*.inf) Template
The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses.
Incorrect Answers:
C: The Securedc.inf template already sets the Network security: LAN Manager authentication level option together with the other hardened settings, so importing the template is less effort than configuring the option by hand, and the option alone does nothing to protect the stored account database.
D: DC security.inf contains a large number of settings, and in particular a long list of file-system permission assignments. For this reason, you should not apply this template to a computer by using Group Policy.
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294), Que Publishing, Indianapolis, 2004, Chapter 8
Question: 10
You are a network administrator for Examsheets. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers, 300 Windows 2000 Professional computers, and 150 Windows XP Professional computers. According to the network design specification, the Kerberos version 5 authentication protocol must be used for all client computers on the internal network.
You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network.
What should you do?
A. On each domain controller, disable Server Message Block (SMB) signing and encryption of the secure channel traffic.
B. Replace all Windows 98 computers with new Windows XP Professional computers.
C. Install the Active Directory Client Extension software on the Windows 98 computers.
D. Upgrade all Windows 98 computers to Windows NT Workstation 4.0.
Answer: B
Explanation: By default, in a Windows Server 2003 domain, Windows 2000 and Windows XP clients use Kerberos as their authentication protocol. Windows 98 does not support Kerberos authentication, so the Windows 98 computers must be replaced.
Incorrect Answers:
A: This will not enable the Windows 98 clients to use Kerberos authentication.
C: The Active Directory Client Extension software adds NTLMv2 support and some Active Directory awareness to Windows 98, but it does not enable Windows 98 clients to use Kerberos authentication.
D: Windows NT 4.0 does not support Kerberos authentication.
Reference: J. C. Mackin & Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 39-42
Question: 11
You are the network administrator for Examsheets. The company has a main office and 20 branch offices. You recently completed the design of the company network. The network design consists of a single Active Directory domain named Examsheets.net. All domain controllers will run Windows Server 2003. The main office will contain four domain controllers, and each branch office will contain one domain controller. The branch office domain controllers will be administered from the main office.
You need to ensure that the domain controllers are kept up-to-date with software updates for Windows Server 2003 after their initial deployment. You want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention. You also want to configure the settings by using the minimum amount of administrative effort.
What should you do?
A. In System Properties, on the Automatic Updates tab, enable Keep my computer up to date, and then select Download the updates automatically and notify me when they are ready to be installed.
B. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 3 - Auto download and notify for install.
C. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 4 - Auto download and schedule the install.
D. In System Properties, on the Automatic Updates tab, enable Keep my computer up to date, and then select Automatically download the updates, and install them on the schedule that I specify.
Answer: C
Explanation: The question states that the domain controllers must install the updates automatically with the minimum amount of administrative intervention. The way to do this is to configure Automatic Updates with the option Auto download and schedule the install. The easiest way to configure all 24 domain controllers with this setting is a GPO linked to the Domain Controllers OU, which the Default Domain Controllers Policy already is. The drawback of this solution is that the domain controllers may restart automatically after the updates are installed. Scheduling the installation outside business hours minimizes the disruption; with a single domain controller per branch office, clients in that branch authenticate across the WAN to the main office while their domain controller restarts.
Incorrect Answers:
A: It is easier to configure the domain controllers by using Group Policy, and this option still requires an administrator to start the installation.
B: This solution will download the updates, but it will not install them until an administrator manually clicks the install button in the notification dialog box. Answer C automates the procedure further by scheduling the installation to occur at a set time without any further administrative intervention.
D: It is easier to configure the domain controllers by using Group Policy.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13: 8
Question: 12
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The company plans to deploy 120 Windows Server 2003 member servers as file servers in the domain.
The new file servers will be located in a single organizational unit (OU) named File Servers. The security department provides you with a security template that must be applied to the new file servers. You need to apply and maintain the security settings contained in the security template to the new file servers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. On a reference computer, use the Local Security Settings console to import the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer.
B. On a reference computer, run the secedit command to apply the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer.
C. Create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU.
D. On the PDC emulator master in the domain, run the secedit command to apply the security template.
Answer: C
Explanation:
We have a security template with the required security settings. We can simply import the template into a Group Policy object (Computer Configuration, Windows Settings, Security Settings, Import Policy) and link the GPO to the File Servers OU. Every server placed in that OU receives the settings, and a server added later gets them with no extra work.
Incorrect Answers:
A, B: Either of these would apply the settings once, but there is a catch in the question. It states that you must apply and maintain the settings. An imaged server keeps the settings only until somebody changes them; nothing puts them back. With a GPO the security settings are reapplied at every policy refresh (on domain members the security extension reapplies its settings every 16 hours even when the GPO has not changed), so local changes are undone and the settings are maintained.
D: This would have no effect on the file servers. secedit configures only the computer it runs on, and the PDC emulator role has nothing to do with distributing security settings.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004

Question: 13
You are a network administrator for Examsheets. The company consists of a single Active Directory domain named Examsheets.net. All client computers run Windows XP Professional. The company’s main office is located in Dallas. You are a network administrator at the company’s branch office in Boston. You create a Group Policy object (GPO) that redirects the Start menu for users in the Boston branch office to a shared folder on a file server.
Several users in Boston report that many of the programs that they normally use are missing from their Start menus. The programs were available on the Start menu the previous day, but did not appear when the users logged on today. You log on to one of the client computers. All of the required programs appear on the Start menu. You verify that users can access the shared folder on the server.
You need to find out why the Start menu changed for these users. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. In the Group Policy Management Console (GPMC), select the file server that hosts the shared folder and a user account that is in the Domain Admins global group and run Resultant Set of Policy (RSoP) in planning mode.
B. In the Group Policy Management Console (GPMC), select one of the affected user accounts and run Resultant Set of Policy (RSoP) in logging mode.
C. On one of the affected client computers, run the gpresult command.
D. On one of the affected client computers, run the gpupdate command.
E. On one of the affected client computers, run the secedit command.
Answer: B, C
Explanation:
We need to view the effective Group Policy settings for the affected users, or for the computers they are using. We can use either gpresult or RSoP. The programs appear when you log on but not when the affected users do, which points at a user-side setting (the Folder Redirection policy itself, or another policy that applies to them and not to you), and that is exactly what these tools report.
gpresult displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer (gpresult /user username /v lists that user's settings in detail).
RSoP overview: Resultant Set of Policy (RSoP) is an addition to Group Policy. RSoP provides details about all policy settings that are configured by an administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. RSoP consists of two modes: planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing policy settings for a computer and the user that is currently logged on.
Incorrect Answers:
A: We need the policy that was actually applied to an affected user on the user's computer, not a simulation for a Domain Admins account on the file server.
D: gpupdate is the tool used to refresh the policy settings in Windows XP and Windows Server 2003. It reports nothing about what was applied.
E: secedit (with /refreshpolicy) was the tool used to refresh policy in Windows 2000 Professional and Server. Like gpupdate, it does not report the effective settings.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 35

Question: 14
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. Examsheets’s perimeter network contains 50 Web servers that host the company’s public Internet site. The Web servers are not members of the domain.
The network design team completed a new design specification for the security of servers in specific roles. The network design requires that security settings must be applied to Web servers. These settings include password restrictions, audit settings, and automatic update settings.
You need to comply with the design requirements for securing the Web servers. You also want to be able to verify the security settings and generate a report during routine maintenance. You want to achieve these goals by using the minimum amount of administrative effort.
What should you do?
A. Create a custom security template named Web.inf that contains the required security settings. Create a new organizational unit (OU) named WebServers and move the Web servers into the new OU. Apply Web.inf to the WebServers OU.
B. Create a custom security template named Web.inf that contains the required security settings, and deploy Web.inf to each Web server by using Security Configuration and Analysis.
C. Create an image of a Web server that has the required security settings, and replicate the image to each Web server.
D. Manually configure the required security settings on each Web server.
Answer: B
Explanation:
The easiest way to deploy multiple security settings to Windows Server 2003 computers that are not in a domain is to create a security template with all the required settings and apply it with the Security Configuration and Analysis snap-in (or its command-line equivalent, secedit /configure). The same tool satisfies the second requirement: Analyze Computer Now (secedit /analyze) compares the server's current settings with the template and records every mismatch in the analysis database and log, which is the report the question asks for during routine maintenance.
Incorrect Answers:
A: The Web servers aren’t members of the domain. Therefore they cannot be moved to an OU in Active Directory, and a GPO cannot reach them.
C: Re-imaging 50 servers that are already in service is not a minimum-effort option, and an image gives no way to verify the settings against the template or to generate a report afterwards.
D: This is a long way of doing it. A security template would simplify the task, and manual configuration leaves nothing to verify against.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57

Question: 15
You are a network administrator for Examsheets Inc.
The network consists of a single Active Directory forest as shown in the exhibit.
Examsheets’s written security policy requires that all domain controllers in the child1.Examsheets.net domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the ability to start a domain controller to the Domain Admins group.
You need to configure the domain controllers in the child1.Examsheets.net domain to meet the new security requirements. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.Examsheets.net domain.
B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.Examsheets.net domain.
C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.Examsheets.net domain.
D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.Examsheets.net domain.
E. Run the system key utility (syskey) on each domain controller in the child1.Examsheets.net domain. In the Account Database Key dialog box, select the Password Startup option.
F. Run the system key utility (syskey) on each domain controller in the child1.Examsheets.net domain. In the Account Database Key dialog box, select the Store Startup Key Locally option.
Answer: C, E
Explanation:
Secure (Secure*.inf) templates
The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses. The setting behind this is the LAN Manager authentication level (the LmCompatibilityLevel value under HKLM\System\CurrentControlSet\Control\Lsa). Before deploying, open the template and check the level it sets against what the written policy means by "only NTLMv2": refusing NTLM as well as LM is the behaviour of the Highly Secure (hisec*.inf) templates.
• In order to apply Securews.inf to a member computer, all of the domain controllers that contain the accounts of all users that log on to the client must run Windows NT 4.0 Service Pack 4 or higher.
Securedc.inf is the domain controller variant, and the Default Domain Controllers Policy GPO is the one linked to the Domain Controllers OU, so importing the template there affects exactly the domain controllers.
The system key utility (syskey)
Syskey encrypts the account password information stored in the SAM database or in Active Directory. By running syskey with the Password Startup option, the key that protects the directory is derived from a password that has to be typed at the console each time the server starts. Starting the domain controllers is therefore restricted to the people who know this password, which you give only to the Domain Admins group. (The password is a shared secret that cannot be tied to group membership, so distribute and rotate it accordingly.)
Incorrect Answers:
A, B: The Rootsec.inf security template defines permissions for the root of the system drive. It can be used to reapply the root directory permissions to other volumes; it has nothing to do with authentication levels.
D: We need to apply the policy to the Domain Controllers container, not to the entire domain.
F: Syskey is used to encrypt the account password information that is stored in the SAM database or in Active Directory. By selecting Store Startup Key Locally, the computer stores an encrypted version of the key on the local computer and starts without asking anybody for anything. This doesn’t help in controlling who can start the domain controllers.
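The template-based approach in Questions 12 and 14 and the LAN Manager authentication requirement in Question 15 all come down to the same file format and the same tool, so here is one worked example, added to this guide and not taken from Microsoft or from the exam references. It writes a custom template covering what Question 14 asks for (password restrictions, audit settings, automatic update settings that point the servers at a SUS server) together with the NTLMv2-only authentication level from Question 15, applies it with secedit /configure, and then runs the secedit /analyze check on which a maintenance report would be based. The folder C:\Templates, the template name Web.inf, the SUS URL http://sus.examsheets.net and the specific password, audit and schedule values are assumptions chosen for illustration. The Automatic Updates policy keys are carried as plain [Registry Values] entries; this assumes secedit applies entries that the Security Templates snap-in does not display (the snap-in shows only values registered in sceregvl.inf), and if your environment differs, set those keys through the Windows Update administrative template instead. On the domain-joined file servers of Question 12 the same Web.inf is imported into a GPO rather than applied locally.

```powershell
# Added example for this guide (not from the exam references). Run in an elevated PowerShell
# on the server being configured. Paths, URL and values are assumptions for illustration.
$TemplateDir  = 'C:\Templates'
$TemplatePath = Join-Path $TemplateDir 'Web.inf'
$DatabasePath = Join-Path $TemplateDir 'Web.sdb'
$LogPath      = Join-Path $TemplateDir 'Web.log'

# Security template in the .inf format read by secedit and Security Configuration and Analysis.
# [Event Audit]: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
# [Registry Values]: path=type,value with type 1 = REG_SZ and 4 = REG_DWORD.
# LmCompatibilityLevel 5 = send NTLMv2 responses only, refuse LM and NTLM ("only NTLMv2").
# AUOptions 4 = auto download and schedule the install; day 0 = every day; time 3 = 03:00.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
MaximumPasswordAge = 42
PasswordHistorySize = 24
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer=1,"http://sus.examsheets.net"
MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer=1,"http://sus.examsheets.net"
MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer=4,1
MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions=4,4
MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay=4,0
MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime=4,3
'@

function Write-SecurityTemplate {
    # Templates are Unicode text files (the [Unicode] section says so), so write them that way.
    if (-not (Test-Path $TemplateDir)) { New-Item -ItemType Directory -Path $TemplateDir | Out-Null }
    $Template | Out-File -FilePath $TemplatePath -Encoding Unicode
}

function Invoke-TemplateConfigure {
    # Builds a fresh analysis database from the template and applies it to the local computer.
    & secedit.exe /configure /db $DatabasePath /cfg $TemplatePath /overwrite /log $LogPath /quiet
}

function Get-TemplateMismatches {
    # Routine maintenance check: compares the live settings with the template and returns the
    # "Mismatch" lines secedit writes to the log, one per setting that has drifted.
    & secedit.exe /analyze /db $DatabasePath /cfg $TemplatePath /log $LogPath /quiet
    Select-String -Path $LogPath -Pattern 'Mismatch' | ForEach-Object { $_.Line.Trim() }
}

Write-SecurityTemplate
Invoke-TemplateConfigure
$Drift = @(Get-TemplateMismatches)
if ($Drift.Count -eq 0) { 'All settings match Web.inf' } else { $Drift }
```

Running only Get-TemplateMismatches on a schedule, and keeping Web.log from each run, gives the report the question asks for; a non-empty result means somebody changed a setting by hand since the template was applied, and a second Invoke-TemplateConfigure puts it back.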
Reference: http://www.microsoft.net/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/syskey_concept.asp
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 24-26
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

Question: 16
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All member servers run Windows Server 2003. All client computers run Windows XP Professional. All client computer accounts in the domain are located in an organizational unit (OU) named Workstations.
You need to distribute a new application to all client computers on the network. You create a Group Policy object (GPO) that includes the application package in the software installation settings of the Computer Configuration section of the GPO. You assign the GPO to the Workstations OU. Several days later, users report that the new application is still not installed on their client computers.
You need to ensure that the application is installed on all client computers. What should you do?
A. Instruct users to restart their client computers.
B. Instruct users to run Windows Update on their client computers.
C. Instruct users to force a refresh of the computer policy settings on their client computers.
D. Instruct users to force a refresh of the user policy settings on their client computers.
Answer: A
Explanation:
When an application is assigned to a computer, the software is deployed when it is safe to do so (that is, when the operating system files are closed). This means that the software is installed when the computer starts up, which ensures that the application is deployed before any user logs on. Software installation is one of the Group Policy extensions that is processed only at startup, never during the periodic background refresh, so a computer that has stayed on for several days has received the GPO but has never had a chance to install the package. For this scenario, we need to tell the users to restart their client computers.
Incorrect Answers:
B: Windows Update is used to update the operating system with the latest security patches and so on; it does not install applications deployed through Group Policy.
C: You applied the policy several days ago, so the client computers already have the GPO. A forced refresh (gpupdate /force) does not run software installation; at most it offers to restart the computer, which is answer A.
D: The setting isn’t in the User Configuration section of the GPO.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 29-30

Question: 17
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. Examsheets merges with a company named Acme. You need to create new user accounts for all of the Acme employees. The e-mail address format for all users at Acme is alias@acme.net. The users need to continue to use their e-mail addresses after the merger. To decrease confusion, these users also need to be able to use their e-mail addresses as their user logon names when logging on to the company network.
You need to ensure that new users can log on by using their e-mail addresses as their logon names. You want to achieve this goal by incurring the minimum cost and by using the minimum amount of administrative effort.
What should you do?
A. Create a new domain tree named acme.net in the Examsheets.net forest. Create user accounts for all of the users in the acme.net domain.
B. Create a new forest named acme.net. Create user accounts for all of the users in the acme.net domain. Configure a forest trust relationship between the two forests.
C. Create user accounts for all of the new users in the Examsheets.net domain. Configure the e-mail addresses for all of the Acme users as alias@acme.net.
D. Configure acme.net as an additional user principal name (UPN) suffix for the Examsheets.net forest. Configure each user account to use the acme.net UPN suffix.
Answer: D
Explanation:
You can simplify the logon process for users by enabling UPN logon. A UPN is made up of the user's logon name and a suffix separated by @, and by default the suffix is the DNS name of the user's domain. Additional suffixes are defined once for the whole forest in Active Directory Domains and Trusts; after that, any user account in any domain of the forest can be given the acme.net suffix, so the Acme users log on as alias@acme.net, exactly as their e-mail addresses read. Because the suffix is not tied to a domain, users' logon names remain the same even when their accounts later move between domains.
You might choose to enable UPN logon if:
• Domain names in your enterprise are complex and difficult to remember.
• Users in your organization might change domains as a result of domain consolidation or other organizational changes.
UPN logon requires that:
• All domains in the forest are in native mode.
• User logon names are unique within the forest.
• A global catalog server is available to match the UPN to the correct domain account.
You can use one UPN suffix for all users in the forest.
Incorrect Answers:
A, B: Creating a new domain tree or a new forest named acme.net means deploying additional domain controllers (and, for B, administering a second forest and a forest trust), which is the opposite of minimum cost. The user accounts still have to be created, so nothing is saved in administrative effort either.
C: Setting the e-mail address attribute on the accounts does not change the logon name; the users would still have to log on as alias@Examsheets.net or EXAMSHEETS\alias. Using the UPN logon feature gives them alias@acme.net as a logon name with no more effort than creating the accounts.
Reference: Thomas W. Shinder and Debra Littlejohn Shinder, MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, Syngress, 2003, p. 956

Question: 18
You are the network administrator for Examsheets. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.net and cpand1.net. The functional level of each forest is Windows Server 2003. A two-way forest trust relationship exists between the forests.
You need to achieve the following goals:
• Users in the contoso.net forest must be able to access all resources in the cpand1.net forest.
• Users in the cpand1.net forest must be able to access only resources on a server named HRApps.contoso.net.
You need to configure the forest trust relationship and the resources on HRApps.contoso.net to achieve the goals. Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)
A. On a domain controller in the contoso.net forest, configure the properties of the incoming forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.net forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.net forest, configure the properties of the incoming forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.net forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control lists (DACLs) on HRApps.contoso.net to allow access to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.net to deny access to the This Organization security group.
Answer: A, D, E
Explanation:
When all domains in two forests trust each other and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.
Selective authentication between forests
Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions.
If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, users from ForestB would be able to access any resource in ForestA (assuming they have the required permissions).
If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set the Allowed to Authenticate control access right on the computer object of the server (here HRApps.contoso.net) for that particular user or group from the second forest, in addition to the ordinary share and NTFS permissions on the resources themselves.
When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, the server to which he authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.
Taking this into account: D (forest-wide authentication on the trust incoming to cpand1.net) gives contoso.net users access to everything in cpand1.net that their permissions allow, while A (selective authentication on the trust incoming to contoso.net) and E (allowing the cpand1.net users, who carry the Other Organization SID, on HRApps.contoso.net) limit cpand1.net users to that one server.
Incorrect Answers:
B: If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. However, users in the cpand1.net forest must be able to access only resources on the server named HRApps.contoso.net. We should therefore use selective authentication on the trust through which the cpand1.net forest reaches contoso.net.
C: Users in the contoso.net forest must be able to access all resources in the cpand1.net forest; in other words, they need forest-wide access.
F: contoso.net's own users carry the This Organization SID, so denying that group would lock them out of HRApps.contoso.net and would do nothing to restrict the cpand1.net users.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-48 to 4-49
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 254

Question: 19
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. User accounts are configured as local administrators so that users can install software. A desktop support team supports end users. The desktop support team’s user accounts are all members of a group named Support.
You create a software restriction policy that prevents users from running registry editing tools by means of a file hash rule. You apply the policy to all user accounts in the domain. The desktop support team reports that when they attempt to run registry editing tools, they receive the following error message: “Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator”.
You need to ensure that only the desktop support team can run registry editing tools. What should you do?
A. Configure the software restriction policies to be enforced for all users except local administrators.
B. Make users members of the Power Users group instead of the Administrators group.
C. Use a logon script to copy the registry editing tools to the root of drive C. Assign the Domain Admins group the Allow – Read permission for the registry editing tools in the new location.
D. Filter the software restriction policy to prevent the Support group from applying the policy.
Answer: D
Explanation:
We can prevent the software restriction policy from applying to the Support group by security-filtering the GPO: on the GPO's Security tab (or the Delegation tab in GPMC), assign the Support group the Deny – Apply Group Policy permission. Denying Read has the same effect, since a GPO that cannot be read cannot be applied, but Deny – Apply Group Policy is the conventional choice because it leaves the support staff able to inspect the GPO. A Deny entry overrides the Allow that Authenticated Users have, so the policy still applies to everybody else. Because a hash rule identifies the program by its contents, the rule must be updated whenever the registry editing tools are patched, otherwise the new versions will run for everyone.
Incorrect Answers:
A: The users are local administrators. The policy must still apply to local administrators, otherwise it would restrict nobody.
B: The policy applies to all users, so it would still apply to the Support group. Changing the users' local group membership has no effect on whom the policy applies to.
C: The software restriction policy uses a hash rule to prevent the use of the registry editing tools. It doesn’t matter where the tools are copied; the hash of the file is the same, so they still won’t run.
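Why answer C fails and why a hash rule needs maintenance are both properties of the hash, shown by the following added example, which is not part of the original guide or of any Microsoft tool. A software restriction policy hash rule identifies a program by a hash of its bytes; the script computes such a hash (SHA-1 here purely as an illustration, since what matters is that it is a content hash) for regedit.exe, for a copy of it in another folder, and for a copy with one byte appended. The %SystemRoot%\regedit.exe path and the C:\Temp working folder are assumptions.

```powershell
# Added example for this guide (not Microsoft's SRP code). Assumed paths: regedit.exe under
# %SystemRoot% and a writable C:\Temp. SHA-1 stands in for whatever content hash the rule stores.
function Get-ContentHash {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-HashRuleBehaviour {
    $original = Join-Path $env:SystemRoot 'regedit.exe'
    $copyDir  = 'C:\Temp'
    $copy     = Join-Path $copyDir 'regedit.exe'
    if (-not (Test-Path $copyDir)) { New-Item -ItemType Directory -Path $copyDir | Out-Null }

    # 1. Copying the binary somewhere else (answer C) does not change its contents, so the
    #    hash the rule was built from still matches and the copy is still blocked.
    Copy-Item -Path $original -Destination $copy -Force
    $ruleHash   = Get-ContentHash $original
    $movedMatch = ($ruleHash -eq (Get-ContentHash $copy))

    # 2. Changing a single byte (a patch, or a user appending a byte) produces a different
    #    hash, so the rule no longer matches: hash rules have to be rebuilt after every update.
    [byte[]]$patched = [System.IO.File]::ReadAllBytes($copy) + [byte]0
    [System.IO.File]::WriteAllBytes($copy, $patched)
    $patchedMatch = ($ruleHash -eq (Get-ContentHash $copy))

    Remove-Item -Path $copy -Force
    New-Object PSObject -Property @{
        RuleHash            = $ruleHash
        MatchesAfterCopy    = $movedMatch
        MatchesAfterOneByte = $patchedMatch
    }
}

Test-HashRuleBehaviour | Format-List
```

The second case is also the weak point of this design: a PE file with a byte appended still loads, so a user who is a local administrator can defeat a hash rule with a copy and a one-byte edit. The exam scenario only needs the Support team exempted, which the GPO filter in answer D does, but the rule itself does not restrain a determined local administrator.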
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9: 16

Question: 20
You are the network administrator for Examsheets. Your user account is a member of the Schema Admins group. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named ExamsheetsA holds the schema master role.
An application named Application1 creates additional schema classes. You notice that this application created some classes that have incorrect class names. You need to correct the class names as quickly as possible.
What should you do?
A. Deactivate the Application1 classes that have the incorrect class names. Set the default security permission for the Everyone group for those schema classes to Deny.
B. Deactivate the Application1 classes that have the incorrect class names. Create the Application1 classes with the correct class names.
C. Rename the description of the Application1 classes to the correct class name. Instruct the developers of Application1 to change the code of the application so that the renamed schema classes can be used.
D. Instruct the developers of Application1 to change the code of the application so that the application creates the new schema classes with the correct class names. Reinstall Application1 and select Reload the schema in the Active Directory Schema console.
Answer: B
Explanation:
We need to deactivate the Application1 classes that have the incorrect class names, because a schema class cannot be deleted or renamed. We can only deactivate the incorrect classes and recreate the classes with the correct class names. At the Windows Server 2003 forest functional level this is quick: deactivating a class sets its isDefunct attribute, and the identifiers of a defunct class may be reused immediately, so the corrected classes can be created in the same session.
Extending the schema
When the set of classes and attributes in the base Active Directory schema does not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Active Directory Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.
Schema extensions are not reversible
Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated.
Deactivating a class or attribute
Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or attribute is considered defunct. A defunct class or attribute is unavailable for use; however, it is easily reactivated. If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute. The only exception is that an attribute used as the rdnAttId of a class continues to own its attributeId, ldapDisplayName, and schemaIdGuid values even after being deactivated (that is, those values cannot be reused). If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it.
Incorrect Answers:
A: It is not necessary to deny access to the classes after deactivating them; a defunct class cannot be used anyway. We still need to recreate the classes with the correct names.
C: Changing the description of a class doesn’t rename the class. It is not possible to rename a class.
D: Reinstalling the application would create the correctly named classes, but the incorrectly named ones would remain active in the schema; we need to deactivate them. Waiting for the developers is also not the quickest way.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 11

Question: 21
You are the administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003.
When the network was designed, the design team set design specifications. After the network was implemented, the deployment team set baseline specifications. The specifications for broadcast traffic are:
• The design specifications require that broadcast traffic must be 5 percent or less of total network traffic.
• The baseline specifications showed that the broadcast traffic is always 1 percent or less of the total network traffic during normal operation.
You need to monitor the network traffic and find out if the level of broadcast traffic is within the design and baseline specifications. You decide to use Network Monitor. After monitoring for 1 hour, you observe the results shown in the exhibit.
You need to report the results of your observations to management. Which two actions should you take?
A. Report that the broadcast traffic is outside of the baseline specifications.
B. Report that the broadcast traffic is outside of the design specifications.
C. Report that the broadcast traffic is within the design specifications.
D. Report that the broadcast traffic is within the baseline specifications.
Answer: A, B
Explanation:
A baseline is a measurement derived from the collection of data over an extended period during varying workloads and user connections, representing acceptable performance under typical operating conditions. The baseline indicates how system resources are used during periods of normal activity and makes it easier to spot problems when they occur. A baseline provides a mechanism for identifying what normal operating conditions are for a server and acts as a reference for troubleshooting performance issues.
The design specifications require that broadcast traffic must be 5 percent or less of total network traffic, and the exhibit shows a broadcast share above that over the hour monitored, so the traffic is outside the design specifications. Further, since the baseline showed that broadcast traffic is always 1 percent or less of total network traffic during normal operation, anything above 1 percent is outside the baseline as well; a value above 5 percent is necessarily above 1 percent, so both reports (A and B) are correct and C and D are not.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 14:42
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, pp. 94-112

Question: 22
You are the network administrator for Contoso, Ltd. The network contains a single Active Directory domain named Contoso.net. All computers on the network are members of the domain. Contoso, Ltd. has a main office and 20 branch offices. Each branch office has a connection to the main office. Only the main office has a connection to the Internet.
You are planning a security update infrastructure for your network. You deploy a central Software Update Services (SUS) server at the main office and an SUS server at each branch office. The SUS server at the main office uses Windows Update to obtain security patches. You want to minimize the amount of bandwidth used on the connection to the Internet and on the connections between the offices to download security patches.
Which two actions should you take?
A. Configure the SUS servers at the branch offices to use Windows Update to obtain security patches.
B. Configure the SUS servers at the branch offices to use the central SUS server for updates.
C. Configure Automatic Updates on the SUS servers at the branch offices to use the central SUS server for updates.
D. Configure Automatic Updates on all computers to use the SUS server on the local network.
E. Configure Automatic Updates on all computers to use the default update service location.
Answer: B, D
Explanation:
We must set up the branch office SUS servers to pick up the updates from the SUS server in the main office (SUS calls this synchronizing from a local SUS server rather than from Windows Update). With this solution each update crosses the Internet connection once and each branch link once: the main office SUS server downloads the updates from Microsoft, the branch office SUS servers synchronize from the main office SUS server, and the client computers download the updates from the SUS server on their own LAN, which is what the Specify intranet Microsoft update service location policy setting in answer D points them at.
Incorrect Answers:
A: Only the main office has an Internet connection, and having 20 servers each download the same updates over it is an unnecessary use of that connection.
C: Automatic Updates is the client component that installs updates on a computer; it does not fill the SUS server's content store. The SUS server software itself must be configured to synchronize from the central server. (Configuring Automatic Updates on the branch SUS servers is still sensible for patching those servers, but it is not what the question asks.)
E: The default update service location is Microsoft's Windows Update site. That sends every client to the Internet connection, which is an unnecessary use of it.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13: 8

Question: 23
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. A server named Examsheets2 functions as the mail server for the company. All users use Microsoft Outlook Express as their e-mail client.
An update to the company’s written security policy specifies that users must use encrypted authentication while they are retrieving e-mail messages from Examsheets2. You need to comply with the updated policy.
What should you do? (Choose three.)
A. Configure the POP3 service on Examsheets2 to use Active Directory Integrated Authentication.
B. Configure the SMTP virtual server on Examsheets2 to use Integrated Windows Authentication.
C. Configure Outlook Express to use Secure Password Authentication (SPA).
D. Configure the SMTP virtual server on Examsheets2 to use Basic Authentication with Transport Layer Security (TLS) encryption.
E. Configure the POP3 service on Examsheets2 to require Secure Password Authentication (SPA) for all connections.
Answer: A, C, E
Explanation:
You can use Active Directory Integrated Authentication to incorporate the POP3 service into your existing Active Directory domain. Active Directory Integrated Authentication supports both plaintext and Secure Password Authentication (SPA) e-mail client authentication. Because plaintext transmits the user's credentials in an unsecured, unencrypted format, the use of plaintext authentication is not recommended; requiring SPA on the server (E) and enabling it in Outlook Express (C) ensures the credentials are never sent in the clear. Note that SPA protects only the logon exchange (it is NTLM carried over the POP3 AUTH command); the messages themselves still travel unencrypted, which is as far as the updated policy goes.
SPA does require e-mail clients to transmit both the user name and password using secure authentication; it is therefore recommended over plaintext authentication. We need to configure the POP3 service on ExamSheets2 to require secure password authentication, and we need to configure the email clients to use Secure Password Authentication (SPA). Incorrect Answers: B: We need to configure the POP3 service, not the SMTP virtual server. D: We need to configure the POP3 service, not the SMTP virtual server. Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Page 25 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan, and Lisa Justice; Mastering ™ Windows Server 2003. Question: 24 You are the network admin for Examsheets. Your network contains 50 application servers that run Windows Server 2003. The security configuration of the application servers is not uniform. The application servers were deployed by local administrators who configured the setting for each of the application servers differently based on their knowledge and skill. The application servers are configure with different authentication methods, audit setting and account policy settings. The security team recently completed a new network security design. The design includes a baseline configuration for security settings on all servers. The baseline security settings use the hisecws.inf predefined security template. The design also requires modified settings for servers in an application role. These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. 
The security team created a security template named application.inf that contains the required settings. You need to plan the deployment of the new security design. You need to ensure that all security settings for the application servers are standardized, and that after the deployment, the security settings on all application servers meet the design requirements. What should you do? A. Apply the setup security.inf template first, the hisecws.inf template next, and then the application.inf template B. Apply the Application.inf template and then the Hisecws.inf template. C. Apply the Application.inf template first, then setup.inf template next, and then the hisecws.inf template D. Apply the Setup.inf template and then the application.inf template Answer: A. Explanation: The servers currently have different security settings. Before applying our modified settings, we should reconfigure the servers with their default settings. This is what the security.inf template does. Now that our servers have the default settings, we can apply our baseline settings specified in the hisecws.inf template. Now we can apply our custom settings using the application.inf template. Incorrect Answers: B: The hisecws.inf template would overwrite the custom application.inf template. C: Same as answer A. Also, the setup.inf security template doesn’t exist. To return a system to its Default security settings, we use the security.inf template. D: The setup.inf security template doesn’t exist. To return a system to its default security settings, we use the security.inf template. Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Question: 25 You are the network admin for an Active Directory domain. Examsheets’s written security policy was updated and now requires a minimum of NTLM v2 for LAN manager authentication. 
You need to identify which Operating Systems on your network do not meet the new requirement Which OS which require an upgrade to the OS or software to meet the requirement? Page 26 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 A. Windows 2000 Professional B. Windows Server 2003 C. Windows XP Professional D. Windows NT Workstation with service pack 5 E. Windows 95 Answer: E. Explanation: Windows 95 does not natively support NTLM v2 authentication. To enable it, you would need to install the Directory Services Client software. Incorrect Answers: A, B, C, D: Windows 2000 Professional, Server 2003, XP Professional, and NT Workstation with service pack 5 natively supports NTLM v2 authentication. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26 Question: 26 Examsheets has a single active directory domain named Examsheets.net. The company’s written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed. You create a security template named fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action if needed. You audit a file server by using fileserver.inf and receive the resules shown in the exhibit. 
***MISSING*** You want to make only the changes that are required to meet the requirements. Which two actions should you take? A. Correct the maximum application log size setting on the file server B. Correct the maximum security log size setting on the file server C. Correct the maximum system log size setting on the file server D. Correct the retention method for application log setting on the file server E. Correct the retention method for the security log setting on the file server F. Correct the retention method for the system log setting for the file server Answers: B E Explanation: The Event Log security area defines attributes related to the application, security, and system logs in the Event Viewer console for computers in a site, domain, or OU. The attributes are: maximum log size, access rights for each log, and retention settings and methods. Event log size and log wrapping should be defined to match your business and security requirements. In this particular case you should be correcting the maximum security log size setting and the retention method for the security log setting on the file server so as to comply with the stated requirements. Page 27 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 Incorrect answers: A, C, D, F: The question states that the company’s written security policy requires that computers in a file server role must have a minimum file size for event log settings. And given the past experiences of the company regarding the size of security events and its retention, you should be correct the maximum log size and retention methods of the security logs and not the application log or the system log. 
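The audit in this question is what the Security Configuration and Analysis snap-in does for the Event Log area. The following added example (not from the exam guide) reproduces that comparison in Python over a constructed fileserver.inf fragment and a constructed snapshot of a server's current settings; it assumes the standard security-template keys MaximumLogSize (in KB) and AuditLogRetentionPeriod, and treats the size as a minimum, since that is what the policy requires.

```python
"""Compare a server's Event Log settings against a security template (.inf).

Added example, not part of the original exam guide. It mimics the Event Log
part of a Security Configuration and Analysis audit: every setting in the
template is compared with the computer's current value and only the
deviations are reported, so only the required changes are made.
The template text and the 'current settings' below are constructed.
"""
import configparser

# Constructed fileserver.inf fragment. Section and key names follow the
# security-template format; MaximumLogSize is in KB.
# AuditLogRetentionPeriod: 0 = overwrite events as needed,
#                          1 = overwrite events by days,
#                          2 = do not overwrite (clear the log manually).
FILESERVER_INF = """
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 2

[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
"""

# Constructed snapshot of the audited file server: the security log is too
# small and still overwrites as needed; the application log is larger than
# the template asks for, which satisfies a *minimum* size requirement.
CURRENT_SETTINGS = {
    "Security Log": {"MaximumLogSize": 512, "AuditLogRetentionPeriod": 0},
    "Application Log": {"MaximumLogSize": 32768, "AuditLogRetentionPeriod": 0},
}

RETENTION_NAMES = {0: "overwrite as needed", 1: "overwrite by days", 2: "manually"}


def parse_template(text):
    """Parse .inf text into {section: {key: int}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {s: {k: int(v) for k, v in parser[s].items()} for s in parser.sections()}


def audit_event_logs(template, current):
    """Return (log, setting, current_value, required_value) for each deviation.

    MaximumLogSize is a floor (the policy requires a minimum size), so a
    larger current log is compliant; the retention method must match exactly.
    """
    findings = []
    for log, required in template.items():
        actual = current.get(log, {})
        for key, want in required.items():
            have = actual.get(key)
            if key == "MaximumLogSize":
                compliant = have is not None and have >= want
            else:
                compliant = have == want
            if not compliant:
                findings.append((log, key, have, want))
    return findings


def describe(finding):
    """Human-readable corrective action for one deviation."""
    log, key, have, want = finding
    if key == "AuditLogRetentionPeriod":
        return (f"{log}: retention method is '{RETENTION_NAMES.get(have, have)}', "
                f"required '{RETENTION_NAMES[want]}'")
    return f"{log}: {key} is {have} KB, required at least {want} KB"


if __name__ == "__main__":
    for finding in audit_event_logs(parse_template(FILESERVER_INF), CURRENT_SETTINGS):
        print("Correct ->", describe(finding))
```

Run against the constructed snapshot, only the two security log settings (size and retention method) are reported; the application log needs no change.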
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 10 Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:6 Question: 27 You are the administrator of the Examsheets company network. The network consists of a single active directory domain. The network includes 50 servers running Windows Server 2003 and 1000 client computers running Windows XP Professional. All client computers are in an organisational unit (OU) named Clients. All server computers are in an organisational unit (OU) named Servers. You discover that most of the servers are running the SMTP service and the Telnet service. These services are not required and should be disabled. What is the easiest way to ensure that the services are always disabled on the servers? A. Use gpedit.msc to create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Servers OU. B. Use gpedit.msc to create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Servers OU. C. Use gpedit.msc to create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Servers OU. D. Use gpedit.msc to create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Servers OU. Answer: C Explanation: The servers have been moved to an OU. This makes it easy for us to configure the servers using a group policy. We can simply assign a group policy to the Servers OU to disable the services. a Incorrect Answers: A: The logon script would only run when someone logs on to the servers. It’s likely that the servers will be running with no one logged in. 
B: The Hisecws.inf security template is designed for workstations, not servers. D: The startup script would only run when the servers are restarted. A group policy would be refreshed at regular intervals. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 55 Question: 28 Page 28 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 You are the administrator of the Examsheets company network. The network consists of a single active directory domain. The network includes 30 servers running Windows Server 2003 and 2000 client computers running Windows XP Professional. 20 member servers are located in an organisational unit (OU) named Servers. 10 domain controllers are in the default Domain Controllers container. All 2000 client computers are located in an organizational unit (OU) named Clients. The member servers are configured with the following security settings: • Logon events must be audited. • System events must be audited. • Passwords for local user accounts must meet complexity requirements. • Passwords must be changed every 30 days. • Password history must be enforced. • Connections to the servers must be encrypted. The written security policy states that you need to be able to verify the custom security settings during audits. You need to deploy and refresh the custom security settings on a routine basis. What should you do? A. Create a custom security template and apply it by using a Group Policy linked to the Servers OU. B. Create a custom security template and apply it by using a Group Policy linked to the domain. C. Create and apply a custom Administrative Template. D. 
Create a custom application server image and deploy it by using RIS. Answer: A Explanation: The easiest way to deploy multiple security settings to a group of Windows 2003 computer is to create a security template with all the required settings and import the settings into a GPO. In this case, the security settings apply to local accounts on the servers. This means that we can apply the settings with a GPO assigned to an Organisation Unit containing the servers. Incorrect Answers: B: The security settings need to apply to the member servers only. Applying the GPO to the domain would affect all computers in the domain. C: We need a security template, not an administrative template. D: We cannot use imaging in this way. Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 8 Question: 29 You are the administrator of the Examsheets company network. The network consists of a single active directory domain named Examsheets.net. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. The company purchases 10 new servers to function as file servers for the domain. You install Windows Server 2003 on the new servers. The computer accounts for the file servers are located on an OU named File Servers. A security expert configures one of the servers named ESFile1 with various security settings. You need to apply and maintain the same security settings on the remaining 9 servers. You need to do this by using the minimum amount of administrative effort. What should you do? (Choose two) A. Use disk imaging software to take an image of ESFile1. Apply the disk image to the remaining Page 29 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 9 servers. B. 
Use gpedit.msc to create a new Group Policy object (GPO). Manually configure the GPO with the same security settings as ESFile1. Link the GPO to the File Servers OU. C. Use gpedit.msc to create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU. D. On the PDC Emulator, use Security Configuration and Analysis to export the security settings to a security template. E. On ESFile1, use Security Configuration and Analysis to export the security settings to a security template. Answer: C, E Explanation: The easiest way to configure multiple computers with multiple security settings is to use a GPO. In this question, we have a computer configured with the required settings. We can use the Security Configuration and Analysis to export the security settings to a security template. We can then import the template into a Group Policy Object and apply the settings to the File Servers OU. Incorrect Answers: A: This could work (if we changed the computer names and SIDS), but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings ‘maintained’. B: This is a long way of doing it. Exporting the settings to a security template would be easier. D: This would have no effect on the file servers. Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 8 Question: 30 You are a network administrator for Examsheets. The network consists of multiple physical segments. The network contains two Windows Server 2003 computers named ExamsheetsSrvA and ExamsheetsSrvB, and several Windows 2000 Server computers. 
ExamsheetsSrvA is configured with a single DHCP scope for the 10.250.100.0/24 network with an IP address range of 10.250.100.10 to 10.250.100.100 Several users on the network report that they cannot connect to file and print servers, but they can connect to each other’s client computers. All other users on the network are able to connect to all network resources. You run the ipconfig.exe /all command on one of the affected client computers and observe the information in the following table: IP Address Subnet Mask Default Gateway DHCP Server DNS Server Primary Wins Server 10..250.100.150 255.255.255.0 (blank) Examsheets SrvB (blank) (blank) You need to configure all affected client computers so that they can communicate with all other hosts on the network. Which two actions should you take? Page 30 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 (Each correct answer presents part of the solution. Choose two) A. Disable the DHCP service on ExamsheetsSrvB. B. Increase the IP address range for the 10.250.100.0/24 scope on ExamsheetsSrvA. C. Add global DHCP scope options to ExamsheetsSrvA for default gateway, DNS servers, and WINS servers. D. Delete all IP address reservation in the scope on ExamsheetsSrvA. E. Run the ipconfig.exe /renew command on all affected client computers. F. Run the ipconfig.exe /registerdns command on all affected client computers. Answer: A, E Explanation: We can see from the exhibit that the affected computer received it’s IP configuration from ExamsheetsSrvB. We can also see that the IP configuration has no default gateway, WINS or DNS addresses. Obviously, ExamsheetsSrvB is misconfigured. Other client computers have no problems; it is likely that they get their IP configuration from ExamsheetsSrvA. 
We can either correctly configure the DHCP service on ExamsheetsSrvB or we can disable it and just use ExamsheetsSrvA as the DHCP server. The only option given is to disable the DHCP service on ExamsheetsSrvB, so answer A is correct. We need to run the ipconfig /renew command on all affected client computers so that they can update their IP configurations using ExamsheetsSrvA as their DHCP server. Incorrect Answers: B: The client computer received its IP configuration from ExamsheetsSrvB. Therefore, the problem is likely to be with ExamsheetsSrvB, not ExamsheetsSrvA. C: Some client computers have no problems; it is likely that they get their IP configuration from ExamsheetsSrvA. Therefore, ExamsheetsSrvA is correctly configured. D: The client computer received its IP configuration from ExamsheetsSrvB. Therefore, the problem is likely to be with ExamsheetsSrvB, not ExamsheetsSrvA. F: The affected client computers have no DNS configuration; therefore this command will have no affect. Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2:44 Question: 31 You are the network administrator for Examsheets. You need to provide Internet name resolution services for the company. You set up a Windows Server 2003 computer running the DNS Server service to provide this network service. During testing, you notice the following intermittent problems: • Name resolution queries sometimes take longer than one minute to resolve. • Some valid name resolution queries receive the following error message in the Nslookup command and-line tool: “Non-existent domain”. You suspect that there is a problem with name resolution. You need to review the individual queries that the server handles. You want to configure monitoring on the DNS server to troubleshoot the problem. 
Page 31 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 What should you do? A. In the DNS server properties, on the Debug Logging tab, select the Log packets for debugging option. B. In the DNS server properties, on the Event Logging tab, select the Errors and warnings option. C. In the System Monitor, monitor the Recursive Query Failure counter in the DNS object. D. In the DNS server properties, on the Monitoring tab, select the monitoring options. Answer: A Explanation: If you need to analyze and monitor the DNS server performance in greater detail, you can use the optional debug tool. You can choose to log packets based on the following: _Their direction, either outbound or inbound _The transport protocol, either TCP or UDP _Their contents: queries/transfers, updates, or notifications _Their type, either requests or responses _Their IP address Finally, you can choose to include detailed information. Note: That’s the only thing that’s going to let you see details about packets. Incorrect Answers: B: The Event Logging tab allows you to restrict the events written to the DNS Events log file to only errors or to only errors and warnings, also it allows you to disable DNS logging. C: This option allows you to view the total number of recursive query failures D: The Monitoring tab of the DNS server properties dialog box allows you to check basic DNS functionality with two simple tests: a simple query against the local DNS server and a recursive query to the root DNS servers. Reference: J. C. 
Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 5 Troubleshooting DNS servers Using server debug logging options The following DNS debug logging options are available: • Direction of packets Send Packets sent by the DNS server are logged in the DNS server log file. Receive Packets received by the DNS server are logged in the log file. • Content of packets Standard queries Specifies that packets containing standard queries (per RFC 1034) are logged in the DNS server log file. Page 32 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 Updates Specifies that packets containing dynamic updates (per RFC 2136) are logged in the DNS server log file. Notifies Specifies that packets containing notifications (per RFC 1996) are logged in the DNS server log file. • Transport protocol UDP Specifies that packets sent and received over UDP are logged in the DNS server log file. TCP Specifiesthat packets sent and received over TCP are logged in the DNS server log file. • Type of packet Request Specifies that request packets are logged in the DNS server log file (a request packet is characterized by a QR bit set to 0 in the DNS message header). Response Specifies that response packets are logged in the DNS server log file (a response packet is characterized by a QR bit set to 1 in the DNS message header). • Enable filtering based on IP address Provides additional filtering of packets logged in the DNS server log file. This option allows logging of packets sent from specific IP addresses to a DNS server, or from a DNS server to specific IP addresses. • File name Lets you specify the name and location of the DNS server log file. 
For example: • dns.log specifies that the DNS server log file should be saved as dns.log in the systemroot Question: 32 You are a network administrator for Examsheets. Examsheets has a main office and two branch offices. The branch offices are connected to the main office by T1 lines. The network consists of three Active Directory sites, one for each office. All client computers run either Windows 2000 Professional or Windows XP Professional. Each office has a small data center that contains domain controllers, WINS, DNS, and DHCP servers, all running Windows Server 2003. Users in all offices connect to a file server in the main office to retrieve critical files. The network team reports that the WAN connections are severely congested during peak business hours. Users report poor file server performance during peak business hours. The design team is concerned that the file server is a single point of failure. The design team requests a plan to alleviate the WAN congestion during business hours and to provide high availability for the file server. You need to provide a solution that improved file server performance during peak hours and that provides high availability for file services. You need to minimize bandwidth utilization. What should you do? A. Purchase two high-end servers and a shared fiber-attached disk array. Implement a file server cluster in the main office by using both new servers and the shared fiberattached disk array. B. Implement Offline Files on the client computers in the branch offices by using Synchronization Manager. Schedule synchronization to occur during off-peak hours. C. Implement a stand-alone Distributed File System (DFS) root in the main office. Implement copies of shared folders for the branch offices. Schedule replication of shared folders to occur during off-peak hours by using scheduled tasks. D. Implement a domain Distributed File System (DFS) root in the main office. Implement DFS replicas for the branch offices. 
Schedule replication to occur during off-peak hours. Page 33 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 Answer: D Explanation: A DFS root is effectively a folder containing links to shared files. A domain DFS root is stored in Active Directory. This means that the users don’t need to know which physical server is hosting the shared files; they just open a folder in Active Directory and view a list of shared folders. A DFS replica is another server hosting the same shared files. We can configure replication between the file servers to replicate the shared files out of business hours. The users in each office will access the files from a DFS replica in the user’s office, rather than accessing the files over a WAN link. Incorrect Answers: A: This won’t minimize bandwidth utilization because the users in the branch offices will still access the files over the WAN. B: This doesn’t provide any redundancy for the server hosting the shared files. C: You need DFS replicas to use the replicas of the shared folders. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 15 Question: 33 You are a network administrator for Woodgrove Bank. All servers run Windows Server 2003. The company uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used. A user on a server named Server2 reports that when she attempts to map a network drive to a shared folder on a server named Server5 by name, she received the following error message: “System error 67 has occurred. The network name cannot be found”. The user was previously able to map network drives by name to shared folders on Server5 from Server2. 
You run the ping command on Server2 to troubleshoot the problem. The results of your troubleshooting are shown in the exhibit.

You need to allow the user on Server2 to connect to resources on Server5 both by name and by address. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. On Server2, purge and reload the remote NetBIOS cache name table.
B. Re-register Server5 with WINS.
C. On Server2, run the ipconfig command with the /flushdns option.
D. On Server5, run the ipconfig command with the /renew option.
E. On Server5, run the ipconfig command with the /registerdns option.

Answer: B, E

Explanation:
The server does not respond either to its DNS name or to its IP address, which means that it is either offline or has changed its IP address while still being registered with the old address (192.168.202.8). Running ipconfig /registerdns will register the server in DNS, and re-registering with WINS will register the server with WINS.

Incorrect Answers:
A: Purging and reloading the remote NetBIOS cache name table is the NetBIOS counterpart of option C. This is not going to allow a user on Server2 to connect to resources on Server5 both by name and by address.
C: ipconfig /flushdns flushes the DNS cache. Flushing the DNS cache is not the same as registering.
D: ipconfig /renew attempts to renew the DHCP lease. This is not what is required.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 60

Question: 34
You are the network administrator for Examsheets. The company has a main office and two branch offices. The network in the main office contains 10 servers and 100 client computers. Each branch office contains 5 servers and 50 client computers. Each branch office is connected to the main office by a direct T1 line. The network design requires that company IP addresses must be assigned from a single classful private IP address range. The network is assigned a class C private IP address range to allocate IP addresses for servers and client computers. Examsheets acquires a company named Acme. The acquisition will increase the number of servers to 20 and the number of client computers to 200 in the main office. The acquisition is expected to increase the number of servers to 20 and the number of client computers to 200 in the branch offices. The acquisition will also add 10 more branch offices. After the acquisition, all branch offices will be the same size. Each branch office will be connected to the main office by a direct T1 line. The new company will follow the Examsheets network design requirements. You need to plan the IP addressing for the new company. You need to comply with the network design requirement. What should you do?
A. Assign the main office and each branch office a new class A private IP address range.
B. Assign the main office and each branch office a new class B private IP address range.
C. Assign the main office and each branch office a subnet from a new class B private IP address range.
D. Assign the main office and each branch office a subnet from the current class C private IP address range.
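A worked check of the arithmetic behind this design problem, added here as an example (it is not part of the exam guide); it also covers question 43 below, which poses the same requirement. The candidate blocks 192.168.1.0/24 and 172.16.0.0/16 are constructed, because the exam does not name the actual ranges.

```python
import ipaddress

# Figures from question 34 after the acquisition (question 43 uses the same
# per-office numbers): 1 main office + 12 branch offices, each with
# 20 servers and 200 clients.
SERVERS_PER_OFFICE = 20
CLIENTS_PER_OFFICE = 200
OFFICE_COUNT = 13


def hosts_per_office(servers=SERVERS_PER_OFFICE, clients=CLIENTS_PER_OFFICE):
    """Addresses one office needs for its servers and clients."""
    return servers + clients


def prefix_for_hosts(hosts):
    """Smallest prefix length whose subnet offers at least `hosts` usable
    addresses (the network and broadcast addresses are not usable)."""
    host_bits = 1
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def plan_offices(block, hosts, offices):
    """Carve `offices` equal subnets, each with `hosts` usable addresses,
    out of the classful private block `block`.  Returns the list of
    subnets, or None when the block is not private or is too small."""
    net = ipaddress.ip_network(block, strict=True)
    if not net.is_private:              # design rule: a private range
        return None
    prefix = prefix_for_hosts(hosts)
    if prefix < net.prefixlen:          # a single office would not fit
        return None
    subnets = list(net.subnets(new_prefix=prefix))
    if len(subnets) < offices:          # not enough subnets for every office
        return None
    return subnets[:offices]


def summarise(block, hosts=None, offices=OFFICE_COUNT):
    """Human-readable verdict for one candidate block."""
    hosts = hosts_per_office() if hosts is None else hosts
    plan = plan_offices(block, hosts, offices)
    if plan is None:
        return f"{block}: cannot hold {offices} offices of {hosts} hosts"
    return (f"{block}: {offices} x /{plan[0].prefixlen} subnets, "
            f"{plan[0].num_addresses - 2} usable addresses each, "
            f"first {plan[0]}, last {plan[-1]}")


if __name__ == "__main__":
    # Constructed candidates: the existing class C range (answer D) and a
    # class B range subnetted with a 24-bit mask (answer C).
    print("total addresses needed:", hosts_per_office() * OFFICE_COUNT)
    print(summarise("192.168.1.0/24"))
    print(summarise("172.16.0.0/16"))
```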
Answer: C

Explanation:
After the expansion the situation will be:
• Main office
  o Needs 220 IP addresses: 20 for servers and 200 for clients
• Branch offices
  o Each needs 220 IP addresses: 20 for servers and 200 for clients
  o We will have 12 branch offices
  o 12 x 220 = 2640
Total for all offices is 2640 + 220 = 2860.
The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24-bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets.

Incorrect Answers:
A: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
B: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
D: The class C network doesn’t have enough IP addresses to accommodate all the computers in all the offices.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 23-26

Question: 35
You are a network administrator for Examsheets. The internal network has an Active Directory-integrated zone for the Examsheets.net domain. Computers on the internal network use the Active Directory-integrated DNS service for all host name resolution. The Examsheets Web site and DNS server are hosted at a local ISP. The public Web site for Examsheets is accessed at www.Examsheets.net. The DNS server at the ISP hosts the Examsheets.net domain.
To improve support for the Web site, Examsheets wants to move the Web site and DNS service from the ISP to the company’s perimeter network. The DNS server on the perimeter network must contain only the host resource records for computers on the perimeter network. You install a Windows Server 2003 computer on the perimeter network to host the DNS service for the Examsheets.net domain. You need to ensure that the computers on the internal network can properly resolve host names for all internal resources, all perimeter resources, and all Internet resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. On the DNS server that is on the perimeter network, install a primary zone for Examsheets.net.
B. On the DNS server that is on the perimeter network, install a stub zone for Examsheets.net.
C. Configure the DNS server that is on the internal network to conditionally forward lookup requests to the DNS server that is on the perimeter network.
D. Configure the computers on the internal network to use one of the internal DNS servers as the preferred DNS server. Configure the TCP/IP settings on the computers on the internal network to use the DNS server on the perimeter network as an alternate DNS server.
E. On the DNS server that is on the perimeter network, configure a root zone.

Answer: A, C

Explanation:
By configuring a primary zone for examsheets.net on a DNS server in the perimeter network, we have a DNS server that can resolve requests for the www.examsheets.net website. To enable users on the LAN to quickly resolve examsheets.net resources, we can configure conditional forwarding on the internal examsheets.org server so that requests for examsheets.net resources get forwarded straight to the perimeter network DNS server.

Incorrect Answers:
B: A stub zone is no good to us here. The perimeter DNS server must be authoritative for the examsheets.net domain.
Therefore, we need a primary zone on the perimeter DNS server.
D: As long as the internal DNS servers are working, the external DNS server will never be used. Internal clients will not be able to resolve www.examsheets.net.
E: There is no need to configure a root zone on the perimeter network DNS server.

Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question: 36
You are the systems engineer for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. A Windows Server 2003 computer named EXAMSHEETSDNS1 functions as the internal DNS server and has a zone configured as shown in the exhibit. The network is not currently connected to the Internet. Examsheets maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named Examsheets.net. The Examsheets.net zone is hosted by a UNIX-based DNS server named UNIXDNS, which is running the latest version of BIND. The company plans to allow users of the internal network to access Internet-based resources. The company’s written security policy states that resources located on the internal network must never be exposed to the Internet. The written security policy states that the internal network’s DNS namespace must never be exposed to the Internet. To meet these requirements, the design specifies that all name resolution requests for Internet-based resources from computers on the internal network must be sent from EXAMSHEETSDNS1. The current design also specifies that UNIXDNS must attempt to resolve any name resolution requests before sending them to name servers on the Internet.
You need to plan a name resolution strategy for Internet access. You need to configure EXAMSHEETSDNS1 so that it complies with company requirements and restrictions. What should you do?
A. Delete the root zone from EXAMSHEETSDNS1. Configure EXAMSHEETSDNS1 to forward requests to UNIXDNS.
B. Copy the Cache.dns file from the Windows Server 2003 installation CD-ROM to the C:\Windows\System32\Dns folder on EXAMSHEETSDNS1.
C. Add a name server (NS) resource record for UNIXDNS to your zone. Configure UNIXDNS with current root hints.
D. On EXAMSHEETSDNS1, configure a secondary zone named Examsheets.net that uses UNIXDNS as the master server. Configure UNIXDNS to forward requests to your ISP’s DNS servers.

Answer: A

Explanation:
We need to delete the root zone from the internal DNS server. This will enable us to configure the server to forward Internet name resolution requests to the external DNS server (UNIXDNS). A DNS server configured to use a forwarder behaves differently from one that is not configured to use one. A DNS server configured to use a forwarder behaves as follows: when the DNS server receives a query, it attempts to resolve the query using the primary and secondary zones that it hosts and its cache. If the query cannot be resolved using this local data, it forwards the query to the DNS server designated as a forwarder. The DNS server waits briefly for an answer from the forwarder before attempting to contact the DNS servers specified in its root hints.

Incorrect Answers:
B: The Cache.dns file contains the IP addresses of the Internet root DNS servers. We don’t want the internal DNS server to query the root DNS servers, so we don’t need the Cache.dns file.
C: UNIXDNS already has root hints.
An NS record on the internal DNS server won’t fulfill the requirements of the question.
D: We don’t need a secondary zone on the internal DNS server. All external resolution requests must be forwarded to the external DNS server.

Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question: 37
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The network contains two IP subnets connected by a Windows Server 2003 computer running Routing and Remote Access. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each subnet contains a domain controller. Each subnet contains a DHCP server, which provides TCP/IP configuration information to the computers on only its subnet. The relevant portion of the network is shown in the exhibit.

You recently implemented a Microsoft Internet Security and Acceleration (ISA) Server 2000 array on the network to provide Internet connectivity. The ISA Server array uses Network Load Balancing on the internal adapters. The array’s Network Load Balancing cluster address is 172.30.32.1. You configure the DHCP server on Subnet1 to provide the array’s Network Load Balancing cluster address as the default gateway. You configure the DHCP server on Subnet2 to provide the IP address 172.30.64.1 as the default gateway for Subnet2. Users on Subnet2 report that they cannot connect to Internet-based resources. They can successfully connect to resources located on Subnet1. Users on Subnet1 can successfully connect to Internet-based resources.
You investigate and discover that no Internet requests from computers on Subnet2 are being received by the ISA Server array. You need to provide Internet connectivity to users on Subnet2. What should you do?
A. Configure the DHCP server on Subnet2 to provide the address 172.30.32.1 as the default gateway.
B. Configure the DHCP server on Subnet2 to provide the address 172.30.32.2 as the default gateway.
C. On the Routing and Remote Access server, add a default route to 172.30.32.1.
D. On the Routing and Remote Access server, add a default route to 131.107.72.17.

Answer: C

Explanation:
The Routing and Remote Access server knows how to route traffic between Subnet1 and Subnet2. However, it doesn’t know how to route traffic to the Internet. We can fix this by adding a default route on the Routing and Remote Access server. The default route will tell the Routing and Remote Access server that any traffic that isn’t destined for Subnet1 or Subnet2 (i.e. any external destination) should be forwarded to the internal interface of the ISA server (172.30.32.1).

Incorrect Answers:
A: 172.30.32.1 isn’t on the same subnet as Subnet2. Therefore, the clients on Subnet2 cannot use this address as their default gateway.
B: 172.30.32.2 isn’t on the same subnet as Subnet2. Therefore, the clients on Subnet2 cannot use this address as their default gateway. Furthermore, this address isn’t the internal address of the ISA server.
D: The default route needs to forward traffic to the internal interface of the ISA server.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 15:30

Question: 38
You are the systems engineer for Examsheets GmbH.
The network consists of three Windows NT 4.0 domains in a master domain model configuration. The servers on the network run either Windows NT Server 4.0 or Windows 2000 Server. All domain controllers run Windows NT Server 4.0. The network also contains 10 UNIX-based application servers. All host name resolution services are provided by a UNIX-based server running the latest version of BIND, which currently hosts the zone for the Examsheets.net domain. All NetBIOS name resolution services are provided by two Windows 2000 Server WINS servers. The company is in the process of migrating to a single Windows Server 2003 Active Directory domain-based network. The new domain is named Examsheets-ad.net, and it will be hosted in an Active Directory-integrated zone that is stored on the domain controllers. Servers that are not domain controllers will not be updated at this time. The migration plan requires that all computers must use DNS to resolve host names, and it requires redundancy for the Windows-based DNS servers. You upgrade the domain controllers in the master domain to Windows Server 2003. You also migrate all user and computer accounts to the new Active Directory domain. The DNS zone on the Windows Server 2003 computers is configured as shown in the exhibit. You now need to configure the required redundancy between the Windows-based DNS servers and the UNIX-based DNS server. You need to ensure that there will be no service interruption on any of the DNS server computers. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. On a Windows Server 2003 DNS server, create a secondary zone that uses the UNIX-based DNS server as the master server.
B. On the UNIX-based DNS server, create a secondary zone that uses a Windows-based DNS server as the master server.
C. On a Windows Server 2003 DNS server, create a stub zone that uses the UNIX-based DNS server as the master server.
D. Add a delegation in the Examsheets.net zone that delegates authority of the Examsheets-ad.net zone to a Windows Server 2003 DNS server.
E. Configure the Examsheets-ad.net zone to not replicate WINS-specific resource records during zone transfers.

Answer: B, E

Explanation:
This is a trick question because it is asking for redundancy for the Windows Server 2003 DNS servers. We can provide this by configuring the UNIX DNS server to resolve names in the Examsheets-ad.net domain. With a secondary zone on the UNIX DNS server, the UNIX DNS server will be able to resolve host name resolution requests in the Examsheets-ad.net domain. The Examsheets-ad.net DNS is configured to query WINS if required. When configuring a UNIX DNS server with a secondary zone, we should configure the zone to not replicate WINS-specific resource records during zone transfers.

Incorrect Answers:
A: This would provide redundancy for the UNIX server; the question isn’t asking for that.
C: This won’t provide any redundancy.
D: Examsheets-ad.net isn’t a subdomain of Examsheets.net, so no delegation is required.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc., Alameda, 2003, pp. 436-437

Question: 39
You are a network administrator for Examsheets. The network consists of a single Active Directory forest that contains one root domain and multiple child domains. The functional level of all child domains is Windows Server 2003. The functional level of the root domain is Windows 2000 native. You configure a Windows Server 2003 computer named Examsheets1 to be a domain controller for an existing child domain.
Examsheets1 is located at a new branch office, and you connect Examsheets1 to a central data center by a persistent VPN connection over a DSL line. Examsheets1 has a single replication connection with a bridgehead domain controller in the central data center. You configure DNS on Examsheets1 and create secondary forward lookup zones for each domain in the forest. You need to minimize the amount of traffic over the VPN connection caused by logon activities. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. Configure the DNS zones to be Active Directory-integrated zones.
B. Configure Examsheets1 to be the PDC emulator for the domain.
C. Configure Examsheets1 to be a global catalog server.
D. Configure universal group membership caching on Examsheets1.

Answer: C, D

Explanation:
Logon traffic over the VPN is caused by the local domain controller retrieving universal group information from a global catalog server. We can reduce this traffic either by configuring Examsheets1 to be a global catalog server or by enabling universal group membership caching on Examsheets1. A global catalog server stores information about all objects in the forest, but not all of their attributes, so that applications can search Active Directory without referring to the specific domain controllers that store the requested data. Universal group membership caching, on the other hand, allows the domain controller to cache universal group membership information for users. This eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest.
It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Incorrect Answers:
A: Logon traffic over the VPN is caused by the local domain controller retrieving universal group information from a global catalog server. It is not caused by DNS replication.
B: The PDC emulator isn’t used in the logon process (except for down-level clients).

Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 5

Question: 40
You are the network admin for Contoso. The network consists of a single Active Directory domain named contoso.net. The domain is supported by an Active Directory-integrated zone that allows only secure updates. The contoso.net domain is configured as two Active Directory sites named MainOffice and Branch1. Branch1 contains a single Windows Server 2003 domain controller named Server1 that is not a DNS server. There is a single subnet of 192.168.10.0/24 in Branch1 that contains all client computers and servers in the site. Branch1 is connected to MainOffice by a single low-bandwidth WAN connection that is often saturated. Users in Branch1 are normally authenticated by Server1. Users in Branch1 report that they are experiencing unusually long logon times. You discover that Branch1 users are being authenticated by domain controllers in MainOffice.
You run the nslookup command to query the SRV records for Branch1 and receive the output shown in the following table:

SRV hostname: Server1.contoso.net
Internet address: Server1.contoso.net 192.168.10.65

You run the ipconfig command on Server1 and receive the following:

IP address: 192.168.10.32
Subnet mask: 255.255.255.0
Default gateway: 192.168.10.1

You want Server1 to resume authenticating all clients in Branch1. What should you do?
A. Run the ipconfig.exe /registerdns command on Server1
B. Run the ipconfig.exe /flushdns command on Server1
C. Stop and restart the Netlogon service on Server1
D. Stop and restart the Net Logon service on clients in Branch1

Answer: C

Explanation:
The DNS record shows the wrong IP address for Server1. We need to configure DNS with the correct information. Because Server1 is a domain controller, we need to register the A records and the SRV records. The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located in the network every 24 hours. To initiate the registration performed by the Net Logon service manually, you can restart the Net Logon service.

Incorrect Answers:
A: This command will only register the A records. The client computers locate the domain controller by querying SRV records.
B: This will flush the local DNS client cache. This won’t solve the problem.
D: We need to restart the Netlogon service on Server1, not on the clients.

Reference: J. C. Mackin, Ian McLean; MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question: 41
You are the network admin for Examsheets. Your network contains 3 subnets.
All servers have manually assigned IP addresses, while all clients are configured to receive an address from a DHCP server. The DHCP server is located in Site 1. The DHCP server has a scope configured for each subnet. Users in Site 2 and Site 3 are complaining that periodically they cannot connect to resources located on any subnet. You discover that during times of peak usage users are receiving an IP address in the 169.254.x.x address range. You need to ensure that all client computers receive an address from their subnet even during times of peak usage. What should you do?
A. Install one DHCP server in Site 2 and Site 3. On each DHCP server, configure identical scopes for each subnet
B. Install one DHCP server in Site 2 and Site 3. On each DHCP server configure a single subnet-specific scope
C. Configure a DHCP Relay Agent on Site 2 and Site 3
D. Configure a GPO on the domain that disables APIPA

Answer: B

Explanation:
It appears that during times of peak usage, the DHCP server and/or the subnet containing the DHCP server cannot cope with the load. The clients in Sites 2 and 3 are unable to receive an IP configuration from the DHCP server and so configure themselves with an APIPA configuration. We can ease the load on the DHCP server and Subnet 1 by installing DHCP servers in Site 2 and Site 3. The DHCP servers must be configured with a single scope specific to the subnet.

Incorrect Answers:
A: We cannot have DHCP servers with identical scopes. This would lead to duplicate IP addresses on the network.
C: The clients can connect to the DHCP server during less busy times. Therefore, a DHCP Relay Agent is either already installed or isn’t required.
D: Disabling APIPA won’t ease the load on the DHCP server.

Reference: J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 4.

Question: 42
ExamSheets uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used. A user named Smith on a server named ExamSheets2 reports that when she runs a script to transfer files to a server named ExamSheets5, she receives the following error: “Unknown Host ExamSheets5”. You use ExamSheets2 to troubleshoot the problem. The results of your troubleshooting show that the nslookup utility replies with an address of 192.168.1.8. When you try to ping ExamSheets5, the reply times out and shows a different IP address. You need to allow Smith on ExamSheets2 to use the script on ExamSheets5. What should you do?
A. Re-register ExamSheets5 with WINS
B. On ExamSheets5, run the ipconfig /registerdns command
C. On ExamSheets2, run the ipconfig /flushdns command
D. On ExamSheets2, purge and reload the remote NetBIOS cache name table

Answer: A

Explanation:
The nslookup utility replies with an address of 192.168.1.8. This is probably the correct address. When you ping ExamSheets5, it times out and shows a different IP address. This is an incorrect address that was resolved using a WINS lookup. As the address in the WINS database is wrong, we need to re-register ExamSheets5 with WINS.

Incorrect Answers:
B: The address of ExamSheets5 stored in DNS is likely to be correct, so it doesn’t need to be re-registered.
C: Nslookup returns an address of ExamSheets5 that is likely to be correct. We know this because the ping test fails with a different IP address. Therefore, the locally cached IP address is likely to be correct, so the cache doesn’t need to be cleared.
D: We would need to purge the local NetBIOS name cache, not the remote cache.
Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question: 43
You are the administrator of the Examsheets company network. The network consists of a single Active Directory domain. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. The office uses a single class C private IP address range. The company announces a major expansion. Examsheets will open 12 branch offices. The 12 branch offices will connect to the existing office by direct T1 lines. Each branch office will have the same number of computers as the main office. You need to plan the IP addressing for the new company. You want to assign all company IP addresses from a single classful private IP address range. What should you do?
A. Assign each office a new class C private IP address range.
B. Assign each office a new class B private IP address range.
C. Assign each office a subnet from a new class B private IP address range.
D. Assign each office a subnet from the current class C private IP address range.

Answer: C

Explanation:
The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24-bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets.

Incorrect Answers:
A: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
B: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
D: The class C network doesn’t have enough IP addresses to accommodate all the computers in all the offices.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 23-26

Question: 44
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The company has remote users in the sales department who work from home. The remote users’ client computers run Windows XP Professional, and they are not members of the domain. The remote users’ client computers have local Internet access through an ISP. Examsheets is deploying a Windows Server 2003 computer named ExamsheetsA that has Routing and Remote Access installed. ExamsheetsA will function as a VPN server, and the remote users will use it to connect to the company network. Confidential research data will be transmitted from the remote users’ client computers. Security is critical to the company, and ExamsheetsA must protect the remote users’ data transmissions to the main office. The remote client computers will use L2TP/IPSec to connect to the VPN server. You need to choose a secure authentication method. What should you do?
A. Use the authentication method of the default IPSec policies.
B. Create a custom IPSec policy and use the Kerberos version 5 authentication protocol.
C. Create a custom IPSec policy and use certificate-based authentication.
D. Create a custom IPSec policy and use preshared key authentication.
E. Use the authentication method of the Routing and Remote Access custom IPSec policy for L2TP connections.

Answer: C

Explanation:
The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol. Tunneling and authentication protocols, and the encryption levels applied to VPN connections, determine VPN security. L2TP/IPSec provides the highest level of security. For a VPN design, determine which VPN protocol best meets your requirements. Windows Server 2003 supports two VPN protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec).

Incorrect Answers:
A: The default IPSec policies don’t require encryption.
B: We cannot use the Kerberos version 5 authentication protocol because the remote users are not members of the domain.
D: Preshared key authentication uses a “password” that is known by the server and the client computers. This method is less secure than a certificate-based method.
E: This answer sounds plausible, but the actual setting on RRAS, "Allow custom IPSec policy for L2TP connection" in the RRAS server properties, only allows a preshared key, which is NOT secure compared to certificate-based IPSec policies.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5: 8-10

Question: 45
You are the network administrator for Examsheets.
The network consists of a single Active Directory domain named Examsheets.net. The domain contains four organizational units (OUs), as shown in the work area. The HR_Servers OU contains 10 Windows Server 2003 computers that contain confidential human resources information. The Workstation OU contains all of the Windows XP Professional computers in the domain. All client computers need to communicate with the human resources servers. The company’s written security policy requires that all network communications with the servers that contain human resources data must be encrypted by using IPSec. Client computers must also be able to communicate with other computers that do not support IPSec.
You create three Group Policy objects (GPOs), one for each of the three default IPSec policies.
You need to link the GPOs to the appropriate Active Directory container or containers to satisfy the security and access requirements. You want to minimize the number of GPOs that are processed by any computer. What should you do?
To answer, drag the appropriate GPO or GPOs to the correct Active Directory container or containers in the work area.
Answer:
Explanation:
The servers in the HR_Servers OU require secure communications, so we must assign the Secure Server (Require Security) IPSec policy. The clients should have the Client (Respond Only) IPSec policy assigned. This means that when the clients communicate with an HR server, the server will demand the use of IPSec, and the client will be able to use IPSec.
The clients will still be able to communicate with other computers without using IPSec.
IPSec for high security: Computers that contain highly sensitive data are at risk for data theft, accidental or malicious disruption of the system (especially in remote dial-up scenarios), or any public network communications.
• Client (Respond Only). This default policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.
• Secure Server (Require Security). This default policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, p. 728

Question: 46
You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. Client computers run Windows 2000 Professional, Windows XP Professional, or Windows NT Workstation 4.0. Examsheets wants to increase the security of the communication on the network by using IPSec as much as possible. The company does not want to upgrade the Windows NT Workstation 4.0 client computers to another operating system.
The servers use a custom IPSec policy named Domain Servers. The rules of the Domain Servers IPSec policy are shown in the exhibit.
You create a new Group Policy object (GPO) and link it to the domain. You configure the GPO to assign the predefined IPSec policy named Client (Respond Only). After these configuration changes, users of the Windows NT Workstation 4.0 computers report that they cannot connect to the servers in the domain.
You want to ensure that Windows NT Workstation 4.0 client computers can connect to servers in the domain. What should you do?
A. Change the All IP Traffic rule in the Domain Servers IPSec policy to use a preshared key for authentication.
B. Change the All IP Traffic rule in the Domain Servers IPSec policy to use the Request Security (Optional) filter action.
C. Activate the default response rule for the Domain Servers IPSec policy.
D. Install the Microsoft L2TP/IPSec VPN Client software on the Windows NT Workstation 4.0 computers.
E. Install the Active Directory Client Extensions software on the Windows NT Workstation 4.0 computers.
Answer: B
Explanation:
The exhibit shows that the server has the “Require Security” IPSec policy. The Windows NT Workstation clients are unable to use IPSec, and so cannot communicate with the server. We can fix this by changing the IPSec policy to Request Security (Optional). This will configure the server to use IPSec whenever possible, but to allow unsecured communications if required.
Incorrect Answers:
A: If you select to use a preshared key, you must enter a string of characters that is also known to the party with which you are communicating.
C: Activating the default response rule for the Domain Servers IPSec policy is not going to ensure that Windows NT Workstation 4.0 client computers will be able to connect to the servers in the domain.
D, E: This will not work. Windows NT Workstation client computers cannot function as Active Directory clients.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 728-739

Question: 47
You are a network administrator for Examsheets. The network consists of two Active Directory forests. No trust relationships exist between the two forests. All computers in both forests are configured to use a common root certification authority (CA). Each forest contains a single domain. The domain named hr.Examsheets.net contains five Windows Server 2003 computers that are used exclusively to host confidential human resources applications and data. The domain named Examsheets.net contains all other servers and client computers. A firewall separates the human resources servers from the other computers on the network. Only VPN traffic from Examsheets.net to a remote access server in hr.Examsheets.net is allowed through the firewall.
Managers need to access data on the servers in hr.Examsheets.net from their Windows XP Professional computers. The company’s written security policy requires that all communication containing human resources data must be secured by using the strongest IPSec encryption available.
You need to configure an IPSec policy for the servers that host the human resources data that complies with the written security policy and gives the managers in Examsheets.net access to the data they need. What should you do?
To answer, drag the appropriate configuration settings to the IPSec Policy Configuration.
Answer:
Explanation:
We cannot use Kerberos because there is no trust between the forests; we must use certificates, we must affect all traffic, and the server must require security.
The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, p. 733

Question: 48
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The functional level of the domain is Windows Server 2003.
The domain contains a Windows Server 2003 computer named Examsheets26 that is running Routing and Remote Access. The domain contains a universal group named Managers and a global group named Operations. User accounts in the Managers group require remote access between the hours of 8:00 A.M. and 8:00 P.M. User accounts in the Operations group require remote access 24 hours per day.
You configure a remote access policy on Examsheets26 named RA_Managers with the appropriate settings for the Managers group, and you configure a second remote access policy named RA_Operations on Examsheets26 with the appropriate settings for the Operations group. The default remote access policies on Examsheets26 remain unmodified.
Members of the Managers group report that they can establish a remote access connection to Examsheets26, but members of the Operations group report that they cannot establish a remote access connection to Examsheets26. You open the Routing and Remote Access administrative tool and note that the remote access policies are in the order presented in the following table.

Order  Remote access policy name
1      RA_Managers
2      Connections to Microsoft Routing and Remote Access server
3      RA_Operations
4      Connections to other access servers

You need to enable the appropriate remote access for the members of the Managers and Operations groups while restricting remote access to all other users. What should you do?
A. Delete the Connections to other access servers policy.
B. Re-create the Operations global group as a universal group.
C. Move the Connections to Microsoft Routing and Remote Access server policy up so that it is the first policy in the order.
D. Move the RA_Operations policy up so that it is the second policy in the order.
Answer: D
Explanation:
The remote access policies are processed in order. If a user meets a condition in a policy, the user is allowed or denied access according to that policy. No other policies are checked. The Connections to Microsoft Routing and Remote Access server policy is being processed before the RA_Operations policy. The users meet the condition in the Connections to Microsoft Routing and Remote Access server policy and are being denied access. The RA_Operations policy isn’t being checked. Therefore, we need to move the RA_Operations policy above the Connections to Microsoft Routing and Remote Access server policy.
Incorrect Answers:
A: This policy isn’t preventing the remote access. The Connections to Microsoft Routing and Remote Access server policy is preventing the access.
B: The global group is fine. Changing it won’t help.
C: The Connections to Microsoft Routing and Remote Access server policy is preventing the access. The RA_Operations policy isn’t being checked. Therefore, we need to move the RA_Operations policy above the Connections to Microsoft Routing and Remote Access server policy.
Reference: J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question: 49
You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. Examsheets’s main office is in Boston, and it has branch offices in Washington and Los Alamos. The company has no immediate plans to expand or relocate the offices.
The company wants to connect the office networks by using a frame relay WAN connection and Routing and Remote Access servers that are configured with frame relay WAN adapters. Computers in each office will be configured to use their local Routing and Remote Access server as a default gateway.
You are planning the routing configuration for the Routing and Remote Access servers. You need to allow computers in Boston, Washington, and Los Alamos to connect to computers in any office. You want to minimize routing traffic on the WAN connection. What should you do?
A. At each office, add the OSPF routing protocol to Routing and Remote Access, add the WAN adapter to the OSPF routing protocol, and deploy OSPF as a single-area internetwork.
B. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and configure the WAN adapter to use RIP version 2. Configure the outgoing packet protocol as RIP version 2 broadcast and the incoming packet protocol as RIP version 1 and 2.
C. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and configure the WAN adapter to use RIP version 2. Configure the outgoing packet protocol as RIP version 2 multicast and the incoming packet protocol as RIP version 2 only.
D. At each office, configure the Routing and Remote Access server with static routes to the local networks at the other two offices.
Answer: D
Explanation:
We need to configure the routers to route traffic between the offices. As we only have three offices, we can use simple static routes. Once we have configured the routing tables with static routes, the offices will be able to communicate with each other.
This solution is preferable to using a routing protocol such as RIP because there will be no routing information going over the WAN links.
Incorrect Answers:
A, B, C: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary. Static routes will suffice.
Reference: J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question: 50
You are a network administrator for Examsheets. The company has a main office and one branch office. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003.
The company needs to connect the main office network and the branch office network by using RRAS servers at each office. The networks will be connected by a VPN connection over the Internet. The company’s written security policy includes the following requirements for VPN connections over the Internet:
• All data must be encrypted with end-to-end encryption.
• VPN connection authentication must be at the computer level.
• Credential information must not be transmitted over the Internet as part of the authentication process.
You need to configure security for VPN connections between the main office and the branch office. You need to comply with the written policy. What should you do?
A. Use a PPTP connection with EAP-TLS authentication.
B. Use a PPTP connection with MS-CHAP v2 authentication.
C. Use an L2TP connection with EAP-TLS authentication.
D. Use an L2TP connection with MS-CHAP v2 authentication.
Answer: C
Explanation:
Strictly speaking, this answer is incomplete, because it doesn’t mention IPSec.
For computer-level authentication, we must use L2TP/IPSec connections. To establish an IPSec security association, the VPN client and the VPN server use the Internet Key Exchange (IKE) protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. Computer certificate authentication is highly recommended, as it is a much stronger authentication method. Computer-level authentication is only done for L2TP/IPSec connections.
Incorrect Answers:
A, B: PPTP uses user-level authentication over PPP. The question states that computer-level authentication is required; therefore we must use L2TP/IPSec.
D: For computer certificate authentication, we must use EAP-TLS, not MS-CHAP v2.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 591, 594-595

Question: 51
You are the systems engineer for Examsheets. Examsheets has 20,000 users in a large campus environment located in London. Each department in the company is located in its own building. Each department has its own IT staff. The company’s network is divided into several IP subnets that are connected to one another by using dedicated routers. Each building on the company’s main campus contains at least one subnet, and possibly up to five subnets. Each building has at least one router. All routers use RIP v2 broadcasts. A new office in Dortmund has 25 users.
Dortmund is connected to the main office with a Frame Relay line. Dortmund installs a server with RRAS and implements RIP v2. Later, the Dortmund admin reports that his router is not receiving routing table updates from the routers at the main office. He must manually add routing entries to the routing table to enable connectivity between the locations. You investigate and discover that the RIP v2 broadcasts are not being received at the Dortmund office. You also discover that no routing table announcements from the Dortmund office are being received at the main office.
You need to ensure that the network in the Dortmund office can communicate with the main campus network and can send and receive automatic routing table updates as network conditions change. What should you do to the router in the Dortmund office?
A. Configure the router to use RIP v1 broadcasts.
B. Configure the router to use auto-static update mode.
C. Add the IP address ranges of the main campus network to the router’s accept list and announce list.
D. Add the IP addresses of the main campus routers to the router’s neighbors list.
Answer: D
Explanation:
Routers need to read from an IP packet only the destination network address of which the particular destination host is a member. The routers then use information stored in their routing tables to determine how to move the packet toward the network of the destination host. Only after the packet is delivered to the destination’s network segment is the precise location of the destination host determined. It looks like the Dortmund router is configured to use neighbors. Therefore, we need to add the IP addresses of the main campus routers to the router’s neighbors list.
Incorrect Answers:
A: Using RIP v1 broadcasts is not going to ensure that Dortmund will be able to communicate with the main campus, since there are no routing table announcements from Dortmund at the main office.
B: When you configure an interface to use auto-static update mode, the router sends a request to other routers and inherits routes. The routes are saved in the routing table as auto-static routes and are kept even if the router is restarted or the interface goes down. But this is not what is required here.
C: This would be unnecessary, since it will not address the problem. Since Dortmund is configured to use neighbors, you should rather add the IP addresses of the main campus routers to the router’s neighbors list.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2:14

Question: 52
You are a network administrator for Examsheets. The network contains a Windows Server 2003 application server named ExamsheetsSrv. ExamsheetsSrv has one processor. ExamsheetsSrv has been running for several weeks. You add a new application to ExamsheetsSrv. Users now report intermittent poor performance on ExamsheetsSrv. You configure System Monitor and track the performance of ExamsheetsSrv for two hours. You obtain the performance metrics that are summarized in the exhibit. The values of the performance metrics are consistent over time.
You need to identify the bottleneck on ExamsheetsSrv and upgrade the necessary component. You need to minimize hardware upgrades. What should you do?
A. Install a faster CPU in ExamsheetsSrv.
B. Add more RAM to ExamsheetsSrv.
C. Add additional disks and spread the disk I/O over the new disks.
D. Increase the size of the paging file.
Answer: C
Explanation:
The PhysicalDisk\% Disk Time threshold is 90 percent, and the performance metrics show a value of 93.610 percent. This means that the disk is not being read quickly enough, which could be a hardware issue, and it could also be that the amount of data on the disk is too large.
Incorrect Answers:
A: The CPU is operating below its threshold.
B, D: The values for these could be a result of the PhysicalDisk\% Disk Time counter exceeding its threshold.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6: 25-28

Question: 53
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All computers on the network are members of the domain. You administer a three-node Network Load Balancing cluster. Each cluster node runs Windows Server 2003 and has a single network adapter. The cluster has converged successfully. You notice that the nodes in the cluster run at almost full capacity most of the time. You want to add a fourth node to the cluster. You enable and configure Network Load Balancing on the fourth node. However, the cluster does not converge to a four-node cluster. In the System log on the existing three nodes, you find the exact same TCP/IP error event.
The event has the following description: “The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 02:BF:0A:32:08:46.” In the System log on the new fourth node, you find a similar TCP/IP error event with the following description: “The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 03:BF:0A:32:08:46.” Only the hardware address is different in the two descriptions. You verify that IP address 10.50.8.70 is configured as the cluster IP address on all four nodes.
You want to configure a four-node Network Load Balancing cluster. What should you do?
A. Configure the fourth node to use multicast mode.
B. Remove 10.50.8.70 from the Network Connections Properties of the fourth node.
C. On the fourth node, run the nlb.exe resume command.
D. On the fourth node, run the wlbs.exe reload command.
Answer: A
Explanation:
This normally happens when you don’t enable the Network Load Balancing (NLB) service in TCP/IP of the server when adding two IP addresses (one for the server and one for the load balancing IP). When you want to manage an NLB cluster with one network adapter, you use the multicast option.
Since reload, suspend and removing the IP address are all garbage answers, it could be that the other nodes are using multicast and this new node is using unicast. That is why, on a single network adapter configuration, it will cause an IP conflict.
Incorrect Answers:
B: The IP address cannot be changed, since the node has a single network adapter.
C: This command instructs a suspended cluster to resume cluster operations. Using the Resume command doesn’t restart clustering operations but, instead, allows the use of cluster control commands, including those sent remotely.
The Resume command can be targeted at a specific cluster, a specific cluster on a specific host, all clusters on the local machine, or all global machines that are part of the cluster.
D: The nlb.exe command replaces the wlbs.exe command previously used in Windows NT 4.0 and Windows 2000 Server.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 689; http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx

Question: 54
You are a network administrator for Examsheets. The network contains four Windows Server 2003 computers configured as a four-node server cluster. The cluster uses drive Q for the quorum resource. You receive a critical warning that both drives of the mirrored volume that are dedicated to the quorum disk have failed.
You want to bring the cluster and all nodes back into operation as soon as possible. Which four actions should you take to achieve this goal?
To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes until you list all four required actions in the correct order.
Answer:
Explanation:
To recover from a corrupted quorum log or quorum disk:
1. If the Cluster service is running, open Computer Management.
2. In the console tree, double-click Services and Applications, and then click Services.
3. In the details pane, click Cluster Service.
4. On the Action menu, click Stop.
5. Repeat steps 1, 2, 3, and 4 for all nodes.
6. If you have a backup of the quorum log, restore the log by following the instructions in "Backing up and restoring server clusters" in Related Topics.
7. If you do not have a backup, select any given node. Make sure that Cluster Service is highlighted in the details pane, and then on the Action menu, click Properties. Under Service status, in Start parameters, specify /fixquorum, and then click Start.
8. Switch from the problematic quorum disk to another quorum resource. For more information, see "To use a different disk for the quorum resource" in Related Topics.
9. In Cluster Administrator, bring the new quorum resource disk online. For information on how to do this, see "To bring a resource online" in Related Topics.
10. Run Chkdsk, using the switches /f and /r, on the quorum resource disk to determine whether the disk is corrupted. For more information on running Chkdsk, see "Chkdsk" in Related Topics. If no corruption is detected on the disk, it is likely that the log was corrupted. Proceed to step 12.
11. If corruption is detected, check the System Log in Event Viewer for possible hardware errors. Resolve any hardware errors before continuing.
12. Stop the Cluster service after Chkdsk is complete, following the instructions in steps 1-4.
13. Make sure that Cluster Service is highlighted in the details pane. On the Action menu, click Properties. Under Service status, in Start parameters, specify /resetquorumlog, and then click Start. This restores the quorum log from the node's local database.
Important
• The Cluster service must be started by clicking Start on the service control panel. You cannot click OK or Apply to commit these changes, as this does not preserve the /resetquorumlog parameter.
14. Restart the Cluster service on all other nodes.
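The recovery procedure above, scripted as an added example (not taken from the study guide or any Microsoft documentation) around sc.exe, chkdsk.exe and cluster.exe so that the stop/start ordering, the start parameters and the Chkdsk decision branch are explicit; run it on the node chosen in step 7. Assumed, because the page does not state them: the node names, the replacement quorum resource name, local administrator rights on every node, and the cluster.exe /quorumresource switch syntax, which should be checked against the Windows Server 2003 command reference before use.

```powershell
# Added example: quorum log / quorum disk recovery (steps 1-14 above) via
# sc.exe, chkdsk.exe and cluster.exe. Run on the node that will execute step 7.
param(
    [string[]]$Nodes = @('NODE1', 'NODE2', 'NODE3', 'NODE4'),  # placeholder names
    [string]$QuorumDrive = 'Q:',                                 # failed quorum disk (from the question)
    [string]$NewQuorumResource = 'Disk R:'                       # placeholder resource name (assumed)
)

$local = $env:COMPUTERNAME

function Wait-ClusterService([string]$Node, [string]$State) {
    # Poll "sc query" until clussvc on $Node reports the wanted state
    # (sc prints a line such as "STATE : 4 RUNNING" or "STATE : 1 STOPPED").
    do {
        Start-Sleep -Seconds 3
        $out = (& sc.exe "\\$Node" query clussvc) -join ' '
    } until ($out -match "STATE\s+:\s+\d+\s+$State")
}

# Steps 1-5: stop the Cluster service on every node (sc stop on an already
# stopped service just returns an error, which is harmless here).
foreach ($n in $Nodes) {
    & sc.exe "\\$n" stop clussvc | Out-Null
    Wait-ClusterService $n 'STOPPED'
}

# Step 7: start the service on this node only, with /fixquorum as the start
# parameter. "sc start" passes trailing arguments to the service exactly as the
# Services console's "Start parameters" box does.
& sc.exe "\\$local" start clussvc /fixquorum | Out-Null
Wait-ClusterService $local 'RUNNING'

# Step 8: point the cluster at a different quorum resource (switch syntax assumed).
& cluster.exe /quorumresource:"$NewQuorumResource"
# Step 9: bring the new quorum resource disk online.
& cluster.exe res "$NewQuorumResource" /online

# Step 10: check the old quorum volume. chkdsk exits 0 when no errors were found.
& chkdsk.exe $QuorumDrive /f /r
$diskCorrupted = ($LASTEXITCODE -ne 0)

if ($diskCorrupted) {
    # Step 11: surface recent disk-related errors from the System log and stop;
    # hardware errors must be resolved before the log is reset.
    Get-EventLog -LogName System -EntryType Error -Newest 50 |
        Where-Object { $_.Source -match 'disk|ntfs' } |
        Format-Table TimeGenerated, Source, EventID, Message -AutoSize
    Write-Warning "Corruption reported on $QuorumDrive; resolve hardware errors, then rerun from step 12."
    exit 1
}

# Step 12: stop the Cluster service on this node again.
& sc.exe "\\$local" stop clussvc | Out-Null
Wait-ClusterService $local 'STOPPED'

# Step 13: restore the quorum log from this node's local cluster database.
& sc.exe "\\$local" start clussvc /resetquorumlog | Out-Null
Wait-ClusterService $local 'RUNNING'

# Step 14: restart the Cluster service on all other nodes.
foreach ($n in ($Nodes | Where-Object { $_ -ne $local })) {
    & sc.exe "\\$n" start clussvc | Out-Null
    Wait-ClusterService $n 'RUNNING'
}
```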
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 38

Question: 55
You are a network administrator for Examsheets. The network contains a perimeter network. The perimeter network contains four Windows Server 2003, Web Edition computers that are configured as a Network Load Balancing cluster. The cluster hosts an e-commerce Web site that must be available 24 hours per day. The cluster is located in a physically secure data center and uses an Internet-addressable virtual IP address. All servers in the cluster are configured with the Hisecws.inf template.
You need to implement protective measures against the cluster’s most significant security vulnerability. What should you do?
A. Use Encrypting File System (EFS) for all files that contain confidential data stored on the cluster.
B. Use packet filtering on all inbound traffic to the cluster.
C. Use Security Configuration and Analysis regularly to compare the security settings on all servers in the cluster with the baseline settings.
D. Use intrusion detection on the perimeter network.
Answer: B
Explanation:
The most sensitive element in this case is the network card that uses an Internet-addressable virtual IP address. The question doesn’t mention a firewall implementation or an intrusion detection system (usually hardware). Therefore, we should set up packet filtering. You can configure packet filtering to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information.
Incorrect Answers:
A: In the case of EFS, you can’t use it on cluster storage.
C: Security Configuration and Analysis enables you to work with security templates in a database, where you can analyze them before applying them to your computers.
D: IDS will (if properly maintained and updated with new signatures) look for certain activity on the network and check this against a signature database it carries. If a match occurs, then an alert is sent to an administrator or logged.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 5

Question: 56
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The network contains an application server running Windows Server 2003. Users report intermittent slow performance when they access the application server throughout the day. You find out that the network interface on the application server is being heavily used during the periods of slow performance. You suspect that a single computer is causing the problem.
You need to create a plan to identify the problem computer. What should you do?
A. Monitor the performance monitor counters on the application server by using System Monitor.
B. Monitor the network traffic on the application server by using Network Monitor.
C. Monitor network statistics on the application server by using Task Manager.
D. Run network diagnostics on the application server by using Network Diagnostics.
Answer: B
Explanation:
Network Monitor Capture Utility
Network Monitor Capture Utility (Netcap.exe) is a command-line Support Tool that allows a system administrator to monitor network packets and save the information to a capture (.cap) file. You can use information gathered by using Network Monitor Capture Utility to analyze network use patterns and diagnose specific network problems.
This command-line tool allows a system administrator to monitor packets on a LAN and write the information to a log file. NetCap uses the Network Monitor Driver to sniff packets on local network segments.
Network Monitor
Network Monitor captures network traffic information and gives detailed information about the frames being sent and received. This tool can help you analyze complex patterns of network traffic. Network Monitor can help you view the header information included in HTTP and FTP requests. Generally, you need to design a capture filter, which functions like a database query and singles out a subset of the frames being transmitted. You can also use a capture trigger that responds to events on your network by initiating an action, such as starting an executable file. An abbreviated version of Network Monitor is included with members of the Windows Server 2003 family. A complete version of Network Monitor is included with Microsoft Systems Management Server.
Incorrect Answers:
A: System Monitor allows you to monitor real-time performance statistics.
C: Task Manager is used to view real-time performance data surrounding processes and applications.
D: Network Diagnostics is a graphical troubleshooting tool, built into the Windows Server 2003 interface, that provides detailed information about a local computer’s networking configuration.
References:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 6: 7-12
J. C.
Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapters 3 and 6.
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, Chapter 12.

Question: 57
You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All domain controllers and member servers run Windows Server 2003, Enterprise Edition. All client computers run Windows XP Professional. Examsheets has one main office and one branch office. The two offices are connected by a T1 WAN connection. There is a hardware router at each end of the connection. The main office contains 10,000 client computers, and the branch office contains 5,000 client computers.
You need to use DHCP to provide IP addresses to the Windows XP Professional computers in both offices. You need to minimize network configuration traffic on the WAN connection. Your solution needs to prevent any component involved in the DHCP architecture from becoming a single point of failure. What should you do?
A. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. Configure the branch office router as a DHCP relay agent.
B. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. At the branch office, configure a Windows Server 2003 computer as a DHCP relay agent.
C. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. At the branch office, configure two Windows Server 2003 computers as a DHCP server cluster.
D. At the main office, configure two Windows Server 2003 computers as DHCP servers.
Configure one DHCP server to handle 80 percent of the IP address scope and the other DHCP server to handle 20 percent. Configure the branch office router as a DHCP relay agent.
Answer: C
Explanation:
The best fault tolerant solution here would be to implement a DHCP server cluster in each office. The Windows Server 2003 DHCP Server service is a cluster-aware application, which is an application that can run on a cluster node and that can be managed as a cluster resource. These applications use the Cluster API to receive status and notification information from the server cluster. You can implement additional DHCP (or MADCAP) server reliability by deploying a DHCP server cluster using the Cluster service. This service is the essential software component that controls all aspects of server cluster operation and manages the cluster database. Each node in a server cluster runs one instance of the Cluster service provided with Windows Server 2003, Enterprise Edition. By using clustering support for DHCP, you can implement a local method of DHCP server failover, achieving greater fault tolerance. You can also enhance fault tolerance by combining DHCP server clustering with a remote failover configuration, such as by using a split scope configuration. Another way to implement DHCP remote failover is to deploy two DHCP servers in the same network that share a split scope configuration based on the 80/20 rule.
Incorrect Answers:
A: The branch office router would be a single point of failure in this solution.
B: The server hosting the DHCP relay agent would be a single point of failure in this solution.
D: The branch office router would be a single point of failure in this solution.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 2

Question: 58
You are a network administrator for Examsheets. You install Windows Server 2003 on two servers named Examsheets1 and Examsheets2. You configure Examsheets1 and Examsheets2 as a two-node cluster. You configure a custom application on the cluster by using the Generic Application resource, and you put all resources in the Application group. You test the cluster and verify that it fails over properly and that you can move the Application group from one node to the other and back again. The application and the cluster run successfully for several weeks. Users then report that they cannot access the application. You investigate and discover that Examsheets1 and Examsheets2 are running but the Application group is in a failed state. You restart the Cluster service and attempt to bring the Application group online on Examsheets1. The Application group fails. You discover that Examsheets1 fails, restarts automatically, and fails again soon after restarting. Examsheets1 continues to fail and restart until the Application group reports that it is in a failed state and stops attempting to bring itself back online.
You need to configure the Application group to remain on Examsheets2 while you research the problem on Examsheets1. What should you do?
A. On Examsheets2, configure the failover threshold to 0.
B. On Examsheets2, configure the failover period to 0.
C. Remove Examsheets1 from the Possible owners list.
D. Remove Examsheets1 from the Preferred owners list.
Answer: C
Explanation:
We don’t want the Application group to move to Examsheets1; we want the Application group to remain on Examsheets2. We can do this by removing Examsheets1 from the Possible owners list.
Incorrect Answers:
A, B: The question states that failover occurred properly.
D: The order of failover is defined by the order in which the nodes appear in the Preferred owners list. The default node for the application is listed first. A failover will attempt to move the cluster group to each node on the list, in order, until the group successfully starts. Thus you should not remove Examsheets1 from the Preferred owners list.
References:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7: 2-7
http://download.microsoft.com/download/7/6/f/76f3db2f-6f43-4624-bfdeff731e3c1f96/GDClusters.doc

Question: 59
You are a network administrator for Examsheets. The network contains two Windows Server 2003 computers named ExamsheetsA and ExamsheetsB. These servers host an intranet application. Currently, 40 users connect to ExamsheetsA and 44 users connect to ExamsheetsB. The company is adding 35 employees who will need access to the intranet application. Testing shows that each server is capable of supporting approximately 50 users without adversely affecting the performance of the application.
You need to provide a solution for supporting the additional 35 employees. The solution must include providing server fault tolerance. You need to minimize the costs and administrative effort required by your solution. You add a new server named ExamsheetsC to the network and install the intranet application on ExamsheetsC. What else should you do?
A.
Use Network Load Balancing Manager to configure ExamsheetsA, ExamsheetsB, and ExamsheetsC as a Network Load Balancing cluster.
B. Use Cluster Administrator to configure ExamsheetsA, ExamsheetsB, and ExamsheetsC as a three-node server cluster. Use the Majority Node Set option. Configure the cluster so that all three nodes are active.
C. Use Cluster Administrator to configure ExamsheetsA, ExamsheetsB, and ExamsheetsC as a three-node server cluster. Configure the cluster so that two nodes are active and one node is a hot standby node.
D. Use DNS load balancing to utilize all three servers by using the same virtual server name.
Answer: A
Explanation:
We can use Network Load Balancing to balance the load on the three Web servers. Clustering allows you to combine application servers to provide a level of scaling, availability, or security that is not possible with an individual server. Network Load Balancing distributes incoming client requests among the servers in the cluster to more evenly balance the workload of each server and prevent overload on any one server. To client computers, the Network Load Balancing cluster appears as a single server that is highly scalable and fault tolerant. The Network Load Balancing deployment process assumes that your design team has completed the design of the Network Load Balancing solution for your organization and has performed limited testing in a lab. After the design team tests the design in the lab, your deployment team implements the Network Load Balancing solution first in a pilot environment and then in your production environment.
Upon completing the deployment process presented here, your Network Load Balancing solution (the Network Load Balancing cluster and the applications and services running on the cluster) will be in place. For more information about the procedures for deploying Network Load Balancing on individual servers, see the appropriate Network Load Balancing topics in Help and Support Center for Windows Server 2003.
Incorrect Answers:
B: We already have three servers. A server cluster would require different hardware and would thus be more expensive.
C: We already have three servers. A server cluster would require different hardware and would thus be more expensive.
D: Round-robin DNS would load balance the servers, but if one server failed, clients would still be directed to the failed server.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7: 15-17

Question: 60
You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The Active Directory database contains 500 MB of information. Examsheets has its main office in Moscow and a branch office in Minsk. The two offices are connected by a 56-Kbps WAN connection that is used only for Active Directory replication. The Moscow office has 450 users, and the Minsk office has 15 users. The Minsk office has a single Windows Server 2003 domain controller and two Windows Server 2003 file and print servers. The hard disk containing the operating system on the domain controller in Minsk fails and cannot be recovered.
You need to re-establish a domain controller that contains a current copy of Active Directory in the Minsk office. You need to achieve this goal as quickly as possible. What should you do?
A. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller.
Install Active Directory from restored backup files.
B. Install Active Directory on a file and print server. Force replication.
C. Install Active Directory on a file and print server from restored backup files.
D. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller. Force replication.
Answer: C
Explanation:
We need to re-establish a domain controller in the Minsk office as quickly as possible. Therefore, we should install Active Directory from restored backup files. Answer A is the recommended answer, but answer C is quicker. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller. The /adv switch is only necessary when you want to create a domain controller from restored backup files. It is not required when creating an additional domain controller over the network. For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to prepopulate Active Directory with System State data backed up from an existing domain controller. This backup can be present on a local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link.
Incorrect Answers:
A: This would work, but answer C is quicker.
B: We don’t want to replicate a 500 MB Active Directory database over a 56 Kbps WAN link.
D: We don’t want to replicate a 500 MB Active Directory database over a 56 Kbps WAN link.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27

Question: 61
You are the network administrator for Examsheets. The network consists of a single Active Directory domain that contains only one domain controller. The domain controller is named ExamsheetsSrvA. The domain contains only one site named Valencia. You are adding a new site named Barcelona. You need to promote an existing Windows Server 2003 member server named ExamsheetsSrvB to be an additional domain controller of the domain. A 56 Kbps WAN connection connects the Valencia and Barcelona sites.
You need to install ExamsheetsSrvB as a new domain controller in the Barcelona site. You need to minimize the use of the WAN connection during this process. What should you do?
A. Set the site link cost between the Valencia and Barcelona sites to 50. Promote ExamsheetsSrvB to be an additional domain controller in the Barcelona site.
B. Restore the backup files from the system state data on ExamsheetsSrvA to a folder on ExamsheetsSrvB and install Active Directory by running the dcpromo /adv command.
C. Promote ExamsheetsSrvB to be an additional domain controller by running the dcpromo command over the network.
D. Promote ExamsheetsSrvB to be an additional domain controller by using an unattended installation file.
Answer: B
Explanation:
We want to minimize the use of the WAN link. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller.
Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link. To use the install from media feature, you first create a backup of System State from the existing domain controller, then restore it to the new domain controller by using the Restore to: Alternate location option. In this scenario, we can restore the system state data to a member server, then use that restored system state data to promote the member server to a domain controller.
Incorrect Answers:
A: Site link costs are a mechanism for controlling replication traffic. In this scenario we need to install Active Directory, not control Active Directory replication.
C: Running the dcpromo command over the network will result in large amounts of traffic across the WAN link. We want to reduce this.
D: We could promote ExamsheetsSrvB to a domain controller by using an unattended installation; however, Active Directory would need to be synchronized with the Active Directory on ExamsheetsSrvA. This synchronization would result in WAN traffic that could be reduced by installing Active Directory from a backup.
References:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2: 26-28.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 294-6, 298-300.

Question: 62
You are a network administrator for Examsheets. The network consists of a single Active Directory forest that contains two domains and four sites.
All servers run Windows Server 2003. You are responsible for administering domain controllers in one site. Your site contains four domain controllers. The hard disk that contains the Active Directory database fails on a domain controller named EXAMSHEETS2. You replace the failed disk.
You need to recover EXAMSHEETS2. You need to achieve this goal without affecting existing Active Directory data. What should you do?
A. Perform a nonauthoritative restoration of the Active Directory database.
B. Perform an authoritative restoration of the Active Directory database.
C. Use the Ntdsutil utility to run the semantic database analysis command.
D. Use the Ntdsutil utility to run the restore subtree command.
Answer: A
Explanation:
You have four domain controllers in your site. You can simply perform a nonauthoritative restore of the Active Directory database. Any changes to the Active Directory database since the data was backed up will be replicated from another domain controller.
Incorrect Answers:
B: This is not necessary. This will overwrite the Active Directory database on the other domain controllers. The other domain controllers will have the most recent copies of the Active Directory database. These changes can be replicated to the failed machine.
C: You can use this process to generate reports on the number of records present in the Active Directory database, including deleted and phantom records. It is not used to restore the Active Directory database.
D: We need to restore the entire Active Directory database, not just a subtree of it.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 3: 44-48

Question: 63
You are the network administrator for Examsheets. You need to test a new application. The application requires 2 processors and 2 GB of RAM. The application also requires shared folders and installation of software on client computers. You install the application on a Windows Server 2003, Web Edition computer and install the application on 20 test client computers. You then discover that only some of the client computers can connect and run the application. You turn off some computers and discover that a computer that failed to open the application can now run the application.
You need to identify the cause of the failure and update your test plan. What should you do?
A. Increase the maximum number of worker processes to 20 for the default application pool.
B. Use Add/Remove Programs to add the Application Server Windows component.
C. Change the application pool identity to Local Service for the default application pool.
D. Change the test server operating system to Windows Server 2003, Standard Edition or Enterprise Edition.
Answer: D
Explanation:
Although Windows Server 2003, Web Edition supports up to 2 GB of RAM, it reserves 1 GB of it for the operating system; only 1 GB of RAM is available for the application. Therefore, we need to install Windows Server 2003, Standard Edition or Enterprise Edition to support enough RAM.
Incorrect Answers:
A, C: The application requires 2 GB of RAM; however, Windows Server 2003, Web Edition reserves 1 GB for the operating system, so only 1 GB of RAM is available for the application. Changing the application pool will not resolve this problem.
B: The Application Server component includes IIS and ASP. These would be part of the default installation on a Web server.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 28

Question: 64
You are the systems engineer for Contoso, Ltd. The network consists of a single Active Directory domain named Contoso.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The servers on the network are located in a physically secured room, which is located in a central data center building on the company campus. All servers have the Recovery Console installed and support firmware-based console redirection by means of their serial ports, which are connected to a terminal concentrator. The terminal concentrator is connected to the company network by means of a standard LAN connection. It is required that all servers can be managed remotely. All IT staff in the company can establish connections to the servers by means of either a Remote Desktop connection or the Windows Server 2003 Administration Tools, which are installed locally on their client computers. Company management now requires that several servers that have high-availability requirements must also be remotely managed in the event of system failures and when the Recovery Console is used. Company management also requires that these servers can be remotely managed when the servers are slow or are not responding to normal network requests.
You need to plan a remote management solution that complies with the new requirements. What should you do?
A.
On each highly available server, enable Emergency Management Services by adding the Redirect=COM1 and /redirect parameters to the Boot.ini file on each server and the EMSPort=COM1 and EMSBaudRate=9600 parameters to the Winnt.sif file on each server.
B. On each highly available server, configure the Telnet service with a startup parameter of Automatic. Set the number of maximum Telnet connections to match the number of administrators in the company. Add the administrators’ user accounts to the Telnet Clients security group.
C. Install IIS on each highly available server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service. Add the administrators’ user accounts to the HelpServicesGroup security group.
D. Use the netsh command to create an offline configuration script that contains the network parameters for out-of-band remote management. Copy this script to the C:\Cmdcons folder on each highly available server.
Answer: A
Explanation:
With Emergency Management Services, combined with the appropriate hardware, you can perform remote management and system recovery tasks, even when the server is not available through the standard remote administration tools and mechanisms. To enable Emergency Management Services after setting up a Windows Server 2003 operating system, you must edit the Boot.ini file to enable Windows loader console redirection and the Special Administration Console (SAC). The Boot.ini file controls startup; it is located on the system partition root.
Incorrect Answers:
B: Telnet is used to connect to a terminal concentrator through an in-band connection, which then connects to the server through an out-of-band connection. This is not what is required.
C: IIS allows users to access information using a number of protocols that are part of the TCP/IP suite. This does not comply with the requirements as stated.
D: Netsh is an interactive command-line utility that allows you to manage local or remote network configurations of active machines. Netsh also supports scripting, so you can create batch configurations that run against the local machine or a specified host on the network. You can also use the Netsh utility to generate a configuration script to use as a backup configuration or as an aid to configure new machines in an identical fashion. Netsh works with the existing components installed with the operating system by using helper dynamic link libraries (DLLs). But this is not what is required in this case.
References:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 3, p. 189
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8: 13

Question: 65
You are the network administrator for Examsheets. The network contains Windows Server 2003 servers configured in a 4-node server cluster. The cluster provides file services to 5,000 users and contains several terabytes of data files. Several thousand shared folders have been created on 16 virtual server groups by using dynamic File Share cluster resources. Many data files are updated, created, or deleted each day.
You need to create a backup strategy for both user data and the cluster configuration.
You need to ensure that your strategy limits the potential loss of data and the cluster configuration to one week and provides the quickest means of recovery. What should you do?
A. Perform a weekly ASR of the cluster node that owns the quorum resource. Perform a weekly backup of all data files to tape.
B. Perform a weekly ASR of every node in the cluster. Perform a weekly backup of all data files to tape.
C. Perform a weekly ASR on each cluster node that currently owns cluster groups containing data files.
D. Configure daily shadow copies of all volumes on cluster nodes.
E. Configure weekly shadow copies of all volumes on all cluster nodes.
Answer: A
Explanation:
The Backup program included in Windows Server 2003 contains a disaster recovery feature called ASR. When you run the Automated System Recovery Preparation Wizard, the software walks you through the process of creating a full backup of the server, and then prompts you to insert a floppy disk, which is used to create the boot device for the system. In the event of a disaster in which the entire contents of the system drive are lost, you simply insert the backup tape into the tape drive and boot from the floppy disk to completely restore the operating system. A cluster’s quorum contains the cluster’s configuration data, which nodes use to update their registries during the failback process. The quorum is included as part of the System State object, as long as the Clustering service is running on the computer.
Incorrect Answers:
B, C: You only need to back up the node containing the cluster’s quorum resource, because it contains the configuration data.
D, E: Shadow copies are designed to facilitate quick recovery from simple, day-to-day problems, not recovery from significant data loss.
References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286422&Product=winsvr2003
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 617

Question: 66
Your network contains a Windows Server 2003 computer named ExamSheetsC. ExamSheetsC has a single CPU, 512 MB of RAM, and a single 100 MB network adapter. All network users’ home folders are stored on ExamSheetsC. Users access their home folders by using a mapped network drive that connects to a shared folder on ExamSheetsC. After several weeks, users report that accessing home folders on ExamSheetsC is extremely slow at certain times during the day.
You need to identify the resource bottleneck that is causing the poor performance. What should you do?
A. Capture a counter log by using the LogicalDisk, PhysicalDisk, Processor, Memory, and Network Interface performance objects and view the log data that is captured during periods of poor performance.
B. Configure alerts on ExamSheetsC to log entries in the event logs for the LogicalDisk, PhysicalDisk, Processor, Memory, and Network Interface performance objects when the value of any object is more than 90.
C. Capture a trace log that captures Page faults, File details, Network TCP/IP, and Process creations/deletions events.
D. Implement auditing on the folder that contains the users’ home folders.
Configure Network Monitor on ExamSheetsC.
Answer: A
Explanation: The problem is most likely a hardware bottleneck: the disk, the processor, the RAM or the network adapter. You can monitor these resources with a counter log from Performance Logs and Alerts. The Windows Performance tool has two parts: System Monitor and Performance Logs and Alerts. System Monitor collects and displays real-time data about memory, disk, processor, network and other activity in graph, histogram or report form; a counter log records the same counters to a file, so that you can examine the period in which users report the slowdown. Counters worth recording here include Processor\% Processor Time, Memory\Pages/sec and Memory\Available MBytes, PhysicalDisk\Avg. Disk Queue Length and % Disk Time, and Network Interface\Bytes Total/sec. The log will show which hardware resource is unable to cope with the load and needs to be upgraded, replaced, or relieved of it.
Incorrect Answers:
B: A single threshold of 90 is meaningless across different objects: 90 pages per second, 90 percent processor time and 90 bytes per second on the network interface mean entirely different things, and an alert only records threshold crossings, not the trend you need to see.
C: A trace log records software events (page faults, file I/O, TCP/IP, process creation and deletion), not the hardware counters listed in answer A.
D: Auditing records who accessed which files, and Network Monitor records what went over the wire. Neither tells you which hardware resource is saturated.
Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Microsoft Press, Redmond, Washington, 2004, pp. 6: 25-28

Question: 67
Your network consists of a single Active Directory domain. ExamSheets has a main office in Denver and branch offices in Paris and Bogota. Each branch office contains a Windows Server 2003 domain controller. All client computers run Windows XP Professional. Users in the Bogota office report intermittent problems authenticating to the domain. You suspect that a specific client computer is causing the problem.
You need to capture the authentication event details on the domain controller in the Bogota office so that you can find out the IP address of the client computer that is the source of the problem. What should you do?
A. Configure System Monitor to monitor authentication events.
B. Configure Performance Logs and Alerts with a counter log to record the authentication events.
C. Configure Network Monitor to record the authentication events.
D. Configure Performance Logs and Alerts with an alert to trigger on authentication events.
Answer: C
Explanation: The question asks for the IP address of the client computer that is the source of the problem. Of the four options, only a Network Monitor capture on the domain controller records the source address of each Kerberos (port 88) or NTLM exchange, so you can see which client keeps failing. Filter the capture on the authentication traffic during the reported period and sort by source address. (On a Windows Server 2003 domain controller, auditing logon events also writes Kerberos audit events such as 672 and 675 that carry a Client Address field, which is often the quicker route, but that is not one of the choices here.)
Incorrect Answers:
A, B, D: System Monitor and Performance Logs and Alerts work with performance counters. A counter such as Kerberos authentications per second shows volume, not which client sent the request, so none of these will reveal the client's IP address.
Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;175062
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 826

Question: 68
You have just installed two Windows Server 2003 computers. You configure the servers as a two-node server cluster. You install WINS on each node of the cluster. You create a new virtual server to support WINS. You create a new cluster group named WINSgroup. When you attempt to create the Network Name resource, you receive an error message. You need to make the proper changes to the cluster to complete the installation of WINS. What should you do?
A. Create a Generic Service resource in the WINSgroup cluster group.
B.
Configure the network priorities for the cluster.
C. Create an IP Address resource in the WINSgroup cluster group.
D. Add the proper DNS name for the WINS server to the DNS database.
Answer: C
Explanation: A Network Name resource depends on an IP Address resource in the same group: the name is registered against that address, so the IP Address resource must exist before the Network Name resource can be created and brought online. Create the IP Address resource in WINSgroup first, then the Network Name resource with a dependency on it, and then the WINS Service resource that depends on both.
Incorrect Answers:
A: Applications or services that do not provide their own resource DLL can be brought into the cluster by using the generic resource DLL; the Cluster service then treats them as cluster-unaware applications or services. WINS has its own resource type, and in any case the absence of a Generic Service resource does not prevent the creation of a Network Name resource.
B: If cluster nodes can communicate over multiple networks, the network priority only specifies the order in which the nodes try those networks for internal cluster communication. It has no bearing on creating resources.
D: Name resolution is not required to create a Network Name resource; the cluster registers the name itself once the resource comes online.
Reference: Robert J. Shimonski, Windows Server 2003 Clustering & Load Balancing, Osborne/McGraw-Hill, 2003, Chapter 3: Designing a Clustered Solution with Windows Server 2003.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/enus/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/enus/SAG_MSCS2planning_4.asp

Question: 69
You are the administrator of the Examsheets company network. The network consists of a single Active Directory domain. The network includes 20 servers running Windows Server 2003 and 300 client computers running either Windows XP Professional or Windows 2000 Professional. You install a new member server named Examsheets3 for use by the Finance department. Examsheets3 runs Windows Server 2003. You install a Finance application that runs as a service on Examsheets3.
When you restart Examsheets3, the logon screen does not appear. You attempt to restart Examsheets3 by using Safe Mode, and then again by using the Last Known Good Configuration. Both attempts are unsuccessful; all Safe Mode options fail. You reinstall Examsheets3 by using a clean installation of Windows Server 2003. You discover that the Finance application is not compatible with a security update. You install a patch provided by the Finance software manufacturer. Examsheets3 restarts successfully and the Finance software now runs as a service. You want to prevent this type of problem from happening again, and you want to configure the existing servers so that you can quickly recover from this type of failure. What should you do?
A. Always install services by using Add or Remove Programs.
B. On each server, install and use the Recovery Console.
C. On each server, create an Automated System Recovery (ASR) disk.
D. The next time the problem occurs, use Device Driver Roll Back.
Answer: B
Explanation:
1. We know that the service causes the failure.
2. We want the minimum of time and the minimum of data loss.
3. We want a solution for all servers.
4. We want to make sure that other services that fail do not cause the same kind of outage.
From the Recovery Console you can disable the offending service (disable <servicename>) and then start Windows normally, which is exactly the recovery this failure needs and avoids a reinstall. This method is recommended only for an administrator who can use basic commands to identify and locate problem drivers and files. To use the Recovery Console, start the computer from the installation CD and press R when prompted during text-mode Setup; to avoid needing the CD at all, preinstall it on each server with winnt32 /cmdcons, after which it appears on the startup menu. From the Recovery Console you can access the drives on the computer and make any of the following changes so that the computer can start:
• Enable or disable device drivers or services (listsvc, enable, disable).
• Copy files from the installation CD for the operating system, or copy files from other removable media.
For example, you can copy an essential file that had been deleted.
• Create a new boot sector and a new master boot record (fixboot, fixmbr).
Incorrect Answers:
A: Add or Remove Programs manages installed software; it cannot stop a service that prevents the operating system from starting.
C: ASR restores only the system partition, from a full backup; it is slower than disabling one service, loses every change made since the backup was taken, and does nothing to stop the next incompatible service from causing the same outage. Other partitions must be backed up with Backup or other means anyway.
D: Driver Roll Back is done through Device Manager and restores a driver that was previously configured for a device. It does not apply to services, and Device Manager is unreachable when the logon screen never appears.
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 10

Question: 70
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. The functional level of the domain is Windows Server 2003. The network contains 100 Windows XP Professional computers. You configure a wireless network that requires IEEE 802.1x certificate-based authentication. Only 10 of the client computers are approved for wireless network access. You need to enable the approved computers to access the wireless network while restricting access for all other computers. What should you do?
A. Establish an enterprise certification authority (CA) for the domain. Create a global group that contains the user accounts for the employees who will use the approved computers. Create a certificate template for IEEE 802.1x authentication. For the global group, configure autoenrollment for certificates based on the certificate template.
B. Establish an enterprise certification authority (CA) for the domain. Create a global group that contains the approved computer accounts. Create a certificate template for IEEE 802.1x authentication.
For the global group, configure autoenrollment for certificates based on the certificate template.
C. Create a global group that contains the user accounts for the employees who will use the approved computers. Configure the security permissions for the Default Domain Policy Group Policy object (GPO) so that only the new global group can apply the GPO settings. Establish an enterprise certification authority (CA) for the domain.
D. Create a global group that contains the approved computer accounts. Configure the security permissions for the Default Domain Controllers Policy Group Policy object (GPO) so that only the new global group can apply the GPO settings. Establish an enterprise certification authority (CA) for the domain.
Answer: B
Explanation: The question states that only 10 of the client computers are approved for wireless network access, so the access decision must be made on the computer's identity, not on the user's. With certificate-based 802.1x (EAP-TLS), a client can authenticate only if it holds a certificate issued for that purpose. If only the approved computer accounts can autoenroll for the 802.1x template (Read, Enroll and Autoenroll granted to the global group and to nobody else), only those computers ever obtain a certificate, and every other computer is refused by the RADIUS (IAS) server. An enterprise CA is required because certificate templates and autoenrollment are available only from an enterprise CA. When planning Active Directory for wireless clients, identify the user and computer accounts that will use the wireless network, add them to a group that a remote access policy will reference, and decide how remote access permission is set on those accounts. The wireless network policy also lets you specify how computer authentication works together with user authentication:
• If you select Computer only, authentication is always performed with the computer credentials. User authentication is never performed.
• If you select With user re-authentication (recommended), when no user is logged on, authentication is performed with the computer credentials. After a user logs on to the computer, authentication is performed with the user credentials.
When the user logs off, authentication is again performed with the computer credentials.
• If you select With user authentication, when no user is logged on, authentication is performed with the computer credentials. After a user logs on, the existing authentication is maintained with the computer credentials; only when the user roams to a new wireless access point is authentication performed with the user credentials.
A global group is a security or distribution group that can contain users, groups and computers from its own domain as members. Global security groups can be granted rights and permissions for resources in any domain in the forest. So: establish an enterprise CA for the domain, create a global group that contains all approved computer accounts, and configure autoenrollment of the IEEE 802.1x certificate template for that group.
Incorrect answers:
A, C: The new global group must contain the approved computer accounts, not the user accounts of the employees who use them; a user certificate would let an approved employee connect from any computer.
D: A global group of the approved computer accounts is the right start, but the Default Domain Controllers Policy applies to domain controllers, not to client computers, and filtering a GPO issues no certificates; you still have to configure autoenrollment of the IEEE 802.1x certificate template.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 803-805

Question: 71
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All domain controllers and all application servers run Windows Server 2003. Client computers in the accounting department run Windows XP Professional. Client computers in the engineering department run Windows 2000 Professional.
Client computers in the sales department run either Windows NT Workstation 4.0 or Windows 98. All client computers access data files on the application servers. You need to plan the method of securing the data transmissions for the client computers. You want to ensure that the data is not modified while it is transmitted between the application servers and the client computers. You also want to protect the confidentiality of the data, if possible. What should you do? To answer, drag the appropriate method or methods to the correct department's client computers.
Answer:
Accounting (Windows XP Professional): IPSec
Engineering (Windows 2000 Professional): IPSec
Sales (Windows NT Workstation 4.0 and Windows 98): SMB signing
Explanation: IPSec is available on Windows 2000 and Windows XP, but the legacy clients cannot use it for ordinary LAN traffic; the only IPSec support for them is the L2TP/IPSec VPN client. Sales runs Windows NT 4.0 and Windows 98, so for that department we use SMB signing, which gives integrity (modified packets are detected and dropped) but not confidentiality. Windows 2000 and Windows XP support both methods, and because the question also asks for confidentiality where possible, IPSec is the choice for them: IPSec ESP provides both integrity and encryption, whereas SMB signing provides integrity only. On Windows 2000 and XP, SMB signing is enforced by local or domain policy (the "Microsoft network client: Digitally sign communications (always)" and "Microsoft network server: Digitally sign communications (always)" security options). On the legacy clients it must be enabled in the registry: Windows NT 4.0 needs Service Pack 3 or later (KB 161372), and Windows 98 includes an updated SMB implementation that supports signing (KB 230545). SMB signing costs performance, because every packet must be signed by the sender and verified by the receiver; the decrease usually averages 10 to 15 percent, so it should be enabled only where network security is a concern. (Its main benefit, beyond integrity, is that it defeats SMB relay and man-in-the-middle attacks against file servers.)
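As an added illustration of the integrity-only property that decides the answer above (this is example code written for this page, not Microsoft's SMB implementation), the following Python models per-packet signing the way SMB signing does it: each frame carries a sequence number and a keyed digest computed over the session key, the sequence number and the payload, and the receiver rejects any frame whose digest or sequence number does not match. Real SMB signing uses an MD5 digest over the session key and the SMB message; this model substitutes HMAC-SHA256 and an explicit 4-byte sequence header, so the byte layout and the session key are the example's own. Note what the model does not do: the payload still crosses the wire in clear, which is why the Windows 2000 and XP clients get IPSec instead.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # SMB signing truncates the digest to 8 bytes; the model does the same


class SigningSession:
    """One side of a signed session. Each side keeps its own send and receive
    sequence counters, which must stay in step with its peer."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0
        self.recv_seq = 0

    def _tag(self, seq_header: bytes, payload: bytes) -> bytes:
        # Keyed digest over (sequence number || payload). HMAC-SHA256 is the
        # model's choice; SMB signing uses MD5(session key || message).
        return hmac.new(self.key, seq_header + payload, hashlib.sha256).digest()[:TAG_LEN]

    def sign(self, payload: bytes) -> bytes:
        """Wrap a payload as [4-byte seq][8-byte tag][payload]."""
        header = struct.pack(">I", self.send_seq)
        self.send_seq += 1
        return header + self._tag(header, payload) + payload

    def verify(self, frame: bytes) -> bytes:
        """Return the payload, or raise if the frame was modified or replayed."""
        if len(frame) < 4 + TAG_LEN:
            raise ValueError("frame too short to carry a signature")
        header, tag, payload = frame[:4], frame[4:4 + TAG_LEN], frame[4 + TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(header, payload)):
            raise ValueError("signature mismatch: frame was modified in transit")
        (seq,) = struct.unpack(">I", header)
        if seq != self.recv_seq:
            raise ValueError(f"sequence {seq} != expected {self.recv_seq}: replay or gap")
        self.recv_seq += 1
        return payload


def tamper(frame: bytes, offset: int) -> bytes:
    """Flip one bit at a payload offset, as an on-path attacker would."""
    pos = 4 + TAG_LEN + offset
    return frame[:pos] + bytes([frame[pos] ^ 0x01]) + frame[pos + 1:]


def demo() -> dict:
    """Run one client->server exchange and report what the server observed."""
    # Constructed session key; in SMB it is derived during authentication.
    key = hashlib.sha256(b"constructed session key, derived at logon").digest()
    client, server = SigningSession(key), SigningSession(key)
    results = {}

    frame = client.sign(b"WRITE salary.xls: bonus=1000")
    results["accepted"] = server.verify(frame)            # clean frame passes
    results["cleartext_visible"] = b"bonus=1000" in frame  # but is readable on the wire

    forged = tamper(frame, len(b"WRITE salary.xls: bonus="))  # change the amount
    try:
        server.verify(forged)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    try:
        server.verify(frame)                               # same frame sent again
        results["replay_detected"] = False
    except ValueError:
        results["replay_detected"] = True

    results["next_accepted"] = server.verify(client.sign(b"CLOSE salary.xls"))
    return results


if __name__ == "__main__":
    print(demo())
```

The same exchange over IPSec ESP would add what this model lacks: the payload bytes would be encrypted, so an observer on the sales segment would see neither the file name nor the amount.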
Windows NT 4.0 Service Pack 3 provides an updated version of the Server Message Block (SMB) authentication protocol, also known as the Common Internet File System (CIFS) file sharing protocol.
IPSec: The Internet Protocol Security (IPSec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by address, protocol and port, and as an administrative tool that secures communications transparently to the programs that use them. Its filters are what trigger the negotiation of security for IPSec transport mode or tunnel mode, primarily in intranet environments where machine trust is available from the Kerberos service, or on specific paths across the Internet where public key infrastructure (PKI) certificates can be used. IPSec is not supported on the legacy clients except through the L2TP/IPSec VPN client.
Reference: http://www.microsoft.net/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 9, p. 646
Knowledge Base articles: SMB signing on Windows NT 4.0, KB 161372; SMB signing on Windows 98, KB 230545

Question: 72
You are the network administrator for Examsheets. The network consists of an internal network and a perimeter network. The internal network is protected by a firewall. The perimeter network is exposed to the Internet. You are deploying 10 Windows Server 2003 computers as Web servers. The servers will be located in the perimeter network. The servers will host only publicly available Web pages.
You want to reduce the possibility that users can gain unauthorized access to the servers. You are concerned that a user will probe the Web servers and find ports or services to attack. What should you do?
A. Disable File and Printer Sharing on the servers.
B. Disable the IIS Admin service on the servers.
C. Enable Server Message Block (SMB) signing on the servers.
D. Assign the Secure Server (Require Security) IPSec policy to the servers.
Answer: A
Explanation: Reducing the attack surface means removing every listening service the servers do not need. Public Web servers need only HTTP and HTTPS. The File and Printer Sharing for Microsoft Networks component is the equivalent of the Server service in Windows NT 4.0: it is installed and bound by default on LAN connections, is enabled per connection, and is what makes local folders, printers, named pipes and the IPC$ share reachable by other computers over a Microsoft network (TCP 445 and, with NetBIOS over TCP/IP, TCP 139). Web pages are served over HTTP or HTTPS, not over a Microsoft LAN, so nobody on the Internet should be able to reach that service. Disable the component on the perimeter-facing connections, confirm with netstat -an that 139 and 445 are no longer listening, and filter those ports at the firewall as well, so that a probe from the Internet never reaches them even if the setting is later reverted.
Incorrect Answers:
B: The IIS Admin service is needed to administer the Web servers, and in IIS 6 the World Wide Web Publishing Service depends on it. It could be disabled, but disabling File and Printer Sharing removes a much larger exposure.
C: SMB signing verifies that SMB data has not been changed in transit. It does not remove the listening service, so it does not reduce the possibility that a probing user finds a port to attack.
D: Secure Server (Require Security) would require IPSec for all traffic, which would prevent computers on the Internet from reaching the public Web pages at all.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W.
Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, pp. 126-127

Question: 73
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All computers on the network are members of the domain. All servers run Windows Server 2003 and all client computers run Windows XP Professional. You are planning a security update infrastructure. You need to find out which computers are exposed to known vulnerabilities. You need to collect the information on existing vulnerabilities for each computer every night. You want this process to occur automatically. What should you do?
A. Schedule the secedit command to run every night.
B. Schedule the mbsacli.exe command to run every night.
C. Install Microsoft Baseline Security Analyzer (MBSA) on one of the servers. Configure Automatic Updates on all other computers to use that server.
D. Install Software Update Services (SUS) on one of the servers. Configure the SUS server to update every night.
Answer: B
Explanation: mbsacli.exe is the command-line interface of MBSA. It scans one computer, a range of addresses or a whole domain (for example mbsacli /d Examsheets.net) for missing security updates and common misconfigurations, and writes its results to report files, so a Scheduled Task that runs it every night under an account that is a local administrator on every target gives you the nightly vulnerability inventory without changing anything on the computers.
Incorrect Answers:
A: secedit analyzes or applies the local security configuration against a template; it does not report missing security updates.
C: MBSA is a scanner, not an update source; Automatic Updates cannot be pointed at it.
D: SUS distributes approved updates. It does not inventory which computers are exposed to known vulnerabilities, and the question asks for information to plan with, not for updates to be installed.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p.
830

Question: 74
Your network contains Terminal Servers that host legacy applications which require users to be members of the Power Users group in order to run. A new company policy states that the Power Users group must be empty on all servers. You need to maintain the ability to run the legacy applications on your servers when the new security requirement is enabled. What should you do?
A. Add the Domain Users global group to the Remote Desktop Users built-in group in the domain.
B. Add the Domain Users global group to the Remote Desktop Users local group on each Terminal Server.
C. Modify the compatws.inf security template settings to allow members of the local Users group to run the applications. Import the security settings into the Default Domain Controllers Policy Group Policy object.
D. Modify the compatws.inf security template settings to allow members of the local Users group to run the applications. Apply the modified template to each Terminal Server.
Answer: D
Explanation: The default Windows 2000 and Windows Server 2003 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have settings that are compatible with Windows NT 4.0 user permissions. This lets certified applications run in the standard environment for Users, while applications that are not certified still run under the less secure Power Users configuration. Making users members of Power Users just to run such applications is too insecure for some environments: Power Users can, among other things, install software and write to many system directories and HKLM keys. Such organizations prefer to keep users as members of the Users group only, and instead lower the permissions on the specific files, folders and registry keys that the legacy applications need. The compatible template (compatws.inf) is designed for exactly that.
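Because the policy in this question is "Power Users must be empty on all servers", a practitioner will want to verify it rather than trust that a template did the right thing. The following Python is an added example for this page (not Microsoft code, and not a copy of compatws.inf): it reads the [Group Membership] section of a secedit-format template or of a configuration exported with secedit /export /cfg, lists any members the Power Users group (S-1-5-32-547) still has, and rewrites the template so that applying it empties the group, the way compatws.inf does. SAMPLE_INF is constructed for the example; its section and key layout follows the secedit template format, in which restricted groups appear as *<SID>__Members and *<SID>__Memberof lines.

```python
"""Check a secedit-format template or exported configuration for the
'Power Users must be empty' requirement.

In the [Group Membership] section a restricted group looks like
    *<SID>__Members  = <member>,<member>,...
    *<SID>__Memberof = <group>,<group>,...
with members written as *<SID> or as NAME strings. Applying a template whose
__Members line for a group is empty removes every member of that group.
"""
import re

POWER_USERS_SID = "S-1-5-32-547"          # BUILTIN\Power Users
REMOTE_DESKTOP_USERS_SID = "S-1-5-32-555"  # BUILTIN\Remote Desktop Users

# Constructed export from a terminal server whose Power Users group is still
# populated (one domain group by SID, one local service account by name).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1000-2000-3000-513,EXAMSHEETS\\FinanceApp
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1000-2000-3000-513
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
"""

_KEY_RE = re.compile(r"^\*?(?P<sid>S-1-[0-9-]+)__(?P<kind>Members|Memberof)$", re.I)


def parse_sections(text):
    """Parse the INI-style template into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def parse_group_membership(text):
    """Return {sid: {"Members": [...], "Memberof": [...]}} from [Group Membership]."""
    groups = {}
    for key, value in parse_sections(text).get("Group Membership", []):
        m = _KEY_RE.match(key)
        if not m:
            continue
        entries = [e.strip() for e in value.split(",") if e.strip()]
        group = groups.setdefault(m.group("sid").upper(), {"Members": [], "Memberof": []})
        group[m.group("kind").capitalize()] = entries
    return groups


def power_users_violations(text):
    """Members that must be removed to satisfy the policy.

    A template that does not restrict Power Users at all is also reported,
    because applying it would leave any existing members in place."""
    groups = parse_group_membership(text)
    if POWER_USERS_SID not in groups:
        return ["<Power Users not restricted by template>"]
    return list(groups[POWER_USERS_SID]["Members"])


def enforce_empty_power_users(text):
    """Return a copy of the template whose Power Users __Members line is empty."""
    out, in_gm, gm_present, done = [], False, False, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_gm and not done:  # leaving the section without having seen the key
                out.append(f"*{POWER_USERS_SID}__Members =")
                done = True
            in_gm = stripped == "[Group Membership]"
            gm_present = gm_present or in_gm
        elif in_gm and "=" in stripped:
            m = _KEY_RE.match(stripped.split("=", 1)[0].strip())
            if m and m.group("sid").upper() == POWER_USERS_SID and m.group("kind").lower() == "members":
                out.append(f"*{POWER_USERS_SID}__Members =")
                done = True
                continue
        out.append(raw)
    if not done:  # section was last in the file, or absent altogether
        if not gm_present:
            out.append("[Group Membership]")
        out.append(f"*{POWER_USERS_SID}__Members =")
    return "\n".join(out) + "\n"
```

Run power_users_violations over the output of secedit /export /cfg on each Terminal Server after the template has been applied; the list should be empty on every one of them, while the Remote Desktop Users entry is left as it was.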
By lowering the security levels on specific files, folders and registry keys that are commonly accessed by applications, the compatible template allows most such applications to run successfully in a User context. In addition, because it is assumed that the administrator applying the compatible template does not want users to be Power Users, the template's [Group Membership] section empties the Power Users group, which is exactly what the new policy requires. Apply the modified template on each Terminal Server with secedit /configure /db compat.sdb /cfg compatws.inf (or through a GPO linked to the Terminal Servers' OU), and verify afterwards with secedit /analyze or the Security Configuration and Analysis snap-in.
Incorrect Answers:
A, B: Membership in Remote Desktop Users only grants the right to log on through Terminal Services. It does not change the file and registry permissions the legacy applications need, so the applications still fail once Power Users is emptied.
C: The compatws.inf template is not intended for domain controllers, so you should not import it into the Default Domain Controllers Policy or link it to a site or to the domain; the Terminal Servers are member servers and would not receive the Domain Controllers policy anyway.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8:5
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Chapter 9.

Question: 75
You are the network administrator for Examsheets. The network contains Windows Server 2003 computers and Windows XP Professional clients. All computers are members of the same Active Directory forest. The company uses a Public Key Infrastructure (PKI)-enabled application to manage marketing data. Certificates used with this application are managed by the application administrators. You install Certificate Services to create an offline stand-alone root CA on one Windows Server 2003 server.
You configure a second Windows Server 2003 server as a stand-alone subordinate CA. You instruct users in the marketing department to enroll for certificates by using the Web enrollment pages on the stand-alone subordinate CA. Some users report that when they attempt to complete the enrollment process, they receive an error message on their certificate stating: "This certificate cannot be verified up to a trusted certification authority". Other users in the marketing department do not report the error. You need to ensure that users in the marketing department do not continue to receive this error. You also need to ensure that users in the marketing department trust certificates issued by this CA. You create a new OU named Marketing. What else should you do?
A. Place all marketing department computer objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. Publish the root CA's certificate in the Trusted Root Certification Authorities section of the GPO.
B. Place all marketing department user objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. In the User Configuration section of the GPO, configure a certificate trust list (CTL) that contains the subordinate CA's certificate.
C. Place all marketing department computer objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. In the Computer Configuration section of the GPO, configure a certificate trust list (CTL) that contains the subordinate CA's certificate.
D. Place all marketing department user objects in the Marketing OU. Create a new GPO and link it to the Marketing OU.
In the User Configuration section of the GPO, configure a certificate trust list (CTL) that contains the root CA's certificate.
Answer: D
Explanation: The error means that the chain from the issued certificate cannot be built up to a root that the user trusts. Because the root is an offline stand-alone CA, its certificate is not published to Active Directory automatically, so trust depends on what each user's profile happens to contain, which is why only some users see the error. The fix is to distribute trust in the root CA (not in the subordinate; the subordinate is trusted through its own chain to the root) to the marketing users with a Group Policy object: place the marketing user objects in the Marketing OU, link the GPO there, and configure the trust under User Configuration. A certificate trust list (CTL) is a signed list of root certification authority certificates that an administrator considers trustworthy for designated purposes; it must be signed with a Trust List Signing certificate, and the client then treats the listed root as trusted for those purposes.
Incorrect Answers:
A: The Trusted Root Certification Authorities policy setting is available only under Computer Configuration, so this option scopes trust to the marketing computers, whereas the question asks that the marketing users trust the CA; a marketing user who logs on to a computer outside the Marketing OU would still receive the error. (Outside this question, publishing an offline root's certificate to the machine store through that setting, or with certutil -dspublish -f RootCA.cer RootCA, is the usual deployment.)
B, C: Trust must be anchored at the root CA certificate. Listing only the subordinate CA's certificate gives the client no trusted root to verify the chain against, so the error persists.
Reference: Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, pp. G-10.

Question: 76
You are the network administrator for Litware, Inc. The company's written security policy requires that you maintain a copy of all private keys issued by Examsheets's enterprise root CA. You create a duplicate of the User template named Employee and configure the template as shown in the Employee Properties exhibit (not reproduced here). You configure the CA to archive private keys by using a Key Recovery Agent certificate. You create a test user account named Peter and request a new Employee certificate. You issue the certificate to Peter.
You reinstall the operating system on your test computer and attempt to recover Peter's private key. Your attempt fails and generates the following error message:
C:\>certutil -GetKey
CertUtil: -GetKey command FAILED
CertUtil: Cannot find object or property.
You need to ensure that future attempts to recover private keys associated with Employee certificates succeed. What should you do?
A. Using Group Policy, deploy a copy of the Key Recovery Agent certificate to all client computers.
B. In the Employee template, select the Archive subject's encryption private key check box.
C. In the Employee template, select the Allow private key to be exported check box.
D. Run the certutil -dspublish command to publish the Key Recovery Agent certificate to Active Directory.
Answer: B
Explanation: Key archival needs two things: the CA must be configured with a key recovery agent, which has been done, and the certificate template must ask for archival, which is the Archive subject's encryption private key option on the template's Request Handling tab. Without it, the client never sends its private key to the CA, nothing is stored in the CA database, and certutil -GetKey has no archived key to return, hence "Cannot find object or property". Allowing the private key to be exported (C) only lets the user export the key from his own profile; it does not archive it at the CA. Deploying or publishing the KRA certificate (A, D) does not change what the template asks the client to do.

Question: 77
You are the network administrator for Contoso. The network consists of a single Active Directory domain named Examsheets.net. All computers on the network are members of the domain. You are planning a Public Key Infrastructure (PKI) for the company. You want to deploy smart cards for all users in the domain. You want the members of a new group named Smartcard Agents to be able to issue smart cards for all users. You create a new global group named Smartcard Agents. You install an enterprise certification authority (CA) on a Windows Server 2003 computer named Server1. You create a duplicate of the Enrollment Agent certificate template and change the validity period of the new certificate template to three years. The name of the new certificate template is SmartCard Enrollment. The configuration of the permissions for the certificate template is shown in the exhibit (not reproduced here). You want to ensure that members of the Smartcard Agents group can request SmartCard Enrollment certificates. What should you do?
A.
Assign the Smartcard Agents group the Allow Autoenroll permission for the SmartCard Enrollment certificate template.
B. Add the Enrollment Agent certificate template to the list of superseded templates on the SmartCard Enrollment certificate template.
C. Configure the enterprise CA to enable the SmartCard Enrollment certificate template.
D. Configure the enterprise CA to assign the Certificate Manager role to the Smartcard Agents group.
E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web enrollment pages to request certificates.
Answer: B
Explanation: The Superseded Templates tab defines which existing templates the current template replaces. Adding the Enrollment Agent template to the superseded list of the SmartCard Enrollment template tells clients and the CA that SmartCard Enrollment is now the template to use for that purpose (the Certificate Request Agent key usage) in place of the original, so the Smartcard Agents request the new three-year certificate instead of the built-in one.
Incorrect Answers:
A: Autoenroll is not needed to request a certificate manually (Read and Enroll suffice), and autoenrolling the group would still clash with the original Enrollment Agent template, which is why the latter has to be superseded.
C: A duplicated template does have to be added to the CA's Certificate Templates folder before the CA will issue it, but that is a prerequisite for every new template; it does not resolve the overlap with the existing Enrollment Agent template that this question is about.
D: The Certificate Manager role lets the group issue, approve and revoke certificates; it does not let them request enrollment agent certificates.
E: Web enrollment is not the mechanism in question; the Smartcard Agents can request the certificate from the Certificates snap-in once the template is available to them.
Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;313490
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12

Question: 78 (drag and drop)
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003 and all client computers run Windows XP Professional.
You need to implement the capabilities and requirements in the following table for the users and computers: Type of user or Computer Domain users Security global group Human recourses servers VPN Server Capability or Requirement Smart card logon required for all users Ability to issue smart cards to all domain users Certificate based IPSec encryption required for all data transmissions L2TP Required All client computers are portable computers and need to connect to the VPN servers and to the HR resource servers You configure a PKI to support the domain users and computers. You need to specify which type of certificate, if any each type of user or computer requires What should you do? Page 85 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 Answer: Explanation: IPSec should be enabled on the HR servers, VPN servers and the client computers. The Smart Card certificates are issued to the users, not the computers. The Security group needs Enrollment Agents certificates. Smart Card Logon is integrated with the Kerberos version 5 authentication protocol implemented in Windows Server 2003. When smart card logon is enabled, the system recognizes a smart-card insertion event as an alternative to the standard Ctrl + Alt + Del secure attention sequence to initiate a logon. The user is then prompted for the smart card PIN code, which controls access to operations performed by using the private key stored on the smart card. In this system, the smart card also contains a copy of the certificate of the user (issued by an enterprise CA). This allows the user to roam within the domain. Smart cards enhance the security of your organization by allowing you to store extremely strong credentials in an easy-to-use form. 
Requiring a physical smart card for authentication virtually eliminates the potential for spoofing the identities of your users across a network. In addition, you can also use smart card applications in conjunction with virtual private networks and certificate mapping, and in e-commerce. For many organizations, the potential to use smart cards for logon is one of the most compelling reasons for implementing a public key infrastructure. Enroll clients - To participate in a PKI, users, services, and computers must request and receive certificates from an issuing CA. Typically, enrollment is initiated when a requester provides unique identifying information and a newly generated public key. Page 86 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 The CA administrator or enrollment agent uses this unique identifying information to authenticate the identity of the requester before issuing a certificate. The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p. 899 Question: 79 You are the network administrator for Contoso, Ltd. All servers run Windows Server 2003. All client computers run Windows XP Pro. All computers are connected to the network by using wireless access points. You configure a CA. You require certificate based IEEE 802.1X authentication on the wire access point. 
You need to enable all computers to communicate on the wireless network. What are two possible ways to complete this task?

A. Enter a 128-bit WEP key on the wireless access point and on the computers.
B. In the Wireless Network Connection properties on each computer, select the The key is provided for me automatically check box.
C. Temporarily connect each computer to an available Ethernet port on the wireless access point and install a computer certificate.
D. Install a computer certificate on each computer by using a floppy disk.

Answer: C, D

Explanation:
802.1X authentication is an Institute of Electrical and Electronics Engineers (IEEE) standard for port-based network access control that provides authenticated network access to Ethernet networks and wireless 802.11 local area networks (LANs). A PKI using computers running Windows Server 2003 can create certificates that support wireless network authentication. The increasing popularity of wireless local area networking (LAN) technologies, such as those based on the 802.11 standard, raises an important security issue. When you install a wireless LAN, you must make sure that only authorized users can connect to the network and that no one can eavesdrop on the wireless communications. You can use the Windows Server 2003 PKI to protect a wireless network by identifying and authenticating users before they are granted access to the network.

Incorrect Answers:
A: WEP depends on encryption keys that are generated by a mechanism external to WEP itself, not on certificates.
B: This option depends on encryption keys as well.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 801-805

Question: 80

You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named ExamsheetsA. You are planning a public key infrastructure (PKI) for the company. You want to deploy an enterprise certification authority (CA) on ExamsheetsA. You create a new global security group named Exam Approvers. You install an enterprise CA and configure the CA to issue Key Recovery Agent certificates. The company's written security policy states that issuance of a Key Recovery Agent certificate requires approval from a member of the Exam Approvers group. All other certificates must be issued automatically. You need to ensure that members of the Exam Approvers group can approve pending enrolment requests for a Key Recovery Agent certificate. What should you do?

A. Assign the Exam Approvers group the Allow - Enroll permission for the Key Recovery Agent template.
B. Assign the Exam Approvers group the Allow - Issue and Manage Certificates permission for the CA.
C. For all certificate managers, add the Exam Approvers group to the list of managed subjects.
D. Add the Exam Approvers group to the existing Exam Publishers group in the domain.
E. Assign the Exam Approvers group the Allow - Full Control permission for the Certificate Templates container in the Active Directory configuration naming context.

Answer: B

Explanation:
In order to approve certificates you need certificate manager rights. In order to get those rights you need the Issue and Manage Certificates permission. The choice between automatic enrolment and waiting for approval is made on the certificate template (in this case the Key Recovery Agent template).

Incorrect Answers:
A: This will allow enrollment only.
C: This would affect all certificate managers.
D: The Exam Publishers group is meant to include only the CA servers.
E: There is no need to give them Full Control of the certificate templates when we have role separation in the Windows Server 2003 PKI.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 887

Question: 81

You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for the company. You want to ensure that users who log on to the domain receive a certificate that can be used to authenticate to Web sites. You create a new certificate template named User Authentication. You configure a Group Policy object (GPO) that applies to all users. The GPO specifies that user certificates must be enrolled when the policy is applied. You install an enterprise certification authority (CA) on a computer that runs Windows Server 2003. Users report that when they log on, they do not have certificates to authenticate to Web sites that require certificate authentication. You want to ensure that users receive certificates that can be used to authenticate to Web sites. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. On the User Authentication certificate template, select the Reenroll All Certificate Holders command.
B. Assign the Domain Users group the Allow - Autoenroll permission for the User Authentication certificate template.
C. Configure the CA to enable the User Authentication certificate template.
D. Assign the Domain Users group the Allow - Issue and Manage Certificates permission for the CA.

Answer: B, C

Explanation:
For users to request certificates from an enterprise CA, they must have permission to use the templates corresponding to the certificates they need.

Incorrect Answers:
A: Only used when critical changes have been made to a certificate template and you want them to apply to all users immediately.
D: This would be a security risk, since users shouldn't be allowed management permissions.

Reference:
Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, pp. 25-14.

Question: 82

You are a network administrator for Examsheets. The network consists of a single Windows 2000 Active Directory forest that has four domains. All client computers run Windows XP Professional. The company's written security policy states that all e-mail messages must be electronically signed when sent to other employees. You decide to deploy Certificate Services and automatically enroll users for e-mail authentication certificates. You install Windows Server 2003 on two member servers and install Certificate Services. You configure one Windows Server 2003 computer as a root certification authority (CA). You configure the other Windows Server 2003 server as an enterprise subordinate CA. You open Certificate Templates on the enterprise subordinate CA, but you are unable to configure certificate templates for autoenrollment. The Certificate Templates administration tool is shown in the exhibit.
You need to configure Active Directory to support autoenrollment of certificates. What should you do?

A. Run the adprep /forestprep command on the schema operations master.
B. Place the enterprise subordinate CA's computer account in the Exam Publishers domain local group.
C. Run the adprep /domainprep command on a Windows 2000 Server domain controller that is in the same domain as the enterprise subordinate CA.
D. Install Active Directory on the Windows Server 2003 member server that is functioning as the enterprise subordinate CA. Configure this server as an additional domain controller in the Windows 2000 Active Directory domain.

Answer: A

Explanation:
The autoenrollment feature has several infrastructure requirements. These include:
• Windows Server 2003 schema and Group Policy updates
• Windows 2000 or Windows Server 2003 domain controllers
• Windows XP clients
• Windows Server 2003, Enterprise Edition running as an enterprise certification authority (CA)

In this question, we have a Windows 2000 domain; therefore, we have Windows 2000 domain controllers. The enterprise CA is running on a Windows Server 2003 member server, which will work fine only if the forest schema is a Windows Server 2003 schema. We can update the forest schema with the adprep /forestprep command.

Incorrect Answers:
B: This happens automatically in the domain in which the CAs are installed.
C: The adprep /domainprep command prepares a Windows 2000 domain for an upgrade to a Windows Server 2003 domain. We are not upgrading the domain, so this isn't necessary.
D: The CA doesn't have to be installed on a domain controller. You can't install Active Directory on a Windows Server 2003 server until you run the adprep commands.

Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/certenrl.asp?frame=true
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 3

Question: 83

You are the network administrator for Examsheets. The network consists of a single Active Directory forest. The forest contains Windows Server 2003 servers and Windows XP Professional computers. The forest consists of a forest root domain named Examsheets.net and two child domains named asia.Examsheets.net and europe.Examsheets.net. The asia.Examsheets.net domain contains a member server named Examsheets2. You configure Examsheets2 to be an enterprise certification authority (CA), and you configure a user certificate template. You enable the Publish certificate in Active Directory setting in the certificate template. You instruct users in both the asia.Examsheets.net and the europe.Examsheets.net domains to enroll for user certificates. You discover that the certificates for user accounts in the asia.Examsheets.net domain are being published to Active Directory, but the certificates for user accounts in the europe.Examsheets.net domain are not. You want certificates issued by Examsheets2 to europe.Examsheets.net domain user accounts to be published in Active Directory. What should you do?

A. Configure user certificate autoenrollment for all domain user accounts in the Examsheets.net domain.
B. Configure user certificate autoenrollment for all domain user accounts in the europe.Examsheets.net domain.
C. Add Examsheets2 to the Exam Publishers group in the Examsheets.net domain.
D. Add Examsheets2 to the Exam Publishers group in the europe.Examsheets.net domain.
Answer: D

Explanation:
The problem here is that Examsheets2 doesn't have the necessary permission to publish certificates for users in the europe.Examsheets.net domain. We can solve this problem by adding Examsheets2 to the Cert Publishers group in the europe.Examsheets.net domain.

Incorrect Answers:
A, B: The problem is not enrolment; it is that the certificates are not being published, which points to permissions.
C: It is the europe.Examsheets.net domain that has the problem, not the Examsheets.net domain.

Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;219059
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 3

Question: 84

You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named Examsheets5. You are planning a public key infrastructure (PKI) for the company. You want to deploy a certification authority (CA) on Examsheets5. You create a new global security group named Exam Administrators. You need to delegate the tasks to issue, approve, and revoke certificates to members of the Exam Administrators group. What should you do?

A. Add the e group in the domain.
B. Configure the Certificate Templates container in the Active Directory configuration naming context to assign the Exam Administrators group the Allow - Write permission.
C. Configure the Exam Srv virtual directory on Examsheets5 to assign the Exam Administrators group the Allow - Modify permission.
D. Assign the Certificate Managers role to the Exam Administrators group.

Answer: D

Explanation:
To be able to issue, approve and revoke certificates, the Exam Administrators group needs to be assigned the role of Certificate Manager. The Certificate Manager approves certificate enrollment and revocation requests. This is a CA role, and is sometimes referred to as CA Officer.

Incorrect Answers:
A, B, C: Only the Certificate Manager can perform the required tasks.

Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, pp. 11-4 to 11-8.
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 890

Question: 85

You are the network administrator for Examsheets. The network contains a Windows Server 2003 Web server that hosts the company intranet. The human resources department uses the server to publish information relating to vacations and public holidays. This information does not need to be secure. The finance department wants to publish payroll information on the server. The payroll information will be published in a virtual directory named Payroll, which was created under the default Web site on the server. The company's written security policy states that all payroll-related information must be encrypted on the network. You need to ensure that all payroll-related information is encrypted on the network. To preserve performance, you need to ensure that other information is not encrypted unnecessarily. You obtain and install a server certificate. What else should you do?

A. Select the Require secure channel (SSL) check box for the default Web site.
B. Assign the Secure Server (Require Security) IPSec policy option for the server.
C. Select the Encrypt contents to secure data check box for the Payroll folder.
D. Select the Require secure channel (SSL) check box for the Payroll virtual directory.

Answer: D

Explanation:
SSL is short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.

Incorrect Answers:
A: This will encrypt all data from the Web server. We only need to encrypt the payroll data.
B: This will encrypt all data from the Web server. We only need to encrypt the payroll data.
C: This will encrypt the data on the hard disk using EFS. It won't encrypt the data as it is transferred over the network.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 864

Question: 86

You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The Active Directory domain contains three organizational units (OUs): Payroll Users, Payroll Servers, and Finance Servers. The Windows XP Professional computers used by the users in the payroll department are in the Payroll Users OU. The Windows Server 2003 computers used by the payroll department are in the Payroll Servers OU. The Windows Server 2003 computers used by the finance department are in the Finance Servers OU. You are planning the baseline security configuration for the payroll department. The company's written security policy requires that all network communications with servers in the Payroll Servers OU must be secured by using IPSec. The written security policy states that IPSec must not be used on any other servers in the company. You need to ensure that the baseline security configuration for the payroll department complies with the written security policy. You also need to ensure that members of the Payroll Users OU can access resources in the Payroll Servers OU and in the Finance Servers OU. What should you do?

A. Create a Group Policy object (GPO) and assign the Secure Server (Require Security) IPSec policy setting. Link the GPO to only the Payroll Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.
B. Create a Group Policy object (GPO) and assign the Secure Server (Require Security) IPSec policy setting. Link the GPO to the Payroll Servers OU and to the Finance Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.
C. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy setting. Link the GPO to only the Payroll Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.
D. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy setting. Link the GPO to the Payroll Servers OU and to the Finance Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

Answer: A

Explanation:
Assigning the Secure Server (Require Security) IPSec policy to the payroll servers will ensure that they only communicate using IPSec. Assigning the Client (Respond Only) IPSec policy to the payroll clients will ensure that they are able to use IPSec when asked to do so by the payroll servers. All other network communications will not use IPSec.

The Client (Respond Only) policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.

The Secure Server (Require Security) policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.

Incorrect Answers:
B, D: The question states that IPSec must not be used on any other servers in the company.
C: This option configures the computer to use IPSec only when another computer requests IPSec. The computer using this policy never initiates an IPSec negotiation; it only responds to requests from other computers for secured communications.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 12.

Question: 87

You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net.
All computers on the network are members of the domain. The network contains a Windows Server 2003 computer named ExamsheetsCA. The company uses an enterprise certification authority (CA) on ExamsheetsCA to issue certificates. A certificate to encrypt files is autoenrolled to all users. The certificate is based on a custom Encryption File System (EFS) certificate template. The validity period if the certificate is set to two years. Currently, the network is configured to use data recovery agents. You are planning to implement key archival for the keys that users use to decrypt files. You configure the CA and the custom EFS certificate template to enable key archival of the encryption private keys. Page 94 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 You need to ensure that the private EFS key of each user who logs on to the domain is archived. What should you do? A. Configure a new issuance policy for the custom EFS certificate template. B. Configure the custom EFS certificate template to reenroll all certificate holders. C. Select the Automatically Enroll Certificates command in the Certificates console. D. Configure a logon script that runs the gpupdate.exe /force command for the users. Answer: B Explanation: The question states: “A certificate to encrypt files is autoenrolled to all users.” We have now modified the custom EFS certificate template to enable key archival of the encryption private keys. Therefore, we now need to reenroll all certificate holders so that they get new certificates based on the new template, and their keys are archived. EFS always attempts to enroll for the Basic EFS template. The EFS driver generates an autoenrollment request that Autoenrollment tries to fulfill. 
For customers that want to ensure that a specific template is used for EFS (such as to include key archival), the new template should supercede the Basic EFS template. This will ensure that Autoenrollment will not attempt enrollment for Basic EFS any more. Key Archival The private key database is the same as the database used to store the certificate requests. The Windows Server 2003 Certification Authority database has been extended to support storing the encrypted private key along with the associated encrypted symmetric key and issued certificate. The recovery blob will be stored in the same row as the signed certificate request and any other information the CA persists in its database for each request transaction. The actual encrypted blob is stored as an encrypted PKCS #7 blob. The Microsoft Certification Authority uses the JET database engine upon which various JET utilities may be used for maintenance purposes. Incorrect Answers: A: This would use up too much time. C: The question states: “A certificate to encrypt files is autoenrolled to all users.” D: This option reapplies all settings without optimization. Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2 003/maintain/operate/kyacws03.asp Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 868 Question: 88 You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. Each client computer runs either Windows XP Professional or Windows 2000 Professional. The company requires that all users log on by using smart cards. You deploy Certificate Services and smart card readers. 
You configure auto-enrollment to issue certificates to users. Users report that they cannot log on by using a smart card. You need to ensure that all users can log on by using a smart card. What should you do? Page 95 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 A. In Active Directory Users and Computers, configure all user accounts to require a smart card for interactive logon. B. Configure the domain security policy to require smart cards for interactive logon. C. Use the Certificate Services Web site to enroll each user for a smart card certificate. D. Add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer. Answer: C Explanation: Although the question says “you configure auto-enrollment to issue certificates to users”, it doesn’t say what types of certificates were auto-enrolled. You can use the Certificate Services Web site to enroll each user for a smart card certificate. The recommended method for enrolling users for smart card-based certificates and keys is through the Smart Card Enrollment station that is integrated with Certificate Services in Windows 2000 Server and Windows 2000 Advanced Server. Incorrect answers: A: This is not necessary. With this setting disabled, the users can log on using any method. B: This is not necessary. With this setting disabled, the users can log on using any method. D: In a single domain, the Certificate Authority would be trusted by the client computers in the domain. Therefore, it is not necessary to add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer. Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. 
Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 887 Question: 89 You are the network admin for Examsheets. All servers run Windows Server 2003. Every week, you run the mbsacli.exe /hf command to ensure that all servers have the latest critical updates installed. You run the mbsaclie.exe /hf command from a server named server1. When you scan a server named ExamsheetsB you receive the following error message stating Error 200, System not fount, Scanned failed. When you ping ExamsheetsB you receive a reply. You need to ensure that you can scan ExamsheetsB by using the mbsacli.exe /hf. What should you do? A. Copy the latest version of the Mssecure.xml to the program files\microsoft baseline security analyzer folder on server1 B. Ensure that the Server service is running on ExamsheetsB C. Install IIS common files on Server1 D. Install the lastest version of IE on server 5 Answer: B Explanation: From Microsoft: Error: 200 - System not found. Scan not performed. This error message indicates that mbsacli /hf did not locate the specified computer and did not scan it. To resolve this error, Page 96 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 verify that this computer is on the network and that the host name and IP address are correct. We know that the computer is on the network because we can successfully ping it. Therefore, the cause of the problem must be that the Server service isn’t running. Incorrect Answers: A: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with Server1. C: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with Server1. 
D: The version of IE that comes with Windows Server 2003 is sufficient, and therefore does not need to be upgraded.
Reference:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q303/2/15.asp&NoWebContent=1
Question: 90
You are the network administrator for ExamSheets. There is a single Active Directory domain named Examsheets.net. All computers on the network are members of the domain. All domain controllers run Windows Server 2003. You are planning a Public Key Infrastructure (PKI). The PKI design documents for ExamSheets specify that certificates that users request to encrypt files must have a validity period of two years. The validity period of the Basic EFS certificate is one year. In the Certificate Templates console, you attempt to change the validity period for the Basic EFS certificate template. However, the console does not allow you to change the value. You need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files. What should you do?
A. Install an enterprise CA in each domain.
B. Assign the Domain Admins group the Allow Full Control permission for the Basic EFS certificate template.
C. Create a duplicate of the Basic EFS certificate template. Enable the new template for issuing certification authorities.
D. Instruct users to connect to the CA Web Enrollment pages to request a Basic EFS certificate.
Answer: C
Explanation:
The question states that the validity period of the Basic EFS certificate is one year. This suggests that we are using a standalone CA (the default validity period for an enterprise CA is two years). We cannot change the validity period of the Basic EFS template. We can, however, make a copy of the Basic EFS template. This would enable us to make changes to the copy of the template.
Incorrect Answers:
A: The default validity period for an enterprise CA is two years.
This would satisfy the requirement that the certificates have a validity period of two years. However, it does not satisfy the requirement that “you need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files”. Therefore, answer C is a better solution.
B: This is not a permissions issue. We cannot change the values in the template because they are hardcoded into the templates.
D: We need to edit the template before the users receive the certificates.
Reference:
http://support.microsoft.com/?id=254632
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 872-875
Question: 91
You are the network administrator for Examsheets. The company consists of two subsidiaries named Contoso, Ltd. and City Power & Light. The network contains two Active Directory forests named contoso.com and cpandl.com. The functional level of each forest is Windows Server 2003. A two-way forest trust relationship exists between the forests. You need to achieve the following goals:
• Users in the contoso.com forest must be able to access all resources in the cpandl.com forest.
• Users in the cpandl.com forest must be able to access only resources on a server named HRApps.contoso.com.
You need to configure the forest trust relationship and the resources on HRApps.contoso.com to achieve the goals. Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)
A.
On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpandl.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.
D. On a domain controller in the cpandl.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to allow access to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access to the This Organization security group.
Answer: A, D, E
Explanation:
Authentication between Windows Server 2003 forests
When all domains in two forests trust each other and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.
Selective authentication between forests
Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions. If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest.
For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, users from ForestB would be able to access any resource in ForestA (assuming they have the required permissions). If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set the control access right Allowed to authenticate on an object for that particular user or group from the second forest. When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, the server to which he authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.
Question: 92
You are the network administrator for Examsheets. The network consists of a single Active Directory domain. The domain includes a Windows Server 2003 computer that runs Terminal Services. The terminal server has a computer account in an organizational unit (OU) named Terminal Servers. A Group Policy object (GPO) named TS Settings is linked to the Terminal Servers OU. This GPO is configured with settings that must apply when users are logged on to the terminal server. The company wants users to have their normal settings when connected to the terminal server, except settings that conflict with the settings in the TS Settings GPO.
You discover that when users are logged on to the terminal server, they receive only the settings from the TS Settings GPO, without any of their own settings. You use the Group Policy Management Console (GPMC) to examine the configuration of the TS Settings GPO. The relevant portion of the configuration is shown in the exhibit.
****MISSING****
You need to ensure that policy settings apply properly to users logging on to the terminal server. What should you do?
A. Enable the Block Policy inheritance setting for the Terminal Servers OU.
B. Disable the No Override setting for the TS Settings GPO.
C. Modify the TS Settings GPO to use loopback processing in Merge mode.
D. Disable the Only allow local profiles setting in the TS Settings GPO.
Answer: B
Explanation:
When Group Policy is not affecting users and computers in a site, domain, or OU, make sure that the intended policy is not being blocked. Make sure no policy set at a higher level of Active Directory has been set to No Override. If Block Policy Inheritance and No Override are both used, keep in mind that No Override takes precedence.
Incorrect Answers:
A: Enabling the Block Policy inheritance setting for the Terminal Servers OU will prevent GPOs higher in the hierarchy from being inherited by the Terminal Servers OU. Thus, only the TS Settings GPO will be applied.
C: Loopback is a new Group Policy setting that provides alternatives to the default method of obtaining the ordered list of GPOs whose user configuration settings affect a user. By default, a user’s settings come from a GPO list that depends on the user’s location in Active Directory. Loopback operates in replace mode or merge mode. In merge mode, user settings that do not conflict with computer settings are applied. If there is a conflict between the two, the computer settings override the user settings.
D: The Only allow local profiles setting is a new Group Policy option that permits a computer to ignore user settings in roaming profiles.
By default, when roaming profile users log on to a computer, their roaming profile is copied to the local computer. If they have previously logged on to this computer, the roaming profile is merged with the local profile. When the users log off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. If the Only allow local profiles setting is enabled, the user receives a local profile rather than the roaming profile.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16 to 10-17, 10-19 to 10-20.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/enus/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/enus/dmebc_dsm_jxfc.asp
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370, Chapter 2, p. 110.
Charlie Russel, Sharon Crawford, and Jason Gerend, Microsoft Windows Server 2003 Administrator's Companion, Chapter 10.
Question: 93
You are the network administrator for Examsheets. The network consists of a single Active Directory domain. All servers run Windows Server 2003. One of the domain controllers is configured as a subordinate enterprise certification authority (CA). Examsheets also has an offline root CA. All client computers run Windows XP Professional.
Examsheets does business with a distributor named Coho Vineyard. Users at Examsheets frequently access secured Web sites at Coho Vineyard. These sites are secured by using certificates issued by an enterprise CA at Coho Vineyard. Users at Examsheets report that they receive security alerts from the Web browser whenever they try to access secured Web sites at Coho Vineyard. Users can access the sites after they acknowledge the warnings, but many choose to cancel the operation in order to be sure that the network is secure. You need to configure the Examsheets network to prevent these security alerts from appearing when accessing the secured Web sites at Coho Vineyard. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Obtain a copy of the Coho Vineyard root certificate from Coho Vineyard.
B. Issue a certificate to the Coho Vineyard Web server from the Examsheets enterprise CA.
C. Import the certificate into the Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Place the Coho Vineyard secured Web sites in the list of trusted sites in the Internet Explorer Maintenance section of the Default Domain Policy Group Policy object (GPO).
Answer: A, C
Explanation:
Cross-Trust Hierarchies
For a PKI entity to use a certificate provided by a CA, the entity must trust that CA. This trust is established when the entity has a copy of the CA’s certificate located in its local certificate store. Using the public key contained in the certificate, the entity can verify the CA’s digital signature. How, then, does the certificate get from the CA to the entity’s local store? Unfortunately, there is not just one answer. Group policies under Active Directory, preloaded certificates in Windows Server 2003, and downloads from the Windows Update Web site are the most common ways.
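The following PowerShell script is an added example, not part of the study guide, that checks the two things the explanation above turns on: whether the partner root certificate distributed through Group Policy has actually arrived in a client's machine-wide Trusted Root store, and whether one of the partner's Web server certificates now chains to it (the same chain build the browser performs before deciding to show a warning). The thumbprint value and the .cer file path are placeholders to be replaced with the real Coho Vineyard root thumbprint and an exported copy of a Coho Vineyard site certificate.

```powershell
# Added example (not from the study guide): verify on an Examsheets client that the
# partner (Coho Vineyard) root CA delivered by the Default Domain Policy is trusted,
# and that a saved partner Web server certificate chains to it.
# Both values below are placeholders; substitute the real thumbprint and file path.
$partnerRootThumbprint = '0000000000000000000000000000000000000000'   # placeholder
$siteCertFile          = 'C:\temp\coho-web-server.cer'               # placeholder

# 1. Roots pushed by Group Policy land in Cert:\LocalMachine\Root on every domain member.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $partnerRootThumbprint }
if (-not $root) {
    Write-Warning 'Partner root CA is not in the machine Trusted Root store.'
    Write-Warning 'Refresh policy with "gpupdate /target:computer /force" and re-run.'
    return
}
# Show the validity window so an expired partner root is obvious at a glance.
$root | Select-Object Subject, NotBefore, NotAfter | Format-List

# 2. Build the chain for the site certificate against this machine's stores.
#    A browser security alert means this build fails; once the root is trusted it passes.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline test; check revocation separately
$siteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $siteCertFile
if ($chain.Build($siteCert)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
} else {
    # Each status entry explains one reason the chain did not build (untrusted root, expiry, ...).
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

Run it on a client after the GPO refresh interval has elapsed; a failing step 1 means the policy has not applied to that machine yet, while a failing step 2 with a trusted root usually points at the partner's own chain (a missing intermediate or an expired certificate), which no Examsheets-side change will fix.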
If your organization must exchange data with external parties, there needs to be a way to recognize and trust a third-party CA as if it were a part of your local chain of trust. To do this you can either use a certificate trust list (CTL), or you can create a cross-trust hierarchy, which enables an external CA to be viewed as a subordinate CA in your local trust chain.
Incorrect Answers:
B, D: Coho Vineyard must be part of ExamSheets’s organization for this to be possible.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370, Chapter 12, p. 883.
Question: 94
You are a network administrator for Examsheets. The network consists of a single Active Directory domain. All servers run Windows Server 2003. You configure a certification authority (CA) to issue smart card authentication certificates. Users who have administrative responsibilities are required to have two accounts. One account is for general computer use. The other account is an administrative account that has administrative privileges and is used only when performing administrative tasks. You decide to deploy smart cards to all users in your company. You issue one smart card to each user for general computer use. You enroll each user for a smart card authentication certificate. You need to plan smart card access for users who have administrative responsibilities. What should you do?
A. Issue an additional smart card to users who have administrative responsibilities. Enroll each user’s administrative account for a smart card authentication certificate.
Instruct users to use this card when logging on to perform administrative tasks.
B. Enroll each user’s administrative account for a smart card authentication certificate. When prompted, store the certificate on the existing smart card. Instruct users to use this card when logging on to perform all tasks.
C. Configure Group Policy to autoenroll administrative users for certificates. Instruct these users to log on by using their nonadministrative accounts.
D. Issue a master card to users who have administrative responsibilities. Instruct users to use this card when logging on to perform administrative tasks.
Answer: B
Explanation:
Smart card enrollment is the process by which a CA grants a certificate to the card. After enrollment, the user can insert the card at any workstation on the network, including Terminal Services clients and remote access clients, as long as a smart card reader is present.
Smart card logon
A smart card is a credit card-size device that contains memory and possibly an integrated circuit. Windows Server 2003 can use a smart card as an authentication device that verifies the identity of a user during logon. The smart card contains the user’s certificate and private key, enabling the user to log on to any workstation in the enterprise with full security.
Incorrect Answers:
A: It does not state that users with administrative responsibilities should have two smart cards.
C: The question states that “You need to plan smart card access for users who have administrative responsibilities”.
D: This is an invalid option.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370, Chapter 12, p. 898.
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington 98052-6399, Chapter 11.
Question: 95
You are the network administrator for Examsheets. The network consists of a single Active Directory forest that contains a single domain named examsheets.net. Organizational units (OUs) in the domain are configured as shown in the Domain Structure exhibit.
**MISSING**
All client computers run Windows XP Professional. All client computer accounts are located in the Examsheets Computers OU. Your user account is a member of the Domain Admins security group. All user accounts that are members of the Domain Admins security group are located in the Domain Admins OU. All service desk users have user accounts that are members of the SrvDeskGrp security group. All accounts that are members of this group are located in the Service Desk Staff OU. You use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO) named Install Admin Tools. You configure the GPO as follows:
• In the GPO, create a software installation package that assigns the Windows Server 2003 Administration Tools Pack (adminpak.msi) to users.
• Link the GPO to the IT Users OU.
• Remove the Authenticated Users built-in group from the list of users and groups that were delegated permissions for the GPO.
• Assign the SrvDeskGrp security group the Allow – Read permission for the GPO.
Service desk users report that the administrative tools needed for their job are not installed. You use the GPMC to examine the history of Group Policy application for one of the affected users. The relevant results are shown in the GPMC exhibit.
**MISSING**
You also discover that when you log on to a computer normally used by a service desk user, the administrative tools are automatically available for you. You need to ensure that administrative tools can also be installed by Group Policy for all users with accounts in the IT Users OU, without increasing the administrative privileges of any users. What should you do?
A. Link the Install Admin Tools GPO to the Service Desk Staff OU. Move the computer accounts for computers used by service desk users to the Service Desk Staff OU.
B. Change the security filtering on the Install Admin Tools GPO to grant the SrvDeskGrp security group the ability to apply the GPO.
C. Move the SrvDeskGrp security group to the Domain Admins OU.
D. Modify the GPO to assign the Administration Tools Pack to computers instead of to users.
Answer: B
Explanation:
You need to assign the Allow – Apply Group Policy permission, not just the Allow – Read permission, to the SrvDeskGrp group.
Incorrect Answers:
A: Linking the Install Admin Tools GPO to the Service Desk Staff OU on its own won’t help. The SrvDeskGrp would still only have Allow – Read permissions.
C: Making the SrvDeskGrp a member of the Domain Admins OU would give them too many permissions.
D: The GPO should apply to users, not computers, because we are controlling application based on user groups.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, 2004, pp. 1020, 10-40 to 10-41.
Question: 96
You are the network administrator for Examsheets. You are implementing a new Windows Server 2003 network environment. You install one Active Directory forest root domain named cpandl.com.
You install the first domain controller named DC1. You configure DC1 as a DHCP server and as an Active Directory-integrated DNS server with dynamic updates enabled. Later you install an additional domain controller named DC2. You cannot raise the functional level of the domain to Windows Server 2003. You discover that the service locator (SRV) resource records of DC1 are not created in the cpandl.com zone on the DNS server. You run the Dcdiag tool on DC1 and receive the output shown in the exhibit. You need to make it possible to raise the functional level of the domain to Windows Server 2003. What should you do?
A. Upgrade DC2 to a global catalog server.
B. Use the DHCP server locator utility to find out which DHCP servers are available in the cpandl.com zone.
C. Start the Net Logon service on DC1.
D. Restart the DNS Server service on DC1 to enable DNS clients to resolve host names by answering queries and update requests.
Answer: C
Explanation:
SRV records are required for clients to locate hosts that provide required services. The Net Logon service registers a set of default SRV resource records on the DNS server. However, the exhibit indicates that the Net Logon service is stopped on DC1. We should start this service.
Incorrect Answers:
A: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not affect the forest level.
B: DHCP is used to assign IP configurations to DHCP clients. However, the SRV records are missing. We will thus not be able to locate the DHCP server.
D: The DNS server does not have the SRV records. Restarting the DNS Server service will not generate these records. We should start the Net Logon service.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-48 to 2-52
Question: 97
You are the network administrator for Examsheets. The network consists of a single Active Directory domain. The network contains three Windows Server 2003 domain controllers named ServerEXAMS1, ServerEXAMS2 and ServerEXAMS3. ServerEXAMS1 holds the schema master role and the domain naming master role. ServerEXAMS2 holds the relative ID (RID) master role. ServerEXAMS3 holds the PDC emulator master role and the infrastructure master role. ServerEXAMS2 fails and cannot be restarted. You log on to ServerEXAMS3 as the administrator and seize the RID master role. Later, ServerEXAMS2 is repaired and can be brought back online. You want ServerEXAMS2 to hold the RID master role again. What should you do?
A. Restart ServerEXAMS2 while it is connected to the network. Use the Ntdsutil utility and seize the RID master role. Reconnect ServerEXAMS2 to the network.
B. Restart ServerEXAMS2 while it is disconnected from the network. Use Ntdsutil and seize the RID master role. Reconnect ServerEXAMS2 to the network.
C. Reinstall Windows Server 2003 on ServerEXAMS2. Restore the system state from the most recent backup to ServerEXAMS2. Reconnect ServerEXAMS2 to the network.
D. Reinstall Windows Server 2003 on ServerEXAMS2.
Promote ServerEXAMS2 to become a domain controller. Transfer the RID master role to ServerEXAMS2.
Answer: D
Explanation:
A domain controller whose RID master role has been seized can only be brought back online by reinstalling Windows Server 2003.
Incorrect Answers:
A: ServerEXAMS2 was the RID master before it failed. That role was seized to ServerEXAMS3. If we restart ServerEXAMS2, there will be two RID masters. Furthermore, we can only seize a role if the domain controller that holds that role fails.
B: We cannot seize the RID master role if ServerEXAMS2 is not connected to the network. Furthermore, we can only seize a role if the domain controller that holds that role fails.
C: ServerEXAMS2 was the RID master before it failed. That role was seized to ServerEXAMS3. However, if we bring ServerEXAMS2 back online, there will be two RID masters.
Reference:
Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Chapter 4.
Question: 98
You are a network administrator for Examsheets. The network consists of two Active Directory domains. All servers run Windows Server 2003. Examsheets has offices in New York and Rome. The two offices are connected by a 128-Kbps WAN connection. Each office is configured as a single domain. Each office is also configured as an Active Directory site. Examsheets stores printer location information in Active Directory. Users frequently perform searches of Active Directory to find information on printers by selecting the Entire Directory option. Users in the New York office report that response time is unacceptably slow when searching for printers. You need to improve the response time for users in the New York office. What should you do?
A. Place a domain controller for the Rome domain in the New York office.
B. Place a domain controller for the New York domain in the Rome office.
C.
Enable universal group membership caching in the New York office.
D. Configure a global catalog server in the New York office.
Answer: D
Explanation:
Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest. The GC helps in keeping a list of every object without holding all the details of those objects; this optimizes network traffic while still providing maximum accessibility.
Incorrect Answers:
A, B: These options require users to search via the WAN connection, which will not improve the response time.
C: Universal group membership caching allows a domain controller to cache universal group membership information, thus reducing the need for a global catalog server to be contacted during the user authentication process.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA 02370, Chapter 8, p. 540.
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Chapter 1
Question: 99
You are the network administrator for Examsheets. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003.
The forest contains several Active Directory sites that represent branch offices and a site named MainOffice that represents the central data center. A site named Branch1 contains one domain controller named Server1 that is not a global catalog server. The MainOffice site contains one domain controller named Server2 that is a global catalog server. You need to use universal group membership caching in the Branch1 site. Which component or components should you configure? To answer, select the appropriate component or components in the work area.
Answer: Select the “NTDS Site Settings” for the Branch1 office in the right-hand pane.
Explanation:
Universal group membership caching is enabled or disabled in the NTDS Settings Properties dialog box of the Active Directory Sites and Services console. This must be performed in the site where you want to enable universal group membership caching, i.e., in the Branch1 site.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-41 to 5-45, 5-48 to 5-50.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 31, 543, 547, 550-552.
Question: 100
You are a network administrator for Examsheets, which has five regional offices and 3,000 branch offices. Each branch office contains 10 users. Branch offices are connected to the nearest regional office by a 56-Kbps WAN connection.
The network consists of a single Active Directory forest that contains one domain for each regional office. All servers run Windows Server 2003. Each branch office contains one domain controller that is configured as an additional domain controller in the regional domain for the branch office. The site link between each branch office and the corresponding regional domain is configured to replicate every 30 minutes. Users in the branch office report that applications respond slowly when they access resources in the corresponding regional office. You monitor the WAN connection that connects several of the branch offices and discover that utilization increases from 30 percent to more than 90 percent on a regular basis. You need to improve the response time of applications when they access resources in the regional office. You need to ensure that users can log on without using cached credentials if the WAN connection fails. What should you do?
A. Remove Active Directory from the file and print server in each branch office. On the site link between each branch office and the corresponding regional office, increase the replication interval.
B. Enable universal group membership caching in each branch office. Configure the site link between each branch office and the corresponding regional office to be available only during off-peak hours.
C. Configure the domain controller in each branch office as a global catalog server.
D. On the site link between each branch office and the corresponding regional office, decrease the replication interval.
Answer: D
Explanation:
Response times for that application are slow because there is too much replication traffic. Decreasing the replication interval will reduce the amount of replication traffic by allowing smaller amounts of changes to be replicated at a time.
Incorrect Answers:
A: Increasing the replication interval will increase the amount of changes that must be replicated at a time. This might increase replication traffic.
B: We don’t want to use cached credentials.
C: The global catalog is the central repository of information about Active Directory objects in a tree or forest. The domain controller that holds a copy of the global catalog is called a global catalog server. The global catalog enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and enables finding directory information regardless of which domain in the forest actually contains the data. It does not control replication.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to 5-8.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 449-452, 458-459.

Question: 101
You are a network administrator for Examsheets. The network consists of a single Active Directory domain. All servers run Windows Server 2003. Examsheets’s written security policy requires that all administrative passwords be changed every 30 days. You configure the domain security policy to enforce the written security policy. A security audit reveals that the password used to log on to domain controllers in Directory Services Restore Mode is 10 months old.
You need to ensure that all passwords are changed in accordance with the written security policy. You must accomplish this task without causing disruption to user access. What should you do?
A. Restart each domain controller in Directory Services Restore Mode. Use Computer Management to reset the password for the Administrator account.
B. Use the Ntdsutil utility to reset the password on each domain controller for Directory Services Restore Mode.
C. Configure the Domain Controller Security Policy to enforce the written security policy.
D. Reset the Administrator password by using Active Directory Users and Computers.

Answer: B

Explanation: In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Services Restore Mode Administrator password.

Incorrect Answers:
A: Restarting the domain controllers will cause a disruption in user access.
C: The Domain Controller Security Policy is enforced when the domain controller is booted and can be refreshed at set intervals. However, the Directory Services Restore Mode Administrator password is a user account setting, not a computer account setting, and should be enforced when the user logs on.
D: The Directory Services Restore Mode Administrator password cannot be set in Active Directory Users and Computers.

References: MS Knowledge Base Article 322672: How to reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53.
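The reset that answer B describes, as an added example (this is not text from the study guide or from the cited Knowledge Base article): ntdsutil accepts its menu commands as quoted arguments on a single command line, so the DSRM password can be rotated from a batch file while the domain controller keeps running normally. The example assumes it is run on the domain controller itself by a member of Domain Admins; “server null” means the local computer, and a domain controller name may be given instead to reset another online domain controller remotely.

```bat
@echo off
rem Added example, not from the study guide: rotate the Directory Services
rem Restore Mode (DSRM) administrator password without a restart.
rem Run on the domain controller while it is booted normally (not in DSRM),
rem as a member of Domain Admins.
rem "server null" = this computer; put a DC name in its place to reset the
rem DSRM password of another (online) domain controller.
rem ntdsutil prompts twice for the new password and does not echo it.
ntdsutil "set dsrm password" "reset password on server null" quit quit
```

Because each domain controller keeps its own DSRM password, the command has to be run once per domain controller (locally, or remotely by naming the target); the domain password policy never touches this account, which is why the audit in the question found it 10 months old.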
Question: 102
Network Diagram
You notice that after the forest trust relationship is deleted, the membership lists for some of the domain local groups are no longer accurate. When you view a membership list, it contains entries without user-friendly names. A sample is shown in the Membership List exhibit.
**MISSING**
You need to delete all the unknown groups from the membership list for the domain local groups. You want to achieve this goal by using the minimum amount of administrative effort, and without modifying the access to resources for users in the examsheets.net forest. What should you do?
A. Create new domain local groups. Add the required global groups from the examsheets.net forest to the domain local groups. Grant appropriate permissions to the domain local groups. Delete the original domain local groups.
B. Re-create the trust relationship between the examsheets.net forest and the fabrikam.com forest. Delete all fabrikam.com global accounts from the domain local group membership lists. Delete the trust relationship between the two forests.
C. Verify all remaining trust relationships. Then delete the unknown accounts from the domain local groups.
D. Delete all the affected domain local groups. Re-create the groups. Add the appropriate global groups from the examsheets.net forest to the groups. Grant appropriate permissions to the domain local groups.

Answer: C

Explanation: A seek-and-destroy approach represents the least administrative effort. To keep administrative effort to a minimum while deleting all the unknown groups from the membership lists without modifying access to resources for the Examsheets.net forest users, you should verify all remaining trust relationships and then delete the unknown accounts from the domain local groups.
Incorrect Answers:
A: Creating new domain local groups and adding only the required Examsheets.net forest global groups to the domain local groups will not reveal where the unknown accounts are located. It could well be that amongst the required Examsheets.net forest global groups there are unknown accounts.
B: This option involves too much administrative effort to complete the task. It will also result in modifying access to resources for the Examsheets.net forest users.
D: How would you know which groups are affected without verifying the trust relationships first?

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 70.

Question: 103
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named examsheets.net. All domain controllers run Windows Server 2003. The user accounts for the processing department are located in an organizational unit (OU) named processing. You need to deploy an application to all users in the processing department. You create a Group Policy Object (GPO) and link it to the processing OU. You place the .msi file for the application in a shared folder on the network. You configure the User Configuration section of the GPO to deploy the application. You need to ensure that the application is immediately ready for use when a user logs on to a client computer. You also need to prevent any user from continuing to use the application if the user’s user account is moved to another OU. What should you do?

Answer: Select the following check boxes:
1. Assigned.
2. Uninstall this application when it falls out of the scope of management.
3. Install this application at logon.
4. Basic.

Explanation: We need to assign the application to the users and select the “Install this application at logon” option to ensure that the application is immediately ready for use when a user logs on to a client computer. To prevent any user from continuing to use the application if the user’s user account is moved to another OU, we need to select the “Uninstall this application when it falls out of the scope of management” option. The “Basic” option ensures that the application installs with minimal (or no) user intervention.

Reference: Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 24.

Question: 104
You are the network administrator for Examsheets.net. The network consists of a single Active Directory forest that contains one forest root domain named Examsheets.net and two child domains named europe.Examsheets.net and usa.Examsheets.net. The functional level of the forest is Windows 2000 native. The Examsheets.net domain contains a Windows 2000 Server domain controller named Examsheets3 that is running Service Pack 4 or later. You take Examsheets3 offline. You also remove all references to Examsheets3 from the Configuration container in Active Directory. Five days later, you upgrade all remaining domain controllers to Windows Server 2003. You then raise the functional level of the forest to Windows Server 2003. You need to integrate Examsheets3 into the new Active Directory infrastructure. You want Examsheets3 to be an additional domain controller of the europe.Examsheets.net domain. What should you do?
A. Upgrade Examsheets3 to Windows Server 2003. Add the computer account for Examsheets3 into the Computers container of the europe.Examsheets.net domain.
B. Demote Examsheets3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Upgrade Examsheets3 to a Windows Server 2003 member server. Run the dcpromo command to promote Examsheets3 to be an additional domain controller of the europe.Examsheets.net domain.
C. Demote Examsheets3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Add the computer account for Examsheets3 into the Domain Controllers organizational unit (OU) of the europe.Examsheets.net domain.
D. Upgrade Examsheets3 to Windows Server 2003. Add the computer account for Examsheets3 into the Domain Controllers organizational unit (OU) of the europe.Examsheets.net domain.

Answer: B

Explanation: Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows 2000 domain controller to the forest. We would need to upgrade the Windows 2000 domain controller to Windows Server 2003. However, we must first demote the Windows 2000 domain controller and then upgrade it to Windows Server 2003. Add it to the network and then promote it.

Incorrect Answers:
A, D: If we upgrade the Windows 2000 domain controller to Windows Server 2003 while it is disconnected from the network, the upgraded computer will assume that it is the first domain controller for the domain. It will then hold the RID, Global Catalog and Schema Master roles. This will cause a conflict when we eventually add the domain controller to the network.
C: Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows 2000 server to the forest.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-24 to 4-37.

Question: 105
You are a network administrator for Examsheets.net. The network consists of a single Active Directory forest that contains 30 domains. Examsheets has 400 offices. The network contains 150,000 user objects. All servers run Windows Server 2003. You are responsible for administering the marketing department, which has offices in North America and Europe, as shown in the work area. Offices in Toronto, Chicago, and New York are part of the america.Examsheets.net domain. Offices in Paris, Bonn, and Rome are part of the europe.Examsheets.net domain. The number of users in each office is shown in the following table.

Office      Number of users
Toronto     750
Chicago     20
New York    650
Paris       650
Bonn        10
Rome        15

Users in the Bonn, New York, and Toronto offices require access to a directory-enabled application that stores configuration information in the global catalog. You need to plan the placement of domain controllers for the network. You need to ensure that each user can log on without using cached credentials and that users have access to the application if a WAN connection fails. You need to achieve this goal while minimizing the increase in WAN traffic. What should you do? To answer, drag the appropriate domain controller configuration or configurations to the correct location or locations in the work area.

Answer:

Explanation: Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest.
The GC helps in keeping a list of every object without holding all the details of those objects; this optimizes network traffic while still providing maximum accessibility.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 540.

Question: 106
You are a network administrator for Examsheets.net. The network consists of two Active Directory domains with three sites. All servers run Windows Server 2003. Examsheets has offices in three cities, and each office is configured as a separate site. The network configuration is shown in the exhibit. The company has 1,750 users in the Paris office, 1,750 users in the Rome office, and 25 users in the Bonn office. Global catalog servers are configured in each site. Automatic site link bridging is disabled. A written company policy requires that no WAN connection exceed 70 percent peak utilization. You examine the WAN connection between the Rome and Paris offices and discover that the utilization reaches 95 percent during Active Directory replication. You need to reduce the WAN traffic associated with Active Directory replication on the connection between the Rome and Paris offices. You need to ensure that users in the Rome office can log on to the domain if a WAN connection fails. What should you do?
A. Decrease the replication interval on the site link connecting the Paris and Rome sites.
B. Remove the global catalog server from the Rome office.
C. Enable universal group membership caching in the Rome site.
D. Enable slow link detection in the Default Domain Policy Group Policy object (GPO) in the rome.Examsheets.net domain.
E. Configure a site link bridge between the site link that connects the Rome and Paris sites and the site link that connects the Paris and Bonn sites.

Answer: B

Explanation: The Global Catalog (GC) contains a full replica of all Active Directory objects in its host domain plus a partial replica of all directory objects in every domain in the forest. A GC contains information about all objects in all domains in the forest, so finding information in the directory does not require unnecessary queries across domains. A single query to the GC produces the information about where the object can be found. It provides information about objects that are located in other domains in the forest. Universal group membership caching allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. This ability allows a domain controller to process user logon requests without contacting a global catalog server when a global catalog server is unavailable. The cache is refreshed periodically as determined by the replication schedule.

Incorrect Answers:
A: Reducing the replication interval will reduce the amount of data that must be replicated at a time. However, this is not what will ensure that the Rome office can log on to the domain in case of a WAN connection failure.
D, E: Enabling slow link detection or configuring a site link bridge will not reduce the amount of data that must be replicated at a time.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-25 to 5-35, 5-59 to 5-68.

Question: 107
You are a network administrator for Examsheets. The network consists of a single Active Directory domain, ExamSheets.net. All servers run Windows Server 2003. All production servers are located in an organizational unit (OU) named Servers. You maintain a lab that contains test servers. All test servers are located in an OU named Test Servers. You are planning to deploy critical Windows updates to all servers in the Servers OU by using Software Update Services (SUS), which is hosted on two dedicated SUS servers named Examsheets1 and Examsheets2. Examsheets1 and Examsheets2 are located in an OU named SUS servers. You synchronize Examsheets1 to download from the Microsoft Windows Update servers. You approve the relevant updates for your servers on Examsheets1. You need to minimize the impact of applying the critical updates to the production servers. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Create a Group Policy Object (GPO) to configure computers to download and install critical updates from Examsheets1, and link it to the Test Servers OU. Create a second GPO to configure computers to download and install critical updates from Examsheets2, and link it to the Servers OU.
B. Configure Examsheets2 to automatically download approved and tested updates from Examsheets1.
C. Configure Examsheets2 to manually download approved and tested updates from Examsheets1.
D. Create a Group Policy Object (GPO) to configure computers to download and install critical updates from Examsheets1, and link it to the Servers OU. Create a second GPO to configure computers to download and install critical updates from Examsheets2, and link it to the Test Servers OU.

Answer: A, C

Explanation: SUS works by retrieving updates from Microsoft and storing them on a server that has the SUS tool installed. Clients can then be configured to connect to SUS and retrieve approved hotfixes and patches from the SUS server. Since the question states that Examsheets1 is synchronized to download from the Microsoft Windows Update servers and that you approve the relevant updates for your servers on Examsheets1, you should create a GPO to configure computers to download and install critical updates from Examsheets1 and link this GPO to the Test Servers OU, since all test servers are located in that OU. After that, you should create another GPO to configure computers to download approved critical updates from Examsheets2 (which will then have the approved, tested updates) and link this GPO to the Servers OU. To minimize the impact these critical updates may have, Examsheets2 should be configured to manually download approved and tested updates.

Incorrect Answers:
B: When automatically downloading approved and tested updates from Examsheets1, you run the risk of the computer having to be restarted to make the updates take effect. This is hardly minimizing the impact of applying critical updates to the production servers.
D: The updates must first be linked to the Test Servers OU so that they can be tested in the lab containing the test servers.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 830, 837-839.
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 13.

Question: 108
You are the network administrator for Examsheets. The network consists of a single Active Directory domain, ExamSheets.net. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional. Examsheets has legacy applications that run on UNIX servers. The legacy applications use the LDAP protocol to query Active Directory for employee information. The domain controllers are currently configured with the default security settings. You need to configure enhanced security for the domain controllers. In particular, you want to configure stronger password settings, audit settings, and lockout settings. You want to minimize interference with the proper functioning of the legacy applications. You decide to use the predefined security templates. You need to choose the appropriate predefined security template to apply to the domain controllers. What should you do?
A. Apply the Setup security.inf template to the domain controllers.
B. Apply the DC security.inf template to the domain controllers.
C. Apply the Securedc.inf template to the domain controllers.
D. Apply the Rootsec.inf template to the domain controllers.

Answer: C

Explanation: Securedc.inf: This template contains policy settings that increase the security on a domain controller to a level that remains compatible with most functions and applications.
The template includes more stringent account policies, enhanced auditing policies and security options, and increased restrictions for anonymous users and LanManager systems.

Incorrect Answers:
A: This template allows you to reapply the default security settings.
B: The DC security.inf template is available to undo security template policy settings.
D: Rootsec.inf contains only the default file system permissions for the system drive on a computer running Windows Server 2003. You can use this template to restore the default permissions to a system drive that you have changed, or to apply the system drive permissions to the computer’s other drives.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington 98052-6399, Chapter 10.
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 9.

Question: 109
You are the network administrator for Examsheets. All Web servers on the network run Windows Server 2003. The network also contains a Windows Server 2003 computer named Examsheets1. Software Update Services (SUS) is installed on Examsheets1. You are testing the security configuration of a Web server named Examsheets2. Examsheets2 is used on the Examsheets intranet. Examsheets’s written security policy prohibits the intranet servers from communicating with Internet resources. You run the Microsoft Baseline Security Analyzer (MBSA) on Examsheets2 and receive the results shown in the exhibit. You need to run MBSA successfully.
What should you do?
A. Temporarily enable Examsheets2 to access the Internet, and run MBSA again.
B. Run the mbsacli.exe command, and run MBSA again.
C. Run MBSA again. Configure MBSA to use the SUS server.
D. Ensure that Windows Update is correctly configured on Examsheets2, and run MBSA again.

Answer: A

Explanation: The exhibit shows that many of the scans could not be run. This is due to the required resources not being available to Examsheets2, which is used on the intranet. For MBSA to run successfully, it needs to access the Internet. Thus you should connect Examsheets2 to the Internet only temporarily, while the scan is running, so that you do not violate the written security policy of the company.

Incorrect Answers:
B: Running mbsacli.exe is the same as running MBSA, but from a command prompt. This will not ensure that the scans are successful.
C: Running MBSA using the SUS server means that Examsheets2 would have to access the Internet on a permanent basis, and this is again against the company security policy.
D: It is not a matter of ensuring that Windows Update is correctly configured. Connecting Examsheets2 to the Internet temporarily will allow the scans to be run successfully without violating the company security policy.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 833.

Question: 110
You are the network administrator for Examsheets. The network consists of a single Active Directory domain, ExamSheets.net. All servers run Windows Server 2003.
You support 100 mobile users who have portable computers that run Windows NT Workstation 4.0, Windows 98, Windows 2000 Professional, Windows XP Professional, or Windows Me. Examsheets’s written security policy requires that any remote access solution must provide both data integrity and data origin authentication. Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)
A. Install certificates on all VPN client computers.
B. Install a certificate on the VPN server computer.
C. Implement L2TP-based connections on the Windows 2000 Professional computers and the Windows XP Professional computers. Implement PPTP-based connections on all other portable computers.
D. Install the L2TP/IPsec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement L2TP-based connections on all portable computers.
E. Install the L2TP/IPsec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement PPTP-based connections on all portable computers.

Answer: A, B, D

Explanation: The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.
IPSec is not supported natively on the legacy clients; for VPN connections it is supported only through the Microsoft L2TP/IPSec VPN Client (http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp). Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98, Windows Millennium Edition (Me), or Windows NT® Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec). The supported configurations are:
• Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up Networking version 1.4 upgrade.
• Windows Me with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later).
• Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later).

Incorrect Answers:
C: This option might exclude some portable computer users.
E: The option seems to be in order; however, making use of PPTP-based connections will not accommodate all the portable computer users.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p. 307.
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

Question: 111
You are the network administrator for Examsheets. The network consists of a single Active Directory domain, ExamSheets.net. All servers run Windows Server 2003. All servers are manually configured with static IP addresses. All client computers run Windows XP Professional. All client computers receive their TCP/IP configuration information from a DHCP server. The Examsheets network consists of two subnets: 172.30.22.0/24 and 172.30.23.0/24. The research department uses the 172.30.23.0/24 subnet exclusively.
All computers that belong to the other departments are located on the 172.30.22.0/24 subnet. You deploy a server named Examsheets1 to the research department. Examsheets1 was formerly used in a test lab environment. You change the TCP/IP configuration of Examsheets1 to allow it to communicate on the company network. Later, users from other departments report that when they attempt to connect to Examsheets1, the connection times out. You run the route print command on Examsheets1 and view the output shown in the exhibit. You need to ensure that users can connect to Examsheets1. Which command should you run on Examsheets1?
A. route delete 172.30.22.0 mask 255.255.255.0 192.168.17.100
B. route delete 172.30.23.0 mask 255.255.255.0 172.30.23.19
C. route change 172.30.22.0 mask 255.255.255.0 192.168.17.100 2 IF 1
D. route change 172.30.23.0 mask 255.255.255.0 172.30.23.19 E IF 1

Answer: A

Explanation: When a particular route or table entry is applied to a packet, the gateway value determines the next address or hop for which that packet is destined. In this case the gateway address is not part of the same network.

Incorrect Answers:
B: According to the exhibit, it is a valid address.
C, D: Addresses are a numerical sequence, with no letters.

Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2003, Part 1, Chapter 15, p. 9:27.

Question: 112
You are a network administrator for Examsheets. The network consists of a single Active Directory domain, ExamSheets.net. All servers run Windows Server 2003. Examsheets has a main office and a branch office.
Both offices are connected to the Internet by Network Address Translation (NAT) firewalls and T1 connections to the company's ISP. Each firewall is configured with a perimeter network. Examsheets uses a public key infrastructure (PKI) for both internal and external authentication. Examsheets needs to connect the main office to the branch office by using the existing Internet connections. Examsheets' written security policy includes the following requirements:
• All Internet communications must use the PKI for all authentication and data encryption.
• All servers that are required to communicate to or by means of the Internet must be located in a firewall perimeter network.
You need to connect the main office to the branch office. You need to comply with the written security policy. You install Routing and Remote Access servers in the perimeter network at each office. What else should you do?
A. Configure persistent, two-way initiated PPTP connections with EAP-TLS user authentication.
B. Configure persistent, two-way initiated PPTP connections with MS-CHAP v2 user authentication.
C. Configure persistent, two-way initiated L2TP/IPSec connections with MS-CHAP v2 user authentication.
D. Configure persistent, two-way initiated L2TP/IPSec connections with EAP-TLS user and computer authentication.
Answer: D
Explanation: Layer 2 Tunneling Protocol (L2TP) is a protocol used to establish virtual private network connections across the Internet; on its own it provides tunneling, not encryption, which is why it is paired with IPSec. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is required to authenticate remote access users with smart cards or other certificate-based credentials.
Networks that use EAP-TLS typically have a public key infrastructure (PKI) in place and use certificates for authentication that are stored on the computer or on smart cards. A virtual private network (VPN) is a technique for connecting to a network at a remote location using the Internet as the network medium. A user can dial in to a local Internet service provider (ISP) and connect through the Internet to a private network at a distant location, using a protocol such as the Point-to-Point Tunneling Protocol (PPTP) to protect the private traffic. For L2TP/IPSec connections, L2TP provides the VPN tunnel and the Encapsulating Security Payload (ESP) protocol, itself part of IPSec, provides data encryption and integrity. Option D is the only one in which both the user authentication (EAP-TLS with user certificates) and the data protection (IPSec, with computer certificates authenticating the IKE negotiation) are based on the PKI, as the written policy demands.
Incorrect Answers:
A, B: PPTP does not use IPSec. Although PPTP-based VPN connections do provide data confidentiality (captured packets cannot be interpreted without the encryption key), they do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
C: MS-CHAP v2 is supported by Windows Server 2003, but it is a password-based protocol and does not use the PKI for user authentication, so it does not satisfy the policy.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington 98052-6399, Chapter 5. J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, pp. 10-56 to 10-59.
Question: 113
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The audit department has servers that contain highly confidential files. The files are accessed over the LAN by the audit department client computers. The audit department client computers have slow processors.
The network design requires that the network transmissions between the audit department servers and client computers be confidential and that any changes to the data in transit must be detectable. You create a custom IPSec filter action. You need to select the security method settings. You need to ensure that you minimize the performance impact on the audit department client computers. What should you do?
A. Select MD5 as the integrity algorithm and DES as the encryption algorithm.
B. Select SHA1 as the integrity algorithm and DES as the encryption algorithm.
C. Select SHA1 as the integrity algorithm and 3DES as the encryption algorithm.
D. Select MD5 as the integrity algorithm and 3DES as the encryption algorithm.
Answer: A
Explanation: Any ESP security method meets both stated requirements: the encryption algorithm provides confidentiality, and the integrity algorithm, applied as a keyed HMAC (HMAC-MD5-96 or HMAC-SHA-1-96 in IPSec), makes any modification in transit detectable. The question therefore turns on processor cost. MD5 is an industry-standard one-way, 128-bit hashing scheme developed by RSA Data Security, Inc.; a hashing scheme transforms data so that the result cannot be changed back to its original form, and MD5 is also the hash used by the Challenge Handshake Authentication Protocol (CHAP) to prove knowledge of a password without sending it. MD5 uses fewer rounds and produces a shorter digest than the 160-bit SHA1, so it is the cheaper integrity choice. DES (Data Encryption Standard) is a 56-bit block cipher; 3DES runs DES three times per block and costs roughly three times as much. MD5 with DES is therefore the lightest load on the slow client processors. Note that this is the exam's answer under its performance criterion alone: MD5 is collision-broken and 56-bit DES can be brute-forced, so neither should be selected today where stronger algorithms are available.
Incorrect Answers:
B, C, D: These options would require more processor time.
Reference: J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington 98052-6399, Glossary.
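The integrity check this question asks you to pick an algorithm for, shown as an added example that is not part of the exam material: IPSec AH and ESP do not use a bare hash but an HMAC over the protected data, keeping the first 96 bits of the tag as the Integrity Check Value (HMAC-MD5-96, RFC 2403, and HMAC-SHA-1-96, RFC 2404). The Python below computes and verifies such an ICV, shows that a single flipped bit in a captured packet is detected with either algorithm, and times the two so the cost difference behind the answer can be observed. The key, payload and packet layout (payload followed by ICV, no ESP header or padding) are constructed for illustration.

```python
"""
Added example (not exam material): what the IPSec "integrity algorithm" does.

IPSec AH/ESP compute an HMAC over the packet and keep the first 96 bits of
the tag as the Integrity Check Value (ICV): HMAC-MD5-96 (RFC 2403) and
HMAC-SHA-1-96 (RFC 2404). Either detects any modification in transit; they
differ only in per-byte CPU cost. Key and payload below are constructed data.
"""
import hashlib
import hmac
import time

ICV_LEN = 12  # 96 bits, as in HMAC-MD5-96 / HMAC-SHA-1-96

# The two integrity algorithms offered by a Windows Server 2003 filter action.
ALGORITHMS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def compute_icv(key: bytes, payload: bytes, algorithm: str) -> bytes:
    """Truncated HMAC tag that the sender appends to the protected data."""
    return hmac.new(key, payload, ALGORITHMS[algorithm]).digest()[:ICV_LEN]


def verify_icv(key: bytes, payload: bytes, icv: bytes, algorithm: str) -> bool:
    """Receiver side: recompute and compare in constant time.
    False means the payload or the ICV was altered in transit."""
    return hmac.compare_digest(compute_icv(key, payload, algorithm), icv)


def protect(key: bytes, payload: bytes, algorithm: str) -> bytes:
    """Sender: payload || ICV (simplified ESP trailer layout)."""
    return payload + compute_icv(key, payload, algorithm)


def check(key: bytes, protected: bytes, algorithm: str) -> bool:
    """Receiver: split off the 12-byte ICV and verify it."""
    if len(protected) <= ICV_LEN:
        return False
    payload, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    return verify_icv(key, payload, icv, algorithm)


def tamper(protected: bytes, offset: int) -> bytes:
    """Flip one bit of a captured packet, as an on-path attacker might."""
    buf = bytearray(protected)
    buf[offset] ^= 0x01
    return bytes(buf)


def relative_cost(algorithm: str, size: int = 1 << 20, rounds: int = 20) -> float:
    """Seconds spent computing the ICV over `rounds` buffers of `size` bytes.
    Illustrates the 'minimize processor impact' criterion; the result is
    hardware dependent and is only printed, never asserted."""
    key, buf = b"k" * 16, b"\x00" * size
    start = time.perf_counter()
    for _ in range(rounds):
        compute_icv(key, buf, algorithm)
    return time.perf_counter() - start


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed SA key
    record = b"audit-dept confidential: Q3 findings"          # constructed payload
    for alg in ALGORITHMS:
        pkt = protect(key, record, alg)
        print(alg, "intact:", check(key, pkt, alg),
              "tampered:", check(key, tamper(pkt, 6), alg))
    print({alg: round(relative_cost(alg), 3) for alg in ALGORITHMS})
```

With both algorithms the intact packet verifies and the tampered one fails; the timing line typically shows HMAC-MD5 running faster than HMAC-SHA1, which is the whole basis of the exam's choice. Detection strength is not the differentiator here: both HMACs reject a one-bit change, and neither HMAC construction is broken by the collision attacks on bare MD5.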
Question: 114
You are the network administrator for Examsheets. The network contains Windows 98, Windows NT Workstation 4.0, and Windows XP Professional client computers. All computers run the latest service pack. The network contains a Windows Server 2003 file server named Examsheets1. Examsheets' written security policy requires that data communications must be encrypted by using IPSec whenever possible. Other than the default GPOs, there are no additional Group Policy objects (GPOs) within Active Directory or any local GPOs applied to the computers in the domain. You need to configure Examsheets1 so that it meets the written security policy requirements without disabling access for any client computer. You also want to minimize session key negotiation times. What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer: Select the "Allow unsecured communication with non-IPSec aware computers" checkbox.
Explanation: The Windows 98 and Windows NT Workstation 4.0 clients cannot negotiate IPSec for ordinary LAN traffic, so a filter action that requires security would lock them out. The Allow Unsecured Communication With Non-IPSec-Aware Computers checkbox configures the action to allow any computer, IPSec-capable or not, to communicate: IPSec-aware clients such as Windows XP Professional still negotiate protected sessions, while a machine that cannot handle IPSec gets a normal, unprotected connection. By default this box is not checked. If you check it, you must be certain that your IPSec policies are set up properly; if they are not, computers that you think are using IPSec may connect without security, and an attacker who can block the IKE negotiation can force the same fallback to clear text.
Reference: James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, SYBEX Inc., Chapter 4, p. 195.
Question: 115
You are the system engineer for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All servers run Windows Server 2003.
All client computers run Windows XP Professional. The servers on the network are all located in a central data center building, which is located on the company campus. All servers have the Recovery Console installed and support firmware-based console redirection by means of installed service processors. All servers are located in a physically secured room. IT department personnel can access this room for the purpose of installing or maintaining hardware. All IT department personnel are members of the Domain Admins security group. Examsheets adopts a new remote administration policy, which includes the following requirements:
• All in-bound management of servers on the network must be performed remotely.
• All remote administration connections made to any server must be authenticated by using the Kerberos version 5 protocol and must be logged in the Security event log.
• All remote administration connections must be encrypted.
• The new remote administration configuration must not adversely affect normal network connectivity for users or cause any disruption in network services.
The new remote administration policy applies to all servers, including domain controllers, file and print servers, and application servers. You need to plan a remote administration strategy for all servers on the network that complies with the new policy. What should you do?
A. On each server, enable Emergency Management Services.
B. On each server, enable Remote Desktop connections.
C. On each server, enable the Telnet service with the Automatic startup parameter. Enable the Secure Server (Require Security) IPSec policy in the Default Domain Policy Group Policy object (GPO).
D. Install IIS on each server.
Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service. On each server, configure IP packet filters to accept only SSL connections.
Answer: B
Explanation: Remote Desktop for Administration is built into Windows Server 2003 and meets every requirement without touching normal traffic. A Remote Desktop session to a domain member is an interactive logon, so it is authenticated with Kerberos version 5 and recorded in the Security event log; the RDP session itself is encrypted (up to 128-bit); and enabling it does not change how users reach file, print, application or directory services. Remote Desktop Connection is the client-side software used to connect to a server in either Remote Desktop or Terminal Server mode. The latest version provides an efficient, secure and stable environment through improvements such as a revised user interface, 128-bit encryption and alternate port selection.
Incorrect Options:
A: Emergency Management Services (EMS) provides a means for managing a server through the service processor even when network connectivity has failed; it is an out-of-band channel, not a Kerberos-authenticated, logged, encrypted in-band connection.
C: Applying Secure Server (Require Security) in the Default Domain Policy forces IPSec on all traffic from every domain computer and disrupts connectivity with anything that cannot negotiate IPSec; Telnet itself authenticates with NTLM or plaintext rather than Kerberos.
D: The Remote Administration (HTML) site authenticates through IIS over SSL rather than with Kerberos, and restricting each server to SSL-only packet filters would cut off normal network services.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 803
Question: 116
You are the systems engineer for Examsheets. The network consists of three physical networks connected by hardware-based routers. The network consists of a single Active Directory domain ExamSheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each physical network contains at least one domain controller and at least one DNS server. One physical network contains a Microsoft Internet Security and Acceleration (ISA) Server array that provides Internet access for the entire company. The network also contains a certificate server. Examsheets management wants to ensure that all data is encrypted on the network and that all computers transmitting data on the network are authenticated.
You decide to implement IPSec on all computers on the network. You edit the Default Domain Policy Group Policy object (GPO) to apply the Secure Server (Require Security) IPSec policy. Users immediately report that they cannot access resources located in remote networks. You investigate and discover that all packets are being dropped by the routers. You also discover that Active Directory replication is not functioning between domain controllers in different networks. You need to revise your design and implementation to allow computers to communicate across the entire network. You also need to ensure that the authentication keys are stored encrypted. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Configure the routers to use IPSec and a preshared key for authentication.
B. Configure the routers to use IPSec and a certificate for authentication.
C. Configure the routers to use IPSec and Kerberos for authentication.
D. Reconfigure the GPOs to require a preshared key for IPSec authentication.
E. Reconfigure the GPOs to require a certificate for IPSec authentication.
Answer: B, E
Explanation: IPSec encrypts data across the network, but both IKE peers must support the same authentication method. The domain computers can authenticate with Kerberos; the hardware routers are not domain members and cannot. Certificates are the one method that both the Windows computers and the routers can use, and the network already contains a certificate server to issue them. Certificates are digital documents that are commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA), and they can be issued for a user, a computer, or a service. Group policies are used in Active Directory to configure auto-enrollment.
In Computer Configuration | Windows Settings | Security Settings | Public Key Policies, there is a group policy entitled Automatic Certificate Request Settings. Its property sheet lets you choose whether to enroll certificates automatically. You will also need to ensure that the Enroll subject without requiring any user input option is selected on the Request Handling tab of the certificate template property sheet.
Incorrect Answers:
A, D: Preshared keys are stored in plaintext in the IPSec policy (in Active Directory or the local registry), which violates the requirement that authentication keys be stored encrypted; certificate private keys are protected by the computer's key store.
C: Kerberos authentication relies on a key distribution center (KDC), a domain controller, to issue tickets; the hardware routers are not domain members and cannot obtain them.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, p. 763.
Question: 117
You are a network administrator for ExamSheets.net. The network consists of two Active Directory domains. You are responsible for administering one domain, which contains users who work in the sales department. User objects for the users in the sales department are stored in an organizational unit (OU) named ExamsheetsStaff in your domain. Users in the sales department use a public key infrastructure (PKI) enabled application that requires users to present client authentication certificates before they are granted access. You install Certificate Services on two member servers running Windows Server 2003. You configure one server as an enterprise subordinate certification authority (CA) and the other server as a stand-alone root CA. You need to issue certificates that support client authentication to sales users only. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll users for certificates.
B. Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll computers for certificates.
C. Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to autoenroll sales users for certificates.
D. Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to autoenroll sales client computers for certificates.
Answer: C
Explanation: The first step is to duplicate an existing template, because the built-in templates cannot be modified directly. For a user to request a certificate, the user must have the Enroll permission for manual requests and the Autoenroll permission for automatic requests. Autoenrollment enables the request and issuance of certificates to proceed without user intervention. Creating a new GPO and linking it to the OU that holds the sales user objects confines autoenrollment to the sales users while requiring the minimum amount of administrative effort.
Incorrect Answers:
A, B: The Default Domain Policy GPO is linked to the domain and applies to every user and computer in it, so these options would autoenroll users (or computers) outside the sales department.
D: Certificates need to be issued to sales users, not sales computers; the application requires client authentication certificates presented by the users themselves.
Reference: Martin Grasdal, Laura E. Hunter, and Michael Cross, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Chapter 12
Question: 118
You are the security analyst for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The perimeter network contains an application server, which is accessible to external users. You view the logs on your intrusion-detection system (IDS) and on the router and discover that very large numbers of TCP SYN packets are being sent to the application server. The application server is responding with SYN-ACK packets to several different IP addresses, but it is not receiving ACK responses. You note that all incoming SYN packets appear to be originating from IP addresses located within the perimeter network's subnet address range. No computers in your perimeter network are configured with these IP addresses. The router logs show that these packets are originating from locations on the Internet. You need to prevent this type of attack from occurring until a patch is made available from the application vendor. Because of budget constraints, you cannot add any new hardware or software to the network. Your solution cannot adversely affect legitimate traffic to the application server. What should you do?
A. Relocate the application server to the company intranet. Configure the firewall to allow inbound and outbound traffic on the ports and protocols used by the application.
B. Configure network ingress filters on the router to drop packets that have local addresses but that appear to originate from outside the company network.
C. Create access control lists (ACLs) and packet filters on the router to allow perimeter network access to only authorized users and to drop all other packets originating from the Internet.
D. Configure the IDS on the perimeter network with a response rule that sends a remote shutdown command to the application server in the event of a similar denial-of-service attack.
Answer: B
Explanation: This is a SYN flood with spoofed source addresses: half-open connections pile up while the server waits for ACKs that never arrive, and the attacker has chosen sources inside the perimeter range so the SYN-ACKs go nowhere useful. Ingress filtering (RFC 2827 / BCP 38) on the existing router drops any packet arriving on the Internet-facing interface whose source address belongs to the perimeter network, since no legitimate packet with a local source can come from outside. It needs no new hardware or software, and legitimate Internet clients, whose source addresses are not in the perimeter range, are unaffected. In an ideal world, each router would also be configured with ingress filters that drop packets arriving from "internal" networks whose source address is not a member of the set of network addresses that the router serves, so that it cannot be used to launch the same attack on others. Most routers can be so configured; backbone routers and edge routers for complex topologies probably cannot. These filters should be required as part of a "good neighbor policy." Ingress filters do not totally eliminate denial-of-service attacks but greatly reduce them: an attacker could still spoof an address within a local subnet, but that permits backtracking the packets to the source subnet.
Incorrect Answers:
A: No firewall is mentioned in the question, and moving the server does not stop the flood; it only places an externally reachable, unpatched server on the intranet.
C: The server must remain accessible to external users, who cannot be enumerated as "authorized" in a router ACL, and this option involves extra administration.
D: The question clearly states that "Your solution cannot adversely affect legitimate traffic to the application server"; shutting the server down in response to a flood completes the attacker's denial of service.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W.
Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 783; http://securityresponse.symantec.com/avcenter/security/content/9011.html
Question: 119
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The domain contains three Windows Server 2003 computers: Examsheets1, Examsheets2, and Examsheets3. You intend to use the three servers as certification authorities (CAs) for the following roles:
Server name: Examsheets1; Role: root CA
Server name: Examsheets2; Role: subordinate CA
Server name: Examsheets3; Role: subordinate CA
Examsheets2 will be used exclusively to issue enrollment agent certificates. Examsheets3 will be used to issue all other certificate types needed in the domain. You plan to take Examsheets1 offline after the CA hierarchy is established. You want to minimize the possibility that unauthorized certificates might get issued. You also want to be able to revoke certificates that are issued by a subordinate CA if that server is compromised, without affecting the certificates that are issued by the other subordinate CA. You need to design a CA hierarchy that meets the requirements. What should you do? To answer, drag the appropriate CAs to the correct locations in the work area.
Answer: Place Examsheets1 at the top of the hierarchy as the root CA, with Examsheets2 and Examsheets3 each directly beneath it as subordinate CAs.
Explanation: Each subordinate receives its own CA certificate from the root, so if one subordinate is compromised its certificate can be revoked on the root's CRL, invalidating everything it issued, without touching the other subordinate's certificates; the sensitive enrollment agent certificates are also isolated on a CA of their own. If you shift the responsibility of issuing certificates to subordinate CAs, you can take the root CA offline, meaning that you detach it from the network entirely. This provides a very high level of security, because attackers have no way of reaching the machine.
When a subordinate CA requires a certificate from the root, you can either briefly connect the root CA to the network and then remove it again, or transfer the request and the issued certificate on removable media such as a floppy disk. The latter is the safer practice: reconnecting an offline root, even briefly, exposes it to exactly the network attacks the design is meant to avoid.
References: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 881.
Question: 120
You are the security analyst for Examsheets. Examsheets' written security policy does not allow direct dial-in connections to the network. During a routine security audit, you discover a Windows Server 2003 server named Examsheets1 that has a modem installed and is connected to an outside analog phone line. You investigate and discover that Examsheets1 is also running Routing and Remote Access and is used by the sales department. The modem supports the caller ID service. This remote access connection is used by an application at a partner company to upload product and inventory information to Examsheets1. Each day at midnight, the partner application connects to Examsheets1 and uploads the information. The connection never lasts longer than 30 minutes. The application is currently using the sales manager's domain user account to make the connection. The partner application does not support incoming connections. The partner company has no plans to update this application to support your written security policy, and the sales department requires this updated product and inventory information to be available each morning.
Examsheets management directs you to design a solution that provides the highest level of security for this connection until a more secure solution can be developed by the two companies. You need to design and implement a solution that will ensure that only the partner's application can connect to your network over the dial-up connection. Your solution must prevent the connection from being used by unauthorized users, and it must allow only the minimum amount of access to the network. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Create an account named PartnerDialup in the domain, and add this account to the Domain Guests group. Grant this user account permissions for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.
B. Create a local account named PartnerDialup on Examsheets1, and add this account to the local Users group. Grant this user account permission for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.
C. Configure a remote access policy on Examsheets1 that allows the connection for only the specified user account between midnight and 1:00 A.M. Configure the policy to require callback authentication to the partner company's server.
D. Configure a remote access policy on Examsheets1 that allows the connection for only the specified user account between midnight and 1:00 A.M. Configure the policy to allow only the specific calling station identifier of the partner company's computer.
Answer: B, D
Explanation: A local user account exists only in the local security database (SAM) of Examsheets1; it is not a domain account and therefore carries no rights on other computers or in Active Directory. Combined with permissions on the upload folder alone, it gives the partner application the minimum access it needs and replaces the sales manager's domain credentials, which should never have been used for an unattended connection.
The remote access policy in option D restricts the connection to that one account, to the window in which the 30-minute upload takes place (midnight to 1:00 A.M.), and to the partner computer's calling station identifier, the phone number that the modem's caller ID service reports; a call from any other number is refused. Options B and D together therefore prevent the connection from being used by unauthorized users while allowing the minimum amount of access to the network. Caller ID can be spoofed by a determined attacker, which is why the policy also depends on the account, the time window and the folder permissions rather than on the number alone.
Incorrect answers:
A: A domain account, even one in Domain Guests, is visible and usable throughout the domain, so it allows more than the minimum amount of access to the network.
C: Callback requires the partner's system to accept an incoming call, and the partner application does not support incoming connections, so the nightly upload would fail.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9:6
Question: 121
You are a network administrator for ExamSheets.net. Examsheets participates in a joint venture with Alpine Ski House. Each company's network consists of a single Active Directory forest. The functional level of each forest is Windows Server 2003. Two-way forest trust relationships exist between both companies. Each company maintains its own certification authority (CA). Users are required to encrypt and digitally sign all e-mail messages relating to the joint venture that are sent between the companies. Users in the ExamSheets.net domain report that when they open e-mail messages sent by users in the alpineskihouse.com domain, they receive a security warning. The warning indicates an error in the certificate used to sign the e-mail message.
You examine several e-mail messages and discover the error shown in the exhibit. You need to ensure that users in the ExamSheets.net domain receive e-mail messages without receiving any error messages. You need to accomplish this task by using the minimum amount of administrative effort. What should you do?
A. Add the computer account for the enterprise root CA in the alpineskihouse.com domain to the Exam Publisher domain local group in the ExamSheets.net domain.
B. In the alpineskihouse.com domain, delegate the Allow - Read userCertificate permission for contact objects to the Domain Users global group in the ExamSheets.net domain.
C. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the ExamSheets.net domain, import the enterprise root certificate from the alpineskihouse.com domain.
D. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the ExamSheets.net domain, run the certutil command to publish the root certificate to Active Directory.
Answer: C
Explanation: The warning appears because the Examsheets users' computers do not trust the CA that issued the Alpine Ski House signing certificates: the certificate chain ends at a root that is not in their trusted root store. An enterprise CA is tied into Active Directory (AD) and requires it; a copy of its own CA certificate is stored in Active Directory. Users can import certificates into any of the certificate categories in the certificate store. In the Certificates snap-in, right-click the certificate category into which you want to import the certificate, point to All Tasks, and choose Import. Type the certificate file name, which should have a standard certificate format extension (.PFX, .P12, .CER, .CRT, .P7B, .STL, .SPC, .CRL, or .SST). For PKCS #12 files, which contain private keys as well as certificates, type the password used to protect the file. A root CA certificate is exchanged without its private key (.CER or .P7B) and must be imported into the Trusted Root Certification Authorities store to establish trust.
Exporting Certificates and Private Keys: The Export command in the Certificates snap-in provides two distinct functions. First, it allows a certificate or certificate chain to be exported for the purpose of sharing it with users or computers that do not have access to a certificate directory. Second, it allows the export of a certificate or certificate chain along with the associated private key for cryptographic use on another machine. You can export any type of certificate, including those of root CAs. Naturally, only certificates with available private keys (that is, personal certificates) that are marked as exportable can be exported together with the key; the private key of the Alpine Ski House root is not needed here and must never leave that CA.
Incorrect options:
A: Membership in a certificate publishing group does not make the foreign root trusted by Examsheets clients, and it involves unnecessary administrative effort; simply exporting and importing the enterprise root certificate resolves the warning.
B: The error is a trust problem, not a matter of permissions on contact objects in the alpineskihouse.com domain.
D: certutil is a general-purpose command-line tool for managing certification authorities and certificates; the answer key treats importing the exported root certificate (option C) as the minimum-effort fix.
Reference: Charlie Russel, Sharon Crawford, and Jason Gerend, Microsoft Windows Server 2003 Administrator's Companion, Microsoft Press, Redmond, Chapter 21.
Question: 122
You are a network administrator for Examsheets. You install Windows Server 2003 on two servers named Examsheets1 and Examsheets2. You configure Examsheets1 and Examsheets2 as a two-node server cluster. The cluster has three managed drives assigned the letters Q, R, and S. The quorum resource is located on drive Q. You create a WINS group and configure WINS on the cluster. You create a File Server group and configure file sharing on the cluster by using a shared folder that you create on drive R. File sharing and WINS are both running on Examsheets1. You move the WINS group to Examsheets2. The file share service fails on Examsheets1.
When you attempt to bring it back online, the file share resource will not start on Examsheets1. You move the WINS group back to Examsheets1. The file share service still will not come back online. You need to configure the cluster so that each application can be moved or can fail over independently, without affecting the other application. What should you do?
A. Modify the Preferred owners list for the WINS group so that only Examsheets2 is in the list.
B. Modify the Preferred owners list for the File Server group so that only Examsheets2 is in the list.
C. Configure both the WINS group and the File Server group to allow failback immediately.
D. Reconfigure the File Server group's File Share resource to use a shared folder on drive S.
Answer: B
Explanation:
A cluster is a group of two or more servers dedicated to running a specific application (or applications) and connected to provide fault tolerance and load balancing. Clustering is intended for organizations running applications that must be available, making any server downtime unacceptable. In a server cluster, each computer is running the same critical applications, so that if one server fails, the others detect the failure and take over at a moment's notice. This is called failover. When the failed node returns to service, the other nodes take notice and the cluster begins to use the recovered node again. This is called failback. The order of failover is defined by the order in which the nodes appear in the Preferred Owners list. The default node for the application is listed first. A failover will attempt to move the cluster group to each node on the list, in order, until the group successfully starts.
Thus, if you modify the Preferred Owners list for the File Server group to make Examsheets2 the only entry in the list, failover can be independent without affecting the other application.
Incorrect answers:
A: The modification to the Preferred owners list should be made for the File Server group, not the WINS group.
C: Allowing failover by both groups will affect all applications, and failover is thus not independent.
D: Making use of a shared folder to make sure that the application is still available does not provide failover in the real sense. In fact, the shared folder will also be affected in case of node failure.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 2-7
http://download.microsoft.com/download/7/6/f/76f3db2f-6f43-4624-bfdeff731e3c1f96/GDClusters.doc
Question: 123
You are a network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The domain contains a Windows Server 2003 two-node server cluster. The security team states that the password for the cluster service account must be changed because one of the administrators has left the company. You fill out the necessary change control paperwork. You need to provide the process for changing the password in the change control form. You need to change the password for the cluster service account by using the minimum amount of administrative effort. What should you do?
A. Change the cluster service account password in Active Directory Users and Computers. Change the cluster service account password on one node, and restart the node. After the first node comes back online, change the cluster service account password on the second node, and restart the node.
B. Change the cluster service account password in Active Directory Users and Computers. Change the cluster service account password on both nodes, and restart the first node. After the first node comes back online, restart the second node.
C. Run Dsmod.exe with the change password option.
D. Run Cluster.exe with the change password option.
E. Run SC.exe with the change password option.
Answer: D
Explanation:
Cluster.exe is the command-line utility you can use to create or administer a server cluster. It has all of the capabilities of the Cluster Administrator graphical utility and more. Cluster.exe has numerous options. The following are some of the tasks that are impossible to do with Cluster Administrator or are easier to perform with Cluster.exe:
• Changing the password on the cluster service account
• Creating a server cluster or adding a node to a server cluster from a script
• Creating a server cluster as part of an unattended setup of Windows Server 2003
• Performing operations on multiple server clusters at the same time
It is for this reason that A and B are incorrect.
Incorrect Answers:
A, B: There is absolutely no need to change the cluster service account password when all that is necessary is to run Dsmod.exe with the change password option.
C: Dsmod.exe allows the properties of directory services objects to be changed.
E: SC.exe starts, stops, and manages Win32 services.
Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;305813
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp. 670-684
Question: 124
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The network contains Windows Server 2003 file servers. The network also contains a Windows Server 2003 computer named Examsheets1 that runs Routing and Remote Access and Internet Authentication Service (IAS). Examsheets1 provides VPN access to the network for users' home computers. You suspect that an external unauthorized user is attempting to access the network through Examsheets1. You want to log the details of access attempts by VPN users when they attempt to access the network. You want to compare the IP addresses of users' home computers with the IP addresses used in the access attempts to verify that the users are authorized. You need to configure Examsheets1 to log the details of access attempts by VPN users. What should you do?
A. Configure the system event log to Do not overwrite.
B. In IAS, in Remote Access Logging, enable the Authentication requests setting.
C. Configure the Remote Access server to Log all events.
D. Create a custom remote access policy and configure it for Authentication-Type.
Answer: B
Explanation:
Internet Authentication Service (IAS) is a service included with Microsoft Windows Server 2003 that provides centralized authentication and authorization services. Remote Access Logging lists log files and allows you to configure additional logging options, one of which is authentication requests.
Incorrect Answers:
A: System log files contain events relating to the activity of the operating system. Startups and shutdowns, device driver events, and system service events are recorded in the System log.
C: Log all events would be very inefficient. Enabling the Authentication requests setting will be sufficient to log all details concerning VPN user access attempts.
D: The Authentication-Type option is used to check the authentication method in use. This is not what is required.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.
Deborah Littlejohn Shinder and Dr. Thomas W. Shinder, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System.
Martin Grasdal, Laura E. Hunter, and Michael Cross, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System.
Question: 125
You are a network administrator for Examsheets. The design team provides you with the following list of requirements for server disaster recovery:
• No more than two sets of tapes can be used to restore to the previous day.
• A full backup of each server must be stored off-site.
• A full backup of each server that is no more than one week old must be available on-site.
• Backups must never run during business hours.
• Tapes may be recalled from off-site storage only if the on-site tapes are corrupted or damaged.
A full backup of all servers requires approximately 24 hours. Backing up all files that change during one week requires approximately 4 hours. Business hours for Examsheets are Monday through Friday from 6:00 A.M. to 10:00 P.M. You need to provide a backup rotation plan that meets the design team's requirements. Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two.)
A. Perform a full normal backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.
B. Perform a full normal backup for on-site storage on Friday night after business hours. Perform another full normal backup for off-site storage on Saturday night after the Friday backup is complete.
C. Perform a full copy backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.
D. Perform differential backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.
E. Perform incremental backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.
F. Perform incremental backups on Sunday, Tuesday, and Thursday nights after business hours. Perform differential backups on Monday and Wednesday nights after business hours.
Answer: A, D
Explanation:
A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups, because copying does not affect these other backup operations.
A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup.
A normal backup copies all the files you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.
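The archive-attribute rules just described are what decide how many tapes a restore needs. The following Python simulation is an added example, not code from the study guide: it runs the rotation chosen in the answer (Friday normal on-site, Saturday copy off-site, Sunday to Thursday differential) and, for comparison, the incremental variant in option E, and counts the on-site tapes needed to restore each night's data. The file names, the files changed each day and the tape locations are constructed for the demonstration.

```python
"""Backup rotation simulator for Question 125 (added example, not part of
the original study guide). It models the archive-attribute rules the
explanation describes: normal and incremental backups clear the attribute,
copy and differential backups leave it set. It then counts how many on-site
tapes a complete restore needs on each night. File names, the files changed
on each day, and the tape locations are all constructed for the demo."""
from itertools import combinations

# Backup type -> (backs up every file?, clears the archive attribute?)
BACKUP_TYPES = {
    "normal":       (True,  True),
    "copy":         (True,  False),
    "incremental":  (False, True),
    "differential": (False, False),
}


class FileSystem:
    """Tracks a version number and the archive attribute for each file."""

    def __init__(self, names):
        self.version = {n: 0 for n in names}
        self.archive = {n: True for n in names}  # new files are flagged

    def modify(self, names):
        for n in names:
            self.version[n] += 1
            self.archive[n] = True  # any write sets the archive attribute

    def backup(self, kind, location):
        """Write a tape: a snapshot of the selected files' current versions."""
        full, clears = BACKUP_TYPES[kind]
        selected = [n for n in self.version if full or self.archive[n]]
        tape = {"kind": kind, "location": location,
                "files": {n: self.version[n] for n in selected}}
        if clears:
            for n in selected:
                self.archive[n] = False
        return tape


def restore(tapes):
    """Apply tapes in chronological order; later versions overwrite earlier."""
    state = {}
    for t in tapes:
        state.update(t["files"])
    return state


def min_tapes_to_restore(tapes, target, location="on-site"):
    """Smallest number of tapes at `location` whose ordered restore yields
    exactly `target`; None if the data cannot be rebuilt from there."""
    usable = [t for t in tapes if t["location"] == location]
    for k in range(1, len(usable) + 1):
        for subset in combinations(usable, k):  # keeps chronological order
            if restore(subset) == target:
                return k
    return None


def run_rotation(schedule):
    """schedule: (day, files changed that day, backup kind or None, location).
    Returns {day: minimum on-site tapes needed to restore that night's data}."""
    fs = FileSystem(["payroll.xls", "orders.mdb", "web.config",
                     "report.doc", "logo.gif"])  # constructed file set
    tapes, needed = [], {}
    for day, changed, kind, location in schedule:
        fs.modify(changed)  # daytime changes happen before the night's backup
        if kind:
            tapes.append(fs.backup(kind, location))
        needed[day] = min_tapes_to_restore(tapes, dict(fs.version))
    return needed


# Answer A + D: Friday normal (on-site), Saturday copy (off-site), then a
# differential every night from Sunday to Thursday. The weekend has no changes.
ANSWER_PLAN = [
    ("Fri", ["payroll.xls", "orders.mdb"], "normal",       "on-site"),
    ("Sat", [],                            "copy",         "off-site"),
    ("Sun", [],                            "differential", "on-site"),
    ("Mon", ["orders.mdb"],                "differential", "on-site"),
    ("Tue", ["web.config"],                "differential", "on-site"),
    ("Wed", ["orders.mdb", "report.doc"],  "differential", "on-site"),
    ("Thu", ["payroll.xls"],               "differential", "on-site"),
]

# Option E instead of D: nightly incrementals, each clearing the attribute.
INCREMENTAL_PLAN = [(d, c, "incremental" if k == "differential" else k, loc)
                    for d, c, k, loc in ANSWER_PLAN]


def max_tapes(schedule):
    """Worst-case number of on-site tapes a restore needs under a schedule."""
    return max(run_rotation(schedule).values())


if __name__ == "__main__":
    print("normal + copy + differential:", run_rotation(ANSWER_PLAN))
    print("normal + copy + incremental: ", run_rotation(INCREMENTAL_PLAN))
```

The differential plan never needs more than the Friday normal tape plus the latest differential, while the incremental plan climbs to four tapes by Thursday because each incremental only holds that day's changes.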
Backing up your data using a combination of normal backups and incremental backups requires the least amount of storage space and is the quickest backup method.
We do a normal backup on Friday, and the archive bit is cleared. We do a copy backup on Saturday, and the archive bit is not cleared. We do differential backups on Sunday, Monday, Tuesday, Wednesday, and Thursday. This way, we need just two tapes to restore: the full backup and the last differential backup.
Incorrect Answers:
B: With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. However, in the way suggested by this option, two tapes might be too few, and it will not comply with the requirements set out by the company.
C: With two full copy backups the archive attribute is not cleared, and you will end up using more than two tapes this way.
E: An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). This will not enable you to run a full restoration when necessary, even though you would be using fewer tapes than most of the other types of backup.
F: Since a differential backup copies files that have been created or changed since the last normal or incremental backup, this option is not going to comply with the requirements of the company.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, pp. 596-597
Question: 126
You are the network administrator for ExamSheets.net. All servers run Windows Server 2003.
The network contains two Web servers named Examsheets1 and Examsheets2 and three application servers named Examsheets3, Examsheets4, and Examsheets5. All five servers have similar hardware. The servers are configured as Network Load Balancing clusters, as shown in the exhibit. A Web services application hosted on Examsheets1 and Examsheets2 communicates with application components hosted on Examsheets3, Examsheets4, and Examsheets5 by using the IP address 10.1.20.11. The application is designed to be stateless. The Network Load Balancing settings for each server are listed in the following table.
Host         Filtering mode   Host priority   Affinity   Load
Examsheets1  Multiple         1               Single     Equal
Examsheets2  Multiple         2               Single     Equal
Examsheets3  Multiple         1               Single     Equal
Examsheets4  Multiple         2               Single     Equal
Examsheets5  Multiple         3               Single     Equal
Users report that response time to the Web services application is slow. You investigate the performance of each server and observe the information listed in the following table.
Host         Average % of CPU in use   Average % of RAM in use
Examsheets1  75                        80
Examsheets2  65                        75
Examsheets3  98                        90
Examsheets4  2                         20
Examsheets5  2                         20
You need to improve the response time of the application. What should you do?
A. Modify the Web services application to access the components on the application servers by using the IP address 10.1.10.11.
B. Modify the Network Load Balancing host priorities for Examsheets3 and Examsheets5 by 1.
C. Modify the Network Load Balancing host priority for Examsheets2 to be 1.
D. Modify the Network Load Balancing affinity setting for Examsheets3, Examsheets4, and Examsheets5 to be None.
E. Modify the Network Load Balancing affinity setting for Examsheets1 and Examsheets2 to be None.
Answer: D
Explanation:
In simple terms, affinity is the attraction one item feels for another item. Selecting None specifies that NLB does not need to direct multiple requests from the same client to the same NLB host, thereby splitting the load and improving response times and reliability.
Incorrect Answers:
A: The communication link is not the problem, as Examsheets3, 4, and 5 are receiving communication. The problem is that Examsheets3 is overworked compared to Examsheets4 and 5.
B, C: Each host within the NLB cluster must have a unique priority number configured.
D: The load between Examsheets1 and 2 is balanced.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 27
Question: 127
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All computers on the network are members of the domain. You administer a four-node Network Load Balancing cluster. All nodes run Windows Server 2003. The cluster has converged successfully. You use Network Load Balancing Manager on the default host to configure all nodes of the cluster. The nodes have a single network adapter and are connected to the same switching hub device. Administrators of non-cluster servers that are connected to the same switching hub device report that their servers receive traffic that is destined for the cluster nodes. Receiving this additional network traffic impairs the network performance of the non-cluster servers. You need to ensure that traffic destined only for the cluster nodes is not sent to all ports of the switching hub device.
You do not want to move the cluster to another switching hub device. What should you do?
A. On the node, run the nlb.exe reload command.
B. On each node, run the wlbs.exe drainstop command.
C. Use Network Load Balancing Manager to enable Internet Group Management Protocol (IGMP) support on the cluster.
D. Use Network Load Balancing Manager to add a second cluster IP address.
Answer: C
Explanation:
If you enable IGMP multicast, NLB attempts to prevent switch flooding by limiting multicast traffic to only those ports on a switch that have an NLB-bound network adapter connected to them. So, when you use IGMP multicast, traffic is designed to flow only to those switch ports connected to NLB cluster hosts, thus preventing all other switch ports from being flooded by the multicast traffic.
Incorrect Answers:
A: The nlb.exe reload command instructs NLB to reload the current parameter set from the Registry. If required to complete the process, cluster operations are stopped and subsequently restarted. Any errors that exist within the parameters prevent the host from joining the cluster and also cause a warning dialog box to be displayed.
B: The nlb.exe command replaces the wlbs.exe command previously used in Windows NT 4.0 and Windows 2000 Server.
C: You use the Network Load Balancing Manager application in Windows Server 2003 to create, manage, and monitor NLB clusters.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 23
Question: 128
You are a network administrator for ExamSheets.net. You install Windows Server 2003, Enterprise Edition on two servers named Examsheets1 and Examsheets2. You configure Examsheets1 and Examsheets2 as a two-node server cluster. Examsheets1 and Examsheets2 are connected to a shared fiber-attached array. You configure the server cluster for file sharing. You configure Examsheets1 as the preferred owner of the file sharing resources. You perform the following backups by using the Backup or Restore Wizard.
           Examsheets1                                                     Examsheets2
Tuesday    Normal backup including system state                            Normal backup including system state
Wednesday  Incremental backup and Automated System Recovery (ASR) backup   Incremental backup and ASR backup
On Thursday morning, Examsheets2 experiences a hard disk failure. The failed disk contains only the operating system for Examsheets2. You evict Examsheets2 from the server cluster. You need to recover Examsheets2 and restore it to the cluster. You need to minimize data loss and recovery time. What should you do?
A. Restore the quorum disk signature and data from the Tuesday backup of Examsheets1, and add Examsheets2 to the server cluster.
B. Restore Examsheets2 by using ASR, and add Examsheets2 to the server cluster.
C. Restore the Tuesday backup of Examsheets2, and add Examsheets2 to the server cluster.
D. Restore the Tuesday normal backup and the Wednesday incremental backup of Examsheets2, and add Examsheets2 to the server cluster.
Answer: B
Explanation:
When an ASR restore is performed, the operating system is reinstalled using the original Windows Server 2003 media. However, instead of generating new disk signatures, security identifiers, and Registry content, these items are restored from the ASR set.
Incorrect Answers:
A: Examsheets1 did not fail.
C, D: These types of backup do not restore the operating system.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 614.
Question: 129
You are a network administrator for Examsheets. The network contains two Windows Server 2003 database servers configured as a two-node server cluster. Each cluster node has a 100-Mbit network adapter and a 10-Mbit network adapter. The 100-Mbit network adapter on each server is connected to the company network. The 10-Mbit adapters are connected to each other by an Ethernet crossover cable. Cluster communications are configured to use the crossover connection as the primary cluster network. The cluster provides mission-critical data to several hundred users at any given time, 24 hours per day. You need to be able to ascertain if the network performance ever becomes or might become a limiting performance factor. You want to be able to identify trends over time. You need to choose which network adapters and performance counters are the most important for you to monitor, and you need to choose which method of monitoring to use to detect potential saturation of the network adapters. What should you do?
Answer:
Explanation:
Since each cluster node has 100-Mbit network adapters that are connected to the network, it is logical to choose them to monitor instead of the 10-Mbit network adapters. The latter just connect the cluster nodes to each other by means of a crossover cable. If you need to be able to ascertain if the network performance ever becomes or might become a limiting performance factor and to be able to identify trends over time, then Packets Received/sec, which specifies the number of packets received by the adapter each second, would be the counter to configure for monitoring purposes. This can be viewed using the Performance logs.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 6: 20
Question: 130
You are a network administrator for Examsheets. The network consists of a single Active Directory domain named ExamSheets.net that has two child domains: domain1.ExamSheets.net and domain2.ExamSheets.net. All domain controllers run Windows Server 2003. All domain controllers are configured as DNS servers. You use a proxy firewall to isolate your network from the Internet. You configure the DNS servers in the ExamSheets.net domain as internal DNS root servers. All client computers are configured with the proxy firewall client software. You need to allow users to resolve host names on both the internal network and the Internet. What should you do?
A. Configure the internal DNS root servers to use Active Directory-integrated stub zones to resolve DNS queries for domain1.ExamSheets.net and domain2.ExamSheets.net.
B. Configure all client computers to use a Web browser automatic configuration script.
C. Configure the DNS servers in the child domains to use the internal DNS root servers as forwarders.
D. Configure the DNS servers in the child domains with root hints that point to the internal DNS root servers in the ExamSheets.net domain.
Answer: D
Explanation:
If you are using the DNS service on a private network, you can edit or replace the root hints file with similar records that point to your own internal root DNS servers. If you are configuring a DNS server within a large private namespace, you can use the Root Hints tab in the DNS server properties to delete the Internet root servers and specify the root servers in your network instead.
Incorrect Answers:
A: Stub zones are used to keep all the NS resource records from a master zone current.
B: This option does not address name resolution.
C: This will only allow users to resolve host names on the internal network.
Reference: J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapters 4 and 5
Question: 131
You are a network administrator for Examsheets. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest and of all three domains is Windows Server 2003. Examsheets has a main office and 30 branch offices. Each branch office is connected to the main office by a 56-Kbps WAN connection. You configure the main office and each branch office as a separate Active Directory site. You deploy a Windows Server 2003 domain controller at the main office and at each branch office. Each domain controller is configured as a DNS server. You can log on to the network from client computers in the branch offices at any time. However, users in the branch offices report that they cannot log on to the network during peak hours. You need to allow users to log on to the network from branch office computers. You do not want to affect the performance of the branch office domain controllers. You need to minimize Active Directory replication traffic across the WAN connections. What should you do?
A. Use Active Directory Sites and Services to enable universal group membership caching for each branch office site.
B. Use the DNS console to configure the branch office DNS servers to forward requests to a DNS server in the main office.
C. Use Active Directory Sites and Services to configure each branch office domain controller as a global catalog server.
D. Use the DNS console to configure the branch office DNS servers to use an Active Directory-integrated zone.
Answer: A
Explanation:
When a user logs on to the network, the global catalog provides universal group membership information for the account to the domain controller processing the user logon. If a global catalog is not available when a user initiates a network logon, the user is able to log on only to the local computer unless the site has been specifically configured to cache universal group membership lookups when processing user logon attempts. In this scenario the domain controller must contact the global catalog server across a WAN link that is saturated. Enabling universal group membership caching will overcome this problem.
Incorrect Answers:
B: When users log on, the requests are sent to the global catalog, not the DNS server.
C: Configuring each branch office domain controller as a global catalog server would result in increased replication traffic. We want to avoid this.
D: An Active Directory-integrated zone is a DNS zone that is stored in Active Directory and is part of Active Directory replication. Making the DNS zone a part of Active Directory will not overcome logon latency and will lead to an increase in replication traffic.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-43.
Question: 132
You are the network administrator for ExamSheets.net. Examsheets has 20,000 users in 20 physical locations worldwide. Examsheets is expecting to grow by 50 percent over the next five years. Examsheets recently became a subsidiary of Humongous Insurance. Humongous Insurance has five other subsidiaries. Humongous Insurance has 100,000 users in 100 physical locations worldwide. Humongous Insurance uses the 10.0.0.0/8 network and requires that all subsidiaries integrate into this network. The network design team at Examsheets provides you with a network design for integrating into the Humongous Insurance network. The design specifies that Examsheets will use a single block of IP network numbers to assign IP addresses to its network. You need to plan the IP address space to meet the design specification. You need to request a block of IP addresses from Humongous Insurance that will accommodate all Examsheets users. To reduce the difficulty of obtaining the addresses and to conserve the Humongous Insurance address space, you want to request the smallest block of IP addresses that meets the design specification. What should you do?
A. Request a 10.0.0.0 block of IP addresses with an 8-bit subnet mask from Humongous Insurance.
B. Request a 10.0.0.0 block of IP addresses with a 16-bit subnet mask from Humongous Insurance.
C. Request a 10.0.0.0 block of IP addresses with a 24-bit subnet mask from Humongous Insurance.
D. Request a 10.0.0.0 block of IP addresses with a 32-bit subnet mask from Humongous Insurance.
Answer: B
Explanation:
We have 20,000 users in 20 locations, which gives us an average of 1,000 users per location. We need to make provision for 50% growth, so that makes 1,500 users per location. We need to integrate this network with the Humongous Insurance network, which uses the 10.0.0.0 network. This means we must use the 10.0.0.0 network. Subnetting is the process of shifting the subnet mask so as to increase or decrease the number of bits reserved for the network address. In this instance we are using a Class A address, so the number of clients is important. A simple formula, 2^(32-n) - 2, where n is the number of bits in the subnet mask, can be used to calculate the number of hosts a network will support. The best subnet mask would be a 21-bit mask, which would give us 2,097,150 networks with 2,046 clients per network. However, a 21-bit subnet mask is not offered as an option, so we must use the next best subnet mask, which would be 16 bits. This would give us 65,534 networks with 65,534 clients per network.
Incorrect Answers:
A: The default subnet mask for a Class A network is an 8-bit subnet mask of 255.0.0.0. This provides a total of 254 networks with 16,777,214 clients per network. This provides us with too many clients, as we want the smallest block of IP addresses that meets the design specification.
C: A 24-bit subnet mask would give us 16,777,214 networks with 254 clients per network. This would be too few clients per network.
D: We cannot use a 32-bit subnet mask, as this is not a valid subnet mask.
Reference: Thomas Shinder and Debra Littlejohn Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293, Syngress, 2003, pp. 173-180.
Question: 133
You are the administrator of a network at Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All servers run Windows Server 2003.
Client computers run either Windows XP Professional or Windows 98. All Windows 98 computers have the Active Directory Client Extensions software installed. The network consists of three physical subnets. Each subnet contains a domain controller and a server that runs DHCP. Each subnet also contains a server that runs both the DNS Server service and the WINS service. All client computers receive their TCP/IP configuration from the DHCP server that is located on their local subnet.
All of the Windows 98 computers are located on a single subnet. The DHCP scope on this subnet is configured with the options shown in the exhibit. All DHCP servers are configured with similar options.
Users of the Windows 98 computers report that they cannot connect to resources on the Windows Server 2003 computers located on any subnet. When they attempt to connect to a shared resource by using \\servername\sharename in the Run command, they receive the following error message: “Server not found”. The users can successfully connect to Web-based resources located on the same servers. When you attempt to connect to the servers by using the ping command on an affected Windows 98 computer, you can connect successfully. The users of the Windows XP Professional computers do not report the same problems.
You need to ensure that the users of the Windows 98 computers can connect to shared resources on the Windows Server 2003 computers.
What should you do?
A. On the affected subnet’s DHCP server, configure the scope options to use the Windows 98 vendor class.
B. On the affected subnet’s DHCP server, remove the WINS/NBT Node Type from the scope options.
C. On each DHCP server, remove the Microsoft Disable NetBIOS Option from the scope options.
D.
On each DHCP server, add the NetBIOS over TCP/IP NBDD DHCP scope option to the scope options.
Answer: C
Explanation:
The main advantage of disabling NetBIOS is improved network security. NetBIOS as a service stores information about network resources that can be collected by any host through broadcast-based queries. Feasibly, this information could be exploited by a malicious intruder. Another advantage of disabling NetBIOS is that doing so can simplify administration by reducing the number of naming infrastructures that you must configure, maintain, and support. In this scenario, however, the Windows 98 computers still need NetBIOS over TCP/IP to resolve and connect to server names in the form \\servername\sharename, so the scope option that disables it is what is breaking their access and must be removed; the advantages of disabling NetBIOS apply only where every client can do without it.
Incorrect Answers:
A: Vendor classes are used to identify DHCP clients according to their vendor and hardware configuration type. This determines which options are available for you to give to your DHCP clients. This won’t change the options shown in the exhibit.
B: This cannot be removed, as there are servers on each subnet running the WINS service.
D: Only if all the computers on your network are running Windows 2000 or later and no applications are using NetBIOS is it possible to remove WINS servers and disable the NetBIOS over TCP/IP (NetBT) protocol on your computers.
Reference: J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 4.
James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Chapter 5.

Question: 134
You are the systems engineer for ExamSheets.net. The internal network consists of a Windows NT 4.0 domain. The company maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named ExamSheets.net. The ExamSheets.net zone is hosted by a UNIX-based DNS server running BIND 4.8.1.
Examsheets is planning to migrate to a Windows Server 2003 Active Directory domain-based network. The migration plan states that all client computers will be upgraded to Windows XP Professional and that all servers will be replaced with new computers running Windows Server 2003.
The migration plan specifies the following requirements for DNS in the new environment:
• Active Directory data must not be accessible from the Internet.
• The DNS namespace must be contiguous to minimize confusion for users and administrators.
• Users must be able to connect to resources in the ExamSheets.net domain.
• Users must be able to connect to resources located on the Internet.
• The existing UNIX-based DNS server will continue to host the ExamSheets.net domain.
• The existing UNIX-based DNS server cannot be upgraded or replaced.
You plan to install a Windows Server 2003 DNS server on the internal network. You need to configure this Windows-based DNS server to meet the requirements specified in the migration plan.
What should you do?
A. Create a primary zone named ad.ExamSheets.net on your Windows-based DNS server. Create a delegation record for the new zone on the UNIX-based DNS server. Configure forwarders on your Windows-based DNS server.
B. Create a primary zone named ad.ExamSheets.net on the UNIX-based DNS server. Create a secondary zone on your Windows-based DNS server for the ad.ExamSheets.net domain.
C. Create a primary zone named Examsheets-ad.com on your Windows-based DNS server. Create a secondary zone on the UNIX-based DNS server for the Examsheets-ad.com domain.
D. Create a primary zone named Examsheets-ad.com on the UNIX-based DNS server. Create a stub zone on the Windows-based DNS server for the Examsheets-ad.com domain.
Configure conditional forwarders on your Windows-based DNS server for the Examsheets-ad.com and ExamSheets.net domains.
Answer: A
Explanation:
A primary zone contains the master copy of the zone database, where administrators make all changes to the zone’s resource records. If the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) check box is cleared, the server creates a primary master zone database file on the local drive. This is a simple text file that is compatible with most non-Windows DNS server implementations.
To delegate a zone means to assign authority over portions of your DNS namespace to subdomains within this namespace. A zone delegation occurs when the responsibility for the resource records of a subdomain is passed from the owner of the parent domain to the owner of the subdomain.
The Forwarders tab of the DNS server properties dialog box allows you to forward DNS queries received by the local DNS server to upstream DNS servers, called forwarders. This tab also allows you to disable recursion for selected queries (as specified by domain).
Incorrect Answers:
B, C: A secondary zone is a duplicate of a primary zone on another server; the secondary zone contains a backup copy of the primary master zone database file, stored as an identical text file on the server’s local drive. You cannot modify the resource records in a secondary zone manually; you can only update them by replicating the primary master zone database file, using a process called a zone transfer. This is not what is required to comply with the requirements as stated. Furthermore, option B suggests the creation of a primary zone on the wrong server.
D: A stub zone is a copy of a primary zone that contains the Start Of Authority (SOA) and Name Server (NS) resource records, plus the Host resource records that identify the authoritative servers for the zone; the stub zone forwards or refers requests.
When you create a stub zone, you configure it with the IP address of the server that hosts the zone from which you created the stub. When the server hosting the stub zone receives a query for a name in that zone, it either forwards the request to the host of the zone or replies with a referral to that host, depending on whether the query is recursive or iterative. You should be creating a primary zone on the Windows-based DNS server instead.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapters 7 and 8.
J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 5.
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4-34.

Question: 135
You are the network administrator for ExamSheets.net. The relevant portion of the network is shown in the exhibit. All servers run Windows Server 2003. Each subnet of the network contains 100 Windows XP Professional computers. Each subnet also contains a DHCP server, which provides TCP/IP configuration information to all computers on its local subnet. You create and configure Subnet3 for a new department at your company. Users in Subnet3 report that they cannot connect to resources located on servers in Subnet1 and Subnet2.
When they attempt to connect to these resources, they receive the following message: “Server not found”. The users can successfully connect to resources located on servers in Subnet3.
Users in Subnet1 and Subnet2 report that they cannot connect to resources located on servers in Subnet3. When they attempt to connect to these resources, they receive the following error message: “Server did not respond in a timely manner”. The users can successfully connect to resources in both Subnet1 and Subnet2.
You need to ensure that all client computers can connect to server-based resources on all subnets.
What should you do?
A. Configure the DHCP server in Subnet3 to provide a subnet mask of 255.255.255.0.
B. Configure the DHCP servers in Subnet1 and Subnet2 to provide a subnet mask of 255.255.0.0.
C. Configure the Examsheets2 Interface E1 to use a subnet mask of 255.255.0.0.
D. Configure the IP address of the Examsheets2 Interface E0 as the default gateway for Subnet3.
E. Configure the IP address of the Examsheets2 Interface E1 as the default gateway for Subnet2.
Answer: A
Explanation:
With a subnet mask of 255.255.255.0, you can assign IP addresses ranging from 172.30.2.1 to 172.30.2.254 to your computers. This will ensure that users in Subnet1 and Subnet2 can connect to resources that are located in Subnet3.
Incorrect Answers:
B: The subnet masks for Subnet1 and Subnet2 are correctly configured. Thus you do not need to configure the DHCP servers in Subnet1 and Subnet2 to provide a different subnet mask.
C: You should configure the DHCP server of Subnet3 to use the 255.255.255.0 subnet mask, and not the Examsheets2 Interface E1.
D, E: The IP addresses for interfaces E0 and E1 on Examsheets2 are correctly configured.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2-25.

Question: 136
You are a network administrator for Examsheets. Examsheets has one main office and 30 branch offices. The network consists of a single Active Directory domain ExamSheets.net. All servers run Windows Server 2003.
Examsheets needs to connect the main office network and all branch office networks by using Routing and Remote Access servers at each office. The networks will be connected by VPN connections over the Internet. You install three Routing and Remote Access servers at the main office.
You are configuring security for the Routing and Remote Access servers. You need to provide centralized authentication for the branch office Routing and Remote Access servers. You need to centrally configure the remote access policies for the main office Routing and Remote Access servers. You need to centrally maintain remote access authentication and connection logs for the main office Routing and Remote Access servers.
You install Internet Authentication Service (IAS) on a server in the main office and register it in Active Directory.
What else should you do?
A. Configure the remote access policies on the IAS server. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use RADIUS authentication and accounting.
B. Configure the remote access policies on the IAS server. On the IAS server, configure the branch office RADIUS clients. Configure the branch office Routing and Remote Access servers to use RADIUS authentication and accounting.
C. Configure the remote access policies on the IAS server. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use Windows authentication and accounting.
D.
Run the netsh command to configure the remote access policies on the main office Routing and Remote Access servers. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use RADIUS authentication and accounting.
Answer: A
Explanation:
Internet Authentication Service (IAS) is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS), an authentication and accounting system used by many Internet Service Providers (ISPs). When a user connects to an ISP using a username and password, the information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system. RADIUS proxy and server support is a new feature in Windows Server 2003. You can install and use the Microsoft Internet Authentication Service (IAS) server as both a RADIUS server and a RADIUS proxy.
Incorrect Answers:
B: The main office RADIUS clients should be configured on the IAS server, and not the other way around.
C: The question states that “You need to centrally configure the remote access policies for the main office”, and with Windows authentication there is a separate set of policies for each RRAS server.
D: Netsh.exe is a configuration tool that now adds the basic network diagnostic features provided by the older NetDiag.exe tool. Netsh is a command-line scripting utility that permits administrators to display or modify the network configuration of a computer that is currently running.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 5-28.

Question: 137
You are the systems engineer for Examsheets.
The network consists of a single Active Directory domain ExamSheets.net. Examsheets has a main office and two branch offices. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional.
Each branch office maintains a dedicated 256-Kbps connection to the main office. Each office also maintains a T1 connection to the Internet. Each office has a Microsoft Internet Security and Acceleration (ISA) Server 2003 computer, which provides firewall and proxy services on the Internet connection. Each branch office contains one domain controller and five servers that are not domain controllers. There is a minimal administrative staff at the branch offices.
A new company policy states that all servers must now be remotely administered by administrators in the main office. The policy states that all remote administration connections must be authenticated by the domain and that all traffic must be encrypted. The policy also states that the remote administration traffic must never be carried in clear text across the Internet.
You choose to implement remote administration by enabling Remote Desktop connections on all servers on the network. You decide to use the Internet-connected T1 lines for remote administration connectivity between offices. Because administrative tasks might require simultaneous connections to multiple servers across the network, you need to ensure that administrators do not lose connections to servers in one office when they attempt to connect to servers in another office.
What should you do?
A. Configure Routing and Remote Access on one server in each branch office. Create L2TP/IPSec VPN ports on these servers. Create new VPN connections on the administrators’ computers to connect to the VPN servers in the branch offices.
B. Configure a VPN server in each branch office.
Create connections that use IPSec Authentication Header (AH) in tunnel mode from the main office to connect to the VPN servers in the branch offices.
C. Configure a local L2TP/IPSec VPN connection on the ISA Server 2000 firewall computer in the main office. Configure the ISA Server 2000 firewall computers at the branch offices as remote L2TP/IPSec VPN servers.
D. Configure a local PPTP VPN connection on the ISA Server 2000 firewall computers in each branch office. Configure the ISA Server 2000 firewall computer at the main office as a remote PPTP VPN server.
Answer: C
Explanation:
Windows Server 2003 VPNs use the IP Security protocol (IPSec) to encrypt data sent over an L2TP tunnel. This provides end-to-end encryption and greater security than the MPPE encryption used with PPTP.
Incorrect Answers:
A: This option might result in some administrators losing their connection to servers in one office when they try to connect to servers in another office.
B: Authentication Header (AH) provides data authentication, integrity, and anti-replay protection to IP packets. It is one of the two primary IPSec protocols. AH provides data authentication and integrity; it does not provide data confidentiality.
D: PPTP in Windows Server 2003 is based on the existing PPP infrastructure and supports the same authentication methods as PPP, such as the Password Authentication Protocol (PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). However, L2TP provides greater security.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp.
258, 307-309.

Question: 138
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The functional level of the domain is Windows 2000 mixed. The network contains domain controllers that run Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0. The network also contains application servers that run Windows Server 2003, Windows 2000 Advanced Server, or Windows NT Server 4.0. All client computers run Windows XP Professional.
Examsheets has a main office and branch offices. Each office has a local administrator. Local administrators manage the client computers that are in their offices, including the Group Policy settings.
You want to reduce the possibility of passwords being compromised through man-in-the-middle attacks during the authentication process between client computers and servers. You want to ensure that the authentication protocols used by the client computers are as secure as possible. You are planning the guideline that the local administrators will use when they configure the Network Security policy setting for client computers. You want to be as flexible as possible, while still meeting your goals.
You need to select the appropriate authentication type or types for the client computers.
What should you do?
A. Allow LM, NTLM, NTLMv2, and Kerberos.
B. Allow only NTLM, NTLMv2, and Kerberos.
C. Allow only NTLMv2 and Kerberos.
D. Allow only Kerberos.
Answer: C
Explanation:
NTLMv2 is the direct successor to the challenge/response NTLM authentication method. This method is used when IIS machines are part of a workgroup or on Windows Server 2003 networks that still have some legacy Windows NT domain controllers present. Kerberos is an industry-standard, ticket-based authentication method. This method is used when IIS machines are part of a domain and there are no legacy Windows NT domain controllers present.
Incorrect Answers:
A: The LM authentication protocol is considered weak because of the method used to encrypt the password. This weakness is well known and exploited by hackers.
B: NTLMv2 is the direct successor to the challenge/response NTLM authentication method, so there is no reason to still allow NTLM.
D: There are legacy Windows NT domain controllers present, so this cannot be used on its own.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9-23.

Question: 139
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The network contains 10 application servers running Windows Server 2003. There are 500 client computers on the LAN. The LAN-based client computers are members of the domain. There are 50 client computers on the Internet. The Internet-based client computers are not members of the domain. All client computers run Windows XP Professional. All client computers need to access the application servers.
Examsheets purchases certificates from a commercial certification authority (CA) when needed. The network design requires that all access to the application servers must be encrypted by using IPSec. The application servers are configured to refuse any connection that is not encrypted.
You need to ensure that the client computers are authorized to access the application servers. You need to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Configure both the LAN-based client computers and the Internet-based client computers to use the Kerberos version 5 authentication protocol.
B.
Configure both the LAN-based client computers and the Internet-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA.
C. Configure the LAN-based client computers to use the Kerberos version 5 authentication protocol and the Internet-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA.
D. Configure the LAN-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA and the Internet-based client computers to use the Kerberos version 5 authentication protocol.
Answer: C
Explanation:
Kerberos is an industry-standard, ticket-based authentication method. This method is used when IIS machines are part of a domain and there are no legacy Windows NT domain controllers present. Kerberos version 5 is the default protocol used by computers running Windows Server 2003, Windows XP, and Windows 2000. With certificates, you can protect network data and secure communications using a variety of cryptographic algorithms and key lengths that enable you to implement as much security as you need for your organization. For securing external transactions, the best practice is to obtain certificates from a neutral third-party organization that functions as a commercial certification authority.
Incorrect Answers:
A: The Internet-based client computers are not part of the domain.
B, D: If your organization engages in digital transactions with other companies, an internal CA is typically not useful, because the other companies are not going to trust your own CA to verify your identity.
Reference: J. C.
Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11-35.

Question: 140
You are a network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The network contains 50 Windows Server 2003 computers and 200 Windows XP Professional computers. Examsheets does not use wireless networking. The network at Examsheets is shown in the exhibit.
Examsheets enters into a strategic partnership with Adventure Works. Under the strategic partnership, Adventure Works will regularly send employees to Examsheets. Your design team interviews the Adventure Works administrator and discovers the following:
• Adventure Works employees require access to the Internet to retrieve e-mail messages and to browse the Internet.
• Adventure Works employees do not need access to the internal network at Examsheets.
• Adventure Works employees all have portable computers that run Windows XP Professional, and they use a wireless network in their home office.
• The wireless network client computers of Adventure Works employees must be protected from Internet-based attacks.
Adventure Works sends you a wireless access point that its employees will use to access the Internet through your network. You are not allowed to change the configuration of the wireless access point, because any change would require changes to all of the wireless client computers.
You need to develop a plan that will meet the requirements of Adventure Works employees and the security requirements of Examsheets. Your solution must be secure and must minimize administrative effort.
What should you do?
A. Install the wireless access point on a separate subnet inside the Examsheets network. Configure a router to allow only HTTP, IMAP4, and SMTP traffic out of the wireless network.
B.
Install the wireless access point on a separate subnet inside the Examsheets network. Configure a VPN from the wireless network to the Adventure Works office network.
C. Install the wireless access point on the Examsheets perimeter network. Configure Firewall1 to allow wireless network traffic to and from the Internet. Configure Firewall2 to not allow wireless traffic into the Examsheets network.
D. Install the wireless access point outside Firewall1 at Examsheets. Obtain IP addresses from your ISP to support all wireless users.
Answer: C
Explanation:
An infrastructure network consists of a standard cabled network with a wireless access point connected to it. Wireless-equipped computers can then interact with the cabled network by communicating with the access point. Firewall1 will allow wireless network clients access to the Internet for browsing and e-mail retrieval, while Firewall2 will not allow wireless network clients access to ExamSheets’s internal network. Thus, both ExamSheets and Adventure Works are satisfied.
Incorrect Answers:
A, B: This does not satisfy ExamSheets’s security requirements, as they do not use wireless networking.
D: If you use this option, you will not even be able to access the perimeter network.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 801-803.

Question: 141
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net.
The domain contains a Windows Server 2003 computer named Examsheets1 that is located in an organizational unit (OU) named Servers. Examsheets1 contains confidential data, and all network communications with Examsheets1 must be encrypted by using IPSec. The default Client (Respond Only) IPSec policy is enabled in the Default Domain Policy Group Policy object (GPO). You create a new GPO and link it to the Servers OU. You configure the new GPO by creating and enabling a custom IPSec policy. You monitor and discover that network communications with Examsheets1 are not being encrypted.
You need to view all IPSec policies that are being applied to Examsheets1.
What should you do?
A. Use Local Security Policy to view the IP Security Policies on Local Computer for Examsheets1.
B. Use Local Security Policy to view the Security Options for Examsheets1.
C. Use Resultant Set of Policy (RSoP) to run an RSoP logging mode query to view the IP Security Policies on Local Computer for Examsheets1.
D. Use Resultant Set of Policy (RSoP) to run an RSoP planning mode query to view the Security Options for Examsheets1.
E. Use IP Security Monitor to view the Active Policy for Examsheets1.
F. Use IP Security Monitor to view the IKE Policies for Examsheets1.
Answer: C
Explanation:
You can use RSoP to view all the effective Group Policy settings for a computer or user, including the IPSec policies. To use RSoP, you must first load the snap-in into an MMC console, and then perform a query on a specific computer (select Generate RSoP Data from the Action menu), specifying the information you want to gather. The result is a display of the Group Policy settings that the selected computer is using. You can run an RSoP logging mode query to view all of the IPSec policies that are assigned to an IPSec client.
The query results display the precedence of each IPSec policy assignment, so that you can quickly determine which IPSec policies are assigned but are not being applied and which IPSec policy is being applied. The RSoP console also displays detailed settings for the IPSec policy that is being applied, including the following:
• Filter rules
• Filter actions
• Authentication methods
• Tunnel endpoints
• Connection type
When you run a logging mode query, RSoP retrieves policy information from the WMI repository on the target computer, and then displays this information in the RSoP console. In this way, RSoP provides a view of the policy settings that are being applied to a computer at a given time.
Incorrect Answers:
A, B: Local Security Policy is used for configuration purposes.
D: You can run an RSoP planning mode query only on a domain controller.
E, F: You need to view all IPSec policies that are being applied to ExamSheets1, not selected ones.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 12.
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, p. 768.

Question: 142
You are the security analyst for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All servers run Windows Server 2003. The network currently does not have a connection to the Internet. You are in the process of designing an Internet connection solution for Examsheets.
Examsheets Internet security policy includes the following requirements:
• Traffic that originates from outside the Examsheets network must never be passed to the Examsheets intranet.
• Internal Examsheets resources must not be directly accessible from the Internet.
• Examsheets public Web site must not contain any confidential Examsheets information.
• Examsheets public Web site must be accessible from the Internet, even in the event of the failure of any Examsheets-owned network component.
You design a network solution that provides strict access control to the Examsheets intranet by means of a firewall. Your new design includes a perimeter network, which contains resources that external users or computers might need to access. Your design also includes three computers running intrusion-detection software: IDS1, IDS2, and IDS3. You now need to plan the placement of five servers on the network in accordance with Examsheets Internet security policy. How should you place the servers to comply with the security policy? To answer, drag the appropriate server role to the correct network location in the Network Diagram.
Answer:
Explanation: We must ensure that traffic from outside the Examsheets network never passes to the Examsheets intranet and that internal Examsheets resources are not directly accessible from the Internet. In addition, the public Web site must remain accessible from the Internet even if any Examsheets-owned network component fails.
Because the public Web site must survive the failure of any Examsheets-owned component, the Web server cannot depend on the Examsheets firewall or perimeter network at all: it belongs outside the Examsheets network (for example, hosted by the ISP). That placement also guarantees that Internet traffic for the Web site never reaches the intranet, and the third requirement (no confidential information on the site) is what makes hosting it off-network acceptable. Services that must be reachable from the Internet but are Examsheets-owned, such as the e-mail forwarder and the VPN server, belong in the perimeter network, where the firewall controls what they can reach internally. The file server that stores user folders and the e-mail server that stores mailboxes hold internal data and belong in the intranet, reachable only through the perimeter hosts.
Reference: J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 23-28.
Question: 143
You are the security analyst for Examsheets. The Examsheets network consists of a single Active Directory domain ExamSheets.net. The network consists of an intranet and a perimeter network separated by a firewall. The perimeter network is connected to the Internet by a second firewall. The perimeter network contains three Windows Server 2003 computers. The servers on the perimeter network host a custom application that provides product inventory information to customers. The application is managed by SNMP. Each server has the SNMP service installed. Two Windows XP Professional computers running SNMP management software are located on the Examsheets intranet. The internal firewall is configured to allow outbound SNMP traffic from the intranet to the perimeter network. The firewall does not allow inbound SNMP traffic to the intranet. The current read-only SNMP community name is Public. The current read-write SNMP community name is AppCommRW. Examsheets management wants to ensure that the SNMP traffic on the perimeter network cannot be intercepted by outside parties and used to compromise application integrity. You need to design a method to secure the SNMP traffic as it passes from the intranet to the perimeter network.
Because of budget constraints, you cannot add any new hardware or software. Your solution must not affect customer access to the application. You need to ensure that all SNMP management traffic for the application is secure and cannot be used to compromise network security. What should you do?
A. Change the read-only SNMP community name to AppCommRO. On each application server, configure the SNMP service to send only application-specific SNMP information to the management client computers, to send authentication traps for both community names, and to accept only SNMP packets from the IP addresses of the management client computers.
B. Create an IPSec filter named SNMP Messages for the default SNMP ports in the local security policy on the management client computers and on the application servers. Create and assign a new IPSec policy that requires security by using the SNMP Messages filter in the local security policy on the management client computers and on the application servers. Configure the internal firewall to allow outbound IPSec traffic from the intranet.
C. Change the community rights for the Public community to Notify. Change the community rights for the AppCommRW community to Read-Create. On each application server, configure the SNMP service to log on by using a domain user account instead of the local system account and to send authentication traps for the AppCommRW community name. Configure the internal firewall to allow inbound SNMP traffic from the perimeter network.
D. Create an organizational unit (OU) named SNMP Computers. Add the management client computers and the application servers to the SNMP Computers OU. Assign the Secure Server (Require Security) IPSec policy to the SNMP Computers OU.
Configure the internal firewall to allow outbound IPSec traffic from the intranet.
Answer: B
Explanation: SNMP v1 and v2c, the versions the Windows Server 2003 SNMP service implements, send community names and all management data in clear text over UDP (port 161 for agent queries, port 162 for traps). Renaming communities or restricting accepted source addresses reduces exposure to casual guessing but leaves every packet readable, and a source-address check is defeated by spoofing. The only way to make the traffic unreadable and unforgeable without new hardware or software is to wrap it in IPSec, which is built into Windows Server 2003 and Windows XP Professional. An IPSec filter list named SNMP Messages that matches the SNMP ports, combined with a filter action that requires security (no fallback to clear text), applied through the local security policy on the two management computers and the three application servers, forces every SNMP exchange between them to be authenticated and encrypted with ESP. Because the filter matches only the SNMP ports, the customer-facing application traffic is untouched. The internal firewall must then pass IKE (UDP port 500) and ESP (IP protocol 50) between the intranet and the perimeter network, which is what "allow outbound IPSec traffic" means. Note that once SNMP travels inside ESP the firewall can no longer see the SNMP ports, so the IPSec policy, not the firewall, is what limits who may talk SNMP to the servers.
Incorrect Answers:
A: Community names and source-address restrictions do not encrypt or authenticate SNMP packets; an outside party on the perimeter network can still read and spoof them. IPSec filters and policies are needed instead.
C: Changing community rights and the service account does nothing to protect the traffic on the wire, and opening the internal firewall to inbound SNMP from the perimeter network widens the attack surface of the intranet.
D: The built-in Secure Server (Require Security) policy requires IPSec for all IP traffic to the servers, including customer requests to the application, which Internet clients cannot negotiate; this would break customer access. It also relies on an OU and Group Policy rather than the local security policy, which presumes the perimeter servers are domain members.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 728-730. http://support.microsoft.com/default.aspx?scid=kb;en-us;324261&Product=winsvr2003
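The following script is an added example, not part of the original Q&A: it is the scriptable form of answer B. On Windows Server 2003 and Windows XP Professional, netsh ipsec static edits the same local IPSec policy store as the IP Security Policy Management snap-in, so the script runs unchanged on the two management computers and the three application servers. The policy, filter list and action names are kept free of spaces to avoid netsh quoting issues (the question's "SNMP Messages" would need quoting), the Kerberos assumption is explained in the comments, and the final two commands double as the check for Question 141.

```powershell
# Added example (not part of the original Q&A): answer B of Question 143 as a netsh ipsec script.
# Run once on each management computer and each application server.
$policy     = "SNMPMessagesPolicy"
$filterList = "SNMPMessages"
$action     = "RequireSNMPSecurity"

# Filter list for the default SNMP ports. Each filter is mirrored, so the reverse packet (the
# reply) matches too. Four filters are needed because the same script runs on manager and agent:
# a mirrored "me -> any, dport 161" filter matches the manager's queries and their replies, but on
# the agent the same query arrives as "any -> me, dport 161", which is a different filter.
netsh ipsec static add filterlist name=$filterList description=SNMP_UDP_161_162
$filters = @(
    @{ src = "me";  dst = "any"; port = 161 },   # manager side of queries
    @{ src = "any"; dst = "me";  port = 161 },   # agent side of queries
    @{ src = "me";  dst = "any"; port = 162 },   # agent side of traps
    @{ src = "any"; dst = "me";  port = 162 }    # manager side of traps
)
foreach ($f in $filters) {
    netsh ipsec static add filter filterlist=$filterList srcaddr=$($f.src) dstaddr=$($f.dst) protocol=UDP srcport=0 dstport=$($f.port) mirrored=yes
}

# Filter action: negotiate IPSec, refuse unsecured inbound packets (inpass=no) and never fall
# back to clear text when the peer cannot negotiate (soft=no). Without soft=no a host that does
# not speak IPSec could still talk SNMP in the clear, which defeats the requirement.
netsh ipsec static add filteraction name=$action action=negotiate inpass=no soft=no

# Policy and rule. kerberos=yes assumes all five computers are members of ExamSheets.net; if the
# perimeter servers are standalone, use rootca= with computer certificates instead. psk= stores
# the key in clear text inside the policy and is suitable only for testing.
netsh ipsec static add policy name=$policy description=Secure_SNMP_management_traffic
netsh ipsec static add rule name=SecureSNMP policy=$policy filterlist=$filterList filteraction=$action kerberos=yes

# Assign it (only one policy can be assigned per computer) and confirm what is in force.
netsh ipsec static set policy name=$policy assign=y
netsh ipsec static show policy name=$policy level=verbose

# On a domain member a policy assigned through a GPO overrides the local assignment. These two
# commands are also the quick check for Question 141: which policy the computer received from
# Active Directory, and which main-mode and quick-mode policies are active right now.
netsh ipsec static show gpoassignedpolicy
netsh ipsec dynamic show all
```

Two things to verify after assignment: the internal firewall must pass UDP 500 (IKE) and IP protocol 50 (ESP) between the management computers and the application servers, and a packet capture on the perimeter segment during an SNMP poll should show only ESP, never UDP 161/162 in the clear. If a GPO-assigned policy shows up in the first of the last two commands, it is the one in effect and the local assignment is ignored.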
Question: 144
You are the network administrator for ExamSheets.net. The network contains 20 Windows Server 2003 database servers. The written security policy for Examsheets requires that the following services must be disabled on all database server computers:
• Computer Browser
• File Replication
• Indexing Service
• Remote Registry
• Server
• Task Scheduler
The written security policy also requires that the database servers must be prohibited from having access to the Internet. You use a Windows XP Professional client computer named Examsheets1 that has access to the Internet. You need to perform a weekly analysis of the hotfix level of the database servers compared with the latest available updates. You need to minimize the amount of administrative effort. What should you do?
A. Schedule the mbsacli.exe command to run weekly on Examsheets1. Configure the mbsacli.exe parameters to use a file that contains the names of all database servers.
B. Each week, copy the Mssecure.cab file from the Microsoft Web site to Examsheets1 and initiate a Remote Desktop connection to each database server. Run the mbsacli.exe command on each database server. Configure the mbsacli.exe parameters to reference Examsheets1 as a data source for the hotfix information.
C. Each week, initiate a Remote Desktop connection to each database server. Run the wmic.exe qfe command on each database server.
D. Each week, initiate a Remote Desktop connection to each database server. Run the hotfix.exe command on each database server.
Answer: B
Explanation: The command-line program for Microsoft Baseline Security Analyzer (MBSA) is mbsacli.exe. MBSA scans for missing security updates and for weak configuration of the operating system and other Microsoft components, and it needs the current update catalog (Mssecure.cab) to know what "latest available" means.
MBSA produces a report after each scan that lists the issues found and how to correct them. The deciding constraint here is the written security policy: a remote MBSA scan needs the target's Server service (file and print sharing) and Remote Registry service, and both must be disabled on the database servers, so Examsheets1 cannot scan them over the network. The scan therefore has to run locally on each database server, and because those servers have no Internet access, Examsheets1 downloads Mssecure.cab and is referenced as the offline data source. The mbsacli.exe parameter /c domainname\computername names the computer to scan; in HFNetChk mode, -i ipaddress specifies the IP address of the computer to scan and defaults to the local computer when omitted.
Incorrect Answers:
A: A scheduled remote scan from Examsheets1 would be the least effort, but it cannot succeed against servers whose Remote Registry and Server services are disabled by policy. mbsacli.exe has to run on each database server, with Examsheets1 as the data source for the hotfix information.
C: The Windows Management Instrumentation Command-line (WMIC) utility is a command-line interface to the WMI infrastructure. wmic qfe lists the updates that are installed; it has no knowledge of which updates are available, so it cannot report what is missing.
D: Hotfix.exe installs a single hotfix; it does not compare the server against the current update catalog and would have to be run once per update on every server, which does not minimize administrative effort.
Reference: Laura E. Hunter, Brian Barber, and Melissa Craft; Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Study Guide & DVD Training System, Syngress Publishing, Rockland, MA, Chapter 8, pp. 480, 481 and 489. Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 828.
Question: 145
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for Examsheets. You want to deploy smart cards for all users in the domain. You want the members of a new group named Smartcard Agents to be able to issue smart cards for all users. You create a new global group named Smartcard Agents.
You install an enterprise certification authority (CA) on a Windows Server 2003 computer named Examsheets1. You create a duplicate of the Enrollment Agent certificate template and change the validity period of the new certificate template to three years. The name of the new certificate template is Smartcard Enrollment. The configuration of permissions for the Smartcard Enrollment certificate template is shown in the exhibit. However, members of the Smartcard Agents group report that when they start the Certificate Request Wizard, they do not see Smartcard Enrollment in the list of certificate types that they can request. You want to ensure that members of the Smartcard Agents group can request Smartcard Enrollment certificates. What should you do?
A. Assign the Smartcard Agents group the Allow – Autoenroll permission for the Smartcard Enrollment certificate template.
B. Add the Enrollment Agent certificate template to the list of superseded templates on the Smartcard Enrollment certificate template.
C. Configure the enterprise CA to enable the Smartcard Enrollment certificate template.
D. Configure the enterprise CA to assign the Certificate Managers role to the Smartcard Agents group.
E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web enrollment pages to request certificates.
Answer: C
Explanation: A certificate template appears in the Certificate Request Wizard only when two conditions hold: the requesting user has Read and Enroll permission on the template, and an enterprise CA in the forest has been configured to issue that template. Duplicating a template creates a new template object in Active Directory, but no CA issues it until an administrator adds it on the CA (Certification Authority console, Certificate Templates, New, Certificate Template to Issue). The exhibit shows the template permissions, which is the first condition; the missing step is the second, and no permission change can supply it. Enabling the Smartcard Enrollment template on the enterprise CA on Examsheets1 makes it appear in the wizard for everyone who holds Read and Enroll on it.
Incorrect Answers:
A: The Autoenroll permission only allows the Group Policy autoenrollment client to obtain the certificate silently; it does not make a template appear in the manual Certificate Request Wizard. Autoenrollment is also the wrong mechanism for an enrollment agent certificate, which is a high-value credential that should be issued deliberately to a few named people. For reference, autoenrollment is configured through the Autoenrollment Settings object under Computer Configuration or User Configuration, Windows Settings, Security Settings, Public Key Policies in a GPO, and can be silent or can prompt the user, for example for a smart card PIN.
B: Superseding the original Enrollment Agent template only tells autoenrollment clients to replace certificates issued from it; it does not cause the new template to be offered.
D: The Certificate Manager role lets its holders approve and revoke certificates on the CA; it has nothing to do with which templates the CA issues or which ones a user may request.
E: Web enrollment offers the same set of templates as the wizard, namely those the CA is configured to issue and the user may enroll for. Until the template is enabled on the CA it is not offered there either.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13: 12; 18: 16. Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 892, 895-897.
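The following is an added example, not part of the original Q&A: the command-line form of answer C together with checks for the two conditions a template must meet before the Certificate Request Wizard offers it. Everything not stated in the question is assumed: the CA config string "Examsheets1\Examsheets CA", the template's common name "SmartcardEnrollment" (the template wizard proposes the display name without spaces), and that the Windows Support Tools (for dsacls) are installed on the administrator's machine.

```powershell
# Added example (not part of the original Q&A): enable the duplicated template on the enterprise CA
# and check both conditions for it to be requestable. CA name and template common name are assumed.
$caConfig   = "Examsheets1\Examsheets CA"
$template   = "SmartcardEnrollment"
$templateDn = "CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services," +
              "CN=Configuration,DC=ExamSheets,DC=net"

# Condition 1: the template exists in the Configuration partition and Smartcard Agents hold Read
# and Enroll on it. Enroll is an extended right and shows up by name in the dsacls output; an
# Autoenroll right is neither required nor wanted for an enrollment agent template.
certutil -template | Select-String -Pattern $template
dsacls $templateDn | Select-String -Pattern "Smartcard Agents"

# Condition 2: an enterprise CA must be configured to issue the template. Duplicating a template
# does not do this, so before the fix the template is missing from this list.
certutil -config $caConfig -CATemplates

# The fix (same effect as Certificate Templates > New > Certificate Template to Issue in the
# Certification Authority console). A leading "+" adds the template to the CA's list and "-"
# removes it; the other templates the CA issues are left untouched.
certutil -config $caConfig -SetCATemplates "+$template"

# Verify that the CA now lists it; the wizard on an agent's workstation offers it from here on.
certutil -config $caConfig -CATemplates | Select-String -Pattern $template
```

The ACL check is worth keeping in the runbook: an enrollment agent certificate lets its holder enroll on behalf of any user, so the template's Enroll permission should be held by the Smartcard Agents group alone, and the CA's own enrollment agent restrictions (if configured) should be reviewed at the same time.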
Question: 146
You are a network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The network contains three Windows Server 2003 domain controllers. You are creating the recovery plan for Examsheets. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller. Your recovery plan must incorporate the following organizational requirements:
• Active Directory objects that are accidentally or maliciously deleted must be recoverable.
• Active Directory must be restored to its most recent state as quickly as possible.
• Active Directory database replication must be minimized.
You need to create a plan to restore a deleted organizational unit (OU). Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two.)
A. Restart a domain controller in Directory Services Restore Mode.
B. Restart a domain controller in Safe Mode.
C. Use Ntdsutil to perform an authoritative restore operation of the entire Active Directory database.
D. Restore the system state by using the Always replace the file on my computer option.
E. Use Ntdsutil to perform an authoritative restore operation of the appropriate subtree.
Answer: A, E
Explanation: A deleted OU can be brought back from a system state backup taken before the deletion. The domain controller is restarted in Directory Services Restore Mode, a form of safe mode in which the domain controller boots without loading Active Directory, so that the database can be replaced from the backup. A plain (non-authoritative) restore is not enough: the other two domain controllers still hold the deletion, which is newer than the restored data, and normal replication would delete the OU again. Before the domain controller is restarted normally, Ntdsutil is used to mark only the restored OU's subtree as authoritative; this raises the version numbers of the objects in that subtree so the restored copies win when replication resumes. Limiting the authoritative restore to the subtree keeps every other object at its current state (second requirement) and replicates only the restored objects rather than the whole database (third requirement).
Incorrect Answers:
B: Safe Mode still loads Active Directory; restoring part of the directory requires Directory Services Restore Mode.
C: Marking the entire database authoritative would roll every object back to the state in the backup and replicate all of it, violating the requirements to restore to the most recent state and to minimize replication.
D: Always replace the file on my computer is a file-restore option; the system state restore already replaces the database, and the option does nothing about the replication conflict that would delete the OU again.
References: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53.
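The following is an added example, not part of the original Q&A: the Ntdsutil step of the plan, run on the domain controller that was started in Directory Services Restore Mode and has just had its system state restored from last night's normal backup with Ntbackup (the non-authoritative restore itself is done in the Ntbackup GUI and is not shown). The deleted OU "OU=Sales,DC=ExamSheets,DC=net" and the second domain controller name DC2 are illustrative assumptions.

```powershell
# Added example (not part of the original Q&A): authoritative restore of one OU on Windows
# Server 2003, to be run in Directory Services Restore Mode after the system state restore.
$ou = "OU=Sales,DC=ExamSheets,DC=net"   # assumed name of the deleted OU

# Mark only the restored subtree authoritative. Ntdsutil accepts its menu commands as arguments,
# so the session can be scripted; the two "quit" arguments leave the authoritative restore menu
# and then the tool. Ntdsutil raises the version numbers of every attribute in the subtree (by
# 100000 per day since the backup, by default) so the restored objects win the replication
# conflict with the deletion the other domain controllers still hold. Nothing outside the subtree
# is touched, which is what keeps replication to a minimum.
ntdsutil "authoritative restore" "restore subtree $ou" quit quit

# On Windows Server 2003 SP1 and later, Ntdsutil also writes a text file and an LDIF file (named
# ar_* in the current directory) listing the restored users' memberships in groups outside the
# subtree; the LDIF is imported with ldifde once replication has completed. Keep them.
Get-ChildItem -Path . -Filter "ar_*" | Select-Object Name, Length

# Restart normally; replication then pushes the restored OU to the other domain controllers.
shutdown /r /t 0

# After the restart, confirm on another domain controller that the OU is back and that its
# replication metadata carries the raised version numbers:
#   repadmin /showobjmeta DC2 "OU=Sales,DC=ExamSheets,DC=net"
#   dsquery user "OU=Sales,DC=ExamSheets,DC=net" -limit 0
```

Two cautions: the backup used must predate the deletion but be newer than the tombstone lifetime (60 days by default on Windows Server 2003) or the restore is refused, and the Directory Services Restore Mode password is a local administrator credential for the domain controller, so it belongs in the same custody as domain administrator credentials.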
Question: 147
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All computers on the network are members of the domain. You administer a Network Load Balancing cluster that consists of three nodes. Each node runs Windows Server 2003 and contains a single network adapter. The Network Load Balancing cluster can run only in unicast mode. The Network Load Balancing cluster has converged successfully. To increase the utilization of the cluster, you decide to move a particular application to each node of the cluster. For this application to run, you must add a Network Load Balancing port rule to the nodes of the cluster. You start Network Load Balancing Manager on the second node of the cluster. However, Network Load Balancing Manager displays a message that it cannot communicate with the other two nodes of the cluster. You want to add the port rule to the nodes of the cluster. What should you do?
A. Use Network Load Balancing Manager on the Network Load Balancing default host to add the port rule.
B. Change the host priority of the second node to be the highest in the cluster, and then use Network Load Balancing Manager to add the port rule.
C. Run the nlb.exe drain command on each node, and then use Network Load Balancing Manager to add the port rule.
D. Add the port rule through Network Connections Properties on each node.
Answer: D
Explanation: Network Load Balancing Manager is the preferred tool, but it is failing for a structural reason: in unicast mode every node replaces the MAC address of its adapter with the cluster MAC address, and with only one adapter the nodes cannot reach one another over that adapter at all. Network Load Balancing Manager running on any node therefore cannot communicate with the other nodes. The port rule can instead be added in the Network Load Balancing Properties dialog box reached through Network Connections on each node. When the Network Connections tool is used, identical changes must be made on every cluster host, because the parameters are stored in the registry of each host; mixing Network Load Balancing Manager and the Network Connections tool on the same cluster can produce unpredictable results. Changes are applied when you click OK, which stops Network Load Balancing if it is running, reloads the parameters, and restarts cluster operations.
Incorrect Answers:
A, B, C: Each of these still relies on Network Load Balancing Manager communicating with the other nodes from inside the cluster, which the unicast single-adapter configuration prevents; changing the host priority or draining connections does not change that. (Network Load Balancing Manager would work from a computer that is not a member of the cluster.)
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7: 21-25. http://support.microsoft.com/default.aspx?scid=kb;en-us;323437&Product=winsvr2003
Question: 148
You are a network administrator for Examsheets. You install an intranet application on three Windows Server 2003 computers. You configure the servers as a Network Load Balancing cluster. You configure each server with two network adapters. One network adapter provides client computers access to the servers. The second network adapter is for cluster communications. Cluster communications is on a separate network segment.
The network team wants to reduce the cluster's vulnerability to attack. These servers need to be highly available. The network team decides that the Network Load Balancing cluster needs to filter IP ports. The team wants the cluster to allow only the ports that are required for the intranet application. You need to implement filtering so that only the intranet application ports are available on the cluster. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Use Network Load Balancing Manager to configure port rules. Allow only the intranet application ports on the cluster IP address.
B. Use TCP/IP filtering on each server. Configure only the intranet application ports on the network adapter that provides client computers access to the servers.
C. Use TCP/IP filtering on each server. Configure only the intranet application ports on both of the network adapters.
D. Configure Routing and Remote Access on each server. Use Routing and Remote Access input filters to allow only the intranet application ports on the network adapter that provides client computers access to the servers.
Answer: A
Explanation: Port rules, on the Port Rules tab of the Network Load Balancing properties, define how the cluster handles traffic to the cluster IP address port by port: the filtering mode decides whether a port range is load balanced across hosts (Multiple host), handled by one host (Single host), or blocked (Disabled). A rule set that load balances only the intranet application ports and disables every other port drops all other traffic to the cluster address before it reaches the TCP/IP stack of any host, and Network Load Balancing Manager pushes the rule set to all three nodes in one operation, which is the least administrative effort. Two caveats a practitioner should keep in mind: port rules apply only to traffic addressed to the cluster IP address, so each host's dedicated IP address still needs its own protection, and every host must carry an identical rule set or the cluster will not converge.
Incorrect Answers:
B, C: TCP/IP filtering is configured per adapter on each server separately, so it has to be repeated on every node and bypasses the cluster's own mechanism. Filtering the second adapter as well (C) adds work without protecting the cluster address.
D: Routing and Remote Access input filters would also have to be configured on each server individually and require installing and managing an additional service.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 12.
Question: 149
You are a network administrator for Examsheets. The network contains four Windows Server 2003 computers configured as a four-node server cluster. Each cluster node is the preferred owner of a clustered instance of Microsoft SQL Server 2000, and each cluster node is configured as a possible owner of all other instances of SQL Server. All nodes have identically configured hardware. All four nodes operate at a sustained 70 percent CPU average. You add a server that has identically configured hardware to the cluster as a fifth node. You want each SQL Server instance to continue operating at the same level of performance in the event of a single node failure. What should you do?
A. Clear the Affect group check box in the cluster resource properties for each SQL Server instance.
B. Configure the fifth node as the only possible owner other than the existing preferred owner of the cluster resources that are associated with each SQL Server instance.
C. Configure the fifth node as the preferred owner of each cluster group that contains an SQL Server instance.
D. Enable failback on each group that contains an SQL Server instance.
Answer: B
Explanation: A server cluster keeps applications available by having another node take over a group of resources when the node that owns them fails (failover). Which node takes over is governed by the group's preferred owner list and the resources' possible owner lists. As configured today, every node is a possible owner of every instance, so when one node fails its instance lands on one of the other three nodes, each of which is already running its own instance at 70 percent CPU; two instances on one node cannot keep the same performance. The fifth node is idle, so it should be the designated standby (an N+1 configuration).
Restricting the possible owners of each SQL Server instance's resources to its preferred owner and the fifth node guarantees that a failed instance can move only to the idle node, where it has a full server to itself and continues at the same level of performance. This covers one failure at a time, which is the stated requirement; a second simultaneous failure would leave that instance with nowhere to go.
Incorrect Answers:
A: Clearing Affect the group stops a failing resource from triggering failover of its group at all, which reduces availability rather than preserving performance.
C: Making the fifth node the preferred owner of every group makes the idle node the first choice to host all four instances, so after a restart or failback they could all end up on one node; this is the opposite of spreading the load.
D: Failback only moves a group back to its preferred owner after that node returns to service; it does not control where the group goes when the node fails.
Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;296799&Product=winsvr2003 Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 2.
Question: 150
You are a network administrator for Examsheets. The network contains a Windows Server 2003 computer named Examsheets1. You install a custom mission-critical application on Examsheets1 for the shipping department. You install the application on drive D of Examsheets1. You configure the application database on drive D, and you configure the application database log files on drive E of Examsheets1. After running successfully for six days, the custom application fails. You investigate and find that drive E is almost completely filled with the application's log files. The application's backup program is not properly deleting log files. Security requirements do not allow log files to be deleted unless the database on Examsheets1 has been backed up. You can keep the application running by manually backing up the application database and then deleting the log files.
You need an automated process to keep the application running until a long-term solution can be provided. Because of the size of the database, you need to minimize the number of backups performed. What should you do?
A. Create a script that backs up the database and then deletes the log files. Configure an alert on Examsheets1 to run the script when there is less than 20 percent of free space on drive E.
B. Create a script that backs up the database and deletes the log files. Configure an event trigger on Examsheets1 to run the script when drive D has 20 percent free space.
C. Create a script that backs up the log files and then deletes the log files. Configure a scheduled task to run the script on Examsheets1 each night.
D. Create a script that backs up the database and then deletes the log files. Configure a scheduled task to run the script on Examsheets1 each night.
Answer: A
Explanation: A Performance Logs and Alerts alert watches a counter, here LogicalDisk(E:)\% Free Space, and when the configured threshold is crossed it can write an entry to the application event log, send a network message, start a performance data log, or run a program. Running the backup-then-delete script only when drive E drops below 20 percent free space backs up the database only as often as the log growth actually requires, which satisfies both the security requirement (no deletion without a preceding backup) and the requirement to minimize backups. The script must preserve that order and must delete log files only if the backup succeeded.
Incorrect Answers:
B: The log files that fill up are on drive E, not drive D, so a trigger on drive D fires for the wrong condition.
C: The security requirement is that the database be backed up before log files are deleted; backing up the log files themselves does not satisfy it.
D: A nightly backup of a large database ignores the requirement to minimize the number of backups; on most nights the logs will not yet need clearing.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 602.
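The following script is an added example, not part of the original Q&A: the program behind answer A, written to be started by a Performance Logs and Alerts alert on LogicalDisk(E:)\% Free Space below 20. Everything about the application is assumed, since the question names none of it: the backup is invoked as D:\App\backup.exe and returns exit code 0 on success, the database is D:\App\app.mdb, the logs are E:\AppLogs\*.log, and backups go to F:\Backups. The point of the example is the ordering and the gate: nothing is deleted unless a backup that started after the last log write completed successfully.

```powershell
# Added example (not part of the original Q&A): backup-gated log purge for Question 150.
# All paths and the backup command line are assumptions about the custom application.
$logDir        = "E:\AppLogs"
$backupCommand = "D:\App\backup.exe"
$backupArgs    = @("/db", "D:\App\app.mdb", "/to", "F:\Backups\app-$(Get-Date -Format yyyyMMdd-HHmm).bak")
$auditLog      = "D:\App\purge-audit.txt"

function Write-Audit([string]$message) {
    "$(Get-Date -Format s) $message" | Out-File -FilePath $auditLog -Append -Encoding ASCII
}

# Re-check the condition the alert fired on; alerts can be re-armed or started by hand, and the
# script must not back up and purge when it is not actually needed.
$drive   = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='E:'"
$pctFree = [int](100 * $drive.FreeSpace / $drive.Size)
Write-Audit "E: has $pctFree% free"
if ($pctFree -ge 20) { Write-Audit "threshold not reached; nothing to do"; exit 0 }

# Snapshot the eligible log set *before* the backup starts: log files written while the backup
# runs are not covered by this backup and must survive until the next run.
$cutoff     = Get-Date
$candidates = @(Get-ChildItem -Path $logDir -Filter *.log | Where-Object { $_.LastWriteTime -lt $cutoff })
Write-Audit "backup starting; $($candidates.Count) log files eligible for deletion"

# Back up the database. Anything but exit code 0 is a failure, and on failure every log file stays.
& $backupCommand @backupArgs
if ($LASTEXITCODE -ne 0) {
    Write-Audit "backup FAILED with exit code $LASTEXITCODE; no log files deleted"
    exit 1
}
Write-Audit "backup succeeded"

# Only now delete, and only the files that existed before the backup began.
foreach ($file in $candidates) {
    Remove-Item -Path $file.FullName -Force
    Write-Audit "deleted $($file.FullName)"
}
exit 0
```

When the alert is created, set its Run As account to one that has read access to drive D, write access to the log and backup locations, and nothing more; the audit file gives the reviewer of the "no deletion without backup" requirement something to check against the backup set.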
Question: 151
You are the network administrator for Examsheets. Examsheets has a main office in San Francisco and branch offices in London and Vancouver. The network consists of a single Active Directory domain ExamSheets.net. The network contains four Windows Server 2003 domain controllers. There are two domain controllers in the main office and one in each branch office. The domain controllers are DNS servers. Network services are monitored centrally from the main office. You review the DNS server event logs remotely from the main office during the monthly maintenance routine. During the monthly maintenance, you find out that some of the DNS event history is missing. You need to ensure that all DNS event history is retained until you manually clear it. How should you modify each domain controller?
A. Use DNS Manager to select the All Events option on the Event Logging tab in the DNS Server properties.
B. Use DNS Manager to select the Do not overwrite events option on the General tab in the DNS Events properties.
C. Use Event Viewer to set the Maximum log size to 512 KB in the DNS Server properties.
D. Use Event Viewer to select the Do not overwrite events option in the Application properties.
Answer: B
Explanation: The DNS Server service on Windows Server 2003 writes its events to its own DNS Server event log, not to the Application log. With the default retention setting, Overwrite events as needed, the oldest entries are discarded as soon as the log reaches its maximum size, which is why a month of history is incomplete by the time it is reviewed. DNS Manager exposes this log under the server's Event Viewer node as DNS Events; on the General tab of its properties, selecting Do not overwrite events (clear log manually) keeps every event until an administrator clears the log. The same setting can be made in Event Viewer on the DNS Server log, but that is not one of the options. The trade-off to plan for: once the log is full, new events are dropped until it is cleared, so the maximum log size should be raised at the same time and the monthly routine should archive and then clear the log.
Incorrect Answers:
A: The Event Logging tab controls which events the DNS Server service records (no events, errors only, errors and warnings, or all events); it does not stop recorded events from being overwritten.
C: Setting a maximum size of 512 KB only fixes how large the log may grow; with the default retention setting, old events are still overwritten once that size is reached.
D: DNS events are not written to the Application log, so its retention setting has no effect on DNS event history.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied, Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training System, Syngress Publishing, Rockland, 2004, p. 767. Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc., Alameda, 2003, pp. 1477-1478. Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, pp. 12-5, 12-34.
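The following is an added example, not part of the original Q&A: it applies the retention setting from answer B to the DNS Server log on all four domain controllers from the main office and reads it back, instead of visiting each console. Limit-EventLog, Get-EventLog and Clear-EventLog are PowerShell 2.0 cmdlets, so the assumption is a management workstation with PowerShell 2.0; they reach the remote event log service over RPC, so the domain controller names must resolve and the caller needs administrative rights on each one. The domain controller names are illustrative.

```powershell
# Added example (not part of the original Q&A): set and verify "Do not overwrite events" on the
# DNS Server log of every domain controller. DC names are assumptions.
$domainControllers = @("SF-DC1", "SF-DC2", "LON-DC1", "VAN-DC1")
$logName           = "DNS Server"
$maxBytes          = 16MB     # raise the cap at the same time: DoNotOverwrite drops new events once full

foreach ($dc in $domainControllers) {
    # OverflowAction is the "When maximum log size is reached" setting; the other two values are
    # OverwriteAsNeeded (the default that loses history) and OverwriteOlder (by age in days).
    # MaximumSize must be a multiple of 64 KB.
    Limit-EventLog -ComputerName $dc -LogName $logName -OverflowAction DoNotOverwrite -MaximumSize $maxBytes

    # Read the setting back and report how close each log is to its cap, because with
    # DoNotOverwrite a full log means silent loss of everything that follows.
    $log = Get-EventLog -ComputerName $dc -List | Where-Object { $_.Log -eq $logName }
    "{0,-8} {1,-18} max {2,6} KB  entries {3,6}" -f $dc, $log.OverflowAction, $log.MaximumKilobytes, $log.Entries.Count
}

# Monthly routine, after the events have been reviewed and the log saved from Event Viewer
# (Save Log File As), so that the retained history ends up in an archive rather than in a
# full log that has stopped recording:
#   Clear-EventLog -ComputerName $dc -LogName $logName
```

If the read-back line still shows OverwriteAsNeeded for a domain controller, the change did not apply (usually permissions or RPC blocked by a branch firewall), which is exactly the case where a manual console visit would have been assumed to have worked.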
Question: 152
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network consists of three physical subnets, which correspond to the three buildings on the Examsheets campus, as shown in the Network Diagram exhibit. All servers have manually configured IP addresses. All client computers receive their TCP/IP configuration information from a DHCP server located on the Building1 subnet. The DHCP server has one scope configured for each subnet. Users on the Building2 subnet and the Building3 subnet report that they periodically cannot connect to network resources located on any subnet.
You discover that during times of high network usage, client computers in Building2 and Building3 are configured as shown in the Network Connection Details exhibit. You need to ensure that all client computers receive valid IP addresses for their subnet even during times of high network usage. What should you do?
A. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each DHCP server, configure identical scopes for each subnet.
B. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each DHCP server, configure a single subnet-specific scope.
C. Configure one DHCP relay agent on the Building2 subnet and one on the Building3 subnet to forward DHCP requests to the Building1 subnet DHCP server.
D. Configure an administrative template in the Default Domain Policy Group Policy object (GPO) to disable Automatic Private IP Addressing (APIPA) on the client computers.
Answer: B
Explanation:
DHCP is a service that, when installed and configured correctly, will take a massive administration burden off any network administrator or engineer. DHCP works with the assignment of IP addresses on your network. In other words, when you want your network clients to communicate with any device on the network, they need to speak the same protocol and be assigned a unique logical address. This address (called an IP address) allows for this. A scope is the pool of Internet Protocol (IP) addresses on a given subnet that a Dynamic Host Configuration Protocol (DHCP) server is configured to assign to clients when using the automatic or dynamic allocation method.
A subnet is a group of computers on a Transmission Control Protocol/Internet Protocol (TCP/IP) network that share a common network identifier. In some cases, a TCP/IP network is divided into multiple subnets by modifying the subnet mask and designating some of the host identifier bits as subnet identifier bits.
Incorrect Answers:
A: Configuring identical scopes on two separate networks will create a network address conflict.
C: DHCP relay agents are used when the router cannot pass DHCP requests; however, the problem in this case only occurs during times of high network usage. A DHCP relay agent won't resolve this problem.
D: APIPA is used automatically when the DHCP client cannot locate the DHCP server. If we disable APIPA on all client computers, we would need to configure each computer with an alternative IP configuration.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Question: 153
You are the network administrator for Examsheets. Examsheets has an internal network and a perimeter network, as shown in the work area. The internal network consists of a single Active Directory domain ExamSheets.net. The internal network contains a Windows Server 2003 domain controller named DC1, which runs the DNS Server service. The internal network also contains a Windows Server 2003 file server named Examsheets1, which runs the DHCP Server service. The network contains 500 Windows XP Professional computers. The perimeter network contains a public Web server named WebES1. The internal network is connected to the perimeter network by a firewall. The perimeter network is connected to the Internet. You need to plan an IP address strategy.
The IP address strategy must provide TCP/IP connectivity from the internal network to WebES1. Examsheets wants to reduce administrative overhead by automatically assigning IP addresses whenever possible. You need to choose the appropriate IP addressing distribution method for the computers on the networks. To answer, drag the appropriate IP addressing distribution method or methods to the correct computer or computers in the work area.
Answer:
Explanation:
Static and dynamic routing both provide the same level of router performance. The drawbacks of static routing are the amount of manual maintenance the process requires and the routers' inability to compensate for changes in the network configuration. Dynamic routing enables routers to compensate for a failed router or WAN link, but it can generate a considerable amount of additional network traffic. Thus, to comply with the requirements of providing TCP/IP connectivity from the internal network to WebES1 while still reducing administrative overhead, the above configuration is the solution.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5: 12-13
Question: 154
You are a network administrator for Examsheets. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a single DHCP server that services two subnets named SubnetES1 and SubnetES2, as shown in the work area.
All servers and the administrator client computer have manually assigned IP addresses. All other client computers are DHCP clients. The router on your network fails and is replaced by another router. After the router is replaced, client computers on SubnetES2 cannot receive IP addressing from the DHCP server. You need to configure an appropriate host to be a DHCP relay agent. Which component should you use? To answer, select the appropriate component in the work area.
Answer: Select the print server
Explanation:
DHCP relay agents intercept DHCP Discover packets and forward them to a remote DHCP server whose address has been preconfigured. Although DHCP Relay Agent is configured through Routing And Remote Access, the computer hosting the agent does not need to be functioning as an actual router between subnets.
Reference:
J. C. Mackin, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 9
Question: 155
You are the network administrator for ExamSheets.net. The network contains Windows Server 2003 computers and Windows XP Professional computers. Examsheets deploys two DNS servers. Both DNS servers run Windows Server 2003. One DNS server is inside the corporate firewall, and the other DNS server is outside the firewall. The external DNS server provides name resolution for the external Internet name of Examsheets on the Internet, and it is configured with root hints.
The internal DNS server hosts the DNS zones related to the internal network configuration, and it is not configured with root hints. You want to limit the exposure of the client computers to DNS-related attacks from the Internet, without limiting their access to Internet-based sites. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Configure the client computers to use only the internal DNS server.
B. Configure the client computers to use both DNS servers. List the internal DNS server first.
C. Configure the firewall to allow only network traffic on the DNS ports.
D. On the internal DNS server, disable recursion.
E. On the internal DNS server, configure the external DNS server as a forwarder.
F. On the internal DNS server, add the external DNS server as the only root hint.
Answer: A, E
Explanation:
Install one server on your perimeter network, for Internet name resolution, and another on your internal network, to host your private namespace and provide internal name resolution services. Then configure the internal DNS server to forward all Internet name resolution requests to the external DNS server. This way, no computers on the Internet communicate directly with your internal DNS server, making it less vulnerable to all kinds of attacks.
Incorrect Answers:
B: The internal DNS server is not configured with root hints, so it will not be able to resolve names outside its domain.
C: Clearly this is incorrect, as it will not limit the exposure of the client computers to DNS-related attacks from the Internet.
D: If disable recursion is enabled, the internal DNS server still needs root hints for referrals.
F: The root hints are a DNS server's list of root name server addresses, which it uses to resolve names outside its domain. In this way DNS can resolve Internet queries, but it's not a best practice because it can give negative answers to the domain.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 4
Question: 156
You are the network administrator for ExamSheets.net. The network contains 10 Web servers that run Windows Server 2003, Web Edition. The Web servers are located in an organizational unit (OU) named Web_Servers. A security analysis of the Web servers reveals that they all contain several security settings that are critical vulnerabilities. You need to modify the security settings on the Web servers as quickly as possible while minimizing the performance impact on the servers. You want the new settings to be periodically enforced without administrative intervention. What should you do?
A. Create a Group Policy object (GPO) and link it to the Web_Servers OU. Configure the appropriate security settings in the GPO. On each server, run the secedit /refreshpolicy machine_policy command.
B. Create a Group Policy object (GPO) and link it to the Web_Servers OU. Configure the appropriate security settings in the GPO. On each server, run the gpupdate /target:computer command.
C. Configure a security template that contains the appropriate security settings and name it Websec.inf. On each server, run the secedit /configure /db secedit.sdb /cfg websec.inf command.
D. Configure a security template that contains the appropriate security settings and name it Websec.inf. On each server, run the secedit /import /db secedit.sdb /cfg websec.inf command.
Answer: B
Explanation:
/target:computer allows you to specify that only Computer policy settings should be refreshed. By default, both User and Computer policy settings are refreshed.
Incorrect Answers:
A: secedit /refreshpolicy machine_policy is a command available on Windows 2000 servers, but it is replaced by gpupdate in Windows Server 2003.
C: secedit /configure configures local security policy settings by applying the stored database settings.
D: secedit /import imports a security template into the named database.
Reference:
Laura E. Hunter, Brian Barber, Melissa Craft, Norris L. Johnson, Jr., and Tony Piltzecker, Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 7, p. 376
Question: 157
You are the network administrator for Examsheets. All servers run Windows Server 2003. You configure a baseline security template Baseline.inf. Several operations groups are responsible for creating templates containing settings that satisfy operational requirements. You receive the templates shown in the following table.

Operations group   Template name        Applies to
File and Print     ExamsheetsFile.inf   File servers
Database           ExamsheetsDB.inf     Database servers
Security           ExamsheetsSec.inf    All resource servers

The operations groups agree that in the case of conflicting settings, the priority order listed in the following table establishes the resultant setting.

Template                        Priority
ExamsheetsSec.inf               1
Baseline.inf                    2
Specific server role template   3

You need to create one or more Group Policy objects (GPOs) to implement the security settings. You want to minimize the amount of administrative effort required when changes are requested by the various operations groups. What should you do?
A. Create a GPO and import the following templates in the following order: Baseline.inf, ExamsheetsSec.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.
B. Create a GPO and import the following templates in the following order: ExamsheetsSec.inf, Baseline.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.
C. Create a GPO for each server role and import the following templates in the following order: Baseline.inf, specific server role template, ExamsheetsSec.inf.
D. Create a GPO and import the following templates in the following order: ExamsheetsSec.inf, ExamsheetsDB.inf, ExamsheetsFile.inf, Baseline.inf.
Answer: A
Explanation:
Windows Server 2003 processes GPOs from the bottom of the list to the top of the list, with the topmost GPO having the final authority. Because policies contained in GPOs will, by default, overwrite policies applied previously, we would need to import Baseline.inf before the ExamsheetsSec.inf template.
Incorrect Answers:
B: Because policies contained in GPOs will, by default, overwrite policies applied previously, we would need to import Baseline.inf before the ExamsheetsSec.inf template.
C, D: Because we need to import templates specific to each of two server roles, we need a separate GPO for each server role.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Chapter 5
Question: 158
You are a network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The network contains Web servers that run Windows Server 2003. You use Sysprep to create a baseline image for Web servers. You instruct a technician to install Windows Server 2003 on 20 new Web servers by using the baseline image. A new service pack is subsequently released.
You need to install the new service pack on all Web servers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Copy the service pack installation files to a shared folder. Install the service pack on each Web server from the shared folder.
B. Create an organizational unit (OU) named Web Servers. Create a Group Policy object (GPO) to assign the service pack package to users. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.
C. Create an organizational unit (OU) named Web Servers. Create a Group Policy object (GPO) to assign the service pack package to computers. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.
D. Create a Cmdlines.txt file for use with the baseline Sysprep image in order to run the service pack package.
Answer: C
Explanation:
A service pack is a software update package provided by Microsoft for one of its products. A service pack contains a collection of fixes and enhancements packaged into a single self-installing archive file. To distribute a service pack, create a shared folder and either extract the service pack to that folder or copy the contents of the service pack CD to the folder. Then, using the Active Directory Users And Computers snap-in, create or select an existing GPO. Click Edit and the Group Policy Object Editor console appears, focused on the selected GPO. Expand the Computer Configuration\Software Settings node. Right-click Software Installation and choose New, then Package. Enter the path to the service pack's Update.msi file. Be certain to use a UNC format (for example, \\Server\Share) and not a local volume path, such as Drive:\Path. In the Deploy Software dialog box, select Assigned.
Close the Group Policy Object Editor console. Computers within the scope of the GPO (in the site, domain, or OU branch to which the policy is linked) automatically deploy the service pack at the next startup. You can create a baseline security configuration in a GPO directly, or import a security template into a GPO. Link the baseline security GPO to OUs in which member servers' computer objects exist.
Incorrect Answers:
A: Installing the service pack on each server would require a lot of administrative effort.
B: Service packs must be applied to the computers, not the users.
D: Service packs can be applied without running the Sysprep image.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Glossary
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, Chapter 9
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 9
Question: 159
You are a network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The network contains 80 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed. Examsheets is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers. You are planning a baseline security configuration for the Web servers. The Examsheets written security policy states that all unnecessary services must be disabled on servers.
Testing shows that the server upgrade process leaves the following unnecessary services enabled:
• SMTP
• Telnet
Your plan for the baseline security configuration for Web servers must comply with the written security policy. You need to ensure that unnecessary services are always disabled on the Web servers. What should you do?
A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU.
B. Create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Web Servers OU.
C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU.
D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU.
Answer: C
Explanation:
Windows Server 2003 installs a great many services with the operating system, and configures quite a few with the Automatic startup type, so that these services load automatically when the system starts. Many of these services are not needed in a typical member server configuration, and it is a good idea to disable the ones that the computer doesn't need. Services are programs that run continuously in the background, waiting for another application to call on them. Instead of controlling the services manually, using the Services console, you can configure service parameters as part of a GPO. Applying the GPO to a container object causes the services on all the computers in that container to be reconfigured.
To configure service parameters in the Group Policy Object Editor console, you browse to the Computer Configuration\Windows Settings\Security Settings\System Services container and select the policies corresponding to the services you want to control.
Incorrect Answers:
A: The logon script would only run when someone logs on to the Web servers. It's likely that the Web servers will be running with no one logged on.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A Group Policy is refreshed at regular intervals.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13:1-6
Question: 160
You are the network administrator for Examsheets. The network consists of a single Active Directory domain ExamSheets.net. The network contains two Windows Server 2003 domain controllers, two Windows 2000 Server domain controllers, and two Windows NT Server 4.0 domain controllers. All file servers for the finance department are located in an organizational unit (OU) named Finance Servers. All file servers for the payroll department are located in an OU named Payroll Servers. The Payroll Servers OU is a child OU of the Finance Servers OU. The Examsheets written security policy for the finance department states that departmental servers must have security settings that are enhanced from the default settings. The written security policy for the payroll department states that departmental servers must have security settings enhanced from the default settings, and auditing must be enabled for file or folder deletion. You need to plan the security policy settings for the finance and payroll departments. What should you do?
A. Create a Group Policy object (GPO) to apply the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.
B. computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.
C. Create a Group Policy object (GPO) to apply the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to apply the Hisecws.inf security template to computer objects, and link it to the Payroll Servers OU.
D. computer objects, and link it to the Finance Servers and to the Payroll Servers OUs. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.
Answer: B
Explanation:
The Securews.inf template contains policy settings that increase the security on a workstation or member server to a level that remains compatible with most functions and applications. The template includes many of the same account and local policy settings as Securedc.inf, and implements digitally signed communications and greater anonymous user restrictions. Audit Object Access: a user accesses an operating system element such as a file, folder, or registry key. To audit elements like these, you must enable this policy and you must enable auditing on the resource that you want to monitor.
For example, to audit user accesses of a particular file or folder, you display its Properties dialog box with the Security tab active, navigate to the Auditing tab in the Advanced Security Settings dialog box for that file or folder, and then add the users or groups whose access to that file or folder you want to audit.
Incorrect Answers:
A, C: The Compatws.inf security template is designed for Windows NT compatible applications that require lower security settings in order to run. These settings are lower than the default settings.
D: The Payroll Servers OU is a child OU of the Finance Servers OU. GPO settings applied to parent OUs are inherited by child OUs; therefore we don't need to link the GPO to both the Finance Servers OU and the Payroll Servers OU.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapters 9 and 10
Question: 161
You are the network administrator for ExamSheets. The network consists of a single Active Directory domain Examsheets.net. ExamSheets has an internal network and a perimeter network. The internal network is protected by a firewall. Application servers on the perimeter network are accessible from the Internet. You are deploying 10 Windows Server 2003 computers in application server roles. The servers will be located in the perimeter network and will not be members of the domain. The servers will host only publicly available Web pages. The network design requires that custom security settings must be applied to the application servers. These custom security settings must be automatically refreshed every day to ensure compliance with the design. You create a custom security template named Baseline1.inf for the application servers. You need to comply with the design requirements. What should you do?
A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO).
B. Create a task on each application server that runs Security and Configuration Analysis with Baseline1.inf every day.
C. Create a task on each application server that runs the secedit command with Baseline1.inf every day.
D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the secedit command with Baseline1.inf.
Answer: C
Explanation:
Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in scripts and batch files to automate security template deployments.
Incorrect Answers:
A, D: The Default Domain Policy Group Policy object (GPO) is applied to the domain controllers. We need to configure the application servers, not the domain controllers.
B: Security and Configuration Analysis analyzes the security settings. It doesn't apply them.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 10
Question: 162
ExamSheet is a network administrator for ExamSheets. The network consists of a single Active Directory domain Examsheets.net. The network contains 12 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging.
Application servers must also be protected against man-in-the-middle attacks during authentication. ExamSheet needs to deploy and refresh the custom security settings on a routine basis. She also needs to be able to verify the custom security settings during audits. What actions should ExamSheet take?
A. She should create a custom security template and apply it by using Group Policy.
B. She should create a custom IPSec policy and assign it by using Group Policy.
C. She should create and apply a custom Administrative Template.
D. She should create a custom application server image and deploy it by using RIS.
Answer: A
Explanation:
A security template is a physical file representation of a security configuration that can be applied to a local computer or imported to a Group Policy object (GPO) in Active Directory. When you import a security template to a GPO, Group Policy processes the template and makes the corresponding changes to the members of that GPO, which can be users or computers. A Group Policy object (GPO) is a collection of configuration parameters that you can use to create a secure baseline installation for a computer running Windows Server 2003. To deploy a GPO, you associate it with an Active Directory container, and all the objects in the container inherit the GPO configuration settings. Audit and Event Log policies enable you to specify what information a computer logs, how much information the computer retains in logs, and how the computer behaves when logs are full. Windows Server 2003 loads many services by default that a member server usually doesn't need. You can use a GPO to specify the startup type for each service on a computer. GPOs include a great many security options that you can use to configure specific behaviours of a computer running Windows Server 2003.
Incorrect Answers:
B: IPSec is used to secure network traffic, not application servers.
C: Administrative templates are used to provide settings required to allow for the performance of administrative tasks. Security templates are used to provide security settings, such as minimum password lengths.
D: Custom application server images deployed through RIS are used to automate the installation of operating systems with applications pre-installed. They are not used to apply security settings.
Reference:
J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Glossary
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 9
Question: 163
You are the network administrator for Examsheets.net. The network consists of a single Active Directory domain named Examsheets.net. The functional level of the domain is Windows Server 2003. The domain contains an organizational unit (OU) named Servers that contains all of ExamSheets's Windows Server 2003 resource servers. The domain also contains an OU named Workstations that contains all of ExamSheets's Windows XP Professional client computers. You configure a baseline security template for resource servers named Server.inf and a baseline security template for client computers named Workstation.inf. The Server.inf template contains hundreds of settings, including file and registry permission settings that have inheritance propagation enabled. The Workstation.inf template contains 20 security settings, none of which contain file or registry permission settings.
The resource servers operate at near capacity during business hours. You need to apply the baseline security templates so that the settings will be periodically enforced. You need to accomplish this task by using the minimum amount of administrative effort and while minimizing the performance impact on the resource servers. What should you do?

A. Create a Group Policy object (GPO) and link it to the domain. Import both the Server.inf and the Workstation.inf templates into the GPO.
B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy Group Policy object (GPO).
C. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Create a Group Policy object (GPO) and link it to the Workstations OU. Import the Workstation.inf template into the GPO.
D. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO).

Answer: C

Explanation:
The question states that you need to apply the baseline security templates so that the settings will be periodically enforced. To accomplish this you must create a scheduled task so that the performance impact on resource servers is minimized. The question also states that Workstation.inf is a baseline security template for client computers. Therefore, the GPO has to be linked to the OU that contains the client computers, and the Workstation.inf template must be imported into that GPO so that it can be applied.
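As an added example (not part of the exam guide, and not Microsoft's own code), the following script is the kind of scheduled-task wrapper that options C and D describe: it calls secedit.exe either to re-apply a template off-peak or, in analysis mode, to compare the live settings with the template and raise an event when they differ, which is also what question 173 later asks for. The template path C:\Baselines\Server.inf, the working folder C:\Baselines\Work and the script name used in the usage note are assumptions; the drift report relies on secedit writing "Mismatch - <setting>" lines to its analysis log.

```powershell
# Added example: run secedit.exe from Task Scheduler to enforce a baseline (question 163)
# or to report drift from it (question 173). Paths below are assumptions, not from the guide.
param(
    [ValidateSet('Configure', 'Analyze')]
    [string]$Mode = 'Analyze',
    [string]$Template = 'C:\Baselines\Server.inf',   # assumed: Server.inf or App.inf from the questions
    [string]$WorkDir  = 'C:\Baselines\Work'          # assumed: holds the .sdb database and the logs
)

function Invoke-BaselineTemplate {
    param([string]$Mode, [string]$Template, [string]$WorkDir)

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $db  = Join-Path $WorkDir 'baseline.sdb'
    $log = Join-Path $WorkDir ('secedit-{0}-{1}.log' -f $Mode.ToLower(), (Get-Date -Format 'yyyyMMdd-HHmm'))

    # /overwrite starts from an empty database so nothing from an earlier run is merged in;
    # /quiet suppresses prompts, which matters when nobody is logged on to answer them.
    if ($Mode -eq 'Configure') {
        # Applies every area of the template: this is the off-peak enforcement step.
        & secedit.exe /configure /db $db /cfg $Template /overwrite /log $log /quiet
    } else {
        # Only compares the system with the template; nothing on the system is changed.
        & secedit.exe /analyze /db $db /cfg $Template /overwrite /log $log /quiet
    }
    if ($LASTEXITCODE -ne 0) {
        throw "secedit /$($Mode.ToLower()) failed with exit code $LASTEXITCODE; see $log"
    }

    # In analysis mode secedit writes one "Mismatch - <setting>" line per setting that differs
    # from the template ("Not Configured - <setting>" when the system has no value at all).
    # Collect those lines so the task can report them.
    $drift = @()
    if ($Mode -eq 'Analyze') {
        $drift = @(Get-Content $log |
            Where-Object { $_ -match '^\s*(Mismatch|Not Configured)\s*-' } |
            ForEach-Object { $_.Trim() })
    }
    New-Object PSObject -Property @{ Mode = $Mode; Log = $log; Drift = $drift }
}

$result = Invoke-BaselineTemplate -Mode $Mode -Template $Template -WorkDir $WorkDir

# Turn drift into something that is actually watched: an Application log event that a
# monitoring system or an event filter can pick up (eventcreate.exe ships with the OS).
if ($result.Drift.Count -gt 0) {
    $summary = '{0} setting(s) differ from {1}: {2}' -f $result.Drift.Count, $Template, ($result.Drift -join '; ')
    # eventcreate accepts only a short description; keep the full list in the log file.
    if ($summary.Length -gt 250) { $summary = $summary.Substring(0, 247) + '...' }
    eventcreate.exe /L APPLICATION /T WARNING /SO BaselineAudit /ID 100 /D $summary | Out-Null
}
```

Saved as C:\Baselines\Baseline.ps1 (an assumed name), the weekly off-peak enforcement from option C is registered with `schtasks /create /tn "Baseline enforce" /sc WEEKLY /d SUN /st 02:00 /ru SYSTEM /tr "powershell.exe -NoProfile -File C:\Baselines\Baseline.ps1 -Mode Configure"`, and the 24-hour drift report from question 173 with `/sc DAILY` and `-Mode Analyze -Template C:\Baselines\App.inf`. Running as SYSTEM matters because the security database and the log directory must be writable without a user session.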
Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in scripts and batch files to automate security template deployments. You can create a baseline security configuration in a GPO directly, or import a security template into a GPO. Link the baseline security GPO to OUs in which member servers’ computer objects exist.

Incorrect Answers:
A: GPOs process security templates from the bottom up; therefore, by importing both the Server.inf and the Workstation.inf templates into a single GPO, we would ensure that the settings in the security template imported last are applied in cases where there are conflicting settings. If we apply this to the domain, then all computers would have the same settings.
B, D: The Default Domain Policy Group Policy object (GPO) is applied only to the Domain Controllers group.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 10.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 9.

Question: 164
You are the network administrator for Examsheets.net. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The human resources department has servers that contain confidential information stored in files.
The client computers in the human resources department access the confidential information over the LAN. The network design requires that any access to the human resources department servers must be encrypted to protect the confidentiality of the data transmissions. You need to automatically enforce the network design requirement at regular intervals. What should you do?

A. Assign the Secure Server (Require Security) IPSec policy to the human resources department servers by using Group Policy.
B. Assign the Secure Server (Require Security) IPSec policy to the human resources department servers by using local policy.
C. Apply the Hisecws.inf security template to the human resources department servers by using Group Policy.
D. Apply the Hisecws.inf security template to the human resources department servers by using the secedit command.

Answer: A

Explanation:
Secure Server (Require Security) configures the computer to require IPSec security for all communications. If the computer attempts to communicate with a computer that does not support IPSec, the initiating computer terminates the connection. The Secure Server (Require Security) policy is intended for computers working with sensitive data that must be secured at all times. Before implementing this policy, you must make sure all the computers that need to access the secured server support IPSec. When security settings are imported to a GPO in Active Directory, they affect the local security settings of any computer accounts to which that GPO is applied.

Incorrect Answers:
B: Network design dictates that any access to the human resources department servers must be encrypted, but using local policy only affects an individual computer.
C, D: The question asks for encryption, not authentication.
Reference:
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 11.

Question: 165
You are the network administrator for Examsheets.net. The network consists of a single Active Directory domain named Examsheets.net. ExamSheets has a main office and five branch offices. The branch offices are connected to the main office by a WAN connection. All servers run Windows Server 2003. All client computers run Windows XP Professional. The audit department has users in the main office and in all branch offices. The audit department users share files on an audit department secured server at the main office. The files must be kept confidential. The audit department is concerned that files will be captured while they are transmitted between the audit department server and the client computers. The audit department server is configured to protect the confidentiality of network transmissions. You need to configure the audit department client computers to further ensure the confidentiality of network transmissions. You need to ensure that the configuration of the client computers is periodically enforced. What should you do?

A. Use a Group Policy object (GPO) to assign the Client (Respond Only) IPSec policy to the client computers.
B. Run the secedit command with the Hisecws.inf predefined security template on the client computers.
C. Use a Group Policy object (GPO) to configure Server Message Block (SMB) signing on the client computers.
D. Run the secedit command with the Rootsec.inf predefined security template on the client computers.

Answer: C

Explanation:
Server Message Block (SMB) is an application-layer protocol that allows a client to access files and printers on remote servers.
Clients and servers that are configured to support SMB can communicate using SMB over transport- and network-layer protocols, including Transmission Control Protocol/Internet Protocol (TCP/IP). By using a GPO, you are ensuring that the configuration of the client computers is periodically enforced.

Incorrect Answers:
A: This configures the computer to use IPSec only when another computer requests IPSec. The computer using this policy never initiates an IPSec negotiation; it only responds to requests from other computers for secured communications.
B, D: This does not ensure that the configuration of the client computers is periodically enforced.

Reference:
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, Glossary.
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 3

Question: 166
You are the security analyst for Examsheets.net. The network consists of ExamSheets’s intranet and a perimeter network. The networks are separated by a firewall. ExamSheets’s intranet consists of a single Active Directory domain named corp.Examsheets.net. The perimeter network consists of a DNS domain named Examsheets.net. The perimeter network contains publicly accessible Web servers. The intranet contains a Windows Server 2003 DNS server named ExamSheets1. ExamSheets1 hosts an Active Directory-integrated primary zone for the corp.Examsheets.net domain. ExamSheets1 also hosts a secondary zone that is not integrated with Active Directory for the Examsheets.net domain. The perimeter network contains a Windows Server 2003 DNS server named ExamSheets2.
ExamSheets2 is authoritative for the Examsheets.net DNS domain, which contains the resource records for the publicly accessible servers. ExamSheets1 is configured to forward requests to ExamSheets2. ExamSheets2 is configured with root hints. ExamSheets’s written DNS security policy includes the following requirements:
• The internal DNS namespace must never be accessible by external users or computers.
• External users must not be able to retrieve zone information from either DNS server.
You need to plan a DNS security solution that meets the DNS security policy requirements. Your solution must not adversely affect required or allowed name resolution functions in the network. What should you do?

A. On ExamSheets2, allow zone transfers to only servers listed in the Name Servers list. Disable recursion on ExamSheets1.
B. On ExamSheets2, allow zone transfers to only servers listed by IP address. On ExamSheets1, do not allow zone transfers.
C. On ExamSheets1, allow zone transfers to only servers listed in the Name Servers list. Disable recursion on ExamSheets2.
D. On ExamSheets1, allow zone transfers to only servers listed by IP address. On ExamSheets2, do not allow zone transfers.

Answer: A

Explanation:
Zone transfer data can be protected by specifying the IP addresses of the DNS servers that you allow to participate in zone transfers. If you do not do this, a potential intruder can simply install a DNS server, create a secondary zone, and request a zone transfer from your primary zone. The intruder then has a complete copy of your zone and all the information in it. To limit zone transfers on a Windows Server 2003 DNS server, you open the DNS console, display the Properties dialog box for a primary zone and then click the Zone Transfers tab to display the dialog box shown in Figure 4-15. Select the Allow Zone Transfers check box and then choose either the Only To Servers Listed On The Name Servers Tab or the Only To The Following Servers option button.
You can then specify the IP addresses of the DNS servers that contain your secondary zones, in either the IP Address text box or the Name Servers tab. When the Disable Recursion option is enabled, however, the DNS Server service does not answer the query for the client but instead provides the client with referrals, which are resource records that allow a DNS client to perform iterative queries to resolve an FQDN. This option might be appropriate, for example, when clients need to resolve Internet names but the local DNS server contains resource records only for the private namespace.

Incorrect Answers:
B: For a secondary DNS server to operate, it has to copy the information in the primary DNS server’s zone files to its own zone files to ensure that its database of names and IP addresses is up-to-date.
C: This is incorrect because ExamSheets2 contains the resource records for the publicly accessible servers.
D:

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 4.

Question: 167
You are the network administrator for Examsheets.net. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a Windows Server 2003 computer named ExamSheets1 that is not a member of the domain and a Windows Server 2003 member server named ExamSheets2. You need to implement a public key infrastructure (PKI) for the network. You configure ExamSheets1 as a root certification authority (CA). You intend to disconnect ExamSheets1 from the network.
You configure ExamSheets2 as a subordinate CA, and you leave ExamSheets2 connected to the network. You need to configure ExamSheets1 to support updates to the certificate revocation list (CRL) and to support certificate chain verification on the network while it is offline. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. On ExamSheets1, use the Certification Authority snap-in to configure the CRL Distribution Point (CDP) setting to point to a shared folder. Regularly copy the CRL from ExamSheets1 to the shared folder.
B. On ExamSheets1, use the Certification Authority snap-in to configure the CRL Distribution Point (CDP) setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.
C. On ExamSheets1, use the Certification Authority snap-in to configure the Authority Information Access (AIA) setting to point to a shared folder. Regularly copy the AIA from ExamSheets1 to the shared folder.
D. On ExamSheets1, use the Certification Authority snap-in to configure the Authority Information Access (AIA) setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.
E. Configure the Default Domain Policy Group Policy object (GPO) to enable the Enroll Certificates automatically setting and then select the Remove expired certificates, update pending certificates and remove revoked certificates option.
F. Configure all certificate templates on ExamSheets2 to be published in Active Directory.

Answer: B, D

Explanation:
Most CA configuration after installation is done through the Certification Authority snap-in. This snap-in can be used to install and manage certification services. CRL Distribution Points or CDPs are locations on the network to which a CA publishes the CRL. In the case of an enterprise CA under Windows Server 2003, Active Directory holds the CRL; for a standalone CA, the CRL is located in the certsrv\certenroll directory.
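As an added example (not from the exam guide, and not Microsoft's own code), the script below shows the checks an operator runs with certutil.exe when maintaining an offline root such as ExamSheets1: read back where the CA publishes its CRL and certificate (the CDP and AIA settings the question is about), issue a fresh CRL into CertEnroll, confirm its NextUpdate is still in the future, and, on a networked machine, verify that the subordinate CA's certificate chains and that every CDP/AIA location in it can be fetched. The file name C:\PKI\ExamSheets2-SubCA.crt is an assumption; the registry value names are the ones certutil -getreg exposes for a CA.

```powershell
# Added example: offline-root CA maintenance checks with certutil.exe. Run steps 1-3 on the
# root while it is powered on; run step 4 on a networked machine. Paths are assumptions.
$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

function Get-CrlNextUpdate {
    # Reads the NextUpdate field from "certutil -dump <crl>". After that date a client that
    # cannot fetch a fresher CRL treats the chain as unverifiable, so this date decides when the
    # offline root has to be powered on again to publish.
    param([string]$CrlPath)
    $line = certutil.exe -dump $CrlPath |
        Where-Object { $_ -match '^\s*NextUpdate:\s*\S' } |
        Select-Object -First 1
    if ($line -and $line -match 'NextUpdate:\s*(.+)$') { return [datetime]($Matches[1].Trim()) }
    return $null
}

# 1. Where this CA tells relying parties to find its CRL (CDP) and its certificate (AIA).
#    On an offline root these must be locations that stay reachable without the root, which is
#    the point of the question; an LDAP path the root can never publish to is a common mistake.
certutil.exe -getreg CA\CRLPublicationURLs
certutil.exe -getreg CA\CACertPublicationURLs

# 2. Publish a fresh CRL into CertEnroll. CRLPeriod and CRLPeriodUnits control its lifetime.
certutil.exe -getreg CA\CRLPeriodUnits
certutil.exe -getreg CA\CRLPeriod
certutil.exe -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# 3. Confirm every CRL in CertEnroll is still valid and list what must be copied to the online
#    distribution point before the root goes back off the network.
foreach ($crl in Get-ChildItem $certEnroll -Filter *.crl) {
    $next = Get-CrlNextUpdate $crl.FullName
    $status = if ($next -and $next -gt (Get-Date)) { 'valid until {0}' -f $next } else { 'EXPIRED or unreadable' }
    '{0}: {1}' -f $crl.Name, $status
}

# 4. On a networked machine: build the subordinate CA certificate's chain and fetch each CDP and
#    AIA URL it carries. A stale or unreachable CRL shows up here, before users see an error
#    such as "you do not have a client authentication certificate".
certutil.exe -verify -urlfetch 'C:\PKI\ExamSheets2-SubCA.crt'
```

Step 3 is the one to automate: if the reported NextUpdate is closer than the interval at which the root is normally powered on, the CRL lifetime (step 2) is too short for the operating procedure, and relying parties will start failing revocation checks even though nothing was revoked.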
Each certificate has a location listed for the CDP; when the client views the certificate, it then knows where to go for the latest CRL. For ExamSheets1 to support CRL updates and certificate verification on the network while it is offline, you need to use the Certification Authority snap-in to configure a CDP setting as well as an AIA setting that point to the C:\Windows\System32\CertSrv\CertEnroll folder.

Incorrect Answers:
A, C: Setting the CDP setting as well as the AIA setting on ExamSheets1 to point to a shared folder would need the network to be online to work.
E: This is not a matter of enrollment and of selecting the Remove expired certificates, etc. option; that is the function of CRLs.
F: Subordinate CAs are child CAs in the hierarchy. They are certified by the root authority and bind its public key to its identity. Just as the root CA can issue and manage certificates and certify child CAs, a subordinate CA can also perform these actions and certify CAs that are subordinate to it in the hierarchy. ExamSheets2 is a subordinate CA. But this is not what is required.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 886, 907

Question: 168
You are a network administrator for Examsheets.net. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. You install Certificate Services and configure an offline root certification authority (CA). You also configure an enterprise subordinate CA in the domain.
Employees in the marketing department use a public key infrastructure (PKI) enabled application to store secure marketing data. Employees require a certificate that supports client authentication to gain access to this application. User objects for employees in the marketing department are stored in an organizational unit (OU) named Marketing. You create a Group Policy object (GPO) that configures users for autoenrollment, and you link the GPO to the Marketing OU. You create a duplicate of the User certificate template named Employee and assign permission to allow autoenrollment for users in the marketing department. You configure the Employee template to prompt the user during enrolment. An employee in the marketing department named David Lindberg reports that when he attempts to use the marketing application, he receives a message stating that he does not have a client authentication certificate. David is unable to use the marketing application. You examine David Lindberg’s user object, shown in the exhibit. **MISSING** You need to ensure that David can use the marketing application. What should you do?

A. Edit David Lindberg’s user object to include an e-mail address.
B. Add David Lindberg’s user object to the Exam Publishers domain local group.
C. On David Lindberg’s computer, use the Web enrolment tool to connect to the subordinate CA and download a copy of the subordinate CA’s certificate.
D. On David Lindberg’s computer, use the Web enrolment tool to connect to the subordinate CA and download the most recent certificate revocation list (CRL).

Answer: D

Explanation:
CAs can revoke as well as issue certificates. After a certificate is revoked, it needs to be published to a CRL distribution point. Clients check the CRL periodically before they can trust a certificate. Following this reasoning, his certificate could have been revoked.
To make sure that he can use the marketing application he should make use of the Web enrolment tool to connect to the subordinate CA and download the latest CRL.

Incorrect Answers:
A: This is probably a case of a revoked CA, and editing Lindberg’s user object to include an e-mail address will not address the issue at hand.
B: This will not ensure that David will be able to make use of the marketing application.
C: You should not be downloading a copy of the subordinate CA’s certificate; it is a matter of downloading the latest CRL from the subordinate CA.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 909

Question: 169
You are a network administrator for a consulting company. You need to create a wireless network that will be used by consultants from your company at a customer location. The wireless network will consist of nine portable computers, three servers, and four wireless digital cameras. All computers and cameras can use either static or dynamic IP addressing. The cameras do not support data encryption. Both the portable computers and the servers must be able to initiate communication over the Internet to VPN servers in your company’s main data center. Only the wireless access point is connected to the customer’s corporate network. You need to plan the wireless IP network so that it minimizes the risk of unauthorized use of the wireless network and prevents unsolicited communication from the Internet to the hosts on the network. What should you do?
Answer:

Explanation:
Network Address Translation (NAT) is a service that allows multiple LAN clients to share a single public IP address and Internet connection by translating and modifying packets to reflect the correct addressing information. Thus, making use of static IP addressing should minimize the risk of unauthorized use of the wireless network and prevent unsolicited communication from the Internet to the hosts on the network.

Reference:
James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2004.

Question: 170
You are the network administrator for Examsheets.net. The network contains an application server running Windows Server 2003. Users report that the application server intermittently responds slowly. When the application server is responding slowly, requests that normally take 1 second to complete take more than 30 seconds to complete. You suspect that the slow server response is because of high broadcast traffic on the network. You need to plan how to monitor the application server and to have a message generated when broadcast traffic is high. You also want to minimize the creation of false alarms when nonbroadcast traffic is high. What should you do?

A. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert to trigger when the Datagrams/sec counter in the UDPv4 object is high.
B. Use System Monitor and configure it to monitor the Segments/sec counter in the TCPv4 object.
C. Use System Monitor and configure it to monitor the Datagrams/sec counter in the UDPv4 object.
D. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert to trigger when the Datagrams/sec counter in the TCPv4 object is high.

Answer: A

Explanation:
Performance Logs And Alerts is an MMC snap-in that uses System Monitor’s performance counters to capture information to log files over a long period of time. Although the Performance console works well when systems are actively performing poorly, when you can’t wait around, you can set up triggers using the Performance console to catch bad systems in action. UDPv4 is one of the performance objects that provide network traffic monitoring capabilities. It monitors the number of User Datagram Protocol (UDP) packets the computer transmits and receives. Service applications, such as the Domain Name System (DNS) and the Dynamic Host Configuration Protocol (DHCP), typically use UDP for client–server communications.

Incorrect Answers:
B: TCPv4 tracks the number of successful and failed Transmission Control Protocol (TCP) connections.
C: An alert needs to be configured as well, to prevent false alarms.
D: The Datagrams/sec counter is found in the UDPv4 object.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 6: 6

Question: 171
You are the network administrator for Examsheets.net. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network also contains 10 network printers.
All servers have manually configured IP addresses. The client computers and network printers receive their TCP/IP configuration information from a DHCP server. ExamSheets IP policy states that each of the network printers will always be configured with the same IP address. You configure a DHCP server and create a DHCP scope as shown in the exhibit. Users report that they cannot submit print jobs to any of the network printers. You investigate and discover that none of the network printers are receiving their IP addresses from the DHCP server. You need to ensure that the network printers receive their IP addresses from DHCP. What should you do?

A. Remove the IP address reservations for the network printers from the DHCP scope.
B. Delete the IP address exclusion range for the network printers from the DHCP scope.
C. Add the 009 LPR Servers option to the DHCP server options.
D. Enable address conflict detection on the DHCP server.

Answer: B

Explanation:
An exclusion range is a set of one or more IP addresses, included within the range of a defined scope, that you do not want to lease to DHCP clients. Exclusion ranges assure that the server does not offer to DHCP clients on your network any addresses in these ranges. Therefore, you would want to perform the action described in “B”, so that ExamSheets IP policy is adhered to.

Incorrect Answers:
A: Using address reservations in DHCP allows devices to always have the same address.
C: There are no LPR Servers mentioned in the question.
D: It is an optional server-side mechanism for detecting whether a scope IP address is in use on the network.

Reference:
J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Chapter 7.
Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System.

Question: 172
You are a network administrator for Examsheets.net. The network consists of a Windows NT 4.0 domain. All servers run Windows NT Server 4.0 and all client computers run Windows NT Workstation 4.0. ExamSheets has two offices that are connected by a 56-Kbps WAN connection. All computers are configured to use WINS for name resolution and network browsing capability between the two offices. ExamSheets is planning to upgrade the domain controllers to Windows Server 2003 and to deploy Windows Server 2003 and Windows XP Professional computers. You need to maintain name resolution and network browsing support during and after the upgrade process. You need to allow users of Windows NT Workstation 4.0 and Windows XP Professional computers to browse and connect to both Windows NT Server 4.0 and Windows Server 2003 computers. You need to minimize name resolution traffic across the WAN connection. What should you do?

A. Install a Windows Server 2003 DNS server at each office. Configure all Windows NT Workstation 4.0 and Windows NT Server 4.0 computers to use both WINS and DNS for name resolution. Configure all Windows Server 2003 computers to use WINS.
B. Install a Windows Server 2003 DNS server at only one office. Configure all Windows NT Workstation 4.0 and Windows NT Server 4.0 computers to use both WINS and DNS for name resolution. Configure all Windows Server 2003 computers to use WINS.
C. Upgrade the WINS servers at each office to Windows Server 2003. Install a Windows Server 2003 DNS server at only one office and configure it to use WINS lookup. Configure all Windows Server 2003 computers to use WINS.
D. Upgrade the WINS servers at each office to Windows Server 2003. Install a Windows Server 2003 DNS server at each office. Configure each DNS server to use WINS lookup. Configure all Windows Server 2003 computers to use WINS.

Answer: A

Explanation:
A DNS server provides host name resolution by translating host names to IP addresses (forward lookups) and IP addresses to host names (reverse lookups). WINS provides computer name resolution by translating NetBIOS names to IP addresses. It is not necessary to install Windows Internet Name Service (WINS) unless you are supporting legacy operating systems, such as Windows 95 or Windows NT. Operating systems such as Windows 2000 and Windows XP do not require WINS, although legacy applications on those platforms may very well require NetBIOS name resolution.

Incorrect Answers:
B: The question requires name resolution and network browsing support, during and after the upgrade process, to be maintained in both offices.
C, D: There is no need to upgrade any of the servers because NetBIOS name resolution supports computers with earlier versions of Windows. Furthermore, configuring the usage of WINS lookup will not minimize name resolution traffic across the WAN connection.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 41

Question: 173
You are the network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net.
The network contains 10 application servers that run Windows Server 2003. The application servers are accessed from the ExamSheets network and from the Internet. The network design requires that the application servers must have specifically configured security settings, including the password policy, audit policies, and security options settings. You create a security template named App.inf that contains the security settings required by the network design. You are concerned that an unauthorized user will modify the configuration and gain access to the application servers. You want to capture any changes made to the security settings of the application servers. You need to generate a report that compares the current settings of each application server with the required settings every 24 hours. What should you do?

A. Use a Group Policy startup script to run the secedit command in analysis mode with the App.inf template, and set the Group Policy refresh interval for computers to 24 hours.
B. Import the App.inf template into Group Policy, and set the Group Policy refresh interval for computers to 24 hours.
C. Use Task Scheduler to run the gpresult command in verbose mode every 24 hours.
D. Use a custom script in Task Scheduler to run the secedit command in analysis mode with the App.inf template every 24 hours.

Answer: D

Explanation:
Secedit.exe is a command line version of the Security Configuration and Analysis tool. In ‘analysis’ mode, this tool can be used to compare the current system settings with the required settings. We can use the Task Scheduler to run a script that runs secedit.exe to analyse the current settings.

Incorrect Answers:
A: A Group Policy startup script will only run when the computer starts up. It does not run every time the group policy is refreshed.
B: This will reapply the required settings every 24 hours, but the question states that you want to capture any changes by comparing the current settings to the required settings.
C: The gpresult utility is the command-line version of the Resultant Set of Policy (RSoP) tool. In verbose mode it lists the effective policies on a computer, but it does not list the differences between the current settings and the required settings.

Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 10:44

Question: 174
You are the network administrator for ExamSheets. ExamSheets is deploying a public Web server farm on Windows Server 2003 computers. This Web server farm will allow the public to view company information. The Web servers in the Web server farm will be placed in ExamSheets's perimeter network, which uses a public Internet address space. ExamSheets wants to reduce the probability of external unauthorized users breaking into the public Web servers. You need to make the Web servers less vulnerable to attack. You also want to ensure that the public will be able to view information that is placed in ExamSheets's perimeter network.

What should you do?

A. Configure each Web server's IP address to a private reserved Internet address.
B. Configure the Web servers to allow only IPSec communications.
C. Disable any unneeded services on the Web servers.
D. Disable TCP/IP filtering on all adapters in the Web servers.

Answer: C

Explanation:
We should disable any unneeded services on the Web servers. This includes unneeded Web services and unneeded server services, and it also ensures that no unnecessary ports are open on the servers.
Reducing the Attack Surface of the Web Server
Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, the default configuration of IIS minimizes the attack surface of the server. When your Web sites and applications contain dynamic content, or you require one or more of the additional IIS components, you will need to enable additional features. However, you still want to ensure that you minimize the attack surface of the Web server. The attack surface of the Web server is the extent to which the server is exposed to a potential attacker. If you reduce the attack surface of the Web server too much, however, you can eliminate functionality that is required by the Web sites and applications that the server hosts. You need to ensure that only the functionality necessary to support your Web sites and applications is enabled on the server. This ensures that the Web sites and applications run properly on your Web server while the attack surface is minimized.

Incorrect Answers:
A: The public Web servers need public IP addresses.
B: You can't use IPSec on public Web servers; no one would be able to access the Web pages.
D: TCP/IP filtering should be enabled, not disabled.

References: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 1
Microsoft Windows Server 2003 Deployment Kit, Deploying Internet Information Services (IIS) 6.0, "Reducing the Attack Surface of the Web Server"

Question: 175
You are a consultant for several different companies. You design the security policies for the computers running Windows Server 2003 and Windows 2000 Professional in your customers' networks. You use these security policies to configure a server named Server1.
You want to deploy the security configuration on Server1 to computers in your customers' networks by using the least amount of administrative effort.

What should you do first?

A. Create a Group Policy object (GPO) that configures the security settings for all computers to match the settings on Server1, and then link the GPO to the domain. Export the console list to a file.
B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security template to a file.
C. In the System Information snap-in, save the system summary as a system information file.
D. In the Security Templates snap-in, export the console list to a file.

Answer: B

Explanation:
We can use the Security Configuration and Analysis snap-in to export all the security settings from a computer to a template file. This enables us to apply the same security settings to other computers, either by using the Security Configuration and Analysis snap-in (for single computers) or by importing the template into a Group Policy object (for multiple computers).

Incorrect Answers:
A: You have already manually configured the settings on Server1. It is quicker to export them to a template file than to enter the settings into a GPO by hand.
C: The system summary does not contain the security settings.
D: The console list does not contain the security settings.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13-57 to 13-65, 13-70 to 13-80

Question: 176
You are the network administrator for ExamSheets.net. ExamSheets has offices in New York, Copenhagen, and Ankara.
The network consists of a single Active Directory domain and three sites. The sites are named NYSite, CopSite, and AnkSite. ExamSheets is adding a new division at the New York office for publishing fiction books. You create a new organizational unit (OU) named Fiction for the fiction division. You add a new network segment and subnet for the fiction division. You plan to place new Windows XP Professional computers for the fiction division in the new subnet. You also plan to add a new domain controller to NYSite. You need to ensure that users in the fiction division use the domain controllers in the New York office when logging on to the network.

What should you do?

A. Decrease the metric for the default gateway on the new Windows XP Professional computers.
B. Create a new subnet object for the new subnet. Add the new subnet object to NYSite.
C. Configure the location attribute for the new Windows XP Professional computers to be NYSite.
D. Move the domain controller objects for the domain controllers in the New York office to the Fiction OU.

Answer: B

Explanation:
Subnets are associated with a site by using subnet objects. This ensures that users on a particular subnet log on to a domain controller in a particular site.

Incorrect Answers:
A: This won't accomplish anything.
C: The location attribute is for information only. It will not link the computer to the site.
D: This would give the administrators of the Fiction OU control over the domain controllers in the New York office. It won't ensure that users on the new subnet log on to the domain controllers in the New York office.

Reference: J. C. Mackin & Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2:27-30

Question: 177
You are the network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. You configure a new Windows Server 2003 file server named ExamSheetsSrv1. You restore user files from a tape backup, and you create a logon script that maps drive letters to shared files on ExamSheetsSrv1. Users report that they cannot access ExamSheetsSrv1 through the drive mappings you created. Users also report that ExamSheetsSrv1 does not appear in My Network Places. You log on to ExamSheetsSrv1 and confirm that the files are present and that the NTFS permissions and share permissions are correct. You cannot access any network resources. You run the ipconfig command and see the following output.

You need to configure the TCP/IP properties on ExamSheetsSrv1 to resolve the problem.

What should you do?

A. Add ExamSheets.net to the DNS suffix for this connection field.
B. Configure the default gateway.
C. Configure the DNS server address.
D. Configure a static IP address.

Answer: D

Explanation:
The IP address shown in the exhibit is an APIPA (Automatic Private IP Addressing) address. This means that the server is configured to use DHCP for its IP configuration but is unable to contact a DHCP server (a likely cause is that there is no DHCP server on the network). We can fix the problem by configuring a static IP address in the same IP range as the rest of the network.

Incorrect Answers:
A: A DNS suffix isn't necessary.
B: A default gateway isn't necessary unless this is a routed network.
C: The server not having a DNS server address wouldn't prevent clients from connecting to the server.
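The check and the fix from Question 177 as an added batch script for ExamSheetsSrv1. This is not code from the original question set; the connection name "Local Area Connection", the 192.168.10.0/24 addresses, the gateway and the DNS server address 192.168.10.10 are assumed values and must be replaced with the real ones for the network.

```batch
@echo off
rem Added example (not from the original page): detect an APIPA address on
rem ExamSheetsSrv1 and replace it with a static address on the LAN.
rem The connection name and the 192.168.10.0/24 addressing are assumptions.
setlocal
set "IFNAME=Local Area Connection"

rem An address in 169.254.0.0/16 means DHCP discovery failed and Windows fell
rem back to Automatic Private IP Addressing; such a host cannot reach the rest
rem of the subnet, which is why the drive mappings and browsing fail.
ipconfig | findstr /C:"169.254." >nul
if errorlevel 1 (
    echo No APIPA address present; nothing to do.
    exit /b 0
)

echo APIPA address detected - assigning a static address.
rem Windows Server 2003 netsh syntax (addr= and mask= keywords):
rem   set address name="<connection>" source=static addr=<ip> mask=<mask> gateway=<gw> gwmetric=<n>
rem The gateway is only needed on a routed network; it is set here as an assumption.
netsh interface ip set address name="%IFNAME%" source=static addr=192.168.10.20 mask=255.255.255.0 gateway=192.168.10.1 gwmetric=1
if errorlevel 1 (
    echo Failed to set the static address.
    exit /b 1
)

rem Point the server at the internal DNS server (assumed address) so it can
rem register its own A record and locate domain controllers.
netsh interface ip set dns name="%IFNAME%" source=static addr=192.168.10.10 register=primary

rem Show the new configuration and re-register the host record in DNS.
ipconfig /all
ipconfig /registerdns
```

Run it from an elevated command prompt on the server; the findstr test makes it safe to re-run, because a server that already has a routable address is left untouched.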
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4:59

Question: 178
You are the network administrator for ExamSheets.net. The network consists of a single Active Directory forest that contains three domains. Each domain contains domain controllers that run Windows 2000 Server and domain controllers that run Windows Server 2003. The DNS Server service is installed on all domain controllers. All client computers run Windows XP Professional. You need to add an additional DNS zone that is hosted on at least one DNS server in each domain. You want to configure the zone to allow secure updates only.

What should you do?

A. Configure the new zone on DNS servers in the root domain. Configure stub zones that refer to DNS servers in the other two domains.
B. Configure the new zone as a primary zone on one DNS server. Configure other DNS servers in the three domains as secondary servers for this zone. Enable the DNS Security Extensions (DNSSEC) protocol.
C. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named DomainDNSZones.
D. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named ForestDNSZones.

Answer: D

Explanation:
To enable secure updates, we need an Active Directory-integrated zone. To replicate to the DNS servers in the other domains, the zone must be installed on a Windows Server 2003 domain controller in each domain.
During the configuration of the zone, you can select the option to replicate the zone information to all domain controllers in the forest; this stores the zone data in the DNS directory partition named ForestDNSZones.

Incorrect Answers:
A: We need Active Directory-integrated zones, not stub zones.
B: Secondary zones are not writable and so cannot accept updates.
C: If we store the zone data in the DNS directory partition named DomainDNSZones, it will only be replicated within a single domain, not across the entire forest.

References: J. C. Mackin & Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-25, 6-22

Question: 179
You are the network administrator for ExamSheets. The network consists of two physical subnets connected by a hardware-based router. Each subnet contains two domain controllers running Windows 2000 Advanced Server. All other servers run Windows 2000 Server. ExamSheets is in the process of migrating to a Windows Server 2003 Active Directory domain-based network. You plan to install two new Windows Server 2003 computers as domain controllers in the domain. The migration plan does not currently allow for upgrading the Windows 2000 domain controllers or changing any operations master roles. Currently, host name resolution is performed by one of the Windows 2000 domain controllers, which is running the DNS Server service. The DNS server hosts a standard primary zone for the domain. The migration plan requires that the DNS zone be implemented as an Active Directory-integrated zone. You need to redesign the DNS infrastructure to comply with the requirements of the migration plan. You need to ensure that the Active Directory-integrated zone will be loaded and hosted on all domain controllers.

What should you do?

A. Configure the zone replication scope to replicate the zone to all DNS servers in the Active Directory forest.
B. Configure the zone replication scope to replicate the zone to all DNS servers in the Active Directory domain named ExamSheets.net.
C. Configure the zone replication scope to replicate the zone to all domain controllers in the Active Directory domain named ExamSheets.net.
D. Configure the zone replication scope to replicate the zone to all domain controllers specified for a separate DNS application directory partition.

Answer: C

Explanation:
The question states that you need to ensure that the Active Directory-integrated zone will be loaded and hosted on all domain controllers, and this is the only answer that says "all domain controllers". This option replicates zone data to all domain controllers in the Active Directory domain. If you want Windows 2000 DNS servers to load an Active Directory-integrated zone, this setting must be selected for that zone.

Incorrect Answers:
A, B: These options replicate the zone to all DNS servers in the forest and in the domain respectively. That does not ensure that the Active Directory-integrated zone is loaded and hosted on all domain controllers.
D: Zone replication should be configured to replicate the zone to all domain controllers in the Active Directory domain, not to the domain controllers specified for a separate DNS application directory partition.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4:36

Question: 180
You are the network administrator for Contoso, Ltd.
The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest root domain is contoso.com. Contoso, Ltd., recently merged with another company named ExamSheets, whose network consists of a single Active Directory forest. The functional level of the ExamSheets forest is Windows Server 2003. The forest root domain for ExamSheets is ExamSheets.net. You need to create a forest trust relationship between the two forests. Each company has dedicated connections to the Internet. You need to configure DNS to support the forest trust relationship. You want to maintain Internet name resolution capability for each company's network.

What should you do?

A. Configure the contoso.com DNS servers to forward to the ExamSheets.net DNS servers. Configure the ExamSheets.net DNS servers to forward to the contoso.com DNS servers.
B. Configure conditional forwarding of ExamSheets.net on the contoso.com DNS servers to the ExamSheets.net DNS servers. Configure conditional forwarding of contoso.com on the ExamSheets.net DNS servers to the contoso.com DNS servers.
C. Configure a standard primary zone for ExamSheets.net on one of the contoso.com DNS servers. Configure a standard primary zone for contoso.com on one of the ExamSheets.net DNS servers.
D. Configure an Active Directory-integrated zone for ExamSheets.net on the contoso.com DNS servers. Configure an Active Directory-integrated zone for contoso.com on the ExamSheets.net DNS servers.

Answer: B

Explanation:
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query.
For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Incorrect Answers:
A: We don't want ALL resolution requests to be forwarded to the other company's DNS servers.
C: We can't host the primary zone for a domain on multiple servers.
D: We can't host Active Directory-integrated zones on DNS servers in different forests.

References: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-58, 4-61

Question: 181
You are the network administrator for Acme. The network consists of a single Active Directory forest root domain named acme.com. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named DC1.acme.com is the Active Directory-integrated DNS server for acme.com. All servers and client computers in the acme.com domain use DC1.acme.com as their DNS server for name resolution. Acme acquires a company named ExamSheets. The ExamSheets network consists of a single Active Directory forest root domain named ExamSheets.net. The functional level of this domain is Windows Server 2003. A Windows Server 2003 domain controller named DC1.ExamSheets.net is the Active Directory-integrated DNS server for ExamSheets.net. All servers and client computers in the ExamSheets.net domain use DC1.ExamSheets.net as their DNS server for name resolution. You create a two-way forest trust relationship with forest-wide authentication between acme.com and ExamSheets.net. You need to ensure that all users in both companies can log on to both forest root domains. You need to achieve this goal without adversely affecting Internet access.

What should you do?

A. Set the Stub Zone as the zone type for the acme.com domain on DC1.acme.com and for the ExamSheets.net domain on DC1.ExamSheets.net.
B. Select the Do not use recursion for this domain check box on DC1.ExamSheets.net and on DC1.acme.com.
C. Add the fully qualified domain name (FQDN) and the IP address of DC1.ExamSheets.net to the Root hints list on DC1.acme.com. Add the FQDN and the IP address of DC1.acme.com to the Root hints list on DC1.ExamSheets.net.
D. Configure conditional forwarding on DC1.acme.com to forward all requests for resources in the ExamSheets.net domain to DC1.ExamSheets.net. Configure conditional forwarding on DC1.ExamSheets.net to forward all requests for resources in the acme.com domain to DC1.acme.com.

Answer: D

Explanation:
To log on to a computer in acme.com with a user account in ExamSheets.net, the acme.com DNS server needs to be able to locate a domain controller in ExamSheets.net to authenticate the logon. Conditional forwarding enables a DNS server to forward DNS queries based on the DNS domain name in the query. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name.

Incorrect Answers:
A: A stub zone is a copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone.
B: Recursion is the process of a DNS server querying other DNS servers on behalf of an original querying client. If recursion is disabled, the client performs iterative queries by using root hint referrals from the DNS server. Iteration refers to the process of a DNS client making repeated queries to different DNS servers.
C: Root hints are a list of preliminary resource records used by the DNS service to locate servers authoritative for the root of the DNS domain namespace tree.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc., Alameda, 2003, p. 451

Question: 182
You are the system engineer for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. All servers run Windows Server 2003. The network is connected to the Internet by a dedicated T3 line. ExamSheets enters into a partnership with another company for a new project. The partner company's network consists of a single Active Directory forest that contains two domains. All servers in the network run Windows Server 2003. The partner network is also connected to the Internet by a dedicated T3 line. The partner network is accessible by a VPN connection that was established between the two networks. The VPN connection was tested and was verified to provide a functional connection between the two networks. Users from both companies need to connect to resources located on the other network. A forest trust relationship exists between the two companies' forests to allow user access to resources. Users in your company report that they can access resources on the partner network, but that it can take up to several minutes for the connection to be established. This problem is most pronounced during the morning. You verify that there is sufficient available bandwidth on the connection between the two networks to provide access. You also verify that both networks' routing tables are configured correctly to route requests to the appropriate destinations. When you attempt to connect to a server in the partner network by host name by using the ping command, the connection times out.
However, when you attempt to connect to the server a second time by IP address by using the ping command, you receive a response within a few seconds. You need to improve the performance of the network connection between the two networks.

What should you do?

A. Add the partner network's domain names and DNS server addresses to the forwarders list on your DNS servers.
B. Update the root hints list on your DNS servers to include the host names and IP addresses of the partner network's DNS servers.
C. Disable recursion on the DNS servers in both companies' networks.
D. Add the partner network's DNS server addresses to the 006 DNS Servers scope option in your DHCP scope.

Answer: A

Explanation:
It is taking a long time to locate resources on the other network because name resolution requests are being passed to the Internet root servers and then down through the Internet DNS hierarchy before the request finally reaches the appropriate DNS server. We can speed up this process by using conditional forwarding, which sends resolution requests for resources in the partner network directly to the partner's DNS server.

Conditional forwarders
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Incorrect Answers:
B: The root hints are used to locate the Internet root DNS servers.
C: This won't help. It would mean that the internal DNS servers wouldn't forward external resolution requests to other DNS servers such as the root servers.
D: The partner network's DNS servers would never be used unless the local DNS server failed.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc., Alameda, 2003, p. 451

Question: 183
You are a network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. The network contains two Windows Server 2003 domain controllers named ExamSheetsA and ExamSheetsB, which both run the DNS Server service. All of the resource servers on the network are DHCP clients, including a Windows Server 2003 file server named ExamSheetsC. The DNS configuration consists of a primary forward lookup zone that allows dynamic updates on ExamSheetsA and a secondary zone on ExamSheetsB. Users report that they cannot connect to ExamSheetsC. You discover that the IP address that is associated with the host resource record for ExamSheetsC is assigned to a test computer that is not a member of the domain. This computer is also named ExamSheetsC. You need to configure DNS to ensure that A records resolve to the IP addresses of the computers that made the original registration.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Configure the Secure Only dynamic updates setting on the forward lookup zone on ExamSheetsA.
B. Configure the None dynamic updates setting on the forward lookup zone on ExamSheetsA.
C. Manually create A record entries for each server on ExamSheetsA.
D. Convert the zone type on ExamSheetsA to Active Directory-integrated.
E. Convert the zone type on ExamSheetsB to primary.

Answer: A, D

Explanation:
By configuring Secure only updates, only domain members can register their A records with DNS. The zone is currently a standard primary zone; we need to convert it to an Active Directory-integrated zone to enable Secure only updates.
Incorrect Answers:
B: It is not necessary (or recommended) to disable dynamic updates on the zone.
C: This would only be necessary if we disabled dynamic updates on the zone.
E: You can't have two primary zones for one domain.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc., Alameda, 2003, p. 387

Question: 184
You are the network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. The network contains Windows Server 2003 computers and Windows XP Professional computers. The network also contains UNIX servers and UNIX client computers. Many users share files on their client computers with other users. All client computers also access shared resources on both the Windows Server 2003 computers and the UNIX servers, which use a third-party Server Message Block (SMB) server product. The written security policy for ExamSheets requires that SMB packet signing must be used whenever possible. You need to edit the Computer Configuration section of the Default Domain Policy Group Policy object (GPO) to ensure that all computers in the domain meet the written security policy requirement.

Which two security settings should you enable? To answer, select the appropriate security settings in the Group Policy Object Editor results pane.

Answer:

Explanation:
All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both the client-side SMB component and the server-side SMB component involved in a communication must have SMB packet signing either enabled or required.
For Windows 2000 and later, enabling or requiring packet signing for the client-side and server-side SMB components is controlled by the following four policy settings:

Microsoft network client: Digitally sign communications (always) - Controls whether the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether the server-side SMB component has packet signing enabled.

If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. Using SMB packet signing can impose up to a 15 percent performance hit on file service transactions.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9:13

Question: 185
You are the systems engineer for Acme Inc.
The network consists of a single Active Directory domain named acme.com. All servers run Windows Server 2003. The network is not currently connected to the Internet. Acme enters into a partnership with ExamSheets. The ExamSheets network consists of a single Active Directory domain named ExamSheets-ad.com. All servers in the ExamSheets-ad.com domain run Windows Server 2003. ExamSheets maintains a separate network that contains publicity accessible Web and mail servers. These Web and mail servers are members of a DNS domain named ExamSheets.net. The ExamSheets.net zone is hosted by a UNIX-based DNS server running the latest version of BIND. Both companies require that users from each company must be able to access resources in either network. A new dedicated T1 line is established between the two offices to provide connectivity. The Active Directory project team plans to create a forest trust relationship between the two forests. Both companies’ written security policies state that resources located on the internal network must never be exposed to the Internet. The ExamSheets written security policy also states that the internal network’s DNS namespace must never be exposed to the Internet. You need to plan a name resolution strategy for internetwork connectivity. You need to configure both Windows Server 2003 DNS servers so that they comply with both companies’ requirements and restrictions. Your plan must provide for minimal disruption of network connectivity in both networks. What should you do? A. Create a conditional forwarder on the acme.com DNS server to forward all requests for hosts in the ExamSheets-ad.com domain to the ExamSheets-ad.com DNS server. Create a conditional forwarder on the ExamSheets-ad.com DNS server to forward all requests for hosts in the acme.com domain to the acme.com DNS server. B. 
Create a conditional forwarder on the acme.com DNS server to forward all requests for hosts in the ExamSheets-ad.com domain to the ExamSheets.net UNIX-based DNS server. Configure the ExamSheets.net UNIX-based DNS server to forward all requests for hosts in the acme.com domain to the acme.com DNS server.
C. Configure root hints on each Windows Server 2003 DNS server. Configure each Windows Server 2003 DNS server to forward requests to the ExamSheets.net UNIX-based DNS server.
D. Configure a secondary zone on the ExamSheets.net UNIX-based DNS server for each company’s domain. Configure each company’s Windows Server 2003 DNS server to allow zone transfers to only the ExamSheets.net UNIX-based DNS server.
Answer: A
Explanation:
If your internal network does not have a private root and your users need access to other namespaces, such as a network belonging to a partner company, use conditional forwarding to enable servers to query for names in other namespaces. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name. Creating conditional forwarders in both directions between the two companies’ internal DNS servers, as described in this option, keeps every query for the internal namespaces on the private T1 link, so it causes the least disruption in connectivity while complying with all the requirements set out in the question.
Incorrect answers:
B: Routing queries for ExamSheets-ad.com through the publicly accessible ExamSheets.net UNIX-based DNS server, and having that server forward acme.com queries, would expose both internal DNS namespaces to an Internet-facing server, which violates the written security policies. The conditional forwarder on each side must point directly at the partner’s internal DNS server, as in option A.
C: There is no need to configure root hints when you make use of conditional forwarders between the two parties as suggested in option A, and forwarding all requests to the ExamSheets.net server has the same exposure problem as option B.
D: With conditional forwarders there is no need for secondary zones. Hosting a secondary copy of each company’s internal zone on the Internet-facing ExamSheets.net server would expose the internal namespaces, and setting up the zone transfers causes unnecessary disruption in connectivity that can be avoided.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 34
Question: 186
You are the administrator of ExamSheets’s network, which links the main office and 15 branch offices. The network contains 5,000 computers running Windows 2000 Professional and 180 computers running Windows 2000 Server. The main office has two WINS servers, and each branch office has one WINS server. The WINS servers in the branch offices are configured for push/pull replication with one of the WINS servers in the main office. Both WINS servers in the main office are configured for push/pull replication with each other. You enable periodic database consistency checking. You then notice an increase in network traffic during the check periods. You need to reduce or eliminate the additional traffic, while maintaining the integrity of the database records. What should you do?
A. Configure all WINS servers to use the automatic partner configuration.
B. Disable periodic database consistency checking and manually perform consistency checking.
C. Increase the verification interval on each of the WINS servers.
D. Configure the DHCP client options for WINS so that the primary WINS servers are evenly divided among the DHCP clients.
Answer: B
Explanation:
Periodic database consistency checking makes each WINS server pull every record owned by each of its partners and compare it with its own copy, which is what generates the extra traffic during the check periods. Disabling the periodic check and running consistency checking manually, at a time of your choosing, removes the recurring traffic while still allowing the database records to be verified.
Incorrect answers:
A: Automatic partner configuration uses multicast to discover replication partners; it does not change the consistency-check traffic that the question identifies as the problem.
C: Increasing the verification interval only lengthens the time between periodic checks; each check still generates the same burst of traffic, so the problem recurs rather than being eliminated.
D: How DHCP clients are spread across primary WINS servers affects client registration and query load, not the server-to-server traffic generated by consistency checking.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 44-47
Question: 187
You are the administrator of the Woodgrove Bank company network. The network consists of a single Active Directory domain. The network includes 10 domain controllers running Windows Server 2003, 30 member servers running Windows Server 2003, 500 client computers running Windows XP Professional and 200 client computers running Windows NT 4.0 Workstation. WINS and DNS are used for name resolution. You log on to a member server named Server15. You attempt to connect to another member server named Server5, but you are unable to connect. You receive the following error message: “System error 67 has occurred. The network name cannot be found”. To troubleshoot the problem, you try to ping Server5. The results are shown in the exhibit. You need to be able to connect to Server5 by host name and IP address. What should you do? (Each correct answer presents a complete solution. Choose two)
A. Open compmgmt.msc. Use the “Connect to another computer” option.
B. Open a command prompt on Server5. Run the nbtstat –RR command.
C. Open a command prompt on Server15. Run the ipconfig /flushdns command.
D. Open a command prompt on Server5. Run the ipconfig /renew command.
E.
Open a command prompt on Server5. Run the ipconfig /registerdns command.
Answer: B, E
Explanation:
The ping results in the exhibit show that Server5 does not respond by name or at the IP address that is registered for it (192.168.202.8). Either Server5 is offline or its IP address has changed while DNS and WINS still hold the old address. Running ipconfig /registerdns on Server5 re-registers its host (A) record with DNS, and running nbtstat –RR on Server5 releases and re-registers its NetBIOS names with WINS, so that clients resolving Server5 by host name or by NetBIOS name receive the current address.
Incorrect answers:
A: Connecting through Computer Management still depends on name resolution, so it fails for the same reason; the stale DNS and WINS records must be refreshed first.
C: ipconfig /flushdns only clears the resolver cache on Server15. The stale record is held by the DNS server, and flushing a cache is not the same as registering a record.
D: ipconfig /renew attempts to renew the DHCP lease on Server5. That does not re-register the host name and IP address, which is what is required to connect to Server5 by either.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 60
Question: 188
You are a network administrator for ExamSheets.net. The network consists of a single Active Directory domain named ExamSheets.net. The domain contains three sites named MainOffice, EastCoast, and WestCoast. Each site contains four domain controllers and 100 client computers. One server in the EastCoast site is named ExamSheets1. All DNS servers contain Active Directory-integrated zones. Other administrators report that they cannot connect to ExamSheets1 when attempting to perform Active Directory administration. They report they can perform these tasks locally at ExamSheets1. You verify that ExamSheets1 is operational and that file and print resources are accessible by using the host name.
You need to ensure that administrators can perform Active Directory administration on ExamSheets1 without requiring physical access to the server. What should you do?
A. On ExamSheets1, force registration of DNS host resource records.
B. On ExamSheets1, restart the Net Logon service.
C. Install DNS on ExamSheets1.
D. Configure ExamSheets1 as a local bridgehead server for the EastCoast site.
Answer: B
Explanation:
ExamSheets1 is a domain controller; we know this because administrators are trying to perform Active Directory administration on it. File and print resources on ExamSheets1 are accessible by using the host name, so its host (A) record is present in DNS. The problem is that the SRV records that allow the Active Directory tools to locate the domain controller are missing from DNS and need to be restored. The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located on the network, and repeats that registration every 24 hours. To initiate the registration immediately, restart the Net Logon service.
Incorrect Answers:
A: File and print resources on ExamSheets1 are accessible by using the host name, so the A records are already present in DNS; it is the SRV records that are missing.
C: It is not necessary to install DNS on ExamSheets1.
D: ExamSheets1 does not need to be a bridgehead server to enable the administrators to access it.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 12
Question: 189
You are the network administrator for ExamSheets.net. The network consists of a single Active Directory forest that contains one domain named ExamSheets.net.
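The distinction the answer to Question 188 rests on, an A record that resolves while the domain controller's SRV locator records are missing, can be checked and repaired with the following PowerShell. It is an added example, not from the exam guide or the Training Kit. It uses Resolve-DnsName, which exists on Windows 8 / Windows Server 2012 and later (on Windows Server 2003 the same lookups are "nslookup -type=SRV <name>"); the domain and host names are the question's, and the DNS server address is an assumption.

```powershell
# Added example (not from the exam guide): check the DNS locator records that the
# Active Directory tools use to find a domain controller, and re-register them by
# restarting Net Logon when they are missing (the fix given for Question 188).
# Domain and host names come from the question; the DNS server address is assumed.

function Test-DcLocatorRecords {
    param(
        [string]$Domain    = 'ExamSheets.net',
        [string]$DcHost    = 'ExamSheets1.ExamSheets.net',
        [string]$DnsServer = '10.0.0.10'   # assumed: a DNS server holding the AD-integrated zone
    )
    # Host (A) record: what file and print access by host name depends on.
    $a = Resolve-DnsName -Name $DcHost -Type A -Server $DnsServer -ErrorAction SilentlyContinue
    [pscustomobject]@{ Record = "$DcHost (A)"; Present = [bool]$a }

    # SRV records that Net Logon registers so the DC can be located for LDAP and Kerberos.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain"
    )
    foreach ($name in $srvNames) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
        # Present only if one of the returned targets is this DC, not merely some DC in the domain.
        $mine = $srv | Where-Object { $_.NameTarget -eq $DcHost }
        [pscustomobject]@{ Record = "$name (SRV)"; Present = [bool]$mine }
    }
}

$records = Test-DcLocatorRecords
$records | Format-Table -AutoSize

# Question 188's symptom: the A record is present but the SRV records are missing.
$aOk   = ($records | Where-Object Record -like '*(A)').Present
$srvOk = -not (($records | Where-Object Record -like '*(SRV)').Present -contains $false)
if ($aOk -and -not $srvOk) {
    # Run this part on the domain controller itself: Net Logon re-registers the
    # locator records when it starts instead of waiting for its 24-hour cycle.
    Restart-Service -Name Netlogon
    # Alternative that re-registers without restarting the service: nltest /dsregdns
}
```

The lookup part can run from any administrative workstation; the restart must run on ExamSheets1. From the client side, "nltest /dsgetdc:ExamSheets.net /site:EastCoast" performs the same locator query the administration tools use, and "dcdiag /test:DNS" on the domain controller reports the registration state of its own records.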
You need to deploy a new domain named NA.ExamSheets.net as a child domain of ExamSheets.net. You install a new stand-alone Windows Server 2003 computer named ES1. You plan to make ES1 the first domain controller in the NA.ExamSheets.net domain. You configure ES1 with a static IP configuration. You run the Active Directory Installation Wizard on ES1. The wizard prompts you for the network credentials to use to join the NA.ExamSheets.net domain to ExamSheets.net. You receive an error message stating that a domain controller in the ExamSheets.net domain cannot be located. You need to be able to promote ES1 to a domain controller as the first domain controller of the child domain in the existing forest. What should you do?
A. Configure the client WINS settings on ES1 to use a WINS server that contains entries for the ExamSheets.net domain controllers.
B. Configure the client DNS settings on ES1 to use a DNS server that is authoritative for the ExamSheets.net domain.
C. Configure the DNS Server service on ES1 to have a zone for NA.ExamSheets.net.
D. Configure ES1 to be a member server in the ExamSheets.net domain.
Answer: B
Explanation:
This is the typical effect of a DNS problem: the client (here a stand-alone server about to be promoted) cannot locate the SRV records of the parent domain, so it cannot find a domain controller to contact. The promotion needs to reach the DNS server that is authoritative for the parent domain in which you want to create the child domain. First, in the Active Directory Installation Wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller. Later in the installation process, the wizard tests the following: based on its TCP/IP client configuration, it checks whether a preferred DNS server is configured. If a preferred DNS server is available, it queries to find the primary authoritative server for the DNS domain you specified earlier in the wizard.
It then tests whether the authoritative primary server can support and accept dynamic updates as described in the DNS dynamic update protocol. If, at this point in the process, a supporting DNS server cannot be located to accept updates for the specified DNS domain name you are using with Active Directory, you are offered the option to install the DNS Server service.
Incorrect Answers:
A: WINS provides NetBIOS name resolution for down-level clients. The Active Directory Installation Wizard locates domain controllers through SRV records in DNS, not through WINS, and ES1 is a Windows Server 2003 computer.
C: NA.ExamSheets.net does not yet exist, and a local zone for it would not help ES1 find a domain controller for the parent domain.
D: We want to install ES1 as the first domain controller of the NA.ExamSheets.net domain. Making it a member server of ExamSheets.net first adds an unnecessary step, and the join would fail for the same reason: without a DNS server that can resolve the ExamSheets.net SRV records, no domain controller can be located.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 6
Question: 190
You are the network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. The network contains a Windows Server 2003 computer named ExamSheets4 that functions as a mail server. ExamSheets4 is configured as a member server in the domain. To improve service to users, ExamSheets launched a single sign-on initiative. Currently, users need to authenticate to the mail server after they log on to the domain to send or receive e-mail messages. You use IIS Manager to configure the properties for the Default SMTP Virtual Server on ExamSheets4. You need to allow users to send e-mail messages without explicitly logging on to ExamSheets4. You need to prevent unauthorized users from sending e-mail messages. What should you do?
To answer, configure the appropriate option or options in the dialog box.
Answer: Clear the Anonymous access check box and select the Integrated Windows Authentication check box.
Explanation:
Integrated Windows Authentication: select this option to enable the standard security mechanism that is provided with servers running Windows Server. This security feature makes it possible for businesses to provide secure logon services for their customers. Virtual servers that already use Integrated Windows Authentication in an internal system can benefit by using a single, common security mechanism. Integrated Windows Authentication uses a cryptographic technique for authenticating users and does not require the user to transmit actual passwords across the network; because users are already logged on to the domain, no second logon is needed. Clearing Anonymous access is what keeps unauthorized users from sending messages: if it stayed selected, anyone able to reach the virtual server could submit mail without credentials.
Note: Using Integrated Windows Authentication requires a mail client that supports this authentication method. Microsoft Outlook and Microsoft Outlook Express support Integrated Windows Authentication.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 5: 27
Question: 191
You are the administrator of ExamSheets’s network, which consists of a single Windows Server 2003 domain named ExamSheets.net. The network includes a stand-alone Windows Server 2003 computer named RAS1, which runs Routing and Remote Access. All employees use computers running Windows XP Professional to dial in to the network. Your remote access policies permit members of the Domain Users group to dial in to RAS1 between 7:00 P.M. and 6:00 A.M. every day. To increase dial-up security, your company issues smart cards to all employees.
You need to configure RAS1 and your remote access policies to support the use of the smart cards for dial-up connections. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Create a remote access policy that requires users to authenticate by using EAP-TLS.
B. Create a remote access policy that requires users to authenticate by using MS-CHAP v2.
C. Create a remote access policy that requires users to authenticate by using the SPAP protocol.
D. Add RAS1 to the Windows 2000 domain.
E. Install the Internet Authentication Service (IAS) on RAS1.
F. Install Certificate Services on RAS1 and configure it to issue encryption certificates upon request.
Answer: A, F
Explanation:
Smart cards hold certificates, and certificate-based authentication over dial-up requires EAP-TLS; when you configure EAP-TLS on the RRAS server you can select the smart card option. Because RAS1 is a stand-alone server, Certificate Services must be installed on it to issue the certificates for the smart cards.
Incorrect Answers:
B: EAP-TLS is required for smart card authentication, not MS-CHAP v2, which is a password-based protocol.
C: EAP-TLS is required for smart card authentication, not SPAP, which is a reversibly encrypted password protocol with no certificate support.
D: The RRAS server does not need to be a member of the domain.
E: Internet Authentication Service (IAS) is Microsoft’s implementation of RADIUS. It is used when you have multiple RRAS servers and require centralized authentication; it is not needed to support smart cards on a single server.
Reference: Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 591, 594-595
Question: 192
You are the network administrator for ExamSheets. ExamSheets’s Web site is hosted at a local ISP. ExamSheets needs to move the Web site from the ISP to ExamSheets’s perimeter network.
The design team specifies that five servers will be needed to host the Web site. The five servers must balance the network load of requests from the Internet. The Web site must remain available in the event that up to three servers fail at the same time. Each server will have four processors and 4 GB of RAM. Discussions with the design team and the Web developers reveal that the site can be implemented by using either shared storage or local server storage. You need to select the proper operating system to install on each server. You need to select the proper Windows Server 2003 technology to provide fault tolerance. You need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. What should you do?
A. Install Windows Server 2003, Enterprise Edition on all five servers. Connect all five servers to a shared fiber-attached disk array. Configure the five servers as a server cluster. Configure the cluster so that all five nodes are active.
B. Install Windows Server 2003, Enterprise Edition on all five servers. Connect all five servers to a shared fiber-attached disk array. Configure the five servers as a server cluster. Configure the cluster so that three nodes are active and two nodes are hot standby nodes.
C. Install Windows Server 2003, Standard Edition on all five servers. Connect all five servers by using Network Load Balancing.
D. Install Windows Server 2003, Web Edition on all five servers. Connect all five servers by using Network Load Balancing.
Answer: C
Explanation:
The question states that you need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. Windows Server 2003, Standard Edition supports up to 4 processors and 4 GB of RAM, which matches the hardware, and Network Load Balancing is included in every edition, so Standard Edition with an NLB cluster satisfies the load-balancing requirement.
If three servers fail, the remaining two NLB nodes continue to serve the Web site, so the availability requirement is met.
Incorrect Answers:
A: The question states that you need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. A server cluster requires Enterprise Edition and shared storage; Windows Server 2003, Standard Edition with NLB meets the same requirements at lower cost.
B: As for A: Enterprise Edition and a server cluster are more than the requirements call for when Standard Edition with NLB will do.
D: Web Edition supports only two-way symmetric multiprocessing (SMP) and 2 GB of RAM, so it cannot use the four processors and 4 GB of RAM in each server.
Reference:
Overview of Windows Server 2003, Web Edition http://www.microsoft.com/windowsserver2003/evaluation/overview/web.mspx
Overview of Windows Server 2003, Standard Edition http://www.microsoft.com/windowsserver2003/evaluation/overview/standard.mspx
Introducing the Windows Server 2003 Family http://www.microsoft.com/windowsserver2003/evaluation/overview/family.mspx
Question: 193
You are a network administrator for ExamSheets. You administer a file server named ExamSheetsSrvC. The file server stores all data files on a logical volume. You perform a full normal backup of the file server every Saturday. You perform a differential backup of the file server each day on Sunday through Friday. You perform a copy backup of the file server every Wednesday after the differential backup is complete. The copy backup is sent to an off-site facility that requires two hours for tape delivery. The logical volume fails on Friday morning. You need to restore the data that was stored on the failed volume. You need to minimize the loss of data and the time required to perform the restoration. What should you do?
A. Restore the tapes from the copy backup that was performed on Wednesday and from the differential backup that was performed on Thursday.
B. Restore the tapes from the normal backup that was performed on Saturday and from the differential backup that was performed on Thursday.
C.
Restore the tapes from the normal backup that was performed on Saturday and from the differential backups that were performed on Monday through Thursday.
D. Restore the tapes from the normal backup that was performed on Saturday, from the copy backup that was performed on Wednesday, and from the differential backup that was performed on Thursday.
Answer: B
Explanation:
A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups, because copying does not affect those other backup operations. A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires only the last normal backup and the last differential backup.
The logical volume fails on Friday morning. The most recent backup of all the files is Wednesday’s copy backup, but restoring only that would lose any new or changed data between the copy backup and Friday morning, and the tape is off-site. The correct answer is to restore the normal backup that was performed on Saturday and then the differential backup that was performed on Thursday, which contains everything changed since Saturday. This ensures that the restored files are up to date as of Thursday.
Incorrect Answers:
A: This would work, because Thursday’s differential also covers every change since Saturday, but the copy backup is off-site and takes two hours to arrive. It is quicker to use Saturday’s normal backup.
C: This is more than necessary. We only need the last differential backup with the normal backup; each differential already includes the changes captured by the earlier ones.
D: This is more than necessary; only the Saturday normal backup and the Thursday differential backup are needed.
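The restore-set reasoning in this answer (which tapes a restore needs after a given failure, and why Wednesday's copy backup changes nothing) can be worked through with the following PowerShell, an added example that is not from the exam guide or the Study Guide. It models the archive-bit rules quoted above for normal, differential, incremental and copy backups, so it also handles incremental schedules the question does not use; the schedule and the Friday-morning failure are the question's, while the tape names and their on-site/off-site locations are assumptions.

```powershell
# Added example (not from the exam guide): model the archive-bit rules of the
# Windows backup types and compute the tapes a restore needs after a failure.
#   Normal       - backs up everything, clears archive bits
#   Incremental  - backs up changed files, clears archive bits
#   Differential - backs up changed files, leaves archive bits set
#   Copy         - backs up everything, leaves archive bits set
# Schedule and failure point follow Question 193; tape names and locations are assumed.

function Get-RestoreOptions {
    param([object[]]$Schedule, [int]$FailureIndex)   # jobs with Index < FailureIndex completed
    $done = $Schedule | Where-Object { $_.Index -lt $FailureIndex } | Sort-Object Index
    # Any full image (normal or copy) can serve as the base of a restore.
    foreach ($base in ($done | Where-Object { $_.Type -in 'Normal', 'Copy' })) {
        $after = @($done | Where-Object { $_.Index -gt $base.Index })
        # Every incremental after the base is needed, in order, because each one
        # cleared the archive bits that the next one relies on.
        $incs = @($after | Where-Object Type -eq 'Incremental')
        # A differential holds everything changed since the last bit-clearing
        # backup, so only the latest one taken after the last incremental matters.
        $lastClear = if ($incs.Count) { $incs[-1].Index } else { $base.Index }
        $diff = @($after | Where-Object { $_.Type -eq 'Differential' -and $_.Index -gt $lastClear }) | Select-Object -Last 1
        $tapes = @($base) + $incs
        if ($diff) { $tapes += $diff }
        [pscustomobject]@{
            Base      = $base.Tape
            Tapes     = ($tapes | ForEach-Object { $_.Tape }) -join ', '
            TapeCount = $tapes.Count
            DataAsOf  = $tapes[-1].Day
            AsOfIndex = $tapes[-1].Index
            AllOnsite = -not ($tapes | Where-Object { $_.Location -eq 'offsite' })
        }
    }
}

# Question 193: normal on Saturday, differential Sunday to Friday, plus an
# off-site copy backup on Wednesday after that day's differential.
$schedule = @([pscustomobject]@{ Index = 0; Day = 'Sat'; Type = 'Normal'; Tape = 'N-Sat'; Location = 'onsite' })
$i = 1
foreach ($day in 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri') {
    $schedule += [pscustomobject]@{ Index = $i; Day = $day; Type = 'Differential'; Tape = "D-$day"; Location = 'onsite' }; $i++
    if ($day -eq 'Wed') {
        $schedule += [pscustomobject]@{ Index = $i; Day = 'Wed'; Type = 'Copy'; Tape = 'C-Wed'; Location = 'offsite' }; $i++
    }
}
# The volume fails on Friday morning, before Friday's differential runs.
$friDiff = ($schedule | Where-Object { $_.Day -eq 'Fri' }).Index
$options = Get-RestoreOptions -Schedule $schedule -FailureIndex $friDiff
$options | Format-Table -AutoSize

# Fastest restore with the least loss: newest data reachable with on-site tapes, fewest tapes.
$best = $options | Where-Object AllOnsite |
    Sort-Object @{ Expression = 'AsOfIndex'; Descending = $true }, TapeCount |
    Select-Object -First 1
"Restore: $($best.Tapes) (data as of $($best.DataAsOf))"
```

The table shows both viable restores: N-Sat plus D-Thu, and C-Wed plus D-Thu. The second is option A of the question and is only rejected by the on-site filter, which is exactly the two-hour delivery argument in the answer; the final line is option B.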
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, pp. 596-597
Question: 194
You are a network administrator for ExamSheets. You install Windows Server 2003 on a server named ExamSheetsA. You install a production application on ExamSheetsA. You create a shared folder named ProdData on ExamSheetsA to support the needs of the production application. All critical data files for the application are stored in the ProdData shared folder on ExamSheetsA. You install Windows Server 2003 on another server named ExamSheetsB. You create a shared folder on ExamSheetsB named ProdDataBackup. The production application keeps many data files open. All the files in the ProdData folder must be backed up during each shift change. You are not allowed to stop and restart the production application without special approval. You need to provide a backup solution for the critical files in the ProdData folder on ExamSheetsA. Your solution must not affect the production application. What should you do?
A. On ExamSheetsA, use the Backup or Restore Wizard to select the ProdData folder. Type \\ExamSheetsB\ProdDataBackUp for the backup destination, and use the advanced backup options to select the Disable volume shadow copy check box.
B. On ExamSheetsB, use the Backup or Restore Wizard to select the ProdData folder. Type \\ExamSheetsA\ProdData for the backup destination, and use the advanced backup options to select the Disable volume shadow copy check box.
C. On ExamSheetsA, use the Backup or Restore Wizard to select the ProdData folder.
Type \\ExamSheetsB\ProdDataBackUp for the backup destination.
D. On ExamSheetsA, use the Backup or Restore Wizard to select the ProdData folder. Type \\ExamSheetsA\ProdData for the backup destination.
Answer: C
Explanation:
To back up open files, the backup must use volume shadow copies, which is the default behaviour of the Windows Server 2003 Backup program: it takes a snapshot of the volume and backs up the files from the snapshot, so the production application is never interrupted. Therefore you only need to run the backup on ExamSheetsA with \\ExamSheetsB\ProdDataBackUp as the destination.
Incorrect Answers:
A: Shadow copies are needed to back up the open files, and they are enabled by default; selecting the Disable volume shadow copy check box would cause the files the application holds open to be skipped.
B: Running the backup on ExamSheetsB with \\ExamSheetsA\ProdData as the destination is backwards, and disabling volume shadow copy would skip the open files.
D: \\ExamSheetsA\ProdData is the wrong backup destination; it is the source.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 602
Question: 195
You are a network administrator for ExamSheets. All client computers run Windows XP Professional. You administer a Windows Server 2003 file server named ExamSheetsSrvC. ExamSheetsSrvC contains two volumes configured as drive G and drive H. Shared folders for the accounting department are stored on drive G. Shared folders for the marketing department are stored on drive G and on drive H. Drive H has sufficient space to store all of the shared folders with 400 GB of free space. The design team specifies the following requirements for the files in the marketing shared folders on ExamSheetsSrvC:
• The files must be backed up, even if they are open.
• Backups can be performed during business hours, if required.
• Users must be able to restore the files.
You need to create a plan that will allow the backup and recovery of folders and files in accordance with the requirements. You need to minimize data loss. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Customize all shared folders by using the Documents template.
B. Place all marketing shared folders on drive H. Enable Shadow Copies of Shared Folders on the volume.
C. Configure all backups by selecting the Disable volume shadow copy check box.
D. Install the Previous Versions client software on all marketing client computers.
E. Assign all users the Allow – Full Control NTFS permissions for the marketing shared folders.
Answer: B, D
Explanation:
The question states that drive H has sufficient space to hold all the files, with 400 GB left over to hold the shadow copies. Enabling Shadow Copies of Shared Folders on drive H gives users point-in-time copies they can restore themselves, and open files are captured because each copy is taken from a volume snapshot. The client computers need the Previous Versions client software to access the previous versions of the files.
Deploying the client software for shadow copies: the client software for Shadow Copies of Shared Folders is installed on the server in the %systemroot%\system32\clients\twclient directory. You can distribute the client software in a variety of ways; consider the various options before deployment. Several tools included in the Windows Server 2003 family, such as Group Policy, can make deploying and maintaining the client software easier. With the client installed, users can:
Recover files that were accidentally deleted. If you accidentally delete a file, you can open a previous version and copy it to a safe location.
Recover from accidentally overwriting a file.
If you accidentally overwrite a file, you can recover a previous version of the file.
Compare versions of a file while working. You can use previous versions when you want to check what has changed between two versions of a file.
Incorrect Answers:
A: Customizing the shared folders with the Documents template only changes how the folder is displayed; it is not necessary.
C: Volume shadow copy must stay enabled, not be disabled, in order to back up the open files.
E: It is not necessary to change the NTFS permissions on the marketing shared folders; Full Control would let every user delete or change anyone’s files and does nothing for backup or recovery.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, p. 602
Question: 196
You are a network administrator for ExamSheets. All client computers on the network run Windows XP Professional. You administer a Windows Server 2003 file server named ExamSheetsB. On ExamSheetsB, you create a shared folder named SharedDocs. SharedDocs contains data files. All client computers connect to the shared folder by using a mapped drive connected to \\ExamSheetsB\SharedDocs. ExamSheetsB is configured to support volume shadow copies. You install the Previous Versions client software on all client computers. You perform a full normal backup of ExamSheetsB every day, seven days per week. You need to document the recovery process to be used if a user accidentally deletes a file from SharedDocs. The process must allow you to recover the file as quickly as possible and to minimize data loss. Which process should you use?
A. On ExamSheetsB, restore the file from the normal backup that was performed on the day before the file was deleted. Use the advanced restore options to select the Replace existing files check box.
B. On ExamSheetsB, restore the file from the normal backup that was performed on the day before the file was deleted.
Use the advanced restore options to select the Preserve existing volume mount points check box.
C. Run the volume shadow copy command-line tool to list all shadow copies. Instruct the user to open the mapped drive and use the folder view options to expose hidden files.
D. Instruct the user to open the mapped drive and navigate to the folder from which the file was deleted. In the properties for the shared folder, select the Previous Versions tab. View the most recent version and navigate until the file is located. Restore the file by copying it to its new location.
Answer: D
Explanation:
Although shadow copies are taken for an entire volume, users must use shared folders to access shadow copies. Administrators on the local server must also specify the \\servername\sharename path to access shadow copies. If you or your users want to access a previous version of a file that does not reside in a shared folder, you must first share the folder. Note: if the deleted file was in the root of the share rather than in a subfolder, open the Previous Versions tab on the mapped drive (the share itself) and copy the file out of the most recent version there.
You can give users access to previous versions of files by enabling shadow copies, which provide point-in-time copies of files stored on file servers running Windows Server 2003. By enabling shadow copies, you can reduce the administrative burden of restoring previously backed up files for users who accidentally delete or overwrite important files. Shadow copies work for both open and closed files; therefore, shadow copies can be taken even when files are in use. Shadow copies work by making a block-level copy of any changes that have occurred to files since the last shadow copy. Only the changes are copied, not the entire file.
As a result, previous versions of files do not usually take up as much disk space as the current file, although the amount of disk space used for changes can vary depending on the application that changed the file. For example, some applications rewrite the entire file when a change is made, whereas other applications append changes to the existing file. If the entire file is rewritten to disk, the shadow copy contains the entire file. Therefore, consider the type of applications in your organization, as well as the frequency and number of updates, when you determine how much disk space to allocate for shadow copies. Incorrect answers: A: This option does not represent the quickest way to locate and restore an accidentally deleted file. B: Restoring the file from a normal backup is not the quickest way to locate and restore the file if it was deleted. Since ExamsheetsB is configured to support volume shadow copies, it would be quicker to locate and restore the deleted files from it. C: Listing all the shadow copies as suggested in this option does not represent the quickest way to recover a file it would be quicker to navigate amongst the most recent versions of shadow copies. This option also does not state anything regarding actually restoring the file. It stops after locating the file. Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 8, pp. 599-602 Question: 197 You are the network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. All domain controllers and servers run Windows Server 2003. Client computers in the human resources department run Windows XP Professional. 
Employees in the human resources department use the human resources client computers to transmit confidential data to the file servers. The network also contains kiosk computers. The kiosk computers are used by temporary employees to transmit data to file servers. The kiosk computers run Windows XP Professional. ExamSheets's written security policy requires that all data transmissions from the kiosk computers must be able to be monitored by using a protocol analyzer. You need to ensure that the confidential data transmissions to and from the human resources client computers remain confidential. You also need to ensure that you can detect any alterations in the data transmissions made by any computer. You need to comply with the written security policy. What should you do?
A. Use IPSec encryption on both the human resources client computers and the kiosk computers.
B. Use IPSec encryption on the human resources client computers and IPSec integrity on the kiosk computers.
C. Use IPSec integrity on the human resources client computers and IPSec encryption on the kiosk computers.
D. Use IPSec integrity on both the human resources client computers and the kiosk computers.
Answer: B
Explanation:
We want to monitor IPSec traffic. We cannot use ESP because it encrypts the IP header. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers. We need to use AH so that we can monitor network traffic and preserve the integrity of messages. If you need to provide both integrity and encryption for data confidentiality, select the Data integrity and encryption (ESP) check box. Then under Integrity algorithm, click None (for no data integrity; if you have AH enabled and want increased performance, you can choose this), MD5, or SHA1. Under Encryption algorithm, choose None, DES, or 3DES.
Using both AH and ESP is the only way to both protect the IP header and encrypt the data. However, this level of protection is rarely used because of the increased overhead that AH would incur for packets that are already adequately protected by ESP. ESP protects everything but the IP header, and modifying the IP header does not provide a valuable target for attackers. Generally, the only valuable information in the header is the addresses, and these cannot be spoofed effectively because ESP guarantees data origin authentication for the packets.
Incorrect Answers:
A: Making use of IPSec encryption alone is not enough to comply with the company's written security policy.
C: For all data transmissions from the kiosk computers to be monitored by using a protocol analyzer, IPSec integrity and IPSec encryption must be applied the other way round from what this option suggests.
D: Making use of IPSec integrity on both the human resources client computers and the kiosk computers will not comply with the company's written security policy.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, p. 735

Question: 198
You are the network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. All servers run Windows Server 2003. One of the domain controllers is configured as an enterprise root certification authority (CA). All client computers run Windows XP Professional.
ExamSheets uses IPSec to secure communications between computers in ExamSheets and computers at other companies. These IPSec connections require computer certificates. Your IPSec policies require every computer to be able to make an IPSec connection when connecting to other computers. You need to configure the network so that all computers can make IPSec connections. What should you do?
A. In the computer settings section of the Default Domain Policy Group Policy object (GPO), configure the domain members to always digitally encrypt or sign secure channel data.
B. Create a new automatic certificate request in the computer settings section of the Default Domain Policy Group Policy object (GPO).
C. Obtain a new computer certificate from a public CA. Import a copy of this certificate into the Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Issue a new computer certificate from your enterprise CA. Place a copy of this certificate on an internal Web page. Instruct users to install this certificate in their trusted certificate store the first time they need to make an IPSec connection.
Answer: D
Explanation:
Enterprise CAs are integrated into the Active Directory directory service. They use certificate templates, publish their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically. Because the clients of an enterprise CA must have access to Active Directory to receive certificates, enterprise CAs are not suitable for issuing certificates to clients outside the enterprise. Enterprise CAs require and use Active Directory to issue certificates, often automatically.
An IPSec connection comprises two modes: Main Mode and Quick Mode. Main Mode is the first part of an IPSec connection. In Main Mode, each computer authenticates to the other and then IKE is used to calculate the master key. All other keys are generated from the master key. An IKE security association (SA) is created over which Quick Mode can be negotiated. Quick Mode is the second phase of IPSec. In Quick Mode, agreement is reached for the encryption, integrity algorithms, and other policy settings. Two SAs are created, one incoming and one outgoing.
Incorrect Answers:
A: Always digitally encrypting or signing secure channel data does not necessarily ensure the ability to make IPSec connections.
B: An automatic certificate request in the computer settings section of the Default Domain GPO is not the solution.
C: Obtaining a new certificate from a public CA is not going to ensure that all computers will have the ability to make IPSec connections. What is needed is a new computer certificate issued from your enterprise CA, which should be installed in the users' trusted certificate store.
References:
J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 88
James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2004, p. 11: 15

Question: 199
You are the systems engineer for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. All servers on the network run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. All servers that are not domain controllers are located in an organizational unit (OU) named Servers.
All client computers used by administrative personnel are located in an OU named AdminDesktops. Both the Domain Controllers OU and the Servers OU have the Server (Request Security) IPSec policy applied. The AdminDesktops OU has the Client (Respond Only) IPSec policy applied. You implement remote administration for all servers on the network. All servers are configured to allow Remote Desktop connections for administration. The company's written security policy requires that the highest security levels possible must be enforced during remote administration of the servers. The Terminal Services encryption settings are set to High in the Default Group Policy object (GPO). Administrators who use Windows 2000 Professional computers soon report that they cannot establish Remote Desktop connections to the servers. Administrators can successfully establish network connections to shared resources on the servers. Administrators who use Windows XP Professional computers do not experience the same problem. You verify that the servers to which the administrators are attempting to connect are online and have Remote Desktop connections enabled. You also verify that the maximum number of remote connections has not been exceeded on any server. You need to ensure that all administrators can establish Remote Desktop connections to the servers regardless of which operating system is running on their client computers. What should you do?
A. In the properties for the Remote Desktop Protocol (RDP) connection on each server, set the encryption level to FIPS Compliant.
B. Deploy the Remote Desktop Protocol (RDP) 5.2 client software to the AdminDesktops OU.
C. On each server, use Terminal Services Manager to configure the servers to use standard Windows authentication.
D. Configure the Terminal Services permission compatibility to Relaxed Security.
Answer: B
Explanation:
Computers running earlier versions of Microsoft Windows, including Windows 2000 Server, Windows 2000 Professional, Windows NT 4.0, Windows 98, and Windows 95, cannot connect to Windows Server 2003 Terminal Services if they are using the old Terminal Server client. The clients cannot connect because the servers are using full security. Installing the new client version allows older Windows platforms to remotely connect to a computer running Windows XP Professional with Remote Desktop enabled.
In Windows Server 2003 you do not need to install Terminal Server. Instead, you can use Remote Desktop for Administration (formerly Terminal Services in Remote Administration mode), which is installed by default on computers running one of the Windows Server 2003 operating systems. After you enable remote connections, Remote Desktop for Administration allows you to remotely manage servers from any client over a LAN, WAN, or dial-up connection. Up to two remote sessions, plus the console session, can be accessed at the same time, without requiring Terminal Server Licensing.
Incorrect Answers:
A: If this setting is enabled, the security channel provider of the operating system is forced to use only the following security algorithm: TLS_RSA_WITH_3DES_EDE_CBC_SHA. This behavior forces the security channel provider to negotiate only the stronger Transport Layer Security (TLS) 1.0.
C: This setting specifies whether the connection defaults to standard Windows authentication when another authentication package has been installed on the server.
D: Relaxed security enables you to run programs that otherwise might not work at all in the more rigorous Full security mode. However, in Relaxed security mode (also known as Windows NT 4.0/Terminal Server Edition permissions compatibility mode), any user on the system can change files and registry settings in many places throughout the system, although other users' data files might not be visible. A malicious user could exploit this situation by replacing a known and trusted program with a program of the same name but some harmful intent. If the operating system on your terminal server was installed using the Upgrade method, the security mode might be set to Relaxed security. The question asks to provide the highest level of security.
References:
http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p. 11: 30

Question: 200
You are a systems engineer for ExamSheets. The network consists of four Active Directory domains. All servers on the network run Windows Server 2003. The Windows Server 2003 computers are distributed among three offices. All servers support out-of-band management by means of serial connections to terminal concentrators in each office's data center. Each office maintains its own separate connection to the Internet. The company adopts a new written security policy, which includes the following requirements:
• Physical access to all servers is restricted to authorized personnel and only for the purpose of installing or maintaining hardware.
• All in-band remote administration connections must be authenticated by the Kerberos version 5 protocol.
• Administrators in each office must be able to access their servers for remote administration or troubleshooting even when the operating system is not running or experiences a Stop error.
• Services or programs that are not essential for remote administration or server operation must not be installed on any computer.
You need to plan a remote administration strategy for the network that complies with the new policy. You are not responsible for permissions management in the domains. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Configure each server to accept Remote Desktop connections.
B. On each server, enable the Telnet service with a startup parameter of Automatic.
C. Install Terminal Services on each server.
D. On each server, enable Emergency Management Services.
E. Install IIS on each server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service.
Answer: A, D
Explanation:
Emergency Management Services is a new feature in Windows Server 2003 that permits you to perform remote management and system recovery tasks when the server is not available by using the standard remote administration tools and mechanisms. Emergency Management Services provides alternative access to a server when the server is not accessible through the standard connection methods, typically a network. Combined with the appropriate hardware, it lets you perform remote management and system recovery tasks even when the server is not available through the standard remote administration tools and mechanisms. To manage a server from a remote computer when the server is not available on the network, you must enable Emergency Management Services.
Emergency Management Services is a Windows Server 2003 service that runs on the managed server. This service is not enabled by default when you install the Windows Server 2003 operating system, but you can enable it during installation or at any later time. Emergency Management Services features are available when the Windows Server 2003 loader or kernel is at least partially running. You can access all Emergency Management Services output by using terminal emulator software that supports the VT100, VT100+, or VT-UTF8 protocols on the management computer, although VT-UTF8 is the preferred protocol. For more information about terminal emulator software and the supported protocols
Management Software for Out-of-Band Connections
Typically, you use terminal emulation software on the management computer to connect to and communicate with a server through an out-of-band connection. The two most common methods are the following:
• Use Telnet, or a secure alternative such as SSH, to connect to a terminal concentrator through an in-band connection, which then connects to the server through an out-of-band connection.
• Use HyperTerminal to connect directly to the server.
Remote Administration Using Terminal Services
In Microsoft Windows Server 2003 family operating systems, Terminal Services technology is the basis for several features that enable you to connect to remote computers and perform administrative tasks.
• Remote Desktop for Administration (formerly known as Terminal Services in Remote Administration mode) provides remote server management capabilities for Windows Server 2003 family operating systems. Using this feature, you can administer a server from virtually any computer on your network. No license is required for up to two simultaneous remote connections in addition to the server console session. A corresponding desktop version of Remote Desktop for Administration is available on Microsoft Windows XP Professional, and is called Remote Desktop.
• The Remote Desktops MMC snap-in allows you to create remote connections to the console session of multiple terminal servers, as well as computers running Windows 2000 or Windows Server 2003 family operating systems.
Remote Desktop Connection, available on Windows Server 2003 family operating systems as well as on Microsoft Windows XP operating systems, enables you to log on to a remote computer and perform administrative tasks, even from a client computer that is running an earlier version of Windows.
References:
MS Knowledge Base article 815273, HOW TO: Perform an Unattended Emergency Management Services Installation of Windows Server 2003
MS Windows Server 2003 Planning Server Deployments, Emergency Management Services
Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8: 13

Question: 201
You are a network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. The network contains two Windows Server 2003 domain controllers. All servers run Windows Server 2003, and all client computers run Windows XP Professional. You install a wireless network. You discover that the coverage for the executive offices is very poor. You need to improve wireless coverage for the executive team in their office area. The design team specifies the following requirements for the executive team:
• Executives must be able to access the wireless network in all locations in the building, including their offices.
• Non-executive employees may use wireless access points in the executive office area only if other access points are unavailable.
You need to develop a plan to improve the coverage in the executive offices. You need to implement your plan by using the minimum amount of administrative effort. What should you do?
A. Use the Connection Manager Administration Kit (CMAK) wizard to create new service profiles. One profile will be used for executives only. Send an e-mail message that contains the proper profiles to the proper users.
B. Use the Windows Management Instrumentation command-line tool with the NIC and the NICCONFIG aliases.
C. Install new access points for the executive team with a new dedicated service set identifier (SSID). Use wireless network policies to control use of the SSIDs on the wireless network.
D. Install new access points for the executive team with a new dedicated service set identifier (SSID). Use wireless network policies to control access for ad hoc networks.
Answer: C
Explanation:
The Network name (SSID) specifies the name for the specified wireless network. Under the IEEE 802.11 standard, the network name is also known as the Service Set Identifier (SSID). To distinguish different wireless networks from one another, the 802.11 standard defines the service set identifier (SSID). The SSID can be considered the identity element that "glues" various components of a wireless local area network (LAN) together. Traffic from wireless clients that use one SSID can be distinguished from other wireless traffic using a different SSID. Using the SSID, an AP can determine which traffic is meant for it and which is meant for other wireless networks. We will need to set up two different Network names (SSIDs), one for users and one for executives.
We can also enhance the deployment and administration of wireless networks by using Group Policy to centrally create, modify, and assign wireless network policies for Active Directory clients. Thus installing new access points with a new dedicated service set identifier (SSID) for the executive team and making use of policies to control the use of the SSIDs on the wireless network involves the least amount of administrative effort to accomplish the task at hand.
Incorrect Answers:
A: This option involves far more administrative effort than is necessary.
B: There is no need to make use of the WMI command line when all that is necessary is to install new access points with new SSIDs and make use of a wireless network policy to control their use.
D: The network policies should be used to control the use of SSIDs on the wireless network, not to control access for ad hoc networks.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, pp. 801-802

Question: 202
You are the network administrator for ExamSheets. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are connected to the network by using a wireless access point. You configure a certification authority (CA). You require certificate-based IEEE 802.1x authentication on the wireless access point. You need to enable all computers to communicate on the wireless network. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Enter a 128-bit Wired Equivalent Privacy (WEP) key on the wireless access point and on the computers.
B. In the Wireless Network Connection properties on each computer, select the The key is provided for me automatically check box.
C. Temporarily connect each computer to an available Ethernet port on the wireless access point and install a computer certificate.
D. Install a computer certificate on each computer by using a floppy disk.
Answer: C, D

Question: 203
You are the network administrator for ExamSheets. The network consists of a single Active Directory domain named ExamSheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. The users in the accounting department use their client computers to access confidential files over the network. The files must not be altered by unauthorized users as the files traverse the network. You need to secure the data transmissions to and from client computers in the accounting department. You also need to be able to monitor the traffic on the network and report to IT management the percentage of bandwidth used for each protocol. What should you do?
A. Use IPSec encryption.
B. Use Server Message Block (SMB) signing.
C. Use NTLMv2 authentication.
D. Use the Kerberos version 5 authentication protocol.
Answer: B
Explanation:
Server Message Block (SMB) signing determines whether the computer always digitally signs client communications. The Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional authentication protocol Server Message Block (SMB) supports mutual authentication, which closes a "man-in-the-middle" attack, and supports message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. We can't use IPSec "encryption" because this uses ESP to encrypt the IP header. If we use IPSec encryption, we won't be able to monitor the traffic.
We could use IPSec "integrity" but that isn't listed as an option. Instead, we should use Server Message Block (SMB) signing.
Incorrect Answers:
A: IPSec makes use of ESP and AH. Because ESP encrypts the IP header, we cannot make use of IPSec, as monitoring would then not be possible.
C, D: Highly secure templates shut down NTLM communication as well as Kerberos communication. There would thus not be anything to monitor.
Reference: Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13: 59

Question: 204
You are the network administrator for ExamSheets. The network includes a perimeter network. The perimeter network consists of a single Active Directory domain named ExamSheets.net. The domain contains four Windows Server 2003 Web servers configured as a Network Load Balancing cluster. The cluster hosts an Internet e-commerce Web site. You upgrade the Web site to require users to log on in order to gain full access to the site. You will use Active Directory to store the user accounts. Web site users may access the site by using various Web browsers. You need to enable and require SSL when users log on to the Web site. You need to minimize the administrative impact for users of the Web site. What should you do?
A. Obtain a Web server certificate from an external certification authority (CA) that is widely trusted on the Internet. Install the certificate on each Web server in the cluster.
B. Configure a stand-alone certification authority (CA) in the perimeter network. Obtain a Web certificate from the CA. Install the certificate on each Web server in the cluster.
C. Install Certificate Services on each Web server in the cluster, and configure each Web server as an enterprise certification authority (CA). Configure certificate autoenrollment for all users.
D. Install Certificate Services on each Web server in the cluster, and configure each Web server as a stand-alone certification authority (CA). Configure Web-based certificate enrollment for users.
Answer: A
Explanation:
To enable SSL on the Web cluster we need a Web server certificate. The Web site is a publicly accessible site, so the Web server certificate needs to be trusted by the public computers. We should use a Web server certificate from an external certification authority (CA) that is widely trusted on the Internet, such as VeriSign.
Incorrect Answers:
B: The public client computers will display a message saying that the server certificate isn't trusted.
C: The Web server needs a Web server certificate from an external certification authority. It doesn't need to be a CA.
D: The Web server needs a Web server certificate from an external certification authority. It doesn't need to be a CA.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, pp. 882-884
Knowledge Base articles:
How to Configure Certificate Server for Use with SSL on IIS, KB 218445
HOW TO: Configure IIS Web Site Authentication in Windows Server 2003, KB 324274
HOW TO: Load Balance a Web Server Farm Using One SSL Certificate in IIS, KB 313299

Question: 205
You are the network administrator for ExamSheets. All servers run Windows Server 2003. ExamSheets has 1,000 users that need to use certificates for secure e-mail.
ExamSheets also uses certificates for Encrypting File Systems (EFS) and for authentication to Web-based applications that are located in the perimeter network. ExamSheets is legally required to maintain access to files and e-mail messages even after employees leave ExamSheets. ExamSheets also has internal requirements stating that administrators must be able to restore lost certificate keys for network users. You need to provide a backup and recovery plan to be used in the event that users accidentally delete or lose their certificates and the associated private keys. You need to plan the steps for configuring the certification authority (CA) to issue user certificates for EFS, secure e-mail, and client authentication. Your plan must also provide all requirements for Page 218 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 recovering private keys for user certificates. Your plan must minimize administrative effort. Which three actions should you take? (Each correct answer presents part of the solution. Choose three) A. Create a key recovery agent and acquire the Key Recovery Agent certificate for the account. B. Configure the CA with a policy module that requires the administrator to explicitly issue certificates. C. Configure the CA to allow key archival. D. Create a new certificate template that has the proper application policies and allows key archiving. Add the certificate template to the CA. Allow authenticated users to enrol for certificates by using the new certificate template. E. Configure the certificate template to supersede the Domain Controller Authentication Certification template. Answer: A, C, D Explanation: Windows Server 2003 provides a locksmith of sorts (called a Registration Authority, or RA) that earlier versions of Windows did not have. 
A key recovery solution, however, is not easy to implement and requires several steps. The basic method is as follows: 1. Create an account to be used for key recovery. 2. Create a new template to issue to that account. 3. Request a key recovery certificate from the CA. 4. Have the CA issue the certificate. 5. Configure the CA to archive certificates by using the Recovery Agents tab of the CA property sheet 6. Create an archive template for the CA. Key archival and recovery rely on a version 2 template, which is only available in Windows Server 2003 Enterprise or datacenter Editions. Incorrect answers: B: The CA should be configured to allow key archival not a policy module that requires the administrator to explicitly issue certificates. E: This option will not minimize administrative effort under the given circumstances. Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 884 Question: 206 You are a network administrator for ExamSheets. All servers run Windows Server 2003. The company uses a public key infrastructure (PKI) enabled sales application that enforces strong certificate revocation list (CRL) checking. On average, 100,000 users require access to this application. A stand-alone root certification authority (CA) is configured to issue certificates to users. Certificate Services is configured as shown in the exhibit. Page 219 of 240 Exam Name: Exam Type: Doc Type: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Microsoft Exam Code: 70-293 Q & A with Explanations Total Questions: 223 Certificates you issue are valid for three years. You issue and revoke approximately 10,000 certificates per month for 12 months. 
After 12 months, users begin to report delays when they open the sales application. You discover that the delays occur periodically. You need to improve the performance when users open the sales application. What should you do?
A. Configure Certificate Services to publish the delta CRL daily and the base CRL monthly.
B. Configure Certificate Services to publish the base CRL to a Web server on the network. Include this location in the CRL distribution point of certificates.
C. Configure a subordinate CA. Instruct new users to enroll for certificates by using this CA.
D. Configure Certificate Services to publish the base CRL daily and the delta CRL monthly.

Answer: A

Explanation:
The CRL is a list of certificates that are expired or invalid, and it is made available so that network users can identify whether certificates they receive are valid. CRLs can become very long on large CAs that have experienced significant amounts of certificate revocation. This can become a burden for clients to download frequently. To help minimize frequent downloads of lengthy CRLs, delta CRLs can be published. This allows the client to download the most current delta CRL and combine it with the most current base CRL to have a complete list of revoked certificates. Because the client will normally have the base CRL cached locally, the use of delta CRLs can potentially improve performance. A delta CRL is a list containing only the certificates that have been revoked since the last base certificate revocation list was published. Delta lists enable new additions to a CRL to be published without the need to publish the entire CRL again. Much like an incremental backup, this advancement helps optimize network speed and simplifies the distribution of CRLs.

Incorrect Answers:
B: Configuring Certificate Services to publish the base CRL to a Web server on the network will not ensure that you have a current, up-to-date revocation list, and network performance will thus not be improved.
C: Any certification authority that is established after the root CA is a subordinate CA. Subordinate CAs gain their authority by requesting a certificate from either the root CA or a higher-level subordinate CA. They are certified by the root authority, which binds their public key to their identity. Just as the root CA can issue and manage certificates and certify child CAs, a subordinate CA can also perform these actions and certify CAs that are subordinate to it in the hierarchy. However, since many certificates are revoked on a monthly basis, it will not improve performance if new users enroll for certificates using subordinate CAs. This will only result in even more revocations.
D: Publishing the base CRL on a daily basis and the delta CRL on a monthly basis will not improve performance. It should rather be done the other way round.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp. 71-72, 872
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 32

Question: 207
You are a network administrator for ExamSheets.net. Your network consists of a single Active Directory domain named ExamSheets.net. All servers run Windows Server 2003. The company has users who work in the main office and users who work remotely by connecting to a server running Routing and Remote Access. The company’s written security policy requires that administrators in the main office log on by using smart cards.
The written security policy also requires that remote users use smart cards to access network resources. No other users are required to use smart cards. You issue portable computers that contain smart card readers to administrators and remote users. You issue smart cards to administrators and remote users. Administrators and remote users report that they can log on without using a smart card. You need to ensure that only administrators are required to use smart cards when working in the main office. You must also ensure that remote users are required to use smart cards when accessing network resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. In the computer configuration settings of the Default Domain Policy Group Policy object (GPO), enable the Interactive logon: Require smart card setting.
B. On the server running Routing and Remote Access, select the Extensible authentication protocol (EAP) check box and require smart card authentication.
C. In the properties of each administrator account, select the Smart Card Required for Interactive Logon check box.
D. In the computer configuration settings of the Default Domain Controllers Policy Group Policy object (GPO), enable the Interactive logon: Require smart card setting.
E. In the properties of each user account that requires remote access, select the Smart Card Required for Interactive Logon check box.

Answer: B, C

Explanation:
We can require remote users to log on using smart cards only by configuring the RRAS server that the remote users connect to so that it requires smart card authentication. We can configure the administrators’ user accounts to require smart cards for interactive logons. This setting is defined in the user properties in Active Directory Users and Computers.

Incorrect Answers:
A: This would require that all users log on using a smart card.
D: This would require that users use a smart card to log on only to the domain controllers. The administrators must use smart cards to log on to any machine in the domain.
E: This would require that the remote users log on using a smart card to any machine. They don’t need a smart card logon if they are using a machine in the office.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7-9 to 7-10
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc., Alameda, 2003, p. 655

Question: 208
You are a network administrator for ExamSheets.net. The network consists of a single Active Directory domain named ExamSheets.net. All servers run Windows Server 2003. Most of the client computers are located in the offices of individual users. Some client computers are located in publicly accessible locations. The company’s written security policy includes the following requirements:
• All users must use smart cards to log on to a client computer.
• Users using the publicly accessible client computers must be logged off if the smart card is removed from the smart card reader.
You configure all user accounts to require smart cards for interactive logon. You create an organizational unit (OU) named Public. You need to ensure that the appropriate result occurs on each client computer when a smart card is removed. You must achieve this goal without affecting other computers. What should you do?
A. Place all computer accounts for the publicly accessible client computers in the Public OU.
Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive logon: Smart card removal behavior setting to Force Logoff.
B. Place the user accounts of all users who use the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive logon: Smart card removal behavior setting to Force Logoff.
C. On the Default Domain Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force Logoff.
D. On the Default Domain Controllers Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force Logoff.

Answer: A

Explanation:
We can place the public computers in the Public OU; this will enable us to apply a Group Policy to the public computers. The question states that users must be logged off if the smart card is removed from the smart card reader. There is a specific setting in Group Policy for this. We can configure the Interactive logon: Smart card removal behavior setting to Force Logoff.

Incorrect Answers:
B: This is a computer setting, not a user setting.
C: This will force logoff of all users in the domain. Only users of the public computers should be logged off when they remove their smart cards.
D: This will force logoff of all users who log on to a domain controller. Only users of the public computers should be logged off when they remove their smart cards.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-4 to 10-12, 10-15

Question: 209
You are the network administrator for ExamSheets. The network consists of a single-domain Active Directory forest and a single Windows NT 4.0 domain. The functional level of the forest is Windows 2000. The Active Directory domain contains computer accounts and two Windows Server 2003 domain controllers. The Active Directory domain also uses Group Policy objects (GPOs). The Windows NT 4.0 domain contains user accounts. The Windows NT 4.0 domain also uses System Policy to configure users’ computers. You no longer want the settings that were configured by using the system policies applied to computers. What should you do?
A. Create a new system policy that contains user configuration settings that reverse the previous system policies. Replace the old system policies with the new system policies.
B. Create a new GPO that contains user configuration settings that reverse the previous system policies. Apply the new GPO to the Active Directory domain.
C. Raise the functional level of the Active Directory domain to Windows Server 2003 interim.
D. Raise the functional level of the forest to Windows Server 2003 interim.

Answer: A

Explanation:
Unlike Windows 2000 (or later) GPOs, Windows NT system policy settings stay in place even after the system policy is removed. To remove the system policy settings, we must create another system policy that reverses the settings from the previous system policies.

Incorrect Answers:
B: Group Policy Objects (GPOs) have no effect on Windows NT computers.
C: The functional level of the forest or domain will have no effect on the computers in the Windows NT domain.
D: The functional level of the forest or domain will have no effect on the computers in the Windows NT domain.

Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 830

Question: 210
You are a network administrator for ExamSheets. The network contains a Windows Server 2003, Enterprise Edition file server named ExamSheets3 that contains two volumes configured as drive H and drive J. Drive H contains 40 GB of unused space and drive J contains 12 GB of unused space. ExamSheets3 contains the shared folders shown in the following table. Each file in the ExamSheetsData folder is modified or deleted every seven days on average, and new files are added frequently. Users often request that prior versions of files be restored from backup tapes. All users have Windows XP Professional computers. You want to enable users to restore prior versions of modified or deleted files in the ExamSheetsData folder. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Enable Shadow Copies of Shared Folders on drive J and configure an 8-GB storage area on drive J.
B. Enable Shadow Copies of Shared Folders on drive J and configure a 20-GB storage area on drive H.
C. Enable automatic caching of documents for ESData.
D. Enable manual caching of documents for ESData.
E. Install Twcli32.msi on each user’s client computer.
F. Install Adminpak.msi on each user’s client computer.

Answer: B, E

Explanation:
To store the shadow copies of another volume on the same file server, a volume can be dedicated on separate disks. For example, if user files are stored on H:\, another volume such as S:\ can be used to store the shadow copies. Using a separate volume on separate disks provides better performance and is recommended for heavily used file servers.
Note: If shadow copies are stored on the same volume as the user files, a burst of disk input/output (I/O) can cause all shadow copies to be deleted. If the sudden deletion of shadow copies is unacceptable to administrators or end users, it is best to use a separate volume on separate disks to store shadow copies.
Windows Server 2003 includes the client software for Volume Shadow Copy in its %Systemroot%\System32\Clients\Twclient folder. The client software to access previous versions of files is Twcli32.msi. This needs to be installed on every client computer.
This is a difficult question because answer A or B will work. We need to decide which disk to store the shadow copies on. Drive H has enough spare space. With more space, we can store more shadow copies. Also, placing the shadow copies on a separate disk or volume provides better performance.

Incorrect Answers:
C, D: This is not a caching concern that will address the issue. You should rather enable shadow copies so that users can restore prior versions of modified and deleted files.
F: Adminpak.msi can be used to repair console issues related to file corruption and software deployment, but in this case you would need Twcli32.msi.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 6: 41
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 3: 10

Question: 211
You are the network administrator for a new branch office of Examsheets.
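Answers B and E carried out from the command line rather than from the Shadow Copies tab, as an added example that is not part of the study guide. It assumes an elevated session on ExamSheets3 and uses the documented vssadmin and schtasks syntax; the daily 07:00 schedule and the \\ExamSheets3\Twclient share are assumptions made for this example.

```powershell
# Added example (not from the study guide): configure Shadow Copies of Shared
# Folders for drive J: with a 20 GB storage area on drive H:, as in answer B.
# Drive letters and the 20 GB cap come from the question; the snapshot schedule
# and the client install share below are constructed for this example.

# 1. Put the shadow copy storage area for J: on the separate volume H:, capped at 20 GB.
#    A separate volume avoids the same-volume I/O burst that can purge every copy.
vssadmin Add ShadowStorage /For=J: /On=H: /MaxSize=20GB

# 2. Take the first snapshot so that "Previous Versions" has something to show.
vssadmin Create Shadow /For=J:

# 3. Confirm the storage association (J: on H:, 20 GB max) and the snapshot list.
vssadmin List ShadowStorage
vssadmin List Shadows /For=J:

# 4. Snapshot daily at 07:00 as System. The Shadow Copies tab creates an equivalent
#    scheduled task; this one is hand-made (assumed schedule). Files change about
#    every seven days, so a daily point-in-time copy catches each version before it
#    is overwritten or deleted.
schtasks /Create /TN "ShadowCopy_J" /TR "vssadmin Create Shadow /For=J:" /SC DAILY /ST 07:00 /RU System

# 5. Clients (answer E): install the Previous Versions client from the server's
#    Twclient folder. \\ExamSheets3\Twclient is an assumed share of that folder.
#    Run once on each Windows XP Professional client:
#    msiexec /i "\\ExamSheets3\Twclient\Twcli32.msi" /qn
```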
The office network is connected to the Internet by a T1 line. Examsheets’s Internet service provider (ISP) gives you a single public IP address and provides firewall services to protect the office network. The office network includes five Windows XP Professional client computers and a Windows Server 2003 computer named ExamsheetsA. All client computers are configured to use DHCP to obtain their IP configuration settings. ExamsheetsA is configured as a DHCP server and contains two network adapters. You connect one network adapter to the ISP connection, and you connect the other network adapter to the office network. You want to configure ExamsheetsA so that client computers can access the Internet. Which two courses of action should you take? (Each correct answer presents part of the solution. Choose two.)
A. Remove the DHCP Server service.
B. Install the DNS Server service.
C. Run the route command to add a route to the internal network.
D. Assign the public IP address to the external network adapter. Install and configure Routing and Remote Access.

Answer: B, D

Explanation:
We have a single public IP address from the ISP. This should be assigned to the external network adapter. This will enable the server to send and receive data on the Internet. The LAN clients will use private IP addresses. We need to install the Routing and Remote Access service on the server and configure NAT (Network Address Translation). This will enable the server to route traffic between the Internet and the LAN. We need to install the DNS service on the router so that the clients can resolve external (Internet) host names.

Incorrect Answers:
A: It is not necessary to remove the DHCP service.
C: We do not need to add a route into the internal network. The question doesn’t say that people will be connecting to the LAN computers from the Internet.

Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 23-28

Question: 212
You are a network administrator for Examsheets. The network consists of 20 Active Directory domains. All servers run Windows Server 2003. Examsheets has 240 offices. Each office is configured as an Active Directory site. Examsheets has a branch office that contains four users. User objects for these users are stored in the australia.Examsheets.net domain. The branch office is connected to the corporate network by a 56-Kbps WAN connection. The branch office contains a domain controller named Examsheets17 that is configured as an additional domain controller for the australia.Examsheets.net domain. An Active Directory site is configured for the branch office. Examsheets17 is a member of this site. An IP site link exists between the branch office and the main office. The WAN connection is available only during business hours. Users in the branch office report slow response times on the WAN connection. You examine the WAN connection and discover that the problem is caused by Active Directory replication. You need to improve the performance of the WAN connection. What should you do?
A. Configure Examsheets17 as a global catalog server.
B. Enable universal group membership caching in the branch office.
C. Remove Active Directory from Examsheets17 and configure Examsheets17 as a member server.
D. On the site link that connects the branch office to the corporate network, increase the replication interval.

Answer: D

Explanation:
The branch office contains a domain controller from the australia.Examsheets.net domain. Replication between this domain controller and a domain controller at the main office is using up the bandwidth of the 56-Kbps link between the two sites. We can reduce the WAN link usage by increasing the replication interval, thus ensuring that replication across the WAN link occurs less frequently.

Incorrect Answers:
A: Configuring Examsheets17 as a global catalog server will increase the bandwidth used by replication.
B: Enabling universal group membership caching in the branch office won’t decrease the bandwidth used by replication.
C: It is not necessary to demote Examsheets17 to a member server. Furthermore, this would cause logon authentication traffic to go over the WAN link.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 36

Question: 213
You are the network administrator for Examsheets Ltd. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest contains a root domain named Examsheets.net and two child domains named scotland.Examsheets.net and wales.Examsheets.net. All domain controllers run Windows Server 2003. Each domain contains a DNS server. The DNS server in Examsheets.net is named EXAMSHEETSDNS1, the DNS server in scotland.Examsheets.net is named EXAMSHEETSDNS2, and the DNS server in wales.Examsheets.net is named EXAMSHEETSDNS3. Each DNS server in a child domain is responsible for name resolution in only its domain. The TCP/IP properties of all client computers in the child domains are configured to use only the DNS server in the domain. All records of all DNS servers are stored in Active Directory. You create a new application directory partition named DNSdata.Examsheets.net. You enlist EXAMSHEETSDNS1 and EXAMSHEETSDNS2 in this application directory partition.
You need to enable all users in Examsheets.net to access resources in the scotland.Examsheets.net domain by using host names. Users in the Examsheets.net domain do not need to access resources in the wales.Examsheets.net domain. You need to configure the zone replication scope of the scotland.Examsheets.net domain at EXAMSHEETSDNS2. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer: Select the fourth radio button.

Explanation:
The application directory partition DNSdata.Examsheets.net contains a DNS server from Examsheets.net and one from scotland.Examsheets.net. By configuring the DNS information from the DNS server in scotland.Examsheets.net to be replicated to the DNS server in Examsheets.net, we will enable users in Examsheets.net to locate resources in scotland.Examsheets.net.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 36

Question: 214
You are the network administrator for Examsheets. Two of Examsheets’s customers are Contoso Pharmaceuticals and City Power and Light. Your domain infrastructure is shown in the exhibit. All users in the Examsheets.net domain need to access resources in the contoso.com domain. Some users in the Examsheets.net domain need to access resources in the sales.cpandl.com domain. No users in the Examsheets.net domain need to access resources in the sales.contoso.com domain. Although a two-way trust relationship exists between the Examsheets.net and cpandl.com domains, you discover that the users in the Examsheets.net domain cannot access resources in the sales.cpandl.com domain. You need to ensure that all users in the Examsheets.net domain can access the appropriate resources in the other forests. What should you do?
A. Enable the routing status of the sales.contoso.com name suffix on the forest trust from Examsheets.net to contoso.com. Disable the routing status of the sales.cpandl.com name suffix on the forest trust from Examsheets.net to cpandl.com.
B. Disable the routing status of the sales.contoso.com name suffix on the forest trust from Examsheets.net to contoso.com. Enable the routing status of the sales.cpandl.com name suffix on the forest trust from Examsheets.net to cpandl.com.
C. Enable the routing status of the sales.contoso.com name suffix on the forest trust from Examsheets.net to contoso.com. Enable the routing status of the sales.cpandl.com name suffix on the forest trust from Examsheets.net to cpandl.com.
D. Disable the routing status of the sales.contoso.com name suffix on the forest trust from Examsheets.net to contoso.com. Disable the routing status of the sales.cpandl.com name suffix on the forest trust from Examsheets.net to cpandl.com.

Answer: B

Explanation:
A forest trust must be explicitly created by a systems administrator between two forest root domains. This trust allows all domains in one forest to transitively trust all domains in another forest. A forest trust is not transitive across three or more forests. For example, if forest A trusts forest B and forest B trusts forest C, there is no trust relationship between forest A and forest C. The trust is transitive between two forests only and can be one-way or two-way. Forest trusts are only available when the forest is at the Windows Server 2003 functional level. Following this argument, it is clear that you should disable the routing status of the sales.contoso.com name suffix on the forest trust from Examsheets.net to contoso.com and then enable the routing status of the sales.cpandl.com name suffix on the forest trust from Examsheets.net to cpandl.com. This should ensure that all users in the Examsheets.net domain can access the appropriate resources in the other forests.

Incorrect Answers:
A, C, D: Forest trusts are not transitive over three or more forests. Thus these options will result in some of the resources being inaccessible to the Examsheets.net domain users.

References:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 27
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/enu/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/enus/x_c_forestauthentication.asp

Question: 215
You are the network administrator for Examsheets. The company needs to implement a Web application that uses two Microsoft SQL Server 2000 database instances. You expect the size of each database instance to be between 200 GB and 300 GB at any given time. Several tables in each database contain data that is updated once every few seconds, on average. You estimate that each database instance requires 7 GB of memory, and that each instance requires 70 percent usage of four CPUs, on average. Using two servers, ExamsheetsSQL1 and ExamsheetsSQL2, you need to plan the minimum highly available server infrastructure for the databases that meets the requirements.
You also want to minimize the costs and administrative effort required to maintain the infrastructure. What should you do? To answer, drag the appropriate configuration settings to the Cluster Configuration.

Answer:

Explanation:
We are running two different databases, so we need a Cluster Service cluster rather than a Network Load Balancing cluster (we can only use NLB if the two servers are hosting identical content). For a Cluster Service cluster, we need to use Windows Server 2003 Enterprise Edition. We need to ensure that the database will still run if one of the cluster nodes fails. Therefore each cluster node will need enough resources to run both databases. Each database requires four CPUs, so each cluster node must have 8 CPUs in order to run both databases in the event of a cluster node failure. Each database requires 7 GB of RAM, so each cluster node must have at least 14 GB of RAM in order to run both databases in the event of a cluster node failure (our only option above 14 GB of RAM is to put 16 GB of RAM in each cluster node).

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 5

Question: 216
You are a network administrator for Examsheets. Examsheets is developing a new Web application that connects to an SQL back-end environment. The design team decides that the new application must be fault tolerant. You interview the Web developers and the SQL administrators to establish the size of the environment. The Web developers state that they need at least three Web servers to share the load. Each Web server requires two processors and 1 GB of RAM. The Web developers state that if one of the Web servers fails, the Web application can run for several hours in a degraded state. Responsiveness will be below specifications in a degraded state. The SQL administrators state that they need two Microsoft SQL Server computers to support the new application. They want the SQL Server environment to be redundant. Each SQL Server computer requires four processors and 3 GB of RAM. The SQL administrators state that only one SQL Server computer is required to maintain the application. You need to ensure that two of the Web servers and one of the SQL Server computers are always available. You need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Install Windows Server 2003, Web Edition on all three Web servers. Connect all three servers by using Network Load Balancing.
B. Install Windows Server 2003, Standard Edition on all three Web servers. Connect all three servers by using Network Load Balancing.
C. Install Windows Server 2003, Enterprise Edition on all three Web servers. Install a shared fiber-attached disk array for the Web servers. Implement a three-node server cluster for the Web servers. Configure the cluster so that all three nodes are active.
D. Install Windows Server 2003, Standard Edition on both SQL Server computers. Connect the SQL Server computers by using Network Load Balancing.
E. Install Windows Server 2003, Enterprise Edition on both SQL Server computers. Connect the SQL Server computers by using Network Load Balancing.
F. Install Windows Server 2003, Enterprise Edition on both SQL Server computers. Install a shared fiber-attached disk array for the SQL Server computers. Implement a two-node server cluster for the SQL servers. Configure the cluster so that one node is active and the second node is a hot standby node.

Answer: A, F

Explanation:
For the Web servers we can use three servers connected by Network Load Balancing. We can use Network Load Balancing because the content will be the same on the Web servers. Windows Server 2003 Web Edition supports Network Load Balancing. For the SQL servers we need a two-node server cluster. For a server cluster, we need Windows Server 2003 Enterprise Edition.

Incorrect Answers:
B: Windows Server 2003 Web Edition supports Network Load Balancing. We don’t need Windows Server 2003, Standard Edition.
C: We can use Network Load Balancing because the content will be the same on the Web servers. We don’t need a server cluster.
D: We cannot use Network Load Balancing for the SQL servers. Network Load Balancing should only be used when you have static content.
E: We cannot use Network Load Balancing for the SQL servers. Network Load Balancing should only be used when you have static content.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 5

Question: 217
You are a network administrator for Examsheets. The network design team decides that the DNS Server service must always be available. The network design team requires that all computers on the network must always access the DNS Server service by using a single IP address. TCP/IP configurations for client computers and servers will contain a single DNS entry. The DNS Server service must be authoritative for all host and service locator (SRV) resource records for the network. The DNS Server service must maintain all records in the event that there is a hardware failure of the DNS server. You need to deploy DNS on the network.
You need to comply with the network design team’s requirements. What should you do?

A. Deploy DNS by using the Cluster service to configure a two-node server cluster in a failover configuration.
B. Deploy DNS by using the Cluster service to configure a two-node server cluster that hosts DNS on both nodes simultaneously.
C. Deploy DNS stub zones by using Network Load Balancing.
D. Deploy multiple DNS servers that host secondary zones that are load balanced by using Network Load Balancing.

Answer: A

Explanation:
We can use the Cluster service to configure a two-node server cluster in a failover configuration. Using the failover configuration, if one machine fails, the other machine will continue to run.

Incorrect Answers:
B: This configuration will not work.
C: We need a primary zone, not a stub zone. The DNS Server service must be authoritative for all host and service locator (SRV) resource records for the network.
D: We need a primary zone, not secondary zones. The DNS Server service must be authoritative for all host and service locator (SRV) resource records for the network.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7: 5

Question: 218
You are a network administrator for Examsheets. The company has a main office and one branch office. The network consists of a single Active Directory domain named Examsheets.net. The network contains three Windows Server 2003 domain controllers: Examsheets1, Examsheets2, and Examsheets4. You configure two Active Directory sites, one for the main office and one for the branch office. The network is shown in the exhibit. The domain controllers are backed up each night by using a normal backup that also captures the system state. You are responsible for creating a domain controller recovery plan to be used if a domain controller fails in either office. The design team specifies that the domain controller recovery plan must minimize replication traffic across the link between the network in the main office and the network in the branch office. The plan must also minimize restoration time. You need to include in your recovery plan the process for restoring Active Directory services if any of the domain controllers suffers a hardware failure. Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two.)

A. Restore the system state of any domain controller to an available member server in the same network subnet.
B. Perform an authoritative restore operation on a functioning domain controller.
C. On an available member server in the same network subnet as the failed domain controller, run the dcpromo /adv command and select the Over the network option.
D. On an available member server in the same network subnet as the failed domain controller, run the dcpromo /adv command and select the From these restored backup files option.

Answer: A, D

Explanation:
For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to prepopulate Active Directory with System State data backed up from an existing domain controller. This backup can be present on a local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link. To use the install from media feature, you first create a backup of System State from the existing domain controller, and then restore it to the new domain controller by using the Restore to: Alternate location option. In this scenario, we can restore the system state data to a member server, then use that restored system state data to promote the member server to a domain controller.

Incorrect Answers:
B: We do not want to authoritatively restore the data. There is also no need to restore anything to a functioning domain controller.
C: The Over the network option is incomplete. The full option is Over the network from a domain controller. We want to create a domain controller from the restored files.

References: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27

Question: 219
You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. You are responsible for planning the backup and recovery of all servers and services for Examsheets. A Windows Server 2003 computer named Examsheets4 runs the enterprise root certification authority (CA). No subordinate CAs are installed on the network. You need to create a plan to back up and restore the CA database.
Your plan must ensure that the database and log files can be completely recovered in the event that the database is corrupted. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. On Examsheets4, use the Certificates console to export all Trusted Root Certification Authorities certificates. On Examsheets4, use the Certificates console to import the certificates to the Trusted Root Certification Authorities node.
B. On Examsheets4, run the certreq command with the –submit option. On Examsheets4, run the certreq command with the –retrieve option.
C. On Examsheets4, use the Certification Authority snap-in to back up the CA. On Examsheets4, use the Certification Authority snap-in to restore the CA.
D. On Examsheets4, run the certutil command with the –backup option. On Examsheets4, run the certutil command with the –restore option.

Answer: C, D

Explanation:
C: Certificate needs are based upon which applications and communications an organization uses and how secure they need to be. Based on these needs, CAs are created by installing Certificate Services and are managed using the Certification Authority snap-in. The options on the Certificate Managers Restrictions tab enable you to grant or deny each administrator’s capability to manage users, groups, and computers. Renewing the CA’s certificate is a capability given only to the CA administrator with Manage CA permission. The Certification Authority snap-in is available only for the CA.
D: You can back up and restore the database and keys with the certutil command-line utility:
certutil -backupDB -- Backup Certificate Services database
-backupKey -- Backup Certificate Services certificate and private key
-restore -- Restore Certificate Services
-restoreDB -- Restore Certificate Services database
-restoreKey -- Restore Certificate Services certificate and private key

Incorrect Answers:
A: The Certificates console is responsible for certificate revocation lists and the like, not for backing up and restoring corrupted CA data.
B: Making use of these commands with the -submit and -retrieve options will not ensure that your database and the log files can be completely recovered in the event of CA data corruption.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 908
Dan Holme, Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, Washington, 2004, p. 18: 7

Question: 220
You are the systems engineer for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All servers run Windows Server 2003. All client computers run Windows XP Professional. All administrative staff use portable computers. The relevant portion of the network is shown in the exhibit. The private Web server uses non-standard ports for connections. The external firewall is configured to allow inbound connections on these non-standard ports.
Company policy requires that all administrative tasks must be performed remotely. You enable Remote Desktop connections on all servers on the company intranet. Each administrative client computer has the Windows Server 2003 Administrative Tools and the Remote Desktops snap-in installed. The administrators request that they be able to use Remote Desktop connections to administer the servers when they are at home. The company’s written security policy requires that connections originating from the Internet are not allowed into the company intranet. Currently, only the Web servers are accessible from the Internet. The written security policy does not allow any other connections to the perimeter network from the Internet. You need to provide a solution that allows Remote Desktop connections to the company intranet and that complies with the written security policy. What should you do?

A. Install the Remote Administration Web site on the private Web server. Configure the external firewall to allow inbound connections on the IIS Remote Administration port. Configure the internal firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port.
B. Install the Remote Administration Web site on the private Web server. Configure the external firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port. Configure the internal firewall to allow inbound connections on the IIS Remote Administration port.
C. Install the Remote Desktop Web Connection Web site on the private Web server. Configure the internal firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port.
D. Install the Remote Desktop Web Connection Web site on the private Web server. Configure the internal firewall to allow inbound connections on the IIS Remote Administration port.

Answer: C

Explanation:
The Remote Desktop Web Connection is a high-encryption Remote Desktop Protocol (RDP) 5.0 client and uses RSA Security’s RC4 cipher with a key strength of 40, 56, or 128 bits, as determined by the computer to which it is connecting. The Remote Desktop Web Connection uses the well-known RDP TCP port (3389) to communicate with the host. Unlike some other display protocols, which send data over the network in clear text or with an easily decodable "scrambling" algorithm, Remote Desktop Web Connection’s built-in encryption makes it safe to use over any network, including the Internet, as the protocol cannot be easily sniffed to discover passwords and other sensitive data. This will provide the necessary security. With this solution, we can access the private Web server from the Internet over a non-standard port by configuring RDP to listen on the non-standard port. Then we can open a Remote Desktop connection from the private Web server to the intranet servers. This does not contravene the company’s written security policy, which states that connections originating from the Internet are not allowed into the company intranet and does not allow any other connections to the perimeter network from the Internet.

Incorrect Answers:
A: Configuring the external firewall to allow inbound connections on the IIS Remote Administration port would be wrong in this case. It should be omitted.
B: The internal, not the external, firewall should be configured to allow inbound connections on the RDP port.
D: It is not the IIS Remote Administration port but rather the RDP port that should be considered when configuring the firewall to allow inbound connections.

References:
MS Knowledge Base article 306759: How to Change the Listening Port for Remote Desktop
MS Knowledge Base article 308127: How to Manually Open Ports in Internet Connection Firewall in Windows XP
MS Knowledge Base article 304034: Configuring the Remote Desktop Client to Connect to a Specific Port
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 7, p. 530
http://msdn.microsoft.com/library/default.asp?url=/library/ens/termserv/termserv/providing_for_rdp_client_security.asp
http://www.microsoft.com/windowsxp/pro/downloads/rdwebconn.asp

Question: 221
You are the network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for Examsheets. Examsheets’s written security policy states that the private keys that are used to encrypt files must be archived for later recovery. You install an enterprise certification authority (CA) on a server that runs Windows Server 2003. You create a new certificate template for file encryption. You configure the certificate template so that the private key is archived. All users on the domain are issued certificates from this template. You separate the roles of key recovery agent and certificate manager. As part of the planning of the CA deployment, you want to document the procedure for how to recover a private key for a user.
Which three actions should you include in your procedure?

Answer:

Explanation:
The Certutil.exe program is a command-line alternative to the Certification Authority console that administrators use to manage a CA; it can perform the same tasks as the Certification Authority console.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 884
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_CS_keyarch_walk.asp

Question: 222
You are the network administrator for Examsheets. The company is deploying a network that consists of a single Active Directory domain named Examsheets.net. All client computers run Windows XP Professional. You are planning the data transmission security for the sales department. You need to monitor the data transmissions to and from the client computers in the sales department at all times. You need to ensure the integrity of the data transmissions to and from the client computers. You also need to be able to implement intrusion detection on the sales department traffic. What should you do?

A. Assign a custom IPSec policy with the Integrity and Encryption security method to the sales department client computers.
B. Assign a custom IPSec policy with the Integrity only security method to the sales department client computers.
C. Assign a custom IPSec policy with a custom security method and the 3DES encryption algorithm to the sales department client computers.
D. Assign the Client (Respond Only) IPSec policy to the sales department client computers.

Answer: B

Explanation:
The two primary protocols used by IPSec are AH and ESP. AH provides data authentication and integrity; ESP also provides those services and adds data confidentiality. AH and ESP can be used separately or together. Select the Data and address integrity without encryption (AH) check box if you need to provide data integrity for the packet’s IP header and the data; then, for Integrity algorithm, select either MD5 (which uses a 128-bit key) or SHA1 (which uses a 160-bit key). The Data integrity and encryption (ESP) check box is the option for providing both integrity and encryption for data confidentiality. We want to monitor IPSec traffic. We cannot use ESP; if we did, we would not be able to monitor the IPSec traffic because it is encrypted. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers. We need to use AH; this way we can monitor network traffic and preserve the integrity of messages.

Incorrect Answers:
A: Using both AH and ESP is the only way to both protect the IP header and encrypt the data. However, this level of protection is rarely used because of the increased overhead that AH would incur for packets that are already adequately protected by ESP. ESP protects everything but the IP header, and modifying the IP header does not provide a valuable target for attackers. Generally, the only valuable information in the header is the addresses, and these cannot be spoofed effectively because ESP guarantees data origin authentication for the packets.
C: This option will work if you want both integrity and encryption for data confidentiality: select the Data integrity and encryption (ESP) check box, then under Integrity algorithm click None (for no data integrity; if you have AH enabled and want increased performance, you can choose this), MD5, or SHA1, and under Encryption algorithm choose None, DES, or 3DES. However, this is not what is needed.
D: Client (Respond Only) is the least secure default policy. You might want to implement this policy for intranet computers that need to respond to IPSec requests but do not require secure communications. If you implement this policy, the computer will use secured data communications when requested to do so by another computer. This policy uses the default response rule, which creates dynamic IPSec filters for inbound/outbound traffic based on the port/protocol requested. This will not enable you to implement intrusion detection of the sales department traffic.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 10, pp. 732-735

Question: 223
You are a network administrator for Examsheets. The network consists of a single Active Directory domain named Examsheets.net. You install a wireless network. You configure the network to use Wired Equivalent Privacy (WEP). You install Windows Server 2003 on a server named ExamsheetsSrv3. You install a wireless network adapter in ExamsheetsSrv3.
The company’s written security policy for implementing wireless devices includes the following requirements:
• Administrators must be able to identify unauthorized wireless devices that attempt to connect to the wireless network.
• Administrators must be able to monitor wireless network device status, including radio channel information and signal strength, for wireless devices.
You need to comply with the security monitoring requirements. What should you do?

A. Add the Wireless Monitor snap-in to enable logging and to view Wireless Client Information.
B. Configure preferred networks in the wireless network policy for the Default Domain Policy Group Policy object (GPO).
C. Install and configure Network Monitor on ExamsheetsSrv3 to capture and analyze network traffic.
D. In the wireless network policy for the Default Domain Policy Group Policy object (GPO), in the Networks to access list, select Any available network (access point preferred).

Answer: A

Explanation:
Wireless Monitor allows you to view details about access points and wireless clients. You can use this information to troubleshoot your wireless service. The Wireless Configuration service logs information in Wireless Monitor that allows you to:
• Identify service configuration changes.
• Check the events logged in the Wireless Configuration service log that are generated from outside of your network, such as media event notifications, 802.1X events, and timer expiration events.
• Check how the Wireless Configuration service reacts to external events by following transitions, as they are reflected in the log.
If you want to enable or disable logging of client information, right-click the Wireless Client Information node and make the appropriate selection. This should comply with the company security monitoring requirements.

Incorrect Answers:
B: This tab is used mainly to add a new wireless network to the existing one. This is not the same as monitoring.
C: Network Monitor allows you to capture data, identify the source, and analyze the content and format of the message. However, the version of Network Monitor that ships with Windows Server 2003 can analyze only traffic addressed to the network interface card (NIC) on the server itself or sent by the server on which it is running. This will not comply with the company’s monitoring requirements.
D: When you configure new or existing wireless network connections or connect to an available wireless network, you can choose the wireless network type, of which Any available network (access point preferred) is one. In access point preferred wireless networks, a connection to an access point wireless network is always attempted first, if any are available. If an access point network is not available, a connection to a computer-to-computer wireless network is attempted. For example, if you use your laptop at work in an access point wireless network, and then you take your laptop home to use in your computer-to-computer home network, the Wireless Configuration service will change your wireless network settings as needed so that you can connect to your home network. This poses a security risk and does not comply with the company’s security monitoring requirements.

Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 11, p. 817

End of document