Exam Name: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Exam Type: Microsoft
Exam Code: 70-293
Doc Type: Q & A with Explanations
Total Questions: 223
Question: 1
You are a network administrator for Examsheets. The network consists of an intranet and a
perimeter network, as shown in the work area. The perimeter network contains:
• One Windows Server 2003, Web Edition computer named Examsheets1.
• One Windows Server 2003, Standard Edition computer named Examsheets2.
• One Windows Server 2003, Enterprise Edition computer named Examsheets3.
• One Web server farm that consists of two Windows Server 2003, Web Edition computers.
All servers on the perimeter network are members of the same workgroup.
The design team plans to create a new Active Directory domain that uses the existing servers on
the perimeter network. The new domain will support Web applications on the perimeter network.
The design team states that the perimeter network domain must be fault tolerant.
You need to select which server or servers on the perimeter network need to be configured as
domain controllers.
Which server or servers should you promote?
To answer, select the appropriate server or servers in the work area.
Answer:
Explanation:
Windows Server 2003, Web Edition cannot be a domain controller, and fault tolerance requires at
least two domain controllers.
The answer is to promote the two servers that are not running Web Edition (Examsheets2 and
Examsheets3) to domain controllers.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70-294), Que Publishing, Indianapolis, 2004, Chapter 1
Question: 2
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain and contains Windows Server 2003 computers.
You install a new service on a server named Examsheets3. The new service requires that you
restart Examsheets3. When you attempt to restart Examsheets3, the logon screen does not
appear. You turn off and then turn on the power for Examsheets3. The logon screen does not
appear. You attempt to recover the failed server by using the Last Known Good Configuration
startup option. It is unsuccessful. You attempt to recover Examsheets3 by using the Safe Mode
Startup options. All Safe Mode options are unsuccessful.
You restore Examsheets3. Examsheets3 restarts successfully. You discover that Examsheets3
failed because the new service is not compatible with a security patch.
You want to configure all servers so that you can recover from this type of failure by using the
minimum amount of time and by minimizing data loss. You need to ensure that in the future, other
services that fail do not result in the same type of failure.
What should you do?
A. Use Add or Remove Programs.
B. Install and use the Recovery Console.
C. Use Automated System Recovery (ASR).
D. Use Device Driver Roll Back.
Answer: B
Explanation:
• We know that this service causes the failure.
• We want minimum of time and minimum of data loss.
• We want a solution for all servers.
• We want to make sure other services that fail do not result in the same type of failure.
The Recovery Console is a text-mode command interpreter that can be used without starting
Windows Server 2003.
It allows you to access the hard disk and use commands to troubleshoot and manage problems
that prevent the operating system from starting properly.
Incorrect Answers:
A: This option is used to manage software, not uninstall it.
C: Automated System Recovery returns a system to operation by reinstalling the operating
system and restoring System State from an ASR backup set; it does not affect services.
D: This option deals with drivers and devices, not services.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 2, p. 120
Question: 3
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The network contains 80 Web servers that run
Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed.
Examsheets is planning to upgrade its Web servers to Windows Server 2003. You move all Web
servers into an organizational unit (OU) named Web Servers.
You are planning a baseline security configuration for the Web servers. The company’s written
security policy states that all unnecessary services must be disabled on servers. Testing shows
that the server upgrade process leaves the following unnecessary services enabled:
• SMTP
• Telnet
Your plan for the baseline security configuration for Web servers must comply with the written
security policy.
You need to ensure that unnecessary services are always disabled on the Web servers.
What should you do?
A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary
services. Link the GPO to the Web Servers OU.
B. Create a Group Policy object (GPO) and import the Hisecws.inf security template.
Link the GPO to the Web Servers OU.
C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to
Disabled. Link the GPO to the Web Servers OU.
D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services.
Link the GPO to the Web Servers OU.
Answer: C
Explanation:
The web servers have been moved to an OU. This makes it easy for us to configure the web
servers using a group policy. We can simply assign a group policy to the Web Servers OU to
disable the services.
Incorrect Answers:
A: The logon script would only run when someone logs on to the web servers. It’s likely that the
web servers will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy would be
refreshed at regular intervals.
Question: 4
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The functional level of the domain is Windows Server
2003. The domain contains Windows Server 2003 computers and Windows XP Professional
computers. The domain consists of the containers shown in the exhibit.
All production server computer accounts are located in an organizational unit (OU) named
Servers. All production client computer accounts are located in an OU named Desktops. There
are Group Policy objects (GPOs) linked to the domain, to the Servers OU, and to the Desktops
OU.
The company recently added new requirements to its written security policy. Some of the new
requirements apply to all of the computers in the domain, some requirements apply to only
servers, and some requirements apply to only client computers. You intend to implement the new
requirements by making modifications to the existing GPOs.
You configure 10 new Windows XP Professional computers and 5 new Windows Server 2003
computers in order to test the deployment of settings that comply with the new security
requirements by using GPOs. You use the Group Policy Management Console (GPMC) to
duplicate the existing GPOs for use in testing.
You need to decide where to place the test computer accounts in the domain. You want to
minimize the amount of administrative effort required to conduct the test while minimizing the
impact of the test on production computers. You also want to avoid linking GPOs to multiple
containers.
What should you do?
A. Place all test computer accounts in the Examsheets.net container.
B. Place all test computer accounts in the Computers container.
C. Place the test client computer accounts in the Desktops OU and the test server computer
accounts in the Servers OU.
D. Create a child OU under the Desktops OU for the test client computer accounts.
Create a child OU under the Servers OU for the test server computer accounts.
E. Create a new OU named Test under the Examsheets.net container.
Create a child OU under the Test OU for the test client computer accounts.
Create a second child OU under the Test OU for the test server computer accounts.
Answer: E
Explanation:
To minimize the impact of the test on production computers, we can create a test OU with child
OUs for the servers and the client computer accounts. Settings that should apply to the servers
and client computers can be applied to the Test OU, and settings that should apply to the servers
or the client computers can be applied to the appropriate child OUs.
Incorrect Answers:
A: You cannot place computer accounts directly under the domain container. They must be in an
OU or in a built-in container such as the Computers container.
B: We need to separate the servers and the client computers into different OUs.
C: This solution would apply the new settings to existing production computers.
D: This could work but you would have more group policy links. For example, the GPO settings
that need to apply to the servers and the client computers would need to be linked to both
OUs. It would be easier to link the GPO to a single parent OU.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1:29-30
Question: 5
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The network contains a Windows Server 2003
member server named ExamsheetsSrvA. The network also contains a Windows XP Professional
computer named Client1. You use Client1 as an administrative computer.
You plan to use Microsoft Baseline Security Analyzer (MBSA) on Client1 to analyze
ExamsheetsSrvA.
However, the recent application of a custom security template disabled several services on
ExamsheetsSrvA.
You need to ensure that you can use MBSA to analyze ExamsheetsSrvA.
Which two services should you enable?
To answer, select the appropriate services to enable in the dialog box.
Answer:
Explanation:
The Remote Registry and Server services should be enabled.
The following are the requirements for a computer running the tool that scans remote
machines:
• Windows Server 2003, Windows 2000, or Windows XP
• Internet Explorer 5.01 or greater
• An XML parser (MSXML version 3.0 SP2 or later) is required in order for the tool to function
correctly.
Systems not running Internet Explorer 5.01 or greater will need to download and install an XML
parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you
opt not to install the XML parser that is bundled with the tool, see the notes below on obtaining an
XML parser separately.
• The IIS Common Files are required on the computer on which the tool is installed if performing
remote scans of IIS computers.
The following services must be enabled: Workstation service and Client for Microsoft Networks.
The following are the requirements for a computer to be scanned remotely by the tool:
• Windows NT 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows
XP computers that use simple file sharing), or Windows Server 2003
• IIS 4.0, 5.0, 6.0 (required for IIS vulnerability checks)
• SQL 7.0, 2000 (required for SQL vulnerability checks)
• Microsoft Office 2000, XP (required for Office vulnerability checks)
The following services must be installed/enabled: Server service, Remote Registry service, File &
Print Sharing
Reference:
From the readme file for MBSA
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 12:50-51
Question: 6
You are the senior systems engineer for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. Client
computers in the sales department run Windows NT Workstation 4.0 with the Active Directory
Client Extension software installed. All other client computers run Windows XP Professional. All
servers are located in an organizational unit (OU) named Servers. All client computers are
located in an OU named Desktops.
Four servers contain confidential company information that is used by users in either the finance
department or the research department. Users in the sales department also store files and
applications in these servers. The company’s written security policy states that for auditing
purposes, all network connections to these resources must require authentication at the protocol
level. The written security policy also states that all network connections to these resources must
be encrypted.
The Examsheets budget does not allow for the purchase of any new hardware or software. The
applications and data located on these servers may not be moved to any other server in the
network.
You define and assign the appropriate permissions to ensure that only authorized users can
access the resources on the servers.
You now need to ensure that all connections made to these servers by the users in the finance
department and in the research department meet the security guidelines stated by the written
security policy. You also need to ensure that all users in the sales department can continue to
access their resources.
Which two actions should you take?
(Each correct answer presents part of the solution. Choose two.)
A. Create a new Group Policy object (GPO) and link it to the Servers OU.
Enable the Secure Server (Require Security) IPSec policy in the GPO.
B. Create a new Group Policy object (GPO) and link it to the Servers OU.
Enable the Server (Request Security) IPSec policy in the GPO.
C. Create a new Group Policy object (GPO) and link it to the Desktops OU.
Enable the Client (Respond only) IPSec policy in the GPO.
D. Create a new Group Policy object (GPO).
Edit the GPO to enable the Registry Policy Processing option and the IP Security Policy
Processing option.
Copy the GPO files to the Netlogon shared folder.
E. Use the System Policy Editor to open the System.adm file and enable the Registry Policy
Processing option and the IP Security Policy Processing option.
Save the system policy as NTConfig.pol.
Answer: B, C
Explanation:
We need to ensure that the connections made to the servers by the users in the finance
department and in the research department meet the security guidelines stated by the written
security policy.
The computers in these departments use Windows XP Professional. We can therefore enable
IPSec communication between the servers and the clients in the finance and research
departments. However, the sales users use Windows NT, which cannot use IPSec. Therefore, to
ensure that the NT clients can still communicate with the servers, we should enable the Server
(Request Security) IPSec policy on the servers and the Client (Respond only) IPSec policy for the
client computers.
Incorrect Answers:
A: This policy is intended for computers working with sensitive data that must be secured at all
times.
D: Registry Policy Processing specifies how Registry policies are processed, such as whether
Registry policies can be applied during periodic background processing. IP Security Policy
Processing specifies how IP security policies are updated. Copying the GPO files to the
Netlogon shared folder would allow all authenticated users to access them.
E: In Windows Server 2003 operating systems, the Group Policy Object Editor replaces the
System Policy Editor.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296,
Microsoft Press, Redmond, Washington, Chapters 5 and 11.
Question: 7
You are the systems engineer for Examsheets. The company has a main office in Las Palmas
and two branch offices, one in Barcelona and one in Madrid. The offices are connected to one
another by dedicated T1 lines. Each office has its own local IT department and administrative
staff.
The company network consists of a single Active Directory domain named Examsheets.net. All
servers run Windows Server 2003. All client computers run Windows XP Professional. All servers
support firmware-based console redirection by means of the serial port. The server hardware does
not support any other method of console redirection and cannot be upgraded to do so.
The company is currently being reorganized. The IT department from each branch office is being
relocated to a new central data center in the Las Palmas office. Several servers from each branch
office are also being relocated to the Las Palmas data center. Each branch office will retain 10
servers. A new written security policy includes the following requirements:
• All servers must be remotely administered for all administrative tasks.
• All servers must be administered from the Las Palmas office.
• All remote administration connections must be authenticated and encrypted.
Your current network configuration already adheres to the new written security policy for
day-to-day server administration tasks performed on the servers. You need to plan a configuration
for out-of-band management tasks for each office that meets the new security requirements.
Which three actions should you take?
(Each correct answer presents part of the solution. Choose three.)
A. Connect each server’s serial port to a terminal concentrator.
Connect the terminal concentrator to the network.
B. Connect a second network adapter to each server.
Connect the second network adapter in each server to a separate network switch.
Connect the management port on the switch to a WAN port on the office router.
Enable IPSec on the router.
C. Enable Routing and Remote Access on a server in each branch office, and configure it as an
L2TP/IPSec VPN server.
Configure a remote access policy to allow only authorized administrative staff to make a VPN
connection.
D. On each server, enable the Telnet service with a startup parameter of Automatic.
Configure Telnet on each server to use only NTLM authentication.
Apply the Server (Request Security) IPSec policy to all servers.
E. On each server, enable Emergency Management Services console redirection and the
Emergency Management Services Special Administration Console (SAC).
Answer: A, C, E
Explanation:
The Special Administration Console Helper system service can be used to perform remote
management tasks if a Windows Server 2003 family operating system stops functioning because of
a Stop error. Its main functions are to:
• Redirect Stop error message explanatory text
• Restart the system
• Obtain computer identification information
The SAC is an auxiliary Emergency Management Services command-line environment that is
hosted by Windows Server 2003 family operating systems. It also accepts input and sends
output through the out-of-band port. !SAC is a separate entity from both SAC and the Windows
Server 2003 family command-line environments.
After a specific failure point is reached, Emergency Management Services components determine
when the shift should be made from SAC to !SAC. !SAC becomes available automatically if SAC
fails to load or is not functioning.
If the Special Administration Console Helper service is stopped, SAC services will no longer be
available. If this service is disabled, any services that explicitly depend on it will not start.
Incorrect Answers:
B: There is no need to connect a second network adapter to each server and have that adapter
connected to a separate network switch.
D: Making use of NTLM authentication and applying the Server (Request Security) IPSec policy
on all servers is not the solution.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 12: 27
Question: 8
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The network contains 10 domain controllers and 50
servers in application server roles. All servers run Windows Server 2003.
The application servers are configured with custom security settings that are specific to their roles
as application servers. Application servers are required to audit account logon events, object
access events, and system events. Application servers are required to have passwords that meet
complexity requirements, to enforce password history, and to enforce password aging.
Application servers must also be protected against man-in-the-middle attacks during
authentication.
You need to deploy and refresh the custom security settings on a routine basis. You also need to
be able to verify the custom security settings during audits.
What should you do?
A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A
Explanation:
The easiest way to deploy multiple security settings to Windows Server 2003 computers is to
create a security template containing all the required settings and import it into a Group Policy
object. We can also use secedit to analyze the current security settings and verify that the
required settings are in place.
Incorrect Answers:
B: An IPSec policy will not configure the required auditing policy.
C: We need a security template, not an administrative template.
D: This will create multiple identical machines. We cannot use RIS images in this scenario.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57
Question: 9
You are a network administrator for Examsheets. The network consists of a single Active
Directory forest.
All domain controllers run Windows Server 2003.
The bank decides to provide access to its mortgage application services from a real estate
agency that has offices throughout the country. You install an Examsheets domain controller in
each real estate agency office.
You need to further protect the domain controllers’ user account databases from unauthorized
access.
You want to achieve this goal by using the minimum amount of administrative effort.
Which two actions should you take?
(Each correct answer presents part of the solution. Choose two.)
A. Use the system key utility (syskey) with the most secure security level on the domain
controllers.
B. Create a Group Policy object (GPO), import the Securedc.inf security template, and apply the
GPO to the domain controllers.
C. Create a Group Policy object (GPO), configure the Network security: LAN Manager
authentication level security option to the Send NTLMv2 response only\refuse LM setting,
and apply the GPO to the domain controllers.
D. Create a Group Policy object (GPO), import the DC security.inf security template, and apply
the GPO to the domain controllers.
Answer: A, B
Explanation:
On domain controllers, password information is stored in directory services. It is not unusual for
password-cracking software to target the Security Accounts Manager (SAM) database or
directory services to access passwords for user accounts. The System Key utility (Syskey)
provides an extra line of defence against offline password-cracking software. Syskey uses
strong encryption techniques to secure account password information that is stored in directory
services. Mode 3 is the most secure Syskey mode, because it uses a computer-generated
random key and stores the key on a floppy disk. This disk is required for the system to start, and
it must be inserted at a prompt during the startup sequence. The system key is not stored
anywhere on the computer.
Secure (Secure*.inf) Template
The Secure templates define enhanced security settings that are least likely to impact application
compatibility.
For example, the Secure templates define stronger password, lockout, and audit settings.
Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication
protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse
LAN Manager responses.
Incorrect Answers:
C: You should be importing the Securedc.inf security template instead of configuring the Network
security: LAN Manager authentication level security option to the Send NTLMv2 response
only\refuse LM setting.
D: The DC security.inf template contains a large number of settings, in particular a long list of
file-system permission assignments. For this reason, you should not apply this template to a
computer by using Group Policy.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70-294), Que Publishing, Indianapolis, 2004, Chapter 8
Question: 10
You are a network administrator for Examsheets. All domain controllers run Windows Server
2003. The network contains 50 Windows 98 client computers, 300 Windows 2000 Professional
computers, and 150 Windows XP Professional computers.
According to the network design specification, the Kerberos version 5 authentication protocol
must be used for all client computers on the internal network.
You need to ensure that Kerberos version 5 authentication is used for all client computers on the
internal network.
What should you do?
A. On each domain controller, disable Server Message Block (SMB) signing and encryption of the
secure channel traffic.
B. Replace all Windows 98 computers with new Windows XP Professional computers.
C. Install the Active Directory Client Extension software on the Windows 98 computers.
D. Upgrade all Windows 98 computers to Windows NT Workstation 4.0.
Answer: B
Explanation:
By default, in a Windows Server 2003 domain, Windows 2000 and Windows XP clients use
Kerberos as their authentication protocol. Windows 98 doesn't support Kerberos authentication;
therefore, we need to upgrade the Windows 98 computers.
Incorrect Answers:
A: This won’t enable the Windows 98 clients to use Kerberos authentication.
C: The Active Directory Client Extension software doesn’t enable Windows 98 clients to use
Kerberos authentication.
D: Windows NT 4.0 doesn’t support Kerberos authentication.
Reference:
J. C. Mackin & Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, pp. 11:39-42
Question: 11
You are the network administrator for Examsheets. The company has a main office and 20
branch offices.
You recently completed the design of the company network. The network design consists of a
single Active Directory domain named Examsheets.net. All domain controllers will run Windows
Server 2003. The main office will contain four domain controllers, and each branch office will
contain one domain controller. The branch office domain controllers will be administered from the
main office.
You need to ensure that the domain controllers are kept up-to-date with software updates for
Windows Server 2003 after their initial deployment. You want to ensure that the domain
controllers automatically install the updates by using the minimum amount of administrative
intervention. You also want to configure the settings by using the minimum amount of
administrative effort.
What should you do?
A. In System Properties, on the Automatic Update tab, enable Keep my computer up to date,
and then select Download the updates automatically and notify me when they are ready
to be installed.
B. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure
Automatic Updates with option 3 – Auto download and notify for install.
C. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure
Automatic Updates with option 4 – Auto download and schedule the install.
D. In System Properties, on the Automatic Updates tab, enable Keep my computer up to date,
and then select Automatically download the updates, and install them on the schedule
that I specify.
Answer: C
Explanation:
The question states that you want to ensure that the domain controllers automatically install
the updates by using the minimum amount of administrative intervention. The way to do
this is to configure the automatic updates with the option to Auto download and schedule the
install. The easiest way to configure the domain controllers with this setting is to configure a
group policy object for the domain controllers.
The problem with this solution is that the domain controllers may automatically restart after the
updates are installed. Scheduling the updates to install out of business hours will minimize any
disruption.
Incorrect Answers:
A: It is easier to configure the domain controllers using group policy.
B: This solution will download the updates, but it won’t install them until an administrator manually
clicks the install button in the notification dialog box. Answer C automates the procedure more
by scheduling the installation to occur at a set time without any further administrative
intervention.
D: It is easier to configure the domain controllers using group policy.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 13: 8
Question: 12
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net.
The company plans to deploy 120 Windows Server 2003 member servers as file servers in the
domain.
The new file servers will be located in a single organizational unit (OU) named File Servers.
The security department provides you with a security template that must be applied to the new file
servers.
You need to apply and maintain the security settings contained in the security template to the
new file servers. You want to achieve this goal by using the minimum amount of administrative
effort.
What should you do?
A. On a reference computer, use the Local Security Settings console to import the security
template. Use imaging technology to install and configure the new file servers based on the
configuration of the reference computer.
B. On a reference computer, run the secedit command to apply the security template.
Use imaging technology to install and configure the new file servers based on the configuration
of the reference computer.
C. Create a new Group Policy object (GPO).
Import the security template into the Security Settings of the Computer Configuration section of
the GPO.
Link the GPO to the File Servers OU.
D. On the PDC emulator master in the domain, run the secedit command to apply the security
template.
Answer: C
Explanation:
We have a security template with the required security settings. We can simply import the
template into a Group Policy Object and apply the settings to the File Servers OU.
Incorrect Answers:
A: This would work, but there is a catch in the question. The question states that you need to
apply and maintain the security settings contained in the security template to the new file
servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security
settings are ‘maintained’.
B: This would work, but there is a catch in the question. The question states that you need to
apply and maintain the security settings contained in the security template to the new file
servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security
settings are ‘maintained’.
D: This would have no effect on the file servers.
Reference:
Jill Spealman, Kurt Hudson, and Melissa Craft; MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure.
Question: 13
You are a network administrator for Examsheets. The company consists of a single Active
Directory domain named Examsheets.net. All client computers run Windows XP Professional.
The company’s main office is located in Dallas. You are a network administrator at the company’s
branch office in Boston. You create a Group Policy object (GPO) that redirects the Start menu for
users in the Boston branch office to a shared folder on a file server.
Several users in Boston report that many of the programs that they normally use are missing from
their Start menus. The programs were available on the Start menu the previous day, but did not
appear when the users logged on today.
You log on to one of the client computers. All of the required programs appear on the Start menu.
You verify that users can access the shared folder on the server.
You need to find out why the Start menu changed for these users.
What are two possible ways to achieve this goal?
(Each correct answer presents a complete solution. Choose two)
A. In the Group Policy Management Console (GPMC), select the file server that hosts the shared
folder and a user account that is in the Domain Admins global group and run Resultant Set Of
Policy (RSoP) in planning mode.
B. In the Group Policy Management Console (GPMC), select one of the affected user accounts
and run Resultant Set of Policy (RSoP) in logging mode.
C. On one of the affected client computers, run the gpresult command.
D. On one of the affected client computers, run the gpupdate command.
E. On one of the affected client computers, run the secedit command.
Answer: B, C
Explanation:
We need to view the effective group policy settings for the users or the computers that the users
are using. We can use gpresult or RSoP.
Gpresult
Displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer.
RSoP overview
Resultant Set of Policy (RSoP) is an addition to Group Policy.
RSoP provides details about all policy settings that are configured by an Administrator, including
Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings,
Scripts, and Group Policy Software Installation.
RSoP consists of two modes:
Planning mode and logging mode. With planning mode, you can simulate the effect of policy
settings that you want to apply to a computer and user.
Logging mode reports the existing policy settings for a computer and user that is currently logged
on.
Incorrect Answers:
A: We need to test the effective policy from a user’s computer, not the file server.
D: Gpupdate is the tool used to refresh the policy settings in Windows XP and Windows Server
2003.
E: Secedit is the tool used to refresh the policy in Windows 2000 professional and server editions.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 12: 35
Question: 14
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. Examsheets’s perimeter network contains 50 Web
servers that host the company’s public Internet site. The Web servers are not members of the
domain.
The network design team completed a new design specification for the security of servers in
specific roles.
The network design requires that security settings must be applied to Web servers. These
settings include password restrictions, audit settings, and automatic update settings.
You need to comply with the design requirements for securing the Web servers. You also want to
be able to verify the security settings and generate a report during routine maintenance. You want
to achieve these goals by using the minimum amount of administrative effort.
What should you do?
A. Create a custom security template named Web.inf that contains the required security settings.
Create a new organizational unit (OU) named WebServers and move the Web servers into the
new OU.
Apply Web.inf to the WebServers OU.
B. Create a custom security template named Web.inf that contains the required security settings,
and deploy Web.inf to each Web server by using Security Configuration and Analysis.
C. Create an image of a Web server that has the required security settings, and replicate the
image to each Web server.
D. Manually configure the required security settings on each Web server.
Answer: B
Explanation:
The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a
security template with all the required settings and import the settings using the Security
Configuration and Analysis tool.
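The same apply-then-verify cycle the answer describes can be scripted with secedit, the command-line counterpart of Security Configuration and Analysis. This is an added example, not code from the training kit; it assumes the template lives at C:\Templates\Web.inf, runs locally on a Web server with administrative rights, and assumes secedit marks drifted settings with the word "Mismatch" in its analysis log.

```powershell
# Added example (not from the training material): apply a security template with secedit,
# then analyse the server against the same template and write a short drift report.
# Assumptions: template at C:\Templates\Web.inf (the exam's hypothetical Web.inf);
# run locally on each Web server as an administrator.
param(
    [string]$Template = 'C:\Templates\Web.inf',
    [string]$WorkDir  = 'C:\SecReports'
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db     = Join-Path $WorkDir 'web.sdb'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$cfgLog = Join-Path $WorkDir "configure-$stamp.log"
$anaLog = Join-Path $WorkDir "analyze-$stamp.log"

# 1. Apply the template. /overwrite discards anything already in the database so the
#    stored baseline reflects only the template; /quiet suppresses the overwrite prompt.
& secedit.exe /configure /db $db /cfg $Template /overwrite /log $cfgLog /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $cfgLog" }

# 2. Routine-maintenance check: compare the live settings against the template database.
& secedit.exe /analyze /db $db /cfg $Template /log $anaLog /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed, see $anaLog" }

# 3. Reduce the analysis log to the settings that no longer match the template.
#    Assumption: secedit writes each drifted setting on a line containing 'Mismatch'.
$mismatches = @(Select-String -Path $anaLog -Pattern 'Mismatch' |
                ForEach-Object { $_.Line.Trim() })

$report = Join-Path $WorkDir "report-$env:COMPUTERNAME-$stamp.txt"
@(
    "Security template check for $env:COMPUTERNAME at $(Get-Date)"
    "Template: $Template"
    "Mismatched settings: $($mismatches.Count)"
    $mismatches
) | Set-Content -Path $report
Write-Output "Report written to $report"
```

Run step 1 once at deployment and steps 2 and 3 on the maintenance schedule; a non-empty mismatch list is the signal that a setting has drifted from the design.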
Incorrect Answers:
A: The web servers aren’t members of the domain. Therefore they cannot be moved to an OU in
Active Directory.
C: We cannot use imaging in this way.
D: This is a long way of doing it. A security template would simplify the task.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57
Question: 15
You are a network administrator for Examsheets Inc. The network consists of a single Active
Directory forest as shown in the exhibit.
Examsheets’s written security policy requires that all domain controllers in the
child1.Examsheets.net domain must accept a LAN Manager authentication level of only NTLMv2.
You also want to restrict the ability to start a domain controller to the Domain Admins group.
You need to configure the domain controllers in the child1.Examsheets.net domain to meet the
new security requirements.
Which two actions should you take?
(Each correct answer presents part of the solution. Choose two)
A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group
Policy object (GPO) on the child1.Examsheets.net domain.
B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object
(GPO) in the child1.Examsheets.net domain.
C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group
Policy object (GPO) in the child1.Examsheets.net domain.
D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object
(GPO) in the child1.Examsheets.net domain.
E. Run the system key utility (syskey) on each domain controller in the child1.Examsheets.net
domain.
In the Account Database Key dialog box, select the Password Startup option.
F. Run the system key utility (syskey) on each domain controller in the child1.Examsheets.net
domain.
In the Account Database Key dialog box, select the Store Startup Key Locally option.
Answer: C, E
Explanation:
Secure (Secure*.inf) Template
The Secure templates define enhanced security settings that are least likely to impact application
compatibility.
For example, the Secure templates define stronger password, lockout, and audit settings.
Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication
protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse
LAN Manager responses.
• In order to apply Securews.inf to a member computer, all of the domain controllers that
contain the accounts of all users that log on to the client must run Windows NT 4.0
Service Pack 4 or higher.
The system key utility (SYSKEY)
A security measure used to restrict logon names to user accounts and access to computer
systems and resources.
By running the syskey utility with the Password Startup option, the account information in the
directory service is encrypted and a password must be entered during system start. Starting
the domain controllers is therefore restricted to those who know this password.
Incorrect Answers:
A: The Rootsec.inf security template defines permissions for the root of the system drive. This
template can be used to reapply the root directory permissions to other volumes.
B: The Rootsec.inf security template defines permissions for the root of the system drive. This
template can be used to reapply the root directory permissions to other volumes.
D: We need to apply the policy to the domain controllers container, not the entire domain.
F: The System Key Utility (syskey) is used to encrypt the account password information that is
stored in the SAM database or in the directory services. By selecting "Store Key locally" the
computer stores an encrypted version of the key on the local computer. This doesn’t help in
controlling the start of the Domain Controllers.
Reference:
http://www.microsoft.net/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/syskey_concept.asp
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 8
Question: 16
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All member servers run Windows Server 2003. All
client computers run Windows XP Professional. All client computer accounts in the domain are
located in an organizational unit (OU) named Workstations.
You need to distribute a new application to all client computers on the network. You create a
Group Policy object (GPO) that includes the application package in the software installation
settings of the Computer Configuration section of the GPO. You assign the GPO to the
Workstations OU.
Several days later, users report that the new application is still not installed on their client
computers.
You need to ensure that the application is installed on all client computers.
What should you do?
A. Instruct users to restart their client computers.
B. Instruct users to run Windows Update on their client computers.
C. Instruct users to force a refresh of the computer policy settings on their client computers.
D. Instruct users to force a refresh of the user policy settings on their client computers.
Answer: A
Explanation:
When an application is assigned to a computer, the software is deployed when it is safe to do so
(that is, when the operating system files are closed). This generally means that the software will
be installed when the computer starts up, which ensures that the applications are deployed prior
to any user logging on. For this scenario, we need to tell the users to restart their client
computers.
Incorrect Answers:
B: Windows Update is used to update the operating system with the latest security patches etc.
C: You applied the policy several days ago. The client computers should have the GPO by now.
D: The setting isn’t in the user section of the group policy.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 29-30
Question: 17
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. Examsheets merges with a company named Acme.
You need to create new user accounts for all of the Acme employees.
The e-mail address format for all users at Acme is alias@acme.net. The users need to continue
to use their e-mail addresses after the merger. To decrease confusion, these users also need to
be able to use their e-mail addresses as their user logon names when logging on to the company
network.
You need to ensure that new users can log on by using their e-mail addresses as their logon
names. You want to achieve this goal by incurring the minimum cost and by using the minimum
amount of administrative effort.
What should you do?
A. Create a new domain tree named acme.net in the Examsheets.net forest.
Create user accounts for all of the users in the acme.net domain.
B. Create a new forest named acme.net.
Create user accounts for all of the users in the acme.net domain.
Configure a forest trust relationship between the two forests.
C. Create user accounts for all of the new users in the Examsheets.net domain.
Configure the e-mail addresses for all of the Acme users as alias@acme.net.
D. Configure acme.net as an additional user principal name (UPN) suffix for the Examsheets.net
forest. Configure each user account to use the acme.net UPN suffix.
Answer: D
Explanation:
You can simplify the logon process for users by enabling UPN logon. When UPN logon is
enabled, all users use the same UPN suffix to log on to their domains. UPN names are comprised
of the user's logon name and the DNS name of the domain. When you enable UPN logon, users'
logon names remain the same even when their domains change.
You might choose to enable UPN logon if:
• Domain names in your enterprise are complex and difficult to remember.
• Users in your organization might change domains as a result of domain consolidation or other
organizational changes.
• All domains in the forest are in native mode.
• User logon names are unique within the forest.
• A global catalog server is available to match the UPN to the correct domain account.
You can use one UPN suffix for all users in the forest.
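The procedure in answer D, registering acme.net as an alternative UPN suffix and moving the Acme accounts onto it, as an added example that is not from the training kit. It assumes the ActiveDirectory PowerShell module, a hypothetical OU "Acme Users" under Examsheets.net, and that each user's sAMAccountName equals the mail alias; it also enforces the forest-wide uniqueness requirement listed above before changing anything.

```powershell
# Added example (not from the training material): add acme.net as an alternative UPN suffix
# for the forest and switch the merged users to it, refusing to proceed on UPN collisions.
# Assumptions: ActiveDirectory module available; Acme accounts are in the hypothetical
# OU "Acme Users"; sAMAccountName is the user's mail alias.
Import-Module ActiveDirectory

$suffix = 'acme.net'
$acmeOu = 'OU=Acme Users,DC=Examsheets,DC=net'   # hypothetical OU
$forest = Get-ADForest

# 1. Register the suffix once at forest level (it is stored on the Partitions container).
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
}

# 2. Plan the new UPNs and check each one against the global catalog, which indexes
#    UPNs across the whole forest; a duplicate UPN makes logon ambiguous.
$gcHost = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName |
          Select-Object -First 1
$gc     = "$($gcHost):3268"

$users = Get-ADUser -SearchBase $acmeOu -Filter * -Properties UserPrincipalName
$plan  = @(foreach ($u in $users) {
    $newUpn = "$($u.SamAccountName)@$suffix"
    $clash  = Get-ADUser -Server $gc -Filter "UserPrincipalName -eq '$newUpn'" |
              Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
    [pscustomobject]@{ User = $u; NewUpn = $newUpn; Clash = [bool]$clash }
})

$conflicts = @($plan | Where-Object Clash)
if ($conflicts.Count -gt 0) {
    $conflicts | ForEach-Object { Write-Warning "UPN already in use: $($_.NewUpn)" }
    throw 'Resolve UPN conflicts before continuing'
}

# 3. Apply the change; users now log on as alias@acme.net.
foreach ($p in $plan) {
    Set-ADUser -Identity $p.User -UserPrincipalName $p.NewUpn
}
Write-Output "Updated $($plan.Count) accounts to the $suffix UPN suffix"
```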
Incorrect Answers:
A, B: Creating a new domain tree or forest and recreating the user accounts for all of the users in
the acme.com domain would require excessive administrative effort.
C: Creating new user accounts for all of the users in the acme.com domain would require
excessive administrative effort. Using the UPN logon feature would require less administrative
effort.
Reference:
Thomas W. Shinder and Debra Littlejohn Shinder, MCSE Exam 70-294: Planning, Implementing,
and Maintaining a Windows Server 2003 Active Directory Infrastructure, Syngress, 2003, p. 956.
Question: 18
You are the network administrator for Examsheets. The company consists of two subsidiaries
named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests
named contoso.net and cpand1.net. The functional level of each forest is Windows Server 2003.
A two-way forest trust relationship exists between the forests.
You need to achieve the following goals:
• Users in the contoso.net forest must be able to access all resources in the cpand1.net forest.
• Users in the cpand1.net forest must be able to access only resources on a server named
HRApps.contoso.net.
You need to configure the forest trust relationship and the resources on HRApps.contoso.net to
achieve the goals.
Which three actions should you take?
(Each correct answer presents part of the solution. Choose three)
A. On a domain controller in the contoso.net forest, configure the properties of the incoming
forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.net forest, configure the properties of the incoming
forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.net forest, configure the properties of the incoming
forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.net forest, configure the properties of the incoming
forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control list (DACLs) on HRApps.contoso.net to allow access
to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.net to deny access
to This Organization security group.
Answer: A, D, E
Explanation:
When all domains in two forests trust each other and need to authenticate users, establish a
forest trust between the forests. When only some of the domains in two Windows Server 2003
forests trust each other, establish one-way or two-way external trusts between the domains that
require interforest authentication.
Selective authentication between forests
Using Active Directory Domains and Trusts, you can determine the scope of authentication
between two forests that are joined by a forest trust. You can set selective authentication
differently for outgoing and incoming forest trusts. With selective trusts, administrators can make
flexible forest-wide access control decisions.
If you use forest-wide authentication on an incoming forest trust, users from the outside forest
have the same level of access to resources in the local forest as users who belong to the local
forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide
authentication is used, users from ForestB would be able to access any resource in ForestA
(assuming they have the required permissions).
If you decide to set selective authentication on an incoming forest trust, you need to manually
assign permissions on each domain and resource to which you want users in the second forest to
have access. To do this, set a control access right Allowed to authenticate on an object for that
particular user or group from the second forest.
When a user authenticates across a trust with the Selective authentication option enabled, an
Other Organization security ID (SID) is added to the user's authorization data. The presence of
this SID prompts a check on the resource domain to ensure that the user is allowed to
authenticate to the particular service. Once the user is authenticated, then the server to which he
authenticates adds the This Organization SID if the Other Organization SID is not already
present. Only one of these special SIDs can be present in an authenticated user's context.
Taking the above into account, options A, D and E ensure that users in the contoso.net forest
have forest-wide access to cpand1.net, while users from cpand1.net can authenticate only to
HRApps.contoso.net.
Incorrect Answers:
B: If you use forest-wide authentication on an incoming forest trust, users from the outside forest
have the same level of access to resources in the local forest as users who belong to the local
forest. However, users in the cpand1.com forest must be able to access only resources on a
server named HRApps.contoso.com. We should therefore use selective authentication for the
cpandl.com forest to access the contoso.com.
C: Users in the contoso.com forest must be able to access all resources in the cpand1.com
forest, in other words, they need forest-wide access.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-48 to 4-49.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter,
Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide
& DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 254.
Question: 19
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. All client
computers run Windows XP Professional.
User accounts are configured as local administrators so that users can install software. A desktop
support team supports end users. The desktop support team’s user accounts are all members of
a group named Support.
You create a software restriction policy that only prevents users from running registry editing tools
by file hash rule. You apply the policy to all user accounts in the domains.
The desktop support team reports that when they attempt to run registry editing tools, they
receive the following error message:
“Windows cannot open this program because it has been prevented by a software restriction
policy. For more information, open Event Viewer or contact your system administrator”.
You need to ensure that only the desktop support team can run registry editing tools.
What should you do?
A. Configure the software restriction policies to be enforced for all users except local
administrators.
B. Make users members of the Power Users group instead of the Administrators group.
C. Use a logon script to copy the registry editing tools to the root of drive C.
Assign the Domain Admins group the Allow – Read permission for the registry editing tools in
the new location.
D. Filter the software restriction policy to prevent the Support group from applying the policy.
Answer: D
Explanation:
We can prevent the software restriction policy from applying to the support group by simply
assigning the support group the Deny – Read and/or the Deny – Apply group policy permission.
Incorrect Answers:
A: The users are local administrators. The policy must apply to the local administrators.
B: The policy applies to all users. It will still apply to the support group. Changing the local users
group membership will have no effect on the policy.
C: The software restriction policy is using a hash rule to prevent the use of the registry editing
tools. It doesn’t matter where the tools are located, they still won’t run.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9: 16
Question: 20
You are the network administrator for Examsheets. Your user account is a member of the
Schema Admins group. The network consists of a single Active Directory forest that contains
three domains. The functional level of the forest is Windows Server 2003. A Windows Server
2003 domain controller named ExamsheetsA holds the schema master role.
An application named Application1 creates additional schema classes. You notice that this
application created some classes that have incorrect class names.
You need to correct the class names as quickly as possible.
What should you do?
A. Deactivate the Application1 classes that have the incorrect class names.
Set the default security permission for the Everyone group for those schema classes to Deny.
B. Deactivate the Application1 classes that have the incorrect class names.
Create the Application1 classes with the correct class names.
C. Rename the description of the Application1 classes to the correct class name.
Instruct the developers of Application1 to change the code of the application so that the
renamed schema classes can be used.
D. Instruct the developers of Application1 to change the code of the application so that the
application creates the new schema classes with the correct class names.
Reinstall Application1 and select Reload the schema in the Active Directory Schema console.
Answer: B
Explanation:
We need to deactivate the Application1 classes that have the incorrect class names. This is
because you cannot delete or rename a class. We can only deactivate the incorrect classes and
recreate the classes with the correct class names.
Extending the schema
When the set of classes and attributes in the base Active Directory schema do not meet your
needs, you can extend the schema by modifying or adding classes and attributes. You should
only extend the schema when absolutely necessary. The easiest way to extend the schema is
through the Schema Microsoft Management Console (MMC) snap-in. You should always develop
and test your schema extensions in a test lab before moving them to your production network.
Schema extensions are not reversible
Attributes or classes cannot be removed after creation. At best, they can be modified or
deactivated.
Deactivating a class or attribute
Domain controllers running Windows Server 2003 do not permit the deletion of classes or
attributes, but they can be deactivated if they are no longer needed or if there was an error in the
original definition. A deactivated class or attribute is considered defunct. A defunct class or
attribute is unavailable for use; however, it is easily reactivated.
If your forest has been raised to the Windows Server 2003 functional level, you can reuse the
object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID
that were associated with the defunct class or attribute. This allows you to change the object
identifier associated with a particular class or attribute. The only exception to this is that an
attribute used as a rdnAttId of a class continues to own its attributeId, ldapDisplayName, and
schemaIdGuid values even after being deactivated (that is, those values cannot be reused).
If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a
class or attribute and then redefine it.
Incorrect Answers:
A: It is not necessary to deny access to the classes after deactivating them. We need to recreate
the classes with the correct names.
C: Changing the description of a class doesn’t rename the class. It is not possible to rename a
class.
D: We need to deactivate the classes that have the incorrect class names.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 11
Question: 21
You are the administrator for Examsheets. The network consists of a single Active Directory
domain named Examsheets.net. All servers run Windows Server 2003.
When the network was designed, the design team set design specifications. After the network
was implemented, the deployment team set baseline specifications. The specifications for
broadcast traffic are:
• The design specifications require that broadcast traffic must be 5 percent or less of
total network traffic.
• The baseline specifications showed that the broadcast traffic is always 1 percent or
less of the total network traffic during normal operation.
You need to monitor the network traffic and find out if the level of broadcast traffic is within the
design and baseline specs. You decide to use Network Monitor. After monitoring for 1 hour, you
observe the results shown in the exhibit:
You need to report the results of your observations to management.
Which two actions should you take?
A. Report that the broadcast traffic is outside of the baseline specs.
B. Report that the broadcast traffic is outside of the design specs.
C. Report that the broadcast traffic is within the design specs.
D. Report that the broadcast traffic is within the baseline specs.
Answer: A, B
Explanation:
A baseline is a measurement collected over an extended period under varying workloads and user
connections. It represents acceptable performance under typical operating conditions, shows how
resources are used during normal activity and makes it easier to spot problems when they occur,
which is why it is the reference point for troubleshooting performance issues. Design
specifications, by contrast, are the limits the network was built to meet. Here the design
specification requires broadcast traffic of 5 percent or less of total traffic, and the baseline
showed broadcast traffic of 1 percent or less during normal operation. The exhibit shows broadcast
traffic above 5 percent over the one-hour monitoring period, so it is outside the design
specification; because it is also above the 1 percent observed in the baseline, it is outside the
baseline specification as well. Both findings should be reported to management.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 14:42
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W.
Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293
Study
Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, pp. 94-112
Question: 22
You are the network administrator for Contoso, Ltd. The network contains a single Active Directory
domain named Contoso.net. All computers on the network are members of the domain.
Contoso, Ltd. has a main office and 20 branch offices. Each branch office has a connection to the
main office. Only the main office has a connection to the Internet.
You are planning a security update infrastructure for your network. You deploy a central Software
Update Services (SUS) server at the main office and an SUS server at each branch office. The
SUS server at the main office uses Windows Update to obtain security patches.
You want to minimize the amount of bandwidth used on the connection to the Internet and on the
connection between the offices to download security patches.
Which two actions should you take?
A. Configure the SUS servers at the branch office to use Windows Update to obtain security
patches.
B. Configure the SUS servers at the branch offices to use the central SUS server for updates.
C. Configure Automatic Updates on the SUS servers at the branch offices to use the central SUS
server for updates.
D. Configure Automatic Updates on all computers to use the SUS server on the local network.
E. Configure Automatic Updates on all computers to use the default update service location.
Answer: B, D
Explanation:
Configure the branch office SUS servers to synchronize from the SUS server in the main office
rather than from Windows Update. The main office SUS server is then the only system that
downloads updates over the Internet connection; each branch SUS server downloads the updates
once over its WAN link, and the client computers at every location download from the SUS server
on their own LAN. No update crosses the Internet connection or a WAN link more than once.
Incorrect Answers:
A: This is an unnecessary use of the internet connection.
C: You need to configure the SUS server software to download the updates, not automatic
updates.
E: The default update service location is Microsoft. This is an unnecessary use of the internet
connection.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 13: 8
Question: 23
You are the network administrator for Examsheets. The network consists of a single active
directory domain named Examsheets.net. All servers run Windows Server 2003. A server named
Examsheets2 functions as the mail server for the company. All users use Microsoft Outlook
Express as their email client.
An update to the company’s written security policy specifies that users must use encrypted
authentication while they are retrieving email messages from Examsheets2.
You need to comply with the updated policy. What should you do? (Choose three)
A. Configure the POP3 service on Examsheets2 to use Active Directory Integrated Authentication
B. Configure the SMTP virtual server on Examsheets2 to use Integrated Windows Authentication
C. Configure Outlook Express to use Secure Password Authentication (SPA)
D. Configure the SMTP virtual server on Examsheets2 to use Basic Authentication with Transport
Layer Security (TLS) encryption
E. Configure the POP3 service on Examsheets2 to require Secure Password Authentication (SPA)
for all connections
Answers: A, C, E
Explanation:
Active Directory integrated authentication incorporates the POP3 service into the existing Active
Directory domain, so users authenticate with their domain accounts. It supports both plaintext and
Secure Password Authentication (SPA) from e-mail clients. Plaintext authentication sends the user
name and password unencrypted, so it is not recommended; SPA makes the client prove the password
through a challenge-response exchange instead of sending it, which is what the policy's "encrypted
authentication" requirement calls for. We therefore configure the POP3 service on Examsheets2 to
use Active Directory integrated authentication and to require SPA for all connections, and configure
the Outlook Express clients to use SPA. Note that SPA protects only the credentials; the message
bodies retrieved over POP3 are still transmitted in clear text, which the stated policy does not
address.
Incorrect Answers:
B: Retrieving messages is done over POP3; the SMTP virtual server handles sending mail, so
configuring it does not satisfy the requirement.
D: Same as B. TLS on the SMTP virtual server protects submitted mail, not the retrieval of
messages over POP3.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure.
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan, and Lisa Justice; Mastering ™
Windows Server 2003.
Question: 24
You are the network admin for Examsheets. Your network contains 50 application servers that
run Windows Server 2003. The security configuration of the application servers is not uniform.
The application servers were deployed by local administrators who configured the setting for each
of the application servers differently based on their knowledge and skill. The application servers
are configure with different authentication methods, audit setting and account policy settings.
The security team recently completed a new network security design. The design includes a
baseline configuration for security settings on all servers. The baseline security settings use the
hisecws.inf predefined security template. The design also requires modified settings for servers in
an application role. These settings include system service startup requirements, renaming the
administrator account, and more stringent account lockout policies. The security team created a
security template named application.inf that contains the required settings.
You need to plan the deployment of the new security design. You need to ensure that all security
settings for the application servers are standardized, and that after the deployment, the security
settings on all application servers meet the design requirements. What should you do?
A. Apply the Setup security.inf template first, the hisecws.inf template next, and then the
application.inf template
B. Apply the Application.inf template and then the Hisecws.inf template.
C. Apply the Application.inf template first, then setup.inf template next, and then the hisecws.inf
template
D. Apply the Setup.inf template and then the application.inf template
Answer: A.
Explanation:
The servers currently have inconsistent security settings. Before applying the new settings we
return every server to its default, installation-time settings; that is what the Setup security.inf
template does. With the servers in a known default state we apply the baseline, hisecws.inf, and
finally the role-specific application.inf. A template applied later wins on every setting it has in
common with an earlier one, so the custom template must come last or its settings will be
overwritten by the baseline.
Incorrect Answers:
B: The hisecws.inf template would overwrite the settings of the custom application.inf template.
C: The order is wrong: application.inf must be applied last. Also, there is no setup.inf security
template; the template that returns a system to its default security settings is Setup security.inf.
D: There is no setup.inf security template, and the hisecws.inf baseline is never applied.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure.
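The following script is an added example, not part of the study guide, showing how the three-step order from answer A is applied on one server with secedit against a single security database, and how the result is checked afterwards. The directory and file names are assumptions; the template names are those from the scenario.

```powershell
# Added example, not code from the study guide: apply the three templates in the
# order the design requires, against one security database, and check each step.
# Later templates win on every setting they share with earlier ones, so the custom
# application.inf must come last. Directory and file names are assumptions.
$TemplateDir = 'C:\SecurityTemplates'
$Db  = Join-Path $TemplateDir 'appserver.sdb'
$Log = Join-Path $TemplateDir 'appserver.log'

# 1. built-in Setup security.inf (note the space in the name): installation defaults
# 2. built-in hisecws.inf: the baseline from the design
# 3. application.inf: the role-specific overrides (name taken from the scenario)
$order = @(
    (Join-Path $env:windir 'security\templates\Setup security.inf'),
    (Join-Path $env:windir 'security\templates\hisecws.inf'),
    (Join-Path $TemplateDir 'application.inf')
)

foreach ($inf in $order) {
    if (-not (Test-Path -LiteralPath $inf)) { throw "Template not found: $inf" }
    $secArgs = @('/configure', '/db', $Db, '/cfg', $inf, '/log', $Log, '/quiet')
    # /overwrite on the first template empties stale settings from the database;
    # the following templates are merged on top, so their values override earlier ones.
    if ($inf -eq $order[0]) { $secArgs += '/overwrite' }
    & secedit.exe @secArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit failed on '$inf' (exit code $LASTEXITCODE); see $Log" }
    Write-Host "Applied $(Split-Path -Leaf $inf)"
}

# Verify that the last template won: analyze the machine against application.inf.
# Assumption: the analysis log reports each differing setting on a line containing 'Mismatch'
# (the same results are shown in the Security Configuration and Analysis snap-in).
& secedit.exe /analyze /db $Db /cfg $order[2] /log $Log /quiet | Out-Null
$mismatches = @(Select-String -Path $Log -Pattern 'Mismatch' -SimpleMatch)
if ($mismatches.Count -eq 0) {
    Write-Host 'All application.inf settings are in effect.'
} else {
    $mismatches | ForEach-Object { Write-Warning $_.Line }
}
```

Setup security.inf is a large template intended for local application with secedit or the Security Configuration and Analysis snap-in; Microsoft advises against deploying it through Group Policy. The baseline and role templates, by contrast, are normally imported into GPOs so that they are reapplied at every policy refresh.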
Question: 25
You are the network administrator for an Active Directory domain. Examsheets’s written security
policy was updated and now requires a minimum of NTLMv2 for LAN Manager authentication.
You need to identify which operating systems on your network do not meet the new requirement.
Which operating system requires an upgrade to the OS or additional software to meet the requirement?
A. Windows 2000 Professional
B. Windows Server 2003
C. Windows XP Professional
D. Windows NT Workstation with service pack 5
E. Windows 95
Answer: E.
Explanation:
Windows 95 does not natively support NTLMv2 authentication. To enable it you would install the
Directory Services Client (DSClient) software, which adds NTLMv2 support to Windows 95 and
Windows 98 clients.
Incorrect Answers:
A, B, C, D: Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows NT
Workstation 4.0 with Service Pack 4 or later (so Service Pack 5 qualifies) natively support NTLMv2
authentication. Which level a computer actually uses is controlled by the LAN Manager
authentication level setting (the LmCompatibilityLevel registry value), which the security policy
can enforce; native support alone does not mean NTLMv2 is being used.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26
Question: 26
Examsheets has a single active directory domain named Examsheets.net.
The company’s written security policy requires that computers in a file server role must have a
minimum file size for event log settings. In the past, logged events were lost because the size of
the event log files was too small. You want to ensure that the event log files are large enough to
hold history. You also want the security event log to be cleared manually to ensure that no
security information is lost. The application log must clear events as needed.
You create a security template named fileserver.inf to meet the requirements. You need to test
each file server and take the appropriate corrective action if needed. You audit a file server by
using fileserver.inf and receive the results shown in the exhibit.
***MISSING***
You want to make only the changes that are required to meet the requirements. Which two
actions should you take?
A. Correct the maximum application log size setting on the file server
B. Correct the maximum security log size setting on the file server
C. Correct the maximum system log size setting on the file server
D. Correct the retention method for application log setting on the file server
E. Correct the retention method for the security log setting on the file server
F. Correct the retention method for the system log setting for the file server
Answers: B E
Explanation:
The Event Log area of a security template defines, for the application, security and system logs,
the maximum log size, the retention method (overwrite events as needed, overwrite events older
than a set number of days, or do not overwrite, meaning the log must be cleared manually) and
whether guests may read each log. Log size and retention must match the business and security
requirements: a security log that is too small, or one that overwrites itself, loses exactly the
evidence the policy wants kept. The audit against fileserver.inf shows the maximum security log
size and the security log retention method as the settings that do not match, so those two are
corrected on the file server.
Incorrect answers:
A, C, D, F: The requirements that must not be violated are that the security log is large enough
and is cleared manually. The application log is required to clear events as needed and the system
log only needs its minimum size; the audit shows these settings already comply, so changing them
would be more than the minimum change required.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 10
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:6
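As an added example (not from the study guide), the script below does the same comparison the template audit performs for the event log area, and then corrects only the settings that are out of specification, as the question requires. The minimum sizes stand in for whatever fileserver.inf specifies and are assumptions; the retention methods follow the stated policy. Limit-EventLog needs PowerShell 2.0 or later.

```powershell
# Added example (not from the study guide): audit a file server's event log
# settings against the stated requirements and correct only what is out of spec.
# The minimum sizes are assumptions standing in for the values in fileserver.inf.
$Requirements = @(
    # Security log: large, and never overwritten (must be cleared manually).
    @{ Log = 'Security';    MinKB = 81920; Overflow = 'DoNotOverwrite' },
    # Application log: large enough, overwrite oldest events as needed.
    @{ Log = 'Application'; MinKB = 16384; Overflow = 'OverwriteAsNeeded' },
    # System log: only a minimum size is required by the policy as stated.
    @{ Log = 'System';      MinKB = 16384; Overflow = $null }
)

function Get-EventLogFindings {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $logs = Get-EventLog -List -ComputerName $ComputerName
    foreach ($req in $Requirements) {
        $log = $logs | Where-Object { $_.Log -eq $req.Log }
        if (-not $log) { Write-Warning "$($req.Log) log not found on $ComputerName"; continue }
        if ($log.MaximumKilobytes -lt $req.MinKB) {
            New-Object PSObject -Property @{
                Log = $req.Log; Setting = 'MaximumSize'
                Current = "$($log.MaximumKilobytes) KB"; Required = "$($req.MinKB) KB"
            }
        }
        if ($req.Overflow -and $log.OverflowAction.ToString() -ne $req.Overflow) {
            New-Object PSObject -Property @{
                Log = $req.Log; Setting = 'RetentionMethod'
                Current = $log.OverflowAction.ToString(); Required = $req.Overflow
            }
        }
    }
}

function Repair-EventLogFindings {
    param([string]$ComputerName = $env:COMPUTERNAME, [switch]$WhatIf)
    foreach ($f in Get-EventLogFindings -ComputerName $ComputerName) {
        $req = $Requirements | Where-Object { $_.Log -eq $f.Log }
        Write-Host ("{0}: {1} is {2}, required {3}" -f $f.Log, $f.Setting, $f.Current, $f.Required)
        if ($WhatIf) { continue }
        switch ($f.Setting) {
            # -MaximumSize is in bytes and must be a multiple of 64 KB.
            'MaximumSize'     { Limit-EventLog -LogName $f.Log -ComputerName $ComputerName -MaximumSize ($req.MinKB * 1KB) }
            'RetentionMethod' { Limit-EventLog -LogName $f.Log -ComputerName $ComputerName -OverflowAction $req.Overflow }
        }
    }
}

# Report first, then fix; nothing that already complies is touched.
Repair-EventLogFindings -WhatIf
Repair-EventLogFindings
```

When the file servers receive fileserver.inf through a GPO, the template is the place to fix a deviation; a local change made this way is only a stop-gap until the next policy refresh reapplies whatever the GPO specifies.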
Question: 27
You are the administrator of the Examsheets company network. The network consists of a single
active directory domain. The network includes 50 servers running Windows Server 2003 and
1000 client computers running Windows XP Professional.
All client computers are in an organisational unit (OU) named Clients. All server computers are in
an organisational unit (OU) named Servers.
You discover that most of the servers are running the SMTP service and the Telnet service.
These services are not required and should be disabled.
What is the easiest way to ensure that the services are always disabled on the servers?
A. Use gpedit.msc to create a Group Policy object (GPO) to apply a logon script that disables the
unnecessary services. Link the GPO to the Servers OU.
B. Use gpedit.msc to create a Group Policy object (GPO) and import the Hisecws.inf security
template. Link the GPO to the Servers OU.
C. Use gpedit.msc to create a Group Policy object (GPO) to set the startup type of the
unnecessary services to Disabled. Link the GPO to the Servers OU.
D. Use gpedit.msc to create a Group Policy object (GPO) to apply a startup script to stop the
unnecessary services. Link the GPO to the Servers OU.
Answer: C
Explanation:
The servers are all in one OU, so they can be configured with a single Group Policy object. Under
Computer Configuration > Windows Settings > Security Settings > System Services, set the startup
type of the SMTP and Telnet services to Disabled and link the GPO to the Servers OU. Group Policy
reapplies the setting at every refresh, so the services stay disabled even if an administrator
re-enables one locally.
Incorrect Answers:
A: A logon script runs only when someone logs on to a server, and servers normally run with
nobody logged on.
B: The Hisecws.inf template hardens authentication, SMB signing and similar settings; it contains
no startup-type settings for the SMTP or Telnet services.
D: A startup script runs only when a server restarts, so a service re-enabled later stays enabled
until the next reboot. A startup type set in Group Policy is reapplied at every policy refresh.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 55
Question: 28
You are the administrator of the Examsheets company network. The network consists of a single
active directory domain. The network includes 30 servers running Windows Server 2003 and
2000 client computers running Windows XP Professional.
20 member servers are located in an organisational unit (OU) named Servers. 10 domain
controllers are in the default Domain Controllers container. All 2000 client computers are located
in an organizational unit (OU) named Clients.
The member servers are configured with the following security settings:
• Logon events must be audited.
• System events must be audited.
• Passwords for local user accounts must meet complexity requirements.
• Passwords must be changed every 30 days.
• Password history must be enforced.
• Connections to the servers must be encrypted.
The written security policy states that you need to be able to verify the custom security settings
during audits. You need to deploy and refresh the custom security settings on a routine basis.
What should you do?
A. Create a custom security template and apply it by using a Group Policy linked to the Servers
OU.
B. Create a custom security template and apply it by using a Group Policy linked to the domain.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A
Explanation:
The easiest way to deploy multiple security settings to a group of Windows Server 2003 computers
is to create a security template containing all the required settings and import it into a GPO. The
GPO applies the settings and reapplies them at every policy refresh, and the same template can be
used with Security Configuration and Analysis (or secedit /analyze) to verify the servers during an
audit. Because the settings, including the local account policy, are meant for the member servers
only, the GPO is linked to the Servers OU that contains them.
Incorrect Answers:
B: Linking the GPO to the domain would apply the settings to every computer in the domain,
including the domain controllers and the 2000 client computers. A password policy in a domain-linked
GPO also governs the domain accounts; the policy for local accounts on member servers must come
from a GPO linked at the OU level.
C: Administrative templates configure registry-based policies; audit, password and service settings
are security settings, which come from a security template.
D: A RIS image deploys the settings once, at installation; it cannot refresh them afterwards or
give you a way to verify them during audits.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 8
Question: 29
You are the administrator of the Examsheets company network. The network consists of a single
active directory domain named Examsheets.net. The network includes 20 servers running
Windows Server 2003 and 200 client computers running Windows XP Professional.
The company purchases 10 new servers to function as file servers for the domain.
You install Windows Server 2003 on the new servers. The computer accounts for the file servers
are located on an OU named File Servers. A security expert configures one of the servers named
ESFile1 with various security settings. You need to apply and maintain the same security settings
on the remaining 9 servers. You need to do this by using the minimum amount of administrative
effort. What should you do? (Choose two)
A. Use disk imaging software to take an image of ESFile1. Apply the disk image to the remaining
9 servers.
B. Use gpedit.msc to create a new Group Policy object (GPO). Manually configure the GPO with
the same security settings as ESFile1. Link the GPO to the File Servers OU.
C. Use gpedit.msc to create a new Group Policy object (GPO). Import the security template into
the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the
File Servers OU.
D. On the PDC Emulator, use Security Configuration and Analysis to export the security settings
to a security template.
E. On ESFile1, use Security Configuration and Analysis to export the security settings to a
security template.
Answer: C, E
Explanation:
The easiest way to configure multiple computers with multiple security settings is to use a GPO.
In this question we already have a computer configured with the required settings. On ESFile1 we
use Security Configuration and Analysis to export the settings to a security template, then import
the template into a GPO and link the GPO to the File Servers OU.
Incorrect Answers:
A: This could work (if the computer names and SIDs were changed after imaging), but there is a
catch in the question: you need to apply and maintain the security settings on the new file
servers. A GPO refreshes the settings periodically, which is what maintains them; an image applies
them only once.
B: This is a long way of doing it. Exporting the settings to a security template is easier and less
error-prone than copying them by hand.
D: The PDC emulator holds no copy of ESFile1's settings, so exporting from it would have no effect
on the file servers.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 8
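The script below is an added example, not code from the study guide, that ties together questions 25 to 29: it writes a security template in the .inf format the Security Templates snap-in produces, covering the audit and password settings of question 28, the disabled SMTP and Telnet services of question 27 and an NTLMv2-only LAN Manager authentication level for question 25; analyzes the local server against it; and finally shows the export step of question 29. The directory and file names are assumptions, as is the service ACL (the default service SDDL as written by Security Configuration and Analysis); the lockout and history values other than the 30-day age are illustrative.

```powershell
# Added example, not code from the study guide: author a template for the member-server
# settings listed above, analyze this machine against it, and export a hand-configured
# reference server's settings for import into a GPO. File names and the service ACL
# (the default service SDDL as written by Security Configuration and Analysis) are assumptions.
$Dir = 'C:\SecurityTemplates'
$TemplatePath = Join-Path $Dir 'memberservers.inf'

# Single-quoted here-string so that $CHICAGO$ is not expanded by PowerShell.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

; Local account policy for the member servers (30-day maximum age, complexity,
; history and lockout; the numeric values other than 30 are illustrative).
[System Access]
MaximumPasswordAge = 30
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
[Event Audit]
AuditLogonEvents = 3
AuditSystemEvents = 3

; Registry values: path=type,value with type 4 = REG_DWORD.
; LmCompatibilityLevel 5 = clients send only NTLMv2; servers refuse LM and NTLM.
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5

; Services: name,startup type,SDDL. Startup 2 = automatic, 3 = manual, 4 = disabled.
; SMTPSVC is the SMTP service and TlntSvr the Telnet service.
[Service General Setting]
SMTPSVC,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)"
TlntSvr,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)"
'@

New-Item -ItemType Directory -Path $Dir -Force | Out-Null
# Templates are Unicode text files; write it that way so secedit parses it.
$template | Out-File -FilePath $TemplatePath -Encoding Unicode

# Compare this server with the template without changing anything. Differences are
# listed in the log and in the Security Configuration and Analysis snap-in.
secedit /analyze /db (Join-Path $Dir 'memberservers.sdb') /cfg $TemplatePath /log (Join-Path $Dir 'analyze.log') /quiet

# Question 29: on the reference server (ESFile1), export its effective local security
# settings to a template, then import that .inf into the GPO linked to the File Servers OU
# (Computer Configuration > Windows Settings > Security Settings, right-click, Import Policy).
secedit /export /cfg (Join-Path $Dir 'esfile1-reference.inf') /log (Join-Path $Dir 'export.log') /quiet
```

Once the template is imported into the GPO, the same .inf doubles as the audit baseline: running the analysis above on any server in the OU shows every setting that has drifted from what the policy requires.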
Question: 30
You are a network administrator for Examsheets. The network consists of multiple physical
segments. The network contains two Windows Server 2003 computers named ExamsheetsSrvA
and ExamsheetsSrvB, and several Windows 2000 Server computers. ExamsheetsSrvA is
configured with a single DHCP scope for the 10.250.100.0/24 network with an IP address range
of 10.250.100.10 to 10.250.100.100
Several users on the network report that they cannot connect to file and print servers, but they
can connect to each other’s client computers. All other users on the network are able to connect
to all network resources. You run the ipconfig.exe /all command on one of the affected client
computers and observe the information in the following table:
IP Address           10.250.100.150
Subnet Mask          255.255.255.0
Default Gateway      (blank)
DHCP Server          ExamsheetsSrvB
DNS Server           (blank)
Primary WINS Server  (blank)
You need to configure all affected client computers so that they can communicate with all other
hosts on the network.
Which two actions should you take?
(Each correct answer presents part of the solution. Choose two)
A. Disable the DHCP service on ExamsheetsSrvB.
B. Increase the IP address range for the 10.250.100.0/24 scope on ExamsheetsSrvA.
C. Add global DHCP scope options to ExamsheetsSrvA for default gateway, DNS servers, and
WINS servers.
D. Delete all IP address reservation in the scope on ExamsheetsSrvA.
E. Run the ipconfig.exe /renew command on all affected client computers.
F. Run the ipconfig.exe /registerdns command on all affected client computers.
Answer: A, E
Explanation:
The exhibit shows that the affected computer received its IP configuration from ExamsheetsSrvB,
and that the configuration has no default gateway, DNS or WINS addresses. The address it was
given, 10.250.100.150, also lies outside the 10.250.100.10 to 10.250.100.100 range of the scope
on ExamsheetsSrvA, which confirms that the lease did not come from ExamsheetsSrvA.
ExamsheetsSrvB is misconfigured: it hands out addresses without the options clients need to
reach hosts on other segments (default gateway) or to resolve names (DNS, WINS). Hosts on the
same segment can still be reached directly and found by broadcast, which is why the affected
users can connect to each other's computers but not to the file and print servers. The other
clients have no problems, so they most likely get their configuration from ExamsheetsSrvA. We
could either correctly configure the DHCP service on ExamsheetsSrvB or disable it and use only
ExamsheetsSrvA; the only option offered is to disable the DHCP service on ExamsheetsSrvB, so
answer A is correct.
We then run ipconfig /renew on all affected client computers so that they obtain a new
configuration from ExamsheetsSrvA (if a renewal addressed to ExamsheetsSrvB fails, run
ipconfig /release first and then ipconfig /renew).
Incorrect Answers:
B: The client received its configuration from ExamsheetsSrvB, so the problem is with
ExamsheetsSrvB, not with the size of the scope on ExamsheetsSrvA.
C: Some client computers have no problems and most likely get their IP configuration from
ExamsheetsSrvA, so ExamsheetsSrvA is already correctly configured.
D: Reservations on ExamsheetsSrvA have nothing to do with a lease issued by ExamsheetsSrvB.
F: The affected client computers have no DNS server configured, so ipconfig /registerdns has
nothing to register with and will have no effect.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 2:44
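The diagnosis above comes down to reading ipconfig /all for the DHCP server that issued the lease and for missing options. The script below is an added example, not part of the study guide, that does this for every adapter and flags leases from servers that are not on the authorized list, or that lack a default gateway or DNS server. The sample output is constructed to match the affected client in the scenario, and the authorized-server list is an assumption.

```powershell
# Added example (not from the study guide): parse 'ipconfig /all' output and flag
# clients whose lease came from a DHCP server that is not authorized, or that is
# missing a gateway or DNS server. The sample output below is constructed to
# match the affected client in the scenario; the authorized-server list is an assumption.
$AuthorizedDhcpServers = @('ExamsheetsSrvA', '10.250.100.2')

function Get-IpconfigAdapters {
    param([string[]]$Lines)
    $adapters = @(); $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^\S.*adapter (.+):\s*$') {          # adapter header (not indented)
            $cur = @{ Name = $Matches[1]; DHCP = ''; Gateway = ''; DNS = ''; IP = '' }
            $adapters += $cur                                  # hashtable is a reference; later edits show up in the array
        } elseif ($cur -and $line -match '^\s+([^.:]+?)[ .]*:\s*(.*)$') {
            $key = $Matches[1].Trim(); $val = $Matches[2].Trim()
            switch -Regex ($key) {
                '^IP Address'       { $cur.IP = $val }
                '^Default Gateway'  { $cur.Gateway = $val }
                '^DHCP Server'      { $cur.DHCP = $val }
                '^DNS Servers'      { $cur.DNS = $val }
            }
        }
    }
    $adapters
}

function Test-DhcpLease {
    param([string[]]$Lines, [string[]]$Authorized = $AuthorizedDhcpServers)
    foreach ($a in Get-IpconfigAdapters $Lines) {
        $problems = @()
        if ($a.DHCP -and $Authorized -notcontains $a.DHCP) { $problems += "lease from unauthorized DHCP server $($a.DHCP)" }
        if (-not $a.Gateway) { $problems += 'no default gateway' }
        if (-not $a.DNS)     { $problems += 'no DNS server' }
        New-Object PSObject -Property @{
            Adapter = $a.Name; IP = $a.IP; DhcpServer = $a.DHCP; Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample, shaped like ipconfig /all on the affected client.
$sampleText = @'
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.250.100.150
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : ExamsheetsSrvB
        DNS Servers . . . . . . . . . . . :
'@
$sample = $sampleText -split "`r?`n"

Test-DhcpLease $sample | Format-List
# On a live machine:  Test-DhcpLease (ipconfig /all)
```

Active Directory authorization of DHCP servers only shuts down unauthorized Windows 2000 and Windows Server 2003 DHCP servers that are domain members; an authorized server with a badly defined scope, like ExamsheetsSrvB here, still answers clients, which is why a client-side check of the issuing server and the delivered options is still worth having.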
Question: 31
You are the network administrator for Examsheets. You need to provide Internet name resolution
services for the company. You set up a Windows Server 2003 computer running the DNS Server
service to provide this network service.
During testing, you notice the following intermittent problems:
• Name resolution queries sometimes take longer than one minute to resolve.
• Some valid name resolution queries receive the following error message in the Nslookup
command-line tool: “Non-existent domain”.
You suspect that there is a problem with name resolution.
You need to review the individual queries that the server handles. You want to configure
monitoring on the DNS server to troubleshoot the problem.
What should you do?
A. In the DNS server properties, on the Debug Logging tab, select the Log packets for
debugging option.
B. In the DNS server properties, on the Event Logging tab, select the Errors and warnings
option.
C. In the System Monitor, monitor the Recursive Query Failure counter in the DNS object.
D. In the DNS server properties, on the Monitoring tab, select the monitoring options.
Answer: A
Explanation:
If you need to see the individual queries the server handles, enable debug logging on the Debug
Logging tab of the DNS server properties. You can choose to log packets based on:
• their direction, outbound or inbound;
• the transport protocol, TCP or UDP;
• their contents: queries/transfers, updates, or notifications;
• their type, requests or responses;
• their IP address (filtering).
Finally, you can choose to include detailed packet contents.
Note:
Debug logging is the only one of the listed options that records details of individual packets.
Incorrect Answers:
B: The Event Logging tab allows you to restrict the events written to the DNS Events log file to
only errors or to only errors and warnings, also it allows you to disable DNS logging.
C: This option allows you to view the total number of recursive query failures
D: The Monitoring tab of the DNS server properties dialog box allows you to check basic DNS
functionality with two simple tests: a simple query against the local DNS server and a recursive
query to the root DNS servers.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, Chapter 5
Troubleshooting DNS servers: using server debug logging options
The following DNS debug logging options are available:
• Direction of packets
  Send: packets sent by the DNS server are logged in the DNS server log file.
  Receive: packets received by the DNS server are logged in the log file.
• Content of packets
  Standard queries: packets containing standard queries (per RFC 1034) are logged in the DNS server log file.
  Updates: packets containing dynamic updates (per RFC 2136) are logged in the DNS server log file.
  Notifies: packets containing notifications (per RFC 1996) are logged in the DNS server log file.
• Transport protocol
  UDP: packets sent and received over UDP are logged in the DNS server log file.
  TCP: packets sent and received over TCP are logged in the DNS server log file.
• Type of packet
  Request: request packets are logged (a request packet has the QR bit set to 0 in the DNS message header).
  Response: response packets are logged (a response packet has the QR bit set to 1 in the DNS message header).
• Enable filtering based on IP address: provides additional filtering of the packets logged, so that only
  packets sent from specific IP addresses to the DNS server, or from the DNS server to specific IP
  addresses, are logged.
• File name: lets you specify the name and location of the DNS server log file. For example, dns.log
  specifies that the DNS server log file should be saved as dns.log under the systemroot directory.
Question: 32
You are a network administrator for Examsheets. Examsheets has a main office and two branch
offices. The branch offices are connected to the main office by T1 lines. The network consists of
three Active Directory sites, one for each office. All client computers run either Windows 2000
Professional or Windows XP Professional. Each office has a small data center that contains
domain controllers, WINS, DNS, and DHCP servers, all running Windows Server 2003.
Users in all offices connect to a file server in the main office to retrieve critical files. The network
team reports that the WAN connections are severely congested during peak business hours.
Users report poor file server performance during peak business hours. The design team is
concerned that the file server is a single point of failure. The design team requests a plan to
alleviate the WAN congestion during business hours and to provide high availability for the file
server.
You need to provide a solution that improves file server performance during peak hours and that
provides high availability for file services. You need to minimize bandwidth utilization.
What should you do?
A. Purchase two high-end servers and a shared fiber-attached disk array.
Implement a file server cluster in the main office by using both new servers and the shared
fiber-attached disk array.
B. Implement Offline Files on the client computers in the branch offices by using Synchronization
Manager.
Schedule synchronization to occur during off-peak hours.
C. Implement a stand-alone Distributed File System (DFS) root in the main office.
Implement copies of shared folders for the branch offices.
Schedule replication of shared folders to occur during off-peak hours by using scheduled tasks.
D. Implement a domain Distributed File System (DFS) root in the main office.
Implement DFS replicas for the branch offices.
Schedule replication to occur during off-peak hours.
Answer: D
Explanation:
A DFS root is a virtual folder whose links point to shared folders on one or more servers. The
configuration of a domain DFS root is stored in Active Directory, so users open a single
\\domainname\rootname path and never need to know which physical server hosts a given share.
A DFS replica (link target) is a second server hosting a copy of the same shared folder. With a
domain root we can configure File Replication Service (FRS) replication between the targets and
schedule it to run outside business hours. Clients are referred to a target in their own Active
Directory site first, so users in each office read the files from the replica in their own office
rather than across the WAN, and if the main office file server fails the remaining targets still
serve the share.
Incorrect Answers:
A: A cluster in the main office gives high availability, but the branch offices still read every file
over the congested WAN links, so bandwidth is not reduced.
B: Offline Files caches copies on each client, but the single file server remains a single point of
failure.
C: FRS replication of DFS targets is available only with a domain root; a stand-alone root with
copies made by scheduled tasks gives neither automatic failover nor a single namespace that leads
users to the local copy.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 15
Question: 33
You are a network administrator for Woodgrove Bank. All servers run Windows Server 2003. The
company uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used.
A user on a server named Server2 reports that when she attempts to map a network drive to a
shared folder on a server named Server5 by name, she receives the following error message:
“System error 67 has occurred. The network name cannot be found”. The user was previously
able to map network drives by name to shared folders on Server5 from Server2.
You run the ping command on Server2 to troubleshoot the problem. The results of your
troubleshooting are shown in the exhibit.
You need to allow the user on Server2 to connect to resources on Server5 both by name and by
address.
What are two possible ways to achieve this goal? (Each correct answer presents a complete
solution. Choose two)
A. On Server2, purge and reload the remote NetBIOS cache name table.
B. Re-register Server5 with WINS.
C. On Server2, run the ipconfig command with the /flushdns option.
D. On Server5, run the ipconfig command with the /renew option.
E. On Server5, run the ipconfig command with the /registerdns option.
Answer: B, E
Explanation:
Server5 does not answer by DNS name or by IP address, which means either it is offline or its IP
address has changed while it is still registered with the old address (192.168.202.8).
Ipconfig /registerdns will register Server5 in DNS, and re-registering with WINS will register the
server with WINS.
Incorrect Answers:
A: Purging and reloading the remote NetBIOS cache name table is the NetBIOS equivalent of option
C. This is not going to allow a user on Server2 to connect to resources on Server5 both by name
and by address.
C: Ipconfig /flushdns flushes the DNS cache. Flushing the DNS cache is not the same as
registering.
D: Ipconfig /renew attempts to renew the DHCP lease. This is not what is required.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4: 60
Question: 34
You are the network administrator for Examsheets. The company has a main office and two
branch offices.
The network in the main office contains 10 servers and 100 client computers. Each branch office
contains 5 servers and 50 client computers. Each branch office is connected to the main office by
a direct T1 line.
The network design requires that company IP addresses must be assigned from a single classful
private IP address range. The network is assigned a class C private IP address range to allocate
IP addresses for servers and client computers.
Examsheets acquires a company named Acme. The acquisition will increase the number of
servers to 20 and the number of client computers to 200 in the main office. The acquisition is
expected to increase the number of servers to 20 and the number of client computers to 200 in
the branch offices. The acquisition will also add 10 more branch offices. After the acquisition, all
branch offices will be the same size. Each branch office will be connected to the main office by a
direct T1 line. The new company will follow the Examsheets network design requirements.
You need to plan the IP addressing for the new company. You need to comply with the network
design requirement.
What should you do?
A. Assign the main office and each branch office a new class A private IP address range.
B. Assign the main office and each branch office a new class B private IP address range.
C. Assign the main office and each branch office a subnet from a new class B private IP address
range.
D. Assign the main office and each branch office a subnet from the current class C private IP
address range.
Answer: C
Explanation:
After the expansion the situation will be:
• Main office
o Need 220 IP, 20 for servers and 200 for clients
• Branch Offices
o Need 220 IP, 20 for servers and 200 for clients
o We will have 12 branch offices
o 12 x 220 = 2640
Total for all offices is 2640 + 220 = 2860.
The network design requires that company IP addresses must be assigned from a single classful
private IP address range. We can subnet a private Class B address range into enough subnets to
accommodate each office. There are various ways of doing this, but one way would be to subnet
the class B address into subnets using a 24 bit subnet mask. This would allow up to 254 IP
addresses per subnet and up to 254 subnets.
Incorrect Answers:
A: The network design requires that company IP addresses must be assigned from a single
classful private IP address range.
B: The network design requires that company IP addresses must be assigned from a single
classful private IP address range.
D: The class C network doesn’t have enough IP addresses to accommodate all the computers in
all the offices.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 2: 23-26
Question: 35
You are a network administrator for Examsheets. The internal network has an Active
Directory-integrated zone for the Examsheets.net domain. Computers on the internal network use the
Active Directory-integrated DNS service for all host name resolution.
The Examsheets Web site and DNS server are hosted at a local ISP. The public Web site for
Examsheets is accessed at www.Examsheets.net. The DNS server at the ISP hosts the
Examsheets.net domain.
To improve support for the Web site, Examsheets wants to move the Web site and DNS service
from the ISP to the company’s perimeter network. The DNS server on the perimeter network must
contain only the host resource records for computers on the perimeter network.
You install a Windows Server 2003 computer on the perimeter network to host the DNS service
for the Examsheets.net domain. You need to ensure that the computers on the internal network
can properly resolve host names for all internal resources, all perimeter resources, and all
Internet resources.
Which two actions should you take?
(Each correct answer presents part of the solution. Choose two)
A. On the DNS server that is on the perimeter network, install a primary zone for Examsheets.net.
B. On the DNS server that is on the perimeter network, install a stub zone for Examsheets.net.
C. Configure the DNS server that is on the internal network to conditionally forward lookup
requests to the DNS server that is on the perimeter network.
D. Configure the computers on the internal network to use one of the internal DNS servers as the
preferred DNS server.
Configure the TCP/IP settings on the computers on the internal network to use the DNS server
on the perimeter network as an alternate DNS server.
E. On the DNS server that is on the perimeter network, configure a root zone.
Answer: A, C
Explanation:
By configuring a primary zone for examsheets.net on a DNS server in the perimeter network, we
have a DNS server that can resolve requests for the www.examsheets.net website. To enable
users on the LAN to quickly resolve examsheets.net resources, we can configure conditional
forwarding on the internal examsheets.org server so that requests for examsheets.net resources
get forwarded straight to the perimeter network DNS server.
Incorrect Answers:
B: A stub zone is no good to us here. The perimeter DNS server must be authoritative for the
examsheets.net domain. Therefore, we need a primary zone on the perimeter DNS server.
D: As long as the internal DNS servers are working, the external DNS server will never be used.
Internal clients will not be able to resolve www.examsheets.net.
E: There is no need to configure a root zone on the perimeter network DNS server.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure.
Question: 36
You are the systems engineer for Examsheets. The network consists of a single Active Directory
domain named Examsheets.net. All servers run Windows Server 2003. A Windows Server 2003
computer named EXAMSHEETSDNS1 functions as the internal DNS server and has zone
configured as shown in the exhibit.
The network is not currently connected to the Internet. Examsheets maintains a separate network
that contains publicly accessible Web and mail servers. These Web and mail servers are
members of a DNS domain named Examsheets.net. The Examsheets.net zone is hosted by a
UNIX-based DNS server named UNIXDNS, which is running the latest version of BIND.
The company plans to allow users of the internal network to access Internet-based resources.
The company’s written security policy states that resources located on the internal network must
never be exposed to the Internet. The written security policy states that the internal network’s
DNS namespace must never be exposed to the Internet. To meet these requirements, the design
specifies that all name resolution requests for Internet-based resources from computers on the
internal network must be sent from EXAMSHEETSDNS1. The current design also specifies that
UNIXDNS must attempt to resolve any name resolution requests before sending them to name
servers on the Internet.
You need to plan a name resolution strategy for Internet access. You need to configure
EXAMSHEETSDNS1 so that it complies with company requirements and restrictions.
What should you do?
A. Delete the root zone from EXAMSHEETSDNS1.
Configure EXAMSHEETSDNS1 to forward requests to UNIXDNS.
B. Copy the Cache.dns file from the Windows Server 2003 installation CD-ROM to the
C:\Windows\System32\Dns folder on EXAMSHEETSDNS1.
C. Add a name server (NS) resource record for UNIXDNS to your zone.
Configure UNIXDNS with current root hints.
D. On EXAMSHEETSDNS1, configure a secondary zone named Examsheets.net that uses
UNIXDNS as the master server.
Configure UNIXDNS to forward requests to your ISP’s DNS servers.
Answer: A
Explanation:
We need to delete the root zone from the internal DNS server. This will enable us to configure the
server to forward internet name resolution requests to the external DNS server (UNIXDNS). A
DNS server configured to use a forwarder will behave differently than one that is not configured to
use it. A DNS server configured to use a forwarder behaves as follows:
• When the DNS server receives a query, it first attempts to resolve the query using the primary
and secondary zones that it hosts and its cache.
• If the query cannot be resolved from this local data, it forwards the query to the DNS server
designated as the forwarder.
• The DNS server waits briefly for an answer from the forwarder before attempting to contact the
DNS servers specified in its root hints.
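An added example, not part of the original exam material, that models the resolution order just described: a server hosting a root zone answers every unknown name itself and never forwards, while deleting that zone lets the forwarder (UNIXDNS) and the cache take over. The zone contents, the name www.example.org and all addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ROOT_ZONE = "."
Lookup = Callable[[str], Optional[str]]


@dataclass
class DnsServer:
    """Minimal model of a DNS server: hosted zones, cache, forwarder, root hints."""
    name: str
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)  # zone -> {fqdn: address}
    cache: Dict[str, str] = field(default_factory=dict)
    forwarder: Optional[Lookup] = None    # asked after local data fails
    root_hints: Optional[Lookup] = None   # asked only if the forwarder gives no answer

    def authoritative_zone(self, fqdn: str) -> Optional[str]:
        """Most specific hosted zone covering fqdn; a hosted root zone covers every name."""
        best = None
        for zone in self.zones:
            covers = zone == ROOT_ZONE or fqdn == zone or fqdn.endswith("." + zone)
            if covers and (best is None or len(zone) > len(best)):
                best = zone
        return best

    def resolve(self, fqdn: str) -> Tuple[Optional[str], str]:
        """Return (address or None, where the answer came from) in the documented order."""
        zone = self.authoritative_zone(fqdn)
        if zone is not None:
            # Authoritative data is final: a missing record is answered as
            # "no such name" and the query is never forwarded. This is why a
            # root zone on the internal server blocks all Internet resolution.
            return self.zones[zone].get(fqdn), f"zone {zone}"
        if fqdn in self.cache:
            return self.cache[fqdn], "cache"
        for source, lookup in (("forwarder", self.forwarder), ("root hints", self.root_hints)):
            if lookup is None:
                continue
            answer = lookup(fqdn)
            if answer is not None:
                self.cache[fqdn] = answer   # positive answers are cached for next time
                return answer, source
        return None, "unresolved"


def build_internal_server(with_root_zone: bool) -> DnsServer:
    """EXAMSHEETSDNS1 forwarding to UNIXDNS; every name and address here is constructed."""
    # UNIXDNS hosts the public zone and has root hints (modelled as a lookup table).
    internet = {"www.example.org": "198.51.100.7"}
    unixdns = DnsServer(
        "UNIXDNS",
        zones={"examsheets.net": {"www.examsheets.net": "203.0.113.10"}},
        root_hints=internet.get,
    )
    zones = {"examsheets.net": {"dc1.examsheets.net": "10.0.0.5"}}
    if with_root_zone:
        zones[ROOT_ZONE] = {}   # the root zone that option A tells us to delete
    return DnsServer(
        "EXAMSHEETSDNS1",
        zones=zones,
        forwarder=lambda fqdn: unixdns.resolve(fqdn)[0],
    )


if __name__ == "__main__":
    for with_root in (True, False):
        server = build_internal_server(with_root)
        print(f"root zone hosted: {with_root}")
        for name in ("dc1.examsheets.net", "www.example.org", "www.example.org"):
            print(f"  {name:22} -> {server.resolve(name)}")
```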
Incorrect Answers:
B: The Cache.dns file contains the IP addresses of the internet root DNS servers. We don’t want
the internal DNS server to query the root DNS servers, so we don’t need the cache.dns file.
C: Unixdns already has root hints. An NS record on the internal DNS server won’t fulfill the
requirements of the question.
D: We don’t need a secondary zone on the internal DNS server. All external resolution requests
must be forwarded to the external DNS server.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure.
Question: 37
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The network contains two IP subnets connected by a
Windows Server 2003 computer running Routing and Remote Access. All servers run Windows
Server 2003. All client computers run Windows XP Professional.
Each subnet contains a domain controller. Each subnet contains a DHCP server, which provides
TCP/IP configuration information to the computers on only its subnet. The relevant portion of the
network is shown in the exhibit.
You recently implemented a Microsoft Internet Security and Acceleration (ISA) Server 2000 array
on the network to provide Internet connectivity. The ISA Server array uses Network Load
Balancing on the internal adapters. The array’s Network Load Balancing cluster address is
172.30.32.1. You configure the DHCP server on Subnet1 to provide the array’s Network Load
Balancing cluster address as the default gateway. You configure the DHCP server on Subnet2 to
provide the IP address 172.30.64.1 as the default gateway for Subnet2.
Users on Subnet2 report that they cannot connect to Internet-based resources. They can
successfully connect to resources located on Subnet1. Users on Subnet1 can successfully
connect to Internet-based resources. You investigate and discover that no Internet requests from
computers on Subnet2 are being received by the ISA Server array.
You need to provide Internet connectivity to users on Subnet2.
What should you do?
A. Configure the DHCP server on Subnet2 to provide the address 172.30.32.1 as the default
gateway.
B. Configure the DHCP server on Subnet2 to provide the address 172.30.32.2 as the default
gateway.
C. On the Routing and Remote Access server, add a default route to 172.30.32.1.
D. On the Routing and Remote Access server, add a default route to 131.107.72.17.
Answer: C
Explanation:
The routing and remote access server knows how to route traffic between subnet 1 and subnet 2.
However, it doesn’t know how to route traffic to the internet. We can fix this by adding a default
route on the routing and remote access server. The default route will tell the routing and remote
access server that any traffic that isn’t destined for subnet1 or subnet2 (i.e. any external
destination) should be forwarded to the internal interface of the ISA server (172.30.32.1).
Incorrect Answers:
A: 172.30.32.1 isn’t on the same subnet as subnet2. Therefore, the clients on subnet2 cannot
use this address as their default gateway.
B: 172.30.32.2 isn’t on the same subnet as subnet2. Therefore, the clients on subnet2 cannot
use this address as their default gateway. Furthermore, this address isn’t the internal address
of the ISA server.
D: The default route needs to forward traffic to the internal interface of the ISA server.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 15:30
Question: 38
You are the systems engineer for Examsheets GmbH. The network consists of three Windows NT
4.0 domains in a master domain model configuration. The servers on the network run either
Windows NT Server 4.0 or Windows 2000 Server. All domain controllers run Windows NT Server
4.0.
The network also contains 10 UNIX-based application servers. All host name resolution services
are provided by a UNIX-based server running the latest version of BIND, which currently hosts
the zone for the Examsheets.net domain. All NetBIOS name resolution services are provided by
two Windows 2000 Server WINS servers.
The company is in the process of migrating to a single Windows Server 2003 Active Directory
domain based network. The new domain is named Examsheets-ad.net, and it will be hosted in an
Active Directory integrated zone that is stored on the domain controllers. Servers that are not
domain controllers will not be updated at this time. The migration plan requires that all computers
must use DNS to resolve host names, and that there must be redundancy for the Windows-based
DNS servers.
You upgrade the domain controllers in the master domain to Windows Server 2003. You also
migrate all user and computer accounts to the new Active Directory domain. The DNS zone on
the Windows Server 2003 computers is configured as shown in the exhibit.
You now need to configure the required redundancy between the Windows-based DNS servers
and the UNIX-based DNS server. You need to ensure that there will be no service interruption on
any of the DNS server computers.
Which two actions should you take?
(Each correct answer presents part of the solution. Choose two)
A. On a Windows Server 2003 DNS server, create a secondary zone that uses the UNIX-based
DNS server as the master server.
B. On the UNIX-based DNS server, create a secondary zone that uses a Windows-based DNS
server as the master server.
C. On a Windows Server 2003 DNS server, create a stub zone that uses the UNIX-based DNS
server as the master server.
D. Add a delegation in the Examsheets.net zone that delegates authority of the Examsheets-ad.net
zone to a Windows Server 2003 DNS server.
E. Configure the Examsheets-ad.net zone to not replicate WINS-specific resource records during
zone transfers.
Answer: B, E
Explanation:
This is a trick question because it is asking for redundancy for the Windows Server 2003 DNS
servers. We can provide this by configuring the UNIX DNS server to resolve names in the
Examsheets-ad.net domain.
With a secondary zone on the UNIX DNS server, the UNIX DNS server will be able to resolve
host name resolution requests in the Examsheets-ad.net domain. The Examsheets-ad.net DNS
is configured to query WINS if required. When configuring a UNIX DNS server with a secondary
zone, we should configure the zone to not replicate WINS-specific resource records during zone
transfers.
Incorrect Answers:
A: This would provide redundancy for the UNIX server; the question isn’t asking for that.
C: This won’t provide any redundancy.
D: Examsheets-ad.net isn’t a subdomain of Examsheets.net so no delegation is required.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering
Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 436-437
Question: 39
You are a network administrator for Examsheets. The network consists of a single Active
Directory forest that contains one root domain and multiple child domains. The functional level of
all child domains is Windows Server 2003. The functional level of the root domain is Windows
2000 native.
You configure a Windows Server 2003 computer named Examsheets1 to be a domain controller
for an existing child domain. Examsheets1 is located at a new branch office, and you connect
Examsheets1 to a central data center by a persistent VPN connection over a DSL line.
Examsheets1 has a single replication connection with a bridgehead domain controller in the
central data center.
You configure DNS on Examsheets1 and create secondary forward lookup zones for each
domain in the forest.
You need to minimize the amount of traffic over the VPN connection caused by logon activities.
What are two possible ways to achieve this goal? (Each correct answer presents a complete
solution. Choose two)
A. Configure the DNS zones to be Active Directory-integrated zones.
B. Configure Examsheets1 to be the PDC emulator for the domain.
C. Configure Examsheets1 to be a global catalog server.
D. Configure universal group membership caching on Examsheets1.
Answer: C, D
Explanation:
Logon traffic over the VPN is caused by the local domain controller retrieving universal group
information from a global catalog server. We can reduce this traffic by either configuring
Examsheets1 to be a global catalog server, or by enabling universal group membership caching
on Examsheets1.
A global catalog server stores information about all objects in the forest, but not their attributes,
so that applications can search Active Directory without referring to specific domain controllers
that store the requested data. Universal group membership caching, on the other hand, allows the
domain controller to cache universal group membership information for users. This eliminates the
need for a global catalog server at every site in a domain, which minimizes network bandwidth
usage because a domain controller does not need to replicate all of the objects located in the
forest. It also reduces logon times because the authenticating domain controllers do not always
need to access a global catalog to obtain universal group membership information.
Incorrect Answers:
A: Logon traffic over the VPN is caused by the local domain controller retrieving universal group
information from a global catalog server. It is not caused by DNS replication.
B: The PDC emulator isn’t used in the logon process (except for down-level clients).
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 5
Question: 40
You are the network admin for Contoso. The network consists of a single Active Directory domain
named contoso.net. The domain is supported by an Active Directory-integrated zone that allows
only secure updates.
The contoso.net domain is configured as two Active Directory sites named MainOffice and
Branch1.
Branch1 contains a single Windows Server 2003 domain controller named Server1 that is not a
DNS server. There is a single subnet of 192.168.10.0/24 in Branch1 that contains all client
computers and servers in the site.
Branch1 is connected to MainOffice by a single low-bandwidth WAN connection that is often
saturated.
Users in Branch1 are normally authenticated by Server1. Users in Branch1 report that they are
experiencing unusually long logon times. You discover that Branch1 users are being
authenticated by domain controllers in MainOffice. You run the nslookup command to query the
SRV records for Branch1 and receive the following output:
srv hostname = Server1.contoso.net
Server1.contoso.net internet address = 192.168.10.65
You run the ipconfig command on server1 and receive the following:
IP address: 192.168.10.32
Subnet mask: 255.255.255.0
Default Gateway: 192.168.10.1
You want server1 to resume authenticating all clients in Branch1. What should you do?
A. Run the ipconfig.exe /registerdns command on server1
B. Run the ipconfig.exe /flushdns command on server1
C. Stop and restart the Netlogon service on server1
D. Stop and restart the net logon service on clients in Branch1
Answer: C
Explanation:
The DNS record shows the wrong IP address for Server1. We need to configure the DNS with the
correct information. Because server1 is a domain controller, we need to register the A records
and the SRV records. The Net Logon service on a domain controller registers the DNS resource
records required for the domain controller to be located in the network every 24 hours. To initiate
the registration performed by Net Logon service manually, you can restart the Net Logon service.
Incorrect Answers:
A: This command will only register the A records. The client computers locate the domain
controller by querying SRV records.
B: This will flush the local DNS client cache. This won’t solve the problem.
D: We need to restart the Netlogon service on server1, not the clients.
Reference:
J. C. Mackin, Ian McLean; MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.
Question: 41
You are the network admin for Examsheets. Your network contains 3 subnets. All servers have
manually assigned IP addresses while all clients are configured to receive an address from a
DHCP server. The DHCP server is located in Site 1. The DHCP server has a scope configured
for each subnet.
Users in Site 2 and Site 3 are complaining that periodically they cannot connect to resources
located on any subnet. You discover that during times of peak usage users are receiving an IP
address in the 169.254.x.x address range.
You need to ensure that all client computers receive an address from their subnet even during
times of peak usage. What should you do?
A. Install one DHCP server in site 2 and site 3. On each DHCP server, configure identical scopes
for each subnet
B. Install one DHCP server in Site 2 and Site 3. On each DHCP server configure a single subnet
specific scope
C. Configure a DHCP Relay agent on Site 2 and Site 3
D. Configure a GPO on the domain that disables APIPA
Answer: B
Explanation:
It appears that during times of peak usage, the DHCP server and/or the subnet containing the
DHCP server cannot cope with the load. The clients in sites 2 and 3 are unable to receive an IP
configuration from the DHCP server and so configure themselves with an APIPA configuration.
We can ease the load on the DHCP server and subnet 1 by installing DHCP servers in Site 2 and
Site 3. The DHCP servers must be configured with a single scope specific to the subnet.
Incorrect Answers:
A: We cannot have DHCP servers with identical scopes. This would lead to duplicate IP
addresses on the network.
C: The clients can connect to the DHCP server during less busy times. Therefore, a DHCP Relay
Agent is either already installed or isn’t required.
D: Disabling APIPA won’t ease the load on the DHCP server.
Reference:
J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft
Press, Redmond, Washington, Chapter 4.
Question: 42
ExamSheets uses WINS and DNS for name resolution. The LMHosts and Hosts files are not
used.
A user named Smith on a server named ExamSheets2 reports that when she runs a script to transfer
files to a server named ExamSheets5, she receives the following error: “Unknown Host
ExamSheets5”. You use ExamSheets2 to troubleshoot the problem. The results of your
troubleshooting show that the nslookup utility replies with an address of 192.168.1.8. When you
try to ping ExamSheets5, the reply times out and shows a different IP address.
You need to allow Smith on ExamSheets2 to use the script on ExamSheets5.
What should you do?
A. Re-register ExamSheets5 with WINS
B. On ExamSheets5 run the ipconfig /registerdns command
C. On ExamSheets2 run the ipconfig /flushdns command
D. On ExamSheets2, purge and reload the remote NetBIOS cache name table
Answer: A
Explanation:
The nslookup utility replies with an address of 192.168.1.8. This is probably the correct address.
When you ping ExamSheets5, it times out and shows a different IP address. This is an incorrect
address that was resolved using a WINS lookup. As the address in the WINS database is wrong,
we need to re-register ExamSheets5 with WINS.
Incorrect Answers:
B: The address of ExamSheets5 stored in DNS is likely to be correct, so it doesn’t need to be
re-registered.
C: Nslookup returns an address of ExamSheets5 that is likely to be correct. We know this
because the ping test fails with a different IP address. Therefore, the locally cached IP address
is likely to be correct, so the cache doesn’t need to be cleared.
D: We would need to purge the local NetBIOS name cache, not the remote cache.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure.
Question: 43
You are the administrator of the Examsheets company network. The network consists of a single
active directory domain. The network includes 20 servers running Windows Server 2003 and 200
client computers running Windows XP Professional. The office uses a single class C private IP
address range. The company announces a major expansion. Examsheets will open 12 branch
offices. The 12 branch offices will connect to the existing office by direct T1 lines. Each branch
office will have the same number of computers as the main office.
You need to plan the IP addressing for the new company. You want to assign all company IP
addresses from a single classful private IP address range.
What should you do?
A. Assign each office a new class C private IP address range.
B. Assign each office a new class B private IP address range.
C. Assign each office a subnet from a new class B private IP address range.
D. Assign each office a subnet from the current class C private IP address range.
Answer: C
Explanation:
The network design requires that company IP addresses must be assigned from a single classful
private IP address range. We can subnet a private Class B address range into enough subnets to
accommodate each office. There are various ways of doing this, but one way would be to subnet
the class B address into subnets using a 24 bit subnet mask. This would allow up to 254 IP
addresses per subnet and up to 254 subnets.
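An added worked example, not part of the original exam material, covering the calculation behind this answer and the identical one in Question 34: carve one /24 per office out of a single private class B network, and show why the existing class C range cannot supply thirteen such subnets. The choice of 172.16.0.0/16 as the class B network and the office names are constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable

# Constructed from the scenario: a main office plus 12 branch offices,
# each needing 20 server + 200 client addresses.
OFFICES = ["main"] + [f"branch{i}" for i in range(1, 13)]
HOSTS_PER_OFFICE = 20 + 200


def usable_hosts(network: ipaddress.IPv4Network) -> int:
    """Usable host addresses: the whole block minus the network and broadcast addresses."""
    return max(network.num_addresses - 2, 0)


def prefix_for_hosts(hosts: int) -> int:
    """Longest (most specific) prefix whose subnet still holds `hosts` usable addresses."""
    for prefixlen in range(30, -1, -1):
        if (2 ** (32 - prefixlen)) - 2 >= hosts:
            return prefixlen
    raise ValueError(f"no IPv4 prefix can hold {hosts} hosts")


def plan_addressing(supernet: str, offices: Iterable[str],
                    hosts_per_office: int) -> Dict[str, ipaddress.IPv4Network]:
    """Carve one equally sized subnet per office out of `supernet`.

    Raises ValueError when the range cannot provide enough subnets, which is
    exactly why the current class C range (option D) fails while a single
    class B range (option C) works.
    """
    offices = list(offices)
    net = ipaddress.ip_network(supernet, strict=True)
    prefixlen = prefix_for_hosts(hosts_per_office)
    if prefixlen < net.prefixlen:
        raise ValueError(f"{net} is smaller than one /{prefixlen} office subnet")
    available = 2 ** (prefixlen - net.prefixlen)
    if available < len(offices):
        raise ValueError(f"{net} yields only {available} /{prefixlen} subnets, "
                         f"but {len(offices)} offices need one each")
    subnets = net.subnets(new_prefix=prefixlen)
    return {office: next(subnets) for office in offices}


def range_suffices(supernet: str, offices: Iterable[str], hosts_per_office: int) -> bool:
    """True if `supernet` can be subnetted to give every office its own subnet."""
    try:
        plan_addressing(supernet, offices, hosts_per_office)
        return True
    except ValueError:
        return False


def total_usable(plan: Dict[str, ipaddress.IPv4Network]) -> int:
    return sum(usable_hosts(n) for n in plan.values())


if __name__ == "__main__":
    # One private class B network (172.16.0.0/16 is an assumed choice).
    plan = plan_addressing("172.16.0.0/16", OFFICES, HOSTS_PER_OFFICE)
    for office, subnet in plan.items():
        print(f"{office:9} {subnet}  usable hosts: {usable_hosts(subnet)}")
    print("total usable:", total_usable(plan),
          "required:", len(OFFICES) * HOSTS_PER_OFFICE)
    # The existing class C range: a single /24 cannot be split into 13 /24s.
    print("class C range suffices:", range_suffices("192.168.1.0/24", OFFICES, HOSTS_PER_OFFICE))
```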
Incorrect Answers:
A: The network design requires that company IP addresses must be assigned from a single
classful private IP address range.
B: The network design requires that company IP addresses must be assigned from a single
classful private IP address range.
D: The class C network doesn’t have enough IP addresses to accommodate all the computers in
all the offices.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 2: 23-26
Question: 44
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The company has remote users in the sales
department who work from home. The remote users’ client computers run Windows XP
Professional, and they are not members of the domain. The remote users’ client computers have
local Internet access through an ISP.
Examsheets is deploying a Windows Server 2003 computer named ExamsheetsA that has
Routing and Remote Access installed. ExamsheetsA will function as a VPN server, and the
remote users will use it to connect to the company network. Confidential research data will be
transmitted from the remote users’ client computers. Security is critical to the company and
ExamsheetsA must protect the remote users’ data transmissions to the main office. The remote
client computers will use L2TP/IPSec to connect to the VPN server.
You need to choose a secure authentication method.
What should you do?
A. Use the authentication method of the default IPSec policies.
B. Create a custom IPSec policy and use the Kerberos version 5 authentication protocol.
C. Create a custom IPSec policy and use certificate-based authentication.
D. Create a custom IPSec policy and use preshared authentication.
E. Use the authentication method of the Routing and Remote Access custom IPSec policy for
L2TP connection.
Answer: C
Explanation:
The security of a VPN depends on the tunneling protocol, the authentication method and the
encryption strength applied to the connection. Windows Server 2003 supports two VPN protocols:
Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol
security (L2TP/IPSec). L2TP/IPSec provides the higher level of security; for the strongest
configuration, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec
authentication and Triple DES (3DES) encryption. If you choose PPTP instead to reduce costs and
improve manageability and interoperability, use Microsoft Challenge Handshake Authentication
Protocol version 2 (MS-CHAPv2) as the authentication protocol.
Here the remote clients are not domain members, so Kerberos is unavailable for IKE
authentication, and a preshared key is a single shared secret that is weaker than per-computer
certificates. A custom IPSec policy that authenticates with certificates issued by a CA trusted by
both the clients and ExamsheetsA satisfies the requirement.
Incorrect Answers:
A: The default IPSec policies use Kerberos version 5 as their authentication method, which the
remote clients cannot use because they are not members of the domain.
B: Kerberos version 5 authentication requires both computers to be members of the domain (or of
trusted domains); the remote users' computers are not.
D: Preshared key authentication relies on a single "password" known to the server and every client
computer. It is weaker than certificate-based authentication and is intended for testing and
interoperability, not for protecting confidential data.
E: This sounds plausible, but the "Allow custom IPSec policy for L2TP connection" setting in the
Routing and Remote Access server properties only lets you specify a preshared key, which is not
secure compared with certificate-based IPSec authentication.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, pp. 5: 8-10
Question: 45
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The domain contains four organizational units (OUs),
as shown in the work area.
The HR_Servers OU contains 10 Windows Server 2003 computers that contain confidential
human resources information. The Workstation OU contains all of the Windows XP Professional
computers in the domain. All client computers need to communicate with the human resources
servers.
The company’s written security policy requires that all network communications with the servers
that contain human resources data must be encrypted by using IPSec. Client computers must
also be able to communicate with other computers that do not support IPSec.
You create three Group Policy objects (GPOs), one for each of the three default IPSec polices.
You need to link the GPOs to the appropriate Active Directory container or containers to satisfy
the security and access requirements. You want to minimize the number of GPOs that are
processed by any computer.
What should you do?
To answer, drag the appropriate GPO or GPOs to the correct Active Directory container or
containers in the work area.
Answer:
Explanation:
The servers in the HR_Servers OU require secure communications, so link the GPO that assigns the
Secure Server (Require Security) IPSec policy to the HR_Servers OU. Link the GPO that assigns the
Client (Respond Only) IPSec policy to the Workstation OU. When a client communicates with an HR
server, the server demands IPSec and the client responds by negotiating it; when the client
communicates with a computer that does not support IPSec, it simply sends unsecured traffic. The
GPO for the Server (Request Security) policy is not linked anywhere, and linking each GPO to the
OU that needs it rather than to the domain keeps the number of GPOs processed by any computer
to one.
IPSec for high security
Computers that contain highly sensitive data are at risk of data theft and of accidental or
malicious disruption, particularly when they are reached over remote dial-up connections or any
public network.
• Client (Respond Only). This default policy contains one rule, the default response rule. The
default response rule secures communication only upon request by another computer. This policy
does not attempt to negotiate security for any other traffic.
• Secure Server (Require Security). This default policy has two rules: the default response rule
and a rule that allows the initial inbound communication request to be unsecured but requires that
all outbound communication be secured. The filter action for the second rule does not allow IKE to
fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is
discarded and the communication is blocked. This policy requires that all connections be secured
with IPSec; clients that are not IPSec-enabled cannot establish connections.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, p. 728
Question: 46
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. Client
computers run Windows 2000 Professional, Windows XP Professional, or Windows NT
Workstation 4.0.
Examsheets wants to increase the security of the communication on the network by using IPSec
as much as possible. The company does not want to upgrade the Windows NT Workstation 4.0
client computers to another operating system. The servers use a custom IPSec policy named
Domain Servers. The rules of the Domain Servers IPSec policy are shown in the exhibit.
You create a new Group Policy object (GPO) and link it to the domain. You configure the GPO to
assign the predefined IPSec policy named Client (Respond Only). After these configuration
changes, users of the Windows NT Workstation 4.0 computers report that they cannot connect to
the servers in the domain.
You want to ensure that Windows NT Workstation 4.0 client computers can connect to servers in
the domain.
What should you do?
A. Change the All IP Traffic rule in the Domain Servers IPSec policy to use a preshared key for
authentication.
B. Change the All IP Traffic rule in the Domain Servers IPSec policy to use the Request
Security (Optional) filter action.
C. Activate the default response rule for the Domain Servers IPSec policy.
D. Install the Microsoft L2TP/IPSec VPN Client software on the Windows NT Workstation 4.0
computers.
E. Install the Active Directory Client Extensions software on the Windows NT Workstation 4.0
computers.
Answer: B
Explanation:
The exhibit shows that the All IP Traffic rule of the Domain Servers policy uses the Require
Security filter action. Windows NT Workstation 4.0 has no IPSec implementation, so those clients
cannot complete an IKE negotiation and the servers discard their traffic. Changing the filter action
to Request Security (Optional) makes the servers negotiate IPSec whenever the peer supports it
(the Windows 2000 and Windows XP clients, which now have the Client (Respond Only) policy) but
fall back to unsecured communication with peers that cannot, which is as close to "IPSec as much
as possible" as you can get without upgrading the Windows NT Workstation 4.0 computers.
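The following is an added example, not code from this guide or from Microsoft: a small simulation of the negotiation outcomes described for questions 45 and 46, keyed on the IPSec policy (or filter action) each side has assigned. The policy names are the predefined Windows Server 2003 policies; the host names and the client fleet are constructed for illustration.

```python
"""Model of IPSec negotiation outcomes between two Windows hosts, keyed on the
IPSec policy (or filter action) each one has assigned.

Added example simulating the behaviour described in the explanations for
questions 45 and 46; it is not Microsoft code. Host names are constructed.
"""
from enum import Enum


class Policy(Enum):
    NONE = "no IPSec support (e.g. Windows NT Workstation 4.0)"
    CLIENT = "Client (Respond Only)"
    REQUEST = "Server (Request Security)"   # same filter action as 'Request Security (Optional)'
    REQUIRE = "Secure Server (Require Security)"


def can_run_ike(policy):
    """Only hosts with an IPSec policy can take part in an IKE negotiation."""
    return policy is not Policy.NONE


def initiates_ike(policy):
    """Request Security and Require Security start negotiations; Respond Only never does."""
    return policy in (Policy.REQUEST, Policy.REQUIRE)


def negotiate(sender, receiver):
    """Outcome for traffic from a host with policy `sender` to one with policy `receiver`.

    Returns 'secured' (IPSec negotiated), 'cleartext' (sent unsecured) or
    'blocked' (Require Security discards the traffic because IKE failed).
    """
    if not (can_run_ike(sender) and can_run_ike(receiver)):
        # One side cannot negotiate at all. Require Security never falls back to clear text.
        if Policy.REQUIRE in (sender, receiver):
            return "blocked"
        return "cleartext"
    if initiates_ike(sender) or initiates_ike(receiver):
        # One side starts IKE and the other answers via its default response rule.
        return "secured"
    # Two Respond Only hosts never start a negotiation, so traffic stays unsecured.
    return "cleartext"


def fleet_outcomes(server_policy, clients):
    """Map each client (name -> Policy) to the outcome of talking to a server."""
    return {name: negotiate(policy, server_policy) for name, policy in clients.items()}


if __name__ == "__main__":
    # Constructed hosts for the two scenarios.
    clients = {
        "XP workstation, Client (Respond Only)": Policy.CLIENT,
        "NT 4.0 workstation, no IPSec": Policy.NONE,
    }
    # Question 45: HR servers get Secure Server (Require Security).
    print("HR server, Require Security:", fleet_outcomes(Policy.REQUIRE, clients))
    # Question 46: domain servers switched to the Request Security (Optional) filter action.
    print("Domain server, Request Security:", fleet_outcomes(Policy.REQUEST, clients))
    # A Respond Only client can still reach a host with no IPSec at all.
    print("Non-IPSec host from XP client:", negotiate(Policy.CLIENT, Policy.NONE))
```

Run it and the two dictionaries show the point of both questions: with Require Security the XP client is secured and the NT 4.0 client is blocked; with Request Security the XP client is still secured and the NT 4.0 client falls back to clear text.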
Incorrect Answers:
A: The authentication method only matters once both peers can run IKE. Windows NT Workstation
4.0 has no IPSec support, so switching the rule to a preshared key does not help; it would also
weaken authentication for every other client.
C: The default response rule only responds to security requests from other computers. It does not
change the Require Security filter action of the All IP Traffic rule, so the Windows NT Workstation
4.0 computers are still blocked.
D, E: Neither adds transport-mode IPSec to Windows NT Workstation 4.0. The Microsoft
L2TP/IPSec VPN Client only secures L2TP tunnels to a VPN server, not ordinary LAN traffic to the
domain servers, and the Active Directory Client Extensions add directory features such as site
awareness and NTLMv2, not IPSec.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, pp. 728-739
Question: 47
You are a network administrator for Examsheets. The network consists of two Active Directory
forests. No trust relationships exist between the two forests. All computers in both forests are
configured to use a common root certification authority (CA).
Each forest contains a single domain. The domain named hr.Examsheets.net contains five
Windows Server 2003 computers that are used exclusively to host confidential human resources
applications and data. The domain named Examsheets.net contains all other servers and client
computers. A firewall separates the human resources servers from the other computers on the
network. Only VPN traffic from Examsheets.net to a remote access server in hr.Examsheets.net
is allowed through the firewall.
Managers need to access data on the servers in hr.Examsheets.net from their Windows XP
Professional computers. The company’s written security policy requires that all communication
containing human resources data must be secured by using the strongest IPSec encryption
available.
You need to configure an IPSec policy for the servers that host the human resources data that
complies with the written security policy and gives the managers in Examsheets.net access to the
data they need.
What should you do?
To answer, drag the appropriate configuration settings to the IPSec Policy Configuration.
Answer:
Explanation:
Kerberos cannot be used for IKE authentication because there is no trust between the two forests,
but both forests trust the same root CA, so the policy must authenticate with certificates. The rule
must cover all IP traffic, the filter action must require security (no fallback to unsecured
communication), and the security method must use 3DES, the strongest encryption Windows
Server 2003 IPSec offers, because the written policy demands it.
The security of a VPN depends on the tunneling and authentication protocols you use and the level
of encryption you apply to VPN connections. For the highest level of security, use a remote access
VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple DES (3DES)
encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve
manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol
version 2 (MS-CHAPv2) as the authentication protocol.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, p. 733
Question: 48
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The functional level of the domain is Windows Server
2003. The domain contains a Windows Server 2003 computer named Examsheets26 that is
running Routing and Remote Access.
The domain contains a universal group named Managers and a global group named Operations.
User accounts in the Managers group require remote access between the hours of 8:00 A.M. and
8:00 P.M.
User accounts in the Operations group require remote access 24 hours per day.
You configure a remote access policy on Examsheets26 named RA_Managers with the
appropriate settings for the Managers group, and you configure a second remote access policy
named RA_Operations on Examsheets26 with the appropriate settings for the Operations group.
The default remote access polices on Examsheets26 remain unmodified.
Members of the Managers group report that they can establish a remote access connection to
Examsheets26, but members of the Operations group report that they cannot establish a remote
access connection to Examsheets26.
You open the Routing and Remote Access administrative tool and note that the remote access
policies are in the order presented in the following table.

Order  Remote access policy name
1      RA_Managers
2      Connections to Microsoft Routing and Remote Access server
3      RA_Operations
4      Connections to other access servers
You need to enable the appropriate remote access for the members of the Managers and
Operations groups while restricting remote access to all other users.
What should you do?
A. Delete the Connections to other access servers policy.
B. Re-create the Operations global group as a universal group.
C. Move the Connections to Microsoft Routing and Remote Access server policy up so that it
is the first policy in the order.
D. Move the RA_Operations policy up so that it is the second policy in the order.
Answer: D
Explanation:
Remote access policies are evaluated in order, and the first policy whose conditions match the
connection attempt decides the outcome; no later policy is checked. RA_Managers is first, so
Managers connecting during their permitted hours are granted access. The default policy
Connections to Microsoft Routing and Remote Access server matches every connection made to
this RRAS server and denies access, and it sits above RA_Operations, so Operations users match
the deny policy before their own policy is ever consulted. Moving RA_Operations above that default
policy lets Operations users match it first; all other users still fall through to the default policies
and are denied.
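To make the first-match rule concrete, here is an added example (not Routing and Remote Access code, and not from this guide) that evaluates the four policies from the question in their current order and again after RA_Operations is moved to second place. It assumes the user accounts are set to "Control access through Remote Access Policy" and summarises the two unmodified default policies as matching every connection to this server and denying it.

```python
"""First-match evaluation of Windows Server 2003 remote access policies.

Added example modelling the policy-ordering behaviour in question 48; it is
not Routing and Remote Access code. Assumptions: user accounts use "Control
access through Remote Access Policy", and the two unmodified default policies
(MS-RAS-Vendor and Day-And-Time-Restrictions conditions) match every
connection to this server and deny it, summarised here as match_all.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    user: str
    groups: FrozenSet[str]
    hour: int  # hour of the attempt, 0-23


@dataclass(frozen=True)
class RemoteAccessPolicy:
    name: str
    condition: Callable[[Connection], bool]
    grant: bool  # True = grant remote access permission, False = deny


def managers_condition(c: Connection) -> bool:
    # Windows-Groups matches Managers; Day-And-Time-Restrictions 8:00 A.M. to 8:00 P.M.
    return "Managers" in c.groups and 8 <= c.hour < 20


def operations_condition(c: Connection) -> bool:
    # Windows-Groups matches Operations; any time of day.
    return "Operations" in c.groups


def match_all(c: Connection) -> bool:
    return True


def evaluate(policies: List[RemoteAccessPolicy], conn: Connection) -> Tuple[Optional[str], bool]:
    """Walk the policies in order; the first whose conditions match decides.

    No later policy is consulted. If nothing matches, RRAS rejects the attempt.
    """
    for policy in policies:
        if policy.condition(conn):
            return policy.name, policy.grant
    return None, False


def order_from_question() -> List[RemoteAccessPolicy]:
    return [
        RemoteAccessPolicy("RA_Managers", managers_condition, True),
        RemoteAccessPolicy("Connections to Microsoft Routing and Remote Access server", match_all, False),
        RemoteAccessPolicy("RA_Operations", operations_condition, True),
        RemoteAccessPolicy("Connections to other access servers", match_all, False),
    ]


def move_to(policies: List[RemoteAccessPolicy], name: str, position: int) -> List[RemoteAccessPolicy]:
    """Return a new ordering with policy `name` at 1-based `position` (the Move Up action)."""
    target = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    rest.insert(position - 1, target)
    return rest


if __name__ == "__main__":
    attempts = [
        Connection("ops1", frozenset({"Operations"}), 3),
        Connection("mgr1", frozenset({"Managers"}), 12),
        Connection("mgr1", frozenset({"Managers"}), 23),
        Connection("guest", frozenset({"Domain Users"}), 12),
    ]
    before = order_from_question()
    after = move_to(before, "RA_Operations", 2)
    for label, policies in (("before", before), ("after", after)):
        for conn in attempts:
            print(label, conn.user, f"{conn.hour:02d}:00", "->", evaluate(policies, conn))
```

Before the move, the Operations user at 03:00 matches the default deny policy in slot 2; after the move the same attempt matches RA_Operations, while a Manager outside 8:00 A.M. to 8:00 P.M. and a user in neither group still hit the default deny.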
Incorrect Answers:
A: The Connections to other access servers policy is fourth and is never reached by the Operations
users; it is the second policy, Connections to Microsoft Routing and Remote Access server, that is
denying them. Deleting the fourth policy would also remove a default deny that helps restrict all
other users.
B: The Windows-Groups condition accepts a global group as readily as a universal group. The
group type is not the problem, and changing it won't help.
C: Moving the default deny policy to the top would make every connection, including the Managers',
match it first and be denied. RA_Operations must be moved above the default policy, not the other
way round.
Reference:
J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.
Question: 49
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. Examsheets’s
main office is in Boston, and it has branch offices in Washington and Los Alamos. The company
has no immediate plans to expand or relocate the offices.
The company wants to connect the office networks by using a frame relay WAN connection and
Routing and Remote Access servers that are configured with frame relay WAN adapters.
Computers in each office will be configured to use their local Routing and Remote Access server
as a default gateway.
You are planning the routing configuration for the Routing and Remote Access servers.
You need to allow computers in Boston, Washington, and Los Alamos to connect to computers in
any office. You want to minimize routing traffic on the WAN connection.
What should you do?
A. At each office, add the OSPF routing protocol to Routing and Remote Access, add the WAN
adapter to the OSPF routing protocol, and deploy OSPF as a single-area internetwork.
B. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and
configure the WAN adapter to use RIP version 2.
Configure the outgoing packet protocol as RIP version 2 broadcast and the incoming packet
protocol as RIP version 1 and 2.
C. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and
configure the WAN adapter to use RIP version 2.
Configure the outgoing packet protocol as RIP version 2 multicast and the incoming packet
protocol as RIP version 2 only.
D. At each office, configure the Routing and Remote Access server with static routes to the local
networks at the other two offices.
Answer: D
Explanation:
We need to configure the routers to route traffic between the offices. With only three offices, each
Routing and Remote Access server needs just two static routes, one to each remote office's
network, pointing out of the frame relay WAN adapter. Once the routing tables hold these static
routes the offices can reach each other, and no routing information is sent over the WAN links,
which is why this is preferable to a dynamic routing protocol such as RIP or OSPF. Because the
company has no plans to expand or relocate, maintaining static routes by hand is not a burden.
Incorrect Answers:
A, B, C: OSPF and both RIP configurations exchange periodic routing updates or link-state
advertisements across the WAN connection. With a simple, stable three-office network a routing
protocol is unnecessary; static routes suffice and generate no routing traffic.
Reference:
J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure.
Question: 50
You are a network administrator for Examsheets. The company has a main office and one branch
office.
The network consists of a single Active Directory domain named Examsheets.net. All servers run
Windows Server 2003.
The company needs to connect the main office network and the branch office network by using
RRAS servers at each office. The networks will be connected by a VPN connection over the
Internet.
The company's written security policy includes the following requirements for VPN connections
over the Internet:
• All data must be encrypted with end-to-end encryption.
• VPN connection authentication must be at the computer level.
• Credential information must not be transmitted over the Internet as part of the
authentication process.
You need to configure security for VPN connections between the main office and the branch
office. You need to comply with the written policy.
What should you do?
A. Use a PPTP connection with EAP-TLS authentication.
B. Use a PPTP connection with MS-CHAP v2 authentication.
C. Use an L2TP connection with EAP-TLS authentication.
D. Use an L2TP connection with MS-CHAP v2 authentication.
Answer: C
Explanation:
Strictly speaking, this answer is incomplete because it does not mention IPSec. Computer-level
authentication is only available with L2TP/IPSec connections. To establish an IPSec security
association, the VPN client and the VPN server use the Internet Key Exchange (IKE) protocol to
exchange either computer certificates or a preshared key; in either case the VPN client and server
authenticate each other at the computer level. Computer certificate authentication is highly
recommended because it is a much stronger authentication method. The user-level authentication
that follows over PPP must then be EAP-TLS, which authenticates with a user certificate and so
transmits no password-derived credential over the Internet.
Incorrect Answers:
A: PPTP only provides user-level authentication over PPP. The question requires computer-level
authentication, which only L2TP/IPSec offers.
B: PPTP only provides user-level authentication over PPP, and MS-CHAP v2 additionally sends a
challenge/response derived from the user's password over the Internet.
D: L2TP/IPSec meets the computer-level requirement, but MS-CHAP v2 is a password-based
protocol whose challenge/response is derived from the user's password and transmitted as part of
authentication. EAP-TLS authenticates the user with a certificate, so no password-based credential
crosses the Internet.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter,
Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide
& DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 591, 594-595
Question: 51
You are the systems engineer for Examsheets. Examsheets has 20,000 users in a large campus
environment located in London. Each department in the company is located in its own building.
Each department has its own IT staff.
The company’s network is divided into several IP subnets that are connected to one another by
using dedicated routers. Each building on the company’s main campus contains at least one
subnet, and possibly up to five subnets. Each building has at least one router. All routers use RIP
v2 broadcasts.
A new office in Dortmund has 25 users. Dortmund is connected to the main office with a Frame
Relay line. Dortmund installs a server with RRAS and implements RIP v2.
Later the Dortmund admin reports that his router is not receiving routing table updates from the
routers at the main office. He must manually add routing entries to the routing table to enable
connectivity between the locations. You investigate and discover that the RIPv2 broadcasts are
not being received at the Dortmund office. You also discover that no routing table
announcements from the Dortmund office are being received at the main office.
You need to ensure that the network in the Dortmund office can communicate with the main
campus network and can send and receive automatic routing table updates as network conditions
change.
What should you do to the router in the Dortmund office?
A. Configure the router to use RIPv1 broadcasts
B. Configure the router to use auto-static update mode
C. Add the IP address ranges of the main campus network to the router's accept list and
announce list.
D. Add the IP addresses of the main campus routers to the router's neighbor list.
Answer: D
Explanation:
RIP v2 broadcast and multicast announcements are only delivered on broadcast media such as
Ethernet. Frame Relay is a non-broadcast multiple-access (NBMA) network, so the RIP v2
broadcasts from the main campus never reach Dortmund and Dortmund's broadcast
announcements never reach the main campus; the routers on either side of the link never learn
each other's routes, which is why the Dortmund administrator has had to add routes by hand. The
RIP interface properties in Routing and Remote Access include a Neighbors tab on which you list
the IP addresses of specific routers; announcements are then sent to those routers as unicast
packets, which do traverse the Frame Relay link. Adding the main campus routers to the Dortmund
router's neighbor list restores automatic routing table updates across the WAN.
Incorrect answers:
A: RIP v1 broadcasts are not propagated across the Frame Relay link any more than RIP v2
broadcasts are, so Dortmund would still send and receive no routing table announcements.
B: When an interface uses auto-static update mode, the router sends a request to other routers on
demand and stores the routes it learns as auto-static routes, which persist across restarts. This
replaces periodic updates with updates triggered manually or on a schedule; it does not provide
the automatic updates as network conditions change that the question requires.
C: The accept and announce lists only filter which routes are accepted or announced; they do not
change how announcements are delivered. Because the problem is that broadcasts do not cross
the Frame Relay link, the main campus routers must be added to the router's neighbor list.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 2:14
Question: 52
You are a network administrator for Examsheets. The network contains a Windows Server 2003
application server named ExamsheetsSrv. ExamsheetsSrv has one processor. ExamsheetsSrv
has been running for several weeks.
You add a new application to ExamsheetsSrv. Users now report intermittent poor performance on
ExamsheetsSrv. You configure System Monitor and track the performance of ExamsheetsSrv for
two hours. You obtain the performance metrics that are summarized in the exhibit.
The values of the performance metrics are consistent over time.
You need to identify the bottleneck on ExamsheetsSrv and upgrade the necessary component.
You need to minimize hardware upgrades.
What should you do?
A. Install a faster CPU in ExamsheetsSrv.
B. Add more RAM to ExamsheetsSrv.
C. Add additional disks and spread the disk I/O over the new disks.
D. Increase the size of the paging file.
Answer: C
Explanation:
The threshold for PhysicalDisk\% Disk Time is 90 percent and the exhibit shows a value of 93.610
percent, so the disk is busy servicing requests more than nine-tenths of the time. The disk
subsystem cannot keep up with the I/O the new application generates; adding disks and spreading
the I/O across them relieves the bottleneck with the smallest hardware change.
Incorrect Answers:
A: The CPU is operating below its threshold, so a faster processor would not remove the bottleneck.
B, D: Memory pressure can drive up disk activity through paging, but nothing in the exhibit points at
memory; the counter that exceeds its threshold is PhysicalDisk\% Disk Time. Adding RAM or
enlarging the paging file would not reduce the application's disk I/O.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, pp. 6: 25-28
Question: 53
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All computers on the network are members of the
domain.
You administer a three-node Network Load Balancing cluster. Each cluster node runs Windows
Server 2003 and has a single network adapter. The cluster has converged successfully.
You notice that the nodes in the cluster run at almost full capacity most of the time. You want to
add a fourth node to the cluster. You enable and configure Network Load Balancing on the fourth
node.
However, the cluster does not converge to a four-node cluster. In the System log on the existing
three nodes, you find the exact same TCP/IP error event. The event has the following description:
“The system detected an address conflict for IP address 10.50.8.70 with the system having
network hardware address 02:BF:0A:32:08:46.”
In the System log on the new fourth node, you find a similar TCP/error event with the following
description: “The system detected an address conflict for IP address 10.50.8.70 with the system
having network hardware address 03:BF:0A:32:08:46.” Only the hardware address is different in
the two descriptions.
You verify that IP address 10.50.8.70 is configured as the cluster IP address on all four nodes.
You want to configure a four-node Network Load Balancing cluster.
What should you do?
A. Configure the fourth node to use multicast mode.
B. Remove 10.50.8.70 from the Network Connections Properties of the fourth node.
C. On the fourth node, run the nlb.exe resume command.
D. On the fourth node, run the wlbs.exe reload command.
Answer: A
Explanation:
All nodes in a Network Load Balancing cluster must use the same cluster operation mode, unicast
or multicast. The mode determines the cluster MAC address: in unicast mode the adapter's MAC
address is replaced by 02-BF-w-x-y-z, and in multicast mode the cluster MAC address is
03-BF-w-x-y-z, where w.x.y.z is the cluster IP address. The cluster IP address 10.50.8.70 is
0A.32.08.46 in hexadecimal, which is exactly the tail of both hardware addresses in the events. The
three existing nodes report the conflicting system as 02:BF:0A:32:08:46, so the system they are
conflicting with, the new fourth node, is running in unicast mode; the fourth node reports the others
as 03:BF:0A:32:08:46, so the existing nodes are running in multicast mode. A node in the wrong
mode answers ARP for the cluster IP address with a different MAC address, which the other hosts
log as an IP address conflict, and the cluster cannot converge. Configuring the fourth node for
multicast mode, matching the existing nodes, resolves the conflict. Multicast is also the sensible
mode for single-adapter nodes, because in unicast mode nodes that share one adapter cannot
communicate with each other.
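As an added example (not from this guide or from Microsoft), the following derives the NLB cluster MAC addresses from the cluster IP address and reads the mode of the conflicting peer out of the two event descriptions quoted in the question. It relies only on the documented convention that the unicast cluster MAC is 02-BF-w-x-y-z and the multicast cluster MAC is 03-BF-w-x-y-z.

```python
"""Derive Network Load Balancing cluster MAC addresses from the cluster IP
address and use them to read the operation mode of the conflicting peer out
of a TCP/IP address-conflict event.

Added example, not Microsoft code. It relies on the documented NLB
convention that the unicast cluster MAC is 02-BF-w-x-y-z and the multicast
cluster MAC is 03-BF-w-x-y-z, where w.x.y.z is the cluster IP address. The
event descriptions below are the two quoted in question 53.
"""
import ipaddress
import re

MODE_PREFIX = {"unicast": "02-BF", "multicast": "03-BF"}

MAC_RE = re.compile(r"hardware address ([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")


def nlb_cluster_mac(cluster_ip: str, mode: str) -> str:
    """Cluster MAC for `mode`, e.g. nlb_cluster_mac('10.50.8.70', 'unicast')."""
    octets = ipaddress.IPv4Address(cluster_ip).packed
    return MODE_PREFIX[mode] + "-" + "-".join(f"{b:02X}" for b in octets)


def peer_mode_from_event(description: str, cluster_ip: str):
    """Mode of the *other* system named in an address-conflict event.

    Returns 'unicast', 'multicast', or None when the reported MAC is not an
    NLB cluster MAC for cluster_ip (which points at an ordinary duplicate
    address rather than a mode mismatch).
    """
    match = MAC_RE.search(description)
    if not match:
        return None
    mac = match.group(1).upper().replace(":", "-")
    for mode in MODE_PREFIX:
        if mac == nlb_cluster_mac(cluster_ip, mode):
            return mode
    return None


def diagnose(existing_node_event: str, new_node_event: str, cluster_ip: str) -> str:
    """Say which mode the new node must be switched to.

    The event logged on the existing nodes names the new node's MAC, and the
    event logged on the new node names the existing nodes' MAC.
    """
    new_node_mode = peer_mode_from_event(existing_node_event, cluster_ip)
    existing_mode = peer_mode_from_event(new_node_event, cluster_ip)
    if new_node_mode is None or existing_mode is None:
        return "not an NLB mode mismatch; look for another host using " + cluster_ip
    if new_node_mode == existing_mode:
        return "all nodes run " + existing_mode + "; the conflict has another cause"
    return f"new node runs {new_node_mode}; switch it to {existing_mode} to match the existing nodes"


if __name__ == "__main__":
    CLUSTER_IP = "10.50.8.70"
    ON_EXISTING_NODES = ("The system detected an address conflict for IP address 10.50.8.70 "
                         "with the system having network hardware address 02:BF:0A:32:08:46.")
    ON_NEW_NODE = ("The system detected an address conflict for IP address 10.50.8.70 "
                   "with the system having network hardware address 03:BF:0A:32:08:46.")
    print("unicast   MAC:", nlb_cluster_mac(CLUSTER_IP, "unicast"))
    print("multicast MAC:", nlb_cluster_mac(CLUSTER_IP, "multicast"))
    print(diagnose(ON_EXISTING_NODES, ON_NEW_NODE, CLUSTER_IP))
```

The diagnosis reads "new node runs unicast; switch it to multicast to match the existing nodes", which is answer A. A MAC address that matches neither derived value means the conflict is a genuine duplicate IP address somewhere else on the subnet, not a mode mismatch.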
Incorrect Answers:
B: The cluster IP address must be present in the TCP/IP properties of the adapter on every node;
removing it from the fourth node would simply take that node out of the cluster, and the mode
mismatch would remain.
C: The resume command only resumes cluster-control operations on a cluster that was previously
suspended; it does not change the cluster operation mode.
D: The reload command reloads the NLB parameters from the registry on the node, but those
parameters still specify unicast, so reloading them changes nothing. (wlbs.exe is retained in
Windows Server 2003 only for compatibility with the Windows NT 4.0 and Windows 2000 command
name; nlb.exe is the current tool and accepts the same commands.)
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter,
Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide
& DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 689
http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx
Question: 54
You are a network administrator for Examsheets. The network contains four Windows Server
2003 computers configured as a four-node server cluster.
The cluster uses drive Q for the quorum resource. You receive a critical warning that both drives
of the mirrored volume that are dedicated to the quorum disk have failed.
You want to bring the cluster and all nodes back into operation as soon as possible.
Which four actions should you take to achieve this goal?
To answer, drag the action that you should perform first to the First Action box. Continue dragging
actions to the corresponding numbered boxes until you list all four required actions in the correct
order.
Answer:
Explanation:
To recover from a corrupted quorum log or quorum disk:
1. If the Cluster service is running, open Computer Management.
2. In the console tree, double-click Services and Applications, and then click Services.
3. In the details pane, click Cluster Service.
4. On the Action menu, click Stop.
5. Repeat steps 1 to 4 for all nodes.
6. If you have a backup of the quorum log, restore the log by following the instructions in "Backing
up and restoring server clusters" in Related Topics.
7. If you do not have a backup, select any given node. Make sure that Cluster Service is highlighted
in the details pane, and then on the Action menu, click Properties. Under Service status, in Start
parameters, specify /fixquorum, and then click Start.
8. Switch from the problematic quorum disk to another quorum resource. For more information, see
"To use a different disk for the quorum resource" in Related Topics.
9. In Cluster Administrator, bring the new quorum resource disk online. For information on how to
do this, see "To bring a resource online" in Related Topics.
10. Run Chkdsk, using the switches /f and /r, on the quorum resource disk to determine whether
the disk is corrupted. For more information on running Chkdsk, see "Chkdsk" in Related Topics. If
no corruption is detected on the disk, it is likely that the log was corrupted. Proceed to step 12.
11. If corruption is detected, check the System Log in Event Viewer for possible hardware errors.
Resolve any hardware errors before continuing.
12. Stop the Cluster service after Chkdsk is complete, following the instructions in steps 1 to 4.
13. Make sure that Cluster Service is highlighted in the details pane. On the Action menu, click
Properties. Under Service status, in Start parameters, specify /resetquorumlog, and then click
Start. This restores the quorum log from the node's local database.
Important
• The Cluster service must be started by clicking Start on the service control panel. You cannot
click OK or Apply to commit these changes, as this does not preserve the /resetquorumlog
parameter.
14. Restart the Cluster service on all other nodes.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 38
Question: 55
You are a network administrator for Examsheets. The network contains a perimeter network. The
perimeter network contains four Windows Server 2003, Web Edition computers that are
configured as a Network Load Balancing cluster.
The cluster hosts an e-commerce Web site that must be available 24 hours per day. The cluster
is located in a physically secure data center and uses an Internet-addressable virtual IP address.
All servers in the cluster are configured with the Hisecws.inf template.
You need to implement protective measures against the cluster’s most significant security
vulnerability.
What should you do?
A. Use Encrypting File System (EFS) for all files that contain confidential data stored on the
cluster.
B. Use packet filtering on all inbound traffic to the cluster.
C. Use Security Configuration and Analysis regularly to compare the security settings on all
servers in the cluster with the baseline settings.
D. Use intrusion detection on the perimeter network.
Answer: B
Explanation:
The most exposed element in this case is the network interface that uses an Internet-addressable
virtual IP address. The question does not mention a firewall implementation or an intrusion
detection system (usually hardware). Therefore, we should set up packet filtering.
You can configure packet filtering to accept or deny specific types of packets. Packet headers are
examined for source and destination addresses, TCP and UDP port numbers, and other
information.
Incorrect Answers:
A: EFS cannot be used on cluster storage.
C: Security Configuration and Analysis enables you to work with security templates in a
database, where you can analyze them before applying them to your computers.
D: IDS will (if properly maintained and updated with new signatures) look for certain activity on
the network and check this against a signature database it carries. If a match occurs, then an
alert is sent to an administrator or logged.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 5
Question: 56
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The network contains an application server running
Windows Server 2003.
Users report intermittent slow performance when they access the application server throughout
the day.
You find out that the network interface on the application server is being heavily used during the
periods of slow performance. You suspect that a single computer is causing the problem.
You need to create a plan to identify the problem computer.
What should you do?
A. Monitor the performance monitor counters on the application server by using System Monitor.
B. Monitor the network traffic on the application server by using Network Monitor.
C. Monitor network statistics on the application server by using Task Manager.
D. Run network diagnostics on the application server by using Network Diagnostics.
Answer: B
Explanation:
Network Monitor Capture Utility
Network Monitor Capture Utility (Netcap.exe) is a command-line Support Tool that allows a
system administrator to monitor network packets and save the information to a capture (.cap) file.
You can use information gathered by using Network Monitor Capture Utility to analyze network
use patterns and diagnose specific network problems.
This command-line tool allows a system administrator to monitor packets on a LAN and write the
information to a log file. NetCap uses the Network Monitor Driver to sniff packets on local network
segments.
Network Monitor
Network Monitor captures network traffic information and gives detailed information about the
frames being sent and received. This tool can help you analyze complex patterns of network
traffic. Network Monitor can help you view the header information included in HTTP and FTP
requests. Generally, you need to design a capture filter, which functions like a database query
and singles out a subset of the frames being
transmitted. You can also use a capture trigger that responds to events on your network by
initiating an action, such as starting an executable file. An abbreviated version of Network Monitor
is included with members of the Windows Server 2003 family. A complete version of Network
Monitor is included with Microsoft Systems Management Server.
Incorrect Answers:
A: System Monitor allows you to monitor real-time performance statistics.
C: Task Manager is used to view real-time performance data surrounding processes and
applications.
D: Network Diagnostics is a graphical troubleshooting tool, built into the Windows Server 2003
interface that provides detailed information about a local computer’s networking configuration.
References:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, pp. 6: 7-12
J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, Chapters 3 and 6.
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing
and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond,
Washington, 2004, Chapter 12.
Question: 57
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All domain controllers and member servers run
Windows Server 2003, Enterprise Edition. All client computers run Windows XP Professional.
Examsheets has one main office and one branch office. The two offices are connected to a T1
WAN connection. There is a hardware router at each end of the connection. The main office
contains 10,000 client computers, and the branch office contains 5,000 client computers.
You need to use DHCP to provide IP addresses to the Windows XP Professional computers in
both offices. You need to minimize network configuration traffic on the WAN connection. Your
solution needs to prevent any component involved in the DHCP architecture from becoming a
single point of failure.
What should you do?
A. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster.
Configure the branch office router as a DHCP relay agent.
B. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster.
At the branch office, configure a Windows Server 2003 computer as a DHCP relay agent.
C. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster.
At the branch office, configure two Windows Server 2003 computers as a DHCP server cluster.
D. At the main office, configure two Windows Server 2003 computers as DHCP servers.
Configure one DHCP server to handle 80 percent of the IP address scope and the other DHCP
server to handle 20 percent.
Configure the branch office router as a DHCP relay agent.
Answer: C
Explanation:
The best fault tolerant solution here would be to implement a DHCP server cluster in each office.
The Windows Server 2003 DHCP Server service is a cluster-aware application, which is an
application that can run on a cluster node and that can be managed as a cluster resource. These
applications use the Cluster API to receive status and notification information from the server
cluster. You can implement additional DHCP (or MADCAP) server reliability by deploying a DHCP
server cluster using the Cluster service. This service is the essential software component that
controls all aspects of server cluster operation and manages the cluster database. Each node in a
server cluster runs one instance of the Cluster service provided with Windows Server 2003,
Enterprise Edition. By using clustering support for DHCP, you can implement a local method of
DHCP server failover, achieving greater fault tolerance. You can also enhance fault tolerance by
combining DHCP server clustering with a remote failover configuration, such as by using a split
scope configuration.
Another way to implement DHCP remote failover is to deploy two DHCP servers in the same
network that share a split scope configuration based on the 80/20 rule.
Incorrect Answers:
A: The branch office router would be a single point of failure in this solution.
B: The server hosting the DHCP relay agent would be a single point of failure in this solution.
D: The branch office router would be a single point of failure in this solution.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 2
Question: 58
You are a network administrator for Examsheets. You install Windows Server 2003 on two
servers named Examsheets1 and Examsheets2. You configure Examsheets1 and Examsheets2
as a two-node cluster.
You configure a custom application on the cluster by using the Generic Application resource, and
you put all resources in the Application group. You test the cluster and verify that it fails over
properly and that you can move the Application group from one node to the other and back again.
The application and the cluster run successfully for several weeks. Users then report that they
cannot access the application. You investigate and discover that Examsheets1 and Examsheets2
are running but the Application group is in a failed state.
You restart the Cluster service and attempt to bring the Application group online on
Examsheets1. The Application group fails. You discover that Examsheets1 fails, restarts
automatically, and fails again soon after restarting. Examsheets1 continues to fail and restart until
the Application group reports that it is in a failed state and stops attempting to bring itself back
online.
You need to configure the Application group to remain on Examsheets2 while you research the
problem on Examsheets1.
What should you do?
A. On Examsheets2, configure the failover threshold to 0.
B. On Examsheets2, configure the failover period to 0.
C. Remove Examsheets1 from the Possible owners list.
D. Remove Examsheets1 from the Preferred owners list.
Answer: C
Explanation:
We don’t want the Application group to move to Examsheets1; we want the Application group to
remain on Examsheets2. We can do this by removing Examsheets1 from the Possible owners list.
A, B: The question states that failover occurred properly.
D: The order of failover is defined by the order the nodes appear in the Preferred Owner list. The
default node for the application is listed first. A failover will attempt to move the cluster group to
each node on the list, in order, until the group successfully starts. Thus you should not remove
Examsheets1 from the preferred owners list.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 2-7
http://download.microsoft.com/download/7/6/f/76f3db2f-6f43-4624-bfdeff731e3c1f96/GDClusters.doc
Question: 59
You are a network administrator for Examsheets. The network contains two Windows Server
2003 computers named ExamsheetsA and ExamsheetsB. These servers host an intranet
application. Currently, 40 users connect to ExamsheetsA and 44 users connect to ExamsheetsB.
The company is adding 35 employees who will need access to the intranet application. Testing
shows that each server is capable of supporting approximately 50 users without adversely
affecting the performance of the application.
You need to provide a solution for supporting the additional 35 employees. The solution must
include providing server fault tolerance. You need to minimize the costs and administrative effort
required by your solution.
You add a new server named ExamsheetsC to the network and install the intranet application on
ExamsheetsC.
What else should you do?
A. Use Network Load Balancing Manager to configure ExamsheetsA, ExamsheetsB, and
ExamsheetsC as a Network Load Balancing cluster.
B. Use Cluster Administrator to configure ExamsheetsA, ExamsheetsB, and ExamsheetsC as a
three-node server cluster.
Use the Majority Node Set option.
Configure the cluster so that all three nodes are active.
C. Use Cluster Administrator to configure ExamsheetsA, ExamsheetsB, and ExamsheetsC as a
three-node server cluster.
Configure the cluster so that two nodes are active and one node is a hot standby node.
D. Use DNS load balancing to utilize all three servers by using the same virtual server name.
Answer: A
Explanation:
We can use Network Load Balancing to balance the load on the three web servers.
Clustering allows you to combine application servers to provide a level of scaling, availability, or
security that is not possible with an individual server. Network Load Balancing distributes
incoming client requests among the servers in the cluster to more evenly balance the workload of
each server and prevent overload on any one server. To client computers, the Network Load
Balancing cluster appears as a single server that is highly scalable and fault tolerant. The
Network Load Balancing deployment process assumes that your design team has
completed the design of the Network Load Balancing solution for your organization and has
performed limited testing in a lab. After the design team tests the design in the lab, your
deployment team implements the Network Load Balancing solution first in a pilot environment and
then in your production environment. Upon completing the deployment process presented here,
your Network Load Balancing solution (the Network Load Balancing cluster and the applications
and services running on the cluster) will be in place. For more information about the procedures
for deploying Network Load Balancing on individual servers, see the appropriate Network Load
Balancing topics in Help and Support Center for Windows Server 2003.
Incorrect Answers:
B: We already have three servers. A cluster would require different hardware and would thus be
more expensive.
C: We already have three servers. A cluster would require different hardware and would thus be
more expensive.
D: Round Robin DNS would load balance the servers, but if one server failed, clients would still
be directed to the failed server.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, pp. 7: 15-17
Question: 60
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The Active Directory database contains 500 MB of
information.
Examsheets has its main office in Moscow and a branch office in Minsk. The two offices are
connected by a 56-Kbps WAN connection that is used only for Active Directory replication. The
Moscow office has 450 users, and the Minsk office has 15 users.
The Minsk office has a single Windows Server 2003 domain controller and two Windows Server
2003 file and print servers. The hard disk containing the operating system on the domain
controller in Minsk fails and cannot be recovered.
You need to re-establish a domain controller that contains a current copy of Active Directory in
the Minsk office. You need to achieve this goal as quickly as possible.
What should you do?
A. Replace the hard disk on the domain controller.
Install Windows Server 2003 on the domain controller.
Install Active Directory from restored backup files.
B. Install Active Directory on a file and print server.
Force replication.
C. Install Active Directory on a file and print server from restored backup files.
D. Replace the hard disk on the domain controller.
Install Windows Server 2003 on the domain controller.
Force replication.
Answer: C
Explanation:
We need to re-establish a domain controller in the Minsk office as quickly as possible.
Therefore, we should install Active Directory from restored backup files. Answer A is the
recommended answer, but answer C is quicker.
We can use the new dcpromo /adv command to promote the DC from a backup of the system
state data of an existing domain controller.
The /adv switch is only necessary when you want to create a domain controller from restored
backup files. It is not required when creating an additional domain controller over the network.
For additional domain controllers in an existing domain, you have the option of using the install
from media feature, which is new in Windows Server 2003. Install from media allows you to prepopulate Active Directory with System State data backed up from an existing domain controller.
This backup can be present on local CD, DVD, or hard disk partition.
Installing from media drastically reduces the time required to install directory information by
reducing the amount of data that is replicated over the network. Installing from media is most
beneficial in large domains or for installing new domain controllers that are connected by a slow
network link.
Incorrect Answers:
A: This would work but answer C is quicker.
B: We don’t want to replicate a 500 MB Active Directory database over a 56-Kbps WAN link.
D: We don’t want to replicate a 500 MB Active Directory database over a 56-Kbps WAN link.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27
Question: 61
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain that contains only one domain controller. The domain controller is named
ExamsheetsSrvA. The domain contains only one site named Valencia.
You are adding a new site named Barcelona. You need to promote an existing Windows Server
2003 member server named ExamsheetsSrvB to be an additional domain controller of the
domain. A 56-Kbps WAN connection connects the Valencia and Barcelona sites.
You need to install ExamsheetsSrvB as a new domain controller on the Barcelona site. You need
to minimize the use of the WAN connection during this process.
What should you do?
A. Set the site link cost between the Valencia and Barcelona sites to 50.
Promote ExamsheetsSrvB to be an additional domain controller in the Barcelona site.
B. Restore the backup files from the system state data on ExamsheetsSrvA to a folder on
ExamsheetsSrvB and install Active Directory by running the dcpromo /adv command.
C. Promote ExamsheetsSrvB to be an additional domain controller by running the dcpromo
command over the network.
D. Promote ExamsheetsSrvB to be an additional domain controller by using an unattended
installation file.
Answer: B
Explanation:
We want to minimize the use of the WAN link. We can use the new dcpromo /adv command to
promote the DC from a backup of the system state data of an existing domain controller.
Installing from media drastically reduces the time required to install directory information by
reducing the amount of data that is replicated over the network. Installing from media is most
beneficial in large domains or for installing new domain controllers that are connected by a slow
network link. To use the install from media feature, you first create a backup of System State from
the existing domain controller, then restore it to the new domain controller by using the Restore
to: Alternate location option. In this scenario, we can restore the system state data to a member
server, then use that restored system state data to promote a member server to a domain
controller.
Incorrect Answers:
A: Site link costs are a mechanism for controlling replication traffic. In this scenario we need to
install Active Directory, not control Active Directory replication.
C: Running the dcpromo command over the network will result in large amounts of traffic across
the WAN link. We want to reduce this.
D: We could promote ExamsheetsSrvB to a domain controller by using an unattended installation;
however, its Active Directory would still need to be synchronized with the Active Directory on
ExamsheetsSrvA over the network. This synchronization would result in WAN traffic that can be
reduced by installing Active Directory from a backup.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2: 26-28.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter,
Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide
& DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 294-296, 298-300.
Question: 62
You are a network administrator for Examsheets. The network consists of single Active Directory
forest that contains two domains and four sites. All servers run Windows Server 2003. You are
responsible for administering domain controllers in one site. Your site contains four domain
controllers. The hard disk that contains the Active Directory database fails on a domain controller
named EXAMSHEETS2.
You replace the failed disk.
You need to recover EXAMSHEETS2. You need to achieve this goal without affecting existing
Active Directory data.
What should you do?
A. Perform a nonauthoritative restoration of the Active Directory database.
B. Perform an authoritative restoration of the Active Directory database.
C. Use the Ntdsutil utility to run the semantic database analysis command.
D. Use the Ntdsutil utility to run the restore subtree command.
Answer: A
Explanation:
You have four domain controllers in your site. You can simply perform a non-authoritative restore
of the Active Directory database. Any changes to the Active Directory database since the data
was backed up will be replicated from another domain controller.
Incorrect Answers:
B: This is not necessary. This will overwrite the Active Directory database on the other domain
controllers.
The other domain controllers will have the most recent copies of the Active Directory
database. These changes can be replicated to the failed machine.
C: You can use this process to generate reports on the number of records present in the Active
Directory database, including deleted and phantom records. It is not used to restore the Active
Directory database.
D: We need to restore the entire Active Directory database, not just a subtree of it.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 3: 44-48
Question: 63
You are the network administrator for Examsheets. You need to test a new application.
The application requires 2 processors and 2 GB of RAM. The application also requires shared
folders and installation of software on client computers.
You install the application on a Windows Server 2003 Web Edition computer and install the
application on 20 test client computers.
You then discover that only some of the client computers can connect and run the application.
You turn off some of the client computers and discover that the computers that previously failed
to open the application can now run it. You need to identify the cause of the failure and update
your test plan.
What should you do?
A. Increase the maximum number of worker processes to 20 for the default application pool.
B. Use Add/Remove Programs to add the Application Server Windows component.
C. Change the application pool identity to Local Service for the default application pool.
D. Change the test server operating system to Windows Server 2003 Standard Edition or Enterprise Edition.
Answer: D
Explanation:
Although Windows Server 2003 Web Edition supports up to 2 GB of RAM, it reserves 1 GB of it for
the operating system; only 1 GB of RAM is available for the application. Therefore, we need to
install Windows Server 2003 Standard Edition or Enterprise Edition to support enough RAM.
Incorrect Answers:
A, C: The application requires 2 GB of RAM; however, Windows Server 2003 Web Edition
reserves 1 GB for the operating system, so only 1 GB of RAM is available for the application.
Changing the application pool settings will therefore not resolve this problem.
B: The application server component includes IIS and ASP. These would be part of the default
installation on a Web Server.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 28
Question: 64
You are the systems engineer for Contoso, Ltd. The network consists of a single Active Directory
domain named Contoso.net. All servers run Windows Server 2003. All client computers run
Windows XP Professional.
The servers on the network are located in a physically secured room, which is located in a central
data center building on the company campus. All servers have the Recovery Console installed
and support firmware-based console redirection by means of their serial ports, which are
connected to a terminal concentrator. The terminal concentrator is connected to the company
network by means of a standard LAN connection.
It is required that all servers can be managed remotely. All IT staff in the company can establish
connections to the servers by means of either a Remote Desktop connection or the Windows
Server 2003 Administration Tools, which are installed locally on their client computers.
Company management now requires that several servers that have high-availability requirements
must also be remotely managed in the event of system failures and when the Recovery Console
is used.
Company management also requires that these servers can be remotely managed when the
servers are slow or are not responding to normal network requests. You need to plan a remote
management solution that complies with the new requirements. What should you do?
A. On each highly available server, enable Emergency Management Services by adding the
Redirect=COM1 and /redirect parameters to the Boot.ini file on each server and the
EMSPort=COM1 and EMSBaudRate=9600 parameters to the Winnt.sif file on each server.
B. On each highly available server, configure the Telnet service with a startup parameter of
Automatic. Set the number of maximum Telnet connections to match the number of
administrators in the company. Add the administrator’s user accounts to the Telnet Clients
security group.
C. Install IIS on each highly available server. Select the Remote Administration (HTML) check
box in the properties for the World Wide Web Service. Add the administrator’s user accounts
to the HelpServicesGroup security group.
D. Use the netsh command to create an offline configuration script that contains the network
parameters for out-of-band remote management. Copy this script to the C:\Cmdcons folder on
each highly available server.
Answer: A
Explanation:
With Emergency Management Services, combined with the appropriate hardware, you can
perform remote management and system recovery tasks, even when the server is not available
through the standard remote administration tools and mechanisms.
To enable Emergency Management Services after setting up a Windows Server 2003 operating
system, you must edit the Boot.ini file to enable Windows loader console redirection and Special
Administration Console (SAC). The Boot.ini file controls startup; it is located on the system
partition root.
Incorrect answers:
B: Telnet is used to connect to a terminal concentrator through an in-band connection, which then
connects to the server through an out-of-band connection. This is not what is required.
C: IIS allows users to access information using a number of protocols that are part of the TCP/IP
suite. This does not comply with the requirements as stated.
D: Netsh is an interactive command-line utility that allows you to manage local or remote network
configurations of active machines. netsh also supports scripting, so you can create batch
configurations that run against the local machine or a specified host on the network. You can also
use the Netsh utility to generate a configuration script to use as a backup configuration or as an
aid to configure new machines in an identical fashion. Netsh works with the existing components
installed with the operating system by using helper dynamic link libraries (DLLs). This is not
what is required in this case.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 3, p. 189
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8: 13
Question: 65
You are the network administrator for Examsheets. The network contains Windows Server 2003
servers configured in a four-node server cluster.
The cluster provides file services to 5,000 users and contains several terabytes of data files.
Several thousand shared folders have been created on 16 virtual server groups by using dynamic
File Share cluster resources. Many data files are updated, created, or deleted each day.
You need to create a backup strategy for both user data and the cluster configuration. You need
to ensure that your strategy limits the potential loss of data and the cluster configuration to one
week and provides the quickest means of recovery. What should you do?
A. Perform a weekly ASR of the cluster node that owns the quorum resource. Perform a weekly
backup of all data files to tape.
B. Perform a weekly ASR of every node in the cluster. Perform a weekly backup of all data files to
tape
C. Perform a weekly ASR on each cluster node that currently owns cluster groups containing data
files
D. Configure daily shadow copies of all volumes on cluster nodes
E. Configure weekly shadow copies of all volumes on all cluster nodes
Answer: A
Explanation:
The Backup program included in Windows Server 2003 contains a disaster recovery feature
called ASR. When you run the Automated System Recovery Preparation Wizard, the software
walks you through the process of creating a full backup of the server, and then prompts you to
insert a floppy disk, which is used to create the boot device for the system. In the event of a
disaster in which the entire contents of the system drive are lost, you simply insert the backup
tape into the tape drive and boot from the floppy disk to completely restore the operating system.
A cluster’s quorum contains the cluster’s configuration data, which nodes use to update their
registries during the failback process. The quorum is included as part of the System State object,
as long as the Clustering service is running on the computer.
Incorrect Answers:
B, C: You only need to back up the node containing the cluster's quorum resource, because it
contains the configuration data.
D, E: Shadow copies are designed to facilitate quick recovery from simple, day-to-day problems,
not recovery from significant data loss.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;286422&Product=winsvr2003
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, p. 617
Question: 66
Your network contains a Windows Server 2003 computer named ExamSheetsC. ExamSheetsC
has a single CPU, 512 MB of RAM, and a single 100MB network adapter. All network users'
home folders are stored on ExamSheetsC. Users access their home folders by using a mapped
network drive that connects to a shared folder on ExamSheetsC. After several weeks, users report
that accessing home folders on ExamSheetsC is extremely slow at certain times during the day.
You need to identify the resource bottleneck that is causing the poor performance.
What should you do?
A. Capture a counter log by using the LogicalDisk, PhysicalDisk, Processor, Memory and Network
Interface performance objects and view the log data that is captured during periods
of poor performance
B. Configure alerts on ExamSheetsC to log entries in the event logs for the LogicalDisk,
PhysicalDisk, Processor, Memory and Network Interface performance objects when the value
of any object is more than 90
C. Capture a trace log that captures page faults, file details, network TCP/IP, and process
creation/deletion events
D. Implement auditing on the folder that contains the users' home folders. Configure Network
Monitor on ExamSheetsC
Answer: A
Explanation:
The problem is most likely to be caused by a hardware bottleneck. This could be a disk problem
or a problem with the processor, RAM or network card. We can monitor these hardware
resources by using a System Monitor counter log. The Windows Performance tool is composed of
two parts: System Monitor and Performance Logs and Alerts. With System Monitor, you can
collect and view real-time data about memory, disk, processor, network, and other activity in
graph, histogram, or report form. The output from the counter log will show us which hardware
resource is unable to cope with the load and needs to be upgraded or replaced.
Incorrect Answers:
B: We cannot use a generic value of 90 for the different hardware resources because each
hardware resource has its own acceptable range of counter values.
C: We need to monitor the hardware resources listed in answer A, not the software resources
listed in this answer.
D: The problem is most likely to be caused by a hardware bottleneck. Auditing and network
monitoring won’t give us any useful information about the hardware.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure. Microsoft Press, Redmond,
Washington, 2004, pp. 6: 25-28
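As an added example (not from the exam guide or Microsoft), the following Python script parses a constructed counter-log CSV of the kind option A produces, applies a separate threshold to each performance object, and reports which resource is saturated during the reported slow period; it also applies option B's flat "more than 90" rule to show why one value across all objects gives the wrong answer. The counter paths follow the PDH CSV layout, but the sample values and thresholds are assumptions.

```python
"""Locate the hardware bottleneck in a Performance Logs and Alerts counter log.

Added example, not code from the exam guide. It reads the CSV that a Windows
Server 2003 counter log writes, scores each performance object against its own
threshold, and contrasts that with the flat "more than 90" rule of option B.
Thresholds are assumed rules of thumb; the log lines below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed sample of a PDH CSV counter log captured on ExamSheetsC. Column 0
# is the sample time; every other column header is a full counter path.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\EXAMSHEETSC\Processor(_Total)\% Processor Time","\\EXAMSHEETSC\Memory\Pages/sec","\\EXAMSHEETSC\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\EXAMSHEETSC\Network Interface(Intel 100)\Bytes Total/sec"
"03/15/2004 08:00:00.000","12.5","3.1","0.4","410000"
"03/15/2004 09:00:00.000","34.0","6.2","1.1","2300000"
"03/15/2004 10:00:00.000","41.3","9.8","4.7","2600000"
"03/15/2004 10:15:00.000","45.0","11.0","5.9","2700000"
"03/15/2004 10:30:00.000","38.7"," ","5.2","2500000"
"03/15/2004 14:00:00.000","15.2","2.0","0.3","600000"
'''


@dataclass(frozen=True)
class Rule:
    counter: str   # counter name inside the performance object
    limit: float   # breached when the window average exceeds this
    note: str


# Assumed per-object rules of thumb (not from the page). A 100 Mb adapter moves
# at most 12,500,000 bytes/s; treat a sustained 65% of that as saturated.
RULES = {
    "Processor": Rule("% Processor Time", 85.0, "CPU saturated"),
    "Memory": Rule("Pages/sec", 20.0, "heavy paging, RAM short"),
    "PhysicalDisk": Rule("Avg. Disk Queue Length", 2.0, "I/O queuing on the disk"),
    "Network Interface": Rule("Bytes Total/sec", 0.65 * 12_500_000, "link near capacity"),
}


def parse_counter_path(path):
    r"""'\\HOST\Object(instance)\Counter' -> (object, instance, counter)."""
    parts = path.lstrip("\\").split("\\")
    if len(parts) != 3:
        raise ValueError(f"unexpected counter path: {path!r}")
    _host, obj_inst, counter = parts
    obj, _, inst = obj_inst.partition("(")
    return obj, inst.rstrip(")"), counter


def parse_ts(text):
    """Accept the log's 'MM/DD/YYYY HH:MM:SS.mmm' form, with or without .mmm."""
    if "." not in text:
        text += ".000"
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S.%f")


def load_log(text):
    """Parse the CSV into [(timestamp, {(object, instance, counter): value})]."""
    reader = csv.reader(io.StringIO(text))
    columns = [parse_counter_path(p) for p in next(reader)[1:]]
    rows = []
    for record in reader:
        if not record:
            continue
        values = {}
        for key, raw in zip(columns, record[1:]):
            if raw.strip():  # a blank cell means the counter had no sample
                values[key] = float(raw)
        rows.append((parse_ts(record[0]), values))
    return rows


def samples_in(rows, start, end):
    """Samples whose timestamp lies inside the period of poor performance."""
    lo, hi = parse_ts(start), parse_ts(end)
    window = [v for ts, v in rows if lo <= ts <= hi]
    if not window:
        raise ValueError("no samples inside the requested window")
    return window


def find_bottlenecks(rows, start, end, rules=RULES):
    """Average each rule's counter over the window; return the objects whose
    average breaches their own limit, as {object: (average, limit, note)}."""
    window = samples_in(rows, start, end)
    found = {}
    for obj, rule in rules.items():
        vals = [v[k] for v in window
                for k in v if k[0] == obj and k[2] == rule.counter]
        if vals and mean(vals) > rule.limit:
            found[obj] = (mean(vals), rule.limit, rule.note)
    return found


def flat_threshold(rows, start, end, limit=90.0):
    """Option B's approach: one value for every object. Returns the objects it
    flags, which shows the false alarm (bytes/sec) and the miss (disk queue)."""
    return {k[0] for v in samples_in(rows, start, end)
            for k, val in v.items() if val > limit}


if __name__ == "__main__":
    log = load_log(SAMPLE_LOG)
    slow = ("03/15/2004 10:00:00", "03/15/2004 10:30:00")  # when users complained
    for obj, (avg, limit, note) in find_bottlenecks(log, *slow).items():
        print(f"{obj}: average {avg:.1f} exceeds {limit:g} ({note})")
    print("flat 90 rule flags:", flat_threshold(log, *slow))
```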
Question: 67
Your network consists of a single Active Directory domain. ExamSheets has a main office in
Denver and branch offices in Paris and Bogota. Each branch office contains a Windows Server
2003 DC. All client computers run Windows XP Professional.
Users in the Bogota office report intermittent problems authenticating to the domain. You suspect
that a specific client computer is causing the problem.
You need to capture the authentication event details on the domain controller in the Bogota office
so that you can find out the IP address of the client computer that is the source of the problem.
What should you do?
A. Configure System Monitor to monitor authentication events
B. Configure Performance Logs and Alerts with a counter log to record the authentication events
C. Configure Network Monitor to record the authentication events
D. Configure Performance Logs and Alerts with an alert to trigger on authentication events
Answer: C
Explanation:
The question states that you need to find out the IP address of the client computer that is the source of
the problem. Using Network Monitor to capture traffic is the only way to do this.
Incorrect Answers:
A: This will not display the IP address of the client computer that is the source of the problem.
B: This will not display the IP address of the client computer that is the source of the problem.
D: This will not display the IP address of the client computer that is the source of the problem.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;175062
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 826
Question: 68
You have just installed two Windows Server 2003 computers. You configure the servers as a two-node
server cluster. You install WINS on each node of the cluster. You create a new virtual
server to support WINS.
You create a new cluster group named WINSgroup. When you attempt to create the Network
Name resource, you receive an error message. You need to make the proper changes to the
cluster to complete the installation of WINS.
What should you do?
A. Create a Generic Service resource in the WINSgroup cluster group
B. Configure the network priorities for the cluster
C. Create an IP address resource in the WINSgroup cluster group
D. Add the proper DNS name for the WINS Server in the DNS database
Answer: C
Explanation:
You need to create an IP address resource before you can create the network name resource.
Incorrect Answers:
A: Applications or services that do not provide their own resource DLLs can be configured into
the cluster environment by using the generic resource DLL. The Cluster Service then treats these
applications or services as generic, cluster-unaware applications or services. The absence of a
Generic Service resource will thus not impede the creation of a Network Name resource.
B: If cluster nodes can communicate over multiple networks, the network's priority specifies the
order in which the nodes will attempt to communicate over the networks.
D: Name Resolution is not required to create a Network Name resource.
Reference:
Robert J. Shimonski, Windows Server 2003 Clustering & Load Balancing, Osborne/McGraw-Hill,
2003 Chapter 3: Designing a Clustered Solution with Windows Server 2003.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/enus/
Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/enus/SAG_MS
CS2planning_4.asp
Question: 69
You are the administrator of the Examsheets company network. The network consists of a single
Active Directory domain. The network includes 20 servers running Windows Server 2003 and 300
client computers running either Windows XP Professional or Windows 2000 Professional.
You install a new member server named Examsheets3 for use by the Finance department.
Examsheets3 runs Windows Server 2003. You install a Finance application that runs as a service
on Examsheets3. When you restart Examsheets3, the logon screen does not appear. You
attempt to restart Examsheets3 using Safe Mode, and then again using the Last Known Good
Configuration, both of which are unsuccessful. All Safe Mode options are unsuccessful.
You reinstall Examsheets3 using a clean installation of Windows Server 2003. You discover that
the Finance application is not compatible with a security update. You install a patch provided by the
Finance software manufacturer. Examsheets3 reboots successfully and the Finance software
now successfully runs as a service.
You want to prevent this type of problem from happening again. You want to configure the existing
servers so that you can quickly recover from this type of failure.
What should you do?
A. Always install services using Add or Remove Programs.
B. On each server, install and use the Recovery Console.
C. On each server, create an Automated System Recovery (ASR) disk.
D. Next time the problem occurs, use Device Driver Roll Back.
Answer: B
Explanation:
1. We know that this service causes the failure.
2. We want minimum of time and minimum of data loss.
3. We want a solution for all servers.
4. We want to make sure other services that fail do not result in the same type of failure.
Using the Recovery Console, you can enable and disable services.
This method is recommended only if you are an advanced user who can use basic commands to
identify and locate problem drivers and files. To use the Recovery Console, restart the computer
with the installation CD for the operating system in the CD drive. When prompted during text-mode setup, press R to start the Recovery Console.
What it does: From the Recovery Console, you can access the drives on your computer. You can
then make any of the following changes so that you can start your computer:
• Enable or disable device drivers or services.
• Copy files from the installation CD for the operating system, or copy files from other removable
media. For example, you can copy an essential file that had been deleted.
• Create a new boot sector and new master boot record (MBR).
Incorrect Answers:
A: Located in Control Panel on the client machine, this option is used by users to manage
software on their own computers.
C: It backs up only the operating system partition; you must back up other partitions using
Backup or other means.
D: Driver Roll Back is done through Device Manager, and allows for use of a driver that was
previously configured for a device.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 10
Question: 70
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. The functional level of the domain is Windows Server
2003. The network contains 100 Windows XP Professional computers.
You configure a wireless network that requires IEEE 802.1x certificate-based authentication. Only
10 of the client computers are approved for wireless network access.
You need to enable the approved computers to access the wireless network while restricting
access for all other computers.
What should you do?
A. Establish an enterprise certification authority (CA) for the domain.
Create a global group that contains the user accounts for the employees who will use the
approved computers.
Create a certificate template for IEEE 802.1x authentication.
For the global group, configure autoenrollment for certificates based on the certificate template.
B. Establish an enterprise certification authority (CA) for the domain.
Create a global group that contains the approved computer accounts.
Create a certificate template for IEEE 802.1x authentication.
For the global group, configure the autoenrollment for certificates based on the certificate
template.
C. Create a global group that contains the user accounts for the employees who will use the
approved computers.
Configure the security permissions for the Default Domain Policy Group Policy object (GPO) so
that only the new global group can apply the GPO settings.
Establish an enterprise certification authority (CA) for the domain.
D. Create a global group that contains the approved computer accounts.
Configure the security permissions for the Default Domain Controllers Policy Group Policy
object (GPO) so that only the new global group can apply the GPO settings.
Establish an enterprise certification authority (CA) for the domain.
Answer: B
Explanation:
The question states that only 10 of the client computers are approved for wireless network
access. Therefore we need to authenticate the computers to allow wireless access.
To plan the configuration of Active Directory for your wireless clients, identify the user and
computer accounts for wireless users, and add them to a group that will be used in
conjunction with a remote access policy to manage wireless access. You must also determine
how to set the remote access permission on the user and computer accounts.
The computer authentication setting provides options that allow you to specify how computer
authentication works with user authentication:
• If you select Computer only, authentication is always performed using the computer
credentials. User authentication is never performed.
• If you select With user re-authentication (recommended), when users are not logged
on to the computer, authentication is performed using the computer credentials. After a
user logs on to the computer, authentication is performed using the user credentials.
When a user logs off of the computer, authentication is performed with the computer
credentials.
• If you select With user authentication, when users are not logged on to the computer,
authentication is performed using the computer credentials. After a user logs on to the
computer, authentication is maintained using the computer credentials. If a user travels to
a new wireless access point, authentication is performed using the user credentials.
A global group is a security or distribution group that can contain users, groups, and computers
from its own domain as members. Global security groups can be granted rights and permissions
for resources in any domain in the forest. Thus you should establish an enterprise CA for the
domain, create a global group that contains all approved computer accounts, and then
configure autoenrollment of the certificate template for IEEE 802.1x authentication.
Incorrect answers:
A, C: The newly created global group must contain the approved computer accounts and not the
user accounts for the employees who will use the approved computers.
D: Creating a global group that contains all the approved computer accounts is correct, but then
you also need to configure auto enrollment of the certificate template for IEEE 802.1x
authentication.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, pp. 803-805
Question: 71
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All domain controllers run Windows Server 2003. All
application servers run Windows Server 2003.
Client computers in the accounting department run Windows XP Professional. Client computers
in the engineering department run Windows 2000 Professional. Client computers in the sales
department run either Windows NT Workstation 4.0 or Windows 98. All client computers access
data files on the application servers.
You need to plan the method of securing the data transmissions for the client computers. You
want to ensure that the data is not modified while it is transmitted between the application servers
and the client computers. You also want to protect the confidentiality of the data, if possible.
What should you do?
To answer, drag the appropriate method or methods to the correct department’s client computers.
Answer:
Explanation:
We can use IPSec on Windows 2000 and Windows XP, but we cannot use IPSec for legacy
clients except for VPNs.
Sales contains Windows NT 4.0 and Windows 98 computers; in this case we use SMB signing.
Windows 2000 and Windows XP support both methods, and for security reasons we use IPSec
rules there.
SMB signing is supported on Windows 2000 and XP and can be enforced through local or domain
policies.
For it to be supported on legacy clients you must modify the registry on Windows 98 and Windows NT.
Windows 98 includes an updated version of the SMB authentication protocol. However, enabling
SMB signing slows down performance. This setting should be used only when
network security is a concern. The performance decrease usually averages between 10 and 15
percent. SMB signing requires that every packet is signed and every packet is verified.
Windows NT 4.0 Service Pack 3 provides an updated version of the Server Message Block
(SMB) authentication protocol, also known as the Common Internet File System (CIFS) file
sharing protocol.
IPSEC
The Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and Windows
Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide
basic permit and block filtering by using address, protocol and port information in network
packets. IPsec was also designed as an administrative tool to enhance the security of
communications in a way that is transparent to the programs.
Because of this, it provides the traffic filtering that is necessary to negotiate security for IPsec
transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust
is available from the Kerberos service or for specific paths across the Internet where public key
infrastructure (PKI) digital certificates can be used. IPSec is not supported on legacy clients; it is
supported only for VPN connections.
Reference:
http://www.microsoft.net/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 9, p. 646
Knowledge Base Articles:
SMB on Windows NT: KB article 161372
SMB on Windows 98: KB article 230545
Question: 72
You are the network administrator for Examsheets. The network consists of an internal network
and a perimeter network. The internal network is protected by a firewall. The perimeter network is
exposed to the Internet.
You are deploying 10 Windows Server 2003 computers as Web servers. The servers will be
located in the perimeter network. The servers will host only publicly available Web pages.
You want to reduce the possibility that users can gain unauthorized access to the servers. You
are concerned that a user will probe the Web servers and find ports or services to attack.
What should you do?
A. Disable File and Printer Sharing on the servers.
B. Disable the IIS Admin service on the servers.
C. Enable Server Message Block (SMB) signing on the servers.
D. Assign the Secure Server (Require Security) IPSec policy to the servers.
Answer: A
Explanation:
We can secure the web servers by disabling File and Printer sharing.
The File and Printer Sharing for Microsoft Networks component allows other computers on a
network to access resources on your computer by using a Microsoft network.
This component is installed and enabled by default for all VPN connections. However, this
component needs to be enabled for PPPoE and dial-up connections. It is enabled per connection
and is necessary to share local folders. The File and Printer Sharing for Microsoft Networks
component is the equivalent of the Server service in Windows NT 4.0.
File and Printer Sharing is not required on web servers because the web pages are accessed
over web protocols such as HTTP or HTTPS, and not over a Microsoft LAN.
Incorrect Answers:
B: This is needed to administer the web servers. Whilst it could be disabled, disabling File and
Printer sharing will secure the servers more.
C: SMB signing is used to verify that the data has not been changed in transit through
the network. It will not help in reducing the possibility that users can gain unauthorized access
to the servers.
D: This will prevent computers on the Internet from accessing the web pages.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 2, pp. 126-127
Question: 73
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All computers on the network are members of the
domain. All servers run Windows Server 2003 and all client computers run Windows XP
Professional.
You are planning a security update infrastructure.
You need to find out which computers are exposed to known vulnerabilities. You need to collect
the information on existing vulnerabilities for each computer every night. You want this process to
occur automatically.
What should you do?
A. Schedule the secedit command to run every night.
B. Schedule the mbsacli.exe command to run every night.
C. Install Microsoft Baseline Security Analyzer (MBSA) on one of the servers.
Configure Automatic Updates on all other computers to use that server.
D. Install Software Update Services (SUS) on one of the servers.
Configure the SUS server to update every night.
Answer: B
Explanation:
We can schedule the mbsacli.exe command to periodically scan for security vulnerabilities.
Incorrect Answers:
A, C, D: The question says that you have to gather information to plan a security update
infrastructure, not fix it immediately.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 830
Question: 74
Your network contains Terminal servers that host legacy applications that require users to be
members of the Power Users group in order to run them.
A new company policy states that the Power Users Group must be empty on all servers. You
need to maintain the ability to run legacy applications on your servers when the new security
requirement is enabled.
What should you do?
A. Add the domain users global group to the Remote Desktop Users built-in group in the domain
B. Add the domain users global group to the Remote Desktop Users local group on each terminal
server
C. Modify the compatws.inf security template settings to allow members of the local users group
to run the applications. Import the security settings into the default Domain Controllers Group
Policy Object.
D. Modify the compatws.inf security template settings to allow members of the local users group
to run the applications. Apply the modified template to each terminal server
Answer: D
Explanation:
The default Windows 2000 security configuration gives members of the local Users group strict
security settings, while members of the local Power Users group have security settings that are
compatible with Windows NT 4.0 user assignments. This default configuration enables certified
Windows 2000 applications to run in the standard Windows environment for Users, while still
allowing applications that are not certified for Windows 2000 to run successfully under the less
secure Power Users configuration. However, if Windows 2000 users are members of the Power
Users group in order to run applications not certified for Windows 2000, this may be too insecure
for some environments. Some organizations may find it preferable to assign users, by default,
only as members of the Users group and then decrease the security privileges for the Users
group to the level where applications not certified for Windows 2000 run successfully. The
compatible template (compatws.inf) is designed for such organizations. By lowering the security
levels on specific files, folders, and registry keys that are commonly accessed by applications, the
compatible template allows most applications to run successfully under a User context. In
addition, since it is assumed that the administrator applying the compatible template does not
want users to be Power Users, all members of the Power Users group are removed.
Incorrect Answers:
A, B: A global group is available domain-wide at any domain functional level, so adding it to
another group does not address the requirement.
C: The Compatws.inf template is not intended for domain controllers, so you should not link it to a
site, to the domain, or to the Domain Controllers OU.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8:5
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296,
Chapter 9.
Question: 75
You are the network admin for Examsheets. The network contains Windows Server 2003 servers and
Windows XP Professional clients. All computers are members of the same Active Directory forest.
The company uses a Public Key Infrastructure (PKI) enabled application to manage marketing
data.
Certificates used with this application are managed by the application administrators. You install
Certificate Services to create an offline stand-alone root CA on one Windows Server 2003 server.
You configure a second Windows Server 2003 server as a stand-alone subordinate CA. You instruct users in
the marketing department to enroll for certificates by using the Web enrollment tool on the stand-alone
subordinate CA. Some users report that when they attempt to complete the enrollment process,
they receive an error message on their certificate stating:
“This certificate cannot be verified up to a trusted certification authority”. Other users in the
Marketing department do not report the error.
You need to ensure that users in the marketing department do not continue to receive this error.
You also need to ensure that users in the marketing department trust certificates issued by this
CA. You create a new OU named Marketing. What else should you do?
A. Place all marketing department computer objects in the Marketing OU. Create a new GPO and
link it to the Marketing OU. Publish the root CA's root certificate in the Trusted Root
Certification Authorities section of the GPO
B. Place all marketing department user objects in the Marketing OU. Create a new GPO and link
it to the Marketing OU. In the user configuration section of the GPO, configure a certificate
trust list (CTL) that contains the subordinate CA's certificate
C. Place all marketing department computer objects in the Marketing OU. Create a new GPO and
link it to the Marketing OU. In the computer configuration section of the GPO, configure a
certificate trust list (CTL) that contains the subordinate CA's certificate
D. Place all marketing department user objects in the Marketing OU. Create a new GPO and link
it to the Marketing OU. In the user configuration section of the GPO, configure a certificate
trust list (CTL) that contains the root CA's certificate
Answer: D
Explanation:
We need to configure the Marketing department users to trust the root CA. We can do this using
a group policy object (GPO). We should place the marketing department user objects in the
Marketing OU and apply the GPO to the OU.
A certificate trust list (CTL) is a signed list of root certification authority certificates that an
administrator considers reputable for designated purposes.
For the client to trust the certificate, it needs to install a copy of the certificate as a trusted root
certificate in its own certificate store.
Incorrect Answers:
A: This setting is available for the Computer Configuration node only.
B, C: For the client to trust the certificate, it needs to install a copy of the certificate as a trusted
root certificate in its own certificate store. Thus these options are incorrect.
Reference:
Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to
Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft
Windows Server 2003 environment: Exams 70-292 and 70-296, pp. G-10.
Question: 76
You are the network admin for litware, inc. The company’s written security policy requires that
you maintain a copy of all private keys issued by Examsheets’s enterprise root CA. You create a
duplicate of the User template named Employee and configure the template as shown in the
Employee Properties exhibit:
You configure the CA to archive private keys by using a Key Recovery Agent Certificate.
You create a test user account named peter and request a new employee certificate. You issue
the certificate to Peter. You reinstall the OS on your test computer and attempt to recover Peter’s
private key. Your attempt fails and generates the following error message:
C:\> certutil -GetKey
CertUtil: -GetKey command failed
CertUtil: Cannot find object or property.
You need to ensure that future attempts to recover private keys associated with Employee
certificates succeed.
What should you do?
A. Using Group Policy, deploy a copy of the key recovery agent certificate to all client computers
B. In the Employee template, select the Archive subject’s encryption private key check box
C. In the employee template, select the Allow private key to be exported check box
D. Run the certutil -dspublish command to publish the Key Recovery Agent certificate to Active
Directory
Answer: B
Question: 77
You are the network admin for contoso. The network consists of a single Active Directory domain
named Examsheets.net. All computers on the network are members of the domain.
You are planning a Public Key Infrastructure (PKI) for the company. You want to deploy smart
cards for all users in the domain. You want the members of a new group named Smartcard
Agents to be able to issue smart cards for all users.
You create a new global group named Smartcard Agents. You install an Enterprise Certificate
Authority (CA) on a Windows Server 2003 computer named Server1.
You create a duplicate of the enrollment agent certificate template and change the validity period
of the new certificate template to three years.
The name of the new certificate template is SmartCard Enrollment. The configuration of the
permission for the certificate template is shown in the exhibit.
You want to ensure that members of the Smartcard Agents group can request smartcard
enrollment certificates. What should you do?
A. Assign the Smartcard Agents group the Allow Autoenroll permission for the Smartcard
Enrollment certificate template
B. Add the enrollment agent certificate template to the list of superseded templates on the
smartcard enrollment certificate template
C. Configure the enterprise CA to enable the Smartcard Enrollment certificate template
D. Configure the enterprise CA to assign the Certificate Managers to the Smartcard Agents
Group
E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web
enrollment pages to request certificates
Answer: B
Explanation:
The Superseded Templates tab is used to define which certificates the current template
supersedes. In this case, the enrollment agent certificate template is placed on the superseded
templates list.
Incorrect Answers:
A: This will clash with the enrollment agent certificate template, which is why the latter has to be
superseded.
C: Certificate templates enable you to easily configure a CA to issue specific types of certificates.
D: This option will allow the Smartcard Agents Group to issue, approve and revoke certificates,
not request them.
E: There is no mention of web enrollment in the question.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;313490
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12
Question: 78
D/D 1 You are the network admin for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003 and all client
computers run Windows XP Professional.
You need to implement the capabilities and requirements in the following table for the users and
computers:
Type of user or computer     Capability or requirement
Domain users                 Smart card logon required for all users
Security global group        Ability to issue smart cards to all domain users
Human resources servers      Certificate-based IPSec encryption required for all data transmissions
VPN server                   L2TP required
All client computers are portable computers and need to connect to the VPN servers and to the
HR resource servers.
You configure a PKI to support the domain users and computers. You need to specify which type
of certificate, if any, each type of user or computer requires.
What should you do?
Answer:
Explanation:
IPSec should be enabled on the HR servers, VPN servers and the client computers.
The Smart Card certificates are issued to the users, not the computers.
The Security group needs Enrollment Agents certificates.
Smart Card Logon is integrated with the Kerberos version 5 authentication protocol implemented
in Windows Server 2003. When smart card logon is enabled, the system recognizes a smart-card
insertion event as an alternative to the standard Ctrl + Alt + Del secure attention sequence to
initiate a logon. The user is then prompted for the smart card PIN code, which controls access to
operations performed by using the private key stored on the smart card. In this system, the smart
card also contains a copy of the certificate of the user (issued by an enterprise CA). This allows
the user to roam within the domain.
Smart cards enhance the security of your organization by allowing you to store extremely strong
credentials in an easy-to-use form. Requiring a physical smart card for authentication virtually
eliminates the potential for spoofing the identities of your users across a network. In addition, you
can also use smart card applications in conjunction with virtual private networks and certificate
mapping, and in e-commerce. For many organizations, the potential to use smart cards for logon
is one of the most compelling reasons for implementing a public key
infrastructure.
Enroll clients - To participate in a PKI, users, services, and computers must request and receive
certificates from an issuing CA. Typically, enrollment is initiated when a requester provides
unique identifying information and a newly generated public key.
The CA administrator or enrollment agent uses this unique identifying information to authenticate
the identity of the requester before issuing a certificate. The security of a VPN is based on the
tunneling and authentication protocols that you use and the level of encryption that you apply to
VPN connections. For the highest level of security, use a remote access VPN based on
L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p.
899
Question: 79
You are the network administrator for Contoso, Ltd. All servers run Windows Server 2003. All
client computers run Windows XP Pro. All computers are connected to the network by using
wireless access points.
You configure a CA. You require certificate-based IEEE 802.1X authentication on the wireless
access point.
You need to enable all computers to communicate on the wireless network.
What are two possible ways to complete this task?
A. Enter a 128-bit WEP key on the wireless access point and on the computers
B. In the Wireless Network Connection properties on each computer, select the The key is
provided for me automatically check box
C. Temporarily connect each computer to an available Ethernet port on the wireless access point
and install a computer certificate
D. Install a computer certificate on each computer by using a floppy
Answer: C, D
Explanation:
802.1X authentication is an Institute of Electrical and Electronics Engineers (IEEE) standard for
port-based network access control that provides authenticated network access to Ethernet
networks and wireless 802.11 local area networks (LANs).
A PKI using computers running Windows Server 2003 can create certificates that support
wireless network authentication. The increasing popularity of wireless local area networking
(LAN) technologies, such as those based on the 802.11 standard, raises an important security
issue. When you install a wireless LAN, you must make sure that only authorized users can
connect to the network and that no one can eavesdrop on the wireless communications. You can
use the Windows Server 2003 PKI to protect a wireless network by identifying and authenticating
users before they are granted access to the network.
Incorrect Answers:
A: WEP depends on encryption keys that are generated by a mechanism external to WEP itself,
not certificates.
B: This option depends on encryption keys as well.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, pp. 801-805
Question: 80
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All computers on the network are members of the
domain. The domain contains a Windows Server 2003 computer named ExamsheetsA.
You are planning a public key infrastructure (PKI) for the company. You want to deploy an
enterprise certification authority (CA) on ExamsheetsA.
You create a new global security group named Exam Approvers. You install an enterprise CA and
configure the CA to issue Key Recovery Agent certificates.
The company’s written security policy states that issuance of a Key Recovery Agent certificate
requires approval from a member of the Exam Approvers group. All other certificates must be
issued automatically.
You need to ensure that members of the Exam Approvers group can approve pending enrolment
requests for a Key Recovery Agent certificate.
What should you do?
A. Assign the Exam Approvers group the Allow – Enroll permissions for the Key Recovery
Agent.
B. Assign the Exam Approvers group the Allow – Issue and Manage Certificates permission for
the CA.
C. For all certificate managers, add the Exam Approvers group to the list of managed subjects.
D. Add the Exam Approvers group to the existing Cert Publishers group in the domain.
E. Assign the Exam Approvers group the Allow – Full Control permission for the Certificate
Templates container in the Active Directory configuration naming context.
Answer: B
Explanations:
In order to approve certificates you need certificate manager rights. In order to get those rights
you need Issue and Manage Certificates rights.
The choice between automatic issuance and waiting for approval is made on the certificate
template (in this case the Key Recovery Agent template).
Incorrect Answers:
A: This will allow enrollment only.
C: This will apply to all certificate managers.
D: The Cert Publishers group is meant to include the CA servers only.
E: There is no need to give them Full Control on the Certificate Templates container when we have
role separation in the Windows Server 2003 PKI.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 887
Question: 81
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All computers on the network are members of the
domain.
You are planning a public key infrastructure (PKI) for the company. You want to ensure that users
who log on to the domain receive a certificate that can be used to authenticate to Web sites.
You create a new certificate template named User Authentication. You configure a Group Policy
object (GPO) that applies to all users. The GPO specifies that user certificates must be enrolled
when the policy is applied. You install an enterprise certification authority (CA) on a computer that
runs Windows Server 2003.
Users report that when they log on, they do not have certificates to authenticate to Web sites that
require certificate authentication.
You want to ensure that users receive certificates that can be used to authenticate to Web sites.
Which two actions should you take?
(Each correct answer presents part of the solution. Choose two)
A. On the User Authentication certificate template, select the Reenroll All Certificate Holders
command.
B. Assign the Domain Users group the Allow – Autoenroll permission for the User
Authentication certificate template.
C. Configure the CA to enable the User Authentication certificate template.
D. Assign the Domain Users group the Allow – Issue and Manage Certificates permission for
the CA.
Answer: B, C
Explanation:
For users to request certificates from an enterprise CA, they must have permission to use the
templates corresponding to the certificates they need.
Incorrect Answers:
A: Only used when critical changes have been made to a certificate template, and you want it to
apply to all users immediately.
D: This would be a security risk, since users shouldn’t be allowed management permissions.
Reference:
Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to
Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft
Windows Server 2003 environment: Exams 70-292 and 70-296, pp. 25-14.
Question: 82
You are a network administrator for Examsheets. The network consists of a single Windows 2000
Active Directory forest that has four domains. All client computers run Windows XP Professional.
The company’s written security policy states that all e-mail messages must be electronically
signed when sent to other employees. You decide to deploy Certificate Services and
automatically enroll users for email authentication certificates.
You install Windows Server 2003 on two member servers and install Certificate Services. You
configure one Windows Server 2003 computer as a root certification authority (CA). You
configure the other Windows Server 2003 server as an enterprise subordinate CA. You open
Certificate Templates on the enterprise subordinate CA, but you are unable to configure
certificates templates for autoenrollment.
The Certificate Templates administration tool is shown in the exhibit.
You need to configure Active Directory to support autoenrollment of certificates.
What should you do?
A. Run the adprep /forestprep command on the schema operations master.
B. Place the enterprise subordinate CA’s computer account in the Cert Publishers Domain Local
group.
C. Run the adprep /domainprep command on a Windows 2000 Server domain controller that is
in the same domain as the enterprise subordinate CA.
D. Install Active Directory on the Windows Server 2003 member server that is functioning as the
enterprise subordinate CA.
Configure this server as an additional domain controller in the Windows 2000 Active Directory
domain.
Answer: A
Explanation:
The autoenrollment feature has several infrastructure requirements. These include:
Windows Server 2003 schema and Group Policy updates
Windows 2000 or Windows Server 2003 domain controllers
Windows XP Client
Windows Server 2003, Enterprise Edition running as an Enterprise certificate authority (CA)
In this question, we have a Windows 2000 domain; therefore, we have Windows 2000 domain
controllers. The Enterprise CA is running on a Windows Server 2003 member server which will
work fine only if the forest schema is a Windows Server 2003 schema. We can update the forest
schema with the adprep /forestprep command.
Incorrect Answers:
B: This will happen in the domain in which the CAs are installed.
C: The adprep /domainprep command prepares a Windows 2000 domain for an upgrade to a
Windows Server 2003 domain. We are not upgrading the domain, so this isn’t necessary.
D: The CA doesn’t have to be installed on a domain controller. You can’t install AD on a Windows
2003 server until you run the adprep commands.
Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/certenrl.asp?frame=true
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 3
Question: 83
You are the network administrator for Examsheets. The network consists of a single Active
Directory forest. The forest contains Windows Server 2003 servers and Windows XP Professional
computers.
The forest consists of a forest root domain named Examsheets.net and two child domains named
asia.Examsheets.net and europe.Examsheets.net. The asia.Examsheets.net domain contains a
member server named Examsheets2. You configure Examsheets2 to be an enterprise
certification authority (CA), and you configure a user certificate template. You enable the Publish
certificate in Active Directory setting in the certificate template. You instruct users in both the
asia.Examsheets.net and the europe.Examsheets.net domains to enroll for user certificates.
You discover that the certificates for user accounts in the asia.Examsheets.net domain are being
published to Active Directory, but the certificates for user accounts in the europe.Examsheets.net
domain are not.
You want certificates issued by Examsheets2 to europe.Examsheets.net domain user accounts to
be published in Active Directory.
What should you do?
A. Configure user certificate autoenrollment for all domain user accounts in the Examsheets.net
domain.
B. Configure user certificate autoenrollment for all domain user accounts in the
europe.Examsheets.net domain.
C. Add Examsheets2 to the Cert Publishers group in the Examsheets.net domain.
D. Add Examsheets2 to the Cert Publishers group in the europe.Examsheets.net domain.
Answer: D
Explanation:
The problem here is that Examsheets2 doesn’t have the necessary permission to publish
certificates for users in europe.Examsheets.net. We can solve this problem by adding
Examsheets2 to the Cert Publishers group in the europe.Examsheets.net domain.
Incorrect Answers:
A, B: The problem is not enrolment, it is that the certificates are not being published, which points
to permissions.
C: It is the europe.ExamSheets.net domain that has a problem, not the ExamSheets.net domain.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;219059
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 3
Question: 84
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All computers on the network are members of the
domain. The domain contains a Windows Server 2003 computer named Examsheets5.
You are planning a public key infrastructure (PKI) for the company. You want to deploy a
certification authority (CA) on Examsheets5.
You create a new global security group named Exam Administrators. You need to delegate the
tasks to issue, approve, and revoke certificates to members of the Exam Administrators group.
What should you do?
A. Add the e group in the domain.
B. Configure the Certificates Templates container in the Active Directory configuration naming
context to assign the Exam Administrators group the Allow – Write permission.
C. Configure the CertSrv virtual directory on Examsheets5 to assign the Exam Administrators
group the Allow – Modify permission.
D. Assign the Certificate Managers role to the Exam Administrators group.
Answer: D
Explanation:
To be able to issue, approve and revoke certificates, the Exam Administrators group needs to be
assigned the role of Certificate Manager. The Certificate Manager approves certificate enrollment
and revocation requests. This is a CA role, and is sometimes referred to as CA Officer.
Incorrect Answers:
A, B, C: Only the Certificate Manager can perform the required tasks.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, pp. 11-4 to 11-8.
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 890
Question: 85
You are the network administrator for Examsheets. The network contains a Windows Server 2003
Web server that hosts the company intranet.
The human resources department uses the server to publish information relating to vacations and
public holidays. This information does not need to be secure.
The finance department wants to publish payroll information on the server. The payroll
information will be published in a virtual directory named Payroll, which was created under the
default Web site on the server. The company’s written security policy states that all payroll-related
information must be encrypted on the network.
You need to ensure that all payroll-related information is encrypted on the network. To preserve
performance, you need to ensure that other information is not encrypted unnecessarily. You
obtain and install a server certificate.
What else should you do?
A. Select the Require secure channel (SSL) check box for the default Web site.
B. Assign the Secure Server (Require Security) IPSec policy option for the server.
C. Select the Encrypt contents to secure data check box for the Payroll folder.
D. Select the Require secure channel (SSL) check box for the Payroll virtual directory.
Answer: D
Explanation:
SSL is short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private
documents via the Internet. SSL works by using a private key to encrypt data that's transferred
over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many
Web sites use the protocol to obtain confidential user information, such as credit card numbers.
By convention, URLs that require an SSL connection start with https: instead of http:.
Incorrect Answers:
A: This will encrypt all data from the web server. We only need to encrypt the payroll data.
B: This will encrypt all data from the web server. We only need to encrypt the payroll data.
C: This will encrypt the data on the hard disk using EFS. It won’t encrypt the data as it is
transferred over the network.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 864
Question: 86
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. All client
computers run Windows XP Professional.
The Active Directory domain contains three organizational units (OUs): Payroll Users, Payroll
Servers, and Finance Servers. The Windows XP Professional computers used by the users in the
payroll department are in the Payroll Users OU. The Windows Server 2003 computers used by
the payroll department are in the Payroll Servers OU. The Windows Server 2003 computers used
by the finance department are in the Finance Servers OU.
You are planning the baseline security configuration for the payroll department. The company’s
written security policy requires that all network communications with servers in the Payroll
Servers OU must be secured by using IPSec. The written security policy states that IPSec must
not be used on any other servers in the company.
You need to ensure that the baseline security configuration for the payroll department complies
with the written security policy. You also need to ensure that members of the Payroll Users OU
can access resources in the Payroll Servers OU and in the Finance Servers OU.
What should you do?
A. Create a Group Policy object (GPO) and assign the Secure Server (Require Security) IPSec
policy setting.
Link the GPO to only the Payroll Servers OU.
Create a second GPO and assign the Client (Respond Only) IPSec policy setting.
Link the second GPO to the Payroll Users OU.
B. Create a Group Policy object (GPO) and assign the Secure Servers (Require Security) IPSec
policy setting.
Link the GPO to the Payroll Servers OU and to the Finance Servers OU.
Create a second GPO and assign the Client (Respond Only) IPSec policy setting.
Link the second GPO to the Payroll Users OU.
C. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy
setting.
Link the GPO to only the Payroll Servers OU.
Create a second GPO and assign the Client (Respond Only) IPSec policy setting.
Link the second GPO to the Payroll Users OU.
D. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy
setting.
Link the GPO to the Payroll Servers OU and to the Finance Servers OU.
Create a second GPO and assign the Client (Respond Only) IPSec policy setting.
Link the second GPO to the Payroll Users OU.
Answer: A
Explanation:
Assigning the Secure Server (Require Security) IPSec policy to the payroll servers will ensure
that they will only communicate using IPSec. Assigning the Client (Respond Only) IPSec policy to
the payroll clients will ensure that they are able to use IPSec when asked to do so by the payroll
servers. All other network communications will not use IPSec.
Client (Respond Only) policy contains one rule, the default response rule. The default response
rule secures communication only upon request by another computer. This policy does not attempt
to negotiate security for any other traffic.
Secure Server (Require Security) policy has two rules: the default response rule and a rule that
allows the initial inbound communication request to be unsecured, but requires that all outbound
communication be secured. The filter action for the second rule does not allow IKE to fall back to
unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded
and the communication is blocked. This policy requires that all connections be secured with
IPSec. Any clients that are not IPSec-enabled cannot establish connections.
Incorrect Answers:
B, D: The question states that IPSec must not be used on any other servers in the company.
C: This option configures the computer to use IPSec only when another computer requests
IPSec. The computer using this policy never initiates an IPSec negotiation; it only responds to
requests from other computers for secured communications.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, Chapter 12.
Question: 87
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All computers on the network are members of the
domain. The network contains a Windows Server 2003 computer named ExamsheetsCA.
The company uses an enterprise certification authority (CA) on ExamsheetsCA to issue
certificates. A certificate to encrypt files is autoenrolled to all users. The certificate is based on a
custom Encrypting File System (EFS) certificate template. The validity period of the certificate is
set to two years.
Currently, the network is configured to use data recovery agents. You are planning to implement
key archival for the keys that users use to decrypt files.
You configure the CA and the custom EFS certificate template to enable key archival of the
encryption private keys.
You need to ensure that the private EFS key of each user who logs on to the domain is archived.
What should you do?
A. Configure a new issuance policy for the custom EFS certificate template.
B. Configure the custom EFS certificate template to reenroll all certificate holders.
C. Select the Automatically Enroll Certificates command in the Certificates console.
D. Configure a logon script that runs the gpupdate.exe /force command for the users.
Answer: B
Explanation:
The question states: “A certificate to encrypt files is autoenrolled to all users.” We have now
modified the custom EFS certificate template to enable key archival of the encryption private
keys. Therefore, we now need to reenroll all certificate holders so that they get new certificates
based on the new template, and their keys are archived. EFS always attempts to enroll for the
Basic EFS template. The EFS driver generates an autoenrollment request that Autoenrollment
tries to fulfill. For customers that want to ensure that a specific template is used for EFS (such as
to include key archival), the new template should supersede the Basic EFS template. This will
ensure that Autoenrollment will not attempt enrollment for Basic EFS any more.
Key Archival
The private key database is the same as the database used to store the certificate requests. The
Windows Server 2003 Certification Authority database has been extended to support storing the
encrypted private key along with the associated encrypted symmetric key and issued certificate.
The recovery blob will be stored in the same row as the signed certificate request and any other
information the CA persists in its database for each request transaction. The actual encrypted
blob is stored as an encrypted PKCS #7 blob.
The Microsoft Certification Authority uses the JET database engine upon which various JET
utilities may be used for maintenance purposes.
Incorrect Answers:
A: This would use up too much time.
C: The question states: “A certificate to encrypt files is autoenrolled to all users.”
D: This option reapplies all settings without optimization.
Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/kyacws03.asp
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 868
Question: 88
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. Each client
computer runs either Windows XP Professional or Windows 2000 Professional.
The company requires that all users log on by using smart cards. You deploy Certificate Services
and smart card readers. You configure auto-enrollment to issue certificates to users. Users report
that they cannot log on by using a smart card.
You need to ensure that all users can log on by using a smart card.
What should you do?
A. In Active Directory Users and Computers, configure all user accounts to require a smart card
for interactive logon.
B. Configure the domain security policy to require smart cards for interactive logon.
C. Use the Certificate Services Web site to enroll each user for a smart card certificate.
D. Add a copy of the enterprise root certificate to the trusted root certification authorities store on
each client computer.
Answer: C
Explanation:
Although the question says “you configure auto-enrollment to issue certificates to users”, it
doesn’t say what types of certificates were auto-enrolled. You can use the Certificate Services
Web site to enroll each user for a smart card certificate.
The recommended method for enrolling users for smart card-based certificates and keys is
through the Smart Card Enrollment station that is integrated with Certificate Services in Windows
2000 Server and Windows 2000 Advanced Server.
Incorrect answers:
A: This is not necessary. With this setting disabled, the users can log on using any method.
B: This is not necessary. With this setting disabled, the users can log on using any method.
D: In a single domain, the Certificate Authority would be trusted by the client computers in the
domain. Therefore, it is not necessary to add a copy of the enterprise root certificate to the trusted
root certification authorities store on each client computer.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 887
Question: 89
You are the network administrator for Examsheets. All servers run Windows Server 2003.
Every week, you run the mbsacli.exe /hf command to ensure that all servers have the latest
critical updates installed. You run the mbsacli.exe /hf command from a server named server1.
When you scan a server named ExamsheetsB, you receive the following error message:
Error 200, System not found, Scan failed.
When you ping ExamsheetsB you receive a reply.
You need to ensure that you can scan ExamsheetsB by using the mbsacli.exe /hf.
What should you do?
A. Copy the latest version of the Mssecure.xml to the program files\microsoft baseline security
analyzer folder on server1
B. Ensure that the Server service is running on ExamsheetsB
C. Install IIS common files on Server1
D. Install the latest version of IE on server 5
Answer: B
Explanation:
From Microsoft: Error: 200 - System not found. Scan not performed. This error message indicates
that mbsacli /hf did not locate the specified computer and did not scan it. To resolve this error,
verify that this computer is on the network and that the host name and IP address are correct. We
know that the computer is on the network because we can successfully ping it. Therefore, the
cause of the problem must be that the Server service isn’t running.
Incorrect Answers:
A: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to
be with Server1.
C: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to
be with Server1.
D: The version of IE that comes with Windows Server 2003 is sufficient, and therefore does not
need to be upgraded.
Reference:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q303/2/15.asp&NoWebContent=1
Question: 90
You are the network administrator for Examsheets. There is a single Active Directory domain
named Examsheets.net. All computers on the network are members of the domain. All domain
controllers run Windows Server 2003.
You are planning a Public Key Infrastructure (PKI). The PKI design documents for ExamSheets
specify that certificates that users request to encrypt files must have a validity period of two years.
The validity period of the Basic EFS certificate is one year. In the Certificate Templates console,
you attempt to change the validity period for the Basic EFS certificate template. However, the
console does not allow you to change the value.
You need to ensure that you can change the value of the validity period of the certificate that
users request to encrypt files. What should you do?
A. Install an enterprise CA in each domain.
B. Assign the Domain Admins group the Allow Full control permission for the Basic EFS
Certificate Template
C. Create a duplicate of the Basic EFS certificate template. Enable the new template for issuing
certification authorities.
D. Instruct users to connect to the CA Web Enrollment pages to request a Basic EFS certificate.
Answer: C
Explanation:
The question states that the validity period of the Basic EFS certificate is one year. This suggests
that we are using a standalone CA (the default validity period for an enterprise CA is two years).
We cannot change the validity period of the Basic EFS template. We can however, make a copy
of the Basic EFS template. This would enable us to make changes to the copy of the template.
Incorrect Answers:
A: The default validity period for an enterprise CA is two years. This would satisfy the
requirement that the certificates have a validity period of two years. However, it does not
satisfy the requirement that “you need to ensure that you can change the value of the validity
period of the certificate that users request to encrypt files”. Therefore, answer C is a better
solution.
B: This is not a permissions issue. We cannot change the values in the template because they
are hardcoded into the templates.
D: We need to edit the template before the users receive the certificates.
Reference:
http://support.microsoft.com/?id=254632
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, pp. 872-875
Question: 91
You are the network administrator for Examsheets. The company consists of two subsidiaries
named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests
named contoso.com and cpand1.com. The functional level of each forest is Windows Server
2003. A two-way forest trust relationship exists between the forests. You need to achieve the
following goals:
• Users in the contoso.com forest must be able to access all resources in the cpand1.com forest.
• Users in the cpand1.com forest must be able to access only resources on a server named
HRApps.contoso.com. You need to configure the forest trust relationship and the resources on
HRApps.contoso.com to achieve the goals. Which three actions should you take? (Each correct
answer presents part of the solution. Choose three)
A. On a domain controller in the contoso.com forest, configure the properties of the incoming
forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.com forest, configure the properties of the incoming
forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.com forest, configure the properties of the incoming
forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.com forest, configure the properties of the incoming
forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control list (DACLs) on HRApps.contoso.com to allow access
to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access
to This Organization security group.
Answer: A, D, E
Explanation:
Authentication between Windows Server 2003 forests
When all domains in two forests trust each other and need to authenticate users, establish a
forest trust between the forests. When only some of the domains in two Windows Server 2003
forests trust each other, establish one-way or two-way external trusts between the domains that
require interforest authentication.
Selective authentication between forests
Using Active Directory Domains and Trusts, you can determine the scope of authentication
between two forests that are joined by a forest trust. You can set selective authentication
differently for outgoing and incoming forest trusts. With selective trusts, administrators can make
flexible forest-wide access control decisions. If you use forest-wide authentication on an incoming
forest trust, users from the outside forest have the same level of access to resources in the local
forest as users who belong to the local forest. For example, if ForestA has an incoming forest
trust from ForestB and forest-wide authentication is used, users from ForestB would be able to
access any resource in ForestA (assuming they have the required permissions). If you decide to
set selective authentication on an incoming forest trust, you need to manually assign permissions
on each domain and resource to which you want users in the second forest to have access. To
do this, set the control access right Allowed to authenticate on an object for that particular user or
group from the second forest. When a user authenticates across a trust with the Selective
authentication option enabled, an Other Organization security ID (SID) is added to the user's
authorization data. The presence of this SID prompts a check on the resource domain to ensure
that the user is allowed to authenticate to the particular service. Once the user is authenticated,
then the server to which he authenticates adds the This Organization SID if the Other
Organization SID is not already present. Only one of these special SIDs can be present in an
authenticated user's context.
Question: 92
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain. The domain includes a Windows Server 2003 computer that runs Terminal
Services. The terminal server has a computer account in an organizational unit (OU) named
Terminal Servers. A Group Policy object (GPO) named TS Settings is linked to the Terminal
Servers OU. This GPO is configured with settings that must apply when users are logged on to
the terminal server. The company wants users to have their normal settings when connected to
the terminal server, except for settings that conflict with the settings in the TS Settings GPO.
You discover that when users are logged on to the terminal server, they receive only the settings
from the TS Settings GPO, without any of their own settings. You use the Group Policy
Management Console (GPMC) to examine the configuration of the TS Settings GPO. The
relevant portion of the configuration is shown in the exhibit.
****MISSING****
You need to ensure that policy settings apply properly to users logging on to the terminal server.
What should you do?
A. Enable the Block Policy inheritance setting for the Terminal Servers OU.
B. Disable the No Override setting for the TS Settings GPO.
C. Modify the TS Settings GPO to use loopback processing in Merge mode.
D. Disable the Only allow local profiles setting in the TS Settings GPO.
Answer: B
Explanation:
When Group Policy is not affecting users and computers in a site, domain, or OU, make sure that
the intended policy is not being blocked. Make sure no policy set at a higher level of Active
Directory has been set to No Override. If Block Policy Inheritance and No Override are both used,
keep in mind that No Override takes precedence.
Incorrect Answers:
A: Enabling the Block Policy inheritance setting for the Terminal Servers OU will prevent the
application of GPOs higher in the hierarchy from being inherited by the Terminal Servers OU.
Thus, only the TS Settings GPO will be applied.
C: Loopback is a new Group Policy setting that provides alternatives to the default method of
obtaining the ordered list of GPOs whose user configuration settings affect a user. By default, a
user’s settings come from a GPO list that depends on the user’s location in Active
Directory. Loopback operates in replace mode or merge mode. In merge mode, user settings that
do not conflict with computer settings are applied. If there is a conflict between the two, the
computer settings override the user settings.
D: The Only allow local profiles is a new Group Policy option that permits a computer to ignore
user settings in roaming profiles. By default, when roaming profile users log on to a computer,
their roaming profile is copied to the local computer. If they have previously logged on to this
computer, the roaming profile is merged with the local profile. When the users log off this
computer, the local copy of their profile, including any changes they have made, is merged with
the server copy of their profile. If the Only allow local profiles setting is enabled, the user
receives a local profile, rather than the roaming profile.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-16 to 10-17, 10-19 to 10-20.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/enus/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/enus/dmebc_dsm_jxfc.asp
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA
02370, Chapter 2, p. 110.
Charlie Russel, Sharon Crawford, and Jason Gerend, Microsoft Windows Server 2003
Administrator's Companion, Chapter 10.
Question: 93
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain. All servers run Windows Server 2003. One of the domain controllers is
configured as a subordinate enterprise certification authority (CA). Examsheets also has an
offline root CA. All client computers run Windows XP Professional. Examsheets does business
with a distributor named Coho Vineyard. Users at Examsheets frequently access secured Web
sites at Coho Vineyard. These sites are secured by using certificates issued by an enterprise CA
at Coho Vineyard. Users at Examsheets report that they receive security alerts from the Web
browser whenever they try to access secured Web sites at Coho Vineyard. Users can access the
sites after they acknowledge the warnings, but many choose to cancel the operation in order to
be sure that the network is secure. You need to configure the Examsheets network to prevent
these security alerts from appearing when accessing the secured Web sites at Coho Vineyard.
Which two actions should you take? (Each correct answer presents part of the solution. Choose
two)
A. Obtain a copy of the Coho Vineyard root certificate from Coho Vineyard.
B. Issue a certificate to the Coho Vineyard Web server from the Examsheets enterprise CA.
C. Import the certificate into the Trusted Root Certification Authorities section of the Default
Domain Policy Group Policy object (GPO).
D. Place the Coho Vineyard secured Web sites in the list of trusted sites in the Internet Explorer
Maintenance section of the Default Domain Policy Group Policy object (GPO).
Answer: A, C
Explanation:
Cross-Trust Hierarchies
For a PKI entity to use a certificate provided by a CA, the entity must trust that CA. This trust is
established when the entity has a copy of the CA’s certificate located in its local certificate store.
Using the public key contained in the certificate, the entity can verify the CA’s digital signature.
How, then, does the certificate get from the CA to the entity’s local store? Unfortunately, there is
not just one answer. Group policies under Active Directory, preloaded certificates in Windows
Server 2003, and downloads from the Windows Update Web site are the most common ways. If
your organization must exchange data with external parties, there needs to be a way to recognize
and trust a third-party CA as if it were a part of your local chain of trust. To do this you can
either use a certificate trust list (CTL), or you can create a cross-trust hierarchy, which enables an
external CA to be viewed as a subordinate CA in your local trust chain.
Incorrect Answers:
B, D: Coho Vineyard would have to be part of Examsheets’s organization for this to be possible.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA
02370 Chapter 12, pp. 883.
Question: 94
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain. All servers run Windows Server 2003.
You configure a certification authority (CA) to issue smart card authentication certificates. Users
who have administrative responsibilities are required to have two accounts. One account is for
general computer use. The other account is an administrative account that has administrative
privileges and is used only when performing administrative tasks. You decide to deploy smart
cards to all users in your company. You issue one smart card to each user for general computer
use. You enroll each user for a smart card authentication certificate. You need to plan smart card
access for users who have administrative responsibilities. What should you do?
A. Issue an additional smart card to users who have administrative responsibilities. Enroll each
user’s administrative account for a smart card authentication certificate. Instruct users to use
this card when logging on to perform administrative tasks.
B. Enroll each user’s administrative account for a smart card authentication certificate. When
prompted, store the certificate on the existing smart card. Instruct users to use this card when
logging on to perform all tasks.
C. Configure Group Policy to autoenroll administrative users for certificates. Instruct these users
to log on by using their nonadministrative accounts.
D. Issue a master card to users who have administrative responsibilities. Instruct users to use this
card when logging on to perform administrative tasks.
Answer: B
Explanation:
Smart card enrollment is the process by which a CA grants a certificate to the card. After
enrollment, the user can insert the card at any workstation on the network, including terminal
services clients and remote access clients, as long as a smart card reader is present.
Smart card logon
A smart card is a credit card-size device that contains memory and possibly an integrated circuit.
Windows Server 2003 can use a smart card as an authentication device that verifies the identity
of a user during logon. The smart card contains the user’s certificate and private key, enabling the
user to log on to any workstation in the enterprise with full security.
Incorrect Answers:
A: It does not state that users with administrative responsibilities should have two smart cards.
C: The question states: “You need to plan smart card access for users who have
administrative responsibilities”.
D: This is an invalid option.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA
02370 Chapter 12, pp. 898.
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington
98052-6399, Chapter 11.
Question: 95
You are the network administrator for Examsheets. The network consists of a single Active
Directory forest that contains a single domain named examsheets.net. Organizational units (OUs)
in the domain are configured as shown in the Domain Structure exhibit.
**MISSING**
All client computers run Windows XP Professional. All client computer accounts are located in the
Examsheets Computers OU. Your user account is a member of the Domain Admins security
group. All user accounts that are members of the Domain Admins security group are located in
the Domain Admins OU. All service desk users have user accounts that are members of the
SrvDeskGrp security group. All accounts that are members of this group are located in the
Service Desk Staff OU. You use the Group Policy Management Console (GPMC) to create a
Group Policy object (GPO) named Install Admin Tools. You configure the GPO as follows:
• In the GPO, create a software installation package that assigns the Windows Server 2003
Administration Tools Pack (adminpak.msi) to users.
• Link the GPO to the IT Users OU.
• Remove the Authenticated Users built-in group from the list of users and groups that were
delegated permissions for the GPO.
• Assign the SrvDeskGrp security group the Allow – Read permission for the GPO.
Service desk users report that the administrative tools needed for their job are not installed. You
use the GPMC to examine the history of Group Policy application for one of the affected users.
The relevant results are shown in the GPMC exhibit.
**MISSING**
You also discover that when you log on to a computer normally used by a service desk user, the
administrative tools are automatically available for you.
You need to ensure that administrative tools can also be installed by Group Policy for all users
with accounts in the IT Users OU, without increasing the administrative privileges of any users.
What should you do?
A. Link the Install Admin Tools GPO to the Service Desk Staff OU. Move the computer accounts
for computers used by service desk users to the Service Desk Staff OU.
B. Change the security filtering on the Install Admin Tools GPO to grant the SrvDeskGrp security
Group the ability to apply the GPO.
C. Move the SrvDeskGrp security group to the Domain Admins OU.
D. Modify the GPO to assign the Administration Tools Pack to computers instead of to users.
Answer: B
Explanation:
You need to assign the Allow – Apply Group Policy permission, not just the Allow – Read
permission, to the SrvDeskGrp group.
Incorrect Answers:
A: Linking the Install Admin Tools GPO to the Service Desk Staff OU on its own won’t help. The
SrvDeskGrp would still only have Allow – Read permissions.
C: Making the SrvDeskGrp a member of the Domain Admins OU would give them too many
permissions.
D: The GPO should apply to users not computers because we are controlling application based
on user groups.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-20, 10-40 to 10-41.
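The security-filtering fix from the answer, shown as an added PowerShell example rather than anything from the study guide. It assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 or later; the 2003-era GPMC exposed the same permissions through its COM scripting interfaces), a GPO named Install Admin Tools and a group named SrvDeskGrp, as in the question.

```powershell
# Added example, not from the original study guide. Assumes the GroupPolicy
# module is installed and that the GPO "Install Admin Tools" and the group
# "SrvDeskGrp" exist, as in the question.
Import-Module GroupPolicy

$gpoName   = 'Install Admin Tools'
$groupName = 'SrvDeskGrp'

# What does the group currently hold on the GPO? "GpoRead" alone means the
# group can read the GPO but it is never applied to its members, which is
# exactly the symptom in the question.
$current = Get-GPPermission -Name $gpoName -TargetName $groupName `
    -TargetType Group -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$groupName has no permission entry on '$gpoName'"
} else {
    Write-Host "$groupName on '$gpoName': $($current.Permission)"
}

# Grant Apply Group Policy (GpoApply implies Read) so the GPO is filtered to
# this group without making anyone a Domain Admin.
if ($null -eq $current -or $current.Permission -ne 'GpoApply') {
    Set-GPPermission -Name $gpoName -TargetName $groupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Verify the full filtering list. Authenticated Users should be absent (it
# was removed in the question), otherwise the group-based filtering would
# be meaningless because every user would apply the GPO.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

After the change, run gpupdate on an affected user's session (or wait for the next foreground refresh) before re-checking the Group Policy Results report in GPMC.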
Question: 96
You are the network administrator for Examsheets. You are implementing a new Windows Server
2003 network environment. You install one Active Directory forest root domain named cpandl.com.
You install the first domain controller named DC1. You configure DC1 as a DHCP server and as
an Active Directory-integrated DNS server with dynamic updates enabled. Later you install an
additional domain controller named DC2. You cannot raise the functional level of the domain to
Windows Server 2003. You discover that the service locator (SRV) resource records of DC1 are
not created in the cpandl.com zone on the DNS server. You run the Dcdiag tool on DC1 and
receive the output shown in the exhibit.
You need to make it possible to raise the functional level of the domain to Windows Server 2003.
What should you do?
A. Upgrade DC2 to a global catalog server.
B. Use the DHCP server locator utility to find out which DHCP servers are available in the
cpandl.com zone.
C. Start the Net Logon service on DC1.
D. Restart the DNS Server service on DC1 to enable DNS clients to resolve host names by
answering queries and update requests.
Answer: C
Explanation:
SRV records are required for clients to locate hosts that provide required services. The Netlogon
service registers a set of default SRV resource records on the DNS server. However, the exhibit
indicates that the NetLogon service is stopped on DC1. We should restart this service.
Incorrect Answers:
A: The global catalog is the central repository of information about Active Directory objects in a
tree or forest. The domain controller that holds a copy of the global catalog is called a global
catalog server. The global catalog enables a user to log on to a network by providing universal
group membership information to a domain controller when a logon process is initiated, and
enables finding directory information regardless of which domain in the forest actually contains
the data. It does not affect the domain functional level.
B: DHCP is used to assign IP configurations to DHCP clients. However, it is the SRV records that
are missing. Locating the DHCP server will not help.
D: The DNS server does not have the SRV records. Restarting the DNS service will not generate
these records.
We should start the NetLogon service.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2: 48-52
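A health check for the situation in the question, as an added PowerShell example (not from the study guide): it confirms the Netlogon state on DC1, looks for the DC locator SRV records in the _msdcs subtree of cpandl.com, and then forces re-registration. It assumes Windows PowerShell 5.1 on a domain-joined management host (Get-Service -ComputerName and Resolve-DnsName are not available on older systems) and the names DC1 and cpandl.com from the question.

```powershell
# Added example, not from the original study guide. Assumes Windows
# PowerShell 5.1, a domain-joined management host, and the DC name and
# domain from the question.
$domain = 'cpandl.com'
$dcHost = 'DC1'

# 1. Netlogon is the service that registers a DC's locator SRV records.
#    While it is stopped the records never appear, no matter how often the
#    DNS Server service is restarted (which is why answer D does not help).
$netlogon = Get-Service -Name Netlogon -ComputerName $dcHost
Write-Host "Netlogon on ${dcHost}: $($netlogon.Status)"
if ($netlogon.Status -ne 'Running') {
    # Start-Service accepts the remote ServiceController object directly.
    Start-Service -InputObject $netlogon
}

# 2. Look for the records every DC must publish under _msdcs. The PDC record
#    is checked too because DC1 is the first DC in the forest root domain.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain"
)
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    $targets = ($records | Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object { $_.NameTarget }) -join ', '
    if ($targets) {
        Write-Host "$name -> $targets"
    } else {
        Write-Host "$name -> MISSING"
    }
}

# 3. Ask Netlogon on DC1 to re-register its records now rather than waiting
#    for its periodic refresh, then re-run the DNS portion of dcdiag, the
#    tool whose output the question's exhibit came from.
nltest /server:$dcHost /dsregdns
dcdiag /s:$dcHost /test:dns
```

If the records are still missing after re-registration, check that the zone allows dynamic updates from DC1 (the question states they are enabled) and that DC1's own DNS client points at the Active Directory-integrated DNS server.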
Question: 97
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain. The network contains three Windows Server 2003 domain controllers named
ServerEXAMS1, ServerEXAMS2 and ServerEXAMS3. ServerEXAMS1 holds the schema master
role and the domain naming master role. ServerEXAMS2 holds the relative ID (RID) master role.
ServerEXAMS3 holds the PDC emulator master role and the infrastructure master role.
ServerEXAMS2 fails and cannot be restarted. You log on to ServerEXAMS3 as the administrator
and seize RID master role. Later, ServerEXAMS2 is repaired and can be brought back online.
You want ServerEXAMS2 to hold the RID master role again. What should you do?
A. Restart ServerEXAMS2 while it is connected to the network. Use the Ntdsutil utility and seize
the RID master role. Reconnect ServerEXAMS2 to the network.
B. Restart ServerEXAMS2 while it is disconnected from the network.
Use the Ntdsutil and seize the RID master role. Reconnect ServerEXAMS2 to the network.
C. Reinstall Windows Server 2003 on ServerEXAMS2.
Restore the system state from the most recent backup to ServerEXAMS2. Reconnect
ServerEXAMS2 to the network.
D. Reinstall Windows Server 2003 on ServerEXAMS2. Promote ServerEXAMS2 to become a
domain controller. Transfer the RID master role to ServerEXAMS2.
Answer: D
Explanation:
A domain controller whose RID master role has been seized can only be brought back online by
reinstalling Windows Server 2003.
Incorrect Answers:
A: ServerEXAMS2 was the RID master before it failed. That role was seized to ServerEXAMS3. If we
restart ServerEXAMS2, there will be two RID masters. Furthermore, we can only seize a role if the
domain controller that holds that role fails.
B: We cannot seize the RID master role if ServerEXAMS2 is not connected to the network.
Furthermore, we can only seize a role if the domain controller that holds that role fails.
C: ServerEXAMS2 was the RID master before it failed. That role was seized to ServerEXAMS3. However,
if we bring ServerEXAMS2 back online, there will be two RID masters.
Reference:
Jill Spealman, Kurt Hudson, and Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure , Chapter 4.
Question: 98
You are a network administrator for Examsheets. The network consists of two Active Directory
domains. All servers run Windows Server 2003. Examsheets has offices in New York and Rome.
The two offices are connected by a 128-Kbps WAN connection. Each office is configured as a
single domain. Each office is also configured as an Active Directory site. Examsheets stores
printer location information in Active Directory. Users frequently perform searches of Active
Directory to find information on printers by selecting the Entire Directory option. Users in the
New York Office report that response time is unacceptably slow when searching for printers.
You need to improve the response time for users in the New York office.
What should you do?
A. Place a domain controller for the Rome domain in the New York office.
B. Place a domain controller for the New York domain in the Rome office.
C. Enable universal group membership caching in the New York office.
D. Configure a global catalog server in the New York office.
Answer: D
Explanation:
Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects
in the forest, to let users search for directory information across all the domains in the forest. The
GC helps in keeping a list of every object without holding all the details of those objects; this
optimizes network traffic while still providing maximum accessibility.
Incorrect Answers:
A, B: These options require users to search via the WAN connection, which will not improve the
response time.
C: Universal group membership caching allows a domain controller to cache universal group
membership information, thus reducing the need for a global catalog server to be contacted
during the user authentication process.
Reference:
Michael Cross, Jeffery A. Martin, Todd A. Walls, Martin Grasdal, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning, Implementing, and Maintaining a Windows Server 2003 Active
Directory Infrastructure Study Guide & DVD Training System, Syngress Publishing, Inc.,
Rockland, MA 02370, Chapter 8, p. 540.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296,
Chapter 1
Question: 99
You are the network administrator for Examsheets. The network consists of a single Active
Directory forest that contains multiple domains. The functional level of the forest is Windows
Server 2003. The forest contains several Active Directory sites that represent branch offices and
a site named MainOffice that represent the central data center. A site named Branch1 contains
one domain controller named Server1 that is not a global catalog server. The MainOffice site
contains one domain controller named Server2 that is a global catalog server. You need to use
universal group membership caching in the Branch1 site. Which component or components
should you configure? To answer, select the appropriate component or components in the work
area.
Answer: Select the “NTDS Site Settings” for the Branch1 office in the right hand pane.
Explanation:
Universal group membership caching is enabled or disabled in the NTDS Settings Properties
dialog box of the Active Directory Sites and Services console. This must be performed in the site
where you want to enable universal group membership caching, i.e., in the Branch1 site.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-41 to 5-45, 5-48 to 5-50.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter,
Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide
& DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 31, 543, 547, 550-552.
Question: 100
You are a network administrator for Examsheets, which has five regional offices and 3,000
branch offices. Each branch office contains 10 users. Branch offices are connected to the nearest
regional office by a 56-Kbps WAN connection. The network consists of a single Active Directory
forest that contains one domain for each regional office. All servers run Windows Server 2003.
Each branch office contains one domain controller that is configured as an additional domain
controller in the regional domain for the branch office. The site link between each branch office
and the corresponding regional domain is configured to replicate every 30 minutes. Users in the
branch office report that applications respond slowly when they access resources in the
corresponding regional office. You monitor the WAN connection that connects several of the
branch offices and discover that utilization increases from 30 percent to more than 90 percent on
a regular basis. You need to improve the response time of applications when they access
resources in the regional office. You need to ensure that users can log on without using cached
credentials if the WAN connection fails. What should you do?
A. Remove Active Directory from the file and print server in each branch office.
On the site link between each branch office and the corresponding regional office, increase the
replication interval.
B. Enable universal group membership caching in each branch office.
Configure the site link between each branch office and the corresponding regional office to be
available only during off-peak hours.
C. Configure the domain controller in each branch office as a global catalog server.
D. On the site link between each branch office and the corresponding regional office, decrease
the replication interval.
Answer: D
Explanation:
Response times for the application are slow because there is too much replication traffic.
Decreasing the replication interval reduces the replication traffic at any one time, because
smaller amounts of changes are replicated more frequently instead of in large bursts.
Incorrect Answers:
A: Increasing the replication interval will increase the amount of changes that must be replicated
at a time. This might increase replication traffic.
B: We don’t want to use cached credentials.
C: The global catalog is the central repository of information about Active Directory objects in a
tree or forest. The domain controller that holds a copy of the global catalog is called a global
catalog server. The global catalog enables a user to log on to a network by providing universal
group membership information to a domain controller when a logon process is initiated, and
enables finding directory information regardless of which domain in the forest actually contains
the data. It does not control replication.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-7 to 5-8.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter,
Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide
& DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 449-452, 458, 458-459.
Question: 101
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain. All servers run Windows Server 2003. Examsheets’s written security policy
requires that all administrative passwords be changed every 30 days. You configure the domain
security policy to enforce the written security policy. A security audit reveals that the password
used to log on to domain controllers in Directory Services Restore mode is 10 months old.
You need to ensure that all passwords are changed in accordance with the written security policy.
You must accomplish this task without causing disruption to user access.
What should you do?
A. Restart each domain controller in Directory Services Restore Mode.
Use Computer Management to reset the password for the Administrator account.
B. Use the Ntdsutil utility to reset the password on each domain controller for Directory Services
Restore Mode.
C. Configure the Domain Controller Security Policy to enforce the written security policy.
D. Reset the Administrator password by using Active Directory Users and Computers.
Answer: B
Explanation:
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore
Mode Administrator password.
Incorrect Answers:
A: Restarting the domain controllers will cause a disruption in user access.
C: The Domain Controller Security Policy is enforced when the domain controller is booted and
can be refreshed at set intervals. However, the Directory Service Restore Mode Administrator
password is a user account setting, not a computer account setting, and should be enforced when
the user logs on.
D: Directory Service Restore Mode Administrator password cannot be set in Active Directory
Users and Computers.
References:
MS Knowledgebase Article 322672: How to reset the Directory Service Restore Mode
Administrator Account Password in Windows Server 2003.
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53.
Question: 102
Network Diagram
You notice that after the forest trust relationship is deleted, the membership lists for some of the
domain local groups are no longer accurate. When you view a membership list, it contains entries
without user-friendly names. A sample is shown in the Membership List exhibit.
**MISSING**
You need to delete all the unknown groups from the membership list for the domain local groups.
You want to achieve this goal by using the minimum amount of administrative effort, and without
modifying the access to resources for users in the examsheets.net forest.
What should you do?
A. Create new domain local groups.
Add the required global groups from the examsheets.net forest to the domain local groups.
Grant appropriate permissions to the domain local groups.
Delete the original domain local groups.
B. Re-create the trust relationship between examsheets.net forest and the fabrikam.com forest.
Delete all fabrikam.com global accounts from the domain local group membership lists.
Delete the trust relationship between the two forests.
C. Verify all remaining trust relationships.
Then delete the unknown accounts from the domain local groups.
D. Delete all the affected domain local groups.
Re-create the groups.
Add the appropriate global groups from the examsheets.net forest to the groups.
Grant appropriate permissions to the domain local groups.
Answer: C
Explanation:
A seek-and-destroy approach represents the least administrative effort. To keep administrative
effort to a minimum and delete all the unknown groups from the membership lists without
modifying access to resources for the Examsheets.net forest users, you should verify all
remaining trust relationships and then delete the unknown accounts from the domain local
groups.
Incorrect answers:
A: Creating new domain local groups and adding only the required Examsheets.net forest global
group to the domain local group will not reveal where unknown accounts are located. It could well
be that amongst the required global Examsheets.net forest group there are unknown accounts.
B: This option suggests too much administrative effort to complete the task. And it will also result
in modifying access to resources for the Examsheets.net forest users.
D: How would you know which are all the affected groups without verifying the trust relationships
first.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4: 70
Question: 103
You are the Network administrator for Examsheets. The network consists of a single Active
Directory domain named examsheets.net. All domain controllers run Windows Server 2003. The
user accounts for the processing department are located in an Organizational Unit (OU) named
processing. You need to deploy an application to all users in the processing department. You
create a Group Policy Object (GPO) and link it to the processing OU. You place the .msi file for
the application in a shared folder on the network. You configure the User Configuration section of
the GPO to deploy the application. You need to ensure that the application is immediately ready
for use when a user logs on to a client computer. You also need to prevent any user from
continuing to use the application if the user’s user account is moved to another OU. What should
you do?
Answer:
Select the following check boxes:
1. Assigned.
2. Uninstall this application when it falls out of the scope of management.
3. Install this application at logon.
4. Basic.
Explanation:
We need to assign the application to the users and select the “Install this application at logon”
option to ensure that the application is immediately ready for use when a user logs on to a client
computer. To prevent any user from continuing to use the application if the user’s user account is
moved to another OU, we need to select the “Uninstall this application when it falls out of the
scope of management” option. The “Basic” option ensures that the application installs with
minimal (or no) user intervention.
Reference:
Jill Spealman, Kurt Hudson, and Melissa Craft; MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure. Microsoft Press, Redmond, Washington, 2004, p. 12: 24
Question: 104
You are the network administrator for Examsheets.net. The network consists of a single Active
Directory forest that contains one forest root domain named Examsheets.net and two child
domains named europe.Examsheets.net and usa.Examsheets.net. The functional level of the
forest is Windows 2000 native. The Examsheets.net domain contains a Windows 2000 Server
domain controller named Examsheets3 that is running Service Pack 4 or later. You take
Examsheets3 offline. You also remove all references to Examsheets3 from the Configuration
container in Active Directory.
Five days later, you upgrade all remaining domain controllers to Windows Server 2003. You then
raise the functional level of the forest to Windows Server 2003.
You need to integrate Examsheets3 into the new Active Directory infrastructure. You want
Examsheets3 to be an additional domain controller of the europe.Examsheets.net domain.
What should you do?
A. Upgrade Examsheets3 to Windows Server 2003. Add the computer account for Examsheets3
into the Computers container of the europe.Examsheets.net domain.
B. Demote Examsheets3 to a Windows 2000 member server by running the dcpromo
/forceremoval command. Upgrade Examsheets3 to a Windows Server 2003 member server.
Run the dcpromo command to promote Examsheets3 to be an additional domain controller of
the europe.Examsheets.net domain.
C. Demote Examsheets3 to a Windows 2000 member server by running the dcpromo
/forceremoval command. Add the computer account for Examsheets3 into the Domain
Controllers organizational unit (OU) of the europe.Examsheets.net domain.
D. Upgrade Examsheets3 to Windows Server 2003. Add the computer account for Examsheets3
into the Domain Controllers organizational unit (OU) of the europe.Examsheets.net domain.
Answer: B
Explanation:
Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows
2000 domain controller to the forest. We would need to upgrade the Windows 2000 domain
controller to Windows Server 2003. However, we must first demote the Windows 2000 domain
controller and then upgrade it to Windows Server 2003. Add it to the network and then promote it.
Incorrect Answers:
A, D: If we upgrade the Windows 2000 domain controller to Windows Server 2003 while it is
disconnected from the network, the upgraded computer will assume that it is the first domain
controller for the domain. It will then hold the RID, Global Catalog and Schema Master roles. This
will cause a conflict when we eventually add the domain controller to the network.
C: Once the forest functional level is raised to Windows Server 2003, you cannot add a Windows
2000 server to the forest.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-24 to 4-37.
Question: 105
You are a network administrator for Examsheets.net. The network consists of a single Active
Directory forest that contains 30 domains. Examsheets has 400 offices. The network contains
150,000 user objects. All servers run Windows Server 2003.
You are responsible for administering the marketing department, which has offices in North
America and Europe, as shown in the work area. Offices in Toronto, Chicago, and New York are
part of the america.Examsheets.net domain. Offices in Paris, Bonn, and Rome are part of the
europe.Examsheets.net domain. The number of users in each office is shown in the following
table.
Office      Number of users
Toronto     750
Chicago     20
New York    650
Paris       650
Bonn        10
Rome        15
Users in the Bonn, New York, and Toronto offices require access to a directory-enabled
application that stores configuration information in the global catalog.
You need to plan the placement of domain controllers for the network. You need to ensure that
each user can log on without using cached credentials and that users have access to the
application if a WAN connection fails. You need to achieve this goal while minimizing the increase
in WAN traffic.
What should you do?
To answer, drag the appropriate domain controller configuration or configurations to the correct
location or locations in the work area.
Answer:
Explanation:
Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects
in the forest, to let users search for directory information across all the domains in the forest. The
GC helps in keeping a list of every object without holding all the details of those objects; this
optimizes network traffic while still providing maximum accessibility.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, p. 540.
Question: 106
You are a network administrator for Examsheets.net. The network consists of two Active
Directory domains with three sites. All servers run Windows Server 2003. Examsheets has offices
in three cities and each office is configured as a separate site. The network configuration is
shown in the exhibit.
The company has 1,750 users in the Paris office, 1,750 users in the Rome office, and 25 users in
the Bonn office. Global catalog servers are configured in each site. Automatic site link bridging is
disabled.
A written company policy requires that no WAN connection exceed 70 percent peak utilization.
You examine the WAN connection between the Rome and Paris offices and discover that the
utilization reaches 95 percent during Active Directory replication.
You need to reduce the WAN traffic associated with the Active Directory replication on the
connection between the Rome and Paris offices. You need to ensure that users in the Rome
office can log on to the domain if a WAN connection fails.
What should you do?
A. Decrease the replication interval on the site link connecting the Paris and Rome sites.
B. Remove the global catalog server from the Rome office.
C. Enable universal group membership caching in the Rome site.
D. Enable slow link detection in the Default Domain Policy Group Policy object (GPO) in the
rome.Examsheets.net domain.
E. Configure a site link bridge between the site link that connects the Rome and Paris sites and
the site link that connects the Paris and Bonn sites.
Answer: B
Explanation:
The Global Catalog (GC) contains a full replica of all Active Directory objects in its host domain
plus a partial replica of all directory objects in every domain in the forest. A GC contains
information about all objects in all domains in the forest, so finding information in the directory
does not require unnecessary queries across domains. A single query to the GC produces the
information about where the object can be found. It provides information about objects that are
located in other domains in the forest. Universal group membership caching allows a site that
does not contain a global catalog server to be configured to cache universal group memberships
for users who log on to the domain controller in the site. This ability allows a domain controller to
process user logon requests without contacting a global catalog server when a global catalog
server is unavailable. The cache is refreshed periodically as determined in the replication
schedule.
Incorrect answers:
A: Reducing the replication interval will reduce the amount of data that must be replicated at a
time. However, this is not what will ensure that users in the Rome office can log on to the domain
in case of WAN connection failure.
D, E: Enabling slow link detection or configuring a site link bridge will not reduce the amount of
data that must be replicated at a time.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 5-25 to 5-35, 5-59 to 5-68.
Question: 107
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All servers run Windows Server 2003.
All production servers are located in an organizational unit (OU) named Servers. You maintain a
lab that contains test servers. All test servers are located in an OU named Test Servers. You are
planning to deploy critical Windows updates to all servers in the Server OU by using Software
Update Services (SUS), which is hosted on two dedicated SUS servers named Examsheets1 and
Examsheets2. Examsheets1 and Examsheets2 are located in an OU named SUS servers. You
synchronize Examsheets1 to download from the Microsoft Windows Update servers. You
approve the relevant updates for your servers on Examsheets1.
You need to minimize the impact of applying the critical updates to the production servers.
Which two actions should you take? (Each correct answer presents part of the solution. Choose
two)
A. Create a Group Policy Object (GPO) to configure computers to download and install critical
updates from Examsheets1, and link it to the Test Servers OU. Create a second GPO to
configure computers to download and install critical updates from Examsheets2, and link it to
the Servers OU.
B. Configure Examsheets2 to automatically download approved and tested updates from
Examsheets1.
C. Configure Examsheets2 to manually download approved and tested updates from
Examsheets1.
D. Create a Group Policy Object (GPO) to configure computers to download and install critical
updates from Examsheets1, and link it to the Servers OU. Create a second GPO to configure
computers to download and install critical updates from Examsheets2, and link it to the Test
Servers OU.
Answer: A C
Explanation:
SUS works by retrieving updates from Microsoft and storing these updates on a server that has
the SUS tool installed. Clients then can be configured to connect to SUS and retrieve approved
hotfixes and patches from the SUS server. Since the question mentions that Examsheets1 is
synchronized to download from the Microsoft Windows Update servers and that you approve the
relevant updates for your servers on Examsheets1, you should create a GPO to configure
computers to download and install critical updates from Examsheets1, and link this GPO to the
Test Servers OU, since all test servers are located in that OU. After that you should create
another GPO to configure computers to download approved critical updates from Examsheets2
(which will then have the approved, tested updates) and link this GPO to the Servers OU. To
minimize the impact these critical updates may have on applications, Examsheets2 should be
configured to manually download approved and tested updates.
Incorrect Answers:
B: If Examsheets2 automatically downloads approved and tested updates from Examsheets1, you
risk production servers having to be restarted for the updates to take effect. This hardly
minimizes the impact of applying critical updates to the production servers.
D: The GPO pointing at Examsheets1 must first be linked to the Test Servers OU so that the
updates can be tested in the lab containing the test servers.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, pp. 830, 837-839.
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, Chapter 13.
Question: 108
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All domain controllers run Windows Server 2003. All client
computers run Windows XP Professional.
Examsheets has legacy applications that run on UNIX servers. The legacy applications use the
LDAP protocol to query Active Directory for employee information. The domain controllers are
currently configured with the default security settings. You need to configure enhanced security
for the domain controllers. In particular, you want to configure stronger password settings, audit
settings, and lockout settings. You want to minimize interference with the proper functioning of
the legacy applications. You decide to use the predefined security templates. You need to choose
the appropriate predefined security template to apply to the domain controllers.
What should you do?
A. Apply the Setup security.inf template to the domain controllers.
B. Apply the DC security.inf template to the domain controllers.
C. Apply the Securedc.inf template to the domain controllers.
D. Apply the Rootsec.inf template to the domain controllers.
Answer: C
Explanation:
Securedc.inf
This template contains policy settings that increase the security on a domain controller to a level
that remains compatible with most functions and applications. The template includes more
stringent account policies, enhanced auditing policies and security options, and increased
restrictions for anonymous users and LanManager systems.
Incorrect Answers:
A: This template allows you to reapply the default security settings.
B: The DC security.inf template is available to undo security template policy settings.
D: Rootsec.inf contains only the default file system permissions for the system drive on a
computer running Windows Server 2003. You can use this template to restore the default
permissions to a system drive that you have changed, or to apply the system drive permissions to
the computer’s other drives.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington
98052-6399, Chapter 10.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296,
Microsoft Press, Redmond, Washington, 2004, Chapter 9
Question: 109
You are the network administrator for Examsheets. All Web servers on the network run Windows
Server 2003. The network also contains a Windows Server 2003 computer named Examsheets1.
Software Update Services (SUS) is installed on Examsheets1. You are testing the security
configuration of a Web server named Examsheets2. Examsheets2 is used on the Examsheets
intranet. Examsheets's written security policy prohibits the intranet servers from communicating
with Internet resources. You run the Microsoft Baseline Security Analyzer (MBSA) on
Examsheets2 and receive the results shown in the exhibit.
You need to run MBSA successfully.
What should you do?
A. Temporarily enable Examsheets2 to access the Internet, and run MBSA again.
B. Run the mbsacli.exe command, and run MBSA again.
C. Run MBSA again. Configure MBSA to use the SUS server.
D. Ensure that Windows Update is correctly configured on Examsheets2, and run MBSA again.
Answer: A
Explanation:
The exhibit shows that many of the scans could not be run, because the resources those scans
need are not available to Examsheets2, which is used on the intranet. For MBSA to run
successfully, Examsheets2 needs access to the Internet. You should therefore connect it to the
Internet only temporarily, while the scan is running, so that you do not violate the company's
written security policy.
Incorrect answers:
B: Running mbsacli.exe is the same as running MBSA, but from a command prompt. This will not
ensure that the scans will be successful.
C: Running MBSA using the SUS server means that Examsheets2 will have to access the
Internet on a permanent basis and this is again the company security policy.
D: It is not a matter of ensuring that Windows Update is correctly configured. Examsheets2
should connect to the Internet temporarily will allow scans to be run successfully without violating
the company security policy.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 833
Question: 110
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All servers run Windows Server 2003. You support 100 mobile
users who have portable computers that run Windows NT Workstation 4.0, Windows 98, Windows
2000 Professional, Windows XP Professional, or Windows Me. Examsheets' written security policy
requires that any remote access solution must provide both data integrity and data origin
authentication. Which three actions should you take? (Each correct answer presents part of the
solution. Choose three.)
A. Install certificates on all VPN client computers.
B. Install a certificate on the VPN server computer.
C. Implement L2TP-based connections on the Windows 2000 Professional computer and the
Windows XP Professional computers. Implement PPTP-based connections on all other
portable computers.
D. Install the L2TP/IPsec VPN client on the portable computers that run Windows NT Workstation
4.0 or earlier. Implement L2TP-based connections on all portable computers.
E. Install the L2TP/IPsec VPN client on the portable computers that run Windows NT Workstation
4.0 or earlier. Implement PPTP-based connections on all portable computers.
Answer: A B D
Explanation:
The security of a VPN depends on the tunneling and authentication protocols you use and on the
level of encryption applied to the connection. The policy requires data integrity and data origin
authentication. PPTP provides encryption (MPPE) only, so it cannot meet the policy; L2TP/IPSec
does, because IPSec ESP carries a keyed integrity check over every packet. For the highest level
of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec
authentication and Triple-DES for encryption. That requires a computer certificate on the VPN
server (B) and on every client (A), because the IPSec security association is authenticated with
certificates before the L2TP tunnel and the user logon are negotiated. If you decide to use a
PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) as the
authentication protocol; that choice does not satisfy this policy.
IPSec is not built into the legacy clients, but Microsoft provides a VPN client for them (D):
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98,
Windows Millennium Edition (Me), or Windows NT® Workstation 4.0 to use Layer Two Tunneling
Protocol (L2TP) connections with Internet Protocol security (IPSec). It requires:
• Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up
Networking version 1.4 upgrade.
• Windows Me with the Virtual Private Networking communications component and Microsoft
Internet Explorer 5.5 (or later).
• Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling
Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later).
Incorrect answers:
C: Running PPTP on the Windows 98, Windows Me and Windows NT Workstation 4.0 portable
computers would leave those users without data integrity and data origin authentication.
E: Installing the client is right, but PPTP-based connections on all portable computers discard
the benefit: PPTP does not meet the policy for any of the clients.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p.
307
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Question: 111
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All servers run Windows Server 2003. All servers are
manually configured with static IP addresses. All client computers run Windows XP Professional.
All client computers receive their TCP/IP configuration information from a DHCP server.
Examsheets' network consists of two subnets: 172.30.22.0/24 and 172.30.23.0/24. The research
department uses the 172.30.23.0/24 subnet exclusively. All computers that belong to the other
departments are located on the 172.30.22.0/24 subnet. You deploy a server named Examsheets1
to the research department. Examsheets1 was formerly used in a test lab environment. You
change the TCP/IP configuration of Examsheets1 to allow it to communicate on the company
network. Later, users from other departments report that when they attempt to connect to
Examsheets1, the connection times out. You run the route print command on Examsheets1 and
view the output shown in the exhibit.
You need to ensure that users can connect to Examsheets1. Which command should you run on
Examsheets1?
A. route delete 172.30.22.0 mask 255.255.255.0 192.168.17.100
B. route delete 172.30.23.0 mask 255.255.255.0 172.30.23.19
C. route change 172.30.22.0 mask 255.255.255.0 192.168.17.100 2 IF 1
D. route change 172.30.23.0 mask 255.255.255.0 172.30.23.19 E IF 1
Answer: A
Explanation:
When a route in the table matches a packet, the gateway value is the next hop the packet is
handed to, and that gateway must be directly reachable on the interface the route names.
Examsheets1 still carries a route from its test-lab configuration that sends traffic for
172.30.22.0/24 to 192.168.17.100. That address is not on the 172.30.23.0/24 subnet, so
Examsheets1 cannot deliver its replies to the other departments' clients and their connections
time out. Deleting the stale route lets those replies follow the default gateway, which routes
between the two subnets.
Incorrect answers:
B: 172.30.23.0/24 via 172.30.23.19 is the directly connected route for the research subnet (the
gateway is Examsheets1's own address). Deleting it breaks Examsheets1's local connectivity.
C: Keeping the route and only changing its metric and interface still hands the packets to
192.168.17.100, which remains unreachable.
D: Metrics are numeric; "E" is not a valid value and the command fails.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft
Press, Redmond, 2003, Part 1, Chapter 15, p. 9:27
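The check behind answer A can be automated. The Python script below is an added example written for this guide; it is not from Microsoft or from the referenced books. It parses the Active Routes table of pre-Vista route print output, works out which subnets are directly connected (gateway equals the interface address), and flags every remaining route whose gateway is not on one of them. The route table in the script is constructed to match the scenario, since the real exhibit is not reproduced here.

```python
"""Flag routes in Windows `route print` output whose gateway is not on any
directly connected subnet.  Added example for this guide, not Microsoft code."""
import ipaddress
import re

# Constructed sample modelled on the scenario; the real exhibit is not shown.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.30.23.1    172.30.23.19     20
        127.0.0.0        255.0.0.0       127.0.0.1       127.0.0.1      1
      172.30.22.0    255.255.255.0  192.168.17.100    172.30.23.19      1
      172.30.23.0    255.255.255.0    172.30.23.19    172.30.23.19     20
     172.30.23.19  255.255.255.255       127.0.0.1       127.0.0.1     20
   172.30.255.255  255.255.255.255    172.30.23.19    172.30.23.19     20
        224.0.0.0        240.0.0.0    172.30.23.19    172.30.23.19     20
  255.255.255.255  255.255.255.255    172.30.23.19    172.30.23.19      1
Default Gateway:       172.30.23.1
===========================================================================
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples.
    A route row is exactly five fields, the first four of them IPv4 addresses."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and all(IPV4.match(f) for f in fields[:4]):
            routes.append((fields[0], fields[1], fields[2], fields[3], int(fields[4])))
    return routes


def connected_subnets(routes):
    """Subnets directly attached to a local interface: pre-Vista Windows shows
    the interface's own address as the gateway, and the mask is not a host mask."""
    nets = []
    for dest, mask, gw, ifc, _ in routes:
        if gw == ifc and mask != "255.255.255.255":
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            if ipaddress.IPv4Address(ifc) in net:
                nets.append(net)
    return nets


def stale_routes(text):
    """Routes whose next hop is on no connected subnet: traffic matching them
    can never be delivered, which is the symptom in the question."""
    routes = parse_routes(text)
    nets = connected_subnets(routes)
    bad = []
    for dest, mask, gw, ifc, _ in routes:
        if gw == ifc:
            continue  # on-link route, the gateway is the interface itself
        if not any(ipaddress.IPv4Address(gw) in n for n in nets):
            bad.append((dest, mask, gw))
    return bad


def fix_commands(text):
    """The route delete command for each stale route (compare with answer A)."""
    return [f"route delete {d} mask {m} {g}" for d, m, g in stale_routes(text)]


if __name__ == "__main__":
    for cmd in fix_commands(SAMPLE_ROUTE_PRINT):
        print(cmd)
```

Feed it the saved output of route print from the server you are checking (`route print > routes.txt`); the script only recognises the pre-Vista column layout used by Windows Server 2003.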
Question: 112
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All servers run Windows Server 2003. Examsheets has a
main office and a branch office. Both offices are connected to the Internet by Network Address
Translation (NAT) firewalls and T1 connections to the company's ISP. Each firewall is configured
with a perimeter network. Examsheets uses a public key infrastructure (PKI) for both internal and
external authentication. Examsheets needs to connect the main office to the branch office by
using the existing Internet connections. Examsheets' written security policy includes the following
requirements:
• All Internet communications must use the PKI for all authentication and data encryption.
• All servers that are required to communicate to or by means of the Internet must be located in
a firewall perimeter network.
You need to connect the main office to the branch office. You need to comply with the written
security policy. You install Routing and Remote Access servers in the perimeter network at each
office. What else should you do?
A. Configure persistent, two-way initiated PPTP connections with EAP-TLS user authentication.
B. Configure persistent, two-way initiated PPTP connections with MS-CHAP v2 user
authentication.
C. Configure persistent, two-way initiated L2TP/IPSec connections with MS-CHAP v2 user
authentication.
D. Configure persistent, two-way initiated L2TP/IPsec connections with EAP-TLS user and
computer authentication.
Answer: D
Explanation:
Layer 2 Tunneling Protocol (L2TP)
A protocol used to establish virtual private network connections across the Internet. On its own
L2TP provides no protection; in L2TP/IPSec the L2TP tunnel is carried inside IPSec, and the
IPSec security association is authenticated with computer certificates.
Extensible Authentication Protocol–Transport Layer Security (EAP-TLS)
Required to authenticate remote access users with smart cards or other certificate-based
mechanisms. Networks that use EAP-TLS typically have a public key infrastructure (PKI) in place
and use certificates, stored on the computer or on smart cards, for authentication.
Virtual private network (VPN)
A technique for connecting to a network at a remote location using the Internet as the network
medium. A user can dial in to a local Internet service provider (ISP) and connect through the
Internet to a private network at a distant location, using a protocol such as the Point-to-Point
Tunneling Protocol (PPTP) to protect the private traffic. For L2TP/IPSec connections, L2TP
provides the VPN tunnel and the Encapsulating Security Payload (ESP) protocol, itself a part of
IPSec, provides data encryption and integrity.
Only option D uses the PKI for every authentication step: computer certificates authenticate the
two Routing and Remote Access servers to each other at the IPSec layer, and EAP-TLS
certificates authenticate the user account with which the demand-dial interfaces log on.
Incorrect Answers:
A, B: Although PPTP-based VPN connections do provide data confidentiality (captured packets
cannot be interpreted without the encryption key), they do not provide data integrity (proof that the
data was not modified in transit) or data origin authentication (proof that the data was sent by the
authorized user).
C: Windows Server 2003 does support MS-CHAP v2, but it is a password-based authentication
method. The policy requires the PKI for all authentication, so user authentication must be
EAP-TLS.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington
98052-6399, Chapter 5.
J. C. Mackin, Ian McLean; MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, pp. 10-56
to10-59.
Question: 113
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All servers run Windows Server 2003. All client computers run
Windows XP Professional. The audit department has servers that contain highly confidential files.
The files are accessed over the LAN by the audit department client computers. The audit
department client computers have slow processors. The network design requires that the network
transmissions between the audit department servers and client computers be confidential and
that any changes to the data in transit must be detectable. You create a custom IPSec filter
action. You need to select the security method settings. You need to ensure that you minimize
the performance impact on the audit department client computers.
What should you do?
A. Select MD5 as the integrity algorithm and DES as the encryption algorithm.
B. Select SHA1 as the integrity algorithm and DES as the encryption algorithm.
C. Select SHA1 as the integrity algorithm and 3DES as the encryption algorithm.
D. Select MD5 as the integrity algorithm and 3DES as the encryption algorithm.
Answer: A
Explanation:
The custom filter action has to negotiate ESP with both an integrity algorithm (a keyed hash over
each packet, so that any modification in transit is detected) and an encryption algorithm (so that
the data is confidential). Windows Server 2003 IPSec offers MD5 or SHA1 for integrity and DES
or 3DES for encryption.
MD5 is an industry-standard one-way, 128-bit hashing scheme developed by RSA Data Security,
Inc.; IPSec uses it as HMAC-MD5 to compute the integrity check value carried in each packet. A
hashing scheme transforms data in such a way that the result cannot be turned back into the
original, so any change to the packet produces a different value. (The Challenge Handshake
Authentication Protocol (CHAP) uses the same one-way MD5 hashing in its challenge response, so
that you can prove to the server that you know your password without sending it over the
network.) SHA1 produces a 160-bit digest and costs more processor time per packet.
DES (Data Encryption Standard) is the 56-bit block cipher used for encrypting IPSec traffic,
including L2TP/IPSec connections. 3DES applies DES three times with a 168-bit key and therefore
costs roughly three times the processor time of DES.
Because the requirement is to minimise the impact on the slow client processors while still
providing confidentiality and integrity, MD5 with DES is the cheapest combination that meets
both requirements. Outside the constraints of this question, note that 56-bit DES is brute-forceable
and MD5 is considered weak; where the hardware allows, SHA1 and 3DES are the better choice.
Incorrect Answers:
B, C, D: Each of these substitutes SHA1 or 3DES (or both) and so requires more processor time
on the client computers.
Reference:
J. C. Mackin and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft
Press, Redmond, Washington, 98052-6399, Glossary.
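What the integrity algorithm actually buys is easiest to see on the wire. The Python block below is an added example for this guide, not Microsoft code: it builds the 96-bit integrity check value (ICV) that IPSec computes with HMAC-MD5-96 or HMAC-SHA1-96 (RFC 2403 and RFC 2404 truncate the HMAC to its first 96 bits), verifies it in constant time, and shows that a single flipped bit in the payload is rejected. The key and payload are constructed; encryption is left out because the point here is the integrity check.

```python
"""IPSec-style integrity check value (ICV): HMAC-MD5-96 / HMAC-SHA1-96.
Added example for this guide; the key and payload below are constructed."""
import hashlib
import hmac

ICV_LEN = 12  # 96 bits: both HMAC-MD5-96 and HMAC-SHA1-96 keep the first 12 bytes

# The two integrity algorithms a Windows Server 2003 IPSec filter action offers.
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def compute_icv(key: bytes, packet: bytes, algorithm: str) -> bytes:
    """Keyed hash over the protected packet, truncated as the IPSec RFCs specify."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported integrity algorithm: {algorithm}")
    return hmac.new(key, packet, ALGORITHMS[algorithm]).digest()[:ICV_LEN]


def verify_icv(key: bytes, packet: bytes, icv: bytes, algorithm: str) -> bool:
    """Constant-time comparison; False means the packet or the ICV changed in transit."""
    return hmac.compare_digest(compute_icv(key, packet, algorithm), icv)


def protect(key: bytes, payload: bytes, algorithm: str) -> bytes:
    """Sender side: payload || ICV, as ESP appends the ICV after the protected data."""
    return payload + compute_icv(key, payload, algorithm)


def receive(key: bytes, wire: bytes, algorithm: str):
    """Receiver side: split off the ICV and return the payload only if it verifies,
    otherwise None (IPSec silently drops the packet and counts the failure)."""
    if len(wire) < ICV_LEN:
        return None
    payload, icv = wire[:-ICV_LEN], wire[-ICV_LEN:]
    return payload if verify_icv(key, payload, icv, algorithm) else None


def demo(algorithm: str = "md5"):
    """Round-trip a packet intact, then with one payload bit flipped in transit."""
    key = bytes(range(16))                           # constructed SA key
    payload = b"ledger-2004q3.xls: balance=1234567"  # constructed audit data
    wire = protect(key, payload, algorithm)
    tampered = bytearray(wire)
    tampered[-ICV_LEN - 1] ^= 0x01                   # last payload byte, before the ICV
    return (receive(key, wire, algorithm) == payload,
            receive(key, bytes(tampered), algorithm))


if __name__ == "__main__":
    for alg in ALGORITHMS:
        intact_ok, tampered_result = demo(alg)
        print(f"{alg}: intact accepted={intact_ok}, tampered result={tampered_result}")
```

The truncation to 96 bits is part of the protocol, not a shortcut: the receiver compares only 12 bytes per packet, which keeps the per-packet cost down, and with HMAC the truncated tag is still not forgeable without the key. The known collision attacks on plain MD5 do not directly break HMAC-MD5, which is why the question can still treat it as the cheaper integrity option; SHA1 is nevertheless the safer default when the client hardware can afford it.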
Question: 114
You are the network administrator for Examsheets. The network contains Windows 98, Windows NT
Workstation 4.0, and Windows XP Professional client computers. All computers run the latest
service pack. The network contains a Windows Server 2003 file server named Examsheets1.
Examsheets written security policy requires that data communications must be encrypted by
using IPSec whenever possible. Other than the default GPOs, there are no additional Group
Policy objects (GPOs) within Active Directory or any local GPOs applied to the computers in the
domain. You need to configure Examsheets1 so that it meets the written security policy
requirements without disabling access for any client computer. You also want to minimize session
key negotiation times.
What should you do? To answer, configure the appropriate option or options in the dialog box.
Answer: Select the “Allow unsecured communication with non-IPSec aware computers”
checkbox.
Explanation:
The Allow Unsecured Communication With Non-IPSec-Aware Computers checkbox configures
the action to allow any computer—IPSec capable or not—to communicate. Any machine that
can’t handle IPSec will get a normal, insecure connection. By default, this box isn’t checked; if
you check it, you must be certain that your IPSec policies are set up properly. If they’re not, some
computers that you think are using IPSec may connect without security.
Reference:
James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003
Network Infrastructure Implementation, Management, and Maintenance Study Guide, SYBEX
Inc., Chapter 4, pp. 195.
Question: 115
You are the system engineer for Examsheets. The network consists of a single Active Directory
domain ExamSheets.net. All servers run Windows Server 2003. All client computers run Windows
XP Professional. The servers on the network are all located in a central data center building,
which is located on the company campus. All servers have the Recovery Console installed and
support firmware-based console redirection by means of installed service processors. All servers
are located in a physically secured room. IT department personnel can access this room for the
purpose of installing or maintaining hardware. All IT department personnel are members of the
Domain Admins security group. Examsheets adopts a new remote administration policy, which
includes the following requirements:
• All in-bound management of servers on the network must be performed remotely.
• All remote administration connections made to any server must be authenticated by using the
Kerberos version 5 protocol and must be logged in the Security event log.
• All remote administration connections must be encrypted.
• The new remote administration configuration must not adversely affect normal network
connectivity for users or cause any disruption in network services. The new remote administration
policy applies to all servers, including domain controllers, file and print servers, and application
servers. You need to plan a remote administration strategy for all servers on the network that
complies with the new policy.
What should you do?
A. On each server, enable Emergency Management Services.
B. On each server, enable Remote Desktop connections.
C. On each server, enable the Telnet service with the Automatic startup parameter. Enable the
Secure Server (Require Security) IPSec policy in the Default Domain Policy Group Policy
object (GPO).
D. Install IIS on each server. Select the Remote Administration (HTML) check box in the
properties for the World Wide Web Service. On each server, configure IP packets filters to
accept only SSL connections.
Answer: B
Explanation:
Remote Desktop Connection is the client-side software used to connect to a server in the context
of either Remote Desktop or Terminal Server mode. Remote Desktop meets each requirement of
the policy: the session is an interactive logon to the server, so a domain account is authenticated
by the Kerberos version 5 protocol and the logon is recorded in the server's Security event log;
the RDP session itself is encrypted (128-bit with the current client, which also allows an alternate
port); and enabling it only adds a listener on TCP port 3389, so it does not disturb normal
network connectivity or any network service.
Incorrect answers:
A: Emergency Management Services (EMS) provides out-of-band management over the serial
port or service processor for use when the network or the operating system has failed; the policy
requires in-band remote administration.
C: Telnet does not authenticate with Kerberos, and applying the Secure Server (Require Security)
IPSec policy to the whole domain breaks communication with any computer that cannot negotiate
IPSec, disrupting network services.
D: Remote Administration (HTML) authenticates over SSL rather than Kerberos, and installing IIS
on every server, including the domain controllers, adds unnecessary attack surface.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 803
Question: 116
You are the systems engineer for Examsheets. The network consists of three physical networks
connected by hardware-based routers. The network consists of a single Active Directory domain
ExamSheets.net. All servers run Windows Server 2003. All client computers run Windows XP
Professional. Each physical network contains at least one domain controller and at least one DNS
server. One physical network contains a Microsoft Internet Security and Acceleration (ISA) Server
array that provides Internet access for the entire company. The network also contains a certificate
server. Examsheets management wants to ensure that all data is encrypted on the network and
that all computers transmitting data on the network are authenticated. You decide to implement
IPSec on all computers on the network. You edit the Default Domain Policy Group Policy object
(GPO) to apply to Secure Server (Require Security) IPSec policy. Users immediately report that
they cannot access resources located in remote networks. You investigate and discover that all
packets are being dropped by the routers. You also discover that Active Directory replication is
not functioning between domain controllers in different networks. You need to revise your design
and implementation to allow computers to communicate across the entire network. You also need
to ensure that the authentication keys are stored encrypted. Which two actions should you take?
(Each correct answer presents part of the solution. Choose two)
A. Configure the routers to use IPSec and a preshared key for authentication.
B. Configure the routers to use IPSec and a certificate for authentication.
C. Configure the routers to use IPSec and Kerberos for authentication.
D. Reconfigure the GPOs to require a preshared key for IPSec authentication.
E. Reconfigure the GPOs to require a certificate for IPSec authentication.
Answer: B E
Explanation:
IPSec allows data to be encrypted across the network. The hardware routers are not domain
members, so the Kerberos authentication that the Secure Server policy uses by default cannot
authenticate them; the design must use an authentication method that both the Windows
computers and the routers support and whose credentials are stored securely. Certificates satisfy
both conditions.
Certificates are digital documents that are commonly used for authentication and to secure
information on open networks. A certificate securely binds a public key to the entity that holds the
corresponding private key. Certificates are digitally signed by the issuing certificate authority
(CA), and they can be issued for a user, a computer, or a service. The private key never leaves
the computer, so nothing that could be reused to authenticate is stored in the policy.
Group policies are used in Active Directory to configure auto-enrollment. In Computer
Configuration | Windows Settings | Security Settings | Public Key Policies, there is a policy
entitled Automatic Certificate Request Settings; its property sheet lets you enroll the computers
for certificates automatically. You also need to ensure that the Enroll subject option is selected on
the Request Handling tab of the certificate template property sheet without requiring any user
input, so that the computers obtain certificates without anyone logging on.
Incorrect Answers:
A, D: A preshared key is stored in plaintext in the IPSec policy in Active Directory and on each
router, and anyone who can read it can authenticate to every peer. This fails the requirement
that the authentication keys be stored encrypted.
C: The Kerberos authentication mechanism relies on a key distribution center (KDC) that issues
tickets to domain members; the hardware routers are not domain members and cannot use it.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder , and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, pp. 763.
Question: 117
You are a network administrator for ExamSheets.net. The network consists of two Active
Directory domains. You are responsible for administering one domain, which contains users who
work in the sales department. User objects for the users in the sales department are stored in an
organizational unit (OU) named ExamsheetsStaff in your domain. Users in the sales department
use a public key infrastructure (PKI) enabled application that requires users to present client
authentication certificates before they are granted access. You install Certificate Services on two
member servers running Windows Server 2003. You configure one server as an enterprise
subordinate certification authority (CA) and the other server as a stand-alone root CA. You need
to issue certificates that support client authentication to sales users only. You need to achieve
this goal by using the minimum amount of administrative effort.
What should you do?
A. Create a duplicate of the User certificate template and configure it to support autoenrollment.
Configure the enterprise subordinate CA to issue certificates based on the template. Configure
the Default Domain Policy Group Policy object (GPO) to autoenroll users for certificates.
B. Create a duplicate of the Computer certificate template and configure it to support
autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the
template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll
computers for certificates.
C. Create a duplicate of the User certificate template and configure it to support autoenrollment.
Configure the enterprise subordinate CA to issue certificates based on the template. Create a
new Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to autoenroll
sales users for certificates.
D. Create a duplicate of the Computer certificate template and configure it to support
autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the
template. Create a new Group Policy (GPO) and link it to the Sales OU. Configure the GPO to
autoenroll sales client computers for certificates.
Answer: C
Explanation:
The first step in the creation process is to duplicate an existing template; the User template
already carries the Client Authentication purpose. For a user to request a certificate, the user
must have the Enroll permission for manual requests and the Autoenroll permission for automatic
requests. Autoenrollment enables the request and issuance of certificates to proceed without user
intervention. Creating a new GPO that holds the autoenrollment setting and linking it to the OU
that contains the sales users applies the setting to those users only, so certificates are issued to
the sales users alone with the least administrative effort.
Incorrect Answers:
A, B: The Default Domain Policy GPO is linked to the domain, so its settings apply to every user
(or computer) in the domain; autoenrolling from it would issue certificates to users outside the
sales department.
B, D: The application requires users to present client authentication certificates, so the
certificates must be issued to the sales users, not to their computers; a duplicate of the Computer
template is the wrong starting point.
Reference:
Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server
2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Chapter 12
Question: 118
You are the security analyst for Examsheets. The network consists of a single Active Directory
domain ExamSheets.net. All servers run Windows Server 2003. All client computers run Windows
XP Professional. The perimeter network contains an application server, which is accessible to
external users. You view the logs on your intrusion-detection system (IDS) and on the router and
discover that very large numbers of TCP SYN packets are being sent to the application server.
The application server is responding with SYN-ACK packets to several different IP addresses, but
it is not receiving ACK responses. You note that all incoming SYN packets appear to be
originating from IP addresses located within the perimeter network’s subnet address range. No
computers in your perimeter network are configured with these IP addresses. The router logs
show that these packets are originating from locations on the Internet. You need to prevent this
type of attack from occurring until a patch is made available from the application vendor. Because
of budget constraints, you cannot add any new hardware or software to the network. Your
solution cannot adversely affect legitimate traffic to the application server.
What should you do?
A. Relocate the application server to the company intranet. Configure the firewall to allow
inbound and outbound traffic on the ports and protocols used by the application.
B. Configure network ingress filters on the router to drop packets that have local addresses but
that appear to originate from outside the company network.
C. Create access control lists (ACLs) and packet filters on the router to allow perimeter network
access to only authorized users and to drop all other packets originating from the Internet.
D. Configure the IDS on the perimeter network with a response rule that sends a remote
shutdown command to the application server in the event of a similar denial-of-service attack.
Answer: B
Explanation:
The traffic is a SYN flood with spoofed source addresses: the attacker forges sources inside the
perimeter subnet so that the server's SYN-ACKs go to addresses that never answer, leaving
half-open connections behind. In an ideal world, each router would be configured with ingress
filters that drop packets arriving from outside whose source address belongs to the networks the
router itself serves. The majority of routers can be configured this way; backbone routers and
edge routers for complex topologies probably cannot. Such ingress filters should be required as
part of a "good neighbor policy". Ingress filters do not totally eliminate denial-of-service attacks,
but they greatly reduce spoofed ones, and an attacker who falls back to spoofing an address
within his own subnet can be traced back to that subnet. The filter only touches packets that
cannot be legitimate, so traffic to the application server is unaffected, and it needs no new
hardware or software.
Incorrect Answers:
A: Moving the server to the intranet does not stop spoofed SYNs; it only moves the target, and
opening the application's ports inbound through the firewall exposes the intranet as well.
C: Restricting perimeter access to authorized users would block the legitimate external users the
application serves, which the question forbids.
D: Shutting the application server down in response to an attack completes the denial of service
on the attacker's behalf.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter11, p. 783
http://securityresponse.symantec.com/avcenter/security/content/9011.html
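An ingress filter of the kind option B describes, as an added example for this guide (it is not from the referenced sources): the rule logic of RFC 2827 applied to a few constructed packet records. Packets entering on the Internet-facing interface are dropped if their source claims a perimeter, private or bogon address, and, as the matching egress rule, packets leaving towards the Internet are dropped unless their source is one of ours. The perimeter subnet 203.0.113.0/24, the interface names and the packets are assumptions; the question does not give the real addresses.

```python
"""Router ingress/egress anti-spoofing filter (RFC 2827 style).
Added example for this guide; subnets, interface names and packets are constructed."""
import ipaddress
from collections import Counter

# Assumption: the perimeter network uses this documentation range.
PERIMETER_NET = ipaddress.ip_network("203.0.113.0/24")
OUR_NETS = [PERIMETER_NET]

# Source ranges that must never arrive from the Internet: our own addresses,
# RFC 1918 space and a few well-known bogons.
NEVER_FROM_INTERNET = OUR_NETS + [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]

INTERNET_IFACE = "Serial0"     # assumption: the ISP-facing interface
PERIMETER_IFACE = "Ethernet0"  # assumption: the interface on the perimeter segment


def verdict(pkt):
    """Return ('permit' | 'drop', reason) for one packet record."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["in_iface"] == INTERNET_IFACE:
        # Ingress: nothing from the Internet may claim an inside or bogon source.
        for net in NEVER_FROM_INTERNET:
            if src in net:
                return "drop", f"ingress: spoofed source {src} in {net}"
    elif pkt["in_iface"] == PERIMETER_IFACE:
        # Egress: only our own addresses may leave, so we are never a spoofing source.
        if not any(src in net for net in OUR_NETS):
            return "drop", f"egress: source {src} is not ours"
    return "permit", ""


def run_filter(packets):
    """Apply verdict() to every packet; return (permitted, dropped) lists of
    (packet, reason) pairs."""
    permitted, dropped = [], []
    for pkt in packets:
        action, reason = verdict(pkt)
        (permitted if action == "permit" else dropped).append((pkt, reason))
    return permitted, dropped


def summary(packets):
    """Counts a practitioner would log: how much was dropped and why."""
    permitted, dropped = run_filter(packets)
    return {"permitted": len(permitted), "dropped": len(dropped),
            "by_reason": Counter(reason.split(":")[0] for _, reason in dropped)}


# Constructed packets modelled on the scenario: SYNs from the Internet claiming
# perimeter or private sources, one genuine external client, the server's reply
# to it, and one outbound packet with a source that is not ours.
SAMPLE_PACKETS = [
    {"in_iface": "Serial0",   "src": "203.0.113.77", "dst": "203.0.113.10", "flags": "S"},
    {"in_iface": "Serial0",   "src": "203.0.113.78", "dst": "203.0.113.10", "flags": "S"},
    {"in_iface": "Serial0",   "src": "10.1.1.1",     "dst": "203.0.113.10", "flags": "S"},
    {"in_iface": "Serial0",   "src": "198.51.100.5", "dst": "203.0.113.10", "flags": "S"},
    {"in_iface": "Ethernet0", "src": "203.0.113.10", "dst": "198.51.100.5", "flags": "SA"},
    {"in_iface": "Ethernet0", "src": "192.0.2.9",    "dst": "198.51.100.5", "flags": "S"},
]

if __name__ == "__main__":
    for pkt, reason in run_filter(SAMPLE_PACKETS)[1]:
        print("drop", pkt["in_iface"], pkt["src"], "->", pkt["dst"], reason)
    print(summary(SAMPLE_PACKETS))
```

On the router itself this becomes an inbound access list on the Internet-facing interface that denies the perimeter and private ranges as source and permits everything else, plus an outbound list on the same interface that permits only our source ranges. The filter decides purely on the (interface, source) pair, so it costs nothing per connection and cannot touch a correctly addressed packet from a genuine client.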
Question: 119
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The domain contains three Windows Server 2003 computers:
Examsheets1, Examsheets2, and Examsheets3.
You intend to use the three servers as certification authorities (CAs) for the following roles:
Server name      Role
Examsheets1      root CA
Examsheets2      subordinate CA
Examsheets3      subordinate CA
Examsheets2 will be used exclusively to issue enrollment agent certificates. Examsheets3 will be
used to issue all other certificate types needed in the domain. You plan to take Examsheets1
offline after the CA hierarchy is established. You want to minimize the possibility that
unauthorized certificates might get issued. You also want to be able to revoke certificates that are
issued by a subordinate CA if that server is compromised, without affecting the certificates that
are issued by the other subordinate CA. You need to design a CA hierarchy that meets the
requirements.
What should you do? To answer, drag the appropriate CAs to the correct locations in the work
area.
Answer: Examsheets1 is the root CA at the top of the hierarchy. Examsheets2 and Examsheets3
are both placed directly beneath Examsheets1 as subordinate CAs, each with its own CA
certificate issued by the root; neither subordinate is placed under the other.
Explanation:
If you shift the responsibility of issuing certificates to subordinate CAs, you can take the root CA
offline, meaning that you detach it from the network entirely. This provides a very high level of
security, because attackers have no way of getting to the machine. When a subordinate CA
requires a certificate from the root, you can either briefly connect the root CA to the network and
then remove it again, or you can literally use a floppy disk. Keeping the two subordinates as
siblings directly under the root means that if one of them is compromised, the root revokes only
that subordinate's CA certificate; certificates issued by the other subordinate chain to the root
independently and remain valid.
References:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, pp. 881.
Question: 120
You are the security analyst for Examsheets. Examsheets' written security policy does not
allow direct dial-in connections to the network. During a routine security audit, you discover a
Windows Server 2003 server named Examsheets1 that has a modem installed and is connected
to an outside analog phone line. You investigate and discover that Examsheets1 is also running
Routing and Remote Access and is used by the sales department. The modem supports the
caller ID service. This remote access connection is used by an application at a partner company
to upload product and inventory information to Examsheets1. Each day at midnight, the partner
application connects to Examsheets1 and uploads the information. The connection never lasts
longer than 30 minutes. The application is currently using the sales manager’s domain user
account to make the connection. The partner application does not support incoming connections.
The partner company has no plans to update this application to support your written security
policy, and the sales department requires this updated product and inventory information to be
available each morning. Examsheets management directs you to design a solution that provides
the highest level of security for this connection until a more secure solution can be developed by
the two companies. You need to design and implement a solution that will ensure that only the
partner’s application can connect to your network over the dial-up connection. Your solution must
prevent the connection from being used by unauthorized users, and it must allow only the
minimum amount of access to the network. Which two actions should you take? (Each correct
answer presents part of the solution. Choose two)
A. Create an account named PartnerDialup in the domain, and add this account to the Domain
Guests group. Grant this user account permissions for the folder to which the sales
information is uploaded. Direct the partner company to use this account for remote access.
B. Create a local account named PartnerDialup on Examsheets1, and add this account to the
local Users group. Grant this user account permission for the folder to which the sales
information is uploaded. Direct the partner company to use this account for remote access.
C. Configure a remote access policy on Examsheets1 that allows the connection for only the
specified user account between midnight and 1:00 A.M. Configure the policy to require
callback authentication to the partner company’s server.
D. Configure a remote access policy on Examsheets1 that allows the connection for only the
specified user account between midnight and 1:00 A.M. Configure the policy to allow only the
specific calling station identifier of the partner company’s computer.
Answer: B D
Explanation:
A local user account in Microsoft Windows Server 2003 is a user account provided in a domain
for a user whose global account is not in a trusted domain. A local account is not required where
trust relationships exist between domains.
IP address: a 32-bit address assigned to Transmission Control Protocol/Internet Protocol (TCP/IP)
client computers and other network equipment that uniquely identifies that device on the
network. For a computer to be accessible from the Internet, it must have an IP address containing
a network identifier registered with the Internet Assigned Numbers Authority (IANA).
Thus options B and D prevent the connection from being used by unauthorized users while
allowing only the minimum amount of access to the network.
Incorrect answers:
A: This option results in unnecessary exposure on the network by allowing more than the
minimum amount of access to the network.
C: There is no need to require callback authentication; doing so implies that more than the
minimum amount of access to the network must be allowed.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 9: 6
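An added example (not from the study guide or from Microsoft) that models how the policy chosen in options B and D is evaluated: the dedicated local account, the midnight-to-1:00 A.M. window and the Calling-Station-Id must all match before the connection is allowed. The phone numbers, dates, attempt records and function names are constructed for the example.

```python
from datetime import datetime, time

# Policy as chosen in options B and D. The account name is the one used in the
# question; the calling station identifier is a constructed placeholder.
POLICY = {
    "user": r"EXAMSHEETS1\PartnerDialup",       # local account on the RRAS server
    "window": (time(0, 0), time(1, 0)),          # midnight to 1:00 A.M., every day
    "calling_station_id": "5550100",             # caller ID of the partner's modem
}


def in_window(t, window):
    """True when clock time t falls in [start, end). Windows that cross midnight
    (for example 23:00 to 01:00) are handled as well, although the exam's
    window does not cross it."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(policy, attempt):
    """Evaluate one dial-in attempt against the policy.

    attempt has 'user', 'when' (a datetime) and 'calling_station_id' (None when
    the modem delivered no caller ID). Every condition must match; a missing
    caller ID is a deny because the identifier cannot be verified."""
    if attempt["user"].lower() != policy["user"].lower():
        return False, "account not permitted by this policy"
    if not in_window(attempt["when"].time(), policy["window"]):
        return False, "outside permitted day-and-time window"
    csid = attempt.get("calling_station_id")
    if csid is None:
        return False, "no calling station identifier delivered"
    if csid != policy["calling_station_id"]:
        return False, "calling station identifier does not match"
    return True, "all policy conditions matched"


# Constructed attempts, as the RRAS server on Examsheets1 might see them.
ATTEMPTS = [
    {"user": r"EXAMSHEETS1\PartnerDialup", "when": datetime(2004, 3, 2, 0, 5),
     "calling_station_id": "5550100"},             # the nightly partner upload
    {"user": r"EXAMSHEETS1\PartnerDialup", "when": datetime(2004, 3, 2, 2, 0),
     "calling_station_id": "5550100"},             # right account, wrong hour
    {"user": r"EXAMSHEETS1\PartnerDialup", "when": datetime(2004, 3, 2, 0, 20),
     "calling_station_id": "5559999"},             # right hour, unknown caller
    {"user": r"EXAMSHEETS\salesmgr", "when": datetime(2004, 3, 2, 0, 10),
     "calling_station_id": "5550100"},             # the old domain account
    {"user": r"EXAMSHEETS1\PartnerDialup", "when": datetime(2004, 3, 2, 0, 30),
     "calling_station_id": None},                  # caller ID not delivered
]


def audit(policy, attempts):
    """Return one (granted, reason) pair per attempt, in order."""
    return [evaluate(policy, a) for a in attempts]


if __name__ == "__main__":
    for a, (ok, why) in zip(ATTEMPTS, audit(POLICY, ATTEMPTS)):
        print(f"{a['when']:%a %H:%M} {a['user']:<28} "
              f"csid={a['calling_station_id']!s:<8} "
              f"{'ALLOW' if ok else 'DENY '} ({why})")
```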
Question: 121
You are a network administrator for ExamSheets.net. Examsheets participates in a joint venture
with Alpine Ski House. Each company's network consists of a single Active Directory forest. The
functional level of each forest is Windows 2003. Two-way forest trust relationships exist between
both companies. Each company maintains its own certification authority (CA). Users are required
to encrypt and digitally sign all e-mail messages relating to the joint venture that are sent between
the companies. Users in the ExamSheets.net domain report that when they open e-mail
messages sent by users in the alpineskihouse.com domain, they receive a security warning. The
warning indicates an error in the certificate used to sign the e-mail message. You examine several
e-mail messages and discover the error shown in the exhibit.
You need to ensure that users in the ExamSheets.net domain receive e-mail messages without
receiving any error messages. You need to accomplish this task by using the minimum amount of
administrative effort.
What should you do?
A. Add the computer account for the enterprise root CA in the alpineskihouse.com domain to the
Exam Publisher domain local group in the ExamSheets.net domain.
B. In the alpineskihouse.com domain, delegate the Allow – Read userCertificate permission for
contact objects to the Domain Users global group in the ExamSheets.net domain.
C. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the
enterprise root CA in the ExamSheets.net domain, import the enterprise root certificate from
the alpineskihouse.com domain.
D. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the
enterprise root CA in the ExamSheets.net domain, run the certutil command to publish the root
certificate to Active Directory.
Answer: C
Explanation:
An enterprise CA is tied into Active Directory (AD) and requires it. In fact, a copy of the CA's own
certificate is stored in Active Directory.
Users can import certificates into any one of the certificate categories found in the certificate
store. In the Certificates snap-in, right-click the certificate category to which you want to import
the certificate, point to All Tasks, and choose Import. Type the certificate filename, which should
have a standard certificate format extension (.PFX, .P12, .CER, .CRT, .P7B, .STL, .SPC, .CRL,
or .SST). For PKCS #12 files, which contain private keys as well as certificates, type the
password used to protect the file.
Exporting Certificates and Private Keys
The Export command in the Certificates snap-in provides two distinct functions. First, it allows a
certificate or certificate chain to be exported for the purpose of sharing it with users or computers
that do not have access to a certificate directory. Second, it allows the export of a certificate or
certificate chain along with the associated private key for cryptographic use on another machine.
You can export any type of certificate, including those of root CAs. Naturally, only certificates with
available private keys (that is, personal certificates) that are marked as exportable can be
exported together with their private keys.
Incorrect options:
A: This option results in unnecessary administrative effort that can be avoided by simply
exporting and importing the enterprise root certificate to the appropriate domains.
B: This is not a matter of delegating permissions for contact objects in the ExamSheets.net
domain.
D: The certutil command is mainly used when certificate services are installed before IIS and it
will enable an IIS client to connect by supplying the necessary enrolment. This is not what is
required.
Reference:
Charlie Russel, Sharon Crawford, and Jason Gerend, Microsoft Windows Server 2003
Administrator's Companion, Microsoft Press, Redmond, Chapter 21.
Question: 122
You are a network administrator for Examsheets. You install Windows Server 2003 on two
servers named Examsheets1 and Examsheets2. You configure Examsheets1 and Examsheets2
as a two-node server cluster. The cluster has three managed drives assigned the letters Q, R, and
S. The quorum resource is located on drive Q. You create a WINS group and configure WINS on
the cluster. You create a File Server group and configure file sharing on the cluster by using a
shared folder that you create on drive R. File sharing and WINS are both running on
Examsheets1. You move the WINS group to Examsheets2. The file share service fails on
Examsheets1. When you attempt to bring it back online, the file share resource will not start on
Examsheets1. You move the WINS group back to Examsheets1. The file share service will not
come back online. You need to configure the cluster so that each application can be moved or
can fail over independently, without affecting the other application.
What should you do?
A. Modify the Preferred owners list for the WINS group so that only Examsheets2 is in the list.
B. Modify the Preferred owners list for the File Server group so that only Examsheets2 is in the
list.
C. Configure both the WINS group and the File Server group to allow failback immediately.
D. Reconfigure the File Server group File Share resource to use a shared folder on drive S.
Answer: B
Explanation:
A cluster is a group of two or more servers dedicated to running a specific application (or
applications) and connected to provide fault tolerance and load balancing. Clustering is intended
for organizations running applications that must be available, making any server downtime
unacceptable. In a server cluster, each computer is running the same critical applications, so that
if one server fails, the others detect the failure and take over at a moment’s notice. This is called
failover. When the failed node returns to service, the other nodes take notice and the cluster
begins to use the recovered node again. This is called failback. The order of failover is defined by
the order in which the nodes appear in the Preferred Owners list. The default node for the
application is listed first. A failover attempts to move the cluster group to each node on the list,
in order, until the group starts successfully. Thus, if you modify the Preferred Owners list for the
File Server group so that Examsheets2 is the only entry in the list, the group can fail over
independently without affecting the other application.
Incorrect answers:
A: The modification to the Preferred owners list should be for the File Server group and not the
WINS group.
C: Allowing immediate failback for both groups affects both applications, so failover is not
independent.
D: Making use of a shared folder to make sure that the application is still available is not providing
failover in the real sense. In fact the shared folder will also be affected in case of node failure.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 2-7
http://download.microsoft.com/download/7/6/f/76f3db2f-6f43-4624-bfdeff731e3c1f96/GDClusters.doc
Question: 123
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The domain contains a Windows Server 2003 two-node
server cluster. The security team states that the password for the cluster service account must be
changed because one of the administrators has left the company. You fill out the necessary
change control paperwork. You need to provide the process for changing the password in the
change control form. You need to change the password for the cluster service account by using
the minimum amount of administrative effort.
What should you do?
A. Change the cluster service account password in Active Directory Users and Computers.
Change the cluster service account password on one node, and restart the node. After the first
node comes back online, change the cluster service account password on the second node,
and restart the node.
B. Change the cluster service account password in Active Directory Users and Computers.
Change the cluster service account password on both nodes, and restart the first node. After
the first node comes back online, restart the second node.
C. Run Dsmod.exe with the change password option.
D. Run Cluster.exe with the change password option.
E. Run SC.exe with the change password option.
Answer: D
Explanation:
Cluster.exe is the command-line utility you can use to create or administer a server cluster. It has
all of the capabilities of the Cluster Administrator graphical utility and more. Cluster.exe has
numerous options. The following are some of the tasks that are impossible to do with Cluster
Administrator or are easier to perform with Cluster.exe:
• Changing the password on the cluster service account
• Creating a server cluster or adding a node to a server cluster from a script
• Creating a server cluster as part of an unattended setup of Windows Server 2003
• Performing operations on multiple server clusters at the same time
It is for this reason that A and B are incorrect.
Incorrect Answers:
A, B: There is absolutely no need to change the cluster service account password on each node
when all that is necessary is to run Cluster.exe with the change password option.
C: Dsmod.exe allows the properties of directory services objects to be changed.
E: SC.exe starts and stops and manages Win32 services.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;305813
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp.
670-684
Question: 124
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The network contains Windows Server 2003 file servers. The
network also contains a Windows Server 2003 computer named Examsheets1 that runs Routing
and Remote Access and Internet Authentication Service (IAS). Examsheets1 provides VPN
access to the network for users' home computers. You suspect that an external unauthorized
user is attempting to access the network through Examsheets1. You want to log the details of
access attempts by VPN users when they attempt to access the network. You want to compare
the IP addresses of users' home computers with the IP addresses used in the access attempts to
verify that the users are authorized. You need to configure Examsheets1 to log the details of
access attempts by VPN users.
What should you do?
A. Configure the system event log to Do not overwrite.
B. In IAS, in Remote Access Logging, enable the Authentication requests setting.
C. Configure the Remote Access server to Log all events.
D. Create a custom remote access policy and configure it for Authentication-Type.
Answer: B
Explanation:
Internet Authentication Services (IAS) is a service included with Microsoft Windows Server 2003
that provides centralized authentication and authorization services.
Remote Access Logging lists log files and allows you to configure additional logging options, one
of which is authentication requests.
Incorrect Answers:
A: System log files contain events relating to the activity of the operating system. Startups and
shutdowns, device driver events, and system service events are recorded in the System log.
C: Log all Events will be very inefficient. Enabling the Authentication requests setting will be
sufficient to log all details concerning VPN user access attempts.
D: Authentication-type option is used to check the authentication method in use. This is not what
is required.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure.
Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; Managing and Maintaining a Windows
Server 2003 Environment Study Guide & DVD Training System.
Martin Grasdal, Laura E. Hunter, and Michael Cross; Planning and Maintaining a Windows Server
2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System
Question: 125
You are a network administrator for Examsheets. The design team provides you with the
following list of requirements for server disaster recovery:
• No more than two sets of tapes can be used to restore to the previous day.
• A full backup of each server must be stored off-site.
• A full backup of each server that is no more than one week old must be available on-site.
• Backups must never run during business hours.
• Tapes may be recalled from off-site storage only if the on-site tapes are corrupted or
damaged.
A full backup of all servers requires approximately 24 hours. Backing up all files that change during
one week requires approximately 4 hours. Business hours for Examsheets are Monday through
Friday from 6:00 A.M. to 10:00 P.M.
You need to provide a backup rotation plan that meets the design team’s requirements. Which
two actions should you include in your plan? (Each correct answer presents part of the solution.
Choose two)
A. Perform a full normal backup for on-site storage on Friday night after business hours. Perform
a full copy backup for off-site storage on Saturday night after the Friday backup is complete.
B. Perform a full normal backup for on-site storage on Friday night after business hours. Perform
another full normal backup for off-site storage on Saturday night after the Friday backup is
complete.
C. Perform a full copy backup for on-site storage on Friday night after business hours. Perform a
full copy backup for off-site storage on Saturday night after the Friday backup is complete.
D. Perform differential backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights
after business hours.
E. Perform incremental backups on Sunday, Monday, Tuesday, Wednesday, and Thursday
nights after business hours.
F. Perform incremental backups on Sunday, Tuesday, and Thursday nights after business hours.
Perform differential backups on Monday and Wednesday nights after business hours.
Answer: A D
Explanation:
Copy backup copies all the files you select, but does not mark each file as having been backed
up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up
files between normal and incremental backups because copying does not affect these other
backup operations. A differential backup copies files that have been created or changed since the
last normal or incremental backup. It does not mark files as having been backed up (in other
words, the archive attribute is not cleared). If you are performing a combination of normal and
differential backups, restoring files and folders requires that you have the last normal as well as
the last differential backup.
A normal backup copies all the files you select and marks each file as having been backed up (in
other words, the archive attribute is cleared). With normal backups, you only need the most
recent copy of the backup file or tape to restore all of the files. You usually perform a normal
backup the first time you create a backup set.
Backing up your data using a combination of normal backups and incremental backups requires
the least amount of storage space and is the quickest backup method.
We do a normal backup on Friday, and the archive bit is cleared. We do a copy backup on
Saturday and the archive bit is not cleared. We do a differential backup from Sunday, Monday,
Tuesday, Wednesday, and Thursday. This way, we just need two tapes to restore, the full backup
and the last differential backup.
Incorrect Answers:
B: With normal backups, you only need the most recent copy of the backup file or tape to restore
all of the files. However, with the rotation suggested in this option, two tapes might be too few,
and it will not comply with the requirements set out by the company.
C: With two full copy backups the archive attribute is not cleared and you will end up using more
than two tapes this way.
E: An incremental backup backs up only those files that have been created or changed since the
last normal or incremental backup. It marks files as having been backed up (in other words, the
archive attribute is cleared). This will not enable you to run a full restoration when necessary even
though you would be using fewer tapes than most of the other types of backup.
F: Since a differential backup copies files that have been created or changed since the last
normal or incremental backup; this option is not going to comply with the requirements of the
company.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, pp. 596-597
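The archive-attribute rules above can be checked by simulating one week of the rotation and asking which on-site tapes are needed to bring every file back to its latest version. This is an added example, not part of the study guide or of Windows Backup; the file names, the day-by-day edits, the one-week model and the restore rule (the newest on-site tape that holds the current version of each file) are constructed, and it also runs the rotations of options B and E to show why they fail.

```python
from dataclasses import dataclass


@dataclass
class Tape:
    day: str
    kind: str          # "normal", "copy", "differential" or "incremental"
    location: str      # "on-site" or "off-site"
    contents: dict     # file -> version captured on this tape


class Server:
    """Files with a version counter and the archive attribute Backup consults."""

    def __init__(self, files):
        self.version = {f: 1 for f in files}
        self.archive = {f: True for f in files}   # new files start with the bit set

    def change(self, *files):
        for f in files:
            self.version[f] += 1
            self.archive[f] = True                # any write sets the archive bit

    def backup(self, day, kind, location):
        if kind in ("normal", "copy"):            # full backups take every file
            chosen = list(self.version)
        elif kind in ("differential", "incremental"):
            chosen = [f for f in self.version if self.archive[f]]
        else:
            raise ValueError(f"unknown backup type {kind!r}")
        if kind in ("normal", "incremental"):     # only these two clear the bit
            for f in chosen:
                self.archive[f] = False
        return Tape(day, kind, location, {f: self.version[f] for f in chosen})


def restore_plan(server, tapes):
    """Which on-site tapes restore every file to its current version. Files
    whose current version exists only off-site are listed separately, because
    the design team allows recalling those tapes only after on-site tapes are
    damaged."""
    order = {t.day: i for i, t in enumerate(tapes)}
    needed, offsite_only = set(), []
    for f, current in server.version.items():
        holders = [t for t in tapes if t.contents.get(f) == current]
        onsite = [t for t in holders if t.location == "on-site"]
        if onsite:
            needed.add(onsite[-1].day)            # newest on-site tape holding it
        elif holders:
            offsite_only.append(f)
        else:
            raise RuntimeError(f"{f} was never backed up at version {current}")
    return {"tapes": sorted(needed, key=order.get), "offsite_only": offsite_only}


def meets_policy(plan):
    """No more than two tapes, none of them recalled from off-site storage."""
    return len(plan["tapes"]) <= 2 and not plan["offsite_only"]


def run_week(saturday_kind, weeknight_kind):
    """Friday night through Thursday night with a constructed set of edits.
    Returns the server state and the tapes written, oldest first."""
    s = Server(["sales.mdb", "inv.xls", "report.doc", "prices.csv",
                "readme.txt", "logo.gif"])
    tapes = [s.backup("Fri", "normal", "on-site")]
    s.change("readme.txt")                        # edited on Saturday, never again
    tapes.append(s.backup("Sat", saturday_kind, "off-site"))
    edits = [("Sun", "inv.xls"), ("Mon", "report.doc"), ("Tue", "inv.xls"),
             ("Wed", "sales.mdb"), ("Thu", "prices.csv")]
    for day, f in edits:
        s.change(f)
        tapes.append(s.backup(day, weeknight_kind, "on-site"))
    return s, tapes


if __name__ == "__main__":
    for label, sat, night in [("A + D", "copy", "differential"),
                              ("B + D", "normal", "differential"),
                              ("A + E", "copy", "incremental")]:
        plan = restore_plan(*run_week(sat, night))
        print(f"{label}: tapes={plan['tapes']} off-site only="
              f"{plan['offsite_only']} -> {'OK' if meets_policy(plan) else 'FAILS'}")
```

Option B fails because the Saturday normal backup clears the archive bit on the file edited that day, so its only copy is the off-site tape; option E fails because each incremental tape holds a different slice of the week.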
Question: 126
You are the network administrator for ExamSheets.net. All servers run Windows Server 2003.
The network contains two Web servers named Examsheets1 and Examsheets2 and three
application servers named Examsheets3, Examsheets4, and Examsheets5. All five servers have
similar hardware. The servers are configured as Network Load Balancing clusters, as shown in
the exhibit.
A Web services application hosted on Examsheets1 and Examsheets2 communicates to
application components hosted on Examsheets3, Examsheets4 and Examsheets5 by using the
IP address 10.1.20.11. The application is designed to be stateless. The Network Load Balancing
settings for each server are listed in the following table.
Host          Filtering mode   Host priority   Affinity   Load
Examsheets1   Multiple         1               Single     Equal
Examsheets2   Multiple         2               Single     Equal
Examsheets3   Multiple         1               Single     Equal
Examsheets4   Multiple         2               Single     Equal
Examsheets5   Multiple         3               Single     Equal
Users report that response time to the Web services application is slow. You investigate the
performance of each server and observe the information listed in the following table.
Host          Average % of CPU in use   Average % of RAM in use
Examsheets1   75                        80
Examsheets2   65                        75
Examsheets3   98                        90
Examsheets4   2                         20
Examsheets5   2                         20
You need to improve the response time of the application.
What should you do?
A. Modify the Web services application to access the components on the application servers by
using the IP address 10.1.10.11.
B. Modify the Network Load Balancing host priorities for Examsheets3 and Examsheets5 by 1.
C. Modify the Network Load Balancing host priority for Examsheets2 to be 1.
D. Modify the Network Load Balancing affinity setting for Examsheets3, Examsheets4, and
Examsheets5 to be None.
E. Modify the Network Load Balancing affinity setting for Examsheets1 and Examsheets2 to be
None.
Answer: D
Explanation:
In simple terms, affinity is the attraction one item feels for another item.
Selecting None specifies that NLB doesn't need to direct multiple requests from the same client
to the same NLB host, thereby splitting the load and improving response times and reliability.
Incorrect Answers:
A: The communication link is not the problem, as Examsheets3, 4 and 5 are receiving
communication. The problem is that Examsheets3 is overworked compared to Examsheets4 and 5.
B, C: Each host within the NLB cluster must have a unique priority number configured.
E: The load between Examsheets1 and 2 is already balanced.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 27
Question: 127
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All computers on the network are members of the domain.
You administer a four-node Network Load Balancing cluster. All nodes run Windows Server 2003.
The cluster has converged successfully. You use Network Load Balancing Manager on the
default host to configure all nodes of the cluster. The nodes have a single network adapter and
are connected to the same switching hub device. Administrators of non-cluster servers that are
connected to the same switching hub device report that their servers receive traffic that is
destined for the cluster nodes. Receiving this additional network traffic impairs the network
performance of the non-cluster servers. You need to ensure that traffic destined for only the
cluster nodes is not sent to all ports of the switching hub device. You do not want to move the
cluster to another switching hub device.
What should you do?
A. On the node, run the nlb.exe reload command.
B. On each node, run the wlbs.exe drainstop command.
C. Use Network Load Balancing Manager to enable Internet Group Management Protocol (IGMP)
support on the cluster.
D. Use Network Load Balancing Manager to add a second cluster IP address.
Answer: C
Explanation:
If you enable IGMP Multicast, NLB attempts to prevent switch flooding by limiting multicast traffic
to only those ports on a switch that have a NLB-bound network adapter connected to them. So,
when you use IGMP Multicast, traffic is designed to flow only to those switch ports connected to
NLB cluster hosts, thus preventing all other switch ports from being flooded by the multicast
traffic.
Incorrect Answers:
A: The nlb.exe reload command instructs NLB to reload the current parameter set from the
Registry. If required to complete the process, cluster operations are stopped and subsequently
restarted. Any errors that exist within the parameters prevent the host from joining the cluster and
also cause a warning dialog box to be displayed.
B: The nlb.exe command replaces the wlbs.exe command previously used in Windows NT 4.0
and Windows 2000 Server.
D: You use the Network Load Balancing Manager application in Windows Server 2003 to create,
manage, and monitor NLB clusters.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 23
Question: 128
You are a network administrator for ExamSheets.net. You install Windows Server 2003,
Enterprise Edition on two servers named Examsheets1 and Examsheets2. You configure
Examsheets1 and Examsheets2 as a two-node server cluster. Examsheets1 and Examsheets2
are connected to a shared fiber-attached array. You configure the server cluster for file sharing.
You configure Examsheets1 as the preferred owner of the file sharing resources. You perform the
following backups by using the Backup or Restore Wizard.
              Examsheets1                              Examsheets2
Tuesday       Normal backup including system state     Normal backup including system state
Wednesday     Incremental backup and Automated         Incremental backup and ASR backup
              System Recovery (ASR) backup
On Thursday morning, Examsheets2 experiences a hard disk failure. The failed disk contains
only the operating system for Examsheets2. You evict Examsheets2 from the server cluster. You
need to recover Examsheets2 and restore it to the cluster. You need to minimize data loss and
recovery time.
What should you do?
A. Restore the quorum disk signature and data from the Tuesday backup of Examsheets1, and
add Examsheets2 to the server cluster.
B. Restore Examsheets2 by using ASR, and add Examsheets2 to the server cluster.
C. Restore the Tuesday backup of Examsheets2, and add Examsheets2 to the server cluster.
D. Restore the Tuesday normal backup and the Wednesday incremental backup of
Examsheets2, and add Examsheets2 to the server cluster.
Answer: B
Explanation:
When an ASR restore is performed, the operating system is reinstalled using the original
Windows Server 2003 media. However, instead of generating new disk signatures, security
identifiers, and Registry content, these items are restored from the ASR set.
Incorrect Answers:
A: ExamSheets1 did not fail.
C, D: These types of backup do not restore the operating system.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, pp. 614.
Question: 129
You are a network administrator for Examsheets. The network contains two Windows Server
2003 database servers configured as a two-node server cluster. Each cluster node has a
100-Mbit network adapter and a 10-Mbit network adapter. The 100-Mbit network adapter on each
server is connected to company network. The 10-Mbit adapters are connected to each other by
an Ethernet crossover cable. Cluster communications are configured to use the crossover
connection as the primary cluster network. The cluster provides mission-critical data to several
hundred users at any given time, 24 hours per day. You need to be able to ascertain if the
network performance ever becomes or might become a limiting performance factor. You want to
be able to identify trends over time. You need to choose which network adapters and
performance counters are the most important for you to monitor, and you need to choose which
method of monitoring to use to detect potential saturation of the network adapters.
What should you do?
Answer:
Explanation:
Since each cluster node has a 100-Mbit network adapter connected to the company network, it is
logical to monitor that adapter instead of the 10-Mbit network adapter. The latter only connects
the cluster nodes to each other by means of a crossover cable.
If you need to be able to ascertain if the network performance ever becomes or might become a
limiting performance factor and to be able to identify trends over time, then Packets Received/Sec
which specifies the number of packets received by the adapter each second, would be the
counter to configure for monitoring purposes. This can be viewed using the Performance logs.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 6: 20
Question: 130
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named ExamSheets.net that has two child domains: domain1.ExamSheets.net
and domain2.ExamSheets.net. All domain controllers run Windows Server 2003. All domain
controllers are configured as DNS servers. You use a proxy firewall to isolate your network from
the Internet. You configure the DNS servers in the ExamSheets.net domain as internal DNS root
servers. All client computers are configured with the proxy firewall client software. You need to
allow users to resolve host names on both the internal network and the Internet.
What should you do?
A. Configure the internal DNS root servers to use Active Directory-integrated stub zones to
resolve DNS queries for domain1.ExamSheets.net and domain2.ExamSheets.net.
B. Configure all client computers to use a Web browser automatic configuration script.
C. Configure the DNS servers in the child domains to use the internal DNS root servers as
forwarders.
D. Configure the DNS servers in the child domain with root hints that point to the internal DNS
root servers in the ExamSheets.net domain.
Answer: D
Explanation:
The DNS servers in the ExamSheets.net domain are internal root servers, so the DNS servers in the
child domains need root hints that point at them instead of at the Internet root servers. If you are
configuring a DNS server within a private namespace, you can use the Root Hints tab in the DNS
server properties to delete the Internet root servers and specify your own internal root servers.
With those hints the child-domain servers can resolve any name in the internal namespace by
referral from the internal roots. Internet names are handled by the proxy firewall: because every
client runs the proxy firewall client software, the proxy resolves external host names on the
client's behalf, so the internal DNS servers never need a path to the Internet root servers.
Incorrect Answers:
A: A stub zone only keeps the NS resource records of a zone current so that a server can locate
the authoritative servers for that zone; it does nothing for the child-domain servers' ability to
resolve other internal names or Internet names.
B: A Web browser automatic configuration script only tells the browser which proxy to use; it does
not address host name resolution.
C: Forwarding to the internal root servers would only allow users to resolve host names on the
internal network.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft
Press, Redmond, Washington, 2004, Chapter 4 and 5
Question: 131
You are a network administrator for Examsheets. The network consists of a single Active
Directory forest that contains three domains. The functional level of the forest and of all three
domains is Windows Server 2003. Examsheets has a main office and 30 branch offices. Each
branch office is connected to the main office by a 56-Kbps WAN connection. You configure the
main office and each branch office as a separate Active Directory site. You deploy a Windows
Server 2003 domain controller at the main office and at each branch office. Each domain
controller is configured as a DNS server. You can log on to the network from client computers in
the branch offices at any time. However, users in the branch offices report that they cannot log on
to the network during peak hours. You need to allow users to log on to the network from branch
office computers. You do not want to affect the performance of the branch office domain
controllers. You need to minimize Active Directory replication traffic across the WAN connections.
What should you do?
A. Use Active Directory Sites and Services to enable universal group membership caching for
each branch office site.
B. Use the DNS console to configure the branch office DNS servers to forward requests to a
DNS server in the main office.
C. Use Active Directory Sites and Services to configure each branch office domain controller as a
global catalog server.
D. Use the DNS console to configure the branch office DNS servers to use an Active Directory-integrated zone.
Answer: A
Explanation:
When a user logs on to the network, the global catalog provides universal group membership
information for the account to the domain controller processing the user logon information. If a
global catalog is not available when a user initiates a network logon process, the user is able to
log on only to the local computer unless the site has been specifically configured to cache
universal group membership lookups when processing user logon attempts. In this scenario the
domain controller must contact the global catalog server across a WAN
link that is saturated. Enabling universal group membership caching will overcome this problem.
Incorrect Answers:
B: The logon failures are caused by the unreachable global catalog server, not by DNS; forwarding
DNS requests to the main office does not change how the domain controller contacts the global catalog.
C: Configure each branch office domain controller as a global catalog server would result in
increased replication traffic. We want to avoid this.
D: An Active Directory-integrated zone is a DNS zone that is part of Active Directory and is part of
Active Directory replication. Making the DNS zone a part of Active Directory will not overcome
logon latency and will lead to an increase in replication traffic.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-43.
Question: 132
You are the network administrator for ExamSheets.net. Examsheets has 20,000 users in 20
physical locations worldwide. Examsheets is expecting to grow by 50 percent the next five years.
Examsheets recently become a subsidiary of Humongous Insurance. Humongous Insurance has
five other subsidiaries. Humongous Insurance has 100,000 users in 100 physical locations
worldwide. Humongous Insurance uses the 10.0.0.0/8 network and requires that all subsidiaries
integrate into this network. The network design team at Examsheets provides you with a network
design for integrating into the Humongous Insurance network. The design specifies that
Examsheets will use a single block of IP network numbers to assign IP addresses to its network.
You need to plan the IP address space to meet the design specification. You need to request a
block of IP addresses from Humongous Insurance that will accommodate all Examsheets users.
To reduce the difficulty of obtaining the addresses and to conserve the Humongous Insurance
address space, you want to request the smallest block of IP addresses that meets the design
specification.
What should you do?
A. Request a 10.0.0.0 block of IP addresses with an 8-bit subnet mask from Humongous Insurance.
B. Request a 10.0.0.0 block of IP addresses with a 16-bit subnet mask from Humongous Insurance.
C. Request a 10.0.0.0 block of IP addresses with a 24-bit subnet mask from Humongous Insurance.
D. Request a 10.0.0.0 block of IP addresses with a 32-bit subnet mask from Humongous Insurance.
Answer: B
Explanation:
Examsheets has 20,000 users today, and 50 percent growth takes that to 30,000. Per location that
is an average of 1,000 users now and 1,500 after growth. Because Humongous Insurance requires all
subsidiaries to integrate into its 10.0.0.0/8 network, the block must be carved out of 10.0.0.0/8.
Subnetting moves the boundary between the network bits and the host bits of an address. The
number of usable host addresses in a block with an n-bit mask is 2^(32-n) - 2, because the
all-zeros (network) and all-ones (broadcast) addresses cannot be assigned. The question is
therefore which mask length leaves enough host bits for every Examsheets address while wasting
as little of the Humongous Insurance space as possible.
A 21-bit mask (2,046 usable hosts) would be the right size for a single location of 1,500 users,
and a 17-bit mask (32,766 usable hosts) is the smallest single block that covers the 30,000
addresses in total. Neither is offered, so the next larger option is the 16-bit mask: one
10.x.0.0/16 block provides 65,534 usable host addresses and still leaves room to give each of
the 20 locations its own /21 (a /16 contains 32 of them) with capacity to spare.
Incorrect Answers:
A: An 8-bit mask (255.0.0.0) is the whole 10.0.0.0/8 network, 16,777,214 usable host addresses.
That is the entire Humongous Insurance address space, far more than the smallest block that meets
the design specification.
C: A 24-bit mask (255.255.255.0) provides only 254 usable host addresses, far too few for 30,000
users.
D: A 32-bit mask identifies a single host address and leaves no host bits at all, so it cannot
describe a block of addresses to assign.
Reference:
Thomas Shinder and Debra Littlejohn Shinder, Planning and Maintaining a Windows Server 2003
Network Infrastructure: Exam 70-293, Syngress, 2003, pp. 173-180.
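As an added example (not part of the original question set), the host-count arithmetic above carried through in Python with the standard ipaddress module: it sizes a block for the 30,000 users Examsheets will have after growth, picks the smallest offered mask that fits, and then carves one /21 per location out of the chosen 10.0.0.0/16. The parent block 10.0.0.0/16 and the twenty locations of 1,500 users are the figures from the question; nothing else is assumed.

```python
import ipaddress


def hosts_in_prefix(prefix_len: int) -> int:
    """Usable host addresses in an IPv4 block with an n-bit mask: 2^(32-n) - 2.
    The all-zeros (network) and all-ones (broadcast) addresses are excluded,
    so /31 and /32 leave no assignable host addresses here."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return max(2 ** (32 - prefix_len) - 2, 0)


def smallest_prefix_for_hosts(hosts: int) -> int:
    """Longest (most specific) prefix whose usable host count still covers `hosts`."""
    for prefix_len in range(30, -1, -1):
        if hosts_in_prefix(prefix_len) >= hosts:
            return prefix_len
    raise ValueError("too many hosts for a single IPv4 block")


def choose_offered_mask(total_hosts: int, offered_prefixes) -> int:
    """Among the masks a parent organisation offers, pick the longest one that still fits."""
    fitting = [p for p in offered_prefixes if hosts_in_prefix(p) >= total_hosts]
    if not fitting:
        raise ValueError("none of the offered masks holds %d hosts" % total_hosts)
    return max(fitting)


def plan_site_blocks(parent: str, sites: int, hosts_per_site: int):
    """Carve one equally sized subnet per site out of `parent`.
    Returns (site_prefix_len, [networks]) or raises if the parent is too small."""
    site_prefix = smallest_prefix_for_hosts(hosts_per_site)
    parent_net = ipaddress.ip_network(parent)
    if site_prefix < parent_net.prefixlen:
        raise ValueError("a single site needs a bigger block than the parent")
    subnets = list(parent_net.subnets(new_prefix=site_prefix))
    if len(subnets) < sites:
        raise ValueError("%s holds only %d /%d subnets but %d sites are needed"
                         % (parent, len(subnets), site_prefix, sites))
    return site_prefix, subnets[:sites]


def examsheets_plan():
    """The scenario from the question: 20 locations, 20,000 users, 50 percent growth."""
    users_now, growth, locations = 20_000, 1.5, 20
    total = int(users_now * growth)                 # 30,000 addresses needed overall
    per_site = int(users_now / locations * growth)  # 1,500 per location
    offered = [8, 16, 24, 32]                       # the masks in answers A to D
    mask = choose_offered_mask(total, offered)      # 16: /24 is far too small, /8 is all of 10/8
    site_prefix, blocks = plan_site_blocks("10.0.0.0/%d" % mask, locations, per_site)
    return {
        "total_hosts": total,
        "tightest_prefix": smallest_prefix_for_hosts(total),  # /17 would do by pure count
        "requested_mask": mask,
        "site_prefix": site_prefix,
        "first_site": str(blocks[0]),
        "last_site": str(blocks[-1]),
    }


if __name__ == "__main__":
    for key, value in examsheets_plan().items():
        print("%-16s %s" % (key, value))
```

By pure address count a /17 (32,766 usable hosts) would hold 30,000 users, but it contains only sixteen /21 subnets, so the twenty locations could not each receive a block of their own; plan_site_blocks("10.0.0.0/17", 20, 1500) raises for exactly that reason, and /16 is the smallest power-of-two block that satisfies both the total and the per-site constraint.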
Question: 133
You are the administrator of a network at Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All servers run Windows Server 2003. Client computers run
either Windows XP Professional or Windows 98. All Windows 98 computers have the Active
Directory Client Extensions software installed. The network consists of three physical subnets.
Each subnet contains a domain controller and a server that runs DHCP. Each subnet also
contains a server that runs both the DNS Server service and the WINS service. All client
computers receive their TCP/IP configuration from the DHCP server that is located on their local
subnet. All of the Windows 98 computers are located on a single subnet. The DHCP scope on
this subnet is configured with the options shown in the exhibit.
All DHCP servers are configured with similar options. Users of the Windows 98 computers report
that they cannot connect to resources on the Windows Server 2003 computers located on any
subnet. When they attempt to connect to a shared resource by using \\servername\sharename in
the Run command, they receive the following error message: “Server not found”. The users can
successfully connect to Web-based resources located on the same servers. When they attempt
to connect to the servers by using the ping command on an affected Windows 98 computer you
can connect successfully. The users of the Windows XP Professional computers do not report the
same problems. You need to ensure that the users of the Windows 98 computers can connect to
shared resources on the Windows Server 2003 computers.
What should you do?
A. On the affected subnet’s DHCP server, configure the scope options to use the Windows 98
vendor class.
B. On the affected subnet’s DHCP server, remove the WINS/NBT Node Type from the scope
options.
C. On each DHCP server, remove the Microsoft Disable NetBIOS Option from the scope options.
D. On each DHCP server, add the NetBIOS over TCP/IP NBDD DHCP scope option to the scope
options.
Answer: C
Explanation:
The symptoms point at NetBIOS name resolution rather than IP connectivity: ping and Web access
work (both use DNS and plain TCP/IP), but \\servername\sharename fails. Windows 98 does not
support direct-hosted SMB over TCP port 445; its file and print client depends on NetBIOS over
TCP/IP (NetBT), which resolves the server name through WINS and connects over TCP port 139. The
scope options in the exhibit include the Microsoft Disable NetBIOS Option, which turns NetBT off
on the clients, so the Windows 98 computers have no way to reach a share on any subnet. The
Windows XP Professional computers are unaffected because they resolve the name with DNS and
connect with direct-hosted SMB over port 445. Because the Windows 98 clients need NetBT to reach
servers on all three subnets and all DHCP servers carry the same options, the option must be
removed on each DHCP server.
Disabling NetBIOS is a worthwhile hardening step where every client runs Windows 2000 or later:
NetBIOS is a broadcast-based service that lets any host on the segment enumerate computer and
share names, which an intruder can exploit, and removing it also simplifies administration by
reducing the number of naming infrastructures you must configure, maintain and support. It cannot
be applied, however, while Windows 98 clients still depend on it.
Incorrect Answers:
A: Vendor classes identify DHCP clients by their vendor and hardware configuration type and
determine which options are handed to them. They do not remove the option that is disabling NetBT.
B: The WINS/NBT Node Type option (046) tells clients how to resolve NetBIOS names. With a WINS
server on every subnet it should stay, and removing it would not re-enable NetBT.
D: The NetBIOS over TCP/IP NBDD option (045) points clients at a NetBIOS datagram distribution
server; it does not re-enable NetBT. Only if all the computers on your network run Windows 2000
or later and no application uses NetBIOS is it possible to remove WINS servers and disable the
NetBIOS over TCP/IP (NetBT) protocol on your computers.
Reference:
J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft
Press, Redmond, Washington, Chapter 4.
James Chellis, Paul Robichaux, and Matthew Sheltz MCSA/MCSE: Windows Server 2003
Network Infrastructure Implementation, Management, and Maintenance Study Guide Chapter 5
Question: 134
You are the system engineer for ExamSheets.net. The internal network consists of a Windows
NT 4.0 domain. The company maintains a separate network that contains publicly accessible
Web and mail servers. These Web and mail servers are members of a DNS domain named
ExamSheets.net. The ExamSheets.net zone is hosted by a UNIX-based DNS server running
BIND 4.8.1. Examsheets is planning to migrate to a Windows Server 2003 Active Directory
domain-based network. The migration plan states that all client computers will be upgraded to
Windows XP Professional and that all servers will be replaced with new computers running
Windows Server 2003. The migration plan specifies the following requirements for DNS in the
new environment:
• Active Directory data must not be accessible from the Internet.
• The DNS namespace must be contiguous to minimize confusion for users and administrators.
• Users must be able to connect to resources in the ExamSheets.net domain.
• Users must be able to connect to resources located on the Internet.
• The existing UNIX-based DNS server will continue to host the ExamSheets.net domain.
• The existing UNIX-based DNS server cannot be upgraded or replaced. You plan to install a
Windows Server 2003 DNS server on the internal network.
You need to configure this Windows-based DNS server to meet the requirements specified in the
migration plan.
What should you do?
A. Create a primary zone named ad.ExamSheets.net as your Windows-based DNS server.
Create a delegation record for the new zone on the UNIX-based DNS server. Configure
forwarders on your Windows-based DNS server.
B. Create a primary zone named ad.ExamSheets.net on the UNIX-based DNS server. Create a
secondary zone on your Windows-based DNS server for the ad.ExamSheets.net domain.
C. Create a primary zone named Examsheets-ad.com on your Windows-based DNS server.
Create a secondary zone on the UNIX-based DNS server for the Examsheets-ad.com domain.
D. Create a primary zone named Examsheets-ad.com on the UNIX-based DNS server. Create a
stub zone on the Windows-based DNS server for the Examsheets-ad.com domain. Configure
conditional forwarders on your Windows-based DNS server for the Examsheets-ad.com and
ExamSheets.net domain.
Answer: A
Explanation:
A primary zone contains the master copy of the zone database, where administrators make all
changes to the zone’s resource records. If the Store “The Zone In Active Directory” (Available
Only If DNS Server Is A Domain Controller) check box is cleared, the server creates a primary
master zone database file on the local drive. This is a simple text file that is compliant with most
non-Windows DNS server implementations.
To delegate a zone means to assign authority over part of your DNS namespace to a subdomain. A
zone delegation occurs when responsibility for the resource records of a subdomain is passed from
the owner of the parent domain to the owner of the subdomain. The Forwarders tab of the DNS server
properties dialog box lets you forward queries that the local DNS server cannot answer to upstream
DNS servers, called forwarders. This tab also lets you disable recursion for selected domains.
Option A meets every requirement. The Active Directory zone ad.ExamSheets.net lives only on the
internal Windows-based server, which the Internet cannot reach, so the directory data (including
the SRV records that locate domain controllers) is not exposed. The zone name is a child of
ExamSheets.net, so the namespace stays contiguous, and the delegation record on the UNIX server
ties the child zone into the public parent without moving any Active Directory data onto it. The
forwarders give the internal server a path for Internet names and for ExamSheets.net itself,
which stays on the UNIX server. BIND 4.8.1 could not host the Active Directory zone anyway: it
supports neither the SRV resource records that domain controllers register (BIND 4.9.7 and later)
nor dynamic update (BIND 8.1.2 and later).
Incorrect answers:
B, C: A secondary zone is a read-only copy of a primary zone on another server, stored as an
identical text file on the server’s local drive. You cannot modify the resource records in a
secondary zone manually; you can only update them by replicating the primary master zone
database file, using a process called a zone transfer. B places the primary copy of the Active
Directory zone on the UNIX server, which cannot host it and which is reachable from the Internet.
C uses a separate name, Examsheets-ad.com, so the namespace is no longer contiguous, and copying
the zone to the UNIX server would expose the directory data to the Internet.
D: A stub zone is a copy of a zone that contains only the Start of Authority (SOA) and Name
Server (NS) resource records, plus the host resource records that identify the authoritative
servers for the zone; the stub zone forwards or refers requests. When you create a stub zone, you
configure it with the IP address of the server that hosts the zone from which you created the
stub. When the server hosting the stub zone receives a query for a name in that zone, it either
forwards the request to the host of the zone or replies with a referral to that host, depending
on whether the query is recursive or iterative. Here the primary zone must be on the
Windows-based DNS server, and Examsheets-ad.com again breaks the contiguous namespace.
Reference:
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296,
Microsoft Press, Redmond, Washington, 2004, Chapter 7 and 8.
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, Chapter 5.
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4: 34
Question: 135
You are the network administrator for ExamSheets.net. The relevant portion of the network is
shown in the exhibit.
All servers run Windows Server 2003. Each subnet of the network contains 100 Windows XP
Professional computers. Each subnet also contains a DHCP server, which provides TCP/IP
configuration information to all computers on its local subnet. You create and configure Subnet3
for a new department at your company. Users in Subnet3 report that they cannot connect to
resources located on servers in Subnet1 and Subnet2. When they attempt to connect to these
resources, they receive the following message: “Server not found”. The user can successfully
connect to resources located on servers in Subnet3. Users in Subnet1 and Subnet2 report that
they cannot connect to resources located on servers in Subnet3. When they attempt to connect to
these resources, they receive the following error message: “Server did not respond in a timely
manner”. The users can successfully connect to resources in both Subnet1 and Subnet2. You
need to ensure that all client computers can connect to server-based resources on all subnets.
What should you do?
A. Configure the DHCP server in Subnet3 to provide a subnet mask of 255.255.255.0
B. Configure the DHCP servers in Subnet1 and Subnet2 to provide a subnet mask of
255.255.0.0.
C. Configure the Examsheets2 Interface E1 to use a subnet mask of 255.255.0.0.
D. Configure the IP address of the Examsheets2 Interface E0 as the default gateway for
Subnet3.
E. Configure the IP address of the Examsheets2 Interface E1 as the default gateway for
Subnet2.
Answer: A
Explanation:
The DHCP server in the newly created Subnet3 hands out a subnet mask that does not match the
255.255.255.0 mask used elsewhere on the network. A host decides from its own address and mask
whether a destination is on its local segment: with a mask that is too broad (for example
255.255.0.0), hosts in Subnet3 treat addresses in Subnet1 and Subnet2 as on-link, try to reach
them directly with ARP instead of through the default gateway, and get no answer, hence “Server
not found”. Hosts in Subnet1 and Subnet2 have the correct mask, so their requests reach Subnet3
through Examsheets2, but the replies from Subnet3 are again sent as if the requester were local
and never come back, which produces “Server did not respond in a timely manner”. With a subnet
mask of 255.255.255.0 the Subnet3 DHCP server assigns addresses in the range 172.30.2.1 to
172.30.2.254 and the Subnet3 hosts send all off-subnet traffic to their gateway, so users on
every subnet can reach resources on every other subnet.
Incorrect Answers:
B: The subnet masks in Subnet1 and Subnet2 are correctly configured; changing them to 255.255.0.0
would spread the same on-link mistake to every subnet.
C: The mask that needs correcting is the one handed out by the Subnet3 DHCP server, not the one
on interface E1 of Examsheets2.
D, E: The IP addresses of interfaces E0 and E1 on Examsheets2 are correctly configured as the
default gateways; the problem is that hosts in Subnet3 never use theirs.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, pp. 2: 25
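The forwarding decision behind both error messages, as an added example that is not part of the original question set: a host compares the destination with its own address and mask and only sends off-link traffic to the default gateway, so a wrong mask breaks traffic in one direction or the other. Subnet3's 172.30.2.0/24 range is the one the explanation names; the Subnet1 addresses (172.30.1.0/24), the gateway addresses and the wrong mask of 255.255.0.0 handed out in Subnet3 are assumptions made for the example, since the exhibit is not reproduced here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ip: str
    mask: str      # the mask DHCP handed out, which may be wrong
    gateway: str   # the default gateway DHCP handed out
    wire: str      # the physical segment the host is really attached to


def next_hop(host: Host, dst_ip: str):
    """What a host does with a packet: ARP for the destination directly if its own
    address/mask says the destination is on-link, otherwise hand it to the gateway."""
    iface = ipaddress.ip_interface("%s/%s" % (host.ip, host.mask))
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "direct", dst_ip
    return "gateway", host.gateway


def deliver(src: Host, dst: Host):
    """One-way delivery. A 'direct' send only works if the destination really shares
    the sender's wire; a 'gateway' send is forwarded by the router, which is assumed
    to be correctly configured with an interface on every segment (as in the question)."""
    mode, hop = next_hop(src, dst.ip)
    if mode == "direct":
        if ipaddress.ip_address(dst.ip) in ipaddress.ip_network(src.wire):
            return True, "%s: %s is on-link, ARP answered" % (src.name, dst.ip)
        return False, ("%s: thinks %s is on-link, ARP for it goes unanswered and the "
                       "packet never reaches the router" % (src.name, dst.ip))
    return True, "%s: sends to gateway %s, router forwards to %s" % (src.name, hop, dst.wire)


def diagnose(client: Host, server: Host) -> str:
    """Reproduce the two symptoms from the question: a request that never leaves the
    client's segment, or a request that arrives but whose reply never comes back."""
    sent, why = deliver(client, server)
    if not sent:
        return "Server not found: " + why
    replied, why_back = deliver(server, client)
    if not replied:
        return "Server did not respond in a timely manner: " + why_back
    return "OK: %s; %s" % (why, why_back)


# Constructed scenario; only Subnet3's 172.30.2.0/24 comes from the explanation.
SUBNET1_CLIENT = Host("subnet1-pc", "172.30.1.10", "255.255.255.0", "172.30.1.1", "172.30.1.0/24")
SUBNET1_SERVER = Host("subnet1-srv", "172.30.1.20", "255.255.255.0", "172.30.1.1", "172.30.1.0/24")
SUBNET3_WRONG = Host("subnet3-host", "172.30.2.10", "255.255.0.0", "172.30.2.1", "172.30.2.0/24")
SUBNET3_FIXED = Host("subnet3-host", "172.30.2.10", "255.255.255.0", "172.30.2.1", "172.30.2.0/24")


if __name__ == "__main__":
    print(diagnose(SUBNET3_WRONG, SUBNET1_SERVER))   # Subnet3 user -> Subnet1: Server not found
    print(diagnose(SUBNET1_CLIENT, SUBNET3_WRONG))   # Subnet1 user -> Subnet3: timeout
    print(diagnose(SUBNET3_FIXED, SUBNET1_SERVER))   # after answer A: OK
    print(diagnose(SUBNET1_CLIENT, SUBNET3_FIXED))   # after answer A: OK
```

The asymmetry of the two messages is the diagnostic clue: the side with the bad mask fails on its first packet, while the side with the good mask gets its packet across and then waits for a reply that is being sent to the wrong place.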
Question: 136
You are a network administrator for Examsheets. Examsheets has one main office and 30 branch
offices. The network consists of a single Active Directory domain ExamSheets.net. All servers run
Windows Server 2003. Examsheets needs to connect the main office network and all branch
office networks by using Routing and Remote Access servers at each office. The networks will be
connected by VPN connections over the Internet. You install three Routing and Remote Access
servers at the main office. You are configuring security for the Routing and Remote Access
servers. You need to provide centralized authentication for the branch office Routing and Remote
Access servers. You need to centrally configure the remote access policies for the main office
Routing and Remote Access servers. You need to centrally maintain remote access
authentication and connection logs for the main office Routing and Remote Access servers. You
install Internet Authentication Service (IAS) on a server in the main office and register it in Active
Directory. What else should you do?
A. Configure the remote access policies on the IAS server. On the IAS server, configure the main
office RADIUS clients. Configure the main office Routing and Remote Access servers to use
RADIUS authentication and accounting.
B. Configure the remote access policies on the IAS server. On the IAS server, configure the
branch office RADIUS clients. Configure the branch office Routing and Remote Access
servers to use RADIUS authentication and accounting.
C. Configure the remote access policies on the IAS server. On the IAS server, configure the main
office RADIUS clients. Configure the main office Routing and Remote Access servers to use
Windows authentication and accounting.
D. Run the netsh command to configure the remote access polices on the main office Routing
and Remote Access servers. On the IAS server, configure the main office RADIUS clients.
Configure the main office Routing and Remote Access servers to use RADIUS authentication
and accounting
Answer: A
Explanation:
Internet Authentication Service (IAS) is the Microsoft implementation of Remote Authentication
Dial-In User Service (RADIUS), an authentication, authorization and accounting protocol widely
used by Internet service providers. A network access server such as a Routing and Remote Access
server acts as a RADIUS client: it passes the user’s credentials to the RADIUS server, which
validates them against Active Directory, evaluates the remote access policies and returns an
accept or reject, and it sends its accounting records to the same server. For IAS to accept
requests from a Routing and Remote Access server, that server must be registered on IAS as a
RADIUS client with a shared secret, and the Routing and Remote Access server must be configured
for RADIUS authentication and RADIUS accounting. IAS in Windows Server 2003 can act both as a
RADIUS server and, new in this release, as a RADIUS proxy.
Incorrect Answers:
B: The requirements for centrally configured policies and centrally maintained logs apply to the
main office Routing and Remote Access servers, so those are the servers that must be registered
on the IAS server as RADIUS clients and switched to RADIUS authentication and accounting.
Registering only the branch office servers leaves the main office servers with their own local
policies and logs.
C: The question states that “You need to centrally configure the remote access policies for the
main office”. With Windows authentication and accounting each Routing and Remote Access server
evaluates its own local set of remote access policies and writes its own logs, so nothing is
centralized.
D: Netsh is a command-line scripting utility that displays or modifies the network configuration
of a running computer (it also absorbed the basic diagnostic features of the older NetDiag.exe).
Using it to configure the remote access policies on each main office Routing and Remote Access
server still leaves a separate policy set on every server; the policies are only centralized when
they are defined on the IAS server and the Routing and Remote Access servers use RADIUS.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 5: 28
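The RADIUS client/server relationship the explanation describes, as an added example that is not part of the original question set: a minimal RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, the server-side check that the sender is a registered RADIUS client, and the Response Authenticator that lets the Routing and Remote Access server verify the answer really came from the IAS server. The client address 10.1.0.5, the user name and password and the shared secret are all constructed for the example; the packet layout and password-hiding algorithm are the ones RFC 2865 specifies. This is a protocol illustration, not IAS or RRAS code.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length counts the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute: stop rather than loop forever
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. Trailing NUL padding is stripped, so passwords that
    end in NUL bytes are not representable (RFC 2865 has the same limitation)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, _md5(secret, prev)))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """What the Routing and Remote Access server (the RADIUS client) sends."""
    request_auth = request_auth or os.urandom(16)  # must be fresh and unpredictable
    attrs = _attr(USER_NAME, username) + \
        _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = _md5(header, request[4:20], attrs, secret)
    return header + response_auth + attrs


def ias_handle(request: bytes, radius_clients: dict, users: dict, nas_ip: str):
    """Server side. radius_clients maps a NAS source address to its shared secret;
    an Access-Request from an address that is not registered is silently discarded."""
    secret = radius_clients.get(nas_ip)
    if secret is None or len(request) < 20 or request[0] != ACCESS_REQUEST:
        return None
    attrs = _parse_attrs(request[20:])
    username = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    # A NAS configured with the wrong shared secret decrypts to garbage here, so it fails closed.
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    return build_response(code, request, secret)


def rras_verify(response, request: bytes, secret: bytes) -> bool:
    """Client side: only trust an answer whose identifier matches the request and whose
    Response Authenticator was computed with the same shared secret."""
    if response is None or len(response) < 20 or response[1] != request[1]:
        return False
    expected = _md5(response[:4], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed sample: one registered RADIUS client and one user account.
    SECRET = b"constructed-shared-secret"
    CLIENTS = {"10.1.0.5": SECRET}
    USERS = {b"alice": b"correct horse battery"}
    req = build_access_request(7, b"alice", b"correct horse battery", SECRET)
    resp = ias_handle(req, CLIENTS, USERS, "10.1.0.5")
    print("accept" if resp[0] == ACCESS_ACCEPT and rras_verify(resp, req, SECRET) else "reject")
```

The registration step is the one the exam answer hinges on: an Access-Request from an address that is not configured as a RADIUS client on IAS gets no reply at all, and a client configured with the wrong shared secret both fails authentication (the server recovers garbage for the password) and cannot validate the Access-Reject it receives. Real deployments should also send the Message-Authenticator attribute from RFC 2869, since the plain MD5 constructions shown here are no longer considered strong.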
Question: 137
You are the systems engineer for Examsheets. The network consists of a single Active Directory
domain ExamSheets.net. Examsheets has a main office and two branch offices. All servers run Windows
Server 2003. All client computers run either Windows XP Professional or Windows 2000
Professional. Each branch office maintains a dedicated 256-Kbps connection to the main office.
Each office also maintains a T1 connection to the Internet. Each office has a Microsoft Internet
Security and Acceleration (ISA) Server 2000 computer, which provides firewall and proxy
services on the Internet connection. Each branch office contains one domain controller and five
servers that are not domain controllers. There is a minimal administrative staff at the branch
offices. A new company policy states that all servers must now be remotely administered by
administrators in the main office. The policy states that all remote administrators connections
must be authenticated by the domain and that all traffic must be encrypted. The policy also states
that the remote administration traffic must never be carried in clear text across the Internet. You
choose to implement remote administration by enabling Remote Desktop connections on all
servers on the network. You decide to use the Internet-connected T1 lines for remote
administration connectivity between offices. Because administrative tasks might require
simultaneous connections to multiple servers across the network, you need to ensure that
administrators do not lose connections to servers in one office when they attempt to connect to
servers in another office.
What should you do?
A. Configure Routing and Remote Access on one server in each branch office. Create
L2TP/IPsec VPN ports on these servers. Create new VPN connections to the administrator’s
computers to connect to the VPN servers in the branch offices.
B. Configure a VPN sever in each branch office. Create connections that use IPSec
Authentication Header (AH) in tunnel mode from the main office connect to VPN servers in the
branch offices.
C. Configure a local L2TP/IPSec VPN connection on the ISA Server 2000 firewall computer in the
main office. Configure the ISA Server 2000 firewall computers at the branch offices as remote
L2TP/IPSec VPN servers.
D. Configure a local PPTP VPN connection on the ISA Server 2000 firewall computers in each
branch office. Configure the ISA Server 2000 firewall computer at the main office as a remote
PPTP VPN server.
Answer: C
Explanation:
Option C builds a site-to-site (gateway-to-gateway) L2TP/IPSec VPN between the ISA Server 2000
firewalls, so every Remote Desktop connection from the main office to a branch office server
crosses the Internet inside an IPSec-encrypted tunnel, while the Remote Desktop session itself is
still authenticated by the domain. Windows Server 2003 VPNs use IPSec Encapsulating Security
Payload (ESP) to encrypt the data sent over the L2TP tunnel, which is stronger than the MPPE
encryption used with PPTP. Because the tunnels terminate on the firewalls rather than on the
administrators’ computers, an administrator can hold simultaneous Remote Desktop sessions to
servers in every office without any tunnel being torn down.
Incorrect answers:
A: A remote access (client-to-site) VPN from each administrator’s computer can be connected to
only one branch office at a time; connecting to the VPN server in a second office drops the
sessions to servers in the first, which is exactly what must be avoided.
B: Authentication Header (AH) is one of the two primary IPSec protocols. It provides data
authentication, integrity and anti-replay protection for IP packets but does not provide
confidentiality, so the remote administration traffic would cross the Internet in clear text, in
violation of the policy.
D: PPTP in Windows Server 2003 is based on the existing PPP infrastructure and supports the
same authentication methods as PPP, such as the Password Authentication Protocol (PAP) and
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP); its MPPE encryption keys are
derived from the user’s password. L2TP/IPSec provides greater security.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp.
258, 307-309
Question: 138
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The functional level of the domain is Windows 2000 mixed.
The network contains domain controllers that run Windows Server 2003, Windows 2000 Server,
or Windows NT Server 4.0. The network also contains application servers that run Windows
Server 2003, Windows 2000 Advanced Server, or Windows NT Server 4.0. All client computers
run Windows XP Professional. Examsheets has a main office and branch offices. Each office has
local administrator. Local administrators manage the client computers that are in their offices,
including the Group Policy settings. You want to reduce the possibility of passwords being
compromised through man-in-the-middle attacks during the authentication process between client
computers and servers. You want to ensure that the authentication protocols used by the client
computers are as secure as possible. You are planning the guideline that the local administrators
will use when they configure the Network Security policy setting for client computers. You want to
be as flexible as possible, while still meeting your goals. You need to select the appropriate
authentication type or types for the client computers.
What should you do?
A. Allow LM, NTLM, NTLMv2, and Kerberos.
B. Allow only NTLM, NTLMv2, and Kerberos.
C. Allow only NTLMv2 and Kerberos.
D. Allow only Kerberos.
Answer: C
Explanation:
LAN Manager (LM), NTLM and NTLMv2 are all challenge/response protocols, but they differ greatly
in strength. LM hashes the password by upper-casing it, padding it to 14 characters and using
each 7-character half as a DES key, so the halves can be attacked independently and a captured
challenge/response pair is cheap to crack. NTLM replaces the LM hash with an MD4 hash of the
Unicode password but keeps the same response scheme. NTLMv2, the direct successor to NTLM, adds
a client-generated challenge and timestamp and computes the response with HMAC-MD5, which
defeats precomputed responses and the man-in-the-middle attacks on the exchange that the
question is concerned with. Kerberos is an industry-standard, ticket-based protocol with mutual
authentication and is the default in an Active Directory domain when client, server and domain
controller all run Windows 2000 or later.
Because the domain still contains Windows NT Server 4.0 domain controllers and application
servers, Kerberos cannot be the only protocol: Windows NT 4.0 does not support Kerberos, but
with Service Pack 4 or later it does support NTLMv2. Allowing only NTLMv2 and Kerberos is
therefore the most secure choice that still works against every server, and it is what the local
administrators should enforce through the Network security: LAN Manager authentication level
policy setting (Send NTLMv2 response only, or a higher level).
Incorrect Answers:
A: The LM authentication protocol is weak because of the way its password hash is constructed;
the weakness is well known and widely exploited.
B: NTLM is weaker than its direct successor NTLMv2, and every server in the scenario can use
NTLMv2, so there is no reason to keep allowing NTLM.
D: Windows NT 4.0 domain controllers and application servers are still present and do not
support Kerberos, so Kerberos cannot be used on its own.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 9: 23
Question: 139
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The network contains 10 application servers running Windows
Server 2003. There are 500 client computers on the LAN. The LAN-based client computers are
members of the domain. There are 50 client computers on the Internet. The Internet-based client
computers are not members of the domain. All client computers run Windows XP Professional. All
client computers need to access the application servers. Examsheets purchases certificates from
a commercial certification authority (CA) when needed. The network design requires that all
access to the application servers must be encrypted by using IPSec. The application servers are
configured to refuse any connection that is not encrypted. You need to ensure that the client
computers are authorized to access the application servers. You need to achieve this goal by
using the minimum amount of administrative effort.
What should you do?
A. Configure both the LAN-based client computers and the Internet-based client computers to
use the Kerberos version 5 authentication protocol.
B. Configure both the LAN-based client computers and the Internet-based client computers to
use the certificate-based authentication method with certificates generated by a
commercial CA.
C. Configure the LAN-based client computers to use the Kerberos version 5 authentication
protocol and the Internet-based client computers to use the certificate-based authentication
method with certificates generated by a commercial CA.
D. Configure the LAN-based client computers to use the certificate-based authentication method
with certificates generated by a commercial CA and the Internet-based client computers to use
the Kerberos version 5 authentication protocol.
Answer: C
Explanation:
Kerberos version 5 is the default IPSec authentication method for computers running Windows
Server 2003, Windows XP and Windows 2000 that are members of an Active Directory domain. The 500
LAN-based clients and the application servers already hold domain accounts, so Kerberos needs no
additional configuration for them. The 50 Internet-based clients are not domain members and
cannot obtain Kerberos tickets, so they need a different IPSec authentication method. Preshared
keys are the only other option and are weak and hard to manage; certificates let you protect
network data with a range of cryptographic algorithms and key lengths, and Examsheets already
purchases certificates from a commercial certification authority, which the application servers
can trust without building an internal PKI. Combining the two methods covers every client with
the least administrative effort.
Incorrect Answers:
A: The Internet-based client computers are not members of the domain and cannot use Kerberos.
B: Buying and installing certificates on the 500 LAN-based clients is unnecessary work when
Kerberos already works for them.
D: This reverses the methods: the LAN-based clients would need certificates they do not require,
and the Internet-based clients cannot use Kerberos.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 11: 35
Question: 140
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The network contains 50 Windows Server 2003 computers
and 200 Windows XP Professional computers. Examsheets does not use wireless networking.
The network at Examsheets is shown in the exhibit.
Examsheets enters into a strategic partnership with Adventure Works. Under the strategic
partnership, Adventure Works will regularly send employees to Examsheets. Your design team
interviews Adventure Works administrator and discovers the following:
• Adventure Works employees require access to the Internet to retrieve e-mail messages and to
browse the Internet.
• Adventure Works employees do not need access to the internal network at Examsheets.
• Adventure Works employees all have portable computers that run Windows XP Professional,
and they use a wireless network in their home office.
• The wireless network client computers of Adventure Works employees must be protected from
Internet-based attacks.
Adventure Works sends you a wireless access point that its employees will use to access the
Internet through your network. You are not allowed to change the configuration of the wireless
access point, because any change would require changes to all of the wireless client computers. You need
to develop a plan that will meet the requirements of Adventure Works employees and the security
requirements of Examsheets. Your solution must be secure and must minimize administrative
effort.
What should you do?
A. Install the wireless access point on a separate subnet inside the Examsheets network.
Configure a router to allow only HTTP, IMAP4, and SMTP traffic out of the wireless network.
B. Install the wireless access point on a separate subnet inside the Examsheets network.
Configure a VPN from the wireless network to the Adventure Works office network.
C. Install the wireless access point on the Examsheets perimeter network. Configure Firewall1 to
allow wireless network traffic to and from the Internet. Configure Firewall2 to not allow wireless
traffic into the Examsheets network.
D. Install the wireless access point outside Firewall1 at Examsheets. Obtain IP addresses from
your ISP to support all wireless users.
Answer: C
Explanation:
Placing the access point on the perimeter network, between the two firewalls, gives the visiting
Adventure Works employees what they need and nothing more: Firewall1 passes the wireless
clients' traffic to and from the Internet for browsing and e-mail retrieval, while Firewall2 keeps
that traffic off the Examsheets intranet, which they do not need to reach. The access point keeps
its existing configuration, so nothing has to change on the Adventure Works client computers, and
the wireless clients sit behind Firewall1 rather than directly on the Internet. Thus both
Examsheets and Adventure Works are satisfied.
Incorrect Answers:
A, B: Both options put untrusted wireless clients inside the Examsheets network. A router filter
limited to HTTP, IMAP4 and SMTP still leaves those ports open into the intranet, and a VPN back
to the Adventure Works office does not provide the Internet access the employees need and
requires configuration at both ends.
D: Outside Firewall1 the wireless clients are directly exposed on the Internet with public
addresses, which violates the requirement that they be protected from Internet-based attacks.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, pp. 801-803
Question: 141
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The domain contains a Windows Server 2003 computer
named Examsheets1 that is located in an organizational unit (OU) named Servers. Examsheets1
contains confidential data, and all network communications with Examsheets1 must be encrypted
by using IPSec. The default Client (Respond Only) IPSec policy is enabled in the Default Domain
Policy Group Policy object (GPO). You create a new GPO and link it to the Servers OU. You
configure the new GPO by creating and enabling a custom IPSec policy. You monitor and
discover that network communications with Examsheets1 are not being encrypted. You need to
view all IPSec policies that are being applied to Examsheets1.
What should you do?
A. Use Local Security Policy to view the IP Security Policies on Local Computer for
Examsheets1.
B. Use Local Security Policy to view the Security Options for Examsheets1.
C. Use Resultant Set of Policy (RSoP) to run an RsoP logging mode query to view the IP
Security Policies on Local Computer for Examsheets1.
D. Use Resultant Set of Policy (RSoP) to run an RSoP planning mode query to view the Security
Options for Examsheets1.
E. Use IP Security Monitor to view the Active Policy for Examsheets1.
F. Use IP Security Monitor to view the IKE Policies for Examsheets1.
Answer: C
Explanation:
You can use RSoP to view all the effective group policy settings for a computer or user, including
the IPSec policies. To use RSoP, you must first load the snap-in into an MMC console, and then
perform a query on a specific computer (select Generate RSoP Data from the Action menu),
specifying the information you want to gather. The result is a display of the group policy settings
that the selected computer is using.
You can run an RSoP logging mode query to view all of the IPSec policies that are assigned to an
IPSec client. The query results display the precedence of each IPSec policy assignment, so that
you can quickly determine which IPSec policies are assigned but are not being applied and which
IPSec policy is being applied. The RSoP console also displays detailed settings for the IPSec
policy that is being applied, including the following:
• Filter rules
• Filter actions
• Authentication methods
• Tunnel endpoints
• Connection type
When you run a logging mode query, RSoP retrieves policy information from the WMI repository
on the target computer, and then displays this information in the RSoP console. In this way,
RSoP provides a view of the policy settings that are being applied to a computer at a given time.
Incorrect Answers:
A, B: Local Security Policy shows only the policy objects stored on the local computer; it does not
show the Active Directory-based policies that override them, nor which one is actually in effect.
D: A planning mode query simulates the policy that would apply to a hypothetical user or
computer (and runs only against a domain controller); it does not report what Examsheets1 is
actually applying.
E, F: IP Security Monitor shows the single policy that is currently active and the IKE negotiations,
not the full set of assigned IPSec policies and their precedence, which is what you need to see to
find out why the custom policy lost.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
Chapter 12
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, pp. 768.
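The precedence that RSoP reports for Examsheets1 can be reproduced in a small model. The Python below is an example added here by the editor, not code from the study material or from Microsoft: it encodes the LSDOU processing order, link order within a container, Enforced links and Block Inheritance, and returns the IPSec policy that is applied together with the ones that are assigned but not applied. The container and GPO names (Default-First-Site-Name, Servers IPSec GPO, Examsheets1 Require Encryption) are assumptions chosen to match the question; Windows performs this resolution inside the Group Policy engine, and the model checks only the precedence rule, not the WMI repository that RSoP reads.

```python
"""Constructed model of how Group Policy picks the one IPSec policy a
computer applies, the same precedence an RSoP logging-mode query reports.
Example added by the editor; not from the 70-293 material. Container and
GPO names are assumptions chosen to match the question."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GpoLink:
    gpo: str
    ipsec_policy: Optional[str]      # None: this GPO assigns no IPSec policy
    enforced: bool = False           # "Enforced" (No Override) on the link
    link_order: int = 1              # 1 = highest precedence in its container


@dataclass
class Container:
    """Local computer, site, domain or OU, in the order policy is processed."""
    name: str
    links: List[GpoLink] = field(default_factory=list)
    block_inheritance: bool = False


def resolve_ipsec_policy(chain: List[Container]) -> Tuple[Optional[str], List[Tuple[str, str, int]]]:
    """chain is ordered local, site, domain, OU, child OU ... (LSDOU).

    Returns the winning policy and a precedence table of every assigned IPSec
    policy as (GPO, policy, precedence). Precedence 1 is the one applied; the
    rest are "assigned but not applied", which is what RSoP lists."""
    normal: List[GpoLink] = []
    enforced: List[GpoLink] = []
    for container in chain:
        if container.block_inheritance:
            normal = []      # Block Inheritance drops inherited links, except enforced ones
        # Lower link order = higher precedence, so it must be processed last.
        for link in sorted(container.links, key=lambda l: l.link_order, reverse=True):
            if link.ipsec_policy is None:
                continue
            (enforced if link.enforced else normal).append(link)
    # Enforced links are applied after all others, with the one nearest the
    # root applied last, so a parent's enforced link beats a child's.
    applied_order = normal + list(reversed(enforced))
    table = [(l.gpo, l.ipsec_policy, rank)
             for rank, l in enumerate(reversed(applied_order), start=1)]
    winner = applied_order[-1].ipsec_policy if applied_order else None
    return winner, table


def examsheets1(custom_assigned: bool = True, domain_enforced: bool = False):
    """The scenario from the question: Client (Respond Only) in the Default
    Domain Policy and a custom policy in a GPO linked to the Servers OU."""
    chain = [
        Container("Local Computer Policy"),
        Container("Default-First-Site-Name"),
        Container("ExamSheets.net", [
            GpoLink("Default Domain Policy", "Client (Respond Only)",
                    enforced=domain_enforced)]),
        Container("OU=Servers", [
            GpoLink("Servers IPSec GPO",
                    "Examsheets1 Require Encryption" if custom_assigned else None)]),
    ]
    return resolve_ipsec_policy(chain)


if __name__ == "__main__":
    for kwargs in ({}, {"custom_assigned": False}, {"domain_enforced": True}):
        winner, table = examsheets1(**kwargs)
        print(kwargs or "as described", "->", winner)
        for gpo, policy, rank in table:
            print(f"  {rank}. {gpo}: {policy}")
```

Running it with the custom policy created but never assigned in the GPO (custom_assigned=False), or with the domain link set to Enforced, reproduces two common reasons the OU-linked policy shows up in RSoP as assigned but not applied.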
Question: 142
You are the security analyst for Examsheets. The network consists of a single Active Directory
domain ExamSheets.net. All servers run Windows Server 2003. The network currently does not
have a connection to the Internet. You are in the process of designing an Internet connection
solution for Examsheets. Examsheets Internet security policy includes the following requirements:
• Traffic that originates from outside the Examsheets network must never be passed to the
Examsheets intranet.
• Internal Examsheets resources must not be directly accessible from the Internet.
• Examsheets public Web site must not contain any confidential Examsheets information.
• Examsheets public Web site must be accessible from the Internet, even in the event of the
failure of any Examsheets-owned network component.
You design a network solution that provides strict access control to the Examsheets intranet by
means of a firewall. Your new design includes a perimeter network, which contains resources that
external users or computers might need to access. Your design also includes three computers
running intrusion-detection software: IDS1, IDS2, and IDS3. You now need to plan the placement
of five servers on the network in accordance with the Examsheets Internet security policy. How
should you place the servers to comply with the security policy? To answer, drag the appropriate
server role to the correct network location in the Network Diagram.
Answer:
Explanation:
We must ensure that traffic from outside the ExamSheets network never passes to the
ExamSheets intranet and that internal ExamSheets resources aren’t directly accessible from the
Internet. In addition, the public Web site must be accessible from the Internet even in the event of
the failure of any ExamSheets-owned network component.
To ensure that traffic from outside the ExamSheets network never passes to the ExamSheets
intranet but can access the public web site, we should place the Web server outside the firewall.
For security reasons, services that require access to the Internet should be placed in the
perimeter network. These include Email forwarders and VPN servers. File servers that store user
folders, and email servers that store mailboxes should be placed in the intranet.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 1: 23-28
Question: 143
You are the security analyst for Examsheets. Examsheets network consists of a single Active
Directory domain ExamSheets.net. Examsheets network consists of an intranet and a perimeter
network separated by a firewall. The perimeter network is connected to the Internet by a second
firewall. The perimeter network contains three Windows Server 2003 computers. The servers on
the perimeter network host a custom application that provides product inventory information to
customers. The application is managed by SNMP. Each server has the SNMP service installed.
Two Windows XP Professional computers running SNMP management software are located on
the Examsheets intranet. The internal firewall is configured to allow outbound SNMP traffic from
the intranet to the perimeter network. The firewall does not allow inbound SNMP traffic to the
intranet. The current read-only SNMP community name is Public. The current read-write SNMP
community name is AppCommRW. Examsheets management wants to ensure that the SNMP
traffic on the perimeter network cannot be intercepted by outside parties and used to compromise
application integrity. You need to design a method to secure the SNMP traffic as it passes from
the intranet to the perimeter network. Because of budget constraints, you cannot add any new
hardware or software. Your solution must not affect customer access to the application. You need
to ensure that all SNMP management traffic for the application is secure and cannot be used to
compromise network security.
What should you do?
A. Change the read-only SNMP community name to AppCommRO. On each application server,
configure the SNMP service to send only application-specific SNMP information to the
management client computers, to send authentication traps for both community names, and to
accept only SNMP packets from the IP addresses of the management client computers.
B. Create an IPSec filter named SNMP Messages for the default SNMP ports in the local security
policy on the management client computers and on the application server. Create and assign
a new IPSec policy that requires security by using the SNMP Messages filter in the local
security policy on the management client computers and on the application servers. Configure
the internal firewall to allow outbound IPSec traffic from the intranet.
C. Change the community rights for the Public community to Notify. Change the community rights
for the AppCommRW community to Read-Create. On each application server, configure the
SNMP service to log on by using a domain user account instead of the local system account
and to send authentication traps for the AppCommRW community name. Configure the
internal firewall to allow inbound SNMP traffic from the perimeter network.
D. Create an organizational unit (OU) named SNMP Computers. Add the management client
computers and the application servers to the SNMP Computers OU. Assign the Secure Server
(Require Security) IPSec policy to the SNMP Computers OU. Configure the internal firewall to
allow outbound IPSec traffic from the intranet.
Answer: B
Explanation:
The SNMP service in Windows Server 2003 speaks SNMP version 1 and 2c, which carry the
community name, every request and every response in cleartext on UDP port 161 (traps on UDP
port 162). Anyone who can capture traffic on the perimeter network therefore learns the
read-write community name AppCommRW and can forge management requests against the
application. Windows Server 2003 and Windows XP already include IPSec, so encrypting this
traffic needs no new hardware or software: a filter list that matches the SNMP ports, a filter
action that requires security, and a policy assigned in the local security policy of the two
management clients and the three application servers cause all SNMP traffic between them to be
negotiated with IKE and carried inside ESP. Because the policy matches only the SNMP ports,
customer access to the application on its own ports is unaffected. The internal firewall then has to
pass the IPSec traffic from the intranet (IKE on UDP port 500 and ESP, IP protocol 50) in place of
plain SNMP.
Incorrect answers:
A: Renaming the read-only community, accepting packets only from the management stations
and sending authentication traps all reduce exposure, but the traffic stays in cleartext, so a sniffer
on the perimeter network still recovers AppCommRW.
C: Community rights and the service's logon account do not encrypt anything, and opening the
internal firewall to inbound SNMP from the perimeter network widens the attack surface instead of
reducing it.
D: The Secure Server (Require Security) policy demands IPSec for all traffic, so the application
servers would refuse customer connections that cannot negotiate IPSec, which the question rules
out. The extra OU is not the problem; the policy is.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, pp. 728-730
http://support.microsoft.com/default.aspx?scid=kb;en-us;324261&Product=winsvr2003
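To see why option B is needed it helps to look at the bytes. The Python below is an example added by the editor, not code from the study guide or from Microsoft: it encodes an SNMPv1 GetRequest with just enough BER, then parses the community name back out of the datagram the way a sniffer on the perimeter network would. The community names are the ones from the question, the OID is sysName.0 (1.3.6.1.2.1.1.5.0), and nothing is sent on the wire.

```python
"""Constructed SNMPv1 encoder/decoder (just enough BER) to show what a
sniffer on the perimeter network sees when SNMP is not wrapped in IPSec.
Example added by the editor, not taken from the 70-293 material. The
community names are the ones used in the question; the OID is sysName.0."""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _integer(value: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        septets = []
        while True:
            septets.append(arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        septets.reverse()
        out.extend(s | 0x80 for s in septets[:-1])   # continuation bit set
        out.append(septets[-1])
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """An SNMPv1 GetRequest datagram for one OID, as a manager sends it to UDP/161."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))                # OID + NULL
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)  # error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0)                                      # version 0 = SNMPv1
                + _tlv(0x04, community.encode("ascii"))                # community, cleartext
                + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_community(datagram: bytes):
    """What a passive capture yields: (version, community) for an SNMPv1/v2c
    message, or None if the bytes do not start like one."""
    try:
        tag, msg, _ = _read_tlv(datagram, 0)
        if tag != 0x30:
            return None
        vtag, version, pos = _read_tlv(msg, 0)
        ctag, community, _ = _read_tlv(msg, pos)
    except IndexError:
        return None
    if vtag != 0x02 or ctag != 0x04:
        return None
    return int.from_bytes(version, "big", signed=True), community.decode("ascii", "replace")


if __name__ == "__main__":
    for name in ("Public", "AppCommRW"):
        pkt = build_get_request(name, "1.3.6.1.2.1.1.5.0")
        print(pkt.hex(), "->", extract_community(pkt))
```

With option B in place the same datagram travels inside ESP between the management station and the server, so an observer on the perimeter network sees only the ESP header and ciphertext and the parser has no SNMP structure to find; the community name never appears on the wire.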
Question: 144
You are the network administrator for ExamSheets.net. The network contains 20 Windows Server
2003 database servers. The written security policy for Examsheets requires that the following
services must be disabled on all database server computers:
• Computer Browser
• File Replication
• Indexing Service
• Remote Registry
• Server
• Task Scheduler
The written security policy also requires that the database servers be prohibited from accessing
the Internet.
You use a Windows XP Professional client computer named Examsheets1 that has access to the
Internet. You need to perform a weekly analysis of the hotfix level of the database servers
compared with the latest available updates. You need to minimize the amount of administrative
effort.
What should you do?
A. Schedule the mbsacli.exe command to run weekly on Examsheets1. Configure the
mbsacli.exe parameters to use a file that contains the names of all database servers.
B. Each week, copy the Mssecure.cab file from the Microsoft Web site to Examsheets1 and
initiate a Remote Desktop connection to each database server. Run the mbsacli.exe
command on each database server. Configure the mbsacli.exe parameters to reference
Examsheets1 as a data source for the hotfix information.
C. Each week, initiate a Remote Desktop connection to each database server. Run the wmic.exe
qfe command on each database server.
D. Each week, initiate a Remote Desktop connection to each database server. Run the hotfix.exe
command on each database server.
Answer: B
Explanation:
Microsoft Baseline Security Analyzer (MBSA) compares the hotfixes installed on a computer with
the catalog of available updates in Mssecure.cab, which it normally downloads from Microsoft,
and reports what is missing and how to correct it. mbsacli.exe is its command-line program: the
/c domainname\computername parameter scans the named computer and -i ipaddress scans
by IP address, the local computer being the default. Because the database servers may not
reach the Internet, the catalog has to be downloaded on Examsheets1 and referenced from each
server when the scan runs; because the security policy disables the Server and Remote Registry
services on the database servers, the scan has to be run on each server itself rather than
remotely.
Incorrect Answers:
A: A remote MBSA scan reads the target through the Remote Registry service and the
administrative shares provided by the Server service. Both are disabled on the database servers
by policy, so a scheduled scan from Examsheets1 would fail against every one of them.
C: wmic qfe lists the hotfixes that are installed but does not compare them with the latest
available updates, so the analysis would still have to be done by hand.
D: hotfix.exe installs a single hotfix; it is not an audit tool and would not minimize effort.
Reference:
Laura E. Hunter, Brian Barber, and Melissa Craft; Planning, Implementing and Maintaining a
Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Study Guide & DVD
Training System, Syngress Publishing, Rockland, MA, Chapter 8, pp. 480, 481 and 489.
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, pp. 828.
Question: 145
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All computers on the network are members of the domain.
You are planning a public key infrastructure (PKI) for Examsheets. You want to deploy smart
cards for all users in the domain. You want the members of a new group named Smartcard
Agents to be able to issue smart cards for all users. You create a new global group named
Smartcard Agents. You install an enterprise certification authority (CA) on a Windows Server
2003 computer named Examsheets1. You create a duplicate of the Enrollment Agent certificate
template and change the validity period of the new certificate template to three years. The name
of the new certificate template is SmartCard Enrollment. The configuration of permissions for the
Smartcard Enrollment certificate template as shown in exhibit.
However, members of the Smartcard Agents group report that when they start the Certificate
Request Wizard, they do not see Smartcard Enrollment in the list of certificate types that they can
request. You want to ensure that members of the Smartcard Agents group request SmartCard
Enrollment certificates.
What should you do?
A. Assign the Smartcard Agents group the Allow – Autoenroll permission for the Smartcard
Enrollment certificate template.
B. Add the Enrollment Agent certificate template to the list of superseded templates on the
Smartcard certificate template.
C. Configure the enterprise CA to enable the Smartcard Enrollment certificate template.
D. Configure the enterprise CA to assign the Certificate Managers role to the Smartcard Agents
group.
E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web
enrollment pages to request certificates.
Answer: C
Explanation:
Duplicating a template only creates a new template object in Active Directory. An enterprise CA
issues certificates based on a template only after that template has been added to the CA's
Certificate Templates folder (in the Certification Authority console: Certificate Templates, New,
Certificate Template to Issue). Until the CA is configured to issue Smartcard Enrollment, the
Certificate Request Wizard does not list it, regardless of the permissions granted on the template.
Once it is enabled, a user with Read and Enroll permission on the template can request it from
the wizard and then use the Enrollment Agent certificate to enroll smart cards on behalf of other
users.
Incorrect Answers:
A: The Autoenroll permission matters only for automatic enrollment through Group Policy
(Autoenrollment Settings under Computer Configuration or User Configuration/Windows
Settings/Security Settings/Public Key Policies). A manual request through the Certificate Request
Wizard needs only Read and Enroll, and a template the CA does not issue stays invisible however
its permissions are set.
B: Supersedence controls which older certificates autoenrollment replaces; it does not make a
template available for request.
D: The Certificate Manager role lets its holders approve, deny and revoke requests on the CA; it
does not publish templates or grant enrollment rights.
E: The Web enrollment pages offer the same set of templates the CA issues, so the template
would be missing there as well.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13: 12; 18: 16
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, pp. 892, 895-897
Question: 146
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The domain name is ExamSheets.net. The network contains
three Windows Server 2003 domain controllers. You are creating the recovery plan for
Examsheets. According to the existing backup plan, domain controllers are backed up by using
normal backups each night. The normal backups of the domain controllers include the system
state of each domain controller. Your recovery plan must incorporate the following organizational
requirements:
• Active Directory objects that are accidentally or maliciously deleted must be recoverable.
• Active Directory must be restored to its most recent state as quickly as possible.
• Active Directory database replication must be minimized.
You need to create a plan to restore a deleted organizational unit (OU).
Which two actions should you include in your plan? (Each correct answer presents part of the
solution. Choose two)
A. Restart a domain controller in Directory Services Restore Mode.
B. Restart a domain controller in Safe Mode.
C. Use the Ntdsutil controller in Safe Mode.
D. Restore the system state by using the Always replace the file on my computer option.
E. Use the Ntdsutil to perform an authoritative restore operation of the appropriate subtree.
Answer: A E
Explanation:
If an OU gets deleted from the Active Directory, we can restore it from a backup of the system
state data. Directory Services Restore Mode is a sort of safe mode in which we can boot a
domain controller without loading the Active Directory. This will enable us to restore all or part of
the Active Directory database. To ensure that the deleted OU isn’t deleted again by replication
from another domain controller, we must use the Ntdsutil utility to mark the restored subtree as
authoritative.
Incorrect Answers:
B: To restore part of the Active Directory, we must start a domain controller in Directory Services
Restore Mode, not safe mode.
C: We don’t need to restore the entire Active Directory database; we can just restore part of it.
D: This will overwrite the existing Active Directory database.
References:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 2-49 to 2-53.
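The replication conflict that the authoritative restore guards against can be simulated. The Python below is an example added here by the editor, not from the study material: two replicas resolve attribute conflicts by version number and originating time, as Active Directory does, and the authoritative restore inflates the restored versions by 100,000 per day since the backup, which is the default increment ntdsutil applies. The DC names, the OU name and the time stamps are constructed; USNs, up-to-dateness vectors and the tombstone lifetime are deliberately left out so that the conflict rule stays visible.

```python
"""Constructed model of why a deleted OU must be restored *authoritatively*.
Active Directory decides replication conflicts per attribute by version
number (higher wins, ties go to the later originating write), and an
authoritative restore raises the version of every restored attribute by
100,000 per day since the backup so the restored copy beats the tombstone.
Example added by the editor; not from the 70-293 material. It ignores USNs,
up-to-dateness vectors and the tombstone lifetime."""
import copy
from dataclasses import dataclass


@dataclass
class Attr:
    value: object
    version: int
    stamp: int          # originating write time (constructed integer ticks)


class Replica:
    """One domain controller's copy of the directory (dn -> attribute map)."""

    def __init__(self, name: str):
        self.name = name
        self.objects = {}

    def write(self, dn: str, attr: str, value, stamp: int) -> None:
        """Originating write: bump the attribute's version, as a DC does."""
        obj = self.objects.setdefault(dn, {})
        old = obj.get(attr)
        obj[attr] = Attr(value, old.version + 1 if old else 1, stamp)

    def delete(self, dn: str, stamp: int) -> None:
        self.write(dn, "isDeleted", True, stamp)      # turn the object into a tombstone

    def is_live(self, dn: str) -> bool:
        obj = self.objects.get(dn)
        flag = obj.get("isDeleted") if obj else None
        return obj is not None and not (flag and flag.value)

    def replicate_from(self, source: "Replica") -> None:
        """Inbound replication with AD's conflict rule: higher version wins,
        equal versions go to the later originating write."""
        for dn, attrs in source.objects.items():
            mine = self.objects.setdefault(dn, {})
            for name, theirs in attrs.items():
                cur = mine.get(name)
                if cur is None or (theirs.version, theirs.stamp) > (cur.version, cur.stamp):
                    mine[name] = copy.copy(theirs)

    def backup(self) -> dict:
        return copy.deepcopy(self.objects)          # the nightly system-state backup

    def restore(self, snapshot: dict, dns, authoritative: bool,
                days_since_backup: int = 1) -> None:
        """Restore selected objects from the backup. A non-authoritative restore
        puts the old versions back unchanged; "ntdsutil ... restore subtree"
        additionally inflates them by 100,000 per day since the backup."""
        for dn in dns:
            self.objects[dn] = copy.deepcopy(snapshot[dn])
            if authoritative:
                for a in self.objects[dn].values():
                    a.version += 100_000 * days_since_backup


OU = "OU=Sales,DC=ExamSheets,DC=net"       # constructed name


def scenario(authoritative: bool):
    """Create the OU, back it up, delete it, restore it on DC1 one way or the
    other, let replication run both ways, and report (live on DC1, live on DC2)."""
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    dc1.write(OU, "name", "Sales", stamp=1)
    dc1.write(OU, "isDeleted", False, stamp=1)
    dc2.replicate_from(dc1)
    snapshot = dc1.backup()
    dc2.delete(OU, stamp=2)                 # accidental or malicious deletion
    dc1.replicate_from(dc2)                 # the tombstone reaches DC1
    assert not dc1.is_live(OU) and not dc2.is_live(OU)
    dc1.restore(snapshot, [OU], authoritative)   # done in Directory Services Restore Mode
    dc1.replicate_from(dc2)                 # does DC2's tombstone win again?
    dc2.replicate_from(dc1)                 # or does DC1's restored copy win?
    return dc1.is_live(OU), dc2.is_live(OU)


if __name__ == "__main__":
    print("non-authoritative:", scenario(False))   # deletion replicates back
    print("authoritative:   ", scenario(True))     # OU survives on both DCs
```

The non-authoritative run shows answer D's failure mode: the restored OU has version 1, the tombstone on the other domain controller has version 2, so the next replication cycle deletes it again. The authoritative run shows why answer E is part of the plan: the inflated version makes the restored subtree win and replicate back out to the other domain controllers.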
Question: 147
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All computers on the network are members of the domain.
You administer a Network Load Balancing cluster that consists of three nodes. Each node runs
Windows Server 2003 and contains a single network adapter, The Network Load Balancing
cluster can run only in unicast mode. The Network Load Balancing cluster has converged
successfully. To increase the utilization of the cluster, you decide to move a particular application
to each node of the cluster. For this application to run, you must add a Network Load Balancing
port rule to the nodes of the cluster. You start Network Load Balancing Manager on the second
node of the cluster. However, Network Load Balancing Manager displays a message that it
cannot communicate with the other two nodes of the cluster. You want to add the port rule to the
nodes of the cluster.
What should you do?
A. Use Network Load Balancing Manager on the Network Load Balancing default host to add the
port rule.
B. Change the host priority of the second node to be the highest in the cluster, and then use
Network Load Balancing Manager to add the port rule.
C. Run the nlb.exe drain command on each node, and then use Network Load Balancing
Manager to add the port rule.
D. Add the port rule through Network Connections Properties on each node.
Answer: D
Explanation:
Network Load Balancing Manager is the preferred method, but since it cannot communicate with
the other two nodes of the cluster you can also open the Network Load Balancing Properties
dialog box through the Network Connections tool. If you use the Network Connections tool, you
must make the same configuration changes on every cluster host. Using both Network Load
Balancing Manager and the Network Connections tool together to change Network Load
Balancing properties may create unpredictable results.
The parameters that are set in the Network Load Balancing Properties dialog box are recorded
in the registry on each host. Changes to Network Load Balancing parameters are applied when
you click OK in the Network Load Balancing Properties dialog box. Clicking OK stops Network
Load Balancing (if it is running), reloads the parameters, and then restarts cluster operations.
Incorrect Answers:
A, B, C: The question states that the Network Load Balancing Manager: “cannot communicate
with the other two nodes of the cluster”.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows
Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7: 21-25
http://support.microsoft.com/default.aspx?scid=kb;en-us;323437&Product=winsvr2003
Question: 148
You are a network administrator for Examsheets. You install an intranet application on three
Windows Server 2003 computers. You configure the servers as a Network Load Balancing
cluster. You configure each server with two network adapters. One network adapter provides
client computers access to the servers. The second network adapter is for cluster
communications. Cluster communications is on a separate network segment. The network team
wants to reduce the cluster’s vulnerability to attack. These servers need to be highly available.
The network team decides that the Network Load Balancing cluster needs to filter IP ports. The
team wants the cluster to allow only the ports that are required for the intranet application. You
need to implement filtering so that only the intranet application ports are available on the cluster.
You need to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Use Network Load Balancing Manager to configure port rules. Allow only the intranet
application ports on the cluster IP address.
B. Use TCP/IP filtering on each server. Configure only the intranet application ports on the
network adapter that provides client computers access to the servers.
C. Use TCP/IP filtering on each server. Configure only the intranet application ports on both of
the network adapters.
D. Configure Routing and Remote Access on each server. Use Routing and Remote Access
input filters to allow only the intranet application ports on the network adapter that provides
client computers access to the servers.
Answer: A
Explanation:
Port rules are part of the NLB cluster configuration, so a single set of rules defined in Network
Load Balancing Manager is applied to every node. A port rule for the intranet application's ports
with a load-balancing filtering mode, together with a rule for the remaining port range whose
filtering mode is Disabled, makes the cluster IP address drop everything except the application
traffic, and it does so in one place.
Incorrect answers:
B, C: TCP/IP filtering would also work, but it has to be configured separately on each of the three
servers, and option C additionally restricts the adapter used for cluster communications, which
was not asked for.
D: Routing and Remote Access adds a role and per-server input filters that the cluster's own port
rules make unnecessary.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
Chapter 12.
Question: 149
You are a network administrator for Examsheets. The network contains four Windows Server
2003 computers configured as a four-node server cluster. Each cluster node is the preferred
owner of a clustered instance of Microsoft SQL Server 2000, and each cluster node is configured
as a possible owner of all other instances of SQL Server. All nodes have identically configured
hardware. All four nodes operate at a sustained 70 percent CPU average. You add a server that
has identically configured hardware to the cluster as a fifth node. You want each SQL Server
instance to continue operating at the same level of performance in the event of a single node
failure.
What should you do?
A. Clear the Affect group check box in the cluster resource properties for each SQL Server
instance.
B. Configure the fifth node as the only possible owner, other than the existing preferred owner, of
the cluster resources that are associated with each SQL Server instance.
C. Configure the fifth node as the preferred owner of each cluster group that contains an SQL
Server instance.
D. Enable failback on each group that contains an SQL Server instance.
Answer: B
Explanation:
Clustering is intended for organizations running applications that must be available, making any
server downtime unacceptable. In a server cluster, each computer is running the same critical
applications, so that if one server fails, the others detect the failure and take over at a moment's
notice. This is called failover. In the question it is mentioned that a fifth node is added. The other
four nodes are each configured as preferred owner. Thus if you configure the added node as the
only possible owner, other than the existing preferred owner, of the resources associated with
each SQL Server instance, then each SQL Server instance will continue at the same level of
performance in case a single node fails.
Incorrect answers:
A: Clearing the Affect group check box is not going to ensure that the other nodes will continue to
operate at the same level of performance in case of single node failure.
C: This would be the wrong configuration for the purposes of this question.
D: Failback is when the failed node returns to service, the other nodes take notice and the cluster
begins to use the recovered node again. This will not ensure that each of the SQL Server
instances continues to operate at the same level of performance.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;296799&Product=winsvr2003
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 2
Question: 150
You are a network administrator for Examsheets. The network contains a Windows Server 2003
computer named Examsheets1. You install a custom mission-critical application on Examsheets1
for the shipping department. You install the application on drive D of Examsheets1. You configure
the application database on drive D, and you configure the application database log files on drive
E of Examsheets1. After running successfully for six days, the custom application fails. You
investigate and find out that drive E is almost completely filled with the application’s log files. The
application’s backup program is not properly deleting log files. Security requirements do not allow
log files to be deleted unless the database on Examsheets1 has been backed up. You can keep
the application running by manually backing up the application database and then deleting the log
files. You need an automated process to keep the application running until a long-term solution
can be provided. Because of the size of the database, you need to minimize the number of
backups performed.
What should you do?
A. Create a script that backs up the database and then deletes the log files. Configure an alert on
Examsheets1 to run the script when there is less than 20 percent of free space on drive E.
B. Create a script that backs up the database and deletes the log files. Configure an event trigger
on Examsheets1 to run the script when drive D has 20 percent free space.
C. Create a script that backs up the log files and then deletes the log files. Configure a scheduled
task to run the script on Examsheets1 each night.
D. Create a script that backs up the database and then deletes the log files. Configure a
scheduled task to run the script on Examsheets1 each night.
Answer: A
Explanation:
You can set an alert on a performance counter so that, when the configured threshold on the
counter is breached, an administrative message is sent, an application is executed, or a log is
started.
Incorrect Answers:
B: The log files are located on drive E.
C: Security requirements state that the database has to be backed up, not the log files.
D: The question requires you to minimize the number of backups performed, and this option will
not.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, p. 602
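The script from answer A, as an added example that is not part of the original Q&A: it models drive D and drive E as directories, takes the free-space fraction as a parameter (in the real setup the Performance alert supplies the trigger), and deletes log files only after a verified backup, which is what the security requirement demands. The database and log file names, and the run_demo helper, are constructed for illustration.

```python
"""Backup-then-purge automation for the drive E log scenario (added example)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import List

# The alert in answer A fires when less than 20 percent of drive E is free.
FREE_SPACE_THRESHOLD = 0.20


def free_fraction(path: Path) -> float:
    """Fraction of free space on the volume holding `path` (the counter the alert watches)."""
    usage = shutil.disk_usage(path)
    return usage.free / usage.total


def sha256_of(path: Path) -> str:
    """Hash a file so the backup copy can be verified before any log is deleted."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_database(db_path: Path, backup_dir: Path) -> Path:
    """Copy the database file and verify the copy; raises if the backup cannot be trusted."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    dest = backup_dir / f"{db_path.name}.{stamp}.bak"
    counter = 1
    while dest.exists():                      # never silently overwrite an earlier backup
        dest = backup_dir / f"{db_path.name}.{stamp}-{counter}.bak"
        counter += 1
    shutil.copy2(db_path, dest)
    if sha256_of(dest) != sha256_of(db_path):
        dest.unlink()
        raise RuntimeError("backup verification failed")
    return dest


def purge_logs(log_dir: Path, pattern: str = "*.log") -> List[str]:
    """Delete the application's log files; only ever called after a verified backup."""
    removed = []
    for log in sorted(log_dir.glob(pattern)):
        log.unlink()
        removed.append(log.name)
    return removed


def maintain(db_path: Path, log_dir: Path, backup_dir: Path, free: float) -> dict:
    """Body of the script the alert runs. `free` is the log drive's free-space fraction,
    passed in so the threshold logic can be exercised without filling a real disk."""
    result = {"backed_up": None, "deleted": [], "error": None}
    if free >= FREE_SPACE_THRESHOLD:
        return result                         # enough room: no backup, no deletion
    try:
        result["backed_up"] = str(backup_database(db_path, backup_dir))
    except (OSError, RuntimeError) as exc:
        result["error"] = str(exc)            # backup failed: the logs stay
        return result
    result["deleted"] = purge_logs(log_dir)
    return result


def run_demo(free: float, db_present: bool = True) -> dict:
    """Lay out constructed sample data in a scratch directory, run maintain(), report."""
    root = Path(tempfile.mkdtemp(prefix="examsheets1-"))
    try:
        drive_d, drive_e = root / "D", root / "E"
        drive_d.mkdir()
        drive_e.mkdir()
        db = drive_d / "shipping.mdb"         # constructed database file name
        if db_present:
            db.write_bytes(b"constructed database contents\n" * 64)
        for i in range(3):
            (drive_e / f"shipping{i}.log").write_text(f"constructed log {i}\n")
        outcome = maintain(db, drive_e, drive_d / "backups", free)
        outcome["logs_remaining"] = len(list(drive_e.glob("*.log")))
        outcome["backup_verified"] = bool(
            outcome["backed_up"] and sha256_of(Path(outcome["backed_up"])) == sha256_of(db)
        )
        return outcome
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo(free=0.50))                    # above threshold: nothing happens
    print(run_demo(free=0.10))                    # below threshold: backup, verify, purge
    print(run_demo(free=0.10, db_present=False))  # backup fails: logs are kept
```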
Question: 151
You are the network administrator for Examsheets. Examsheets has a main office in San
Francisco and branch offices in London and Vancouver. The network consists of a single Active
Directory domain ExamSheets.net. The network contains four Windows Server 2003 domain
controllers. There are two domain controllers in the main office and one in each branch office.
The domain controllers are DNS servers. Network services are monitored centrally from the main
office. You review the DNS server event logs remotely from the main office during the monthly
maintenance routine. During the monthly maintenance, you find out that some of the DNS event
history is missing. You need to ensure that all DNS event history is retained until you manually
clear it. How should you modify each domain controller?
A. Use DNS Manager to select the All Events option on the Event Logging tab in the DNS Server
properties.
B. Use DNS Manager to select the Do not overwrite events option on the General tab in the DNS
Events properties.
C. Use Event Viewer to set the Maximum log size to 512 KB in the DNS Server properties.
D. Use Event Viewer to select the Do not overwrite events option in the Application properties.
Answer: D
Explanation:
Leaving the default setting of Overwrite Events As Needed on the Security log could overwrite
important resource access or other security-related data if the log is not checked often. The
question mentions that some of the DNS event history is missing, and it could be a result of the
Overwrite Events As Needed setting. To ensure that all events are retained, you should select
Do Not Overwrite Events (Clear Log Manually). This configuration will halt event logging when
the log reaches the maximum size and will afford you the opportunity to manually clear the log,
so that information is deleted only through user intervention.
Incorrect answers:
A: This will not ensure that you will not lose information of the DNS history that is logged.
B: The General tab will not yield the proper options for you to set the required retention method
so as not to lose DNS history that should have been logged.
C: Setting the Maximum log size to 512 KB in the DNS server properties only specifies the size of
the log. You still have to choose a retention method.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Laura E. Hunter and Will Schmied,
Managing and Maintaining a Windows Server 2003 Environment Study Guide & DVD Training
System, Syngress Publishing Rockland, 2004, p. 767
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering
Windows Server 2003, Sybex Inc. Alameda, 2003, pp. 1477-1478
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing
and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond,
Washington, 2004, pp. 12-5, 12-34.
Question: 152
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. All servers run Windows Server 2003. All client computers run
Windows XP Professional. The network consists of three physical subnets, which correspond to
the three buildings on the Examsheets campus, as shown in the Network Diagram exhibit.
All servers have manually configured IP addresses. All client computers receive their TCP/IP
configuration information from a DHCP server located on the Building1 subnet. The DHCP server
has one scope configured for each subnet. Users on the Building2 subnet and the Building3
subnet report that they periodically cannot connect to network resources located on any subnet.
You discover that during times of high network usage, client computers in Building2 and Building3
are configured as shown in the Network Connection Details exhibit.
You need to ensure that all client computers receive valid IP addresses for their subnet even
during times of high network usage.
What should you do?
A. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each
DHCP server, configure identical scopes for each subnet.
B. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each
DHCP server, configure a single subnet-specific scope.
C. Configure one DHCP relay agent on the Building2 subnet and one on the Building3 subnet to
forward DHCP requests to the Building1 subnet DHCP server.
D. Configure an administrative template in the Default Domain Policy Group Policy object (GPO)
to disable Automatic Private IP addressing (APIPA) on the client computers.
Answer: B
Explanation:
DHCP is a service that, when installed and configured correctly, will take a massive
administration burden off any network administrator or engineer. DHCP works with the
assignment of IP addresses on your network. In other words, when you want your network clients
to communicate with any device on the network, they need to speak the same protocol and be
assigned with a unique logical address. This address (called an IP address) allows for this.
Scope is the pool of Internet Protocol (IP) addresses on a given subnet that a Dynamic Host
Configuration Protocol (DHCP) server is configured to assign to clients when using the automatic
or dynamic allocation method.
A subnet is a group of computers on a Transmission Control Protocol/Internet Protocol (TCP/IP)
network that share a common network identifier. In some cases, a TCP/IP network is divided into
multiple subnets by modifying the subnet mask and designating some of the host identifier bits as
subnet identifier bits.
Incorrect Answers:
A: Configuring identical scopes on two separate networks will create a network address conflict.
C: DHCP Relay agents are used when the router cannot pass DHCP requests; however, the
problem in this case only occurs during times of high network usage. A DHCP Relay agent won’t
resolve this problem.
D: APIPA is used automatically when the DHCP client cannot locate the DHCP server. If we
disable APIPA on all client computers, we would need to configure each computer with an
alternative IP configuration.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure
Question: 153
You are the network administrator for Examsheets. Examsheets has an internal network and a
perimeter network, as shown in the work area. The internal network consists of a single Active
Directory domain ExamSheets.net. The internal network contains a Windows Server 2003
domain controller named DC1, which runs the DNS Server service. The internal network also
contains a Windows Server 2003 file server named Examsheets1, which runs the DHCP Server
service. The network contains 500 Windows XP Professional computers. The perimeter network
contains a public Web server named WebES1. The internal network is connected to the perimeter
network by a firewall. The perimeter network is connected to the Internet. You need to plan an IP
address strategy. The IP address strategy must provide TCP/IP connectivity from the internal
network to WebES1. Examsheets wants to reduce administrative overhead by automatically
assigning IP addresses whenever possible. You need to choose the appropriate IP addressing
distribution method for the computers on the networks. To answer, drag the appropriate IP
addressing distribution method or methods to the correct computer or computers in the work
area.
Answer:
Explanation:
Static and dynamic routing both provide the same level of router performance. The drawbacks of
static routing are the amount of manual maintenance the process requires and the routers’
inability to compensate for changes in the network configuration. Dynamic routing enables routers
to compensate for a failed router or WAN link, but it can generate a considerable amount of
additional network traffic. Thus to comply with the requirements of providing TCP/IP connectivity
from the internal network to WebES1 and still reducing administrative overhead, the above
configuration will be the solution.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, pp. 5: 12-13
Question: 154
You are a network administrator for Examsheets. All servers run Windows Server 2003. All client
computers run Windows XP Professional. The network contains a single DHCP server that
services two subnets named SubnetES1 and SubnetES2, as shown in the work area. All servers
and the administrator client computer have manually assigned IP addresses. All other client
computers are DHCP clients. The router on your network fails and is replaced by another router.
After the router is replaced, client computers on SubnetES2 cannot receive IP addressing from
the DHCP server. You need to configure an appropriate host to be a DHCP relay agent. Which
component should you use?
To answer, select the appropriate component in the work area.
Answer: Select the print server
Explanation:
DHCP relay agents intercept DHCP Discover packets and forward them to a remote DHCP
server whose address has been preconfigured. Although DHCP Relay Agent is configured
through Routing And Remote Access, the computer hosting the agent does not need to be
functioning as an actual router between subnets.
Reference:
J. C. Mackin, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and
Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond,
Washington, Chapter 9.
Question: 155
You are the network administrator for ExamSheets.net. The network contains Windows Server
2003 computers and Windows XP Professional computers. Examsheets deploys two DNS
servers. Both DNS servers run Windows Server 2003. One DNS server is inside of the corporate
firewall, and the other DNS server is outside of the firewall. The external DNS server provides
name resolution for the external Internet name of Examsheets on the Internet, and it is configured
with root hints. The internal DNS server hosts the DNS zones related to the internal network
configuration, and it is not configured with root hints. You want to limit the exposure of the client
computers to DNS-related attacks from the Internet, without limiting their access to Internet-based
sites. Which two actions should you take? (Each correct answer presents part of the solution.
Choose two)
A. Configure the client computers to use only the internal DNS server.
B. Configure the client computers to use both DNS servers. List the internal DNS server first.
C. Configure the firewall to allow only network traffic on the DNS ports.
D. On the internal DNS server, disable recursion.
E. On the internal DNS server, configure the external DNS server as forwarder.
F. On the internal DNS server, add the external DNS server as the only root hint.
Answer: A E
Explanation:
Install one server on your perimeter network, for Internet name resolution, and another on your
internal network, to host your private namespace and provide internal name resolution services.
Then configure the internal DNS server to forward all Internet name resolution requests to the
external DNS server. This way, no computers on the Internet communicate directly with your
internal DNS server, making it less vulnerable to all kinds of attacks.
Incorrect Answers:
B: The internal DNS server is not configured with root hints, so it will not be able to resolve
names outside its domain.
C: Clearly this is incorrect, as it will not limit the exposure of the client computers to DNS-related
attacks from the Internet.
D: If recursion is disabled, the internal DNS server would still need root hints to hand out referrals.
F: The root hints are a DNS server's list of root name server addresses, which it uses to resolve
names outside its domain. In this way DNS can resolve Internet queries, but it is not a best
practice because it can give negative answers for the domain.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
Chapter 4.
Question: 156
You are the network administrator for ExamSheets.net. The network contains 10 Web servers
that run Windows Server 2003, Web Edition. The Web servers are located in an organizational
unit (OU) named Web_Servers. A security analysis of the Web servers reveals that they all
contain several security settings that are critical vulnerabilities. You need to modify the security
settings on the Web servers as quickly as possible while minimizing the performance impact on the
servers. You want the new settings to be periodically enforced without administrative intervention.
What should you do?
A. Create a Group Policy object (GPO) and link to the Web_Servers OU. Configure the
appropriate security settings in the GPO. On each server, run the secedit /refreshpolicy
machine_policy command.
B. Create a Group Policy object (GPO) and link it to the Web_Servers OU. Configure the
appropriate security settings in the GPO. On each server, run the gpupdate /target:computer
command.
C. Configure a security template that contains the appropriate security settings and name it
Websec.inf. On each server, run the secedit /configure /db secedit.sdb /cfg websec.inf
command.
D. Configure a security template that contains the appropriate security settings and name it
Websec.inf. On each server, run the secedit /import /db secedit.sdb /cfg websec.inf command.
Answer: B
Explanation:
/target:computer allows you to specify that only Computer policy settings should be refreshed.
By default, both User and Computer policy settings are refreshed.
Incorrect Answers:
A: The secedit /refreshpolicy machine_policy command is available on Windows 2000
Server but is replaced by gpupdate in Windows Server 2003.
C: This configures local security policy settings by applying the stored database settings.
D: This imports a security template into the named database.
Reference:
Laura E. Hunter, Brian Barber, Melissa Craft, Norris L. Johnson, Jr., and Tony Piltzecker;
Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE
Certified on Windows 2000 Study Guide & DVD Training System, Syngress Publishing, Inc.,
Rockland, MA, Chapter 7, p. 376.
Question: 157
You are the network administrator for Examsheets. All servers run Windows Server 2003. You
configure a baseline security template Baseline.inf. Several operations groups are responsible for
creating templates containing settings that satisfy operational requirements. You receive the
templates shown in the following table.
Operations group   Template name        Applies to
File and Print     ExamsheetsFile.inf   File servers
Database           ExamsheetsDB.inf     Database servers
Security           ExamsheetsSec.inf    All resource servers
The operations groups agree that in the case of conflicting settings, the priority order listed in the
following table establishes the resultant setting.
Template                       Priority
ExamsheetsSec.inf              1
Baseline.inf                   2
Specific server role template  3
You need to create one or more Group Policy objects (GPOs) to implement the security settings.
You want to minimize the amount of administrative effort required when changes are requested
by the various operations groups.
What should you do?
A. Create a GPO and import the following templates in the following order: Baseline.inf,
ExamsheetsSec.inf. Create a GPO for each server role and import only the specific template
for that role into each respective GPO.
B. Create a GPO and import the following templates in the following order: ExamsheetsSec.inf,
Baseline.inf. Create a GPO for each server role and import only the specific template for that
role into each respective GPO.
C. Create a GPO for each server role and import the following templates in the following order:
Baseline.inf, specific server role template, ExamsheetsSec.inf.
D. Create a GPO and import the following templates in the following order: ExamsheetsSec.inf,
ExamsheetsDB.inf, ExamsheetsFile.inf, Baseline.inf.
Answer: A
Explanation:
Windows Server 2003 processes GPOs from the bottom of the list to the top of the list, with the
topmost GPO having the final authority. Because policies contained in a GPO will, by default,
overwrite policies applied before them, we need to import Baseline.inf before the
ExamsheetsSec.inf template.
Incorrect Answers:
B: Because policies contained in a GPO will, by default, overwrite policies applied before them,
we need to import Baseline.inf before the ExamsheetsSec.inf template.
C, D: Because we need to import templates specific to each of two server roles, we need a
separate GPO for each server role.
Reference:
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296,
Chapter 5
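To see why the import order in answer A matters, here is a small model of the two rules the explanation relies on, added here and not part of the original Q&A: within a GPO a later template import overwrites earlier ones, and linked GPOs are processed bottom to top so the topmost has final authority. The template names are the question's; their settings and values are constructed, and the link order (common GPO linked above the role GPO) is an assumption.

```python
"""Resultant security settings from template import order and GPO link order (added example)."""
from typing import Dict, List

Template = Dict[str, str]

# Constructed sample template contents: the template names are the question's,
# the settings and values are illustrative, not the real contents of any .inf file.
BASELINE: Template = {
    "MinimumPasswordLength": "8",
    "AuditObjectAccess": "No auditing",
    "Telnet": "Disabled",
}
EXAMSHEETS_SEC: Template = {
    "MinimumPasswordLength": "12",
    "AuditObjectAccess": "Failure",
}
EXAMSHEETS_DB: Template = {
    "MinimumPasswordLength": "10",
    "MSSQLSERVER": "Automatic",
}
EXAMSHEETS_FILE: Template = {
    "MinimumPasswordLength": "9",
    "Spooler": "Automatic",
}


def import_templates(order: List[Template]) -> Template:
    """Importing a template into a GPO overwrites any setting the GPO already holds,
    so within one GPO the last template imported wins."""
    gpo: Template = {}
    for template in order:
        gpo.update(template)
    return gpo


def apply_links(top_to_bottom: List[Template]) -> Template:
    """GPOs linked to a container are processed from the bottom of the link list
    to the top, so the topmost GPO has final authority."""
    resultant: Template = {}
    for gpo in reversed(top_to_bottom):
        resultant.update(gpo)
    return resultant


def expected_by_priority(role: Template) -> Template:
    """The agreed priority: ExamsheetsSec.inf (1), Baseline.inf (2), role template (3)."""
    expected: Template = {}
    for template in (EXAMSHEETS_SEC, BASELINE, role):
        for key, value in template.items():
            expected.setdefault(key, value)   # first template in priority order wins
    return expected


def priority_violations(resultant: Template, role: Template) -> List[str]:
    """Settings whose resultant value breaks the agreed priority order."""
    expected = expected_by_priority(role)
    return sorted(key for key in expected if resultant.get(key) != expected[key])


def option_a(role: Template) -> Template:
    """Answer A: one GPO importing Baseline.inf then ExamsheetsSec.inf, plus one GPO per
    role. Assumption: the common GPO is linked above the role GPO on the servers' OU."""
    common = import_templates([BASELINE, EXAMSHEETS_SEC])
    return apply_links([common, import_templates([role])])


def option_b(role: Template) -> Template:
    """Answer B: same layout, but ExamsheetsSec.inf imported first, so Baseline.inf
    overwrites it inside the common GPO."""
    common = import_templates([EXAMSHEETS_SEC, BASELINE])
    return apply_links([common, import_templates([role])])


def option_d() -> Template:
    """Answer D: a single GPO holding every template, Baseline.inf imported last."""
    return import_templates([EXAMSHEETS_SEC, EXAMSHEETS_DB, EXAMSHEETS_FILE, BASELINE])


if __name__ == "__main__":
    for name, resultant in (("A", option_a(EXAMSHEETS_DB)),
                            ("B", option_b(EXAMSHEETS_DB)),
                            ("D", option_d())):
        print(name, resultant, "violations:", priority_violations(resultant, EXAMSHEETS_DB))
```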
Question: 158
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The network contains Web servers that run Windows Server
2003. You use Sysprep to create a baseline image for Web servers. You instruct a technician to
install Windows Server 2003 on 20 new Web servers by using the baseline image. A new service
pack is subsequently released. You need to install the new service pack on all Web servers. You
want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Copy the service pack installation files to a shared folder. Install the service pack on each Web
server from the shared folder.
B. Create an organizational unit (OU) named Web Servers. Create a Group Policy object (GPO)
to assign the service pack package to users. Link the GPO to the Web Servers OU. Move the
Web servers into the Web Servers OU.
C. Create an organizational unit (OU) named Web Servers. Create a Group Policy object (GPO)
to assign the service pack package to computers. Link the GPO to the Web Servers OU. Move
the Web servers into the Web Servers OU.
D. Create a Cmdlines.txt file for use with the baseline Sysprep image in order to run the service
pack package.
Answer: C
Explanation:
A service pack is a software update package provided by Microsoft for one of its products. A
service pack contains a collection of fixes and enhancements packaged into a single
self-installing archive file. To distribute a service pack, create a shared folder and either extract
the service pack to that folder or copy the contents of the service pack CD to the folder. Then,
using the Active Directory Users And Computers snap-in, create or select an existing GPO. Click
Edit and the Group Policy Object Editor console appears, focused on the selected GPO. Expand the
Computer Configuration\Software Settings node. Right-click Software Installation and choose
New, then Package. Enter the path to the service pack’s Update.msi file. Be certain to use a UNC
format (for example, \\Server\Share) and not a local volume path, such as Drive:\Path. In the
Deploy Software dialog box, select Assigned. Close the Group Policy Object Editor console.
Computers within the scope of the GPO—in the site, domain, or OU branch to which the policy is
linked—automatically deploy the service pack at the next startup.
You can create a baseline security configuration in a GPO directly, or import a security template
into a GPO. Link the baseline security GPO to OUs in which member servers’ computer objects
exist.
Incorrect Answers:
A: Installing the service pack on each server would require a lot of administrative effort.
B: Service packs must be applied to the computers not the users.
D: Service packs can be applied without running the Sysprep image.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
Glossary.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing
and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond,
Washington, Chapter 9.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296,
Microsoft Press, Redmond, Washington, 2004, Chapter 9.
Question: 159
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The network contains 80 Web servers that run Windows 2000
Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed. Examsheets is
planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an
organizational unit (OU) named Web Servers. You are planning a baseline security configuration
for the Web servers. Examsheets written security policy states that all unnecessary services must
be disabled on servers. Testing shows that the server upgrade process leaves the following
unnecessary services enabled:
• SMTP
• Telnet
Your plan for the baseline security configuration for Web servers must comply with the written
security policy. You need to ensure that unnecessary services are always disabled on the Web
servers.
What should you do?
A. Create a Group Policy Object (GPO) to apply a logon script that disables the unnecessary
services. Link the GPO to the Web Servers OU.
B. Create a Group Policy Object (GPO) and import Hisecws.inf security template. Link the GPO
to the Web Servers OU.
C. Create a Group Policy Object (GPO) to set the startup type of the unnecessary services to
Disabled. Link the GPO to the Web Servers OU.
D. Create a Group Policy Object (GPO) to apply a startup script to stop the unnecessary
services. Link the GPO to the Web Servers OU.
Answer: C
Explanation:
Windows Server 2003 installs a great many services with the operating system, and configures
quite a few with the Automatic startup type, so that these services load automatically when the
system starts. Many of these services are not needed in a typical member server configuration,
and it is a good idea to disable the ones that the computer doesn’t need. Services are programs
that run continuously in the background, waiting for another application to call on them. Instead of
controlling the services manually, using the Services console, you can configure service
parameters as part of a GPO. Applying the GPO to a container object causes the services on
all the computers in that container to be reconfigured. To configure service parameters in the
Group Policy Object Editor console, you browse to the Computer Configuration\Windows
Settings\Security Settings\System Services container and select the policies corresponding to the
services you want to control.
Incorrect Answers:
A: The logon script would only run when someone logs on to the web servers. It’s likely that the
web servers will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy would be
refreshed at regular intervals.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:1-6
Question: 160
You are the network administrator for Examsheets. The network consists of a single Active
Directory domain ExamSheets.net. The network contains two Windows Server 2003 domain
controllers, two Windows 2000 Server domain controllers, and two Windows NT Server 4.0
domain controllers. All file servers for the finance department are located in an organizational unit
(OU) named Finance Servers. All file servers for the payroll department are located in an OU
named Payroll Servers. The Payroll Servers OU is a child OU of the Finance Servers OU.
Examsheets written security policy for the finance department states that departmental servers
must have security settings that are enhanced from the default settings. The written security
policy for the payroll department states that departmental servers must have enhanced security
settings from the default settings, and auditing must be enabled for file or folder deletion. You
need to plan the security policy settings for the finance and payroll departments.
What should you do?
A. Create a Group Policy object (GPO) to apply to the Compatws.inf security template to
computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the
Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.
B. Create a Group Policy object (GPO) to apply the Securews.inf security template to
computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the
Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.
C. Create a Group Policy object (GPO) to apply to the Compatws.inf security template to
computer objects, and link it to the Finance Servers OU. Create a second GPO to apply the
Hisecws.inf security template to computer objects, and link it to the Payroll Servers OU.
D. Create a Group Policy object (GPO) to apply the Securews.inf security template to
computer objects, and link it to the Finance Servers and to the Payroll Servers OUs. Create a
second GPO to enable the Audit object access audit policy on computer objects, and link it to
the Payroll Servers OU.
Answer: B
Explanation:
The Securews.inf template contains policy settings that raise the security of a workstation or
member server above the defaults while remaining compatible with most functions and
applications. It includes many of the same account and local policy settings as Securedc.inf,
requires digitally signed communications and tightens the restrictions on anonymous users.
A GPO that imports it, linked to the Finance Servers OU, satisfies the finance policy; because
Payroll Servers is a child OU, the payroll servers inherit the same settings.
Audit Object Access
This policy records a user's access to an operating system object such as a file, folder or
registry key. Enabling the policy alone logs nothing: you must also enable auditing on the
resource you want to monitor. To audit a particular file or folder, open its Properties dialog box,
click the Security tab, click Advanced, and on the Auditing tab add the users or groups whose
access you want to audit. To catch deletions specifically, audit the Delete and Delete
Subfolders And Files permissions. A second GPO linked only to the Payroll Servers OU turns the
policy on for payroll servers without touching the other finance servers.
Incorrect Answers:
A, C: The Compatws.inf template relaxes the default file and registry permissions so that
members of the Users group can run applications written for Windows NT. Its settings are lower
than the defaults, not enhanced. C additionally relies on a second template instead of explicitly
enabling the Audit object access policy that the payroll requirement calls for.
D: The Payroll Servers OU is a child of the Finance Servers OU, and GPO settings linked to a
parent OU are inherited by its child OUs, so linking the same GPO to both OUs is redundant.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
Chapter 9 and 10.
Question: 161
You are the network administrator for ExamSheets. The network consists of a single Active
Directory domain Examsheets.net. ExamSheets has an internal network and a perimeter network.
The internal network is protected by a firewall. Application servers on the perimeter network are
accessible from the Internet.
You are deploying 10 Windows Server 2003 computers in application server roles. The servers
will be located in the perimeter network and will not be members of the domain. The servers will
host only publicly available Web pages.
The network design requires that custom security settings must be applied to the application
servers.
These custom security settings must be automatically refreshed every day to ensure compliance
with the design.
You create a custom security template named Baseline1.inf for the application servers. You need
to comply with the design requirements.
What should you do?
A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO).
B. Create a task on each application server that runs Security and Configuration Analysis with
Baseline1.inf every day.
C. Create a task on each application server that runs the secedit command with Baseline1.inf
every day.
D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the
secedit command with Baseline1.inf.
Answer: C
Explanation:
Secedit.exe is the command-line counterpart of the Security Configuration And Analysis
snap-in: it can analyze a computer against a template (secedit /analyze) or apply a template, or
selected areas of one, to the computer (secedit /configure). Because it is a console program, it
can be run from scripts, batch files and scheduled tasks, which is what a daily, unattended refresh
on stand-alone servers requires.
Incorrect Answers:
A, D: The Default Domain Policy GPO is linked to the domain and is processed only by
computers that are members of the domain. The application servers are workgroup members
in the perimeter network, so no domain GPO, and no startup script delivered by one, ever
reaches them. Importing Baseline1.inf into the Default Domain Policy would also push
application-server settings to every domain member.
B: Security Configuration And Analysis is an interactive MMC snap-in. It can configure a
computer from a template, but only when an administrator drives it; a scheduled task cannot run
it unattended.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington
98052-6399, Chapter 10.
Question: 162
ExamSheet is a network administrator for ExamSheets. The network consists of a single Active
Directory domain Examsheets.net. The network contains 12 domain controllers and 50 servers in
the application server role. All servers run Windows Server 2003.
The application servers are configured with custom security settings that are specific to their roles
as application servers. Application servers are required to audit account logon events, object
access events, and system events. Application servers are required to have passwords that meet
complexity requirements, to enforce password history, and to enforce password aging.
Application servers must also be protected against man-in-the-middle attacks during
authentication.
ExamSheet needs to deploy and refresh the custom security settings on a routine basis. She also
needs to be able to verify the custom security settings during audits.
What actions should ExamSheet take?
A. She should create a custom security template and apply it by using Group Policy.
B. She should create a custom IPSec policy and assign it by using Group Policy.
C. She should create and apply a custom Administrative Template.
D. She should create a custom application server image and deploy it by using RIS.
Answer: A
Explanation:
A security template is a file that holds a security configuration. It can be applied to a local
computer with secedit or the Security Configuration And Analysis snap-in, or imported into a
Group Policy Object (GPO); Group Policy then applies the template's settings to every computer
in the containers the GPO is linked to and reapplies them at each refresh, which covers the
routine deployment and refresh. The same template is the yardstick for audits: analyzing a
server against it (secedit /analyze or the snap-in) lists every setting that has drifted.
Every requirement in the question maps to a template section: Audit Policy for account logon,
object access and system events; Account Policies for complexity, history and aging; and
Security Options such as requiring NTLMv2 and SMB signing, which defend authentication
against man-in-the-middle attacks. Audit and Event Log policies also let you specify how much
information the computer retains in its logs and how it behaves when the logs are full. Windows
Server 2003 starts many services by default that an application server does not need, and a GPO
can set the startup type of each service. GPOs carry a great many other security options for
configuring the specific behaviour of a computer running Windows Server 2003.
Incorrect Answers:
B: An IPSec policy secures network traffic. It could contribute to the man-in-the-middle
requirement, but it configures none of the audit or password settings and cannot be used to
verify them.
C: Administrative Templates deliver registry-based settings for the user interface, components
and administrative tasks. The account, audit and security-option settings required here live in
Security Settings, which are supplied by security templates.
D: A custom image deployed through RIS automates the installation of the operating system with
applications pre-installed. It gives a server its initial state only; it neither refreshes the settings
afterwards nor provides a way to verify them.
Reference:
J. C. Mackin and Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, Glossary
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, Chapter 9.
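The kind of file Questions 160 and 162 talk about, written out as an added example (it is not from the original page and not one of Microsoft's predefined templates): a custom security template in the INF format that secedit /configure and the Security Templates snap-in consume, carrying the account, audit, man-in-the-middle and service settings those questions list. The file name Baseline.inf, the 42-day maximum password age and the choice of the Alerter and Messenger services are illustrative assumptions.

```ini
; Added example: a custom security template (Baseline.inf, name assumed).
; Apply with:   secedit /configure /db baseline.sdb /cfg Baseline.inf /overwrite
; Audit with:   secedit /analyze   /db baseline.sdb /cfg Baseline.inf /log baseline.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Password policy: complexity, history and aging (Q162).
; On a member server these govern local accounts; domain accounts take
; their password policy from the domain-linked GPO.
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24

; Audit policy values: 1 = success, 2 = failure, 3 = both.
; AuditObjectAccess only switches the category on; file or folder deletions
; are logged once a SACL for Delete / Delete Subfolders And Files is set on
; the folders themselves (Q160).
[Event Audit]
AuditAccountLogon = 3
AuditObjectAccess = 3
AuditSystemEvents = 3

; Security options against man-in-the-middle attacks on authentication (Q162).
; Format is path=type,value with type 4 = REG_DWORD.
; LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLM.
; RequireSecuritySignature on both the server and workstation side: SMB
; signing is mandatory, so a session cannot be hijacked or relayed unsigned.
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1

; Services the role does not need: "name",startup type,security descriptor.
; Startup type 2 = Automatic, 3 = Manual, 4 = Disabled. The SDDL string is the
; default service ACL (SYSTEM and Administrators full control, Authenticated
; Users and Power Users may query and start/stop).
[Service General Setting]
"Alerter",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
"Messenger",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
```

Import the same file into a GPO (Security Settings, right-click, Import Policy) for the Group Policy deployment the questions answer with; keep the file under version control, because secedit /analyze against it is the audit evidence that a server still matches the baseline.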
Question: 163
You are the network administrator for Examsheets.net. The network consists of a single Active
Directory domain named Examsheets.net. The functional level of the domain is Windows Server
2003. The domain contains an organizational unit (OU) named Servers that contains all of
ExamSheets’s Windows Server 2003 resource servers. The domain also contains an OU named
Workstations that contains all of ExamSheets’s Windows XP Professional client computers.
You configure a baseline security template for resource servers named Server.inf and a baseline
security template for client computers named Workstation.inf. The Server.inf template contains
hundreds of settings, including file and registry permission settings that have inheritance
propagation enabled. The Workstation.inf template contains 20 security settings, none of which
contain file or registry permissions settings.
The resource servers operate at near capacity during business hours.
You need to apply the baseline security templates so that the settings will be periodically
enforced. You need to accomplish this task by using the minimum amount of administrative effort
and while minimizing the performance impact on the resource servers.
What should you do?
A. Create a Group Policy object (GPO) and link it to the domain.
Import both the Server.inf and the Workstation.inf templates into the GPO.
B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy
Group Policy object (GPO).
C. On each resource server, create a weekly scheduled task to apply the Server.inf settings
during off-peak hours by using the secedit command.
Create a Group Policy object (GPO) and link it to the Workstations OU.
Import the Workstation.inf template into the GPO.
D. On each resource server, create a weekly scheduled task to apply the Server.inf settings
during off-peak hours by using the secedit command.
Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO).
Answer: C
Explanation:
Settings imported into a GPO are applied by Group Policy, and security settings are reapplied
at every refresh even when nothing has changed. For Workstation.inf, 20 settings with no file or
registry permissions, that is cheap, and a GPO is the least-effort way to enforce the baseline, so
the template is imported into a GPO linked to the Workstations OU. Server.inf, with hundreds of
settings including file and registry permissions that propagate through inheritance, is expensive to
apply: recalculating ACLs across a file system and registry on a server running near capacity
would compete with the workload every time the policy refreshed during business hours. A weekly
scheduled task that runs secedit /configure during off-peak hours still enforces the baseline
periodically but puts the cost where it does no harm.
Secedit.exe is a command-line tool that performs the same functions as the Security
Configuration And Analysis snap-in and can also apply specific parts of a template to the
computer. You can use Secedit.exe in scripts, batch files and scheduled tasks to automate
security template deployments. A baseline security configuration can be created in a GPO directly
or imported into one from a security template; link the baseline GPO to the OUs in which the
computer objects it is meant for exist.
Incorrect Answers:
A: When several templates are imported into a single GPO, the template imported last wins
wherever settings conflict, so the two baselines would merge into one, and a GPO linked to the
domain would apply that merged set to every computer. The servers would also have the heavy
permission settings reapplied at every refresh during business hours.
B, D: The Default Domain Policy GPO is linked to the domain and applies to all computers in the
domain, not only to domain controllers. Importing the templates into it has the same two
problems as A, and it modifies a default GPO that is better left to domain account policy.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
Chapter 10.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296,
Microsoft Press, Redmond, Washington, Chapter 9.
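The mechanics behind the scheduled-task answers of Questions 161 and 163, as an added example that is not from the original page: a batch file that applies a template with secedit, checks a server against it for an audit, and registers itself as the daily (Q161) or weekly off-peak (Q163) task. It assumes the template is C:\Baselines\Baseline1.inf, that the task runs as LocalSystem, the HH:MM:SS start-time format of the Windows Server 2003 schtasks, and that secedit /analyze marks each differing setting with the word "Mismatch" in its log.

```batch
@echo off
rem Added example, not from the original page. Assumed paths and task names.
setlocal
set BASE=C:\Baselines
set TEMPLATE=%BASE%\Baseline1.inf
set DB=%BASE%\Baseline1.sdb
set LOG=%BASE%\Baseline1.log

if /i "%~1"=="apply"  goto apply
if /i "%~1"=="verify" goto verify
if /i "%~1"=="daily"  goto daily
if /i "%~1"=="weekly" goto weekly
echo usage: %~nx0 apply ^| verify ^| daily ^| weekly
goto :eof

:apply
rem /overwrite empties the database first so only this template's settings are
rem applied; /quiet suppresses the confirmation prompt so the task never hangs.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%LOG%" /quiet
goto :eof

:verify
rem /analyze never changes the computer: it compares the live settings with the
rem template in the database and writes every difference to the log. Each
rem "Mismatch" line (assumed log marker) is a finding for the audit.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%"
findstr /i /c:"Mismatch" "%LOG%"
if errorlevel 1 echo No mismatches: %COMPUTERNAME% matches %TEMPLATE%
goto :eof

:daily
rem Q161: stand-alone perimeter servers, refresh every day at 02:00.
rem The task runs this same file with the "apply" argument as LocalSystem.
schtasks /create /tn "Refresh Baseline" /tr "\"%~f0\" apply" /sc daily /st 02:00:00 /ru System
goto :eof

:weekly
rem Q163: resource servers near capacity, refresh once a week in off-peak hours.
schtasks /create /tn "Refresh Baseline (weekly)" /tr "\"%~f0\" apply" /sc weekly /d SUN /st 03:00:00 /ru System
goto :eof
```

Run `baseline.cmd daily` (or `weekly`) once on each server to register the task, then `baseline.cmd verify` before an audit; the same file and database are what the verification compares against, so a server that has drifted shows up in the log rather than in the incident queue.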
Question: 164
You are the network administrator for Examsheets.net. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. All client
computers run Windows XP Professional.
The human resources department has servers that contain confidential information stored in files.
The client computers in the human resources department access the confidential information over
the LAN.
The network design requires that any access to the human resources department servers must
be encrypted to protect the confidentiality of the data transmissions.
You need to automatically enforce the network design requirement at regular intervals.
What should you do?
A. Assign the Secure Server (Require Security) IPSec policy to the human resources department
servers by using Group Policy.
B. Assign the Secure Server (Require Security) IPSec policy to the human resources department
servers by using local policy.
C. Apply the Hisecws.inf security template to the human resources department servers by using
Group Policy.
D. Apply the Hisecws.inf security template to the human resources department servers by using
the secedit command.
Answer: A
Explanation:
Secure Server (Require Security) configures the computer to require IPSec security for all
communications. If the computer attempts to communicate with a computer that does not support
IPSec, the initiating computer terminates the connection. The Secure Server (Require Security)
policy is intended for computers working with sensitive data that must be secured at all times.
Before implementing this policy, you must make sure all the computers that need to access the
secured server support IPSec. When security settings are imported to a GPO in Active Directory,
they affect the local security settings of any computer accounts to which that GPO is applied.
Incorrect Answers:
B: Assigning the policy through local policy affects only the computer on which it is set, has to
be repeated on every human resources server, and is not re-enforced from a central point at
regular intervals.
C, D: Hisecws.inf is a workstation and member-server template that hardens authentication
(NTLMv2, SMB signing and related options); it does not encrypt the data transmissions, which is
what the design requires.
Reference:
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows
Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington,
Chapter 11.
Question: 165
You are the network administrator for Examsheets.net. The network consists of a single Active
Directory domain named Examsheets.net. ExamSheets has a main office and five branch offices.
The branch offices are connected to the main office by a WAN connection. All servers run
Windows Server 2003. All client computers run Windows XP Professional.
The audit department has users in the main office and in all branch offices. The audit department
users share files on an audit department secured server at the main office. The files must be kept
confidential.
The audit department is concerned that files will be captured while they are transmitted between
the audit department server and the client computers. The audit department server is configured
to protect the confidentiality of network transmissions.
You need to configure the audit department client computers to further ensure the confidentiality
of network transmissions. You need to ensure that the configuration of the client computers is
periodically enforced.
What should you do?
A. Use a Group Policy object (GPO) to assign the Client (Respond Only) IPSec policy to the client
computers.
B. Run the secedit command with the Hisecws.inf predefined security template on the client
computers.
C. Use a Group Policy object (GPO) to configure Server Message Block (SMB) signing on the
client computers.
D. Run the secedit command with the Rootsec.inf predefined security template on the client
computers.
Answer: A
Explanation:
The audit department server already protects the confidentiality of its transmissions, which on
Windows Server 2003 means an IPSec policy such as Secure Server (Require Security) that
encrypts the traffic with ESP. A client can only take part if it has an IPSec policy of its own.
Client (Respond Only) configures the computer to use IPSec when another computer requests it:
the client never initiates a negotiation, but it answers the audit server's request, and the session
between them is then encrypted while traffic to every other host is unchanged. Assigning the
policy with a GPO linked to the container that holds the audit department's computer objects
makes it part of Group Policy refresh, so the configuration is periodically re-enforced.
Incorrect Answers:
B, D: Running secedit on each client applies a template once; nothing re-enforces it
periodically. Hisecws.inf and Rootsec.inf (which resets the permissions on the root of the system
drive) do not configure IPSec or encryption in any case.
C: SMB signing protects the integrity of the SMB session, detecting tampering and defeating
session hijacking, but the data still crosses the wire in clear text, so it does not address
confidentiality. Encrypting file-sharing traffic on these platforms requires IPSec.
Reference:
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing
and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond,
Washington, Glossary.
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 3
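What the two predefined policies of Questions 164 and 165 do once assigned, shown as an added example (not from the original page) with netsh ipsec on a lab pair of Windows Server 2003 computers. In production the assignment comes from the GPO, and a domain-assigned IPSec policy overrides a locally assigned one; on Windows XP clients the GPO is likewise what delivers the policy. The addresses (server 10.0.0.20, client 10.0.0.50) and the share name Finance are assumptions.

```batch
@echo off
rem Added example, not from the original page. Lab addresses and share assumed.
if /i "%~1"=="server" goto server
if /i "%~1"=="client" goto client
if /i "%~1"=="check"  goto check
echo usage: %~nx0 server ^| client ^| check
goto :eof

:server
rem Secure Server (Require Security): every peer must negotiate IPSec. A peer
rem that cannot is refused; the server never falls back to clear text.
netsh ipsec static set policy name="Secure Server (Require Security)" assign=y
netsh ipsec static show all
goto :eof

:client
rem Client (Respond Only): the client never starts a negotiation but answers
rem one, so traffic to the server becomes encrypted and all other traffic is unchanged.
netsh ipsec static set policy name="Client (Respond Only)" assign=y
goto :eof

:check
rem Run on the client. Open a session, then list the main-mode (IKE) and
rem quick-mode (ESP) security associations: 10.0.0.20 must appear in both.
net use \\10.0.0.20\Finance
netsh ipsec dynamic show mmsa all
netsh ipsec dynamic show qmsa all
rem Negative test: with no client policy assigned, the client sends clear text,
rem the server's IKE request goes unanswered, and the same "net use" fails.
net use \\10.0.0.20\Finance /delete
netsh ipsec static set policy name="Client (Respond Only)" assign=n
net use \\10.0.0.20\Finance
goto :eof
```

The negative test is the point of Question 165's wrong answers: SMB signing or a security template on the client changes nothing here, because the server only accepts a peer that can complete the IPSec negotiation.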
Question: 166
You are the security analyst for Examsheets.net. The network consists of ExamSheets’s intranet
and a perimeter network. The networks are separated by a firewall. ExamSheets’s intranet
consists of a single Active Directory domain named corp.Examsheets.net. The perimeter network
consists of a DNS domain named Examsheets.net. The perimeter network contains publicly
accessible Web servers.
The intranet contains a Windows Server 2003 DNS server named ExamSheets1. ExamSheets1
hosts an Active Directory-integrated primary zone for the corp.Examsheets.net domain.
ExamSheets1 also hosts a secondary zone that is not integrated with Active Directory for the
Examsheets.net domain. The perimeter network contains a Windows Server 2003 DNS server
named ExamSheets2. ExamSheets2 is authoritative for the Examsheets.net DNS domain, which
contains the resource records for the publicly accessible servers.
ExamSheets1 is configured to forward requests to ExamSheets2. ExamSheets2 is configured
with root hints.
ExamSheets’s written DNS security includes the following requirements:
• The internal DNS namespace must never be accessible by external users or computers.
• External users must not be able to retrieve zone information from either DNS server.
You need to plan a DNS security solution that meets the DNS security policy requirements. Your
solution must not adversely affect required or allowed name resolution functions in the network.
What should you do?
A. On ExamSheets2, allow zone transfers to only servers listed in the Name Servers list.
Disable recursion on ExamSheets1.
B. On ExamSheets2, allow zone transfers to only servers listed by IP address.
On ExamSheets1, do not allow zone transfers.
C. On ExamSheets1, allow zone transfers to only servers listed in the Name Servers list.
Disable recursion on ExamSheets2.
D. On ExamSheets1, allow zone transfer to only servers listed by IP address.
On ExamSheets2, do not allow zone transfers.
Answer: B
Explanation:
Zone transfer data can be protected by specifying which DNS servers are allowed to request a
transfer. If you do not, an intruder can install a DNS server, create a secondary zone and request
a zone transfer from your primary zone, obtaining a complete copy of the zone with every host
name and address in it. On a Windows Server 2003 DNS server, open the DNS console, display
the Properties dialog box of the zone, click the Zone Transfers tab, select the Allow Zone
Transfers check box and choose either Only To Servers Listed On The Name Servers Tab or Only
To The Following Servers, entering the IP addresses of the servers that hold your secondary
zones.
ExamSheets2 must keep transferring Examsheets.net to ExamSheets1, which holds the secondary
copy. Listing ExamSheets1 by IP address allows that without adding an NS record for an internal
server to the public zone, which would expose part of the internal infrastructure. ExamSheets1
hosts an Active Directory-integrated zone, which replicates through Active Directory rather than
zone transfers, and nothing pulls its secondary copy of Examsheets.net, so zone transfers can be
disabled on it entirely. Forwarding from ExamSheets1 to ExamSheets2 and root-hint resolution on
ExamSheets2 are left as they are, so required name resolution is unaffected.
Incorrect Answers:
A: Restricting transfers on ExamSheets2 is right, but ExamSheets1's own zone transfer settings
are left as they are. Disabling recursion on ExamSheets1 is harmful: on Windows Server 2003 the
option is labelled Disable Recursion (Also Disables Forwarders), so ExamSheets1 would stop
forwarding to ExamSheets2 and internal clients would lose Internet name resolution. A server with
recursion disabled answers only from its own zones and otherwise returns referrals, which suits a
server that holds only the private namespace and whose clients resolve Internet names
elsewhere, not the intranet's resolver.
C: ExamSheets2 must recurse: it uses root hints to resolve the Internet names that ExamSheets1
forwards to it. Restricting transfers on ExamSheets1 alone also leaves the public zone on
ExamSheets2, the server external users can reach, open to anyone.
D: Disallowing all transfers on ExamSheets2 stops ExamSheets1 from refreshing its secondary
copy of Examsheets.net, and the server that external users can reach must be the one whose
transfers are restricted to a known list.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
Chapter 4.
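The configuration of Question 166 applied with dnscmd (from the Windows Server 2003 Support Tools) and checked from both sides of the firewall, as an added example that is not from the original page. The addresses are assumptions: ExamSheets1 at 10.0.0.10 on the intranet, ExamSheets2 at 192.0.2.10 in the perimeter network.

```batch
@echo off
rem Added example, not from the original page. Addresses assumed.

rem --- ExamSheets2: the public zone may be transferred only to the internal
rem secondary, named by IP address so that no NS record for an internal host
rem ever appears in the public zone (/SecureNs would require one).
dnscmd ExamSheets2 /ZoneResetSecondaries Examsheets.net /SecureList 10.0.0.10
dnscmd ExamSheets2 /ZoneInfo Examsheets.net

rem --- ExamSheets1: the AD-integrated zone replicates through Active Directory
rem and nothing pulls its secondary copy of Examsheets.net, so refuse every transfer.
dnscmd ExamSheets1 /ZoneResetSecondaries corp.Examsheets.net /NoXfr
dnscmd ExamSheets1 /ZoneResetSecondaries Examsheets.net /NoXfr

rem --- From an Internet host: a zone transfer request to ExamSheets2 must be refused.
echo ls -d Examsheets.net | nslookup - 192.0.2.10

rem --- From ExamSheets1: pulling the public zone from ExamSheets2 must still work ...
dnscmd ExamSheets1 /ZoneRefresh Examsheets.net

rem --- ... and forwarding must still work. Do not take option A's second step:
rem "dnscmd ExamSheets1 /Config /NoRecursion 1" is the checkbox labelled
rem "Disable recursion (also disables forwarders)", after which this lookup fails.
nslookup www.example.com 10.0.0.10
```

The two nslookup lines are the acceptance test for the written policy: the first must fail from outside, the second must succeed from inside, and an answer that breaks either does not meet "must not adversely affect required or allowed name resolution".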
Question: 167
You are the network administrator for Examsheets.net. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. All client
computers run Windows XP Professional. The network contains a Windows Server 2003
computer named ExamSheets1 that is not a member of the domain and a Windows Server 2003
member server named ExamSheets2.
You need to implement a public key infrastructure (PKI) for the network. You configure
ExamSheets1 as a root certification authority (CA). You intend to disconnect ExamSheets1 from
the network. You configure ExamSheets2 as a subordinate CA, and you leave ExamSheets2
connected to the network.
You need to configure ExamSheets1 to support updates to the certificate revocation list (CRL)
and to support certificate chain verification on the network while it is offline.
Which two actions should you take? (Each correct answer presents part of the solution. Choose
two)
A. On ExamSheets1, use the Certification Authority snap-in to configure the CRL Distribution
Point (CDP) setting to point to a shared folder.
Regularly copy the CRL from ExamSheets1 to the shared folder.
B. On ExamSheets1, use the Certification Authority snap-in to configure the CRL Distribution
Point (CDP) setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.
C. On ExamSheets1, use the Certification Authority snap-in to configure the Authority
Information Access (AIA) setting to point to a shared folder.
Regularly copy the AIA from ExamSheets1 to the shared folder.
D. On ExamSheets1, use the Certification Authority snap-in to configure the Authority
Information Access (AIA) setting to point to the C:\Windows\System32\CertSrv\CertEnroll
folder.
E. Configure the Default Domain Policy Group Policy object (GPO) to enable the Enroll
Certificates automatically setting and then select the Remove expired certificates, update
pending certificates and remove revoked certificates option.
F. Configure all certificate templates on ExamSheets2 to be published in Active Directory.
Answer: A C
Explanation:
Most CA configuration after installation is done through the Certification Authority snap-in, on the
Extensions tab of the CA's Properties dialog box. CRL Distribution Points (CDPs) are the locations
to which a CA publishes its CRL and which it writes into the CDP extension of every certificate it
issues; Authority Information Access (AIA) locations do the same for the CA's own certificate,
which clients need to build the certificate chain. A client validating a certificate issued by
ExamSheets1, such as ExamSheets2's subordinate CA certificate, reads those URLs from the
certificate and fetches the CRL and the CA certificate from them.
An enterprise CA publishes to Active Directory; a stand-alone CA such as ExamSheets1 writes,
by default, to its local CertSrv\CertEnroll folder. Once ExamSheets1 is disconnected, nothing on
the network can reach that folder, so chain building and revocation checking would fail. The CDP
and AIA locations must therefore point to a shared folder on a server that stays online, and
because the offline root cannot publish there itself, an administrator must regenerate the CRL
before it expires and copy it, together with the root CA certificate, to that folder by hand.
Incorrect answers:
B, D: A CDP or AIA path on the root's own disk is reachable only while ExamSheets1 is on the
network, which is exactly the state it will not be in. The local folder remains where the files are
generated; it is not where clients can fetch them.
E: Autoenrollment settings control how clients obtain and renew their own certificates; they have
nothing to do with where the root CA's CRL and certificate are published.
F: Subordinate CAs are child CAs in the hierarchy, certified by the root, and ExamSheets2 can
issue certificates and publish its templates to Active Directory. That configures ExamSheets2's own
issuance; it does not make ExamSheets1's CRL or certificate available on the network.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, pp. 886, 907
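The offline-root procedure of Question 167 carried out with certutil, as an added example that is not from the original page: the CDP and AIA URLs are pointed at a share on a server that stays online, the CRL and CA certificate are regenerated and carried over by hand, and the chain is verified from a connected computer. Assumptions: the online share is \\ExamSheets2\PKI, the root's CRL is given a 26-week lifetime, the subordinate CA certificate has been exported to that share as ExamSheets2-SubCA.cer, and the verifying computer's certutil supports -urlfetch (Windows Server 2003 SP1 or later).

```batch
@echo off
rem Added example, not from the original page. Share, lifetime and file names assumed.
rem Run the first part on ExamSheets1 while it is disconnected.

rem Flag 1 = write the file to this location when publishing;
rem flag 2 = put this URL into the CDP (or AIA) extension of every issued certificate.
rem %%1 = server DNS name, %%3 = CA name, %%4 = certificate name,
rem %%8 = CRL name suffix, %%9 = delta CRL suffix. "\n" separates entries.
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:file://\\ExamSheets2\PKI\%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:file://\\ExamSheets2\PKI\%%1_%%3%%4.crt"

rem A long CRL lifetime means the offline box is powered on rarely; the
rem operational rule is to republish well before this period ends.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
net stop certsvc && net start certsvc

rem Generate a fresh CRL; the file lands in the local CertEnroll folder (flag 1).
certutil -crl
dir %windir%\system32\CertSrv\CertEnroll\*.crl %windir%\system32\CertSrv\CertEnroll\*.crt
rem Copy those files to removable media here, then into \\ExamSheets2\PKI
rem from a connected computer. Repeat before the CRL expires.

rem --- On a connected computer: the subordinate CA's certificate must chain to
rem the root and every CDP/AIA URL in it must be fetchable.
certutil -verify -urlfetch \\ExamSheets2\PKI\ExamSheets2-SubCA.cer
```

Two caveats a practitioner hits immediately: the URLs are embedded in certificates at issuance, so any certificate the root issued before the change, ExamSheets2's subordinate CA certificate included, still carries the old local path and must be renewed; and a root CRL that is allowed to expire makes every certificate below it fail validation, which is why the publication date goes in the calendar.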
Question: 168
You are a network administrator for Examsheets.net. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003.
You install Certificate Services and configure an offline root certification authority (CA). You also
configure an enterprise subordinate CA in the domain.
Employees in the marketing department use a public key infrastructure (PKI) enabled application
to store secure marketing data. Employees require a certificate that supports client authentication
to gain access to this application. User objects for employees in the marketing department are
stored in an organizational unit (OU) named Marketing.
You create a Group Policy object (GPO) that configures users for autoenrollment, and you link
the GPO to the Marketing OU. You create a duplicate of the User certificate template named
Employee and assign permission to allow autoenrollment for users in the marketing department.
You configure the Employee template to prompt the user during enrolment.
An employee in the marketing department named David Lindberg reports that when he attempts
to use the marketing application, he receives a message stating that he does not have a client
authentication certificate. David is unable to use the marketing application. You examine David
Lindberg’s user object, shown in the exhibit.
**MISSING**
You need to ensure that David can use the marketing application.
What should you do?
A. Edit David Lindberg’s user object to include an e-mail address.
B. Add David Lindberg’s user object to the Exam Publishers domain local group.
C. On David Lindberg’s computer, use the Web enrolment tool to connect to the subordinate CA
and download a copy of the subordinate CA’s certificate.
D. On David Lindberg’s computer, use the Web enrolment tool to connect to the subordinate CA
and download the most recent certificate revocation list (CRL).
Answer: A
Explanation:
David has never received a certificate, so revocation is not the issue. Autoenrollment for a user
template is silent: the certificate is requested at logon or at Group Policy refresh using data from
the user's Active Directory object. The User template, and therefore the Employee duplicate made
from it, includes the e-mail name in the certificate's subject name and subject alternative name by
default. If the user object has no e-mail address, the request cannot be built and autoenrollment
fails for that user, logging an AutoEnrollment error in the Application log that says the e-mail
name is unavailable. The exhibit of the user object (not reproduced here) is what reveals the
missing attribute; adding an e-mail address lets autoenrollment complete at the next logon or
refresh, after which David has the client authentication certificate the application expects.
Incorrect answers:
B: Permission to autoenroll is granted on the template to the marketing users, which the question
states has been done; membership of a publishers group is not what blocks the request.
C: The subordinate CA's certificate is needed to build the chain, but an enterprise CA's certificate
is already published in Active Directory and distributed to domain members. David's problem is
the absence of his own certificate, not chain validation.
D: A CRL lists certificates that have been revoked. David's certificate was never issued, so the
latest CRL cannot help him.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 909
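The check and fix behind Question 168, as an added example that is not from the original page: confirm whether the user object carries the mail attribute the Employee template's subject name needs, set it, and then trigger and verify autoenrollment from the user's Windows XP workstation. The distinguished name, the e-mail address and the Marketing OU path are assumptions; dsget and dsmod are the Windows Server 2003 directory command-line tools, and certutil -user -store is assumed to be available on the workstation.

```batch
@echo off
rem Added example, not from the original page. DN and address assumed.
set USERDN="CN=David Lindberg,OU=Marketing,DC=Examsheets,DC=net"

rem --- On a domain controller or an administrator's station with the AD tools.
rem An empty "email" column here is the classic cause of a silent autoenrollment
rem failure for any template that includes the e-mail name in the subject
rem (the User template and every duplicate of it do so by default).
dsget user %USERDN% -email
dsmod user %USERDN% -email david.lindberg@examsheets.net
dsget user %USERDN% -email

rem --- On the user's workstation, logged on as the user.
rem Autoenrollment runs at logon and at the Group Policy refresh interval;
rem forcing a refresh makes it run now (the template prompts the user, so
rem the enrollment balloon must be clicked through).
gpupdate /target:user /force

rem The personal store should now hold a certificate from the Employee template.
certutil -user -store my | findstr /i "Employee Issuer"
```

If the store is still empty, the Application log on the workstation is the next stop: the AutoEnrollment source records why the request was not built or was rejected, and a message about the e-mail name being unavailable means the attribute change has not replicated to the domain controller the client is using yet.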
Question: 169
You are a network administrator for a consulting company. You need to create a wireless network
that will be used by consultants from your company at a customer location.
The wireless network will consist of nine portable computers, three servers, and four wireless
digital cameras. All computers and cameras can use either static or dynamic IP addressing. The
cameras do not support data encryption. Both the portable computers and the servers must be
able to initiate communication over the Internet to VPN servers in your company's main data
center. Only the wireless access point is connected to the customer's corporate network.
You need to plan the wireless IP network so that it minimizes the risk of unauthorized use of the
wireless network and prevents unsolicited communication from the Internet to the hosts on the
network. What should you do?
Answer:
**MISSING**
Explanation:
The work-area answer is not reproduced in this copy. The design points it rests on: Network
Address Translation (NAT) lets many LAN hosts share a single public IP address and Internet
connection by rewriting the addressing information in packets, and a NAT device creates a
translation entry only for a connection that originates inside. Placing the portable computers,
servers and cameras on a private address range behind a NAT-enabled wireless access point
therefore lets the computers and servers initiate their VPN connections to the main data center,
while unsolicited traffic from the Internet has no inside host it can be delivered to. Using static
addresses, with no DHCP service on the wireless network, means a stranger who associates with
the access point does not automatically receive a usable address, which raises the bar for
unauthorized use; it is not a substitute for wireless encryption, which the cameras rule out for this
network.
Reference:
James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003
Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc.,
Alameda, 2004.
Question: 170
You are the network administrator for Examsheets.net. The network contains an application
server running Windows Server 2003.
Users report that the application server intermittently responds slowly. When the application
server is responding slowly, requests that normally take 1 second to complete take more than 30
seconds to complete. You suspect that the slow server response is because of high broadcast
traffic on the network.
You need to plan how to monitor the application server and to have a message generated when
broadcast traffic is high. You also want to minimize the creation of false alarms when
nonbroadcast traffic is high.
What should you do?
A. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert trigger
when the Datagrams/sec counter in the UDPv4 object is high.
B. Use System Monitor and configure it to monitor the Segments/sec counter in the TCPv4
object.
C. Use System Monitor and configure it to monitor the Datagrams/sec counter in the UDPv4
object.
D. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert to
trigger when the Datagrams/sec counter in the TCPv4 object is high.
Answer: A
Explanation:
Performance Logs And Alerts is an MMC snap-in that uses System Monitor’s performance
counters to capture information to log files over a long period of time. Although the Performance
console works well when systems are actively performing poorly, when you can’t wait around, you
can set up triggers using the Performance console to catch bad systems in action.
UDPv4 is one of the performance objects that provide network traffic monitoring capabilities. It
monitors the number of User Datagram Protocol (UDP) packets the computer transmits and
receives. Service applications, such as the Domain Name System (DNS) and the Dynamic Host
Configuration Protocol (DHCP), typically use UDP for client–server communications.
Incorrect Answers:
B: TCPv4 tracks the number of successful and failed Transmission Control Protocol (TCP)
connections.
C: An alert needs to be configured as well, to prevent false alarms.
D: Datagrams/sec counter is found in the UDPv4 object.
Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond,
Washington, 2004, p. 6: 6
Question: 171
You are the network administrator for Examsheets.net. The network consists of a single Active
Directory domain named Examsheets.net. All servers run Windows Server 2003. All client
computers run Windows XP Professional. The network also contains 10 network printers. All
servers have manually configured IP addresses. The client computers and network printers
receive their TCP/IP configuration information from a DHCP server.
ExamSheets IP policy states that each of the network printers will always be configured with the
same IP address. You configure a DHCP server and create a DHCP scope as shown in the
exhibit.
Users report that they cannot submit print jobs to any of the network printers. You investigate and
discover that none of the network printers are receiving their IP addresses from the DHCP server.
You need to ensure that the network printers receive their IP addresses from DHCP.
What should you do?
A. Remove the IP address reservations for the network printers from the DHCP scope.
B. Delete the IP address exclusion range for the network printers from the DHCP scope.
C. Add the 009 LPR Servers option to the DHCP server options.
D. Enable address conflict detection on the DHCP server.
Answer: B
Explanation:
An exclusion range is a set of one or more IP addresses, included within the range of a defined
scope, that you do not want to lease to DHCP clients. Exclusion ranges ensure that the server
does not offer any addresses in these ranges to DHCP clients on your network.
Therefore, you would want to perform the action described in “B”, so that ExamSheets IP policy is
adhered to.
Incorrect Answers:
A: Address reservations in DHCP allow devices to always receive the same address.
C: There are no LPR Servers mentioned in the question.
D: Address conflict detection is an optional server-side mechanism for detecting whether a scope
IP address is already in use on the network.
Reference:
J. C. Mackin, and Ian McLean MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Chapter 7.
Deborah Littlejohn Shinder, and Dr. Thomas W. Shinder; Implementing, Managing, and
Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System.
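The netsh dhcp commands behind answer B, added here as an example rather than taken from the cited study guides: remove the exclusion range that stops the server offering the printer addresses, then make sure each printer has a reservation so the IP policy (same address every time) still holds. The DHCP server name, scope, addresses and MAC addresses are constructed placeholders.

```powershell
# Added example (not from the original Q&A). Run on a machine with the DHCP
# administration tools; netsh dhcp is built into Windows Server 2003.
$DhcpServer = '\\DHCP1'      # placeholder DHCP server
$Scope      = '10.10.1.0'    # placeholder scope network ID

# 1. Look at what the scope withholds. An exclusion range means the server
#    never offers those addresses, so a printer whose address falls inside it
#    gets no lease at all (the symptom in the question).
netsh dhcp server $DhcpServer scope $Scope show excluderange

# 2. Delete the exclusion range covering the printer addresses (answer B).
netsh dhcp server $DhcpServer scope $Scope delete excluderange 10.10.1.50 10.10.1.59

# 3. Give each printer a reservation keyed to its MAC address. A reservation is
#    the supported way to pin a DHCP client to one address; the address must
#    lie inside the scope and must not be excluded. MACs are constructed.
$Printers = @{
    'PRN-01' = @{ Ip = '10.10.1.50'; Mac = '00AABBCC0001' }
    'PRN-02' = @{ Ip = '10.10.1.51'; Mac = '00AABBCC0002' }
}
foreach ($name in $Printers.Keys) {
    $p = $Printers[$name]
    # Syntax: add reservedip <IP> <MAC> [ClientName] [Comment] [DHCP|BOOTP|BOTH]
    netsh dhcp server $DhcpServer scope $Scope add reservedip $p.Ip $p.Mac $name "Network printer" DHCP
}

# 4. Verify the reservations are in place before asking users to retry.
netsh dhcp server $DhcpServer scope $Scope show reservedip
```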
Question: 172
You are a network administrator for Examsheets.net. The network consists of a Windows NT 4.0
domain.
All servers run Windows NT Server 4.0 and all client computers run Windows NT Workstation 4.0.
ExamSheets has two offices that are connected by a 56-Kbps WAN connection. All computers
are configured to use WINS for name resolution and network browsing capability between the two
offices.
ExamSheets is planning to upgrade the domain controllers to Windows Server 2003 and to
deploy Windows Server 2003 and Windows XP Professional computers. You need to maintain
name resolution and network browsing support during and after the upgrade process.
You need to allow users of Windows NT Workstation 4.0 and Windows XP Professional
computers to browse and connect to both Windows NT Server 4.0 and Windows Server 2003
computers. You need to minimize name resolution traffic across the WAN connection.
What should you do?
A. Install a Windows Server 2003 DNS server at each office.
Configure all Windows NT Workstation 4.0 and Windows NT Server 4.0 computers to use both
WINS and DNS for name resolution.
Configure all Windows Server 2003 computers to use WINS.
B. Install a Windows Server 2003 DNS server at only one office.
Configure all Windows NT Workstation 4.0 and Windows NT Server 4.0 computers to use both
WINS and DNS for name resolution.
Configure all Windows Server 2003 computers to use WINS
C. Upgrade the WINS servers at each office to Windows Server 2003.
Install a Windows Server 2003 DNS server at only one office and configure it to use WINS
lookup.
Configure all Windows Server 2003 computers to use WINS.
D. Upgrade the WINS servers at each office to Windows Server 2003.
Install a Windows Server 2003 DNS server at each office.
Configure each DNS server to use WINS lookup.
Configure all Windows Server 2003 computers to use WINS.
Answer: A
Explanation:
A DNS server provides host name resolution by translating host names to IP addresses (forward
lookups) and IP addresses to host names (reverse lookups).
WINS provides computer name resolution by translating NetBIOS names to IP addresses. It is
not necessary to install Windows Internet Name Service (WINS) unless you are supporting legacy
operating systems, such as Windows 95 or Windows NT.
Operating systems such as Windows 2000 and Windows XP do not require WINS, although
legacy applications on those platforms may very well require NetBIOS name resolution.
Incorrect Answers:
B: The question requires name resolution and network browsing support, during and after the
upgrade process, to be maintained in both offices.
C, D: There is no need to upgrade any of the servers, because NetBIOS name resolution already
supports computers running earlier versions of Windows. Furthermore, configuring WINS lookup
on the DNS servers will not minimize name resolution traffic across the WAN connection.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4: 41
Question: 173
You are the network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. The network contains 10 application servers that run
Windows Server 2003.
The application servers are accessed from the ExamSheets network and from the Internet. The
network design requires that the application servers must have specifically configured security
settings, including the password policy, audit policies, and security options settings. You create a
security template named App.inf that contains the security settings required by the network
design. You are concerned that an unauthorized user will modify the configuration and gain
access to the application servers. You want to capture any changes made to the security settings
of the application servers.
You need to generate a report that compares the current settings of each application server with
the required settings every 24 hours.
What should you do?
A. Use a Group Policy startup script to run the secedit command in analysis mode with the
App.inf template, and set the Group Policy refresh interval for computers to 24 hours.
B. Import the App.inf template into Group Policy, and set the Group Policy refresh interval for
computers to 24 hours.
C. Use Task Scheduler to run the gpresult command in verbose mode every 24 hours.
D. Use a custom script in Task Scheduler to run the secedit command in analysis mode with the
App.inf template every 24 hours.
Answer: D
Explanation: Secedit.exe is a command line version of the Security Configuration and Analysis
tool. In ‘analysis’ mode, this tool can be used to compare the current system settings with the
required settings. We can use the Task Scheduler to run a script that runs secedit.exe to analyse
the current settings.
Incorrect Answers:
A: A Group Policy startup script will only run when the computer starts up. It does not run every
time the group policy is refreshed.
B: This will reapply the required settings every 24 hours, but the question states that you want to
capture any changes by comparing the current settings to the required settings.
C: The gpresult utility is a command line version of the RSoP utility. In verbose mode, it will list
the effective policies on a computer. However, it won’t list the differences between the current
settings and the required settings.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 10:44
Question: 174
You are the network administrator for ExamSheets. ExamSheets is deploying a public Web
server farm on Windows Server 2003 computers. This Web server farm will allow the public to
view company information. The Web servers in the Web server farm will be placed in ExamSheets’s
perimeter network, which uses a public Internet address space.
network, which uses a public Internet address space.
ExamSheets wants to reduce the probability of external unauthorized users breaking into the
public Web servers.
You need to make the Web servers less vulnerable to attack. You also want to ensure that the
public will be able to view information that is placed in ExamSheets’s perimeter network.
What should you do?
A. Configure each Web server’s IP address to a private reserved Internet address.
B. Configure the Web servers to allow only IPSec communications.
C. Disable any unneeded services on the Web servers.
D. Disable TCP/IP filtering on all adapters in the Web servers.
Answer: C
Explanation: We should disable any unneeded services on the Web servers. This includes
unneeded web services and unneeded server services. This will also ensure that no unnecessary
ports are open on the servers.
Reducing the Attack Surface of the Web Server
Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web
server is configured to serve only static content. If your Web sites consist of static content and
you do not need any of the other IIS components, then the default configuration of IIS minimizes
the attack surface of the server. When your Web sites and applications contain dynamic content,
or you require one or more of the additional IIS components, you will need to enable additional
features. However, you still want to ensure that you minimize the attack surface of the Web
server. The attack surface of the Web server is the extent to which the server is exposed to a
potential attacker.
However, if you reduce the attack surface of the Web server too much, you can eliminate
functionality that is required by the Web sites and applications that the server hosts. You need to
ensure that only the functionality that is necessary to support your Web sites and applications is
enabled on the server. This ensures that the Web sites and applications will run properly on your
Web server, but that the attack surface is minimized.
Incorrect Answers:
A: The public web servers need public IP addresses.
B: You can’t use IPSec on public web servers. No one would be able to access the web pages.
D: TCP/IP filtering should be enabled, not disabled.
Reference:
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70- 294): Que Publishing, Indianapolis, 2004, Chapter 1
MS Windows Server 2003 Deployment Kit
Deploying Internet Information Services (IIS) 6.0
Reducing the Attack Surface of the Web Server
Question: 175
You are a consultant for several different companies. You design the security policies for the
computers running Windows 2003 Server and Windows 2000 Professional in your customers'
networks. You use these security policies to configure a server named Server1. You want to
deploy the security configuration on Server1 to computers in your customer's networks by using
the least amount of administrative effort.
What should you do first?
A. Create a Group Policy Object (GPO) that configures the security settings for all computers to
match the settings on Server1, and then link the GPO to the domain.
Export the console list to a file.
B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security
template in a file.
C. In the System Information snap-in, save the system summary as a system information file.
D. In the Security Templates snap-in, export the console list to a file.
Answer: B
Explanation:
We can use the Security Configuration and Analysis snap-in to export all the security settings
from a computer to a template file. This will enable us to apply the same security settings to other
computers. We can apply the template to other computers either by using the Security
Configuration and Analysis snap-in (for single computers) or by importing the template into a
group policy object (for multiple computers).
Incorrect Answers:
A: You have already manually configured the settings on Server1. It would be quicker to export
them to a template file, rather than manually enter the settings into a GPO.
C: The system summary does not contain the security settings.
D: The console list does not contain the security settings.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, pp. 13-57 to 13-65, 13- 70-13-80.
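A worked version of both secedit answers, added here as an example and not taken from the training kit: the export from question 175 (capture Server1's settings as a template) and the scheduled read-only comparison from question 173 (App.inf against the live server every 24 hours). The paths, database and task names are assumptions, and the "Mismatch" marker is assumed from English-locale secedit log output.

```powershell
# Added example (not from the original Q&A). secedit.exe is built into
# Windows Server 2003; all file paths below are placeholders.

# Question 175: on the reference server (Server1), export its current security
# settings to a template. The .inf can then be imported into a GPO for many
# computers or applied to one computer with "secedit /configure".
function Export-BaselineTemplate {
    param([string]$TemplatePath = 'C:\Security\Server1-baseline.inf')  # placeholder
    secedit /export /cfg $TemplatePath /quiet
    return $TemplatePath
}

# Question 173: compare the live settings with the required template and return
# every setting that differs. /analyze is read-only: it loads the template into
# the database, compares, and writes the result to the log without changing
# the server, which is exactly the "capture changes" requirement.
function Test-SecurityDrift {
    param(
        [string]$TemplatePath = 'C:\Security\App.inf',          # template named in the question
        [string]$Db           = 'C:\Security\App.sdb',          # placeholder analysis database
        [string]$Log          = 'C:\Security\App-analysis.log'  # placeholder log
    )
    secedit /analyze /db $Db /cfg $TemplatePath /log $Log /overwrite /quiet
    # Assumption: English-locale secedit marks deviating settings with "Mismatch".
    Select-String -Path $Log -Pattern 'Mismatch' -SimpleMatch |
        ForEach-Object { $_.Line.Trim() }
}

$drift = @(Test-SecurityDrift)
if ($drift.Count -gt 0) {
    $report = "C:\Security\App-drift-$(Get-Date -Format yyyyMMdd).txt"  # placeholder
    $drift | Out-File $report
    Write-Warning "$($drift.Count) setting(s) differ from App.inf; see $report"
}

# 24-hour cadence (answer D of question 173): save this file as
# C:\Security\Check-App.ps1 and register it once with Task Scheduler.
# Task name and time are placeholders.
#   schtasks /create /sc daily /st 02:00 /ru SYSTEM /tn "App.inf analysis" /tr "powershell.exe -NonInteractive -File C:\Security\Check-App.ps1"
```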
Question: 176
You are the network administrator for ExamSheets.net. ExamSheets has offices in New York,
Copenhagen, and Ankara. The network consists of a single Active Directory domain and three
sites. The sites are named NYsite, CopSite, and AnkSite.
ExamSheets is adding a new division at the New York office for publishing fiction books. You
create a new organizational unit (OU) named Fiction for the fiction division. You add a new
network segment and subnet for the fiction division. You plan to place new Windows XP
Professional computers for the fiction division in the new subnet. You also plan to add a new
domain controller to NYSite. You need to ensure that users in the fiction division use the domain
controllers in the New York office when logging on to the network.
What should you do?
A. Decrease the metric for the default gateway on the new Windows XP Professional computers.
B. Create a new subnet object for the new subnet.
Add the new subnet object to NYSite.
C. Configure the location attribute for the new Windows XP Professional computers to be NYSite.
D. Move the domain controller objects for the domain controllers in the New York office to the
Fiction OU.
Answer: B
Explanation:
Subnets can be associated with a site by using subnet objects. This will ensure that users on a
particular subnet log on to a domain controller in a particular site.
Incorrect Answers:
A: This won’t accomplish anything.
C: The location attribute is for information only. It will not link the computer to the site.
D: This will give the administrators of the Fiction OU control over the domain controllers in the
New York office. It won’t ensure that the users on the new subnet log on to the domain controller
in the New York office.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 2: 27-30
Question: 177
You are the network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. You configure a new Windows Server 2003 file server
named ExamSheetsSrv1. You restore user files from a tape backup, and you create a logon script
that maps drive letters to shared files on ExamSheetsSrv1. Users report that they cannot access
ExamSheetsSrv1 through the drive mappings you created. Users also report that ExamSheetsSrv1
does not appear in My Network Places. You log on to ExamSheetsSrv1 and confirm that the files
are present and that the NTFS permissions and share permissions are correct. You cannot
access any network resources. You run the ipconfig command and see the following output.
You need to configure the TCP/IP properties on ExamSheetsSrv1 to resolve the problem. What
should you do?
A. Add ExamSheets.net to the DNS suffix for this connection field.
B. Configure the default gateway.
C. Configure the DNS server address.
D. Configure a static IP address.
Answer: D
Explanation: The IP address shown in the exhibit is an APIPA (automatic private IP addressing)
address. This means that the server is configured to use DHCP for its IP configuration but is
unable to contact a DHCP server (a likely cause for this is that there isn’t a DHCP server on the
network). We can fix the problem by configuring a static IP address in the same IP range as the
rest of the network.
Incorrect Answers:
A: A DNS suffix isn’t necessary.
B: A default gateway isn’t necessary unless this is a routed network.
C: The server not having a DNS server address wouldn’t prevent clients connecting to the server.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4:59
Question: 178
You are the network administrator for ExamSheets.net. The network consists of a single Active
Directory forest that contains three domains. Each domain contains domain controllers that run
Windows 2000 Server and domain controllers that run Windows Server 2003. The DNS Server
service is installed on all domain controllers. All client computers run Windows XP Professional.
You need to add an additional DNS zone that is hosted on at least one DNS server on each
domain. You want to configure the zone to allow secure updates only.
What should you do?
A. Configure the new zone on DNS servers in the root domain.
Configure stub zones that refer to DNS servers in another two domains.
B. Configure the new zone as a primary zone on one DNS server.
Configure other DNS servers in the three domains as secondary servers for this zone.
Enable the DNS Security Extensions (DNSSEC) protocol.
C. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three
domains. Store the zone data in the DNS directory partition named DomainDNSZones.
D. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three
domains.
Store the zone data in the DNS directory partition named ForestDNSZones.
Answer: D
Explanation:
To enable secure updates, we need an Active Directory integrated zone. To replicate to the DNS
servers in the other domains, the zone must be installed on a Windows 2003 domain controller in
each domain. During the configuration of the zone, you can select the option to replicate the zone
information to all domain controllers in the forest; this will store the zone data in the DNS directory
partition named ForestDNSZones.
Incorrect Answers:
A: We need Active Directory integrated zones, not stub zones.
B: Secondary zones are not writeable and so cannot accept updates.
C: If we store the zone data in the DNS directory partition named DomainDNSZones, it will only
be replicated in a single domain, not the entire forest.
References:
J.C. Mackin & Ian McLean, MCSA/MCSE self-paced training kit (Exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, pp. 5-25, 6-22.
Question: 179
You are the network administrator for ExamSheets. The network consists of two physical subnets
connected by a hardware-based router. Each subnet contains two domain controllers running
Windows 2000 Advanced Server. All other servers run Windows 2000 server.
ExamSheets is in the process of migrating to a Windows Server 2003 Active Directory domain-based
network. You plan to install two new Windows Server 2003 computers as domain controllers in
the domain. The migration plan does not currently allow for upgrading the Windows 2000 domain
controllers or changing any operations master roles.
Currently, host name resolution is performed by one of the Windows 2000 domain controllers that
is running the DNS Server service. The DNS server hosts a standard primary zone for the
domain. The migration plan requires that the DNS zone must be implemented as an Active
Directory-integrated zone. You need to redesign the DNS infrastructure to comply with the
requirements of the migration plan. You need to ensure that the Active Directory-integrated zone
will be loaded and hosted on all domain controllers.
What should you do?
A. Configure the zone replication scope to replicate the zone to all DNS servers in the Active
Directory forest.
B. Configure the zone replication scope to replicate the zone to all DNS servers in the Active
Directory domain named ExamSheets.net.
C. Configure the zone replication scope to replicate the zone to all domain controllers in the
Active Directory domain named ExamSheets.net.
D. Configure the zone replication scope to replicate the zone to all domain controllers specified
for a separate DNS application directory partition.
Answer: C
Explanation:
The question states that you need to ensure that the Active Directory-integrated zone will be
loaded and hosted on all domain controllers. This is the only answer that states “all domain
controllers”. This option replicates zone data to all domain controllers in the Active Directory
domain. If you want Windows 2000 DNS servers to load an Active Directory zone, this setting
must be selected for that zone.
Incorrect Answers:
A, B: These options suggest that zone replication scope should be replicated to all DNS servers
in the forest and in the domain respectively. This is contradictory to what is required if you are to
ensure that the Active Directory-integrated zone is to be loaded and hosted on all domain
controllers.
D: Zone replication should be configured to replicate the zone to all domain controllers in the
Active directory domain and not for a specified separate DNS application directory partition.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows
Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4: 36
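The dnscmd equivalents of the replication-scope choices in questions 178 and 179, added here as an example and not taken from the training kits: a forest-wide AD-integrated zone restricted to secure updates, and a zone kept in the domain partition so that Windows 2000 domain controllers can still load it. The server and zone names are placeholders; the commands assume a Windows Server 2003 DNS server where dnscmd.exe is available.

```powershell
# Added example (not from the original Q&A). Placeholders: $Dns and the zone names.
$Dns = 'DC1.ExamSheets.net'   # placeholder: a Windows Server 2003 DC running DNS

# --- Question 178: forest-wide zone that accepts secure updates only ---------
# /DsPrimary makes the zone Active Directory-integrated. /DP /forest stores it
# in the ForestDnsZones application partition, replicated to every DNS server
# that is a domain controller in the forest (answer D). /DP /domain would stop
# at DomainDnsZones, i.e. one domain only (option C).
dnscmd $Dns /ZoneAdd apps.ExamSheets.net /DsPrimary /DP /forest

# AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
# Value 2 is available only for AD-integrated zones, which is why a secondary
# zone (option B) cannot satisfy "secure updates only".
dnscmd $Dns /Config apps.ExamSheets.net /AllowUpdate 2

# --- Question 179: zone that Windows 2000 domain controllers must also load ---
# Windows 2000 DNS cannot read application partitions, so the zone must live in
# the domain partition itself, replicated to all domain controllers in the
# domain (answer C); dnscmd calls that scope /legacy. In the question the
# existing standard primary zone is converted in the DNS console on its server;
# this line shows the same scope when the AD-integrated zone is created on a
# Windows Server 2003 DC.
dnscmd $Dns /ZoneAdd ExamSheets.net /DsPrimary /DP /legacy
# For a zone that is already AD-integrated, move it rather than re-create it:
#   dnscmd $Dns /ZoneChangeDirectoryPartition ExamSheets.net /legacy

# --- Verify: AD-integrated zones and the per-zone settings ------------------
dnscmd $Dns /EnumZones /Ds
dnscmd $Dns /ZoneInfo apps.ExamSheets.net
dnscmd $Dns /ZoneInfo ExamSheets.net
```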
Question: 180
You are the network administrator for Contoso, Ltd. The network consists of a single Active
Directory forest. The functional level of the forest is Windows Server 2003. The forest root domain
is contoso.com. Contoso, Ltd., recently merged with another company named ExamSheets,
whose network consists of a single Active Directory forest. The functional level of the
ExamSheets forest is Windows Server 2003. The forest root domain for ExamSheets is
ExamSheets.net. You need to create a forest trust relationship between the two forests. Each
company has dedicated connections to the Internet. You need to configure DNS to support the
forest trust relationship. You want to maintain Internet name resolution capability for each
company’s network.
What should you do?
A. Configure the contoso.com DNS servers to forward to the ExamSheets.net DNS servers.
Configure the ExamSheets.net DNS servers to forward to the contoso.com DNS servers.
B. Configure conditional forwarding of ExamSheets.net on the contoso.com DNS servers to the
ExamSheets.net DNS servers.
Configure conditional forwarding of contoso.com on the ExamSheets.net DNS servers to the
contoso.com DNS servers.
C. Configure a standard primary zone for ExamSheets.net on one of the contoso.com DNS
servers.
Configure a standard primary zone for contoso.com on one of the ExamSheets.net DNS servers.
D. Configure an Active Directory-integrated zone for ExamSheets.net on the contoso.com DNS
servers. Configure an Active Directory-integrated zone for contoso.com on the ExamSheets.net
DNS servers.
Answer: B
Explanation:
A conditional forwarder is a DNS server on a network that is used to forward DNS queries
according to the DNS domain name in the query. For example, a DNS server can be configured
to forward all the queries it receives for names ending with widgets.example.com to the IP
address of a specific DNS server or to the IP addresses of multiple DNS servers.
Incorrect Answers:
A: We don’t want ALL resolution requests to be forwarded to the other DNS servers.
C: We can’t host primary zones on multiple servers.
D: We can’t host Active Directory-integrated zones on DNS servers in different forests.
References:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-58, 4-61.
Question: 181
You are the network administrator for Acme. The network consists of a single Active Directory
forest root domain named acme.com. The functional level of the forest is Windows Server 2003.
A Windows Server 2003 domain controller named DC1.acme.com is the Active Directory-integrated DNS server for acme.com. All servers and client computers in the acme.com domain
use DC1.acme.com as their DNS server for name resolution.
Acme acquires a company named ExamSheets. The ExamSheets network consists of a single
Active Directory forest root domain named ExamSheets.net. The functional level of this domain is
Windows Server 2003.
A Windows Server 2003 domain controller named DC1.ExamSheets.net is the Active Directory-integrated DNS server for ExamSheets.net. All servers and client computers in the
ExamSheets.net domain use DC1.ExamSheets.net as their DNS server for name resolution.
You create a two-way forest trust relationship with forest-wide authentication between acme.com
and ExamSheets.net.
You need to ensure that all users in both companies can log on to both forest root domains. You
need to achieve this goal without adversely affecting Internet access.
What should you do?
A. Set the Stub Zone as the zone type for the acme.com domain on DC1.acme.com and for the
ExamSheets.net domain on DC1.ExamSheets.net.
B. Select the Do not use recursion for this domain check box on DC1.ExamSheets.net and on
DC1.acme.com.
C. Add the fully qualified domain name (FQDN) and the IP address of DC1.ExamSheets.net to
the Root hints list in DC1.acme.com.
Add the FQDN and the IP address of DC1.acme.com to the Root hints list on
DC1.ExamSheets.net.
D. Configure conditional forwarding on DC1.acme.com to forward all requests for resources in the
ExamSheets.net domain to DC1.ExamSheets.net.
Configure conditional forwarding on DC1.ExamSheets.net to forward all requests for
resources in the acme.com domain to DC1.acme.com.
Answer: D
Explanation:
To log on to a computer in acme.com with a user account in ExamSheets.net, the acme.com
DNS server needs to be able to locate a domain controller in ExamSheets.net to authenticate the
login. You can use conditional forwarding, which enables a DNS server to forward DNS queries
based on the DNS domain name in the query. Conditional forwarding in Windows Server 2003
DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to
different servers based on the domain name.
Incorrect Answers:
A: A stub zone is a copy of a zone containing only those resource records necessary to identify
the authoritative DNS servers for the master zone.
B: Recursion is the process of a DNS server querying other DNS servers on behalf of an original
querying client. If recursion is disabled, the client performs iterative queries by using root hint
referrals from the DNS server. Iteration refers to the process of a DNS client making repeated
queries to different DNS servers.
C: Root hints is a list of preliminary resource records used by the DNS service to locate servers
authoritative for the root of the DNS domain namespace tree.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering
Windows Server 2003, Sybex Inc., Alameda, 2003, p. 451.
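The conditional forwarders chosen in questions 180 and 181, added here as an example and not taken from the cited books: each forest's DNS server forwards only the partner's domain to the partner's DNS server, so Internet resolution keeps using root hints. The server names are those in question 181; the IP addresses are constructed placeholders.

```powershell
# Added example (not from the original Q&A). Run on each company's own DNS
# server (Windows Server 2003); the partner addresses below are placeholders.

# A conditional forwarder is a zone of type "Forwarder": queries for names in
# that zone go to the listed servers, everything else still follows the
# server's normal path (root hints or the general forwarders), so Internet
# name resolution is unaffected (answer B / answer D).
dnscmd DC1.acme.com       /ZoneAdd ExamSheets.net /Forwarder 192.0.2.10    /Timeout 5
dnscmd DC1.ExamSheets.net /ZoneAdd acme.com       /Forwarder 198.51.100.10 /Timeout 5

# Check from the acme.com side that the forest trust can locate a partner
# domain controller: logon uses the _ldap SRV record under _msdcs.
nslookup -type=SRV _ldap._tcp.dc._msdcs.ExamSheets.net DC1.acme.com

# Contrast with option A of question 180: a server-wide forwarder sends EVERY
# query the server cannot answer itself, Internet names included, to the
# partner, which is what the question rules out. Shown only for comparison.
#   dnscmd DC1.acme.com /ResetForwarders 192.0.2.10
```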
Question: 182
You are the system engineer for ExamSheets. The network consists of a single Active Directory
domain named ExamSheets.net. All servers run Windows Server 2003. The network is connected
to the Internet by a dedicated T3 line.
ExamSheets enters into a partnership with another company for a new project. The partner
company’s network consists of a single Active Directory forest that contains two domains. All
servers in the network run Windows Server 2003. The partner network is also connected to the
Internet by a dedicated T3 line. The partner network is accessible by a VPN connection that was
established between the two networks. The VPN connection was tested and was verified to
provide a functional connection between the two networks.
Users from both companies need to connect to resources located on another network. A forest
trust relationship exists between the two companies’ forests to allow user access to resources.
Users in your company report that they can access resources on the partner network, but that it
can take up to several minutes for the connection to be established. This problem is most
pronounced during the morning. You verify that there is sufficient available bandwidth on the
connection between the two networks to provide access. You also verify that both networks’
routing tables are configured correctly to route requests to the appropriate destinations. When
you attempt to connect to a server in the partner network by host name by using the ping
command, the connection times out. However, when you attempt to connect to the server a
second time by IP address by using the ping command, you receive a response within a few
seconds. You need to improve the performance of the network connection between the two
networks. What should you do?
A. Add the partner network’s domain names and DNS server addresses to the forwarders list on
your DNS servers.
B. Update the root hints list on your DNS servers to include the host names and IP addresses of
the partner network’s DNS servers.
C. Disable recursion on the DNS servers in both companies’ networks.
D. Add the partner network’s DNS server addresses to the 006 DNS Servers scope option in
your DHCP scope.
Answer: A
Explanation: It is taking a long time to locate resources on the other network. This is because
name resolution requests are being passed to the internet root servers, then down through the
internet DNS hierarchy before the request finally reaches the appropriate DNS server. We can
speed up this process by using conditional forwarding. This would enable resolution requests for
resources in the partner network to be forwarded directly to the partner’s DNS server.
Conditional forwarders
A conditional forwarder is a DNS server on a network that is used to forward DNS queries
according to the DNS domain name in the query. For example, a DNS server can be configured
to forward all the queries it receives for names ending with widgets.example.com to the IP
address of a specific DNS server or to the IP addresses of multiple DNS servers.
Incorrect Answers:
B: The root hints are used to locate internet root DNS servers.
C: This won’t help. It would mean that the internal DNS servers wouldn’t forward external
resolution requests to other DNS servers such as the root servers.
D: The partner network’s DNS servers would never be used unless the local DNS server failed.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering
Windows Server 2003, Sybex Inc. Alameda, 2003, p. 451
Question: 183
You are a network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. The network contains two Windows Server 2003
domain controllers named ExamSheetsA and ExamSheetsB, which both run the DNS Server
service. All of the resource servers on the network are DHCP clients, including a Windows Server
2003 file server named ExamSheetsC. The DNS configuration consists of a primary forward
lookup zone that allows dynamic updates on ExamSheetsA and a secondary zone on
ExamSheetsB. Users report that they cannot connect to ExamSheetsC. You discover that the IP
address that is associated with the host resource record for ExamSheetsC is assigned to a test
computer that is not a member of the domain. This computer is also named ExamSheetsC. You
need to configure DNS to ensure that A records resolve to the IP addresses of the computers that
made the original registration.
Which two actions should you take? (Each correct answer presents part of the solution. Choose
two.)
A. Configure the Secure Only dynamic updates setting on the forward lookup zone on
ExamSheetsA.
B. Configure the None dynamic updates setting on the forward lookup zone on ExamSheetsA.
C. Manually create A record entries for each server on ExamSheetsA.
D. Convert the zone type on ExamSheetsA to Active Directory-integrated.
E. Convert the zone type on ExamSheetsB to primary.
Answer: A, D
Explanation:
By configuring Secure only updates, only domain members can register their A records with DNS.
The zone is currently a primary zone; we need to convert the zone to Active Directory integrated
to enable “secure only” updates.
Incorrect Answers:
B: It is not necessary (or recommended) to disable dynamic updates on the zone.
C: This would only be necessary if we disabled dynamic updates on the zone.
E: You can’t have two primary zones for one domain.
Reference:
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering
Windows Server 2003, Sybex Inc. Alameda, 2003, p. 387
Question: 184
You are the network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. The network contains Windows Server 2003
computers and Windows XP Professional computers. The network also contains UNIX servers
and UNIX client computers. Many users share files on their client computers with other users. All
client computers also access shared resources on both the Windows Server 2003 computers and
the UNIX servers, which use a third-party Server Message Block (SMB) server product. The
written security policy for ExamSheets requires that SMB packet signing must be used whenever
possible.
You need to edit the Computer Configuration section of the Default Domain Policy Group Policy
object (GPO) to ensure that all computers in the domain meet the written security policy
requirement. Which two security settings should you enable?
To answer, select the appropriate security settings in the Group Policy Object Editor Results
Pane.
Answer:
Explanation:
All Windows operating systems support both a client-side SMB component and a server-side
SMB component. To take advantage of SMB packet signing, both the client-side SMB component
and server-side SMB component that are involved in a communication must have SMB packet
signing either enabled or required. For Windows 2000 and above, enabling or requiring packet
signing for client and server-side SMB components is controlled by the following four policy
settings:
• Microsoft network client: Digitally sign communications (always) - Controls whether or not
the client-side SMB component requires packet signing.
• Microsoft network client: Digitally sign communications (if server agrees) - Controls
whether or not the client-side SMB component has packet signing enabled.
• Microsoft network server: Digitally sign communications (always) - Controls whether or not
the server-side SMB component requires packet signing.
• Microsoft network server: Digitally sign communications (if client agrees) - Controls
whether or not the server-side SMB component has packet signing enabled.
If server-side SMB signing is required, a client will not be able to establish a session with that
server unless it has client-side SMB signing enabled. By default, client-side SMB signing is
enabled on workstations, servers, and domain controllers.
Similarly, if client-side SMB signing is required, that client will not be able to establish a session
with servers that do not have packet signing enabled. By default, server-side SMB signing is
enabled only on domain controllers.
If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that
have client-side SMB signing enabled.
Using SMB packet signing can impose up to a 15 percent performance hit on file service
transactions.
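The negotiation rules above can be checked mechanically. The following Python model is an added example, not part of the original study guide: it encodes the four policy settings, the Windows defaults quoted above, and the rule that a session fails only when one side requires signing and the other cannot sign. The third-party UNIX SMB server is a constructed stand-in that is assumed not to sign unless told otherwise; the function names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SmbSide:
    """Signing configuration of one SMB component (client-side or server-side)."""
    enabled: bool    # "Digitally sign communications (if ... agrees)"
    required: bool   # "Digitally sign communications (always)"

    def can_sign(self) -> bool:
        # A component that requires signing necessarily has it available.
        return self.enabled or self.required


def negotiate(client: SmbSide, server: SmbSide):
    """Return (session_established, signed) for a client/server pair,
    following the rules in the explanation above."""
    if client.required and not server.can_sign():
        return (False, False)   # client insists on signing, server cannot sign
    if server.required and not client.can_sign():
        return (False, False)   # server insists on signing, client cannot sign
    # Signing is negotiated only when both sides have it enabled or required.
    return (True, client.can_sign() and server.can_sign())


# Windows defaults described on the page: client-side signing enabled everywhere,
# server-side signing enabled only on domain controllers.
DEFAULT_CLIENT = SmbSide(enabled=True, required=False)
DEFAULT_SERVER_DC = SmbSide(enabled=True, required=False)
DEFAULT_SERVER_MEMBER = SmbSide(enabled=False, required=False)

# The four Group Policy settings and the side/attribute each one controls.
SETTINGS = {
    "Microsoft network client: Digitally sign communications (always)": ("client", "required"),
    "Microsoft network client: Digitally sign communications (if server agrees)": ("client", "enabled"),
    "Microsoft network server: Digitally sign communications (always)": ("server", "required"),
    "Microsoft network server: Digitally sign communications (if client agrees)": ("server", "enabled"),
}


def apply_settings(enabled_settings):
    """Client-side and server-side configuration that results when exactly the named
    settings are enabled by the GPO (the other settings are treated as disabled)."""
    sides = {"client": {"enabled": False, "required": False},
             "server": {"enabled": False, "required": False}}
    for name in enabled_settings:
        side, attr = SETTINGS[name]
        sides[side][attr] = True
    return SmbSide(**sides["client"]), SmbSide(**sides["server"])


def evaluate(enabled_settings, third_party_server_signs=False):
    """Outcome of a GPO choice on two paths: a domain client talking to a domain
    file server, and a domain client talking to the third-party UNIX SMB server
    (a constructed peer, assumed unable to sign unless third_party_server_signs is set)."""
    client, server = apply_settings(enabled_settings)
    unix_server = SmbSide(enabled=third_party_server_signs, required=False)
    return {
        "windows_to_windows": negotiate(client, server),
        "windows_to_unix": negotiate(client, unix_server),
    }


if __name__ == "__main__":
    whenever_possible = [
        "Microsoft network client: Digitally sign communications (if server agrees)",
        "Microsoft network server: Digitally sign communications (if client agrees)",
    ]
    always = [
        "Microsoft network client: Digitally sign communications (always)",
        "Microsoft network server: Digitally sign communications (always)",
    ]
    print("if agrees:", evaluate(whenever_possible))
    print("always:   ", evaluate(always))
```

Running it shows why "whenever possible" maps to the two "if ... agrees" settings: with those enabled, Windows-to-Windows sessions are signed and the UNIX server remains reachable unsigned, whereas enabling the two "always" settings breaks sessions to any server that cannot sign.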
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 9:13
Question: 185
You are the systems engineer for Acme Inc. The network consists of a single Active Directory
domain named acme.com. All servers run Windows Server 2003. The network is not currently
connected to the Internet.
Acme enters into a partnership with ExamSheets. The ExamSheets network consists of a single
Active Directory domain named ExamSheets-ad.com. All servers in the ExamSheets-ad.com
domain run Windows Server 2003. ExamSheets maintains a separate network that contains
publicly accessible Web and mail servers. These Web and mail servers are members of a DNS
domain named ExamSheets.net. The ExamSheets.net zone is hosted by a UNIX-based DNS
server running the latest version of BIND.
Both companies require that users from each company must be able to access resources in
either network. A new dedicated T1 line is established between the two offices to provide
connectivity. The Active Directory project team plans to create a forest trust relationship between
the two forests. Both companies’ written security policies state that resources located on the
internal network must never be exposed to the Internet. The ExamSheets written security policy
also states that the internal network’s DNS namespace must never be exposed to the Internet.
You need to plan a name resolution strategy for internetwork connectivity. You need to configure
both Windows Server 2003 DNS servers so that they comply with both companies’ requirements
and restrictions. Your plan must provide for minimal disruption of network connectivity in both
networks. What should you do?
A. Create a conditional forwarder on the acme.com DNS server to forward all requests for hosts
in the ExamSheets-ad.com domain to the ExamSheets-ad.com DNS server.
Create a conditional forwarder on the ExamSheets-ad.com DNS server to forward all requests for
hosts in the acme.com domain to the acme.com DNS server.
B. Create a conditional forwarder on the acme.com DNS server to forward all requests for hosts
in the ExamSheets-ad.com domain to the ExamSheets.net UNIX-based DNS server.
Configure the ExamSheets.net UNIX-based DNS server to forward all requests for hosts in the
acme.com domain to the acme.com DNS server.
C. Configure root hints on each Windows Server 2003 DNS server.
Configure each Windows Server 2003 DNS server to forward requests to the ExamSheets.net
UNIX-based DNS server.
D. Configure a secondary zone on the ExamSheets.net UNIX-based DNS server for each
company’s domain. Configure each company’s Windows Server 2003 DNS server to allow zone
transfers to only the ExamSheets.net UNIX-based DNS server.
Answer: A
Explanation:
If your internal network does not have a private root and your users need access to other
namespaces, such as a network belonging to a partner company, use conditional forwarding to
enable servers to query for names in other namespaces. Conditional forwarding in Windows
Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to
forward queries to different servers based on the domain name. Creating conditional
forwarders that work in both directions between the two companies, as described in this option,
results in the least disruption of connectivity while still complying with all the
requirements set out in the question.
Incorrect answers:
B: The first part of this option is correct; however, you should also configure a conditional
forwarder on the ExamSheets-ad.com DNS server to forward all requests to the ExamSheets.net
UNIX-based DNS server.
C: There is no need to configure root hints when you make use of conditional forwarders between
the two parties as suggested in option A.
D: If you make use of conditional forwarders, then you do not have to make use of secondary
zones. Secondary zone application as described in this option will also cause unnecessary
disruption in connectivity that can be avoided. Furthermore, conditional forwarders render
secondary zones obsolete.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4:34
Question: 186
You are the administrator of ExamSheets’s network, which links the main office and 15 branch
offices. The network contains 5,000 computers running Windows 2000 Professional and 180
computers running Windows 2000 Server.
The main office has two WINS servers, and each branch office has one WINS server. The WINS
servers in the branch offices are configured for push/pull replication with one of the WINS servers
in the main office. Both WINS servers in the main office are configured for push/pull replication
with each other. You enable periodic database consistency checking. You then notice an
increase in network traffic during the check periods. You need to reduce or eliminate the
additional traffic, while maintaining the integrity of the database records.
What should you do?
A. Configure all WINS servers to use the automatic partner configuration.
B. Disable periodic database consistency checking and manually perform consistency checking.
C. Increase the verification interval on each of the WINS servers.
D. Configure the DHCP client options for WINS so that the primary WINS servers are evenly
divided among the DHCP clients.
Answer: B
Explanation:
Periodic database consistency checking increases network traffic, so it should be disabled and
consistency checking performed manually instead.
Incorrect answers:
A: Making use of automatic partner configuration will not solve the problem as the question states
clearly that there is an increase in network traffic during check periods.
C: Increasing the verification interval on each of the WINS servers will result in an increase in
network traffic.
D: This option might compromise the integrity of the database records.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4:44-47
Question: 187
You are the administrator of the Woodgrove Bank company network. The network consists of a
single Active Directory domain. The network includes 10 domain controllers running Windows
Server 2003, 30 member servers running Windows Server 2003, 500 client computers running
Windows XP Professional and 200 client computers running Windows NT 4.0 Workstation.
WINS and DNS are used for name resolution. You log in to a member server named Server15.
You attempt to connect to another member server named Server5, but you are unable to connect.
You receive the following error message: “System error 67 has occurred. The network name
cannot be found”. To troubleshoot the problem, you try to ping Server5. The results are shown in
the exhibit.
You need to be able to connect to Server5 by host name and IP address.
What should you do? (Each correct answer presents a complete solution. Choose two.)
A. Open compmgmt.msc. Use the “Connect to another computer” option.
B. Open a command prompt on Server5. Run the nbtstat -RR command.
C. Open a command prompt on Server15. Run the ipconfig /flushdns command.
D. Open a command prompt on Server5. Run the ipconfig /renew command.
E. Open a command prompt on Server5. Run the ipconfig /registerdns command.
Answer: B, E
Explanation: Server5 does not respond to pings by DNS name or by IP address, which means that
either it is offline or its IP address has changed and it is still registered with the old address
(192.168.202.8). ipconfig /registerdns will register Server5 in DNS. The nbtstat -RR command will
re-register Server5 with WINS.
Incorrect answers:
A: This option will not work because you need to register the host name and IP address in
DNS.
C: ipconfig /flushdns flushes the DNS cache. Flushing the DNS cache is not the same as
registering.
D: ipconfig /renew attempts to renew the DHCP lease. This is not what is required. The host
name and IP address have to be registered for you to be able to connect to Server5 by either of the
two.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4:60
Question: 188
You are a network administrator for ExamSheets.net. The network consists of a single Active
Directory domain named ExamSheets.net. The domain contains three sites named MainOffice,
EastCoast, and WestCoast. Each site contains four domain controllers and 100 client computers.
One server in the EastCoast site is named ExamSheets1. All DNS servers contain Active
Directory-integrated zones. Other administrators report that they cannot connect to ExamSheets1
when attempting to perform Active Directory administration. They report they can perform these
tasks locally at ExamSheets1. You verify that Server1 is operational and that file and print
resources are accessible by using the host name. You need to ensure that administrators can
perform Active Directory administration on ExamSheets1 without requiring physical access to the
server.
What should you do?
A. On Server1, force registration of DNS hosts resource records.
B. On Server1, restart the Net Logon service.
C. Install DNS on ExamSheets1.
D. Configure ExamSheets as a local bridgehead server for the EastCoast site.
Answer: B
Explanation:
ExamSheets1 is a domain controller. We know this because administrators are trying to perform
Active Directory administration on ExamSheets1. File and print resources on ExamSheets1 are
accessible by using the host name. This means that the A records are present in DNS. The
problem in this question is that the SRV records are missing. We need to restore the SRV records in
DNS. The Net Logon service on a domain controller registers the DNS resource records required
for the domain controller to be located in the network every 24 hours. To initiate the registration
performed by Net Logon service manually, you can restart the Net Logon service.
Incorrect Answers:
A: File and print resources on ExamSheets1 are accessible by using the host name. This means
that the A records are present in DNS.
C: It is not necessary to install DNS on ExamSheets1.
D: ExamSheets1 does not need to be a bridgehead server to enable the administrators to access
it.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4:12
Question: 189
You are the network administrator for ExamSheets.net. The network consists of a single Active
Directory forest that contains one domain named ExamSheets.net.
You need to deploy a new domain named NA.ExamSheets.net as a child domain of
ExamSheets.net.
You install a new stand-alone Windows Server 2003 computer named ES1. You plan to make
ES1 the first domain controller in the NA.ExamSheets.net domain. You configure ES1 with a
static IP configuration. You run the Active Directory Installation Wizard on ES1. The wizard
prompts you for the network credentials to use to join the NA.ExamSheets.net domain to
ExamSheets.net.
You receive an error message stating that a domain controller in the ExamSheets.net domain
cannot be located. You need to be able to promote ES1 to a domain controller as the first domain
controller of the child domain in the existing forest.
What should you do?
A. Configure the client WINS settings on ES1 to use a WINS server that contains entries for the
ExamSheets.net domain controllers.
B. Configure the client DNS settings on ES1 to use a DNS server that is authoritative for the
ExamSheets.net domain.
C. Configure the DNS Server service on ES1 to have a zone for NA.ExamSheets.net.
D. Configure ES1 to be a member server in the ExamSheets.net domain.
Answer: B
Explanation:
This is typically the effect of a DNS problem because the client (in this case a member server)
can't locate the SRV records of a domain.
The process needs to contact the DNS server that is authoritative for the parent domain that you
want to make a child domain in.
First, in the Active Directory installation wizard, you specify the DNS name of the Active Directory
domain for which you are promoting the server to become a domain controller. Later in the
installation process, the wizard tests for the following:
Based on its TCP/IP client configuration, it checks to see whether a preferred DNS server is
configured. If a preferred DNS server is available, it queries to find the primary authoritative
server for the DNS domain you specified earlier in the wizard.
It then tests to see whether the authoritative primary server can support and accept dynamic
updates as described in the DNS dynamic update protocol.
If, at this point in the process, a supporting DNS server cannot be located to accept updates for
the specified DNS domain name you are using with Active Directory, you are provided with the
option to install the DNS Server service.
Incorrect Answers:
A: WINS is used for name resolution for down level clients. ES1 is a Windows Server 2003
computer.
C: NA.ExamSheets.net does not yet exist.
D: We want to install ES1 as a domain controller for the NA.ExamSheets.net domain. Making ES1
a member server would mean demoting the server and then promoting it again at a later point. This
does not make sense.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4:6
Question: 190
You are the network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. The network contains a Windows Server 2003 computer named
ExamSheets4 that functions as a mail server. ExamSheets4 is configured as a member server in
the domain. To improve service to users, ExamSheets launched a single sign-on initiative.
Currently, users need to authenticate to the mail server after they log on to the domain to send or
receive e-mail messages. You use IIS Manager to configure the properties for the Default SMTP
Virtual Server on ExamSheets4. You need to allow users to send e-mail messages without
explicitly logging on to ExamSheets4. You need to prevent unauthorized users from sending e-mail
messages.
What should you do?
To answer, configure the appropriate option or options in the dialog box.
Answer: Uncheck anonymous access, Check Integrated Windows Authentication
Explanation:
Integrated Windows Authentication
Select this option to enable the standard security mechanism that is provided with servers
running Windows Server.
This security feature makes it possible for businesses to provide secure logon services for their
customers. Virtual servers that already use Integrated Windows Authentication in an internal
system can benefit by using a single, common security mechanism.
Integrated Windows Authentication uses a cryptographic technique for authenticating users and
does not require the user to transmit actual passwords across the network.
Note: Using Integrated Windows Authentication requires a mail client that supports this
authentication method. Microsoft Outlook and Microsoft Outlook Express support Integrated
Windows Authentication.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 5:27
Question: 191
You are the administrator of ExamSheets’s network, which consists of a single Windows 2003
domain named ExamSheets.net. The network includes a stand-alone Windows 2003 Server
computer named RAS1, which runs Routing and Remote Access.
All employees use computers running Windows XP Professional to dial in to the network.
Your remote access policies permit members of the Domain Users group to dial in to RAS1
between 7:00 P.M. and 6:00 A.M. every day. To increase dial-up security, your company issues
smart cards to all employees.
You need to configure RAS1 and your remote access policies to support the use of the smart
cards for dial-up connections.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Create a remote access policy that requires users to authenticate by using EAP-TLS.
B. Create a remote access policy that requires users to authenticate by using MS-CHAP v2.
C. Create a remote access policy that requires users to authenticate by using the SPAP protocol.
D. Add RAS1 to the Windows 2000 domain.
E. Install the Internet Authentication Service (IAS) on RAS1.
F. Install Certificate Services on RAS1 and configure it to issue encryption certificates upon
request.
Answer: A, F
Explanation: Smart cards require certificates. To authenticate using certificates, the RRAS
server needs to be configured to use EAP-TLS. When configuring EAP-TLS, you can select the
smart card option. The RRAS server is a standalone server, so we’ll need to configure Certificate
Services on it to issue the certificates for the smart cards.
Incorrect Answers:
B: EAP-TLS is required for smart card authentication, not MS-CHAP v2.
C: EAP-TLS is required for smart card authentication, not SPAP.
D: The RRAS server does not need to be a member of the domain.
E: Internet Authentication Service (IAS) is Microsoft’s implementation of the RADIUS service.
This is used when you have multiple RRAS servers and require centralized authentication.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter,
Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide
& DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 591, 594-595
Question: 192
You are the network administrator for ExamSheets. ExamSheets’s Web site is hosted at a local
ISP. ExamSheets needs to move the Web site from the ISP to ExamSheets’s perimeter network.
The design team specifies that five servers will be needed to host the Web site. The five servers
must balance the network load of requests from the Internet. The Web site must remain available
in the event that up to three servers fail at the same time. Each server will have four processors
and 4 GB of RAM. Discussions with the design team and the Web developers reveal that the site
can be implemented by using either shared storage or local server storage.
You need to select the proper operating system to install on each server. You need to select the
proper Windows Server 2003 technology to provide fault tolerance. You need to select the lowest
edition of Windows Server 2003 that meets the requirements in order to minimize costs.
What should you do?
A. Install Windows Server 2003, Enterprise Edition on all five servers.
Connect all five servers to a shared fiber-attached disk array.
Configure the five servers as a server cluster.
Configure the cluster so that all five nodes are active.
B. Install Windows Server 2003, Enterprise Edition on all five servers.
Connect all five servers to a shared fiber-attached disk array.
Configure the five servers as a server cluster.
Configure the cluster so that three nodes are active and two nodes are hot standby nodes.
C. Install Windows Server 2003, Standard Edition on all five servers.
Connect all five servers by using Network Load Balancing.
D. Install Windows Server 2003, Web Edition on all five servers.
Connect all five servers by using Network Load Balancing.
Answer: C
Explanation:
The question states that you need to select the lowest edition of Windows Server 2003 that meets
the requirements in order to minimize costs. Windows 2003 Standard Edition supports up to 4
processors and 4 GB of RAM. If three servers fail, we will still have two servers serving the web
site.
Incorrect Answers:
A: The question states that you need to select the lowest edition of Windows Server 2003 that
meets the requirements in order to minimize costs. We can use Windows 2003 Standard Edition
with NLB.
B: The question states that you need to select the lowest edition of Windows Server 2003 that
meets the requirements in order to minimize costs. We can use Windows 2003 Standard Edition
with NLB.
D: Windows Server 2003, Web Edition only supports two-way symmetric multiprocessing (SMP) and 2
gigabytes (GB) of RAM.
Reference:
Overview of Windows Server 2003, Web Edition
http://www.microsoft.com/windowsserver2003/evaluation/overview/web.mspx
Overview of Windows Server 2003, Standard Edition
http://www.microsoft.com/windowsserver2003/evaluation/overview/standard.mspx
Introducing the Windows Server 2003 Family
http://www.microsoft.com/windowsserver2003/evaluation/overview/family.mspx
Question: 193
You are a network administrator for ExamSheets. You administer a file server named
ExamSheetsSrvC. The file server stores all data files on a logical volume.
You perform a full normal backup of the file server every Saturday. You perform a differential
backup of the file server each day on Sunday through Friday. You perform a copy backup of the
file server every Wednesday after the differential backup is complete. The copy backup is sent to
an off-site facility that requires two hours for tape delivery.
The logical volume fails on Friday morning.
You need to restore the data that was stored on the failed volume. You need to minimize the loss
of data and the time required to perform the restoration.
What should you do?
A. Restore the tapes from the copy backup that was performed on Wednesday and from the
differential backup that was performed on Thursday.
B. Restore the tapes from the normal backup that was performed on Saturday and from the
differential backup that was performed on Thursday.
C. Restore the tapes from the normal backup that was performed on Saturday and from the
differential backups that were performed on Monday through Thursday.
D. Restore the tapes from the normal backup that was performed on Saturday, from the copy
backup that was performed on Wednesday, and from the differential backup that was performed
on Thursday.
Answer: B
Explanation:
A copy backup copies all the files you select, but does not mark each file as having been backed
up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up
files between normal and incremental backups because copying does not affect these other
backup operations. A differential backup copies files that have been created or changed since the
last normal or incremental backup. It does not mark files as having been backed up (in other
words, the archive attribute is not cleared). If you are performing a combination of normal and
differential backups, restoring files and folders requires that you have the last normal as well as
the last differential backup. The logical volume fails on Friday morning. The most recent backup
of all the files was Wednesday’s copy backup. However, if we restored this, we would lose and
new or changed data between the copy backup and Friday morning. The correct answer is to
restore the normal backup that was performed on Saturday and the differential backup that was
performed on Thursday. This would ensure that the restored files will be up to date as of
Thursday.
Incorrect Answers:
A: This would work but the copy backup is offsite. It’s quicker to use Saturday’s full backup.
C: This is more than necessary. We only need the last differential backup with the full backup.
D: This is more than necessary. We only need the last differential backup with the full backup.
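To make the archive-bit reasoning above concrete, here is an added Python model (example code written for this page, not the study guide's material and not Windows Backup itself). It simulates how the four backup types treat the archive attribute over the week described in the question, then searches for the smallest tape set that reproduces the most recent backed-up state. The file names and the days on which they change are constructed sample data; the only cost attached to the Wednesday copy tape is its two-hour off-site delivery, which is the assumption behind preferring B over A.

```python
"""Archive-bit model of Windows Backup's backup types, used to pick a restore set.

Example code added for this page; it is not the exam guide's code or Windows
Backup's, and the week of file changes below is constructed sample data.
"""
from dataclasses import dataclass, field
from itertools import combinations

DAYS = ["Sat", "Sun", "Mon", "Tue", "Wed", "Thu", "Fri"]

# backup type -> (copies only files with the archive bit set, clears the bit afterwards)
BACKUP_TYPES = {
    "normal":       (False, True),
    "copy":         (False, False),
    "incremental":  (True,  True),
    "differential": (True,  False),
}


@dataclass
class Tape:
    day: int                      # index into DAYS
    kind: str
    offsite_hours: float = 0.0    # delivery delay if the tape is stored off-site
    contents: dict = field(default_factory=dict)   # filename -> version captured


class FileServer:
    """Tracks each file's current version (the day it was last written) and archive bit."""

    def __init__(self):
        self.versions = {}
        self.archive = {}

    def write(self, name, day):
        self.versions[name] = day
        self.archive[name] = True          # any write sets the archive attribute

    def run_backup(self, day, kind, offsite_hours=0.0):
        only_marked, clears_bit = BACKUP_TYPES[kind]
        tape = Tape(day, kind, offsite_hours)
        for name, version in self.versions.items():
            if only_marked and not self.archive[name]:
                continue                    # unchanged since the last normal/incremental
            tape.contents[name] = version
            if clears_bit:
                self.archive[name] = False
        return tape


def restore(tapes):
    """Restore tapes oldest first; a later tape overwrites versions from an earlier one."""
    state = {}
    for tape in sorted(tapes, key=lambda t: t.day):
        state.update(tape.contents)
    return state


def find_tape(tapes, day_name, kind):
    return next(t for t in tapes if DAYS[t.day] == day_name and t.kind == kind)


def best_restore_plan(tapes):
    """Cheapest tape set (least off-site delay, then fewest tapes) that reproduces
    everything the full set of tapes could restore."""
    wanted = restore(tapes)
    best = None
    for n in range(1, len(tapes) + 1):
        for combo in combinations(tapes, n):
            if restore(combo) != wanted:
                continue
            cost = (sum(t.offsite_hours for t in combo), n)
            if best is None or cost < best[0]:
                best = (cost, combo)
    return [(DAYS[t.day], t.kind) for t in best[1]]


def examsheets_week():
    """The schedule from the question: normal Saturday, differential Sunday-Friday,
    copy Wednesday (sent off-site, 2 h delivery); the volume fails Friday morning."""
    server = FileServer()
    for name in ("plan.doc", "ledger.xls", "notes.txt"):
        server.write(name, 0)              # constructed: files present before Saturday's backup
    tapes = [server.run_backup(0, "normal")]
    changes = {2: ["ledger.xls"], 3: ["notes.txt"], 4: ["memo.doc"], 5: ["notes.txt"]}
    for day in range(1, 6):                # Sun .. Thu; Friday's backup never runs
        for name in changes.get(day, []):
            server.write(name, day)
        tapes.append(server.run_backup(day, "differential"))
        if DAYS[day] == "Wed":
            tapes.append(server.run_backup(day, "copy", offsite_hours=2.0))
    return tapes


if __name__ == "__main__":
    week = examsheets_week()
    print(best_restore_plan(week))         # [('Sat', 'normal'), ('Thu', 'differential')]
```

Because the copy backup does not clear archive bits, Thursday's differential still contains every change since Saturday, so the Wednesday copy plus Thursday differential (option A) reproduces the same state; the search rejects it only because of the delivery delay, and it rejects C and D because they restore more tapes than needed for the same result.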
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, pp. 596-597
Question: 194
You are a network administrator for ExamSheets. You install Windows Server 2003 on a server
named ExamSheetsA. You install a production application on ExamSheetsA. You create a
shared folder named ProdData on ExamSheetsA to support the needs of the production
application. All critical data files for the application are stored in the ProdData shared folder on
ExamSheetsA.
You install Windows Server 2003 in another server named ExamSheetsB. You create a shared
folder on ExamSheetsB named ProdDataBackup.
The production application keeps many data files open. All the files in the ProdData folder must
be backed up during each shift change. You are not allowed to stop and restart the production
application without special approval.
You need to provide a backup solution for the critical files in the ProdData on ExamSheetsA. Your
solution must not affect the production application.
What should you do?
A. On ExamSheetsA, use the Backup or Restore Wizard to select the ProdData folder.
Type \\ExamSheetsB\ProdDataBackUp for the backup destination, and use the advanced backup
options to select the Disable volume shadow copy check box.
B. On ExamSheetsB, use the Backup or Restore Wizard to select the ProdData folder.
Type \\ExamSheetsA\ProdData for the backup destination, and use the advanced backup
options to select the Disable volume shadow copy check box.
C. On ExamSheetsA, use the Backup or Restore Wizard to select the ProdData folder.
Type \\ExamSheetsB\ProdDataBackUp for the backup destination.
D. On ExamSheetsA, use the Backup or Restore Wizard to select the ProdData folder.
Type \\ExamSheetsA\ProdData for the backup destination.
Answer: C
Explanation: To back up open files, the backup needs to be configured to use Shadow Copies.
This is the default behaviour for the Windows Server 2003 backup program. Therefore, we just
need to configure the backup program to back up the files to \\ExamSheetsB\ProdDataBackUp.
Incorrect Answers:
A: We need to use Shadow Copies. This is enabled by default. We should not select the Disable
volume shadow copy check box.
B: We need to use Shadow Copies. This is enabled by default. We should not select the Disable
volume shadow copy check box.
D: \\ExamSheetsA\ProdData is the wrong backup destination.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, p. 602
Question: 195
You are a network administrator for ExamSheets. All client computers run Windows XP
Professional.
You administer a Windows Server 2003 file server named ExamSheetsSrvC. ExamSheetsSrvC
contains two volumes configured as drive G and drive H. Shared folders for the accounting
department are stored on drive G. Shared folders for the marketing department are stored on
drive G and on drive H. Drive H has sufficient space to store all of the shared folders with 400 GB
of free space.
The design team specifies the following requirements for the files in the marketing shared folders
on ExamSheetsSrvC:
• The files must be backed up, even if they are open.
• Backups can be performed during business hours, if required.
• Users must be able to restore the files.
You need to create a plan that will allow the backup and recovery of folders and files in
accordance with the requirements. You need to minimize data loss.
Which two actions should you take? (Each correct answer presents part of the solution. Choose
two)
A. Customize all shared folders by using the Documents template.
B. Place all marketing shared folders on drive H.
Enable Shadow Copies of Shared Folders on the volume.
C. Configure all backups by selecting the Disable volume shadow copy check box.
D. Install the Previous Versions client software on all marketing client computers.
E. Assign all users the Allow – Full Control NTFS permissions for the marketing shared folders.
Answer: B, D
Explanation: The question states that drive H has sufficient space to hold all the files, and will
have enough space left over to hold shadow copies of the files. The client computers will need
the previous versions client software to access the previous versions of the files.
Deploying the client software for shadow copies.
The client software for Shadow Copies of Shared Folders is installed on the server in the
\\%systemroot%\system32\clients\twclient directory.
You can distribute the client software in a variety of ways; consider the various options before
deployment. There are several tools included in the Windows Server 2003 family, such as Group
Policy, that can make deploying and maintaining the client software easier.
Recover files that were accidentally deleted.
If you accidentally delete a file, you can open a previous version and copy it to a safe location.
Recover from accidentally overwriting a file.
If you accidentally overwrite a file, you can recover a previous version of the file.
Compare versions of a file while working.
You can use previous versions when you want to check what has changed between two versions
of a file.
Incorrect Answers:
A: This is not necessary.
C: This option should be enabled, not disabled, in order to back up the open files.
E: It is not necessary to change the permissions on the marketing shared folders.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, p. 602
Question: 196
You are a network administrator for ExamSheets. All client computers on the network run
Windows XP Professional.
You administer a Windows Server 2003 file server named ExamSheetsB. On ExamSheetsB, you
create a shared folder named SharedDocs. SharedDocs contains data files. All client computers
connect to the shared folder by using a mapped drive connected to \\ExamSheetsB\SharedDocs.
ExamSheetsB is configured to support volume shadow copies. You install the Previous Versions
client software on all client computers.
You perform a full normal backup of ExamSheetsB every day, seven days per week.
You need to document the recovery process to be used if a user accidentally deletes a file from
SharedDocs. The process must allow you to recover the file as quickly as possible and to
minimize data loss.
Which process should you use?
A. On ExamSheetsB, restore the file from the normal backup that was performed on the day
before the file was deleted.
Use the advanced restore options to select the Replace existing files check box.
B. On ExamSheetsB, restore the file from the normal backup that was performed on the day
before the file was deleted.
Use the advanced restore options to select the Preserve existing volume mount points check
box.
C. Run the volume shadow copy command-line tool to list all shadow copies.
Instruct the user to open the mapped drive and use the folder view options to expose hidden files.
D. Instruct the user to open the mapped drive and navigate to the folder from which the file was
deleted. In the properties for the shared folder, select the Previous Versions tab.
View the most recent version and navigate until the file is located.
Restore the file by copying it to its new location.
Answer: D
Explanation:
Although shadow copies are taken for an entire volume, users must use shared folders to access
shadow copies. Administrators on the local server must also specify the \\servername\sharename
path to access shadow copies. If you or your users want to access a previous version of a file that
does not reside in a shared folder, you must first share the folder.
Note: This will only work if the deleted file was in a subfolder in the shared folder.
You can give users access to previous versions of files by enabling shadow copies, which provide
point-in-time copies of files stored on file servers running Windows Server 2003. By enabling
shadow copies, you can reduce the administrative burden of restoring previously backed up files
for users who accidentally delete or overwrite important files. Shadow copies work for both open
and closed files; therefore, shadow copies can be taken even when files are in use.
Shadow copies work by making a block-level copy of any changes that have occurred to files
since the last shadow copy. Only the changes are copied, not the entire file. As a result, previous
versions of files do not usually take up as much disk space as the current file, although the
amount of disk space used for changes can vary depending on the application that changed the
file. For example, some applications rewrite the entire file when a change is made, whereas other
applications append changes to the existing file. If the entire file is rewritten to disk, the shadow
copy contains the entire file. Therefore, consider the type of applications in your organization, as
well as the frequency and number of updates, when you determine how much disk space to
allocate for shadow copies.
Incorrect answers:
A: This option does not represent the quickest way to locate and restore an accidentally deleted
file.
B: Restoring the file from a normal backup is not the quickest way to locate and restore the file if
it was deleted. Since ExamSheetsB is configured to support volume shadow copies, it would be
quicker to locate and restore the deleted file from a shadow copy.
C: Listing all the shadow copies as suggested in this option does not represent the quickest way
to recover a file; it would be quicker to navigate amongst the most recent versions of shadow
copies. This option also does not state anything regarding actually restoring the file. It stops after
locating the file.
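Questions 195 and 196 both turn on how Shadow Copies of Shared Folders store previous versions. The following Python is an added example for this page (not Microsoft's VSS implementation): a toy copy-on-write volume in which taking a snapshot costs nothing until a block is written, only the overwritten blocks are saved, a whole-file rewrite therefore copies the whole file, and a deleted file can still be read from a snapshot and copied to a new location, which is what the Previous Versions tab does in option D above. The block size, file contents and snapshot timing are constructed sample values.

```python
"""Toy copy-on-write model of Shadow Copies of Shared Folders (Previous Versions).

Example code added for this page, not Microsoft's VSS; block size, file contents
and snapshot timing below are constructed sample values.
"""
BLOCK = 4  # toy block size in bytes; real shadow copies track much larger blocks


class Volume:
    def __init__(self, nblocks):
        self.live = [bytes(BLOCK)] * nblocks  # current on-disk contents of each block
        self.files = {}                        # name -> [first_block, capacity_blocks, length]
        self.next_free = 0
        self.snapshots = []                    # each: {"blocks": {idx: saved bytes}, "files": {...}}

    # ---- file operations ----------------------------------------------------
    def create(self, name, data, capacity_blocks):
        self.files[name] = [self.next_free, capacity_blocks, 0]
        self.next_free += capacity_blocks
        self.overwrite(name, data)

    def overwrite(self, name, data):
        """Rewrite the whole file, as many applications do on every save."""
        self._write(name, 0, data)
        self.files[name][2] = len(data)

    def append(self, name, data):
        """Append to the file: only the blocks at the tail are written."""
        length = self.files[name][2]
        self._write(name, length, data)
        self.files[name][2] = length + len(data)

    def delete(self, name):
        del self.files[name]   # the blocks stay on disk; this toy never reuses them

    def _write(self, name, offset, data):
        first, capacity, _ = self.files[name]
        assert offset + len(data) <= capacity * BLOCK, "toy model: fixed allocation"
        lo, hi = offset // BLOCK, -(-(offset + len(data)) // BLOCK)  # blocks touched
        for b in range(lo, hi):
            idx = first + b
            # copy-on-write: each snapshot that has not yet preserved this block saves
            # the pre-write contents, i.e. the block as it stood when the snapshot was taken
            for snap in self.snapshots:
                snap["blocks"].setdefault(idx, self.live[idx])
            buf = bytearray(self.live[idx])
            for j in range(BLOCK):
                pos = b * BLOCK + j - offset   # index into `data` for this byte, if any
                if 0 <= pos < len(data):
                    buf[j] = data[pos]
            self.live[idx] = bytes(buf)

    # ---- shadow copy operations -------------------------------------------
    def snapshot(self):
        """A point-in-time copy: free until blocks are written afterwards."""
        self.snapshots.append({"blocks": {},
                               "files": {n: list(f) for n, f in self.files.items()}})
        return len(self.snapshots) - 1

    def diff_area_bytes(self, snap_id):
        return len(self.snapshots[snap_id]["blocks"]) * BLOCK

    def read(self, name, snap_id=None):
        """Current contents, or the previous version as seen by a snapshot."""
        if snap_id is None:
            table, blocks = self.files, self.live
        else:
            snap = self.snapshots[snap_id]
            table = snap["files"]
            blocks = [snap["blocks"].get(i, self.live[i]) for i in range(len(self.live))]
        first, capacity, length = table[name]
        return b"".join(blocks[first + i] for i in range(capacity))[:length]

    def restore_previous(self, name, snap_id, new_name):
        """What the Previous Versions tab does: copy the old version to a new location."""
        data = self.read(name, snap_id)
        self.create(new_name, data, self.snapshots[snap_id]["files"][name][1])
        return data


def demo():
    vol = Volume(nblocks=32)
    vol.create("report.txt", b"0123456789ABCDEF", capacity_blocks=8)   # 16 bytes = 4 blocks
    s0 = vol.snapshot()
    vol.append("report.txt", b"GHIJ")                 # one new block written
    after_append = vol.diff_area_bytes(s0)            # 4: only that block was saved
    s1 = vol.snapshot()
    vol.overwrite("report.txt", b"0123456789ABCDEFGHIX")   # one byte changed, but a full rewrite
    after_rewrite = (vol.diff_area_bytes(s0), vol.diff_area_bytes(s1))  # (20, 20): whole file
    vol.delete("report.txt")                          # the accident from question 196
    recovered = vol.restore_previous("report.txt", s1, "report (restored).txt")
    return {"after_append": after_append, "after_rewrite": after_rewrite,
            "version_at_s0": vol.read("report.txt", s0), "recovered": recovered}
```

Running demo() shows the diff area growing by one block after an append but by the file's full size after a save that rewrites every block, which is the sizing caveat the explanation ends with; the deleted file is still readable through the snapshot's own file table, so it can be copied out without touching the nightly backup tapes.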
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, pp. 599-602
Question: 197
You are the network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. All domain controllers and servers run Windows Server 2003.
Client computers in the human resources department run Windows XP Professional. Employees
in the human resources department use the human resources client computers to transmit
confidential data to the file servers.
The network also contains kiosk computers. The kiosk computers are used by temporary
employees to transmit data to file servers. The kiosk computers run Windows XP Professional.
ExamSheets’s written security policy requires that all data transmissions from the kiosk
computers must be able to be monitored by using a protocol analyzer.
You need to ensure that the confidential data transmissions to and from the human resources
client computers remain confidential. You also need to ensure that you can detect any alterations
in the data transmissions made by any computer. You need to comply with the written security
policy. What should you do?
A. Use IPSec encryption on both the human resources client computers and the kiosk computers.
B. Use IPSec encryption on the human resources client computers and IPSec integrity on the
kiosk computers.
C. Use IPSec integrity on the human resources client computers and IPSec encryption on the
kiosk computers.
D. Use IPSec integrity on both the human resources client computers and the kiosk computers.
Answer: B
Explanation:
We want to be able to monitor IPSec traffic. We cannot use ESP because it encrypts the IP header. If you
need to diagnose ESP software-encrypted communication, you must disable ESP encryption and
use ESP-null encryption by changing the IPSec policy on both computers.
We need to use AH so that we can monitor network traffic and preserve the integrity of
messages. If you need to provide both integrity and encryption for data confidentiality, select
the Data integrity and encryption (ESP) check box. Then under Integrity algorithm, click None (for
no data integrity; if you have AH enabled and for increased performance, you can choose this),
MD5, or SHA1. Under Encryption algorithm, choose None, DES, or 3DES.
Using both AH and ESP is the only way to both protect the IP header and encrypt the data.
However, this level of protection is rarely used because of the increased overhead that AH would
incur for packets that are already adequately protected by ESP. ESP protects everything but the
IP header, and modifying the IP header does not provide a valuable target for attackers.
Generally, the only valuable information in the header is the addresses, and these cannot be
spoofed effectively because ESP guarantees data origin authentication for the packets.
Incorrect answers:
A: Making use of IPSec encryption alone is not enough to comply with the company's written security
policy.
C: For all data transmissions from the kiosk computers to be monitored by using a protocol
analyzer, IPSec integrity and IPSec encryption must be applied the other way round from what
this option suggests.
D: Making use of IPSec integrity on both the human resources client computers and the kiosk
computers will not comply with the company's written security policy.
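The two IPSec modes the explanation contrasts can be modelled in a few dozen lines. The Python below is an added example (not the study guide's material and not Windows IPSec code): it builds a simplified AH packet, whose integrity check value covers the IP header and the payload, and a simplified ESP packet, whose ICV covers only the ESP header and the encrypted payload, and then shows what a passive protocol analyzer can read and which in-transit modifications each mode detects. The IP header bytes, keys and payload are constructed sample values; the stream cipher is a toy HMAC counter-mode construction standing in for DES/3DES, and AH's exclusion of mutable header fields (TTL, checksum) from the ICV is omitted.

```python
"""AH versus ESP: what an analyzer sees and what integrity protection covers.

Added example for this page, not the study guide's code and not Windows IPSec.
Keys, IP header and payload are constructed sample values.
"""
import hashlib
import hmac

IP_HDR_LEN, ICV_LEN, ESP_HDR_LEN = 20, 12, 8


def _icv(key, data):
    """HMAC-SHA1 truncated to 96 bits, as AH and ESP do for their ICV."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def _toy_cipher(key, seq, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for DES/3DES.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = seq.to_bytes(4, "big") + i.to_bytes(4, "big")
        block = hmac.new(key, ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# --- AH: integrity over IP header + payload; the payload travels in the clear ----
def ah_protect(auth_key, ip_header, payload):
    # simplification: real AH skips mutable header fields (TTL, checksum) in the ICV
    return ip_header + _icv(auth_key, ip_header + payload) + payload


def ah_verify(auth_key, packet):
    ip_header = packet[:IP_HDR_LEN]
    icv = packet[IP_HDR_LEN:IP_HDR_LEN + ICV_LEN]
    payload = packet[IP_HDR_LEN + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(auth_key, ip_header + payload))


# --- ESP: encrypt the payload; integrity over ESP header + ciphertext, not the IP header
def esp_protect(auth_key, enc_key, ip_header, payload, spi, seq):
    esp_header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    ciphertext = _toy_cipher(enc_key, seq, payload)
    return ip_header + esp_header + ciphertext + _icv(auth_key, esp_header + ciphertext)


def esp_open(auth_key, enc_key, packet):
    """Return the plaintext, or None if the ICV check fails."""
    esp_header = packet[IP_HDR_LEN:IP_HDR_LEN + ESP_HDR_LEN]
    ciphertext = packet[IP_HDR_LEN + ESP_HDR_LEN:-ICV_LEN]
    if not hmac.compare_digest(packet[-ICV_LEN:], _icv(auth_key, esp_header + ciphertext)):
        return None
    seq = int.from_bytes(esp_header[4:], "big")
    return _toy_cipher(enc_key, seq, ciphertext)


def analyzer_payload(packet, mode):
    """The bytes a passive protocol analyzer captures in the payload position."""
    if mode == "ah":
        return packet[IP_HDR_LEN + ICV_LEN:]
    return packet[IP_HDR_LEN + ESP_HDR_LEN:-ICV_LEN]


def flip_byte(packet, index):
    """Simulate an in-transit modification of one byte."""
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]


def demo():
    auth_key, enc_key = b"constructed-auth-key", b"constructed-enc-key"
    ip_header = bytes.fromhex("4500003c1c4640004006b1e6c0a80002c0a80003")  # constructed IPv4 header
    payload = b"HR record: employee 1234, salary 50000"            # constructed confidential data
    ah = ah_protect(auth_key, ip_header, payload)
    esp = esp_protect(auth_key, enc_key, ip_header, payload, spi=0x1001, seq=1)
    ttl = 8                                                  # offset of the TTL field in the header
    first_ct = IP_HDR_LEN + ESP_HDR_LEN                      # offset of the first ciphertext byte
    return {
        "ah_analyzer_sees_payload": payload in analyzer_payload(ah, "ah"),
        "esp_analyzer_sees_payload": payload in analyzer_payload(esp, "esp"),
        "esp_decrypts_ok": esp_open(auth_key, enc_key, esp) == payload,
        "ah_detects_payload_change": not ah_verify(auth_key, flip_byte(ah, len(ah) - 1)),
        "esp_detects_payload_change": esp_open(auth_key, enc_key, flip_byte(esp, first_ct)) is None,
        "ah_detects_header_change": not ah_verify(auth_key, flip_byte(ah, ttl)),
        "esp_ignores_header_change": esp_open(auth_key, enc_key, flip_byte(esp, ttl)) == payload,
    }
```

The result dictionary maps directly onto the question: the kiosk traffic under AH stays readable to the analyzer while any payload or header tampering is detected, and the human resources traffic under ESP is unreadable to the analyzer and still tamper-evident for the payload, with only the unprotected IP header left outside the integrity check, as the explanation notes.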
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, p. 735
Question: 198
You are the network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. All servers run Windows Server 2003. One of the domain
controllers is configured as an enterprise root certification authority (CA). All client computers run
Windows XP Professional.
ExamSheets uses IPSec to secure communications between computers in ExamSheets and
computers at other companies. These IPSec connections require computer certificates. Your
IPSec policies require every computer to be able to make an IPSec connection when connecting
to other computers. You need to configure the network so that all computers can make IPSec
connections. What should you do?
A. In the computer settings section of the Default Domain Policy Group Policy object (GPO),
configure the domain members to always digitally encrypt or sign secure channel data.
B. Create a new automatic certificate request in the computer settings section of the Default
Domain Policy Group Policy object (GPO).
C. Obtain a new computer certificate from a public CA. Import a copy of this certificate into the
Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object
(GPO).
D. Issue a new computer certificate from your enterprise CA. Place a copy of this certificate on an
Internal Web page. Instruct users to install this certificate in their trusted certificate store the
first time they need to make an IPSec connection.
Answer: D
Explanation:
Enterprise CAs are integrated into the Active Directory directory service. They use certificate
templates, publish their certificates and CRLs to Active Directory, and use the information in the
Active Directory database to approve or deny certificate enrollment requests automatically.
Because the clients of an enterprise CA must have access to Active Directory to receive
certificates, enterprise CAs are not suitable for issuing certificates to clients outside the
enterprise. Enterprise CAs require and use Active Directory to issue certificates, often
automatically. An IPSec connection comprises two modes: Main mode and Quick mode.
Main Mode is the first part of an IPSec connection. In Main Mode, each computer authenticates to
the other and then IKE is used to calculate the master key. All other keys are generated from the
master key. An IKE security association (SA) is created over which Quick Mode can be
negotiated. Quick Mode is the second phase of IPSec. In Quick Mode, agreement is reached for
the encryption, integrity algorithms, and other policy settings. Two SAs are created, one incoming
and one outgoing.
Incorrect answers:
A: Always digitally encrypting or signing secure channel data does not necessarily ensure the
ability to make IPSec connections.
B: An automatic certificate request in the computer settings section of the Default Domain GPO is
not the solution.
C: Obtaining a new certificate from a public CA is not going to ensure that all computers will have
the ability to make IPSec connections. What is needed is to have a new computer certificate
issued from your enterprise CA which should be installed on users’ trusted certificate store.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 11: 88
James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE: Windows Server 2003 Network
Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda,
2004, p. 11: 15
Question: 199
You are the systems engineer for ExamSheets.
The network consists of a single Active Directory domain named ExamSheets.net.
All servers on the network run Windows Server 2003. All client computers run either Windows XP
Professional or Windows 2000 Professional.
All servers that are not domain controllers are located in an organizational unit (OU) named
Servers. All client computers used by administrative personnel are located in an OU named
AdminDesktops. Both the Domain Controllers OU and the Servers OU have the Server (Request
Security) IPsec policy applied. The AdminDesktops OU has the Client (Respond Only) IPSec
policy applied. You implement remote administration for all servers on the network. All servers
are configured to allow Remote Desktop connections for administration. The company’s written
security policy requires that the highest security levels possible must be enforced during remote
administration of the servers. The Terminal Services encryption settings are set to High in the
Default Group Policy object (GPO).
Administrators who use Windows 2000 Professional computers soon report that they cannot
establish Remote Desktop connections to the servers. Administrators can successfully establish
network connections to shared resources on the servers. Administrators who use Windows XP
Professional computers do not experience the same problem.
You verify that the servers to which the administrators are attempting to connect are online and
have Remote Desktop connections enabled. You also verify that the maximum number of remote
connections has not been exceeded on any server.
You need to ensure that all administrators can establish Remote Desktop connections to the
servers regardless of which operating system is running on their client computers.
What should you do?
A. In the properties for the Remote Desktop Protocol (RDP) connection on each server, set the
encryption level to FIPS Compliant.
B. Deploy the Remote Desktop Protocol (RDP) 5.2 client software to the AdminDesktops OU.
C. On each server, use Terminal Services Manager to configure the servers to use standard
Windows authentication.
D. Configure the Terminal Services permission compatibility to Relaxed Security.
Answer: B
Explanation:
Computers running earlier versions of Microsoft Windows, including Windows 2000 Server,
Windows 2000 Professional, Windows NT 4.0, Windows 98, and Windows 95, cannot connect to
Windows Server 2003 Terminal Services if they are using the old Terminal Server client. These
clients cannot connect because the server is using full security. Installing the new version of the
client allows older Windows platforms to remotely connect to a computer running Windows XP
Professional with Remote Desktop enabled.
In Windows Server 2003 you do not need to install Terminal Server. Instead, you can use
Remote Desktop for Administration (formerly Terminal Services in Remote Administration mode),
which is installed by default on computers running one of the Windows Server 2003 operating
systems. After you enable remote connections, Remote Desktop for Administration allows you to
remotely manage servers from any client over a LAN, WAN, or dial-up connection. Up to two
remote sessions, plus the console session, can be accessed at the same time, without requiring
Terminal Server Licensing.
Incorrect Answers
A. If this setting is enabled, the security channel provider of the operating system is forced to use
only the following security algorithms: TLS_RSA_WITH_3DES_EDE_CBC_SHA. This behavior
forces the security channel provider to negotiate only the stronger Transport Layer Security (TLS)
1.0.
C. Specifies whether the connection defaults to the standard Windows authentication when
another authentication package has been installed on the server.
D. Relaxed security enables you to run programs that otherwise might not work at all in the more
rigorous Full security mode. However, in Relaxed security mode (also known as Windows NT
4.0/Terminal Server Edition permissions compatibility mode), any user on the system can change
files and registry settings in many places throughout the system, although other users' data files
might not be visible. A malicious user could exploit this situation by replacing a known and trusted
program with a program of the same name but some harmful intent. If the operating system on
your terminal server was installed using the Upgrade method, the security mode might be set to
Relaxed security. The question asks to provide the highest level of security.
References:
http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, p. 11: 30
Question: 200
You are a system engineer for ExamSheets. The network consists of four Active Directory
domains. All servers on the network run Windows Server 2003. The Windows Server 2003
computers are distributed among three offices. All servers support out-of-band management by
means of serial connections to terminal concentrators in each office’s data center. Each office
maintains its own separate connection to the Internet.
The company adopts a new written security policy, which includes the following requirements:
• Physical access to all servers is restricted to authorized personnel and only for the purpose of
installing or maintaining hardware.
• All in-band remote administration connections must be authenticated by the Kerberos version 5
protocol.
• Administrators in each office must be able to access their servers for remote administration or
troubleshooting even when the operating system is not running or experiences a Stop error.
• Services or programs that are not essential for remote administration or server operation must
not be installed on any computer.
You need to plan a remote administration strategy for the network that complies with the new
policy. You are not responsible for permissions management in the domains.
Which two actions should you take? (Each correct answer presents part of the solution. Choose
two)
A. Configure each server to accept Remote Desktop connections.
B. On each server, enable the Telnet service with a startup parameter of Automatic.
C. Install Terminal Services on each server.
D. On each server, enable Emergency Management Services.
E. Install IIS on each server.
Select the Remote Administration (HTML) check box in the properties for the World Wide Web
Service.
Answer: A, D
Explanation:
Emergency Management Services is a new feature in Windows Server 2003 that permits you to
perform remote management and system recovery tasks when the server is not available by
using the standard remote administration tools and mechanisms. Emergency Management
Services provides alternative access to a server when the server is not accessible through the
standard connection methods, typically a network.
With Emergency Management Services, combined with the appropriate hardware, you can
perform remote management and system recovery tasks, even when the server is not available
through the standard remote administration tools and mechanisms.
To manage a server from a remote computer when the server is not available on the network, you
must enable Emergency Management Services. Emergency Management Services is a Windows
Server 2003 service that runs on the managed server. This service is not enabled by default
when you install the Windows Server 2003 operating system, but you can enable it during
installation or at any later time. Emergency Management Services features are available when
the Windows Server 2003 loader or kernel is at least partially running. You can access all
Emergency Management Services output by using terminal emulator software that supports
VT100, VT100+, or VT-UTF8 protocols on the management computer, although VT-UTF8
is the preferred protocol. For more information about terminal emulator software and the
supported protocols
Management Software for Out-of-Band Connections
Typically, you use terminal emulation software on the management computer to connect to and
communicate with a server through an out-of-band connection. The two most common methods
are the following:
• Use Telnet — or a secure alternative such as SSH — to connect to a terminal concentrator
through an in-band connection, which then connects to the server through an out-of-band
connection.
• Use HyperTerminal to connect directly to the server.
Remote Administration using Terminal Services
In Microsoft® Windows® Server 2003 family operating systems, Terminal Services technology is
the basis for several features that enable you to connect to remote computers and perform
administrative tasks.
• Remote Desktop for Administration (formerly known as Terminal Services in Remote
Administration mode) provides remote server management capabilities for Windows Server 2003
family operating systems. Using this feature, you can administer a server from virtually any
computer on your network. No license is required for up to two simultaneous remote connections
in addition to the server console session. A corresponding desktop version of Remote Desktop for
Administration is available on Microsoft® Windows® XP Professional, and is called Remote
Desktop.
• The Remote Desktops MMC snap-in allows you to create remote connections to the console
session of multiple terminal servers, as well as computers running Windows 2000 or Windows
Server 2003 family operating systems.
Remote Desktop Connection, available on Windows Server 2003 family operating systems as
well as on Microsoft® Windows® XP operating systems, enables you to log on to a remote
computer and perform administrative tasks, even from a client computer that is running an earlier
version of Windows.
References:
MS Knowledge Base article 815273
HOW TO: Perform an Unattended Emergency Management Services Installation of Windows
Server 2003
MS Windows Server 2003 Planning Server Deployments
Emergency Management Services
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8: 13
Question: 201
You are a network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. The network contains two Windows Server 2003
domain controllers. All servers run Windows Server 2003, and all client computers run Windows
XP Professional.
You install a wireless network. You discover that the coverage for the executive offices is very
poor. You need to improve wireless coverage for the executive team in their office area.
The design team specifies the following requirements for the executive team:
• Executives must be able to access the wireless network in all locations in the building, including
their offices.
• Non-executive employees may use wireless access points in the executive office area only if
other access points are unavailable.
You need to develop a plan to improve the coverage in the executive offices. You need to
implement your plan by using the minimum amount of administrative effort.
What should you do?
A. Use the Connection Manager Administration Kit (CMAK) wizard to create new service profiles.
One profile will be used for executives only.
Send an e-mail message that contains the proper profiles to the proper users.
B. Use the Windows Management Instrumentation command-line tool with the NIC and the
NICCONFIG aliases.
C. Install new access points for the executive team with a new dedicated service set identifier
(SSID). Use wireless network policies to control use of the SSIDs on the wireless network.
D. Install new access points for the executive team with a new dedicated service set identifier
(SSID). Use wireless network policies to control access for ad hoc networks.
Answer: C
Explanation:
The network name (SSID) identifies a particular wireless network. Under the IEEE 802.11
standard, the network name is also known as the Service Set Identifier (SSID); the standard
defines the SSID so that different wireless networks can be distinguished from one another. The
SSID can be considered the identity element that “glues” the various components of a wireless
local area network (LAN) together. Traffic from wireless clients that use one SSID can be
distinguished from wireless traffic that uses a different SSID, so an AP can determine which traffic
is meant for it and which is meant for other wireless networks.
We will need to set up two different network names (SSIDs), one for users and one for
executives. We can also simplify the deployment and administration of the wireless networks by
using Group Policy to centrally create, modify, and assign wireless network policies for Active
Directory clients. Installing new access points with a new dedicated SSID for the executive team,
and using wireless network policies to control the use of the SSIDs on the wireless network,
therefore involves the least administrative effort.
Incorrect answers:
A: This option requires far more administrative effort than is necessary.
B: There is no need to use the WMI command line when all that is necessary is to install new
access points with new SSIDs and use a wireless network policy to control their use.
D: The wireless network policies should control the use of SSIDs on the wireless network, not
access for ad hoc networks.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, pp. 801-802
Question: 202
You are the network administrator for ExamSheets. All servers run Windows Server 2003. All
client computers run Windows XP Professional. All computers are connected to the network by
using a wireless access point.
You configure a certification authority (CA). You require certificate-based IEEE 802.1x
authentication on the wireless access point.
You need to enable all computers to communicate on the wireless network.
What are two possible ways to achieve this goal? (Each correct answer presents a complete
solution. Choose two)
A. Enter a 128-bit Wired Equivalent Privacy (WEP) key on the wireless access point and on the
computers.
B. In the Wireless Network Connection properties on each computer, select the The key is
provided for me automatically check box.
C. Temporarily connect each computer to an available Ethernet port on the wireless access point
and install a computer certificate.
D. Install a computer certificate on each computer by using a floppy disk.
Answer: C, D
Question: 203
You are the network administrator for ExamSheets. The network consists of a single Active
Directory domain named ExamSheets.net. All servers run Windows Server 2003. All client
computers run Windows XP Professional.
The users in the accounting department use their client computers to access confidential files
over the network. The files must not be altered by unauthorized users as the files traverse the
network.
You need to secure the data transmissions to and from client computers in the accounting
department. You also need to be able to monitor the traffic on the network and report to IT
management the percentage of bandwidth used for each protocol.
What should you do?
A. Use IPSec encryption.
B. Use Server Message Block (SMB) signing.
C. Use NTLMv2 authentication.
D. Use the Kerberos version 5 authentication protocol.
Answer: B
Explanation:
Server Message Block (SMB) signing determines whether the computer always digitally signs
client communications. The Windows 2000 Server, Windows 2000 Professional, and Windows
XP Professional authentication protocol Server Message Block (SMB) supports mutual
authentication, which closes a "man-in-the-middle" attack, and supports message authentication,
which prevents active message attacks. SMB signing provides this authentication by placing a
digital signature in each SMB, which is then verified by both the client and the server.
We can’t use IPSec “encryption” because this uses ESP to encrypt the IP header. If we use
IPSec encryption, we won’t be able to monitor the traffic. We could use IPSec “integrity” but that
isn’t listed as an option. Instead, we should use Server Message Block (SMB) signing.
Incorrect answers:
A: IPSec makes use of ESP and AH. ESP encrypts the IP header, so we cannot make use of
IPSec, because monitoring would then not be possible.
C, D: Highly secure templates shut down NTLM communication as well as Kerberos
communication. There would thus not be anything to monitor.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13: 59
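The point of this question is that signing gives integrity without hiding the data: a modified message is rejected, yet a monitor can still attribute bytes to protocols. The following added example (not from the exam guide or from Microsoft) models that with a generic HMAC-SHA256 tag; real SMB1 signing uses an MD5 digest over the session key and packet, and the session key, frame headers and traffic sample here are all constructed for the illustration.

```python
import hmac
import hashlib
from collections import Counter
from typing import Dict, List, Optional

# Constructed session key. In SMB the signing key is derived during
# authentication; this value is only a stand-in for the example.
SESSION_KEY = b"constructed-session-key-for-the-example"
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def sign_message(session_key: bytes, message: bytes) -> bytes:
    """Return message || tag, where tag is HMAC-SHA256 over the message.

    Constructed scheme: SMB1 signing uses an MD5 digest over the session
    key and the packet, but the property shown is the same: the body stays
    readable and any change to it invalidates the tag.
    """
    tag = hmac.new(session_key, message, hashlib.sha256).digest()
    return message + tag


def verify_message(session_key: bytes, signed: bytes) -> Optional[bytes]:
    """Return the message if its tag verifies, None if it was altered."""
    if len(signed) < TAG_LEN:
        return None
    message, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(session_key, message, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking where the tags differ.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def bandwidth_share(frames: List[bytes]) -> Dict[str, float]:
    """Monitor view: attribute each frame's bytes to the protocol named in
    its constructed 4-byte header and return the percentage per protocol.
    Signed frames keep the header in the clear; encrypted frames would not.
    """
    totals: Counter = Counter()
    for frame in frames:
        proto = frame[:4].decode("ascii", errors="replace").strip()
        totals[proto] += len(frame)
    grand = sum(totals.values())
    return {proto: round(100 * n / grand, 1) for proto, n in totals.items()}


def tamper(signed: bytes, offset: int) -> bytes:
    """Flip one bit of a signed frame, as an on-path modification would."""
    altered = bytearray(signed)
    altered[offset] ^= 0x01
    return bytes(altered)


# Constructed traffic sample: two signed SMB file operations from an
# accounting client and one unsigned HTTP request from another protocol.
FRAMES = [
    sign_message(SESSION_KEY, b"SMB \\\\server\\accounting\\q3.xlsx read 4096"),
    sign_message(SESSION_KEY, b"SMB \\\\server\\accounting\\q3.xlsx write 4096"),
    b"HTTPGET /index.html",
]

if __name__ == "__main__":
    for frame in FRAMES[:2]:
        print("intact  :", verify_message(SESSION_KEY, frame))
        print("tampered:", verify_message(SESSION_KEY, tamper(frame, 10)))
    print("bandwidth share:", bandwidth_share(FRAMES))
```

Running it shows both SMB frames verifying, the tampered copies being rejected, and the monitor still reporting the SMB and HTTP shares, which is what an encrypting option such as ESP would have taken away.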
Question: 204
You are the network administrator for ExamSheets. The network includes a perimeter network.
The perimeter network consists of a single Active Directory domain named ExamSheets.net. The
domain contains four Windows Server 2003 Web servers configured as a Network Load Balancing
cluster.
The cluster hosts an Internet e-commerce Web site.
You upgrade the Web site to require users to log on in order to gain full access to the site. You
will use Active Directory to store the user accounts. Web site users may access the site by using
various Web browsers.
You need to enable and require SSL when users log on to the Web site. You need to minimize
the administrative impact for users of the Web site.
What should you do?
A. Obtain a Web server certificate from an external certification authority (CA) that is widely
trusted on the Internet.
Install the certificate on each Web server in the cluster.
B. Configure a stand-alone certification authority (CA) in the perimeter network.
Obtain a Web certificate from the CA.
Install the certificate on each Web server in the cluster.
C. Install Certificate Services on each Web server in the cluster, and configure each Web server
as an enterprise certification authority (CA).
Configure certificate autoenrollment for all users.
D. Install Certificate Services on each Web server in the cluster, and configure each Web server
as a standalone certification authority (CA).
Configure Web-based certificate enrollment for users.
Answer: A
Explanation:
To enable SSL on the web cluster we need a Web server certificate. The web site is a publicly
accessible site, so the Web server certificate needs to be trusted by the public computers. We
should use a Web server certificate from an external certification authority (CA) that is widely
trusted on the Internet such as Verisign.
Incorrect Answers:
B: The public client computers will display a message saying that the server certificate isn’t
trusted.
C: The web server needs a Web server certificate from an external certification authority. It
doesn’t need to be a CA.
D: The web server needs a Web server certificate from an external certification authority. It
doesn’t need to be a CA.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, pp. 882-884
Knowledge base Articles:
How to Configure Certificate Server for Use with SSL on IIS KB 218445
HOW TO: Configure IIS Web Site Authentication in Windows Server 2003 KB 324274
HOW TO: Load Balance a Web Server Farm Using One SSL Certificate in IIS KB 313299
Question: 205
You are the network administrator for ExamSheets. All servers run Windows Server 2003.
ExamSheets has 1,000 users that need to use certificates for secure e-mail. ExamSheets also
uses certificates for Encrypting File Systems (EFS) and for authentication to Web-based
applications that are located in the perimeter network.
ExamSheets is legally required to maintain access to files and e-mail messages even after
employees leave ExamSheets. ExamSheets also has internal requirements stating that
administrators must be able to restore lost certificate keys for network users.
You need to provide a backup and recovery plan to be used in the event that users accidentally
delete or lose their certificates and the associated private keys.
You need to plan the steps for configuring the certification authority (CA) to issue user certificates
for EFS, secure e-mail, and client authentication. Your plan must also provide all requirements for
recovering private keys for user certificates. Your plan must minimize administrative effort.
Which three actions should you take? (Each correct answer presents part of the solution. Choose
three)
A. Create a key recovery agent and acquire the Key Recovery Agent certificate for the account.
B. Configure the CA with a policy module that requires the administrator to explicitly issue
certificates.
C. Configure the CA to allow key archival.
D. Create a new certificate template that has the proper application policies and allows key
archiving. Add the certificate template to the CA.
Allow authenticated users to enroll for certificates by using the new certificate template.
E. Configure the certificate template to supersede the Domain Controller Authentication
Certification template.
Answer: A, C, D
Explanation:
Windows Server 2003 provides a locksmith of sorts (called a Registration Authority, or RA) that
earlier versions of Windows did not have. A key recovery solution, however, is not easy to
implement and requires several steps. The basic method is as follows:
1. Create an account to be used for key recovery.
2. Create a new template to issue to that account.
3. Request a key recovery certificate from the CA.
4. Have the CA issue the certificate.
5. Configure the CA to archive certificates by using the Recovery Agents tab of the CA property
sheet.
6. Create an archive template for the CA.
Key archival and recovery rely on a version 2 template, which is only available in Windows Server
2003 Enterprise or Datacenter Editions.
Incorrect answers:
B: The CA should be configured to allow key archival, not with a policy module that requires the
administrator to explicitly issue certificates.
E: This option will not minimize administrative effort under the given circumstances.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 884
Question: 206
You are a network administrator for ExamSheets. All servers run Windows Server 2003.
The company uses a public key infrastructure (PKI) enabled sales application that enforces
strong certificate revocation list (CRL) checking.
On average, 100,000 users require access to this application.
A stand-alone root certification authority (CA) is configured to issue certificates to users.
Certificate Services is configured as shown in the exhibit.
Certificates you issue are valid for three years.
You issue and revoke approximately 10,000 certificates per month for 12 months.
After 12 months, users begin to report delays when they open the sales application.
You discover that the delays occur periodically.
You need to improve the performance when users open the sales application.
What should you do?
A. Configure Certificate Services to publish the delta CRL daily and the base CRL monthly.
B. Configure Certificate Services to publish the base CRL to a Web server on the network.
Include this location in the CRL distribution point of certificates.
C. Configure a subordinate CA.
Instruct new users to enroll for certificates by using this CA.
D. Configure Certificate Services to publish the base CRL daily and the delta CRL monthly.
Answer: A
Explanation:
The CRL is a list of certificates that are expired or invalid, and it is made available so that
network users can identify whether certificates they receive are valid. CRLs can become very
long on large CAs that have experienced significant amounts of certificate revocation. This can
become a burden for clients to download frequently. To help minimize frequent downloads of
lengthy CRLs, delta CRLs can be published. This allows the client to download the most current
delta CRL and combine that with the most current base CRL to have a complete list of revoked
certificates. Because the client will normally have the CRL cached locally, the use of delta CRLs
can potentially improve performance. Delta CRL is a list containing only the certificates that have
been revoked since the last certificate revocation list was published.
Delta lists enable new additions to a CRL to be published without the need to publish the entire
CRL again. Much like an incremental backup in theory, this advancement helps optimize network
speed and simplifies the distribution of CRLs.
Incorrect answers:
B: Configuring Certificate Services to publish the base CRL to a Web server on the network will
not ensure that you have a current, up-to-date revocation list, and network performance will thus
not be improved.
C: Any certification authority that is established after the root CA is a subordinate CA.
Subordinate CAs gain their authority by requesting a certificate from either the root CA or a
higher-level subordinate CA. They are certified by the root authority, which binds their public key
to their identity. Just as the root CA can issue and manage certificates and certify child CAs, a
subordinate CA can also perform these actions and certify CAs that are subordinate to it in the
hierarchy. However, since many certificates are revoked every month, having new users enroll for
certificates by using a subordinate CA will not improve performance. It will only result in even
more revocations.
D: Publishing the base CRL daily and the delta CRL monthly will not improve performance. It
should be the other way round.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, pp.
71-72, 872
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 11: 32
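To make the base/delta mechanism and the size argument concrete, here is an added example (not from the exam guide or from Certificate Services) that merges a constructed base CRL with a constructed delta CRL the way a checking client does, and then estimates the per-day download for the two publishing schedules in options A and D using the question's own figures (10,000 revocations per month for 12 months). The combination rule is a simplified form of the RFC 5280 Delta CRL Indicator check; a 30-day month and the assumption that none of the revoked three-year certificates has expired yet are both constructed for the estimate.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class BaseCRL:
    crl_number: int
    revoked: FrozenSet[int]        # serial numbers of revoked certificates


@dataclass(frozen=True)
class DeltaCRL:
    crl_number: int
    base_crl_number: int           # base CRL this delta builds on (Delta CRL Indicator)
    revoked: FrozenSet[int]        # serials revoked since that base was published


def combine(base: BaseCRL, delta: DeltaCRL) -> FrozenSet[int]:
    """Merge a base CRL with a delta CRL into the complete revoked set.

    Simplified version of the RFC 5280 rule (section 5.2.4): the delta may
    only be applied to a base whose CRL number is at least the delta's
    base CRL number and below the delta's own number.
    """
    if not (delta.base_crl_number <= base.crl_number < delta.crl_number):
        raise ValueError(
            f"delta {delta.crl_number} (base {delta.base_crl_number}) does not "
            f"apply to base CRL {base.crl_number}")
    return base.revoked | delta.revoked


def is_revoked(serial: int, base: BaseCRL, delta: DeltaCRL) -> bool:
    """Client-side check against the combined list."""
    return serial in combine(base, delta)


def client_download(revoked_per_month: int, months_elapsed: int,
                    base_period_days: int, delta_period_days: int,
                    days_per_month: int = 30) -> Dict[str, float]:
    """Estimate how many CRL entries a client fetches under a publishing
    schedule. Assumes (constructed) a 30-day month and that no revoked
    certificate has expired yet, so the base CRL keeps every revocation.
    """
    base_entries = revoked_per_month * months_elapsed
    delta_entries = revoked_per_month * delta_period_days / days_per_month
    average_per_day = (base_entries / base_period_days
                       + delta_entries / delta_period_days)
    return {"base_entries": base_entries,
            "delta_entries": delta_entries,
            "average_entries_per_day": average_per_day}


# Constructed CRLs: base number 12 lists three serials, delta number 13
# adds one serial revoked since base 12 was published.
BASE = BaseCRL(crl_number=12, revoked=frozenset({0x1001, 0x1002, 0x1003}))
DELTA = DeltaCRL(crl_number=13, base_crl_number=12, revoked=frozenset({0x1004}))

if __name__ == "__main__":
    print(sorted(hex(s) for s in combine(BASE, DELTA)))
    # Option A: base monthly, delta daily; option D: base daily, delta monthly
    print("A:", client_download(10_000, 12, base_period_days=30, delta_period_days=1))
    print("D:", client_download(10_000, 12, base_period_days=1, delta_period_days=30))
```

With these figures the base CRL holds 120,000 entries after a year. Under option A a client fetches roughly 333 delta entries on an ordinary day and the full base only once a month; under option D it fetches the full 120,000-entry base every day, which is the periodic delay the users report.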
Question: 207
You are a network administrator for ExamSheets.net. Your network consists of a single Active
Directory domain named ExamSheets.net. All servers run Windows Server 2003.
The company has users who work in the main office and users who work remotely by connecting
to a server running Routing and Remote Access. The company’s written security policy requires
that administrators in the main office log on by using smart cards. The written security policy also
requires that remote users use smart cards to access network resources. No other users are
required to use smart cards.
You issue portable computers that contain smart card readers to administrators and remote
users. You issue smart cards to administrators and remote users. Administrators and remote
users report that they can log on without using a smart card.
You need to ensure that only administrators are required to use smart cards when working in the
main office. You must also ensure that remote users are required to use smart cards when
accessing network resources.
Which two actions should you take? (Each correct answer presents part of the solution. Choose
two)
A. In the computer configuration settings of the Default Domain Policy Group Policy object (GPO),
enable the Interactive logon: Require smart card setting.
B. On the server running Routing and Remote Access, select the Extensible authentication
protocol (EAP) check box and require smart card authentication.
C. In the properties of each administrator account, select the Smart Card Required for
Interactive Logon check box.
D. In the computer configuration settings of the Default Domain Controllers Policy Group Policy
object (GPO), enable the Interactive logon: Require smart card setting.
E. In the properties of each user account that requires remote access, select the Smart Card
Required for Interactive Logon check box.
Answer: B, C
Explanation:
We can require remote users to use smart cards only by configuring the RRAS server that the
remote users connect to so that it requires smart card authentication.
We can configure the administrators’ user accounts to require smart cards for interactive logons.
This setting is defined in the user properties in Active Directory Users and Computers.
Incorrect Answers:
A: This would require that all users log on using a smart card.
D: This would require users to use a smart card only when logging on to the domain controllers.
The administrators must use smart cards to log on to any machine in the domain.
E: This would require that the remote users log on using a smart card to any machine. They don’t
need a smart card logon if they are using a machine in the office.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 7-9 to 7-10.
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering
Windows Server 2003, Sybex Inc. Alameda, 2003, p. 655
Question: 208
You are a network administrator for ExamSheets.net. The network consists of a single Active
Directory domain named ExamSheets.net. All servers run Windows Server 2003. Most of the
client computers are located in the offices of individual users. Some client computers are located
in publicly accessible locations.
The company’s written security policy includes the following requirements.
• All users must use smart cards to log on to a client computer.
• Users using the publicly accessible client computers must be logged off if the smart card is
removed from the smart card reader.
You configure all user accounts to require smart cards for interactive logon. You create an
organizational unit (OU) named Public.
You need to ensure that the appropriate result occurs on each client computer when a smart card
is removed.
You must achieve this goal without affecting other computers.
What should you do?
A. Place all computer accounts for the publicly accessible client computers in the Public OU.
Create a new Group Policy object (GPO) and link the GPO to the Public OU.
Configure the Interactive Logon: Smart card removal behavior setting to Force Logoff.
B. Place the user accounts of all users who use the publicly accessible client computers in the
Public OU.
Create a new Group Policy object (GPO) and link the GPO to the Public OU.
Configure the Interactive logon: Smart card removal behavior setting to Force logoff.
C. On the Default Domain Policy Group Policy object (GPO), configure the Interactive logon:
Smart card removal behavior setting to Force logoff.
D. On the Default Domain Controllers Policy Group Policy object (GPO), configure the
Interactive logon: Smart card removal behavior setting to Force Logoff.
Answer: A
Explanation:
We can place the public computers in the Public OU; this will enable us to apply a group policy to
the public computers. The question states that users must be logged off if the smart card is
removed from the smart card reader. There is a specific setting in group policy for this. We can
configure the Interactive Logon: Smart card removal behavior setting to Force Logoff.
Incorrect Answers:
B: This is a computer setting, not a user setting.
C: This will force logoff all users in the domain. Only users of the public computers should be
logged off when they remove their smart cards.
D: This will force logoff all users who log on to a domain controller. Only users of the public
computers should be logged off when they remove their smart cards.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 10-4 to 10-12, 10-15
Question: 209
You are the network administrator for ExamSheets. The network consists of a single-domain
Active Directory forest and a single Windows NT 4.0 domain. The functional level of the forest is
Windows 2000. The Active Directory domain contains computer accounts and two Windows
Server 2003 domain controllers. The Active Directory domain also uses Group Policy objects
(GPOs). The Windows NT 4.0 domain contains user accounts. The Windows NT 4.0 domain also
uses System Policy to configure users’ computers.
You no longer want the settings that were configured by using the system policies applied to
computers. What should you do?
A. Create a new system policy that contains user configuration settings that reverse the previous
system policies. Replace the old system policies with the new system policies.
B. Create a new GPO that contains user configuration settings that reverse the previous system
policies. Apply the new GPO to the Active Directory domain.
C. Raise the functional level of the Active Directory domain to Windows Server 2003 interim.
D. Raise the functional level of the forest to Windows Server 2003 interim.
Answer: A
Explanation: Unlike Windows 2000 (or later) GPOs, Windows NT system policy settings stay in
place even after the system policy is removed. To remove the system policy settings, we must
create another system policy that reverses the settings from the previous system policies.
Incorrect Answers:
B: Group Policy Objects (GPOs) have no effect on Windows NT computers.
C: The functional level of the forest or domain will have no effect on the computers in the
Windows NT domain.
D: The functional level of the forest or domain will have no effect on the computers in the
Windows NT domain.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 830
Question: 210
You are a network administrator for ExamSheets. The network contains a Windows Server 2003,
Enterprise Edition file server named ExamSheets3 that contains two volumes configured as drive
H and drive J. Drive H contains 40 GB of unused space and drive J contains 12 GB of unused
space. ExamSheets3 contains the shared folders shown in the following table.
Each file in the ExamSheetsData folder is modified or deleted every seven days on average, and
new files are added frequently. Users often request that prior versions of files be restored from
backup tapes. All users have Windows XP Professional computers.
You want to enable users to restore prior versions of modified or deleted files in the
ExamSheetsData folder. Which two actions should you take? (Each correct answer presents part
of the solution. Choose two)
A. Enable Shadow Copies of Shared Folders on drive J and configure an 8-GB storage area on
drive J.
B. Enable Shadow Copies of Shared Folders on drive J and configure a 20-GB storage area on
drive H.
C. Enable automatic caching of documents for ESData.
D. Enable manual caching of documents for ESData.
E. Install Twcli32.msi on each user’s client computer.
F. Install Adminpak.msi on each user’s client computer.
Answer: B, E
Explanation:
To store the shadow copies of another volume on the same file server, a volume can be
dedicated on separate disks. For example, if user files are stored on H:\, another volume such as
S:\ can be used to store the shadow copies. Using a separate volume on separate disks provides
better performance and is recommended for heavily used file servers.
Note: If shadow copies are stored on the same volume as the user files, note that a burst of disk
input/output (I/O) can cause all shadow copies to be deleted. If the sudden deletion of shadow
copies is unacceptable to administrators or end users, it is best to use a separate volume on
separate disks to store shadow copies. Windows Server 2003 includes the client software for
volume shadow copy in its %Systemroot%\System32\Clients\Twclient folder. The client software
to access previous versions of files is Twcli32.msi. This needs to be installed on every client
computer. This is a difficult question because answer A or B will work. We need to decide which
disk to store the shadow copies on. Drive H has enough spare space. With more space, we can
store more shadow copies. Also, placing the shadow copies on a separate disk or volume
provides better performance.
Incorrect answers:
C, D: This is not a caching concern that will address the issue. You should rather enable shadow
copies so that you can enable users to restore prior versions of modified and deleted files.
F: The Adminpak.msi can be used to repair console issues related to file corruption and software
deployment, but in this case you would need the Twcli32.msi.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 6: 41
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 3: 10
Question: 211
You are the network administrator for a new branch office of Examsheets. The office network is
connected to the Internet by a T1 line.
Examsheets’s Internet service provider (ISP) gives you a single public IP address and provides
firewall services to protect the office network.
The office network includes five Windows XP Professional client computers and a Windows
Server 2003 computer named ExamsheetsA. All client computers are configured to use DHCP to
obtain their IP configuration settings.
ExamsheetsA is configured as a DHCP server and contains two network adapters. You connect
one network adapter to the ISP connection, and you connect the other network adapter to the
office network. You want to configure ExamsheetsA so that client computers can access the
Internet.
Which two courses of action should you take? (Each correct answer presents part of the solution.
Choose two)
A. Remove the DHCP Server service.
B. Install the DNS Server service.
C. Run the route command to add a route to the internal network.
D. Assign the public IP address to the external network adapter. Install and configure Routing and
Remote Access.
Answer: B, D
Explanation:
We have a single public IP address from the ISP. This should be assigned to the external network
adapter. This will enable the server to send and receive data on the internet. The LAN clients will
use private IP addresses. We need to install the Routing and Remote Access service on the
server and configure NAT (Network Address Translation). This will enable the server to route
traffic between the internet and the LAN. We need to install the DNS service on the router so that
the clients can resolve external (internet) host names.
Incorrect Answers:
A: It is not necessary to remove the DHCP service.
C: We do not need to add a route into the internal network. The question doesn’t say that people
will be connecting to the LAN computers from the internet.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 1: 23-28
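The explanation rests on what NAT does with a single public address: outbound flows from private addresses are rewritten to the public address, replies are mapped back through the translation table, and inbound packets with no table entry are dropped, which is also why option C's inbound route is unnecessary. The following added example (not from the exam guide and not RRAS's implementation) models a port-translating NAT with constructed documentation-range addresses and a constructed browse/reply exchange.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges.
PUBLIC_IP = "203.0.113.10"            # the single address from the ISP
LAN = ip_network("192.168.0.0/24")     # private range used on the office network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Port-translating NAT: outbound flows are rewritten to the public
    address and a fresh port; replies are mapped back through the table;
    inbound packets with no table entry are dropped."""

    def __init__(self, public_ip: str, lan: IPv4Network, first_port: int = 49152):
        self.public_ip = public_ip
        self.lan = lan
        self.next_port = first_port
        self.table: Dict[int, Tuple[str, int]] = {}      # public port -> (private ip, port)
        self.reverse: Dict[Tuple[str, int], int] = {}    # (private ip, port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: replace the private source with the public one."""
        if ip_address(pkt.src_ip) not in self.lan:
            raise ValueError(f"{pkt.src_ip} is not on the office network")
        key = (pkt.src_ip, pkt.src_port)
        port = self.reverse.get(key)
        if port is None:                      # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only packets that match an existing flow."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                       # unsolicited: no mapping, dropped
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def browse_and_reply(router: NatRouter) -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Constructed exchange: a client opens a web connection, the server
    replies, and an unsolicited inbound packet arrives from elsewhere."""
    request = Packet("192.168.0.20", 51000, "198.51.100.5", 80)
    translated = router.outbound(request)
    reply = Packet("198.51.100.5", 80, PUBLIC_IP, translated.src_port)
    delivered = router.inbound(reply)
    unsolicited = Packet("198.51.100.99", 4444, PUBLIC_IP, 80)
    return translated, delivered, router.inbound(unsolicited)


if __name__ == "__main__":
    router = NatRouter(PUBLIC_IP, LAN)
    for label, pkt in zip(("out", "reply", "unsolicited"), browse_and_reply(router)):
        print(f"{label:12}: {pkt}")
```

Only the router's external adapter ever carries the public address; the clients keep their DHCP-assigned private addresses, and name resolution for Internet hosts is the separate DNS piece that option B supplies.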
Question: 212
You are a network administrator for Examsheets. The network consists of 20 Active Directory
domains. All servers run Windows Server 2003. Examsheets has 240 offices. Each office is
configured as an Active Directory site. Examsheets has a branch office that contains four users.
User objects for these users are stored in the australia.Examsheets.net domain. The branch
office is connected to the corporate network by a 56-Kbps WAN connection. The branch office
contains a domain controller named Examsheets17 that is configured as an additional domain
controller for the australia.Examsheets.net domain. An Active Directory site is configured for the
branch office. Examsheets17 is a member of this site. An IP site link exists between the
branch office and the main office.
The WAN connection is available only during business hours. Users in the branch office report
slow response times on the WAN connection. You examine the WAN connection and discover
that the problem is caused by Active Directory replication.
You need to improve the performance of the WAN connection.
What should you do?
A. Configure Examsheets17 as a global catalog server.
B. Enable universal group membership caching in the branch office.
C. Remove Active Directory from Examsheets17 and configure Examsheets17 as a member
server.
D. On the site link that connects the branch office to the corporate network, increase the
replication interval.
Answer: D
Explanation:
The branch office contains a domain controller from the australia.Examsheets.net domain.
Replication between this domain controller and a domain controller at the main office is using up
the bandwidth of the 56-Kbps link between the two sites. We can reduce the WAN link usage by
increasing the replication interval, thus ensuring that replication across the WAN link occurs less
frequently.
Incorrect Answers:
A: Configuring Examsheets17 as a global catalog server will increase the bandwidth used by the
replication.
B: Enabling universal group membership caching in the branch office won’t decrease the
bandwidth used by the replication.
C: It is not necessary to demote Examsheets17 to a member server. Furthermore, this would
cause logon authentication traffic to go over the WAN link.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4: 36
Question: 213
You are the network administrator for Examsheets Ltd. The network consists of a single Active
Directory forest. The functional level of the forest is Windows Server 2003. The forest contains a
root domain named Examsheets.net and two child domains named scotland.Examsheets.net and
wales.Examsheets.net. All domain controllers run Windows Server 2003.
Each domain contains a DNS server. The DNS server in Examsheets.net is named EXAMSHEETSDNS1,
the DNS server in scotland.Examsheets.net is named
EXAMSHEETSDNS2, and the DNS server in wales.Examsheets.net is named
EXAMSHEETSDNS3. Each DNS server in a child domain is responsible for name resolution in
only its domain. The TCP/IP properties of all client computers in the child domains are configured
to use only the DNS server in the domain. All records of all DNS servers are stored in Active
Directory.
You create a new application directory partition named DNSdata.Examsheets.net. You enlist
EXAMSHEETSDNS1 and EXAMSHEETSDNS2 in this application directory partition.
You need to enable all users in Examsheets.net to access resources in the
scotland.Examsheets.net domain by using host names. Users in the Examsheets.net domain do
not need to access resources in the wales.Examsheets.net domain. You need to configure the
zone replication scope of the scotland.Examsheets.net domain at EXAMSHEETSDNS2.
What should you do?
To answer, configure the appropriate option or options in the dialog box.
Answer: Select the fourth radio button.
Explanation:
The application directory partition DNSdata.Examsheets.net contains a DNS server from
Examsheets.net and Scotland.Examsheets.net. By configuring the DNS information from the
DNS server in Scotland.Examsheets.net to be replicated to the DNS server in Examsheets.net,
we will enable users in Examsheets.net to locate resources in Scotland.Examsheets.net.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 4: 36
Question: 214
You are the network administrator for Examsheets. Two of Examsheets’s customers are
Contoso Pharmaceuticals and City Power and Light. Your domain infrastructure is shown in the
exhibit.
All users in the Examsheets.net domain need to access resources in the contoso.com domain.
Some users in the Examsheets.net domain need to access resources in the sales.cpandl.com
domain. No users in the Examsheets.net domain need to access resources in the
sales.contoso.com domain.
Although a two-way trust relationship exists between the Examsheets.net and cpandl.com
domains, you discover that the users in the Examsheets.net domain cannot access resources in
the sales.cpandl.com domain.
You need to ensure that all users in the Examsheets.net domain can access the appropriate
resources in the other forests.
What should you do?
A. Enable the routing status of the sales.contoso.com name suffix on the forest trust from
Examsheets.net to contoso.com. Disable the routing status of the sales.cpandl.com name suffix
on the forest trust from Examsheets.net to cpandl.com.
B. Disable the routing status of the sales.contoso.com name suffix on the forest trust from
Examsheets.net to contoso.com. Enable the routing status of the sales.cpandl.com name suffix on
the forest trust from Examsheets.net to cpandl.com.
C. Enable the routing status of the sales.contoso.com name suffix on the forest trust from
Examsheets.net to contoso.com. Enable the routing status of the sales.cpandl.com name suffix on
the forest trust from Examsheets.net to cpandl.com.
D. Disable the routing status of the sales.contoso.com name suffix on the forest trust from
Examsheets.net to contoso.com. Disable the routing status of the sales.cpandl.com name suffix
on the forest trust from Examsheets.net to cpandl.com.
Answer: B
Explanation:
A forest trust must be explicitly created by a systems administrator between two forest root
domains. This trust allows all domains in one forest to transitively trust all domains in another
forest. A forest trust is not transitive across three or more forests. E.g., forest A trusts forest B and
forest B trusts forest C. There is no trust relationship between forest A and forest C. The trust is
transitive between two forests only and can be one-way or two-way. Forest trusts are only
available when the forest is at the Windows Server 2003 functional level. Following this argument,
it is clear that you should disable routing status between the sales.contoso.com name suffix on
the forest trust from Examsheets.net to contoso.com and then enable the routing status of the
sales.cpandl.com name suffix on the forest trust from Examsheets.net to cpandl.com. This should
ensure that all users in the Examsheets.net domain can access the appropriate resources in the
other forests.
Incorrect answers:
A, C, D: Forest trusts are not transitive over three or more forests. Thus these options will result
in some of the resources being inaccessible to the Examsheets.net domain users.
References:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1: 27
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/enu/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/enus/x_c_forestauthentication.asp
Question: 215
You are the network administrator for Examsheets. The company needs to implement a Web
application that uses two Microsoft SQL Server 2000 database instances.
You expect the size of each database instance to be between 200 GB and 300 GB at any given
time. Several tables in each database contain data that is updated once every few seconds, on
average. You estimate that each database instance requires 7 GB of memory, and that each
instance requires 70 percent usage of four CPUs, on average.
Using two servers ExamsheetsSQL1 and ExamsheetsSQL2, you need to plan the minimum
highly available server infrastructure for the databases that meets the requirements. You also
want to minimize the costs and administrative effort required to maintain the infrastructure.
What should you do?
To answer, drag the appropriate configuration settings to the Cluster Configuration.
Answer:
Explanation:
We are running two different databases so we need a Cluster Service Cluster rather than a
Network Load Balancing cluster (We can only use NLB if the two servers are hosting identical
content). For a Cluster Service Cluster, we need to use Windows Server 2003 Enterprise Edition.
We need to ensure that the database will still run if one of the cluster nodes fails. Therefore each
cluster node will need enough resources to run both databases. Each database requires four
CPUs, so each cluster node must have 8 CPUs in order to run both databases in the event of a
cluster node failure. Each database requires 7 GB of RAM so each cluster node must have at
least 14 GB of RAM in order to run both databases in the event of a cluster node failure (our only
option above 14 GB of RAM is to put 16 GB of RAM in each cluster node).
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 5
Question: 216
You are a network administrator for Examsheets. Examsheets is developing a new Web
application that connects to an SQL back-end environment. The design team decides that the
new application must be fault tolerant. You interview the Web developers and the SQL
administrators to establish the size of the environment.
The Web developers state that they need at least three Web servers to share the load. Each Web
server requires two processors and 1 GB of RAM. The Web developers state if one of the Web
servers fails, the Web application can run for several hours in a degraded state. Responsiveness
will be below specifications in a degraded state.
The SQL administrators state that they need two Microsoft SQL Server computers to support the
new application. They want the SQL server environment to be redundant. Each SQL Server
computer requires four processors and 3 GB of RAM. The SQL administrators state that only one
SQL Server computer is required to maintain the application.
You need to ensure that two of the Web servers and one of the SQL Server computers are
always available. You need to select the lowest edition of Windows Server 2003 that meets the
requirements in order to minimize costs.
Which two actions should you take? (Each correct answer presents part of the solution. Choose
two)
A. Install Windows Server 2003, Web Edition on all three Web servers.
Connect all three servers by using Network Load Balancing.
B. Install Windows Server 2003, Standard Edition on all three Web servers.
Connect all three servers by using Network Load Balancing.
C. Install Windows Server 2003, Enterprise Edition on all three Web servers.
Install a shared fiber-attached disk array for the Web servers.
Implement a three-node server cluster for the Web servers.
Configure the cluster so that all three nodes are active.
D. Install Windows Server 2003, Standard Edition on both SQL Server computers.
Connect the SQL Server computers by using Network Load Balancing.
E. Install Windows Server 2003, Enterprise Edition on both SQL Server computers.
Connect the SQL Server computers by using Network Load Balancing.
F. Install Windows Server 2003, Enterprise Edition on both SQL Server computers.
Install a shared fiber-attached disk array for the SQL Server computers.
Implement a two-node server cluster for the SQL servers.
Configure the cluster so that one node is active and the second node is a hot standby node.
Answer: A, F
Explanation:
For the web servers we can use three servers connected using Network Load Balancing. We can use
Network Load Balancing because the content will be the same on the web servers. Windows
Server 2003 Web Edition supports Network Load Balancing.
For the SQL servers we need a two-node server cluster. For a server cluster, we need Windows
Server 2003 Enterprise Edition.
Incorrect Answers:
B: Windows Server 2003 Web Edition supports Network Load Balancing. We don’t need
Windows Server 2003, Standard Edition.
C: We can use Network Load Balancing because the content will be the same on the web
servers. We don’t need a server cluster.
D: We cannot use Network Load Balancing for the SQL servers. Network Load Balancing should
only be used when you have static content.
E: We cannot use Network Load Balancing for the SQL servers. Network Load Balancing should
only be used when you have static content.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 5
Question: 217
You are a network administrator for Examsheets. The network design team decides that the DNS
Server service must always be available.
The network design team requires that all computers on the network must always access the
DNS Server service by using a single IP address. TCP/IP configurations for client computers and
servers will contain a single DNS entry. The DNS Server service must be authoritative for all host
and service locator (SRV) resource records for the network. The DNS Server service must
maintain all records in the event that there is a hardware failure of the DNS server.
You need to deploy DNS on the network. You need to comply with the network design team’s
requirements.
What should you do?
A. Deploy DNS by using the Cluster service to configure a two-node server cluster in a failover
configuration.
B. Deploy DNS by using the Cluster service to configure a two-node server cluster that hosts
DNS on both nodes simultaneously.
C. Deploy DNS stub zones by using Network Load Balancing.
D. Deploy multiple DNS servers that host secondary zones that are load balanced by using
Network Load Balancing.
Answer: A
Explanation:
We can use the Cluster service to configure a two-node server cluster in a failover configuration.
Using the failover configuration, if one machine fails, the other machine will continue to run.
Incorrect Answers:
B: This configuration will not work.
C: We need a primary zone, not a stub zone. The DNS Server service must be authoritative for
all host and service locator (SRV) resource records for the network.
D: We need a primary zone, not secondary zones. The DNS Server service must be authoritative
for all host and service locator (SRV) resource records for the network.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington,
2004, p. 7: 5
Question: 218
You are a network administrator for Examsheets. The company has a main office and one branch
office. The network consists of a single Active Directory domain named Examsheets.net. The
network contains three Windows Server 2003 domain controllers: Examsheets1, Examsheets2,
and Examsheets4. You configure two Active Directory sites, one for the main office and one for
the branch office. The network is shown in the exhibit.
The domain controllers are backed up each night by using a normal backup that also captures the
system state. You are responsible for creating a domain controller recovery plan to be used if a
domain controller fails in either office. The design team specifies that the domain controller
recovery plan must minimize replication traffic across the link between the network in the main
office and the network in the branch office. The plan must also minimize restoration time.
You need to include in your recovery plan the process for restoring Active Directory services if
any of the domain controllers suffers a hardware failure.
Which two actions should you include in your plan? (Each correct answer presents part of the
solution. Choose two)
A. Restore the system state of any domain controller to an available member server in the same
network subnet.
B. Perform an authoritative restore operation on a functioning domain controller.
C. On an available member server in the same network subnet as the failed domain controller,
run the dcpromo /adv command and select the Over the network option.
D. On an available member server in the same network subnet as the failed domain controller,
run the dcpromo /adv command and select the From these restored backup files option.
Answer: A, D
Explanation:
For additional domain controllers in an existing domain, you have the option of using the install
from media feature, which is new in Windows Server 2003. Install from media allows you to
prepopulate Active Directory with System State data backed up from an existing domain controller.
This backup can be present on local CD, DVD, or hard disk partition. Installing from media
drastically reduces the time required to install directory information by reducing the amount of
data that is replicated over the network. Installing from media is most beneficial in large domains
or for installing new domain controllers that are connected by a slow network link. To use the
install from media feature, you first create a backup of System State from the existing
domain controller, and then restore it to the new domain controller by using the Restore to:
Alternate location option.
In this scenario, we can restore the system state data to a member server, then use that restored
system state data to promote a member server to a domain controller.
Incorrect Answers:
B: We do not want to authoritatively restore the data. There is also no need to restore anything to
a functioning domain controller.
C: The Over the network option is incomplete. The full option is Over the network from a
domain controller. We want to create a domain controller from the restored files.
References:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294):
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27
Question: 219
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net.
You are responsible for planning the backup and recovery of all servers and services for
Examsheets. A Windows Server 2003 computer named Examsheets4 runs the enterprise root
certification authority (CA). No subordinate CAs are installed on the network.
You need to create a plan to back up and restore the CA database. Your plan must ensure that
the database and log files can be completely recovered in the event that the database is
corrupted.
What are two possible ways to achieve this goal? (Each correct answer presents a complete
solution. Choose two)
A. On Examsheets4, use the Certificates console to export all Trusted Root Certification
Authorities
certificates.
On Examsheets4, use the Certificates console to import the certificates to the Trusted
Root Certification Authorities node.
B. On Examsheets4, run the certreq command with the –submit option.
On Examsheets4, run the certreq command with the –retrieve option.
C. On Examsheets4, use the Certification Authority snap-in to back up the CA.
On Examsheets4, use the Certification Authority snap-in to restore the CA.
D. On Examsheets4, run the certutil command with the –backup option.
On Examsheets4, run the certutil command with the –restore option.
Answer: C, D
Explanation:
C: Certificate needs are based upon which applications and communications an organization
uses and how secure they need to be. Based on these needs, CAs are created by installing
Certificate Services and are managed using the Certification Authority snap-in.
The options on the Certificate Managers Restrictions tab enable you to grant or deny each
administrator’s capability to manage users, groups, and computers. Renewing the CA’s certificate
is a capability given only to the CA administrator with Manage CA permission. The Certification
Authority snap-in is available only for the CA.
D: You can back up and restore the database and keys with the certutil command-line utility:
certutil -backupDB -- Backup Certificate Services database
-backupKey -- Backup Certificate Services certificate and private key
-restore -- Restore Certificate Services
-restoreDB -- Restore Certificate Services database
-restoreKey -- Restore Certificate Services certificate and private key
Incorrect answers:
A: The Certificates console is responsible for certificate revocation lists and the like and not for
backing up and restoring corrupted CA data.
B: Making use of these commands with the -submit and -retrieve options will not ensure that your
database and the log files can be completely recovered in the event of CA data corruption.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 908
Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and
Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond,
Washington, 2004, p. 18: 7
Question: 220
You are the systems engineer for Examsheets. The network consists of a single Active Directory
domain named Examsheets.net. All servers run Windows Server 2003. All client computers run
Windows XP Professional. All administrative staff use portable computers. The relevant portion of
the network is shown in the exhibit.
The private Web server uses non-standard ports for connections. The external firewall is
configured to allow inbound connections on these non-standard ports.
Company policy requires that all administrative tasks must be performed remotely. You enable
Remote Desktop connections on all servers on the company intranet. Each administrative client
computer has the Windows Server 2003 Administrative Tools and the Remote Desktops snap-in
installed.
The administrators request that they be able to use Remote Desktop connections to administer
the servers when they are at home. The company’s written security policy requires that
connections originating from the Internet are not allowed into the company intranet. Currently,
only the Web servers are accessible from the Internet. The written security policy does not allow
any other connections to the perimeter network from the Internet.
You need to provide a solution that allows Remote Desktop connections to the company intranet
and that complies with the written security policy.
What should you do?
A. Install the Remote Administration Web site on the private Web server.
Configure the external firewall to allow inbound connections on the IIS Remote Administration
port. Configure the internal firewall to allow inbound connections on the Remote Desktop
Protocol (RDP) port.
B. Install the Remote Administration Web site on the private Web server.
Configure the external firewall to allow inbound connections on the Remote Desktop Protocol
(RDP) port. Configure the internal firewall to allow inbound connections on the IIS Remote
Administration port.
C. Install the Remote Desktop Web Connection Web site on the private Web server. Configure
the internal firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port.
D. Install the Remote Desktop Web connection Web site on the Private Web server.
Configure the internal firewall to allow inbound connections on the IIS Remote Administration
port.
Answer: C
Explanation:
The Remote Desktop Web Connection is a high-encryption, Remote Desktop Protocol (RDP) 5.0
client and uses RSA Security’s RC4 cipher with a key strength of 40, 56, or 128 bits, as
determined by the computer to which it is connecting. The Remote Desktop Web Connection
uses the well-known RDP TCP port (3389) to communicate with the host. Unlike some other display
protocols, which send data over the network in clear text or with an easily decodable
"scrambling" algorithm, Remote Desktop Web Connection's built-in encryption makes it safe to
use over any network, including the Internet, because the protocol cannot be easily sniffed to
discover passwords and other sensitive data. This will provide the necessary security.
With this solution, we can access the private web server from the Internet over a non-standard
port by configuring RDP to listen on that non-standard port. We can then open a Remote Desktop
connection from the private web server to the intranet servers. This does not contravene the
company’s written security policy, which states that connections originating from the Internet are
not allowed into the company intranet and that no other connections to the perimeter network
from the Internet are allowed.
Incorrect answers:
A: Configuring the external firewall to allow inbound connections on the IIS Remote
Administration port would be wrong in this case. It should be omitted.
B: The internal and not the external firewall should be configured to allow inbound connections on
the RDP port.
D: It is not the IIS Remote Administration port that should be considered here but rather the RDP
port that should be considered regarding the firewall configuration to allow inbound connections.
References:
MS Knowledge Base article 306759: How to Change the Listening Port for Remote Desktop
MS Knowledge Base article 308127: How to Manually Open Ports in Internet Connection Firewall
in Windows XP
MS Knowledge Base article 304034: Configuring the Remote Desktop Client to Connect to a
Specific Port
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn
Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network
Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc.,
Rockland, MA, Chapter 7, p. 530
http://msdn.microsoft.com/library/default.asp?url=/library/ens/termserv/termserv/providing_for_rdp_client_security.asp
http://www.microsoft.com/windowsxp/pro/downloads/rdwebconn.asp
Question: 221
You are the network administrator for Examsheets. The network consists of a single Active Directory
domain named Examsheets.net. All computers on the network are members of the domain.
You are planning a public key infrastructure (PKI) for Examsheets. Examsheets’s written security
policy states that the private keys that are used to encrypt files must be archived for later recovery.
You install an enterprise certification authority (CA) on a server that runs Windows Server 2003.
You create a new certificate template for file encryption. You configure the certificate template so
that the private key is archived. All users on the domain are issued certificates from this template.
You separate the roles of key recovery agent and certificate manager. As part of the planning of
the CA deployment, you want to document the procedure for how to recover a private key for a
user.
Which three actions should you include in your procedure?
Answer:
Explanation:
The Certutil.exe program is a command-line alternative to the Certification Authority console that
administrators use to manage a CA. The Certutil.exe program is a command-line utility that can
perform the same tasks as the Certification Authority console.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 884
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_CS_keyarch_walk.asp
Question: 222
You are the network administrator for Examsheets. The company is deploying a network that
consists of a single Active Directory domain named Examsheets.net. All client computers run
Windows XP Professional.
You are planning the data transmission security for the sales department.
You need to monitor the data transmissions to and from the client computers in the sales
department at all times. You need to ensure the integrity of the data transmissions to and from
the client computers.
You also need to be able to implement intrusion detection on the sales department traffic.
What should you do?
A. Assign a custom IPSec policy with the Integrity and Encryption security method to the sales
department client computers.
B. Assign a custom IPSec policy with the Integrity only security method to the sales department
client computers.
C. Assign a custom IPSec policy with a custom security method and the 3DES encryption
algorithm to the sales department client computers.
D. Assign the Client (Respond Only) IPSec policy to the sales department client computers.
Answer: B
Explanation: IPSec uses two primary protocols, AH and ESP. AH provides data authentication
and integrity; ESP provides those services and also adds data confidentiality. AH and ESP can
be used separately or together.
Select the Data and address integrity without encryption (AH) check box if you need to provide
data integrity for the packet's IP header and the data. Then, for Integrity algorithm, select
either MD5 (which uses a 128-bit key) or SHA1 (which uses a 160-bit key).
Here we want to monitor the IPSec traffic, so we cannot use ESP: if we did, we would not be able
to monitor the IPSec traffic because it is encrypted. If you need to diagnose ESP
software-encrypted communication, you must disable ESP encryption and use ESP-null encryption
by changing the IPSec policy on both computers. We therefore need to use AH; this way we can
monitor network traffic and still preserve the integrity of messages.
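To show concretely why the explanation above prefers AH when traffic must be monitored, the following added Python example (not part of the study guide or the exam) parses two constructed IPv4 packets: under AH the inspector skips the AH header and reaches the clear-text TCP payload, while under ESP only the SPI is visible. Header layouts follow RFC 4302 (AH) and RFC 4303 (ESP); the addresses, SPIs and payload are made-up sample values.

```python
import struct

# IP protocol numbers of the two IPSec protocols (RFC 4302 AH, RFC 4303 ESP).
IPPROTO_AH, IPPROTO_ESP, IPPROTO_TCP = 51, 50, 6


def inspect_ipsec_packet(pkt: bytes) -> dict:
    """Classify a raw IPv4 packet and report whether a monitor can read its payload.

    Under AH the transport header and data travel in clear text, so the monitor
    skips the AH header and reaches the TCP payload. Under ESP everything after
    the SPI and sequence number is ciphertext (unless ESP-null is used), so the
    monitor can only log the SPI.
    """
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_AH:
        # AH header: Next Header, Payload Len (32-bit words minus 2), Reserved,
        # SPI, Sequence Number, then the integrity check value (ICV).
        next_hdr, payload_len = body[0], body[1]
        spi = struct.unpack("!I", body[4:8])[0]
        inner = body[(payload_len + 2) * 4:]
        payload = None
        if next_hdr == IPPROTO_TCP:
            payload = inner[(inner[12] >> 4) * 4:]   # skip TCP header (data offset)
        return {"protocol": "AH", "spi": spi, "inspectable": True, "payload": payload}
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", body[0:4])[0]
        return {"protocol": "ESP", "spi": spi, "inspectable": False, "payload": None}
    return {"protocol": str(proto), "spi": None, "inspectable": True, "payload": body}


def _ipv4(proto: int, body: bytes) -> bytes:
    # Constructed minimal IPv4 header (checksum left zero) for the samples below.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + body


def _tcp(payload: bytes) -> bytes:
    # Constructed TCP header: data offset 5 (20 bytes), flags PSH|ACK, no options.
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload


# Constructed sample: AH transport-mode packet with a 12-byte ICV (HMAC-MD5-96 style);
# Payload Len 4 means (4 + 2) * 4 = 24 bytes of AH header before the TCP segment.
AH_PACKET = _ipv4(IPPROTO_AH, bytes([IPPROTO_TCP, 4, 0, 0]) + struct.pack("!II", 0x1000, 7)
                  + b"\x11" * 12 + _tcp(b"GET /sales HTTP/1.0\r\n"))
# Constructed sample: ESP packet; everything after SPI and sequence number is ciphertext.
ESP_PACKET = _ipv4(IPPROTO_ESP, struct.pack("!II", 0x2000, 7) + b"\x9f\x3a" * 20)

if __name__ == "__main__":
    for p in (AH_PACKET, ESP_PACKET):
        print(inspect_ipsec_packet(p))
```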
Incorrect answers:
A: Using both AH and ESP is the only way to both protect the IP header and encrypt the data.
However, this level of protection is rarely used because of the increased overhead that AH would
incur for packets that are already adequately protected by ESP. ESP protects everything but the
IP header, and modifying the IP header does not provide a valuable target for attackers.
Generally, the only valuable information in the header is the addresses, and these cannot be
spoofed effectively because ESP guarantees data origin authentication for the packets.
C: This option would work if you wanted both integrity and encryption for data confidentiality:
select the Data integrity and encryption (ESP) check box. Then, under Integrity algorithm, click
None (for no data integrity; you can choose this if you have AH enabled and want increased
performance), MD5, or SHA1. Under Encryption algorithm, choose None, DES, or 3DES.
However, this is not what is needed here.
D: Client (Respond Only) is the least secure default policy. You might want to implement this
policy for intranet computers that need to respond to IPSec requests but do not require secure
communications. If you implement this policy, the computer will use secured data
communications when requested to do so by another computer. This policy uses the default
response rule, which creates dynamic IPSec filters for inbound/outbound traffic based on the
port/protocol requested. This will not enable you to implement intrusion detection of the Sales
department traffic.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, pp. 732-735
Question: 223
You are a network administrator for Examsheets. The network consists of a single Active
Directory domain named Examsheets.net.
You install a wireless network. You configure the network to use Wired Equivalent Privacy (WEP).
You install Windows Server 2003 on a server named ExamsheetsSrv3. You install a wireless
network adapter in ExamsheetsSrv3.
The company’s written security policy for implementing wireless devices includes the following
requirements:
• Administrators must be able to identify unauthorized wireless devices that attempt to connect to
the wireless network.
• Administrators must be able to monitor wireless network device status, including radio channels
information and signal strength, for wireless devices.
You need to comply with the security monitoring requirements.
What should you do?
A. Add the Wireless Monitor snap-in to enable logging and to view Wireless Client Information.
B. Configure preferred networks in the wireless network policy for the Default Domain Policy
Group Policy object (GPO).
C. Install and configure Network Monitor on ExamsheetsSrv3 to capture and analyze network
traffic.
D. In the wireless network policy for the Default Domain Policy Group Policy object (GPO), in the
Networks to access list, select Any available network (access point preferred).
Answer: A
Explanation:
Wireless Monitor allows you to view details about access points and wireless clients. You can
use this information to troubleshoot your wireless service. The Wireless Configuration service
logs information in Wireless Monitor that allows you to:
• Identify service configuration changes.
• Check the events logged in the Wireless Configuration service log that are generated from
outside of your network, such as media event notifications, 802.1X events, and timer expiration
events.
• Check how the Wireless Configuration service reacts to external events by following transitions,
as they are reflected in the log.
If you want to enable or disable logging of client information then right-click the Wireless Client
Information node and make the appropriate selection. This should comply with the company
security monitoring requirements.
Incorrect answers:
B: This tab is used mainly to add a new wireless network to the existing one. This is not the same
as monitoring.
C: Network Monitor allows you to capture data, identify the source, and analyze the content and
format of the message. However, the version of Network Monitor that ships with Windows Server
2003 can analyze only traffic addressed to the network interface card (NIC) on the server itself or
that is sent by the server on which it is running. This will not comply with the company’s
monitoring requirements.
D: When you configure new or existing wireless network connections or connect to an available
wireless network, you can choose among several wireless network types, of which Any available
network (access point preferred) is one. In access point preferred wireless networks, a connection
to an access point wireless network is always attempted first, if any are available. If an access
point network is not available, a connection to a computer-to-computer wireless network is
attempted. For example, if you use your laptop at work in an access point wireless network, and
then take your laptop home to use in your computer-to-computer home network, the Wireless
Configuration service will change your wireless network settings as needed so that you can
connect to your home network. This poses a security risk and does not comply with the
company's security monitoring requirements.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 817
End of document