Answers to Review Questions - Seneca

CHAPTER ANSWERS
IMPLEMENTING, MANAGING, AND MAINTAINING A MICROSOFT WINDOWS SERVER 2003 NETWORK INFRASTRUCTURE
TEXTBOOK CHAPTER 1 ANSWERS: IMPLEMENTING DHCP
CHAPTER 1
IMPLEMENTING DHCP
CHAPTER REVIEW QUESTIONS
1. Under what circumstances should network administrators use DHCP?
ANSWER
Network administrators should use DHCP in situations in which manually configuring each host on a network becomes inefficient. As the number of hosts on a network grows, and as the number of configuration options for each host also grows,
so does the need for and benefit of using DHCP.
2. Place the following DHCP message types in the order in which a successful initial IP address assignment procedure uses them.
a. DHCPACK
b. DHCPOFFER
c. DHCPREQUEST
d. DHCPDISCOVER
ANSWER
d, b, c, a. The client broadcasts a DHCPDISCOVER message to find the DHCP
server, the server responds with a DHCPOFFER message, the client accepts the
offer with a DHCPREQUEST message, and the server confirms by sending a
DHCPACK message.
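The four-message exchange in the answer above, worked through as a small model in which a client and one or more servers exchange message objects. This is an added example, not code from the textbook; the server ids, address pools and MAC addresses are constructed values, and the DHCPNAK path is included so the model also covers a request the server cannot honour.

```python
"""Model of the DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK exchange.
Added example, not code from the textbook; the server ids, address pools and
client MAC addresses are constructed values."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    kind: str                        # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK or DHCPNAK
    client_mac: str
    yiaddr: Optional[str] = None     # address being offered / requested / confirmed
    server_id: Optional[str] = None  # server the message comes from, or the one it selects


class DhcpServer:
    def __init__(self, server_id, pool):
        self.server_id = server_id
        self.free = list(pool)       # addresses neither offered nor leased
        self.offered = {}            # client_mac -> address tentatively set aside
        self.leases = {}             # client_mac -> confirmed address

    def handle(self, msg):
        if msg.kind == "DHCPDISCOVER":
            if not self.free:
                return None          # exhausted scope: this server makes no offer
            addr = self.free.pop(0)
            self.offered[msg.client_mac] = addr
            return Message("DHCPOFFER", msg.client_mac, addr, self.server_id)
        if msg.kind == "DHCPREQUEST":
            pending = self.offered.pop(msg.client_mac, None)
            if msg.server_id != self.server_id:
                # the client accepted another server's offer: return ours to the pool
                if pending is not None:
                    self.free.append(pending)
                return None
            if pending == msg.yiaddr:
                self.leases[msg.client_mac] = pending
                return Message("DHCPACK", msg.client_mac, pending, self.server_id)
            return Message("DHCPNAK", msg.client_mac, None, self.server_id)
        return None


class DhcpClient:
    def __init__(self, mac):
        self.mac = mac
        self.address = None
        self.transcript = []         # message kinds in the order sent or received

    def acquire(self, servers):
        """Broadcast DISCOVER, take the first OFFER, broadcast a REQUEST for it, wait for ACK."""
        discover = Message("DHCPDISCOVER", self.mac)
        self.transcript.append(discover.kind)
        offers = [o for o in (s.handle(discover) for s in servers) if o is not None]
        if not offers:
            return None              # nobody answered; a real client retries with back-off
        chosen = offers[0]
        self.transcript.append(chosen.kind)
        request = Message("DHCPREQUEST", self.mac, chosen.yiaddr, chosen.server_id)
        self.transcript.append(request.kind)
        # REQUEST is broadcast too, so every server that offered learns which offer won
        replies = [r for r in (s.handle(request) for s in servers) if r is not None]
        ack = next((r for r in replies if r.kind == "DHCPACK"), None)
        if ack is not None:
            self.transcript.append(ack.kind)
            self.address = ack.yiaddr
        return self.address


def demo():
    """One client against two servers: message order, address obtained, and the
    losing server's pool after it takes its offer back."""
    srv_a = DhcpServer("192.168.0.1", ["192.168.0.11", "192.168.0.12"])
    srv_b = DhcpServer("192.168.0.2", ["192.168.0.51"])
    client = DhcpClient("00-0C-29-A1-B2-01")
    client.acquire([srv_a, srv_b])
    return client.transcript, client.address, srv_b.free
```

Calling `demo()` shows the d, b, c, a order from the answer and that a server whose offer was not selected returns the address to its pool.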
3. How does a DHCP client respond when its attempt to renew its IP
address lease fails and the lease expires?
ANSWER
The IP address is released and the client begins the process of acquiring a new
lease.
4. You have configured a scope with an address range of 192.168.0.11
through 192.168.0.254. However, your DNS server on the same subnet
has already been assigned a static address of 192.168.0.200. With the least
administrative effort, how can you allow for compatibility between the
DNS server’s address and DHCP service on the subnet?
ANSWER
By configuring an exclusion for the address 192.168.0.200, you can most easily
allow for compatibility between the DNS server and the currently configured DHCP
scope.
5. Within your only subnet, you want 10 specific DHCP clients (out of 150
total on the network) to use a test DNS server that is not assigned to any
other computers through DHCP. How can you best achieve this objective?
ANSWER
The best way to achieve this objective is to create a new user class, configure a
006 DNS Servers option for the class that specifies the IP address of the test
DNS server, and then set the class of the 10 DHCP clients by running the Ipconfig
/setclassid command.
CHAPTER CASE SCENARIOS
Case Scenario 1-1: Obtaining an IP Address
Last month, a server was configured for DHCP and was functioning normally. Five
days ago, a test server on the same network segment was promoted to be the first
domain controller on the network. Today several users on the same subnet as the
original DHCP server have complained that they are unable to obtain an IP address
using DHCP. What is the most likely reason users are unable to obtain an IP
address?
a. The user’s IP address leases have expired.
b. A DHCP relay agent is missing or incorrectly configured.
c. There are duplicate IP addresses on the network.
d. The DHCP server must be authorized and is not.
ANSWER
d. Because Active Directory was introduced onto the network, the DHCP servers
must now be authorized. Expired IP address leases trigger the acquisition of a new
address and do not, by themselves, prevent a computer from obtaining a new
address. A missing DHCP relay agent would cause clients on remote subnets not
to obtain new addresses; however, the clients that have complained about not
receiving an address are not using a DHCP relay agent. Although a duplicate IP
address would prevent network communication, it does not prevent a computer
from obtaining a new IP address from the DHCP server.
Case Scenario 1-2: Maximizing Lease Availability
You are configuring DHCP scope options for Contoso, Ltd. The company has a limited number of IP addresses available for clients, and it wants to configure DHCP
to maximize lease availability. Choose all of the following actions that will accomplish this objective:
a. Set long lease durations for IP addresses.
b. Set short lease durations for IP addresses.
c. Configure a DHCP option to automatically release an IP address when the
computer shuts down.
d. Create DHCP reservations for all portable computers.
ANSWER
b, c. A is incorrect because setting long lease durations means that clients that
no longer need leases may still hold them. IP addresses not in use will not be
reclaimed unless the computer is configured to release the IP address lease at
shutdown, manually releases the lease, or the lease period expires. A long lease
period will ultimately result in fewer available addresses. B is correct because setting short lease durations enables faster recovery of IP addresses and results in
a greater number of available addresses. C is correct because configuring a client
to release an address on shutdown results in more available IP addresses. D is
incorrect because creating DHCP reservations does not increase the available
addresses, but in fact will decrease them.
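A scope model that ties together questions 4 and 5 and Case Scenario 1-2: an exclusion for the statically addressed DNS server, a reservation, lease expiry, and a client that releases its lease at shutdown, with the effect of each measured as the number of addresses still available. This is an added example and not the textbook's code; the address range matches question 4, while the lease durations, client names and timings are constructed.

```python
"""Toy DHCP scope: exclusions, reservations, lease duration and release at
shutdown, and how each changes the count of available addresses.
Added example (not the textbook's); lease times and client names are constructed."""
import ipaddress


class Scope:
    def __init__(self, start, end, lease_seconds):
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.lease_seconds = lease_seconds
        self.excluded = set()        # never handed out (e.g. a static DNS server)
        self.reservations = {}       # mac -> address always given to that client
        self.leases = {}             # address -> (mac, expiry time)

    def exclude(self, address):
        self.excluded.add(address)

    def reserve(self, mac, address):
        self.reservations[mac] = address

    def _expire(self, now):
        # an expired lease returns its address to the pool
        for addr, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[addr]

    def available(self, now):
        self._expire(now)
        taken = self.excluded | set(self.leases) | set(self.reservations.values())
        return [a for a in self.pool if a not in taken]

    def lease(self, mac, now):
        self._expire(now)
        if mac in self.reservations:
            addr = self.reservations[mac]
        else:
            free = self.available(now)
            if not free:
                return None          # scope exhausted
            addr = free[0]
        self.leases[addr] = (mac, now + self.lease_seconds)
        return addr

    def release(self, mac):
        """What a client does at shutdown when configured to release its lease."""
        for addr, (holder, _) in list(self.leases.items()):
            if holder == mac:
                del self.leases[addr]


def free_after_shutdowns(lease_seconds, release_on_shutdown):
    """Five clients lease at t=0 and two shut down at t=600; how many addresses
    are free at t=1800 for a given lease length and shutdown behaviour?"""
    scope = Scope("192.168.0.11", "192.168.0.254", lease_seconds)
    scope.exclude("192.168.0.200")   # the statically addressed DNS server from question 4
    for n in range(5):
        scope.lease(f"client-{n}", 0)
    if release_on_shutdown:
        scope.release("client-0")
        scope.release("client-1")
    return len(scope.available(1800))
```

`free_after_shutdowns(3600, False)` leaves the two idle addresses held until the long lease expires, `free_after_shutdowns(3600, True)` reclaims them immediately, and `free_after_shutdowns(900, False)` reclaims all five through expiry alone, which is the reasoning behind answers b and c.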
TEXTBOOK CHAPTER 2 ANSWERS: MANAGING AND MONITORING DHCP
CHAPTER 2
MANAGING AND MONITORING DHCP
CHAPTER REVIEW QUESTIONS
1. You have a Windows NT 4 client for which you want to enable dynamic
updates. You want the DHCP server to automatically update both the
A record and PTR record. Which action will accomplish this?
a. Take no action. Updating of the A record and PTR record happens
automatically by default.
b. In the DNS tab of the DHCP server properties dialog box, select
Dynamically Update DNS A And PTR Records For DHCP Clients That
Do Not Request Updates.
c. In the DNS tab of the DHCP server properties dialog box, select
Always Dynamically Update DNS A And PTR Records.
d. Register the client as a dynamic host with the DHCP server.
ANSWER
b. Because pre–Windows 2000 clients can neither directly update their records
nor request the DHCP server to update their records, you must select Update
DNS A And PTR Records For DHCP Clients That Do Not Request Updates.
2. You have not modified the default settings for DNS on the DHCP client
or server. Which of the following client record or records will the DHCP
server update in DNS? (Assume the clients are running Windows XP.)
a. The PTR resource record
b. The A resource record
c. Both the PTR and A resource records
d. Neither the PTR nor the A resource record
ANSWER
a. By default, the DHCP server updates only the PTR record for DHCP clients
running Windows 2000 and later. You can configure the DHCP server to update
Windows 2000 and later clients, as well as pre–Windows 2000 DHCP clients.
3. For a zone in which only secure dynamic updates are allowed, you have
configured your DHCP server to perform dynamic updates on behalf of
Windows NT 4 clients. Other dynamic DNS settings on the DHCP server
have the default settings. After you migrate the clients to Windows XP,
you find that their A resource records are no longer being updated. What
is the most likely explanation for this problem?
ANSWER
The DHCP server is not a member of the DnsUpdateProxy security group.
4. True or False: If a DNS zone accepts only secure dynamic updates and
the DHCP server is a member of the DnsUpdateProxy security group, the
resource records created by the Netlogon service for the domain controller
lack security? Explain your answer.
ANSWER
True. Being a member of the DnsUpdateProxy security group enables servers to
update records without taking ownership of records and without requiring credentials for update. Although this enables multiple entities to update the same
record, it also poses a security risk.
5. Automatic and manual backups of the DHCP database are successfully
performed. You want to restore the following: all of the scopes, reservations, leases, options, and security credentials. What should you do?
a. Restore from the automatic backup.
b. Restore from the manual backup.
c. Restore from an offline backup.
d. Restore from the automatic or manual backup, and reconfigure
security credentials manually.
ANSWER
d. Regardless of how you back up and restore a DHCP database, you must reconfigure security credentials manually.
6. You just completed a restoration of the DHCP database. You start the
DHCP console to verify a successful restoration. You notice the scope and
options are displayed, but active leases are not. What should you do to
repopulate the active leases?
a. The restoration failed. Perform the restoration again.
b. The restoration failed because the backup was corrupt. Locate a
valid backup and use it to restore the DHCP database.
c. Using the DHCP console, perform reconciliation.
d. Delete the Tmp.mdb file, and restart the DHCP service.
ANSWER
c. Because the scope and options are displayed, it is unlikely that the restoration
failed or that the backup was corrupt. Performing reconciliation will repopulate the
active lease information from the registry into the DHCP database. Deleting the
Tmp.mdb file has no effect on restoring the active leases.
7. You are monitoring a DHCP server and you want to save the audit log
that was created last Tuesday. Today is Monday. What should you do?
a. Do nothing; the DHCP server automatically saves the log after
writing to it.
b. Remove the log file from the directory.
c. Change the location of the log files.
d. On Wednesday, stop and start the DHCP Server service.
ANSWER
b. To prevent the log file from being overwritten, remove it from the designated log
file directory. Although it is true that the DHCP server saves the file after writing
to it, if you do nothing, it will overwrite the file by default. Changing the location of
the log files will prevent you from overwriting the file, but changing the location
each time you want to prevent a file from being overwritten is not efficient. You can
prevent overwriting of the file by starting and stopping the DHCP Server service.
8. You want to determine how many IP addresses are available for lease
across all scopes. What tool should you use for this?
a. System Event Log
b. DHCP scope statistics
c. DHCP server statistics
d. DHCP audit log
ANSWER
c. Only the DHCP server statistics window shows you the addresses available
across different scopes.
CHAPTER CASE SCENARIOS
Case Scenario 2-1: Monitoring DHCP Requests
You have been monitoring DHCP server activity by using System Monitor. You
have been viewing the Discovers/sec counter. You observe a sudden increase in
the number of DHCP requests. Which of the following statements could explain
the sudden increase?
a. A large number of clients are initializing simultaneously and attempting to
locate a DHCP server.
b. A large number of clients are shutting down simultaneously and releasing
their IP address leases.
c. Scope leases are too short, forcing an increase in DHCPNACK messages.
d. Two new DHCP servers have been initialized on the network and are
querying the directory service for the enterprise root.
ANSWER
a. Clients send these messages when they log on to the network and obtain a new
address lease. When clients shut down, they do not send DHCPDISCOVER messages.
If the scope lease is too short, leases expire quickly. In this scenario, clients send
DHCPREQUEST messages, not DHCPNACK messages. When a DHCP server queries
the directory service, it sends DHCPINFORM messages, not DHCPDISCOVER
messages.
Case Scenario 2-2: Monitoring DHCP Network Traffic
Recently, users have complained that the network is slow at different periods
throughout the week. You suspect heavy DHCP traffic is a contributing cause.
When DHCP traffic is heavier than normal, you want notification of it. How can
you accomplish this?
ANSWER
To determine what is normal, you must first create a performance baseline for
comparison to current conditions. After you have created a performance baseline,
determine a threshold for notification (for example, a 50 percent to 100 percent
increase in traffic), and then set an alert to notify you.
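The baseline-and-threshold idea above, and the DHCP audit log from question 7, worked through as a small log scan: new-lease events are counted per minute and any minute that exceeds the baseline by the chosen percentage is reported, along with any scope-exhaustion events. This is an added example, not the textbook's code. The log lines are constructed in the comma-separated layout of the DHCP audit log (ID, date, time, description, IP address, host name, MAC address); event IDs 10, 11, 12 and 14 are used with the meanings the audit log header documents (new lease, renewal, release, lease request not satisfied), and the baseline value is an assumed figure standing in for one you would measure.

```python
"""Count new-lease events per minute in constructed DHCP audit-log lines and
flag minutes that exceed a baseline.  Added example, not the textbook's code;
the log lines and the baseline are constructed."""
from collections import Counter

# Event IDs as documented in the DHCP audit log header.
NEW_LEASE, RENEWAL, RELEASE, EXHAUSTED = "10", "11", "12", "14"

# Constructed sample: a quiet period, then a burst of new leases at 08:30
# followed by the scope running out.
SAMPLE_LOG = """\
10,05/20/04,08:00:12,Assign,192.168.0.11,ws01.contoso.com,000C29A1B201,
11,05/20/04,08:01:40,Renew,192.168.0.12,ws02.contoso.com,000C29A1B202,
10,05/20/04,08:03:05,Assign,192.168.0.13,ws03.contoso.com,000C29A1B203,
10,05/20/04,08:30:01,Assign,192.168.0.14,ws04.contoso.com,000C29A1B204,
10,05/20/04,08:30:02,Assign,192.168.0.15,ws05.contoso.com,000C29A1B205,
10,05/20/04,08:30:02,Assign,192.168.0.16,ws06.contoso.com,000C29A1B206,
10,05/20/04,08:30:03,Assign,192.168.0.17,ws07.contoso.com,000C29A1B207,
14,05/20/04,08:30:04,Scope Full,,,,
12,05/20/04,08:45:00,Release,192.168.0.11,ws01.contoso.com,000C29A1B201,
"""


def parse(text):
    """Turn audit-log lines into dicts; header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 7 or not parts[0].isdigit():
            continue
        events.append({"id": parts[0], "date": parts[1], "time": parts[2],
                       "desc": parts[3], "ip": parts[4], "host": parts[5],
                       "mac": parts[6]})
    return events


def new_leases_per_minute(events):
    counts = Counter()
    for e in events:
        if e["id"] == NEW_LEASE:
            counts[e["time"][:5]] += 1   # HH:MM bucket
    return counts


def find_bursts(events, baseline_per_minute, increase=1.0):
    """Minutes whose new-lease count is more than `increase` (100% by default)
    above the measured baseline."""
    threshold = baseline_per_minute * (1 + increase)
    return sorted(m for m, n in new_leases_per_minute(events).items() if n > threshold)


def exhaustion_events(events):
    """Times at which the server could not satisfy a lease request."""
    return [e["time"] for e in events if e["id"] == EXHAUSTED]
```

With an assumed baseline of one new lease per minute, `find_bursts(parse(SAMPLE_LOG), 1.0)` reports the 08:30 minute; the same threshold logic applies to a System Monitor alert on Discovers/sec once the baseline has been measured.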
TEXTBOOK CHAPTER 3 ANSWERS: IMPLEMENTING NAME RESOLUTION USING DNS
CHAPTER 3
IMPLEMENTING NAME RESOLUTION USING DNS
CHAPTER REVIEW QUESTIONS
1. Describe the process by which secondary servers determine whether a
zone transfer should be initiated.
ANSWER
The secondary server conducts an SOA query, in which the serial number value in
the primary zone’s SOA resource record is compared to the serial number value
in the secondary server’s own version of the zone database. If the secondary
server determines that the master zone has a higher serial number, a transfer
is initiated.
2. What is the difference between an IXFR query and an AXFR query?
ANSWER
IXFR queries initiate an incremental zone transfer. In these transfers, only the
updated information is transferred across the network. AXFR queries initiate an
all-zone transfer. In these transfers, the complete zone database is transferred
across the network.
3. You discover that an administrator has adjusted the default TTL value for
your company’s primary DNS zone to 5 minutes. Which of the following
is the most likely effect of this change?
a. Primary servers initiate a zone transfer every 5 minutes.
b. DNS clients have to query the server more frequently to resolve
names for which the server is authoritative.
c. Secondary servers initiate a zone transfer every 5 minutes.
d. DNS hosts reregister their records more frequently.
ANSWER
d. Smaller TTL values help ensure that information about the domain is more consistent across the DNS databases, especially in environments in which the data
changes frequently, but because records expire more quickly, clients must query
the server more frequently. This also increases the load on the name servers that
contain the name, and it also increases Internet traffic.
Answer a is not correct because the TTL does not dictate the frequency of
zone transfers. Answer b is not correct because the TTL does not dictate the
frequency of zone transfers. Answer c is not correct because changing the TTL
has no impact on how frequently DNS hosts register their records.
4. Relative to file-backed zones, storing DNS zones in Active Directory
results in which of the following?
a. Less frequent transfer of information
b. Increased need for administration
c. Less saturation of network bandwidth
d. Ability to perform secure dynamic updates
ANSWER
a. Using Active Directory–integrated zones, or storing zones in Active Directory,
means less administration and more efficient replication, which results in lower
bandwidth utilization and access control to records resulting in secure dynamic
updates.
Answer b is not correct because storing zones in Active Directory requires less
need for administration. Answer c is not correct because storing zones in Active
Directory enables transfers to take advantage of the more efficient replication
process provided by Active Directory. Answer d is not correct because Active
Directory provides the capability for secure dynamic updates.
5. You want to consolidate DNS traffic between your network and the Internet.
How could you use a forwarder to accomplish this?
ANSWER
One possible answer is to configure the firewall used by your network to allow
only one DNS server to communicate with the Internet. Configure the other DNS
servers to forward queries they cannot resolve locally to the Internet-facing DNS
server. The Internet-facing DNS server acts as a forwarder to the other servers.
6. What are some reasons a source server might respond with an AXFR to an
IXFR request?
ANSWER
The primary server for a zone is not required to perform an incremental zone
transfer. It can choose to perform a full zone transfer if the primary DNS server
does not support incremental zone transfers, if the primary DNS server does not
have all the necessary data for performing an incremental zone transfer, or if an
incremental zone transfer would consume more network bandwidth than a full
zone transfer.
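Questions 1, 2 and 6 together describe one procedure: the secondary compares serial numbers, asks for an incremental transfer, and the primary decides whether to answer with IXFR or fall back to AXFR. The model below carries that through end to end. It is an added example, not code from the textbook; the zone contents, serial numbers and change history are constructed, and the serial comparison uses the wrap-around arithmetic of RFC 1982 so that a serial that has rolled past 2^32 is still recognised as newer.

```python
"""Secondary-server refresh check and the primary's IXFR/AXFR decision.
Added example, not the textbook's code; zone data and serials are constructed."""

SERIAL_SPACE = 1 << 32


def serial_newer(candidate, current):
    """RFC 1982 serial comparison: True when `candidate` is ahead of `current`,
    even across the 32-bit wrap-around."""
    diff = (candidate - current) % SERIAL_SPACE
    return 0 < diff < (SERIAL_SPACE >> 1)


class Primary:
    def __init__(self, serial, records, history=None, allow_ixfr=True):
        self.serial = serial
        self.records = dict(records)          # name -> rdata
        # history: from_serial -> (list of ("add"|"delete", name, rdata), to_serial)
        self.history = dict(history or {})
        self.allow_ixfr = allow_ixfr          # False models a server without IXFR support

    def soa_serial(self):
        return self.serial                    # answer to the secondary's SOA query

    def _changes_since(self, from_serial):
        # Walk the history chain; None if a step is missing (data not retained).
        ops, s = [], from_serial
        while s != self.serial:
            if s not in self.history:
                return None
            step_ops, s = self.history[s]
            ops.extend(step_ops)
        return ops

    def transfer(self, request, from_serial=None):
        """Answer IXFR when supported, history is complete and the delta is
        smaller than the whole zone; otherwise answer with a full AXFR."""
        if request == "IXFR" and self.allow_ixfr:
            ops = self._changes_since(from_serial)
            if ops is not None and len(ops) < len(self.records):
                return "IXFR", ops
        return "AXFR", list(self.records.items())


class Secondary:
    def __init__(self, serial, records):
        self.serial = serial
        self.records = dict(records)

    def refresh(self, primary):
        """SOA query first; transfer only when the primary's serial is higher."""
        if not serial_newer(primary.soa_serial(), self.serial):
            return "no transfer"
        kind, payload = primary.transfer("IXFR", self.serial)
        if kind == "AXFR":
            self.records = dict(payload)
        else:
            for op, name, rdata in payload:
                if op == "add":
                    self.records[name] = rdata
                else:
                    self.records.pop(name, None)
        self.serial = primary.soa_serial()
        return kind
```

A secondary one serial behind receives the single change as IXFR; one that is several serials behind, past the history the primary kept, receives the whole zone as AXFR, as does any secondary when the primary is configured without IXFR or when the delta is no smaller than the zone itself.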
7. True or False: A primary server always initiates a zone transfer?
ANSWER
False. A secondary server always initiates a zone transfer.
CHAPTER CASE SCENARIOS
Case Scenario 3-1: Minimizing DNS Traffic and Administration
Contoso, Ltd., has a branch office connected to corporate headquarters with a slow
WAN link. The company wants to minimize the amount of traffic generated by the
local DNS server on this link and minimize DNS administration in the branch office.
How would you configure the DNS server to meet these requirements?
a. Disable round-robin and netmask ordering.
b. Reduce the refresh interval in the SOA resource record for the primary zone.
c. Do not configure any forward or reverse zones, but configure the server
to use a forwarder.
d. Configure the forward lookup zone with a WINS lookup record, and
decrease the cache time-out value.
ANSWER
c. This will make the server a caching-only server, which will eliminate zone transfer
network traffic. Answer a is incorrect because disabling round-robin and netmask ordering changes how addresses are returned to clients, but does nothing
to lower administration or use of bandwidth. Answer b is incorrect because
reducing the refresh interval will likely consume more, not less, bandwidth. Answer
d is incorrect because the DNS server will still create network traffic to use WINS
records. Decreasing the cache time-out value increases the number of lookups and
consequently the amount of network traffic.
Case Scenario 3-2: Troubleshooting Access to External Resources
You are the network administrator for Contoso, Ltd. Users are complaining that
they cannot access resources external to the local network. You eliminate connectivity issues to the DNS server and narrow the problem to name resolution. Using
Ping.exe, you are able to successfully resolve local hosts but cannot resolve names
external to the local network. Which of the following is the most likely cause of
this issue? Choose the correct answer.
a. The local DNS server is not authoritative for the Internet DNS domains.
b. Iterative queries are disabled on the DNS servers.
c. Recursive queries are disabled on the DNS servers.
d. DNS root hints are missing or incorrectly configured.
ANSWER
d. Root hints are DNS resource records stored on a DNS server that list the IP
addresses for the DNS root servers on the Internet. If the DNS root hints are
missing or incorrectly configured, the DNS server will not be able to forward
requests for the queried Internet domain.
Answer a is incorrect. The local DNS server is authoritative for only the organization’s DNS domain. Internet DNS servers are authoritative for all first-level DNS
domains. Answer b is incorrect because you cannot disable iterative queries on the
DNS server. Answer c is incorrect. If recursive queries are disabled on the DNS
server, the DNS server would send DNS referrals back to the client. The client
would still be able to connect to Internet resources.
TEXTBOOK CHAPTER 4 ANSWERS: MANAGING AND MONITORING DNS
CHAPTER 4
MANAGING AND MONITORING DNS
CHAPTER REVIEW QUESTIONS
1. What is the function of round robin in DNS?
ANSWER
Round robin rotates the order of matching resource records in the response list
returned to DNS clients. Each successive DNS client that queries for a multihomed name gets a different resource record at the top of the list.
2. Which feature takes priority—round robin or netmask ordering?
ANSWER
Round robin is secondary to subnet prioritization. When the Enable Netmask
Ordering check box is also selected, round robin is used as a secondary means to
order returned resource records for multihomed computers.
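The ordering described in questions 1 and 2, worked through for a name with three A records: the record in the client's subnet is moved to the top first, and round robin only rotates the order within what netmask ordering leaves. This is an added example and not the textbook's code; the addresses are constructed, and the model assumes that netmask ordering matches on a /24 prefix, which is a parameter here rather than a statement about the server's default.

```python
"""Netmask ordering followed by round robin for a multihomed name.
Added example, not the textbook's; the addresses are constructed and the
/24 subnet match is an assumed parameter."""
import ipaddress


class MultihomedAnswer:
    def __init__(self, addresses, prefix=24):
        self.addresses = [ipaddress.IPv4Address(a) for a in addresses]
        self.prefix = prefix          # assumed width of the "same subnet" match
        self.rotation = 0             # how many responses have been served so far

    def respond(self, client_ip, netmask_ordering=True, round_robin=True):
        """Order the A records for one response to `client_ip`."""
        addrs = list(self.addresses)
        if round_robin:
            # rotate the whole list one step per response
            k = self.rotation % len(addrs)
            addrs = addrs[k:] + addrs[:k]
            self.rotation += 1
        if netmask_ordering:
            net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
            # stable sort: same-subnet records first, rotation preserved within each group
            addrs.sort(key=lambda a: a not in net)
        return [str(a) for a in addrs]


def responses(answer, client_ip, n, **kwargs):
    """The first n responses a client would see, in order."""
    return [answer.respond(client_ip, **kwargs) for _ in range(n)]
```

With both features on, the client at 10.1.2.77 always sees 10.1.2.5 first while the remaining records keep rotating; with netmask ordering off, plain round robin moves every record through the top position in turn.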
3. Which of the following are valid reasons to monitor the TTL settings on
your DNS servers? Choose all that apply.
a. Query traffic increases as DNS clients request information that has
expired from their cache.
b. DNS clients may be caching outdated records.
c. DNS clients may not be able to resolve host names.
d. Query traffic decreases as DNS clients request information that has
expired from their cache.
ANSWER
a and b. Answer c is incorrect because TTL has no effect on whether clients are
able to resolve host names. Answer d is incorrect because traffic increases, not
decreases.
4. What type of test query can be run from the Monitoring tab of the DNS
server properties page?
a. Recursive query
b. Simple query
c. Verbose query
d. Interval query
ANSWER
a and b.
5. Which of the following approaches provides the best early warning of a
DNS service failure?
a. Create an alert based on the standard performance counters, and set
the threshold to notify you if the counters exceed 95 percent of the
recommended threshold.
b. Create an alert based on the counters that you decide are appropriate
indicators of a failure, and set the threshold to notify you when it is
10 percent below the baseline.
c. Create an alert based on the standard counters, and set the threshold
to notify you if the counters exceed 75 percent of the recommended
threshold.
d. Create an alert based on the counters that you decide are appropriate
indicators of a failure, and set the threshold to notify you when it
is 10 percent above the baseline.
ANSWER
d. Answers a and c are incorrect because standard counters should be customized
for your organization’s specific conditions. Answer b is incorrect because when
the threshold is at or slightly below the baseline, conditions are normal, not
problematic.
6. You are a systems administrator for Contoso, Ltd. Contoso is planning its DNS
zones, and you have been asked to recommend the best way to configure
the zones on the company’s Microsoft Windows Server 2003 computers.
You recommend using Active Directory–integrated zones. Why do you
recommend this configuration?
Choose all answers that apply.
a. DNS data is replicated with Active Directory.
b. You can configure secure dynamic updates.
c. The DNS load will be shared because the other domain controllers
will become secondary DNS servers.
d. You can configure a replication scope.
ANSWER
a, b, and d. However, the additional DNS servers will not become secondary DNS
servers but masters that can both read and write DNS data.
7. You are the administrator for Contoso, Ltd., and have updated the IP
address for a host by using the DNS console. Assuming it exists, which of
the following types of resource records is associated with the host record
and must also be updated?
a. A resource record
b. MX resource record
c. NS resource record
d. PTR resource record
e. SOA resource record
f. SRV resource record
ANSWER
d. A PTR record is associated with an address (A) resource record. It maps an IP
address to a host name. If the associated host name changes, so must the PTR
record. Answer a is incorrect because it is the record being updated. Answer b is
incorrect because a mail exchanger (MX) record specifies a mail server for the
domain and it may not be required to change if an A resource record changes.
Answer c is incorrect because an NS record specifies the server responsible for
the zone. Answer e is incorrect because it specifies the start of authority and is
not impacted by a change in a host record. Answer f is incorrect because an SRV
record specifies a server providing a specific service and is not necessarily associated with a host record.
8. A client computer on the internal network of Contoso, Ltd., is unable to
connect to a file server. You verify the file server is running and are able
to connect to it using another client computer on the same subnet. You
suspect the client computer that cannot connect has outdated information
in its local cache. Which of the following actions would fix the issue?
a. At the client computer, run the Ipconfig /flushdns command.
b. At the file server, run the Ipconfig /flushdns command.
c. At the file server, run Nslookup.
d. At the file server, stop and start the DNS Client service.
ANSWER
a. Running the Ipconfig /flushdns command clears the client cache.
Answer b is incorrect because although running Ipconfig /flushdns clears the cache
on the file server, it does not solve the problem on the client. Answer c is incorrect
because running Nslookup on the server does not remove the outdated information
on the client. Answer d is incorrect because stopping and starting the DNS Client
service on the server does not remove outdated information on the client.
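Question 8 and question 3 (together with Chapter 3, question 3) are both about the client-side cache: a record is answered from the cache until its TTL runs out, so a shorter TTL sends the client back to the server more often, and a stale entry persists until it expires or the cache is flushed. The model below shows both effects. It is an added example, not the textbook's code; the host name, addresses, TTL values and query interval are constructed.

```python
"""Stub-resolver cache with TTL expiry and a flush.  Added example, not the
textbook's code; names, addresses and timings are constructed."""


class AuthoritativeServer:
    def __init__(self, records):
        self.records = dict(records)      # name -> (address, ttl)
        self.queries = 0                  # how often clients had to come back

    def query(self, name):
        self.queries += 1
        return self.records.get(name)

    def update(self, name, address, ttl):
        self.records[name] = (address, ttl)


class ClientCache:
    def __init__(self, server):
        self.server = server
        self.cache = {}                   # name -> (address, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                 # served from cache, possibly stale
        rr = self.server.query(name)
        if rr is None:
            return None
        address, ttl = rr
        self.cache[name] = (address, now + ttl)
        return address

    def flush(self):
        """What ipconfig /flushdns does: discard every cached answer."""
        self.cache.clear()


def queries_over(ttl, seconds, interval=60):
    """Server queries generated by a client that resolves the same name every
    `interval` seconds for `seconds`, with the record published at `ttl`."""
    srv = AuthoritativeServer({"fs1.contoso.com": ("192.168.0.20", ttl)})
    client = ClientCache(srv)
    for t in range(0, seconds, interval):
        client.resolve("fs1.contoso.com", t)
    return srv.queries


def stale_until_flushed():
    """The file-server scenario: the address changes on the server, the client
    keeps answering from cache until it is flushed."""
    srv = AuthoritativeServer({"fs1.contoso.com": ("192.168.0.20", 3600)})
    client = ClientCache(srv)
    before = client.resolve("fs1.contoso.com", 0)
    srv.update("fs1.contoso.com", "192.168.0.21", 3600)
    cached = client.resolve("fs1.contoso.com", 10)
    client.flush()
    after = client.resolve("fs1.contoso.com", 10)
    return before, cached, after
```

Over an hour of one lookup per minute, a 3600-second TTL costs the server one query and a 300-second TTL costs twelve; `stale_until_flushed()` returns the old address from cache after the server has changed it and the new one only after the flush.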
CHAPTER CASE SCENARIOS
Case Scenario 4-1: Enabling Network Users to Connect
to Internet Host Names
You are the network administrator for Contoso, Ltd. The Contoso network consists
of a single domain, contoso.com, which is protected from the Internet by a firewall. The firewall runs on a computer named NS1 that is directly connected to the
Internet. NS1 also runs the DNS Server service, and its firewall allows DNS traffic
to pass between the Internet and the DNS Server service on NS1 but not between
the Internet and the internal network. The DNS Server service on NS1 is configured
to use round robin. Behind the firewall, two computers are running Windows
Server 2003—NS2 and NS3, which host a primary and secondary DNS server,
respectively, for the contoso.com zone.
Users on the company network report that, although they use host names to connect to computers on the local private network, they cannot use host names to
connect to Internet destinations, such as www.microsoft.com.
Which of the following actions requires the least amount of administrative effort to
enable network users to connect to Internet host names?
a. Disable recursion on NS2 and NS3.
b. Enable netmask ordering on NS1.
c. Configure NS2 and NS3 to use NS1 as a forwarder.
d. Disable round robin on NS1.
ANSWER
c. Disabling recursion will force NS2 and NS3 to use iterative queries, but will not enable
them to resolve external names. Enabling netmask ordering will provide results in the
most efficient order for clients, but does not enable internal clients to resolve external
addresses. Configuring NS2 and NS3 to use NS1 as a forwarder will result in successful
name resolution for internal clients. Disabling round robin will prevent any possible load
balancing, but does not enable internal clients to resolve external host names.
Case Scenario 4-2: Implementing DNS Updates
You are the system administrator for Contoso, Ltd. The company has grown
rapidly over the past year, and currently Contoso is using only a single DNS zone.
Recently, the Marketing department has made several requests for DNS changes
that were delayed. Users would like the ability to make their own DNS updates.
What should you do to try to address this problem?
a. Create a secondary server in the Marketing department so that users
can manage their own zone.
b. Delegate the marketing domain to a DNS server in the Marketing
department.
c. Place a domain controller running DNS in the Marketing department so
that people in the department can make changes.
d. Upgrade the network infrastructure to improve network performance.
ANSWER
b. The marketing domain would reside on a computer in the Marketing department
where marketing personnel could administer the zone themselves and make changes
as necessary.
TEXTBOOK CHAPTER 5 ANSWERS: NETWORK SECURITY
CHAPTER 5
NETWORK SECURITY
CHAPTER EXERCISE
Exercise 5-5: Using the Security Configuration
And Analysis Snap-In
Analyzing System Security
7. In the details pane, review the policies that were analyzed. They display
the result of a comparison between actual settings and the database
setting.
QUESTION List some of the configuration settings that are the same in the
database and on the computer.
ANSWER
Any setting that is labeled with a green check mark is the same in the database
as it is on the computer.
QUESTION List some of the configuration settings that are different in the
database than on the computer.
ANSWER
Any setting that is labeled with a red X or exclamation point. Policies labeled with a
red X do not match. Policies labeled with an exclamation point exist in the database, but not on the computer.
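The comparison the snap-in performs, worked through in code: the security template is the analysis database, a snapshot of the computer's settings is the other side, and each policy is classified as matching, not matching, or defined in the database but absent on the computer. This is an added example, not the textbook's or the snap-in's code; the template text is a constructed, simplified fragment in the INI-style layout of a security template (real templates also carry `[Unicode]` and `[Version]` sections), and the computer snapshot is constructed.

```python
"""Classify each template setting against the settings in effect on a
computer, the way the Security Configuration And Analysis snap-in labels them.
Added example, not the textbook's code; template and snapshot are constructed."""
import configparser

MATCH = "same as database (green check)"
MISMATCH = "differs from database (red X)"
NOT_ON_COMPUTER = "in database but not on computer (!)"

# Constructed, simplified security template fragment.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5

[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"""

# Constructed snapshot of what is actually in effect on the computer.
COMPUTER_SETTINGS = {
    ("System Access", "MinimumPasswordLength"): "6",
    ("System Access", "PasswordComplexity"): "1",
    ("Event Audit", "AuditLogonEvents"): "3",
}


def load_template(text):
    """Parse the template into {(section, setting): value}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str              # keep the template's capitalisation of setting names
    cp.read_string(text)
    return {(section, key): value for section in cp.sections()
            for key, value in cp[section].items()}


def analyze(database, computer):
    """Compare every database setting with the computer and label the result."""
    report = {}
    for setting, expected in database.items():
        if setting not in computer:
            report[setting] = NOT_ON_COMPUTER
        elif computer[setting] == expected:
            report[setting] = MATCH
        else:
            report[setting] = MISMATCH
    return report


def findings(report):
    """Settings an administrator should look at: anything that is not a match."""
    return sorted(setting for setting, label in report.items() if label != MATCH)
```

Running `analyze(load_template(SAMPLE_TEMPLATE), COMPUTER_SETTINGS)` labels the password length as a mismatch, the complexity and logon-audit settings as matches, and the two settings missing from the snapshot as present only in the database.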
CHAPTER REVIEW QUESTIONS
1. Which of the following are user rights?
a. Allow log on locally
b. Access a share with full control
c. Open a database file
d. Back up files and directories
ANSWER
a and d. Answers b and c are incorrect because they are permissions.
2. An administrator temporarily grants a user rights to log on locally to a
domain controller by applying a policy to the domain GPO. The administrator does not add the user to other groups. When the user attempts
to log on, Windows Server 2003 displays the following error: “User does
not have the right to log on interactively.” What is the most likely cause
of the problem?
ANSWER
The administrator applied the policy to the domain GPO. By default, the policy
setting at the domain controller’s OU does not allow users to log on locally to the
domain controller, and it overrides the domain-level policy settings.
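The precedence rule in this answer, worked through as a small resolver: GPOs are applied in site, domain, OU order, a GPO linked closer to the computer overrides one linked higher up for any setting both define, and only an enforced link higher up can prevent that. This is an added example, not the textbook's code; the GPO names follow the default policy names, but the group lists assigned to the right are constructed and do not reproduce the actual default memberships.

```python
"""Effective value of a policy setting across linked GPOs: later links win
unless an earlier link is enforced.  Added example, not the textbook's code;
group lists are constructed."""
from dataclasses import dataclass


@dataclass
class Gpo:
    name: str
    settings: dict                  # setting -> value, only for settings this GPO defines
    enforced: bool = False          # an enforced link cannot be overridden below it


def effective_settings(chain):
    """`chain` lists GPOs in application order (site, domain, OU, child OU).
    Returns {setting: (value, name of the GPO that supplied it)}."""
    result = {}
    locked = set()                  # settings fixed by an enforced GPO higher up
    for gpo in chain:
        for setting, value in gpo.settings.items():
            if setting in locked:
                continue
            result[setting] = (value, gpo.name)
            if gpo.enforced:
                locked.add(setting)
    return result


def can_log_on_locally(chain, user_groups):
    """Does a user holding `user_groups` have the right under the effective policy?"""
    value, _ = effective_settings(chain)["Allow log on locally"]
    return any(g in value for g in user_groups)


def scenario(domain_enforced=False):
    """The review question: a right granted at the domain level, overridden by
    the policy linked at the Domain Controllers OU (constructed group lists)."""
    domain = Gpo("Default Domain Policy",
                 {"Allow log on locally": ["Administrators", "Domain Users"]},
                 enforced=domain_enforced)
    dc_ou = Gpo("Default Domain Controllers Policy",
                {"Allow log on locally": ["Administrators", "Backup Operators"]})
    chain = [domain, dc_ou]
    return can_log_on_locally(chain, ["Domain Users"]), effective_settings(chain)
```

With the default, non-enforced domain link, `scenario()` shows the OU policy winning and the user without the right, which is the error in the question; `scenario(domain_enforced=True)` shows the one configuration in which the domain-level grant would survive.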
3. You are the system administrator responsible for creating, configuring,
and managing GPOs for your organization. The systems engineers
present you with a plan, and you must determine whether you can use a
default template. Which of the following default Group Policy templates
provides the highest default security for clients?
a. Rootsec
b. Hisecws
c. Securews
d. Compatws
ANSWER
b. Hisecws is the template used for the highest level of security.
4. You are responsible for creating, configuring, and managing GPOs for
your organization. You must determine which settings on the domain
controller do not match the security policies that were applied using
a specific template. Which of the following tools can you use to
determine this?
a. Domain Security Policy
b. Security Configuration And Analysis snap-in
c. Group Policy Management
d. Active Directory Users And Computers
ANSWER
b. The Security Configuration And Analysis snap-in can evaluate security policy
against current settings on a computer. The other tools cannot evaluate security
policy against settings; therefore, answers a, c, and d are incorrect.
5. You are the system administrator responsible for creating, configuring,
and managing GPOs for your organization. Before you can determine
which Group Policy settings you should apply to each GPO, you must
determine which types of Group Policy settings you can configure. Which
of the following types of Group Policy settings can you configure in an
Active Directory environment? Choose all that apply.
a. Desktop settings
b. Network connections
c. Location of computers
d. Inventory-installed software
e. Who can log on to a computer and when
ANSWER
a, b, and e. Answers c and d are incorrect because you cannot configure the
location of computers and inventory-installed software with Group Policy.
CHAPTER CASE SCENARIOS
Case Scenario 5-1: Folder Redirection
You are the system administrator for Contoso, Ltd., and you want to centrally
store users’ data using folder redirection. Specifically, you want to configure folder
redirection of the My Documents folder to each user’s existing home directory.
Users should have exclusive access to their My Documents data. How will you
accomplish your objectives? Choose two answers.
a. Configure a GPO to set the Folder Redirection policy to redirect to the
user’s home directory setting, and link it to the appropriate OU.
b. Configure a GPO to set the Grant The User Exclusive Rights To My Documents setting to Disabled, and link it to the appropriate OU.
c. Configure a GPO to set the Folder Redirection policy to redirect special
OU units.
d. Configure a GPO to set the Grant The User Exclusive Rights To My Documents setting to Enabled, and link it to the appropriate OU.
ANSWER
c and d. Redirecting special folders to a specific path satisfies the requirements.
You must enable the Grant Exclusive Right To My Documents setting to satisfy
your requirements. Answer a is incorrect. Here, you redirect the My Documents
folder, not the home directory. Answer b is incorrect. You want to provide—not
disable—exclusive access to the My Documents folder.
Case Scenario 5-2: Auditing
Someone notifies you that users are having a difficult time accessing shared
resources on two of the organization’s file servers. You decide to review the audit
logs for these servers to determine the cause of the issues. When you review the
event logs, you discover that the log contains only data from the previous 12 hours.
What might be responsible for the lack of data? Choose all that apply.
a. The maximum size of the event log is too small.
b. You audited too many events.
c. The Overwrite Events Older Than [x] Days setting is set to 1 day.
d. Another administrator manually cleared the event logs.
e. The relevant events are logged to domain controllers, not member servers.
ANSWER
a, c, and d. Answer a is correct because when the maximum size of the event log is
too small, events that help you determine the problem can be overwritten. Answer c
is correct because it allows events to be overwritten every 24 hours, which
might not allow enough log activity time. Answer d is correct because the events
might have been cleared when another administrator tried to isolate a different
issue. Answer b is incorrect because you cannot determine how much log activity
the audit objects will produce. It is possible to audit many events that produce little log activity; or, conversely, you can audit only a few objects that produce
extremely heavy log activity. Answer e is incorrect because events are logged
locally to the servers that are performing the actions.
TEXTBOOK CHAPTER 6 ANSWERS: SECURING NETWORK TRAFFIC WITH IPSEC
CHAPTER 6
SECURING NETWORK TRAFFIC WITH IPSEC
CHAPTER REVIEW QUESTIONS
1. Which of the following most accurately describes the functionality of the
Client (Respond Only) default policy rule?
a. The client will respond only to requests secured by IPSec.
b. The client will respond to unsecured requests, but will respond by
using IPSec.
c. The client will respond to unsecured requests with an unsecured
response, but will respond to secure requests with a secure response.
d. The client will respond to a server only if it can perform a reverse
lookup on the IP address of the server.
ANSWER
a. The client responds by using IPSec to secure the response if this is requested.
Answers b and c are incorrect because the client will not respond to unsecured
requests. Answer d is incorrect because the client does not distinguish between
the types of computers making the request and because a reverse lookup is not
required.
2. Fabrikam, Inc., recently joined two servers to its Active Directory domain.
After joining the servers to the domain, the company no longer is able
to communicate on the network. You suspect that applying the IPSec
policies caused the problem. Which tool would you use to determine
whether your suspicion is correct?
a. Network Monitor
b. The security log in Event Viewer
c. Resultant Set of Policies (RSoP)
d. IP Security Monitor
ANSWER
c. RSoP allows you to examine the Group Policy settings that are applied to the
computers. Because the computers have recently joined the domain, it is possible
that new Group Policy settings apply to the computers. Answer a is incorrect.
Although Network Monitor provides detailed information about network activity,
you cannot use it to investigate the application of a Group Policy. Answer b is
incorrect. Although the event log provides information about the application of
policies, it is not an effective tool with which to determine the active policies for a
particular computer. Answer d is incorrect. IP Security Monitor displays current
IPSec activity and statistics, but it does not indicate which policies are applied to
a particular computer.
3. You wish to determine whether a quick mode association is currently in
place. Which of the following tools can you use to make that determination?
a. RSoP
b. Event Viewer
c. Oakley log file
d. IP Security Monitor
ANSWER
d. Use the IP Security Monitor to determine which security associations (SAs)
exist. Because IP Security Monitor provides real-time quick mode association statistics, you can determine whether the association has been made. Answer a is
incorrect. RSoP enables you to verify policies in effect for a given user or computer,
but it does not indicate whether a quick mode association is currently in place.
Answer b is incorrect. Although IPSec events can be written to Event Viewer, you
cannot determine whether an association is currently in place. Answer c is
incorrect. Although the Oakley log file displays SA information, it does not display
real-time information about the association.
4. IPSec can be used to secure communications between two computers.
Which of the following would be good reasons to use IPSec? Choose all
that apply.
a. Examine Kerberos tickets
b. Block transfer of specific protocol packets
c. Allow transfer of packets with a destination TCP port of 23 from any
computer to the host computer
d. Permit one user to use Telnet to access the computer, while denying
another user
ANSWER
b and c. IPSec can be configured to block or accept specific protocol packets. Also,
IPSec can be configured to block or accept packets based on criteria, such as TCP
port number and IP address. Answer a is incorrect. Although IPSec uses Kerberos
as one method of authentication, it is not a tool for examining Kerberos tickets.
Answer d is incorrect. IPSec is designed for securing communication between
computers; it is not used to authorize or deny user access to resources.
5. What is a good reason for assigning an IPSec policy using Netsh instead
of using Group Policy?
a. Using Netsh is the only way to apply a policy that can be used to
permit a user’s computer to be used for a telnet session with another
computer while blocking all other telnet communications.
b. Using Netsh is more easily implemented than Group Policy when
multiple machines must be configured.
c. You can apply Netsh even if the computers are not joined in a
domain, whereas Group Policy can work only in a domain.
d. You can use Netsh to create a persistent policy if Group Policy cannot
be used.
ANSWER
d. You cannot use Group Policy to create a persistent IPSec policy. Answer a is
incorrect. IPSec is not designed to authorize or deny user access to resources.
Answer b is incorrect. Both Group Policy and Netsh can be used to restrict a
computer’s access to a particular protocol. Answer c is incorrect. Group policies
can be applied regardless of whether the computer is joined to the domain.
6. Netsh is used to create and assign an IPSec policy for a stand-alone server
running Microsoft Windows Server 2003. One of the commands used is
executed from the Netsh IPSec static context. It follows:
Add rule name="SMTPBlock" policy="smtp" filterlist="smtp computerlist"
filteraction="negotiate smtp" description="this rule negotiates smtp"
Why is the policy not working?
a. The policy is set with the wrong IP addresses.
b. Each policy specifies a different encryption algorithm.
c. A stand-alone server does not have a Simple Mail Transfer Protocol
(SMTP) service; therefore, the policy is unassigned.
d. The policy uses Kerberos for authentication and the computer is not
a member of a domain.
ANSWER
d. By default, Kerberos authentication is used and, for the policy to authenticate
using Kerberos, the computer must be a member of an Active Directory domain. Answer a is
incorrect. An IP address was not used for the command. Answer b is incorrect.
A difference in algorithms between policies does not prevent them from working.
Answer c is incorrect. Stand-alone servers do have an SMTP service; however, the
presence of the service has no impact on the policy assignment or effectiveness.
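As an added example (not from the textbook), the following netsh ipsec static script builds the "smtp" policy from question 6 on a stand-alone server with the authentication explicitly switched away from the Kerberos default that the answer identifies as the failure, and adds the kind of block rule that question 4 refers to. The policy, filter list, filter action and rule names are taken from question 6; the CA distinguished name, the telnet rule, the ports and all descriptions are constructed assumptions.

```batch
@echo off
rem Added example, not from the textbook. Builds the "smtp" policy from
rem question 6 on a stand-alone Windows Server 2003 host with netsh ipsec
rem static. Quoted names come from the question; the CA name, the telnet
rem block rule, the ports and all descriptions are constructed assumptions.

rem 1. Policy container. Keep assign=no until every rule is in place.
netsh ipsec static add policy name="smtp" ^
    description="Stand-alone SMTP host policy" assign=no

rem 2. Filter list and filter: inbound TCP/25 to this host from anywhere.
rem    srcport=0 means any source port; mirrored=yes also matches replies.
netsh ipsec static add filterlist name="smtp computerlist"
netsh ipsec static add filter filterlist="smtp computerlist" ^
    srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=25 mirrored=yes ^
    description="inbound SMTP to this host"

rem 3. Filter action: negotiate IPSec. inpass=no and soft=no refuse
rem    clear-text fallback, so a peer that cannot negotiate is dropped.
netsh ipsec static add filteraction name="negotiate smtp" ^
    action=negotiate inpass=no soft=no ^
    description="require IPSec for SMTP"

rem 4. The rule from question 6, with the fix: kerberos=no removes the
rem    default Kerberos method (unusable outside a domain) and rootca=
rem    names the issuing CA for certificate authentication. The CA DN is
rem    a placeholder; certmap:no excludecaname:no are the defaults written
rem    out. A psk="..." value would also work, but Case Scenario 6-1 notes
rem    that preshared key authentication is weak.
netsh ipsec static add rule name="SMTPBlock" policy="smtp" ^
    filterlist="smtp computerlist" filteraction="negotiate smtp" ^
    kerberos=no ^
    rootca="C=US,O=Contoso,CN=Contoso Root CA certmap:no excludecaname:no" ^
    description="this rule negotiates smtp"

rem 5. Question 4 mentions blocking a protocol outright: a second rule in
rem    the same policy that silently drops inbound telnet (TCP/23).
netsh ipsec static add filterlist name="telnet computerlist"
netsh ipsec static add filter filterlist="telnet computerlist" ^
    srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes ^
    description="inbound telnet to this host"
netsh ipsec static add filteraction name="block telnet" action=block ^
    description="drop telnet"
netsh ipsec static add rule name="TelnetBlock" policy="smtp" ^
    filterlist="telnet computerlist" filteraction="block telnet" ^
    description="this rule blocks telnet"

rem 6. Assign the policy, then read back what is active. Use IP Security
rem    Monitor (question 3) afterwards to confirm that main mode and quick
rem    mode SAs actually form with a peer.
netsh ipsec static set policy name="smtp" assign=yes
netsh ipsec static show policy name="smtp" level=verbose
```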
7. You wish to set up a tool for maintenance and monitoring of IP policies
on remote hosts in your domain. You add the IP Security Monitor and
IP Security Policy Management snap-ins to an MMC. However, when you
try to add the host 192.168.0.100 to the IP Security Monitor, you get the
error message shown in Figure 6-10.
Figure 6-10
IPSec console error message
How can you manage and monitor IPSec on 192.168.0.100?
a. You cannot do so. The host 192.168.0.100 is a legacy host that does
not support IPSec.
b. The host 192.168.0.100 is not part of the domain. You must join the
host to your domain if you want to use IP Security Monitor.
c. Only IPSec policies that use your authentication can be managed
and monitored using IP Security Monitor. You must assign such a
policy to 192.168.0.100.
d. You should use legacy Ipsecmon.
e. You cannot add a computer using its IP address. You must use the
computer’s DNS host name.
ANSWER
d. This error occurs when you try to add a host running Windows 2000 to the IP
Security Monitor. Legacy Ipsecmon is the appropriate tool to use for such hosts.
Unfortunately, it is not possible to create a single-seat maintenance tool using
this method if some of the client hosts run Microsoft Windows 2000. Answer a
is incorrect. Figure 6-10 shows that the IP Security Policy Management snap-in
has already been added to the MMC for 192.168.0.100. Therefore, 192.168.0.100
supports IPSec. Answer b is incorrect. Hosts can be managed and monitored
using the IP Security Monitor snap-in whether or not they are joined to a domain.
Answer c is incorrect. The authentication method has no bearing on whether IP
Security Monitor can be used. Answer e is incorrect. You can add computers using
an IP address or host name.
8. During the testing of the IPSec policies, the workstation you use as a test
computer works correctly and the traffic is encrypted; however, when
you resume testing after making some changes on one of the servers, the
workstation can no longer communicate with that server. The policy that
you set on the server requires you to use Kerberos as the authenticating
protocol. What is the most likely cause of the communication issue?
a. Your workstation lost its connection to a domain controller.
b. Your workstation lost its connection to the CA.
c. The IPSec Policy Agent lost communication with the domain controller
and must be restarted.
d. You must reapply the server’s IPSec policy.
ANSWER
c. When you troubleshoot communication issues, first stop the IPSec Policy Agent
and verify communication, and then restart the IPSec Policy Agent and use the IP
Security Monitor to confirm that a security association is established between
the computers. Answer a is incorrect. Once the initial connection is made, the
IPSec service does not need to contact a domain controller. Answer b is incorrect.
It is not likely that the workstation lost its connection to the CA because the
connection uses Kerberos, which means a domain controller could authenticate
a new session. In addition, the question implies that this is the same session.
Answer d is incorrect. Policies are reapplied every time a new connection is made.
Reapplying a policy would have no effect on this issue.
CHAPTER CASE SCENARIOS
Case Scenario 6-1: Securing Communications
You administer a Windows Server 2003 Active Directory domain. All client PCs are
in a top-level OU called Clients, and all server PCs (apart from domain controllers)
are in a top-level OU called Servers. The domain controllers are in their default
OU. The Secure Server (Require Security) default IPSec policy has been assigned
to all servers, including domain controllers. The Client (Respond Only) default
IPSec policy has been assigned to all clients. All client PCs are Windows 2000
Professional hosts.
Management is concerned that the client computers in the Research department do
not securely communicate with each other and with other clients. Only four such
machines exist. On one of them, you create a custom policy that requires secure
communications. You export it to a file and import it into the other three client
machines in the Research department. You assign the policy on all four machines.
Next, you use the IP Security Monitor console on one of the machines and find
that no SAs are set up between the Research department hosts or between these
machines and clients in other departments. You capture traffic using Network
Monitor and discover that unencrypted traffic is passing between the Research
clients. What is the first step you should take to solve the problem?
a. Change the authentication method on the custom policy to use a
preshared key.
b. Change the encryption algorithm from Triple DES (3DES) to Data Encryption
Standard (DES).
c. Create an OU.
d. Move the Research department computer accounts into the Servers OU.
ANSWER
c. In this scenario, assigning an IPSec policy locally has no effect. This situation
happens when the hosts are in a domain and a policy has been assigned through
Group Policy. In this case, the Client (Respond Only) policy has been assigned to
a GPO that is linked to the Clients OU. You must create an OU called Research,
move the four client computer accounts into that OU, create a GPO linked to
Research, and then assign the custom IPSec policy to that GPO. Answer a is
incorrect. The policy was exported from one client and imported into the others,
so the same authentication method is specified in the policy on all four
machines. The authentication method is unlikely to be the problem. In addition,
the preshared key authentication method is weak authentication and is not
appropriate in this scenario. Answer b is incorrect. A system running Windows
2000 that does not have Service Pack 2 or later installed on it does not support 3DES. If 3DES is specified, the rule defaults to DES for communication
with that computer. Therefore, the encryption algorithm is not a factor in this
scenario. Answer d is incorrect. This approach would ensure that communication
among the Research department’s computers and between the Research
department’s computers and other hosts in the domain is encrypted. However,
it is not the best solution. Servers are often put into one OU and clients are put
into another OU for various reasons—not merely to assign IPSec policy. As a
result, the Research department clients would be configured with other settings
that might be inappropriate (such as the Log On Locally rights).
Case Scenario 6-2: Troubleshooting IPSec
Your company does not use a domain structure; it uses workgroups. The Research
workgroup has six clients running Windows XP Professional, four clients running
Windows 2000 Professional, and two stand-alone servers running Windows
Server 2003. Communication between hosts in this workgroup must be secure. A
member of your support staff configures and assigns an IPSec security policy on all
hosts in the Research workgroup. All hosts can ping each other by IP address, but
the Research department staff cannot access files on the servers from their client PCs.
You log on to one of the servers using the local administrator account, you access
the Security Settings node within Local Computer Policy, and you enable success
and failure auditing for logon events. You open Event Viewer and locate a failure
audit event 547 in the security log. The failure reason given is, “Failed to obtain
Kerberos server credentials for the ISAKMP/ERROR_IPSEC_IKE service.” What is
the most likely cause of the problem?
a. The default response rule is not activated.
b. Kerberos has been specified as the initial authentication method.
c. The 3DES encryption algorithm has been specified, and it cannot be used
on the clients running Windows 2000.
d. The incorrect policy has been assigned.
ANSWER
d. The error detected occurs when Kerberos is specified as the authentication
protocol in an environment that cannot support it (such as a workgroup). It is not
possible to create a new policy in this environment, which means that one or more
of the default policies must have been assigned. The most common mistake in this
situation is to assign Secure Server (Require Security) on the servers. Answer a
is incorrect. This rule specifies that to communicate securely, the computer must
respond to requests for secure communication. Clearing the check box that specifies
this rule would make communication less secure, but would not prevent it altogether.
Answer b is incorrect. Kerberos cannot be used for authentication in this scenario
because the hosts are not in an Active Directory domain. The IP Security Policy
wizard would not create a policy if Kerberos were specified. Answer c is incorrect.
A system running Windows 2000 that does not have Service Pack 2 or later
installed does not support 3DES. If 3DES is specified, however, the rule defaults
to DES for communication with that computer.
TEXTBOOK CHAPTER 7 ANSWERS: IMPLEMENTING AND MANAGING SOFTWARE UPDATE SERVICES
CHAPTER 7
IMPLEMENTING AND MANAGING SOFTWARE
UPDATE SERVICES
CHAPTER REVIEW QUESTIONS
1. You are the system administrator for Contoso, Ltd., and you have been
given the responsibility of managing security patches and other updates
to operating systems that already have a SUS-compatible version of
Automatic Updates installed. Although you want the ability to approve
updates, you do not want to store them all locally. How can you
accomplish this?
ANSWER
Use the SUS Administration Web page to configure the server to use a Windows
Update Web server instead of storing them locally. To configure this, load the SUS
Administration Web page, click Set Options, and in the Select Where You Want
To Store Updates section of the details pane, click Maintain The Updates On A
Microsoft Windows Update Server, and then click Apply.
2. You want to obtain critical updates and security fixes for your PC that
runs Windows XP Professional. You access the Windows Update site.
However, you cannot find the Windows Update Catalog under See Also
in the left pane. What is the problem?
a. You have not installed and configured SUS.
b. You have not installed and configured Automatic Updates.
c. Transmission Control Protocol (TCP) port 80 is blocked for incoming
traffic on the firewall at your Internet service provider (ISP).
d. You must configure the Windows Update site.
ANSWER
d. You should select Personalize Windows Update and select the Display The Link
To The Windows Update Catalog Under See Also check box. Answer a is incorrect
because SUS is a server application and is not necessary in this situation.
Answer b is incorrect because Automatic Updates is installed by default on computers running Windows XP Professional. Answer c is incorrect because you could
not have accessed the Microsoft Windows Update site if port 80 were blocked.
3. You administer your company’s Windows Server 2003 Active Directory
domain. All client PCs run Windows XP Professional. Company policy
states that employees cannot download software or software updates
from the Internet. Software must be installed or upgraded on client
machines automatically through Group Policy. As the domain administrator,
you have been exempted from this policy so that you can download
operating system upgrades, security fixes, virus definitions, and Microsoft
utilities from the Windows Update site. You then want these upgrades,
fixes, and so forth to be installed automatically on other users’ PCs when
these users log on to the domain. What should you do after you have
downloaded the software?
a. Install and configure SUS on your PC.
b. Install Automatic Updates on the client computers.
c. Create a Windows installer package.
d. Configure Remote Installation Services (RIS) to distribute the software.
ANSWER
c. After you download the software you should create a Windows installer package
to be used with Group Policy to distribute the software to users on your network.
Answer a is incorrect because you would need SUS if users were permitted
to access an internal Web server as if they were accessing the Internet to download and install the relevant programs. However, they cannot perform this task;
so software must be installed automatically through Group Policy. Answer b is
incorrect. Automatic Updates is installed by default on computers that run
Windows XP Professional. The Windows Update site can be configured to send
updates automatically to a client. However, in this scenario, clients do not
receive updates or fixes by this method; instead, they receive them through Group
Policy. Answer d is incorrect because RIS is typically used to automatically install
operating systems and application software. It is not the appropriate tool for this
scenario.
4. You are the system administrator for Contoso, Ltd., and you have
deployed SUS. You open the SUS Administration Web page and perform
a synchronization that downloads several new updates. On the Approve
Updates page, you notice that the updates are already approved even
though you have not yet approved them. What is the most likely reason
the updates are already approved?
ANSWER
The SUS server has been configured to automatically approve all updates after
synchronization.
5. You have just finished installing SUS and realize that there is not enough
disk space to store all the updates locally. How can you configure SUS to
solve this problem? Select the best answer.
a. Compress the drive.
b. Configure the SUS server to store the updates on the client computers.
c. Configure the SUS server to download only 80 percent of the available
disk free space.
d. Configure the SUS server to use the Microsoft update site rather than
to store updates locally.
ANSWER
d. SUS can be configured to maintain the updates on a Microsoft Windows Update
server rather than downloading them locally. Answer a is incorrect. Although
compressing the drive can provide a temporary solution, it is unlikely to solve the
long-term disk space issue. Answer b is incorrect. You cannot configure clients to
store updates for SUS. Answer c is incorrect. SUS cannot be configured to download updates based only on percentage of free space.
6. You have deployed a SUS server; however, several clients running Windows XP (no service pack) and Windows 2000 Service Pack 2 are unable
to use the SUS server. What is the most likely reason for this problem?
ANSWER
Clients running Windows XP (with no service pack) and Windows 2000 Service Pack 2
and earlier must obtain a newer version of Automatic Updates to utilize SUS.
7. You have set up a second SUS server. You want to configure this server to
download only approved updates from another server. How can you
configure the second SUS server to only download approved items from
a local server?
ANSWER
To configure the SUS server to only synchronize approved items from a local
server, click Set Options, and in the Select Which Server To Synchronize Content
From, click Synchronize From A Local Software Update Services Server, type the
name of the server, and then click Synchronize List Of Approved Items Updated
From This Location (Replace Mode).
8. You are troubleshooting SUS client issues and want to check event log
messages. Which log should you examine to find SUS client messages?
a. Application log
b. Security log
c. System log
d. Directory Service log
ANSWER
c. SUS client logs are written to the System log.
CHAPTER CASE SCENARIOS
Case Scenario 7-1: Need for SUS
You are the systems administrator for Contoso, Ltd., and you are seeking a way
to keep all workstations and servers updated with the latest security patches,
driver updates, and recommended updates from Microsoft. You are considering
deploying SUS.
A colleague asked you why, since everyone in the company already has an
operating system with Automatic Updates enabled, is a SUS server still necessary?
Which of the following answers are valid responses to your colleague’s question?
a. Although Automatic Updates keeps systems updated, you cannot rely on
users to consistently accept and install updates.
b. Relying on individual users to individually download and install updates
from the Internet causes increased external network traffic relative to
downloading updates from an internal SUS server.
c. It is a recommended practice to test updates before deploying them.
Allowing individuals to deploy their own updates without first testing the
updates could be problematic.
d. A SUS server will automatically update clients running Microsoft Windows 95,
a practice that Automatic Updates does not support.
ANSWER
a, b, and c. Answer a is correct because, without a method of enforcing updates,
you cannot be certain they will be installed. Answer b is correct because requiring
each user to download updates from the Internet increases the amount of external network traffic relative to downloading updates and storing them centrally on
an internal server. Answer c is correct because it is important to test any system
configuration change before deploying it across your organization. Answer d is
incorrect because SUS does not support clients running Windows 95.
Case Scenario 7-2: Stage and Test Updates
You are deploying SUS in your organization. Several workstations in your
organization run a non-Microsoft application that was negatively impacted in the
past after downloading certain updates. As a result, many of the users of that
application have disabled the update feature and are reluctant to participate in
the SUS server deployment. How should you design your deployment plan so
that you can stage and test updates before distributing them to the rest of the
organization?
ANSWER
Include two SUS servers in your plan that share a parent-child relationship. Download all updates to the parent SUS server, test the updates, and approve only
updates that pass the test. When the parent has approved updates, the child
SUS server downloads them and makes them available to users.
TEXTBOOK CHAPTER 8 ANSWERS: CONFIGURING ROUTING BY USING ROUTING AND REMOTE ACCESS
CHAPTER 8
CONFIGURING ROUTING BY USING ROUTING
AND REMOTE ACCESS
CHAPTER EXERCISE
Exercise 8-1: Viewing the IP Routing Table
2. At the command prompt, type route print, and then press ENTER.
QUESTION What is the Netmask for the 10.1.0.0 Network Destination?
ANSWER
The Netmask is 255.255.0.0.
CHAPTER REVIEW QUESTIONS
1. You are the network administrator for Fabrikam, Inc. Fabrikam’s network
consists of several subnets. Current network users require access to only
the company intranet and other internal company resources such as file
shares and printers. Fabrikam, Inc., recently hired a team of developers
who will be joining your network and whose connectivity requirement
you must support. Which of the following options would require you
to implement a routing solution for the new developer team? Choose all
that apply.
a. The developer team needs corporate connectivity, but its test applications must be isolated from the rest of the network.
b. The developer team uses Internet access to connect to the corporate
network.
c. The developer team does not require Internet access, and its test
applications do not require corporate connectivity.
d. Source code repositories must be encrypted when stored and
accessed across the network.
ANSWER
a and b. Answer a is correct. This solution requires a separate subnet to isolate
the traffic to the test applications and requires a routing solution to connect the
two networks. Answer b is correct. This solution requires a routing solution to connect the two networks, the Internet, and the corporate network. Answer c is incorrect. Because there is no requirement for separate networks/subnets, no routing
solution is required. Answer d is incorrect. Encryption by itself does not require a
routing solution.
2. You are the network administrator for Fabrikam, Inc. Fabrikam’s network
consists of several subnets. Current network users require access to only
the company intranet and other internal company resources such as file
shares and printers. Fabrikam, Inc., recently hired a team of developers
who will be joining your network and whose connectivity requirements
you must support. Which of the following options would require you to
determine a packet-filtering solution for the new developer team? Choose
all that apply.
a. The developer team needs full corporate connectivity, but its test
applications must be isolated to only specific test computers.
b. The developer team needs corporate connectivity, but its test applications must be completely isolated from users on the rest of the network.
c. The developer team does not require Internet access and its test
applications do not require corporate connectivity.
d. The developer team uses a predetermined unique protocol to test its
applications.
ANSWER
a and d. Answer a is correct. Because you must isolate specific computers, you
can configure packet filtering to filter for the individual IP addresses of the test
computers. Answer d is correct. Because the developer team uses a predetermined unique protocol, you can configure packet filtering to filter for the specific
protocol. Answer b is incorrect. You cannot filter for an individual account. Answer
c is incorrect. A packet-filtering solution has no impact on this scenario.
3. Over the past several weeks, users have intermittently complained that
they were unable to connect to the VPN server. You examine the network
logs and determine that each of the complaints occurred when network
usage was peaking. You have ruled out addressing as the cause. What is
the most likely reason for the intermittent access problems?
ANSWER
At peak usage, the number of VPN users attempting to connect exceeds the number
of available VPN ports.
4. You have configured your remote access server to distribute addresses to
remote access clients through a DHCP server. However, you find that
your remote access clients assign themselves with only APIPA addresses.
Name two possible causes of this scenario.
ANSWER
1. A DHCP server is not available on the network segment, and a DHCP relay agent
has not been configured.
2. The DHCP server did not have 10 free addresses in its scope when the Routing
and Remote Access server started up.
5. Fabrikam, Inc., recently deployed smart cards to employees who require
remote access to the corporate network. Which authentication protocol
must you use to support the use of smart cards?
ANSWER
EAP-TLS.
6. Fabrikam, Inc., management wants to ensure that data transferred during
remote access are encrypted. Which authentication protocols provide
data encryption?
ANSWER
EAP-TLS, MS-CHAP v2, and MS-CHAP v1.
7. You have recently created a new domain in a Windows Server 2003 network, and the domain functional level is Windows 2000 mixed. How is
the Allow Access setting in the dial-in properties of a user account different in this environment from that in other server environments?
ANSWER
In Windows 2000 mixed-mode domains, the Allow Access setting does not
override the access permission set in the remote access policy. In other server
environments, the Allow Access setting does override the access permission
configured in the remote access policy.
8. You are troubleshooting a failed remote access connection. You verify
that the user account’s dial-in properties are set to Allow Access and that
the first matching remote access policy is set to Grant Remote Access Permission. The client still cannot connect. What should you check next?
ANSWER
You should check the remote access policy profile. Constraints configured in the
remote access policy profile, such as allowed dial-up hours, are preventing the connection from being established.
CHAPTER CASE SCENARIOS
Case Scenario 8-1: Phone Number Authentication
Fabrikam, Inc., has 10 vendors that must access the company network. For security
reasons, Fabrikam wants these 10 vendors to be authenticated only by their phone
numbers when dialing into the network. Because they are going to be authenticated
by their phone numbers, Fabrikam does not want them to be required to enter a username or password for authentication. How can you implement this configuration?
ANSWER
Create a remote access policy using Calling-Station-ID as the attribute on the
policy condition. Type the phone number for the first vendor. In the same policy,
add a similar condition for each of the nine remaining vendors. Configure the policy to
grant access to connections that match the policy conditions. Edit the policy
profile to allow unauthenticated access. After the policy is configured, configure
the server properties to allow unauthenticated access.
Case Scenario 8-2: Single-Credential Entry
You are a networking consultant for Fabrikam, Inc., which has already configured
a PPTP-type VPN. Although users are not having trouble connecting, they must
type their username and password twice. You have been asked to configure the
system so users have to type their password only once to connect to the company
domain. How can you allow users to avoid typing in their credentials in both the
Log On To Windows screen and the VPN connection dialog box? Which authentication protocols can be used over this VPN connection?
ANSWER
Instruct the employees to modify the properties of the VPN connection so that, in the
Security tab, the Automatically Use My Windows Logon Name And Password (And
Domain If Any) option is selected. Only MS-CHAP v1 and MS-CHAP v2 can be used.
TEXTBOOK CHAPTER 9 ANSWERS: MAINTAINING A NETWORK INFRASTRUCTURE
CHAPTER 9
MAINTAINING A NETWORK INFRASTRUCTURE
CHAPTER REVIEW QUESTIONS
1. You receive a report that a user’s computer is responding slowly to user
network requests. You want a quick way to see which type of network
traffic the server is receiving. You use Network Monitor. You want to see
whether any general broadcast traffic is being sent. Which counter should
you enable?
a. Nonunicasts/Interval
b. Unicasts/Interval
c. Bytes Sent/Interval
d. Bytes Received/Interval
ANSWER
a. Broadcast traffic, by definition, is nonunicast traffic. Answer b is incorrect
because traffic displayed using this counter is, again by definition, not broadcast
traffic. Answers c and d are incorrect because they include more than just broadcast traffic, and you will not be able to distinguish broadcast traffic from unicast
traffic.
2. You set up Performance Logs And Alerts to send a message to ComputerB
to notify an operator when the network bandwidth utilization on ComputerA
reaches a certain level. However, ComputerB never receives the message
sent from ComputerA. What must you do to enable messages to be sent
by ComputerA and received by ComputerB? Choose all that apply.
a. On ComputerA, start the Messenger service.
b. On ComputerA, start the Alerter service.
c. On ComputerB, start the Messenger service.
d. On ComputerB, start the Alerter service.
ANSWER
b and c. To successfully send messages, you must start the Alerter service on the
sending computer and the Messenger service on the receiving computer.
3. You suspect that a virus has infected your computer, which runs Windows Server 2003. You believe this virus transmits data from your server
over the network using a specific port. You want to determine which
process is using a specific port.
Which command should you run?
a. Nbtstat -RR
b. Nbtstat -r
c. Netstat -a
d. Netstat -o
ANSWER
d. Netstat -o displays the owning PID associated with each connection. Answers a
and b are incorrect because Nbtstat is a NetBIOS name resolution utility and
does not provide port information. Answer c is incorrect because, although it lists
all connections and listening ports, it does not list PIDs.
4. A user in the branch office reports that he cannot use Microsoft Internet
Explorer to open a commonly used Web site on the Internet. At your client computer in the main office, you are able to ping the target address.
What should you do to troubleshoot this problem? Choose all that apply.
a. From the user’s client computer, ping the destination address.
b. From the user’s client computer, use the Network Repair feature.
c. From the DNS server, perform a simple query test.
d. From the DNS server, perform a recursive query test.
ANSWER
a and b. Answer a is correct because pinging the destination address indicates
whether the client can communicate with the Web site. Answer b is correct
because the Repair feature performs a set of common troubleshooting commands
that might solve the problem. Answers c and d are incorrect because there is no
reason to suspect the DNS server as the source of the problem. In this scenario,
you should investigate client issues before considering the DNS server as the
source of the problem. Furthermore, because pinging the IP address was unsuccessful, name resolution was not performed.
5. A user in the branch office reports that he cannot use Internet Explorer to
view a commonly used Web site on the Internet. At your client computer
in the main office, you run Nslookup to verify the target address and
receive the correct address. At the user’s client computer, you also run
Nslookup, but the address returned is incorrect. What should you do to
troubleshoot this problem? Choose all that apply.
a. Verify that the client is using the correct DNS servers.
b. Run Ipconfig /flushdns.
c. Run Ipconfig /registerdns.
d. Run Ipconfig /renew.
ANSWER
a and b. You should first ensure the client is configured to use the correct DNS
servers, and then clear the DNS resolver cache. Answer c is incorrect because registering the client’s DNS address will not solve the Web site’s connection problem.
Answer d is incorrect because renewing the existing lease will not change any
configuration options on the client.
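The check described in this answer, as an added PowerShell example (not from the textbook): it lists the DNS servers the client is configured to use and compares the answer the client's own resolver returns for a name with the answer a known-good server returns, which is the manual Nslookup comparison from the question. It assumes PowerShell 2.0 or later and uses a placeholder trusted server address.

```powershell
# Added example, not from the textbook. $TrustedServer is a placeholder for
# the main-office DNS server that returned the correct address.
function Get-ClientResolvedIPv4 {
    param([string]$Name)
    # Resolves through the client's configured DNS servers and resolver cache,
    # i.e. the same view Internet Explorer gets on this machine.
    try {
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch { @() }
}

function Get-TrustedResolvedIPv4 {
    param([string]$Name, [string]$Server)
    # Nslookup queries $Server directly and bypasses the local resolver cache.
    # Windows nslookup prints the server block first, then "Name:" followed
    # by the answer's "Address:"/"Addresses:" lines, so only lines after
    # "Name:" are scanned for IPv4 addresses.
    $lines = & nslookup.exe $Name $Server 2>$null
    $inAnswer = $false
    foreach ($line in $lines) {
        if ($line -match '^Name:') { $inAnswer = $true; continue }
        if ($inAnswer -and $line -match '(\d{1,3}(\.\d{1,3}){3})') { $Matches[1] }
    }
}

function Test-DnsAnswer {
    param([string]$Name, [string]$TrustedServer)
    $client  = @(Get-ClientResolvedIPv4 -Name $Name)
    $trusted = @(Get-TrustedResolvedIPv4 -Name $Name -Server $TrustedServer)
    # DNS servers actually configured on the client's IP-enabled adapters
    $configured = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder }
    $same = (($client | Sort-Object) -join ',') -eq (($trusted | Sort-Object) -join ',')
    New-Object PSObject -Property @{
        Name          = $Name
        ConfiguredDns = ($configured -join ', ')
        ClientAnswer  = ($client -join ', ')
        TrustedAnswer = ($trusted -join ', ')
        AnswersMatch  = $same
    }
}

# Constructed usage: a mismatch means verify ConfiguredDns first (answer a),
# then run "ipconfig /flushdns" (answer b) and repeat the test.
Test-DnsAnswer -Name 'www.fabrikam.com' -TrustedServer '192.168.0.200' | Format-List
```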
6. You install a new application, which reports that it is installing a service
on the computer. However, when you attempt to run the application for
the first time, it cannot start. You inspect the event log to determine the
nature of the problem. You receive an error that states, “The service did
not start due to a logon failure.” Which of the following steps should you
take to troubleshoot this problem?
a. Verify the service has been configured to start automatically.
b. Change the password to the same name as the account.
c. Verify the correct password has been supplied on the properties
page of the service.
d. Verify the account has been granted administrative rights.
ANSWER
c. The correct password must be specified on the properties page for the service
to use the account to log on. Answer a is incorrect. Although you might need to
configure the service account to start automatically, the error message indicates
a logon problem. Changing the service start behavior will not fix a logon problem.
Answer b is incorrect because there is no dependency between the name of the
account and the password. Answer d is incorrect because you should grant the
least amount of privilege required for a service to perform its functions.
7. You install a new application on a member server. The application
reports that it is installing a service on the computer. The installation for
the service requests a username and password to run the service. You
provide the name DOMAIN1\Service1. However, when you attempt to
run the application for the first time, it is unable to start. You suspect that
the account has not been given appropriate rights to start the service.
What do you do?
a. On the member server, grant the Service1 account the Log On As A
Service right.
b. In the domain, grant the Service1 account the Log On As A Service
right.
c. On the member server, grant the Service1 account the Log On As A
Batch Job right.
d. In the domain, grant the Service1 account the Log On As A Batch
Job right.
ANSWER
a. Service accounts must have the Log On As A Service right.
8. A user complains that after she rebooted her computer, she no longer has
access to the Internet. You examine her network settings and see that she
has an IP address in the wrong network subnet and that her default gateway is actually part of a test network. You suspect a rogue DHCP server.
Which tool should you use to locate the DHCP server?
a. Ipconfig
b. Dhcploc
c. Netdiag
d. Netstat
ANSWER
b. Use Dhcploc to locate DHCP servers on your network, including rogue DHCP
servers. Answer a is incorrect because Ipconfig will only indicate whether the client
is configured to use DHCP and the address of the DHCP server it last used.
Answer c is incorrect because Netdiag does not list all DHCP servers on your network. Answer d is incorrect because Netstat only provides information about
existing network connections of a computer running TCP/IP and network activity
statistics and does not list DHCP servers.
CHAPTER CASE SCENARIO
Case Scenario 9-1: Using Diagnostic Tools
You are the network administrator for Fabrikam, Inc. Users and other administrators report issues on the network. You must decide which diagnostic tool will most
appropriately solve the problem.
Five different help desk issues are described. For each issue, determine which tool
is appropriate. Choose from the following tools. Provide a reason to justify each of
your choices. You might not need to use all of the possible answer choices.
The troubleshooting tools are as follows:
■ The standard version of Network Monitor
■ The Lite version of Network Monitor
■ Netstat
■ Ping
■ The testing feature in the DNS Monitoring tab
■ The Network Repair button
■ Network bridging
■ Service configurations
1. A user in Arkansas reports that he cannot browse the Internet. You ask
him to ping the local gateway, and after doing so, he does not receive a
successful reply from the local gateway. Other users on the network do
not have the same problem.
ANSWER
Use the Network Repair button. Because only one user is having difficulty in this
scenario, the loss of connectivity is probably an isolated instance and can be fixed
using the series of commands provided by the Repair feature.
2. All users in the company report that they cannot browse the Internet,
although the users receive replies when they ping the external resources
by IP address. Access to company resources is not affected.
ANSWER
Use the DNS monitoring tests to verify whether the DNS server is receiving proper
responses from the server to which it forwards.
3. A network administrator in Delaware wants to know the best way to implement a new segment on the network with a different physical topology.
She doesn’t want to buy a hardware router.
ANSWER
Network bridging is the best choice to connect two disparate networks together.
4. A network administrator in Delaware reports that a third-party service on
a server refuses to start. He has tried to restart the service several times,
but it does not start.
ANSWER
Check the service configuration. Specifically, check to see whether the service uses
a domain account, whether the account has been granted the Log On As A Service
right, and whether the correct password is specified in the properties page of the
service.
5. An administrator in a remote office thinks her server might have been
infected with a virus or a Trojan horse program. A specific port appears to be
open. How can the administrator determine which process uses which port?
ANSWER
Use Netstat -o to show the ports in use and their associated PIDs. Then display
Task Manager and match the PID obtained using the Netstat command to the list
of processes in Task Manager to identify the process using the port in question.
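The port-to-process matching described in review question 3 and in this scenario, as an added PowerShell example (not from the textbook): it parses Netstat -ano output and looks up each owning PID with Get-Process, which stands in for the manual check against Task Manager. It assumes PowerShell 2.0 or later on the server being examined.

```powershell
# Added example, not from the textbook: map each local port to its owning process.
function Get-PortOwner {
    param([int]$Port = 0)   # local port to look up; 0 lists every entry
    # netstat switches: -a all connections and listeners, -n numeric addresses,
    # -o owning process ID (the switch the answer key refers to).
    $lines = & netstat.exe -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($line in $lines) {
        # Fields: Proto, Local Address, Foreign Address, [State], PID
        # (UDP rows have no State column, so the PID is taken as the last field)
        $f = -split $line.Trim()
        $proto = $f[0]; $local = $f[1]; $foreign = $f[2]
        $state = if ($proto -eq 'TCP') { $f[3] } else { '' }
        $owner = [int]$f[-1]
        # Strip everything up to the last colon so IPv6 forms like [::]:135 work
        $localPort = [int]($local -replace '^.*:', '')
        if ($Port -ne 0 -and $localPort -ne $Port) { continue }
        # Get-Process replaces the Task Manager lookup; a missing process means
        # it exited between the two calls or access was denied.
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Proto          = $proto
            LocalAddress   = $local
            ForeignAddress = $foreign
            State          = $state
            PID            = $owner
            Process        = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path           = if ($proc) { $proc.Path } else { '' }
        }
    }
}

# Constructed usage: every listener and connection, grouped by owning process;
# an unfamiliar process name or path on an open port is what to investigate.
Get-PortOwner | Sort-Object PID | Format-Table Proto, LocalAddress, State, PID, Process, Path -AutoSize
```

Pass -Port with the suspicious port number to narrow the listing to that port only.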