MCSE 70-291(Prova 01)


Page 1: MCSE 70-291(Prova 01)

Item: 1 (Ref:Cert-70-291.1.1.40)

You are the network administrator for a Windows Server 2003 network. Your network contains three Windows Server 2003 computers and 200 Windows XP Professional computers. Some employees work from home and connect to the corporate network by using Windows XP Professional computers. Most of these employees connect to the corporate network during the day and to their home network at night. When the remote employees connect to the corporate network, their IP configuration must be assigned by using the corporate DHCP server. However, these users need static configurations when they connect to their home networks. What should you do?

Configure static IP information for each of the home computers.

Configure DHCP address reservations for each of the home computers.

Configure the Alternate Configuration option on each of the home computers.

Configure Automatic Private IP Addressing (APIPA) on each of the home computers.

Answer: Configure the Alternate Configuration option on each of the home computers.

Explanation: The Alternate Configuration option allows a computer that is configured to obtain an address automatically to fall back to a user-specified static IP configuration when no DHCP server answers. Without an alternate configuration, the computer falls back to APIPA. Therefore, you should configure the Alternate Configuration option on each of the remote computers. The scenario specifically states that the remote computers must use DHCP when they connect to the corporate network. Therefore, you should not configure static IP information for these computers. According to the scenario, the remote computers need static configurations when they are connected to their home networks. DHCP address reservations only ensure that the remote computers receive the same IP address each time they connect to the corporate DHCP server; these reservations have no effect when the computers are not connected to the corporate network. Therefore, it is unnecessary to configure DHCP address reservations for each remote computer. APIPA addresses are assigned automatically when computers that are configured to use dynamic IP addresses cannot contact a DHCP server. They are chosen from the 169.254.0.0/16 range (subnet mask 255.255.0.0) and are therefore not the static configuration the scenario requires.

Item: 2 (Ref:Cert-70-291a.1.1.41)

Situation: You administer a large Windows Server 2003 network. Your company's headquarters is located in Los Angeles, and branch offices are located in Denver, Phoenix and Seattle. Your company uses the Class C network address 192.168.50.0/24. You are required to assign network addresses so that Los Angeles can support 99 hosts, Denver can support 43 hosts, Phoenix can support 17 hosts and Seattle can support 7 hosts. All of your routers support classless interdomain routing (CIDR), variable-length subnet masks (VLSMs) and the use of subnets that contain all 0s and all 1s.

Task: Match each company location with the network address range that can be used for that location. To complete the objective, select a network address range from the left and place it in the appropriate target position next to each location name on the right. Not all network addresses will be used.

Page 1 of 49

Copyright © 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

This graphic is not available in print format.

Explanation: Each company location can be associated with the corresponding network address range as shown in the following exhibit.

Subnet masks can be specified using either prefix length notation or dotted-decimal notation. The prefix length /24, which is equivalent to the dotted-decimal notation 255.255.255.0, indicates that 24 bits are used to specify the network portion of the address and 8 bits are used to specify the host portion. VLSMs allow you to divide a network address range into subnets of different sizes. To subnet an address range, bits are borrowed from the host portion of the address to extend the network portion. The number of bits remaining in the host portion determines how many hosts can exist on that subnet. The formula is 2^n - 2, where n is the number of bits remaining in the host portion; the two subtracted addresses are the all-0s host address (the network address) and the all-1s host address (the broadcast address).

Your company has been assigned the network address 192.168.50.0/24. Because 8 bits are used to specify the host portion of the address, 2^8 - 2, or 254, hosts are available within a single subnet. However, you must allocate space for four subnets of varying size. The network address range 192.168.50.0/25 indicates that 25 bits are used to specify the network portion and 7 bits are used to specify the host portion; one bit has been borrowed from the host portion for subnetting. Therefore, 2^7 - 2, or 126, hosts are available within the 192.168.50.0/25 subnet. The following table shows the relationship between prefix lengths, subnet masks and the hosts available per subnet:

Prefix  Subnet mask       Hosts per subnet
/24     255.255.255.0     2^8 - 2 = 254
/25     255.255.255.128   2^7 - 2 = 126
/26     255.255.255.192   2^6 - 2 = 62
/27     255.255.255.224   2^5 - 2 = 30
/28     255.255.255.240   2^4 - 2 = 14
/29     255.255.255.248   2^3 - 2 = 6
/30     255.255.255.252   2^2 - 2 = 2

The 192.168.50.0/25 subnet is sufficient for the Los Angeles location, which requires 99 host addresses. The host addresses within the 192.168.50.0/25 subnet are 192.168.50.1 through 192.168.50.126. The first and last addresses in the subnet, 192.168.50.0 and 192.168.50.127, are not available for host allocation because 192.168.50.0 is the network address and 192.168.50.127 is the broadcast address. The Los Angeles location cannot use a /26 prefix length because only 62 hosts are available with a /26 prefix. A /24 prefix length would use all of the available address space, leaving nothing to assign to Denver, Phoenix and Seattle. A /23 prefix length would supernet, not subnet, the address range. Although the 192.168.50.128/25 subnet could also hold the Los Angeles location, the remaining subnet choices provided would then not allow correct host address configurations for the branch offices.

Denver requires 43 host addresses. Therefore, a /26 prefix length is required. Because the Los Angeles location is using addresses from 192.168.50.0 through 192.168.50.127, only addresses from 192.168.50.128 through 192.168.50.255 can be used for the branch offices. A /25 prefix length would consume this entire range, leaving no addresses for the Phoenix and Seattle offices. Of the choices available, the 192.168.50.128/26 network address range is sufficient for the Denver location. The host addresses within the 192.168.50.128/26 subnet are 192.168.50.129 through 192.168.50.190; 192.168.50.128 is the network address and 192.168.50.191 is the broadcast address.

Phoenix requires 17 host addresses. Therefore, a /27 prefix length is required. Only addresses from 192.168.50.192 through 192.168.50.255 remain available for Phoenix and Seattle. Of the remaining choices, the 192.168.50.192/27 address range is sufficient for the Phoenix location. This range includes the addresses from 192.168.50.192 through 192.168.50.223, of which 192.168.50.192 is the network address and 192.168.50.223 is the broadcast address.

Seattle requires 7 host addresses. Because a /29 prefix provides only 6 host addresses, a /28 prefix length is required. Only addresses from 192.168.50.224 through 192.168.50.255 remain. Of the choices available, the 192.168.50.224/28 address range is sufficient for the Seattle location. Addresses from 192.168.50.240 through 192.168.50.255 remain available for future allocation.

When you implement VLSMs, it is often helpful to represent address ranges graphically so that you can more easily see which addresses are used and which remain. The following graphic displays the 192.168.50.0/24 address range in 16-address groups along with the location to which those addresses are assigned.
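As an added worked example (this is not part of the Transcender item), the following Python script performs the VLSM allocation described above with the standard-library ipaddress module: it sorts the host requirements largest-first, picks the longest prefix whose 2^n - 2 usable addresses cover each requirement, carves the subnets out of 192.168.50.0/24 in order, and reports the first and last host, the broadcast address and whatever space is left over. The location names and host counts are the scenario's; the function names and the largest-first allocation strategy are this example's own.

```python
import ipaddress
import math

# Host requirements from the scenario (location -> hosts needed).
REQUIREMENTS = {"Los Angeles": 99, "Denver": 43, "Phoenix": 17, "Seattle": 7}


def prefix_for_hosts(hosts, max_prefix=32):
    """Longest prefix (smallest subnet) whose 2**n - 2 usable addresses cover `hosts`.

    The +2 accounts for the network (all-0s) and broadcast (all-1s) addresses,
    which cannot be assigned to hosts. At least 2 host bits are kept because a
    /31 or /32 has no usable host addresses under the classic rule.
    """
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return max_prefix - host_bits


def allocate_vlsm(block, requirements):
    """Carve `block` into one subnet per requirement, largest requirement first.

    Allocating largest-first keeps every subnet naturally aligned: the cursor
    only ever advances by a power of two that is >= the next subnet's size.
    Returns (assigned, leftover) where `assigned` maps name -> IPv4Network and
    `leftover` lists the unallocated networks at the end of the block.
    """
    block = ipaddress.ip_network(block)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    assigned = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts, block.max_prefixlen)
        size = 2 ** (block.max_prefixlen - prefix)
        if cursor + size > end:
            raise ValueError(f"{name}: {hosts} hosts do not fit in what is left of {block}")
        assigned[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    leftover = []
    if cursor < end:
        leftover = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(cursor), block.broadcast_address))
    return assigned, leftover


def describe(net):
    """Return (network, first host, last host, broadcast, usable host count)."""
    return (str(net.network_address), str(net[1]), str(net[-2]),
            str(net.broadcast_address), net.num_addresses - 2)


if __name__ == "__main__":
    assigned, leftover = allocate_vlsm("192.168.50.0/24", REQUIREMENTS)
    for name, net in assigned.items():
        network, first, last, bcast, usable = describe(net)
        print(f"{name:12s} {str(net):19s} hosts {first}-{last} broadcast {bcast} ({usable} usable)")
    print("left over:", ", ".join(str(n) for n in leftover))
```

Running it reproduces the answer: Los Angeles 192.168.50.0/25, Denver 192.168.50.128/26, Phoenix 192.168.50.192/27, Seattle 192.168.50.224/28, with 192.168.50.240/28 left over. Change the requirements dictionary to rehearse other allocation problems; the ValueError shows when a set of requirements cannot be satisfied from the block.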


Item: 3 (Ref:Cert-70-291a.1.1.42)

Situation: You administer the Windows Server 2003 Active Directory network depicted in the following exhibit:

This graphic is not available in print format.

The network is configured in a single Windows Server 2003 Active Directory tree. The domains a.verigon.com and b.verigon.com are subdomains of the verigon.com domain. All the servers on the network are Windows Server 2003 computers that are configured with static TCP/IP settings. Server002 hosts the standard primary DNS zone for the a.verigon.com domain, and Server005 hosts the standard primary DNS zone for the b.verigon.com domain. All clients are Windows 2000 Professional computers, and they obtain their TCP/IP configurations from a DHCP server named Server006. Server004 is a Windows Server 2003 RRAS computer that is configured to route data between the two subnets. Server003 is a DHCP relay agent that is configured to transmit DHCP broadcast requests from DHCP clients on Subnet A to Server006. Server006 is configured to lease IP addresses from the following scopes:

Subnet A: 192.168.0.21 through 192.168.0.254 (/24)
Subnet B: 192.168.1.21 through 192.168.1.254 (/24)

To provide a fault-tolerant configuration, you configure Server002 to host a standard secondary DNS zone for b.verigon.com, and you configure Server005 to host a standard secondary DNS zone for a.verigon.com. You want to configure DHCP to provide clients with the addresses of the DNS servers so that the clients will contact their secondary DNS server if their primary DNS server fails. Clients should attempt to resolve DNS queries on the local subnet before sending queries to a remote DNS server.

Task: On Server006, use the Scope Options dialog box to configure the appropriate DNS server addresses for the Subnet A scope. To complete the objective, select the appropriate options, and select the correct IP address or addresses and place them in the appropriate location in the dialog box.

Explanation: The following exhibit depicts the solution to this simulation:

In this scenario, client computers in Subnet A obtain DHCP information from Server006. By selecting the check box next to option 006 DNS Servers and entering the IP addresses 192.168.0.3 and 192.168.1.11, in that order, you configure client computers in Subnet A to use Server002 (192.168.0.3, on their local subnet) as their primary DNS server. If Server002 does not respond, the client computers will attempt to use Server005 (192.168.1.11) to resolve their queries.

For the Subnet B scope, the order of the DNS server addresses should be reversed: the IP address 192.168.1.11 should appear above the IP address 192.168.0.3. Configuring the DNS server addresses in this order causes client computers in Subnet B to use Server005 as their primary DNS server and Server002 as their secondary DNS server.

Item: 4 (Ref:Cert-70-291a.1.1.43)

You are the network administrator for a large corporation. The network contains Windows XP Professional and Windows Server 2003 computers. A DHCP server has been configured to assign IP addresses on the network. Your company employs several research consultants who are only in the office one day a week. The consultants have been issued laptop computers. You want these laptops to receive DHCP leases for eight hours. You reconfigure the DHCP scope, create a user class for the laptop computers, and assign a lease duration of eight hours to the new user class. However, as these users connect to your network from their laptop computers, you discover that they are receiving the default lease duration. You want to resolve this problem with the least amount of administrative effort. What should you do?

On the DHCP server, activate the scope.

On each of the laptop computers, configure a static IP address.

On the DHCP server, create reservations for the laptop computers.

On each of the laptop computers, use the registry editor to configure the user class.

On each of the laptop computers, use the ipconfig utility to configure the user class.

Answer: On each of the laptop computers, use the ipconfig utility to configure the user class.

Explanation: The ipconfig utility with the /setclassid parameter enables you to set the user class ID on each of the laptop computers. The class ID string set on the client must match the user class name defined on the DHCP server; once it does, the laptops present that class ID in their DHCP requests and receive the lease duration and other options configured for that class. The laptop computers are already receiving address leases, so the scope has already been activated. Computers with static IP addresses do not take part in the DHCP exchange at all, and therefore could not receive class-based options. It is not necessary to reserve addresses for the laptop computers; doing so would not set the desired lease duration, because lease durations can be configured only for scopes and for user classes. You could configure the class ID by editing the registry. However, you should avoid editing the registry unless absolutely necessary; ipconfig is the supported and less error-prone way to set the class ID.

Item: 5 (Ref:Cert-70-291a.1.1.44)

You administer your company's network. You configure a Windows Server 2003 computer with the DHCP Server service. All client computers run Windows XP Professional. You configure scope options to provide router and DNS server information to all client computers. You configure reservations in the DHCP scope for those computers that require a specific IP address. Your company purchases a router that will function as the new interface that connects your network to the Internet. You reconfigure the scope on the DHCP server to reflect the new router address. All computers on the network are then rebooted. You notice that the computers that have been assigned reserved addresses can no longer access the Internet. What should you do? (Choose two. Each correct answer presents part of the solution.)

Configure the appropriate option on each address class to include the new router.

Configure the scope options to include the Perform Router Discovery option.

Configure the server options to include the Perform Router Discovery option.

Configure the appropriate option on each address reservation to include the new router.

Run ipconfig /renew at each client computer with an address reservation.

Run ipconfig /release at each client computer with an address reservation.

Answer: Configure the appropriate option on each address reservation to include the new router. Run ipconfig /renew at each client computer with an address reservation.

Explanation: Reservation options override class options, which override scope options, which in turn override server options. Certain DHCP options can be configured specifically for a reserved client. When such an option is configured for a reservation, it overrides the same option set at the class, scope or server level. The most likely cause of these computers' inability to reach the Internet is therefore that a router option has been configured at the reservation level and still points at the old router, so the new router address set at the scope level never reaches them. To resolve this issue, configure the appropriate option on each address reservation to include the new router, then run ipconfig /renew at each client computer that has a reservation so that it picks up the changed options immediately instead of waiting for its next lease renewal. Routers are configured at the scope level in this scenario, and the scenario does not indicate that any address classes have been defined, so there is no router option to reconfigure at the class level. The Perform Router Discovery option only tells clients to locate routers themselves by using ICMP router discovery; enabling it has no effect on the order in which DHCP options are applied. Issuing ipconfig /release merely releases the IP address lease; it does not request a new lease or refresh the client's options. Therefore, any answer that includes ipconfig /release is incorrect.

Item: 6 (Ref:Cert-70-291a.1.1.45)

You administer your company's Windows Server 2003 network. Your network is configured as shown in the following exhibit. The router supports BOOTP forwarding. You want to configure the two DHCP servers for redundancy. Several static IP addresses have been configured on your network. You want to use the first 10 addresses of each range for static addresses. The remainder of the addresses should be configured by using the 80/20 rule. You configure the scopes on DHCPA and DHCPB as shown in the following exhibit.

Which of the following address ranges should be excluded? (Choose two. Each correct answer presents part of the solution.)

On DHCPA, exclude the following ranges: 208.15.15.1 through 208.15.15.10; 208.15.15.11 through 208.15.15.205

On DHCPB, exclude the following ranges: 208.15.16.1 through 208.15.16.10; 208.15.16.11 through 208.15.16.205

On DHCPA, exclude the following ranges: 208.15.15.1 through 208.15.15.10; 208.15.15.206 through 208.15.15.254

On DHCPB, exclude the following ranges: 208.15.16.1 through 208.15.16.10; 208.15.16.206 through 208.15.16.254

On DHCPB, exclude the following ranges: 208.15.15.1 through 208.15.15.10; 208.15.15.206 through 208.15.15.254; 208.15.16.1 through 208.15.16.10; 208.15.16.11 through 208.15.16.205

On DHCPB, exclude the following ranges: 208.15.15.1 through 208.15.15.10; 208.15.15.11 through 208.15.15.205; 208.15.16.1 through 208.15.16.10; 208.15.16.206 through 208.15.16.254

On DHCPA, exclude the following ranges: 208.15.15.1 through 208.15.15.10; 208.15.15.11 through 208.15.15.205; 208.15.16.1 through 208.15.16.10; 208.15.16.206 through 208.15.16.254

On DHCPA, exclude the following ranges: 208.15.15.1 through 208.15.15.10; 208.15.15.206 through 208.15.15.254; 208.15.16.1 through 208.15.16.10; 208.15.16.11 through 208.15.16.205

Answer: On DHCPB, exclude the following ranges: 208.15.15.1 through 208.15.15.10; 208.15.15.11 through 208.15.15.205; 208.15.16.1 through 208.15.16.10; 208.15.16.206 through 208.15.16.254. On DHCPA, exclude the following ranges: 208.15.15.1 through 208.15.15.10; 208.15.15.206 through 208.15.15.254; 208.15.16.1 through 208.15.16.10; 208.15.16.11 through 208.15.16.205.

Explanation: The complete exclusion list for DHCPA is: 208.15.15.1 through 208.15.15.10; 208.15.15.206 through 208.15.15.254; 208.15.16.1 through 208.15.16.10; 208.15.16.11 through 208.15.16.205. The complete exclusion list for DHCPB is: 208.15.15.1 through 208.15.15.10; 208.15.15.11 through 208.15.15.205; 208.15.16.1 through 208.15.16.10; 208.15.16.206 through 208.15.16.254.

Both DHCPA and DHCPB hold scopes for both subnets, so each server must carry exclusions for both networks. Defining part of each subnet's range on each server provides fault tolerance, and configuring the exclusions so that the two servers' active ranges never overlap prevents the address conflicts that would occur if both servers issued the same IP address. Because the ranges for both subnets are defined on both servers, the addresses that DHCPB is meant to lease are excluded on DHCPA, and the addresses that DHCPA is meant to lease are excluded on DHCPB. The static exclusion on the 208.15.15.0 subnet is 208.15.15.1 through 208.15.15.10, and on the 208.15.16.0 subnet it is 208.15.16.1 through 208.15.16.10, because the first 10 addresses of each range are reserved for statically configured hosts. The remaining 244 addresses on each subnet (.11 through .254) are divided according to the 80/20 rule: 80 percent (195 addresses, .11 through .205) is available on the primary DHCP server for that subnet, and the remaining 20 percent (49 addresses, .206 through .254) is available on the backup server. In this answer, DHCPA is the primary server for 208.15.15.0 and DHCPB is the primary server for 208.15.16.0.

A DHCP scope is the range of IP addresses that a server can assign. At a minimum, a DHCP server must have one scope. Each scope has a number of options that can be defined, such as WINS server, DNS server and router. Sometimes a particular address must be reserved for a client; when a client reservation is configured, that client is always assigned the same IP address. When a scope is created, statically assigned addresses should be excluded from the range. Some devices require static IP addresses because of their function: servers need static addresses so that client computers can always reach them and so that DHCP can hand those addresses to clients as options. For example, Windows Server 2003 requires that a DHCP server itself be assigned a static IP address.
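As an added example (not part of the Transcender item), the following Python script derives the exclusion ranges above from the scenario's rules rather than by hand: it splits each subnet's host range into the 10 static addresses, the 80 percent primary share and the 20 percent backup share, builds the exclusion list each server needs across both subnets, and then checks that no address can be leased by both servers and that every non-static address can be leased by exactly one. The subnets and server names are the scenario's; which server is primary for which subnet is the assumption the answer makes, and the function names are this example's own.

```python
import ipaddress

STATIC_RESERVE = 10   # scenario: first 10 addresses of each subnet are for static hosts
PRIMARY_SHARE = 0.8   # the 80/20 rule


def split_80_20(subnet, static=STATIC_RESERVE, primary_share=PRIMARY_SHARE):
    """Divide one subnet's host range into static, primary (80%) and backup (20%) parts.

    Returns a dict of (first, last) IPv4Address pairs. The network and broadcast
    addresses are never part of any range.
    """
    net = ipaddress.ip_network(subnet)
    first_host, last_host = net[1], net[-2]
    dynamic_first = first_host + static
    dynamic_count = int(last_host) - int(dynamic_first) + 1
    primary_count = round(dynamic_count * primary_share)
    primary_last = dynamic_first + primary_count - 1
    return {
        "static": (first_host, first_host + static - 1),
        "primary": (dynamic_first, primary_last),
        "backup": (primary_last + 1, last_host),
    }


def exclusions_for(server, primary_by_subnet):
    """Exclusion ranges `server` must define, given which server is primary for each subnet.

    Each server holds a scope for every subnet (the router forwards BOOTP/DHCP to
    both), so each server excludes the static block on every subnet plus whichever
    dynamic share the *other* server is meant to lease.
    """
    ranges = []
    for subnet, primary in primary_by_subnet.items():
        parts = split_80_20(subnet)
        ranges.append(parts["static"])
        ranges.append(parts["backup"] if server == primary else parts["primary"])
    return ranges


def servers_offering(addr, servers, primary_by_subnet):
    """Which servers could lease `addr`, i.e. which ones do not exclude it."""
    addr = ipaddress.ip_address(addr)
    return [s for s in servers
            if not any(lo <= addr <= hi for lo, hi in exclusions_for(s, primary_by_subnet))]


def plan_is_consistent(servers, primary_by_subnet):
    """Static addresses are leased by nobody; every other host address by exactly one server."""
    for subnet in primary_by_subnet:
        static_lo, static_hi = split_80_20(subnet)["static"]
        for addr in ipaddress.ip_network(subnet).hosts():
            expected = 0 if static_lo <= addr <= static_hi else 1
            if len(servers_offering(addr, servers, primary_by_subnet)) != expected:
                return False
    return True


def fmt(ranges):
    """Render (first, last) pairs the way the exam item writes them."""
    return [f"{lo} through {hi}" for lo, hi in ranges]


if __name__ == "__main__":
    # Assumed primaries: DHCPA for the .15 subnet, DHCPB for the .16 subnet.
    plan = {"208.15.15.0/24": "DHCPA", "208.15.16.0/24": "DHCPB"}
    for server in ("DHCPA", "DHCPB"):
        print(server, "excludes:", "; ".join(fmt(exclusions_for(server, plan))))
    print("consistent:", plan_is_consistent(["DHCPA", "DHCPB"], plan))
```

The consistency check is the part worth keeping: it catches the two failure modes of a hand-built 80/20 split, an address offered by both servers (a conflict) and an address offered by neither (leaked capacity), and it shows that with only one of the two servers running, the 20 percent share on each subnet is simply never leased.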

Item: 7 (Ref:Cert-70-291a.1.1.46)

You are the network administrator for TranTech Corporation. Your network contains Windows XP Professional and Windows Server 2003 computers. A DHCP server named DHCP1 is responsible for dynamic IP address assignment. A Windows XP Professional computer named Client45 hosts a Web site that is used primarily for research purposes. You create a DHCP reservation for the client computer. A few weeks later, the head of the Research department notifies you that users are unable to contact Client45. You discover that the network interface card (NIC) in Client45 has failed. You replace the NIC with a new card and verify that it is functioning properly. However, users report that they are still unable to contact Client45. When you run the ipconfig utility on Client45, you notice that it is not receiving the reserved IP address. You must ensure that Client45 always receives the reserved IP address. What should you do?

Reboot Client45.

Update the existing reservation properties with the new MAC address of Client45.

Run ipconfig /renew on Client45.

Delete the existing reservation, and create a new reservation with the new MAC address of Client45.

Answer: Update the existing reservation properties with the new MAC address of Client45.

Explanation: A DHCP reservation binds an IP address to a client's MAC address, the unique identifier that belongs to the NIC rather than to the computer. Replacing the failed NIC in Client45 therefore changed the MAC address that Client45 presents in its DHCP requests, and the server no longer matches it to the reservation. You should modify the existing reservation with the new MAC address of Client45. Rebooting Client45 would not cause it to receive the reserved address because the MAC address mismatch remains. Running ipconfig /renew on Client45 would only renew the lease it currently holds; it would not cause the computer to receive its reserved address, for the same reason. You should delete a reservation only if you plan to change the reserved IP address; in this scenario, you want to keep the existing reservation and its address.

Item: 8 (Ref:Cert-70-291.1.1.48)

You are the network administrator for Metroil. The network contains Windows XP Professional and Windows Server 2003 computers. Six Windows Server 2003 computers are configured as DHCP servers for the entire network. All Windows XP Professional computers retrieve their IP configuration dynamically. The DHCP server assigns the appropriate DNS suffix for the Windows XP Professional computers.

The network has three Active Directory domains: metroil.com, west.metroil.com, and east.metroil.com. SERVER1 is the main DHCP/DNS server for the metroil.com domain and uses the 190.10.10.1 IP address. SERVER2 is a backup DHCP/DNS server for the metroil.com domain and uses the 190.10.10.2 IP address. SERVER3 is the main DHCP/DNS server for the west.metroil.com domain and uses the 190.11.10.1 IP address. SERVER4 is the backup DHCP/DNS server for the west.metroil.com domain and uses the 190.11.10.2 IP address. SERVER5 is the main DHCP/DNS server for the east.metroil.com domain and uses the 190.12.10.1 IP address. SERVER6 is the backup DHCP/DNS server for the east.metroil.com domain and uses the 190.12.10.2 IP address.

The Windows XP Professional computer Client25 is part of the west.metroil.com domain. Someone has configured Client25 incorrectly. You must correct its configuration so that it registers its fully qualified domain name with DNS. Any unqualified name queries on Windows XP Professional computers must query the domain to which the querying computer belongs and the parent domain.

What should you do?

To answer the question, click the Launch Microsoft Simulation button to open the simulated desktop environment. Perform the appropriate actions in the simulation, and then click the Done button in the simulation to save your answer and return to the exam. If you need to erase your answer and begin again, click the Reset button in the simulation. If an exhibit is present, the Exhibit button in the simulation will be enabled. Click the Exhibit button to view the exhibit. For assistance, click the Help button in the simulation.

This graphic is not available in print format.

Explanation:

You need to navigate to the Internet Protocol (TCP/IP) Properties dialog box to configure the appropriate settings on Client25. There are several ways to accomplish this in the simulation:

- Click Start, Settings, and Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties. Select Internet Protocol (TCP/IP), and click the Properties button.
- Right-click My Network Places, and select Properties. Right-click Local Area Connection, and select Properties. Select Internet Protocol (TCP/IP), and click the Properties button.
- Click Start, Settings, and Network Connections. Right-click Local Area Connection, and select Properties. Select Internet Protocol (TCP/IP), and click the Properties button.

From the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button, and then click the DNS tab. Click the Add button under the DNS server addresses, in order of use: section, type 190.11.10.1 in the DNS Server text box, and click Add. Click the Add button again, type 190.11.10.2 in the DNS Server text box, and click Add. The DNS servers must be listed in this order: 190.11.10.1 first and 190.11.10.2 second, so that the main server for west.metroil.com is tried before the backup. Select the Append primary and connection specific DNS suffixes radio button, and check the Append parent suffix of the primary DNS suffix check box. These settings ensure that an unqualified name query on Client25 is tried first in the domain to which Client25 belongs (west.metroil.com) and then in the parent domain (metroil.com). Check the Register this connection's addresses in DNS check box to ensure that the computer's fully qualified domain name is registered with DNS. Click OK three times to close the dialog boxes.

It is also possible to enter the DNS server addresses directly in the Internet Protocol (TCP/IP) Properties dialog box by selecting the Use the following DNS server addresses: radio button, typing 190.11.10.1 in the Preferred DNS server text box, and typing 190.11.10.2 in the Alternate DNS server text box.

You should not use the 190.10.10.1 and 190.10.10.2 DNS server addresses for this client because the client is a member of the west.metroil.com domain, not the metroil.com domain. You should not use the 190.12.10.1 and 190.12.10.2 DNS server addresses because the client is a member of west.metroil.com, not east.metroil.com.

This graphic is not available in print format.

Item: 9 (Ref:Cert-70-291.2.1.49)

Situation: The relevant portion of the corporate network that you administer is depicted in the following exhibit:

All servers on the network run Windows Server 2003, and all client computers run Windows 2000 Professional. FirewallA is a Windows Server 2003 computer that is configured to act as a firewall. Server001, Server002 and Server003 are configured as DNS servers. Server003 is also the IIS Web server for the company Web site. The ISP's DNS server provides Internet name resolution. The IP address of the ISP's DNS server is 204.127.10.230. All of the DNS servers are configured with the default root hints. Recently, your network has undergone attacks from malicious individuals who are using the open DNS ports on FirewallA that enable Server001 and Server002 to service DNS queries from their clients. You configure FirewallA so that inbound DNS traffic is allowed only from Server003. Now, you need to configure DNS forwarding so that client computers on Subnet A and Subnet B can resolve Internet host names to IP addresses. Task: Match each appropriate IP address with the server or servers that should use that IP address as a forwarder. Each DNS server must be assigned a forwarder. To complete the objective, open the exhibit, select an IP address from the selections at the bottom and place it in the appropriate target position for each server in the exhibit.


Explanation: The solution to this simulation is depicted in the following exhibit:

In this scenario, you are going to configure FirewallA to prevent Server001 and Server002 from communicating with any Internet DNS servers except Server003. Therefore, to enable Server001 and Server002 to resolve Internet names, you should configure them to forward DNS queries for Internet names to Server003. Server003 will communicate with the appropriate DNS servers on the Internet in order to resolve the queries, and it will return the responses to those queries to Server001 and Server002. Generally, Server003 can use recursion to resolve any Internet names. Recursion involves querying the DNS servers that are authoritative for the appropriate domains, starting with the root DNS servers and then descending through the DNS namespace hierarchy to the target domain. However, the scenario stipulates that each DNS server be assigned a forwarder. Therefore, you should configure Server003 to use the ISP's DNS server as its forwarder. You should not configure Server001 or Server002 to use the ISP's DNS server as their forwarder because FirewallA allows inbound DNS traffic only from Server003. You should not use any of the IP addresses of the client computers because they are not DNS servers. Server001 and Server002 should not use each other as forwarders because they are both located behind the firewall; therefore, neither of them can resolve Internet names without using a forwarder that is located in front of the firewall. You could configure Server001 to use Server002 as a forwarder and configure Server002 to use Server003 as a forwarder, or you could configure Server002 to use Server001 as a forwarder and configure Server001 to use Server003 as a forwarder. However, either of these solutions would cause unnecessary delays in name resolution without producing any advantage.

To configure forwarding on a Windows Server 2003 DNS server, you should open the DNS console, right-click the appropriate DNS server, select Properties, and select the Forwarders tab, as depicted in the following exhibit:

In this dialog box, you can specify DNS domains and the IP address or addresses of any forwarders. Queries for names in those domains will be forwarded to the corresponding forwarders. The Do not use recursion for this domain option specifies whether the server will attempt to use recursion to resolve a query if the forwarders cannot resolve it. In this scenario, you should enable this option on Server001 and Server002 because FirewallA prevents them from communicating with any external DNS servers except Server003. On Server003, this option can be left disabled so that Server003 can resolve Internet names itself if the ISP's DNS server should fail.

Item: 10 (Ref:Cert-70-291.2.1.52)

You are your company's network administrator. The company network consists of a single Active Directory domain named verigon.com. All servers run Windows Server 2003. All computers are configured to use a computer named Server1 as their preferred DNS server. Your company plans to establish a presence on the Internet. You register the name verigon.com on the Internet and install several servers on a perimeter network. You configure a computer named Server2 as a DNS server and place it on the perimeter network. All computers on the perimeter network are accessible from the Internet. Server2 will be used to resolve names of the computers on the perimeter network. The company's written security policy stipulates that Internet users should not be able to resolve names of the computers on your internal network. You must comply with the company policy, and you must also ensure that all computers on the internal network can resolve each other's names and the names of the computers on the perimeter network. Which of the following should you do on Server1?

( ) Configure conditional forwarding to Server2.

( ) Create a stub zone, and specify Server2 as the master server.

( ) For each computer on the perimeter network, create an A record.

( ) Create a delegation to Server2.

( ) Create a secondary zone, and specify Server2 as the master server.

Answer:

For each computer on the perimeter network, create an A record.

Explanation: Generally, it is not recommended to use the same DNS namespace on the internal network and on the perimeter or external network, in order to avoid possible confusion and because such a configuration may be difficult to manage properly. To enable computers on the internal network to resolve names of the computers on the perimeter network in this scenario, you should manually create an A record in the zone for the verigon.com domain on Server1 for each server on the perimeter network. On Server2, you should create another zone for the verigon.com domain. That zone should contain A records only for the computers on the perimeter network. Because the name verigon.com is registered on the Internet, a delegation for the verigon.com domain should exist on the Internet DNS servers that are authoritative for the .com domain. The delegation should reference Server2 as the authoritative server for the verigon.com domain. Because Server1 hosts a zone for the verigon.com domain, you cannot create a stub or secondary zone also named verigon.com on Server1. Nor can you configure Server1 to perform conditional forwarding of queries for names in the verigon.com domain. A delegation can be created only in a parent domain for a child domain. Thus, you cannot create a delegation in the internal verigon.com domain for the external verigon.com domain.

Item: 11 (Ref:Cert-70-291.2.1.53)

You are a network administrator for your company. The company's central office is located in New York, and a branch office is located in Los Angeles. The network consists of a single Active Directory forest that contains two domains. All computers in the central office belong to the txglobe.com domain, and all computers in the branch office belong to the la.txglobe.com domain. All servers run Windows Server 2003. A member server named ServerA is located in the central office and hosts the primary zone for the txglobe.com domain. The zone is configured as presented in the following exhibit. ServerB is located in the branch office and hosts the primary zone for the la.txglobe.com domain. All computers in the branch office are configured to use ServerB as the preferred DNS server. You must ensure that all computers in the branch office can resolve any computer names in the txglobe.com domain, including the most recently registered names. A firewall in the central office is configured to block all incoming DNS traffic, except traffic between ServerA and ServerB. Which of the following should you do?

( ) Configure the scope of replication for the txglobe.com zone on ServerA to be all DNS servers in the forest.

( ) On ServerB, create a delegation for the txglobe.com domain, and specify ServerA as the name server.

( ) Configure all computers in the branch office to use ServerA as an alternate DNS server.

( ) Configure ServerB to forward queries for names in the txglobe.com domain to ServerA.

Answer:

Configure ServerB to forward queries for names in the txglobe.com domain to ServerA.

Explanation: All computers in the branch office use ServerB as the preferred DNS server. Therefore, to enable all computers in the branch office to resolve names from the txglobe.com domain, you should enable ServerB to resolve those names. One possible solution is to configure conditional forwarding for the txglobe.com domain on ServerB and specify ServerA as the forwarder. Alternatively, you could create a stub zone on ServerB for the txglobe.com zone and specify ServerA as the master server. However, if there are other authoritative DNS servers for the txglobe.com domain in the central office, then those servers might be listed in the stub zone and, therefore, ServerB might attempt to query those servers. The firewall in the central office would block those queries, thus causing delays in name resolution because ServerB would then attempt to query another authoritative server that is listed in the stub zone, until ServerB finally queried ServerA. ServerA is a member server, and the scenario stipulates that it hosts the primary DNS zone for the txglobe.com domain. Thus, the txglobe.com zone on ServerA can only be a standard primary zone. Therefore, you cannot configure the txglobe.com zone to replicate to all DNS servers in the forest, unless you configured all DNS servers to host secondary zones for the txglobe.com domain. The exhibit indicates that the refresh interval for the txglobe.com zone is 12 hours. If you created a secondary zone for the txglobe.com domain on ServerB, then computers in the branch office would be able to resolve the names from the txglobe.com domain that were registered at least 12 hours before; they would not be able to resolve the most recently registered names. You cannot create a delegation in the la.txglobe.com domain for the txglobe.com domain because a delegation can be created only in a parent domain for a child domain. If you configured computers in the branch office to use ServerA as an alternate DNS server, then they would use only ServerB for name resolution as long as ServerB remained available. Additionally, if ServerB failed and computers in the branch office sent their queries to ServerA, then the firewall in the central office would block those queries.

Item: 12 (Ref:Cert-70-291.2.1.54)

Situation: You are responsible for administering your company's DNS servers, which all host only Active Directory-integrated zones. While using Replication Monitor, you notice that one of your DNS servers, Server-A, does not seem to be receiving changes to zone information. You want to capture information regarding all DNS dynamic update packets that are sent and received by Server-A by using the TCP and UDP protocols. Both requests and responses should be captured. Detailed information about each packet is not required. Task: Configure the fields on the Debug Logging tab of the Server-A Properties sheet. To complete the objective, open the exhibit and select the correct check boxes.

This graphic is not available in print format.

Explanation: The Debug Logging tab of the Server-A Properties sheet should be configured as shown in the following exhibit.

Log packets for debugging should be selected to configure the DNS server to begin capturing debug packet information. This information is stored in the DNS debug log, which is named Dns.log. The Dns.log file can be opened only when the DNS Server service is stopped. The DNS debug log typically records only DNS error information. However, DNS queries, transfers, updates and notifications can also be recorded. You can also configure the debug log to record information about incoming or outgoing DNS packets, DNS requests or responses, and DNS packets sent by using TCP or UDP. You can configure the recording of packet details by selecting Details. You can configure packets to be filtered according to IP address by selecting Filter packets by IP address, clicking Filter and specifying the IP addresses to filter. In this scenario, you should select Log packets for debugging in order to activate debug logging. You should select Outgoing and Incoming because the scenario requires that both sent and received information be logged. You should select TCP and UDP because the communications that are based on both of these protocols must be logged. You are not required to log information about name resolution queries. Active Directory-integrated zones are synchronized by using Active Directory replication; they do not use zone transfers. Therefore, you should not select Queries/Transfers. You should select Updates because you are required to log information about changes to the zones that occur due to dynamic updates. Notifications of zone transfers are sent from a master server to a server that hosts a secondary zone. All zones in this scenario are Active Directory-integrated. Therefore, you should not select Notifications. The scenario requires that requests and responses be logged. Therefore, you should select Requests and Responses.

You are not required to log detailed information or to log information that pertains only to specific IP addresses; therefore, Details and Filter packets by IP address should not be selected.

Item: 13 (Ref:Cert-70-291.2.1.55)

You are the administrator of your company's DNS servers. The primary DNS server, which is named Jupiter, runs Windows Server 2003. A Windows 2000 Server DNS server named Mars hosts a secondary DNS zone for the Active Directory domain. Jupiter has been configured to allow zone transfers to Mars. Mars is configured with the default zone transfer settings. Some of your users complain that they cannot access some hosts by name. You decide to use System Monitor on Mars to determine whether it receives zone transfers from Jupiter. Which of the following counters should you select?

( ) AXFR Request Received

( ) AXFR Success Received

( ) IXFR Request Received

( ) IXFR Success Received

Answer:

IXFR Success Received

Explanation: A secondary DNS zone is a read-only copy of a zone; its data can be loaded and updated only through zone transfers from a designated master server. Initially, a secondary zone is populated by using a full zone transfer. Subsequently, DNS servers on Windows 2000 or later use incremental zone transfers, which involve transmitting only the new and changed records. Earlier versions of DNS Server, such as those in Windows NT, do not support incremental zone transfers; they can use only full zone transfers. Both Jupiter and Mars support incremental zone transfers. Therefore, you should monitor the IXFR Success Received counter for the DNS performance object in System Monitor on Mars. This counter indicates the total number of successful incremental zone transfers received by a secondary DNS server. The AXFR Request Received counter indicates the total number of full zone transfer requests that a master server received from secondary servers. The IXFR Request Received counter indicates the total number of requests for incremental zone transfers that are received on a master server. The scenario does not indicate that any DNS servers use Mars as their master server for zone transfers. Therefore, you do not need to monitor these counters. The AXFR Success Received counter indicates the total number of full zone transfers that have been received by a secondary server. The scenario stipulates that the secondary zone on Mars is configured with default settings. Mars runs Windows 2000 Server, which supports incremental zone transfers. By default, Mars should request only incremental zone transfers. Therefore, you do not need to monitor this counter.

Item: 14 (Ref:Cert-70-291.2.1.56)

You administer your company network, which consists of a single Active Directory domain. The network is not connected to the Internet. The network contains 2 Windows Server 2003 domain controllers, 10 Windows Server 2003 member servers and 100 Windows XP Professional client computers. Server01 hosts a standard primary DNS zone for the Active Directory domain. You must ensure that if a DNS client queries Server01 for external name resolution, Server01 will not attempt to contact DNS servers outside the corporate network. Which of the following should you do?

( ) Remove all entries from the Root Hints tab.

( ) Clear the DNS Server cache.

( ) Disable recursion.

( ) Remove all forwarders from the Forwarders tab.

Answer:

Disable recursion.

Explanation: When a DNS client submits a name resolution query to a DNS server, the server tries to resolve the name from its cache, which contains name-to-IP address mappings that the server saved after resolving other queries. If the server cannot resolve the name from the cache, then it checks the DNS zones for which it is authoritative. If the zones do not contain the necessary information, then, by default, the server initiates the process of recursion. It queries the DNS root servers and the servers referred to by the root servers. The information about the DNS servers that are authoritative for the Internet root zone is contained in the cache.dns file, which is located in the %systemroot%\system32\dns folder. This information is referred to as root hints, and it is pre-loaded into the DNS Server cache when the DNS Server service is started. In this scenario, if a user accidentally attempts to connect to an Internet host, the DNS server will start the recursion process by attempting to query the root DNS servers on the Internet. Because the network is not connected to the Internet, the query will time out and fail. To minimize the response time to such queries, you should configure Server01 to return a negative response to the query without attempting to connect to the root DNS servers on the Internet. You can accomplish this task by selecting Disable recursion (also disables forwarders) on the Advanced tab of the DNS server's Properties sheet in the DNS console. If you removed all entries from the Root Hints tab of the DNS server's Properties sheet, then Server01 would still attempt to connect to the root DNS servers on the Internet because the root hints would remain in the DNS Server cache. If the DNS Server service were then restarted, the default root hints would be re-loaded from the cache.dns file and would re-appear on the Root Hints tab. If you cleared the DNS Server cache, the default hints would also be re-loaded from the cache.dns file.

To prevent Server01 from using the default root hints without disabling recursion, you can delete or rename the cache.dns file and clear the DNS Server cache. A DNS server can be configured to forward queries that it cannot resolve from its cache and zones to another DNS server, which is referred to as a forwarder. By default, no forwarders are specified. If Server01 were configured to use forwarders and you removed all of the forwarders from the Forwarders tab, then Server01 would still attempt to use recursion, unless recursion were disabled or root hints were removed. Note that the Do not use recursion for this domain option on the Forwarders tab can be used to disable recursion only for the domains for which conditional forwarding is configured. To disable recursion for all domains, you should use the corresponding option on the Advanced tab.
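The forwarder chain from Item 9 and the server-wide recursion setting from Item 14, expressed as dnscmd commands rather than through the DNS console. This is an added example, not part of the Transcender item; Server003's IP address is a placeholder because the page gives it only in the exhibit, and 204.127.10.230 is the ISP DNS server address from the Item 9 scenario.

```powershell
# Added example, not from the original item. Run from an account with
# administrative rights on the DNS servers; dnscmd.exe must be in the path.
$Server003Ip = '<Server003-IP>'     # placeholder: take the real address from the exhibit
$IspDns      = '204.127.10.230'     # ISP DNS server from the Item 9 scenario

# Item 9: Server001 and Server002 sit behind FirewallA, which only lets
# Server003 talk DNS to the Internet, so they forward everything to Server003.
# /Slave is the command-line form of "Do not use recursion for this domain":
# if Server003 cannot answer, fail fast instead of trying root servers that
# the firewall will drop anyway.
foreach ($srv in 'Server001', 'Server002') {
    dnscmd $srv /ResetForwarders $Server003Ip /Slave
}

# Server003 forwards to the ISP but keeps recursion as a fallback (/NoSlave),
# so name resolution survives an ISP resolver outage.
dnscmd Server003 /ResetForwarders $IspDns /NoSlave

# Item 14: Server01 has no Internet path at all, so turn recursion off for the
# whole server (the Advanced-tab "Disable recursion (also disables forwarders)"
# setting). Queries for external names then get an immediate negative answer
# instead of timing out against unreachable root servers.
dnscmd Server01 /Config /NoRecursion 1

# Review the resulting server configuration, including forwarders and the
# recursion flag, on each server before closing the change.
foreach ($srv in 'Server001', 'Server002', 'Server003', 'Server01') {
    dnscmd $srv /Info
}
```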

Item: 15 (Ref:Cert-70-291.2.1.57)

You administer your company network. All servers on the network run Windows Server 2003, and all client computers run Windows XP Professional or Windows 2000 Professional. You add a DNS server to the network and then configure the network's DHCP server to automatically provide the IP address of the new DNS server to all of the DHCP client computers. You ask all of the network users to verify that the DHCP server has updated their computers' TCP/IP configurations to reflect the new DNS server's IP address. Which of the following commands should users type at a command prompt?

( ) ipconfig /all

( ) dnslint

( ) dnscmd

( ) netstat -a

Answer:

ipconfig /all

Explanation: Users should type ipconfig /all at the command prompt in order to display a computer's TCP/IP configuration information. The ipconfig command displays information such as the IP address, subnet mask and default gateway of the network adapters that are installed. When the /all switch is used, more detailed TCP/IP configuration information is displayed, including the computer's host name, the primary DNS suffix, the node type and whether the computer receives its IP address configuration from a DHCP server. If a computer is configured to use DNS and WINS servers, then the IP addresses of those servers are also displayed. The dnslint command can be used to troubleshoot DNS name resolution problems by verifying the existence of specified DNS records, by diagnosing delegation issues, and by verifying Active Directory replication functionality. The dnscmd command can be used to configure and manage DNS servers from a command prompt. For example, the dnscmd servername /enumzones command can be used to display the list of all zones that are hosted on a specified DNS server. The netstat command can be used to view TCP/IP statistics; the -a switch can be used to determine the open ports on a computer.

Item: 16 (Ref:Cert-70-291.2.1.58)

You are a network administrator for your company. The corporate network consists of two Active Directory domains in a single forest. All servers run Windows Server 2003. Server1 is the DNS server that hosts a primary zone for the txglobe.com domain. Server2 is the DNS server that hosts a primary zone for the la.txglobe.com domain. On Server1, you create a stub zone for the la.txglobe.com zone and specify Server2 as a master server. You want to verify whether the stub zone lists all of the authoritative servers for the la.txglobe.com domain. Which of the following should you do?

( ) Use the nslookup tool to issue a query against Server2.

( ) View the information on the Name Servers tab of the Properties sheet for the stub zone.

( ) Use the options on the Monitoring tab of the DNS server's Properties sheet for Server1.

( ) On Server1, configure a delegation for the la.txglobe.com domain.

Answer:

Use the nslookup tool to issue a query against Server2.

Explanation: A stub zone is a partial copy of a DNS zone; a stub zone contains only the SOA record, the NS records and the glue A records for the authoritative servers of the corresponding full zone. Those records are loaded and updated through zone transfers from a master server. Thus, a stub zone should list the same servers that are listed on the Name Servers tab of the zone's Properties sheet on a primary server. To verify the list of authoritative servers for the la.txglobe.com domain, you should use the nslookup tool to issue the following query: nslookup -querytype=ns la.txglobe.com server2.la.txglobe.com. This query should be issued on Server1 or on another computer that can resolve Server2's name to its IP address. If you know Server2's IP address, then you can reference Server2 by its IP address in the query: nslookup -querytype=ns la.txglobe.com Server2's_IP_address. According to the scenario, you must verify that the list of authoritative servers for the la.txglobe.com domain that is contained in the stub zone is correct. The same servers that are listed in the stub zone appear on the Name Servers tab of the Properties sheet for that stub zone. Therefore, you cannot meet the requirement of the scenario by viewing the information on the Name Servers tab of the stub zone's Properties sheet. On the Monitoring tab of the DNS server's Properties sheet, you can select the options to perform a simple query against that server and to perform a recursive query. A simple query tests whether the server can read resource records in its zones. A recursive query tests whether that DNS server can connect to an authoritative server for the root domain. Neither of these tests can provide information about the name servers in the la.txglobe.com domain. A delegation specifies one or more authoritative servers for a child domain and indicates that the child domain is the starting point of another DNS zone. In this scenario, you might want to create a delegation on Server1 for the la.txglobe.com domain. However, a delegation will contain information about only those name servers that you specify manually. Thus, you cannot use the delegation to verify the list of authoritative servers for the la.txglobe.com domain.

Item: 17 (Ref:Cert-70-291.2.1.59)

You are your company's network administrator. The network consists of a single subnet. All servers run Windows Server 2003. The network is connected to the Internet through a private WAN link. A computer named Server1 provides Internet access for the network. Server1 is equipped with two NICs, and Internet Connection Sharing (ICS) is enabled on the NIC that is connected to the Internet. Your company employs several telecommuters who work from their homes. The remote employees require some files that contain information about the company's business operations. Those files are updated on a daily basis. To provide the remote employees with those files, you set up an FTP site on a computer named FTPSrv. You must ensure that the users on the corporate network can access Internet Web sites and that the remote employees can download the necessary files from FTPSrv. The corporate network must be protected against possible Internet-based attacks. Access to the corporate network from the Internet must be restricted to only the FTP site on FTPSrv. Which of the following should you do?

( ) On FTPSrv, enable Internet Connection Firewall, and specify that FTP traffic be allowed to pass to FTPSrv.

( ) On Server1, enable Internet Connection Firewall, and specify that FTP traffic be allowed to pass to FTPSrv.

( ) Configure Server1 to use IPSec for all communications on the NIC that is connected to the Internet.

( ) On Server1, enable Internet Connection Firewall, and configure it to allow only HTTP and FTP traffic to pass to the corporate network.

Answer:

On Server1, enable Internet Connection Firewall, and specify that FTP traffic be allowed to pass to FTPSrv.

Explanation: Windows Server 2003 includes Internet Connection Firewall (ICF), which is a stateful packet filter. ICF allows only outbound traffic to pass freely. All inbound traffic is checked against a table that records each outbound request. Only the inbound traffic that is generated in response to outbound requests is allowed to pass through the firewall; all unsolicited inbound traffic is blocked. To enable ICF on the NIC that is connected to the Internet, you should select Protect my computer and network by limiting or preventing access to this computer from the Internet on the Advanced tab of the Properties sheet for the LAN connection that corresponds to the NIC that is connected to the Internet. To enable remote employees to initiate connections to the FTP site on FTPSrv, you should configure ICF to allow inbound FTP traffic to pass to FTPSrv. On the Advanced tab, you should click Settings to open the Advanced Settings sheet. On the Services tab, you should select FTP Server and then specify the name or IP address of FTPSrv in the Service Settings dialog box. ICF will then direct all inbound FTP traffic to FTPSrv. You should enable ICF on Server1 in order to protect the corporate network against unauthorized access from the Internet. If you enabled ICF on FTPSrv instead of Server1, then the network would be exposed to the Internet; only FTPSrv would be protected. IPSec is a technology that provides authentication and encryption on TCP/IP connections. IPSec is configured by using policies, which apply to a computer as a whole; IPSec cannot be enabled on a per-NIC basis. If you configured Server1 to use IPSec for all its communications, then users on the corporate network would not be able to access public Web sites on the Internet. You should not configure ICF on Server1 to allow inbound HTTP traffic because the scenario does not indicate that your corporate network contains a Web site that must be accessible from the Internet. When a user on your network attempts to connect to an Internet Web site, the user's computer sends an HTTP request to that site. ICF allows all outbound traffic, and it registers the outgoing request. When the Web site responds to the user's request, ICF identifies the inbound HTTP packets as a response to the user's request and routes that response to the user's computer.

Item: 18 (Ref:Cert-70-291.2.1.60)

You are the network administrator for your company. The servers on your network run Windows Server 2003. The client computers on your network, which run Windows 2000 Professional, connect to server-based resources by host name and by IP address. You move an FTP server to a different subnet. Shortly after that, a user named Jennifer contacts you stating that she can connect to the FTP server by its new IP address, but not by name. You update the A record for the FTP server, but Jennifer still cannot connect to the FTP server by name. You try to connect to the FTP server by name from another computer on the same subnet, and your attempt is successful. You must ensure that Jennifer can immediately connect to the FTP server by name. Which of the following should you do?

( ) Instruct Jennifer to issue the ipconfig /flushdns command from her computer.

( ) Instruct Jennifer to issue the ipconfig /registerdns command from her computer.

( ) Issue the ipconfig /registerdns command from the FTP server.

( ) Issue the ipconfig /flushdns command from the DNS server.

Answer:

Instruct Jennifer to issue the ipconfig /flushdns command from her computer.

Explanation: Originally, the FTP server's name was mapped in DNS to the FTP server's original IP address. When you moved the FTP server to another subnet, you changed its IP address, but you did not immediately change the existing A record in DNS. When Jennifer attempted to connect to the FTP server by name, her computer sent a name resolution request to a DNS server, which returned the original IP address of the FTP server. That stale name-to-IP address mapping was cached on Jennifer's computer. By default, that mapping would remain in the cache for one hour. You subsequently updated the A record for the FTP server in DNS. However, Jennifer's computer no longer queried the DNS server when Jennifer attempted to connect to the FTP server by name; instead, her computer used the cached DNS mapping. To enable Jennifer to connect to the FTP server by name immediately, the DNS resolver cache on Jennifer's computer should be flushed. To accomplish this task, you should instruct Jennifer to issue the ipconfig /flushdns command on her computer. The ipconfig /registerdns command can be used to dynamically register DNS names and to refresh DHCP leases. You do not need to issue this command on the FTP server because you have already manually updated the A record for the FTP server. Issuing the ipconfig /registerdns command on Jennifer's computer would refresh the lease for the IP address that her computer uses and would re-register the DNS name of her computer, but it would not enable her to connect to the FTP server by name. Issuing the ipconfig /flushdns command on the DNS server would purge the DNS client cache on the DNS server. Performing this action would have no effect on Jennifer's ability to connect to the FTP server by name because her computer would not query the DNS server until the cached mapping expired or the DNS client cache was purged on her computer.

You administer a Windows Server 2003 Active Directory network that spans four physical locations in New York, Los Angeles, Chicago and Berlin. A standard DNS zone named cdpress.com is configured on the network. ServerA is the primary DNS server in the cdpress.com DNS zone. ServerB, ServerC and ServerD are secondary servers in the zone. ServerA is the master DNS server. ServerA, ServerB, ServerC and ServerD are Windows Server 2003 member servers in the cdpress.com Windows Server 2003 Active Directory domain. You have installed Windows Support Tools on all Windows Server 2003 computers in the domain. ServerA is in New York, ServerB is in Los Angeles, ServerC is in Chicago and ServerD is in Berlin. The locations are connected in a mesh topology by T1 WAN links. In each location, computers are configured to use the local DNS server for name resolution. Name resolution has been intermittently failing in Los Angeles and Berlin for host (A) records that have been added to the zone recently. The WAN links seem to be working correctly, and bandwidth usage on each of the T1 links is typically between 30 and 50 percent. Which of the following troubleshooting procedures will most likely reveal the cause of the name resolution problem?

Explanation: Opening the Performance Microsoft Management Console (MMC) snap-in on ServerA and viewing the Zone Transfer Failure counter in System Monitor will most likely reveal the cause of the name resolution problem. In this scenario, failed DNS zone transfers are most likely causing the name resolution problem. If a zone transfer from ServerA to ServerB or ServerD fails after a new host resource record is added to the cdpress.com Domain Name System (DNS) zone, then name resolution failures for the new record will occur for users in Berlin and Los Angeles. If you open System Monitor on ServerA and view the Zone Transfer Failure counter, then you will be able to determine whether zone transfers are failing. The following exhibit depicts the System Monitor snap-in with the Zone Transfer Failure counter added:

The Caching Memory counter will show the amount of RAM that the DNS Server service is using for caching. This counter will not reveal useful information for troubleshooting the DNS name resolution problem that is occurring in this scenario. Issuing the replmon command will start the Active Directory Replication Monitor, which is useful for troubleshooting the replication of DNS zone information in an Active Directory-integrated zone. The replmon.exe utility is contained in Windows Support Tools. The cdpress.com zone is a standard DNS zone, so running the Active Directory Replication Monitor will not reveal useful information for troubleshooting the name resolution problem in this scenario. Issuing the perfmon command on ServerD will start the System Monitor utility with the Pages/sec, Avg. Disk Queue Length and % Processor Time counters active. The default counters might be useful for troubleshooting bottlenecks on ServerD, but they will not reveal useful information for determining the cause of the DNS name resolution problem in this scenario.

Item: 19 (Ref:Cert-70-291.2.1.61)

( ) opening the Performance MMC on ServerA, and viewing the Caching Memory counter in System Monitor

( ) opening the Performance MMC on ServerA, and viewing the Zone Transfer Failure counter in System Monitor

( ) opening the Active Directory Replication Monitor on ServerD, and viewing information in the Monitored Servers pane

( ) issuing the replmon command at a command prompt on ServerA

( ) issuing the perfmon command at a command prompt on ServerD

Answer:

opening the Performance MMC on ServerA, and viewing the Zone Transfer Failure counter in System Monitor

Item: 20 (Ref:Cert-70-291.3.1.57)

Situation: You administer a Windows Server 2003 Active Directory domain for an airline. Pilots need to be able to remotely log on to the domain to view and update flight plans, crew rosters and schedules. Some pilots need to use smart cards and Windows XP Professional laptop computers equipped with smart card readers to remotely log on to the network. A public key infrastructure (PKI) has been configured in the domain, and the smart cards that pilots will use to log on to the network have been configured with certificates. Other pilots need to use Windows 98 laptop computers to remotely log on to the network. Pilots that use Windows 98 computers to log on to the network will not use smart cards. The Windows XP Professional and Windows 98 computers support only default authentication methods. No Service Packs have been installed on the Windows XP Professional or Windows 98 computers. You configure a Windows Server 2003 member server named Trans1 as an RRAS server. You need to configure the appropriate authentication methods on the server to enable the pilots to establish authenticated dial-up connections with Trans1. To configure authentication, you open the Routing and Remote Access MMC snap-in, click the server name in the left pane, click the Action menu, and select Properties to display the TRANS1 (local) Properties dialog box. Next, you click the Security tab in the dialog box, and click the Authentication Methods... button to display the Authentication Methods dialog box. You need to select the fewest possible authentication methods in the Authentication Methods dialog box to enable pilots to establish remote access connections with the network. After you finish configuring Trans1, the RRAS server should support smart card authentication and encryption of authentication and connection data. Task: Configure the authentication methods for Trans1 in the Authentication Methods dialog box. To complete the objective, select the correct check boxes.

This graphic is not available in print format.

Explanation: You should configure the Authentication Methods dialog box as depicted in the following exhibit:

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is typically used to support smart cards. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a one-way authentication protocol, which enables the server to authenticate the client but does not enable the client to authenticate the server. MS-CHAP supports the encryption of authentication and connection data. By default, Windows 98 computers do not support MS-CHAP v2; Service Pack 1 or later must be installed on a Windows 98 computer in order for it to support MS-CHAP v2. MS-CHAP v2 is a two-way authentication protocol that encrypts both authentication and connection data. Challenge Handshake Authentication Protocol (CHAP), Shiva Password Authentication Protocol (SPAP) and Password Authentication Protocol (PAP) do not support encryption of connection data. The Unauthenticated access setting allows users to anonymously establish dial-up connections to a Routing and Remote Access Service (RRAS) server.

Item: 21 (Ref:Cert-70-291.3.1.60)

Situation: You administer a Windows Server 2003 Active Directory domain named verigon.com for Verigon Corporation, a scientific research company. You have installed and configured SUS on a Windows Server 2003 member server named Updater. Scientists at Verigon use Windows XP Professional computers with Service Pack 1 installed. You need to configure the Default Domain Policy GPO for the verigon.com domain so that the scientists' computers will be automatically updated with approved security updates and Service Packs stored on Updater. The Default Domain Policy GPO is the only GPO defined in the domain. Task: To complete the objective, select one or more folders in the Default Domain Policy GPO that contain the group policy settings that you are required to configure. You should select the fewest possible number of folders.

This graphic is not available in print format.

Explanation: The following exhibit depicts the folder you should select in the Default Domain Policy Group Policy object (GPO):

The Windows Update folder contains the following four group policy configurations: Configure Automatic Updates, No auto-restart for scheduled Automatic Updates installations, Reschedule Automatic Updates scheduled installations and Specify intranet Microsoft update service location. The Configure Automatic Updates group policy setting enables you to configure a day and time for automatic updating to occur. The No auto-restart for scheduled Automatic Updates installations setting enables you to configure whether a computer is automatically restarted after automatic updating occurs. If this policy is enabled, then Automatic Updates will not automatically restart a computer as part of an automatic updating process. If this policy is disabled or not configured, then Automatic Updates will notify any logged on users that the computer will automatically restart in five minutes.

The Reschedule Automatic Updates scheduled installations group policy enables you to configure Automatic Updates to wait a certain number of minutes after a computer starts to begin a previously missed Automatic Updates installation. If you want Windows Server 2003, Windows XP or Windows 2000 clients to use a Software Update Services (SUS) server, such as Updater, on the local intranet to retrieve updates, then you should configure the Specify intranet Microsoft update service location group policy setting. Windows XP computers require Service Pack 1 or later and Windows 2000 computers require Service Pack 2 or later in order to use SUS. The Default Domain Policy GPO is linked to the verigon.com domain. If you change Windows Update policies contained in the Computer Configuration portion of the Default Domain Policy GPO, then the changes will apply to all the Windows Server 2003 and Windows XP computers in the domain.

You are the network administrator for your company's single Active Directory domain. The company has a main office and one branch office. A demilitarized zone (DMZ) segment is configured between the internal network and the Internet. The DMZ contains three Windows Server 2003 Web servers in a Web farm configuration. These three servers are not members of the domain. The internal network consists of Windows Server 2003 domain controllers. The network also contains 10 Windows Server 2003 member servers. Two member servers run SQL Server 2000. No Web servers are located on the internal network. All servers and computers located in the internal network are domain members. The Active Directory structure is shown in the exhibit.

All internal policies are applied through Group Policy objects (GPOs). Your company plans to implement a new security template that will affect all Web servers. You must implement this template by using the least amount of administrative effort. Which actions should you take? (Choose all that apply. Each correct answer presents part of the solution.)

Explanation: To apply the security template, you should use the Secedit.exe tool to create a batch file that contains the new security template. Then, you should run the batch file on the three Web servers on the demilitarized zone (DMZ). Secedit.exe is used to analyze or configure multiple computers. You can invoke the Secedit.exe tool at a command prompt, from a batch file, or by using the automatic task scheduler, and you can use it to automatically create and apply templates and to analyze system security. Servers that reside on a DMZ are generally not members of the Active Directory domain. This is for protection of the internal network. In this scenario, the security template should only apply to the Web servers, and they are not part of the domain. Therefore, it is not necessary to create a Web Servers OU in the Servers OU or in the Domain Controllers OU that would contain the computer accounts of the three Web servers.

Item: 22 (Ref:Cert-70-291.3.1.68)

[ ] Create a GPO and import the new security template into it.

[ ] Link the template to the Servers OU.

[ ] Link the security template to the Domain Controllers OU.

[ ] Create a Web Servers OU in the Servers OU that contains the computer accounts of the three Web servers.

[ ] Create a batch file that contains the new security template with the Secedit.exe tool.

[ ] Run the batch file on the three Web servers on the demilitarized zone (DMZ).

Answer:

Create a batch file that contains the new security template with the Secedit.exe tool.
Run the batch file on the three Web servers on the demilitarized zone (DMZ).

You administer your company's network. The network contains Windows Server 2003 and Windows XP Professional computers in a single Active Directory domain. You use a Windows Server 2003 computer in your office. You have logged on to your computer with a user account that is a member of the Users group. You must import a security template into a Group Policy object (GPO). You have the appropriate Microsoft Management Console (MMC) installed on your computer. You want to accomplish this task by using the most secure method and the principle of least privilege. What should you do?

Explanation: The principle of least privilege stipulates that an administrator should use an account with restricted permissions when performing routine tasks. An account with administrative privileges should only be used when performing administrative tasks. In this scenario, you should invoke the Run as command and enter your administrative credentials. Using the Run as command is the most secure method of following the principle of least privilege.

You should not log off from the network and log back on as a member of the Domain Admins domain local group. Although doing so is in accordance with the principle of least privilege, this is not the most secure method. Delegating your user account administrative privileges over the appropriate GPO would grant administrative privileges on the GPO to your regular user account, which does not implement the principle of least privilege. You can open the appropriate management console on any Windows Server 2003 computer that is a member of the domain and perform any task for which your user account has been assigned the necessary administrative privileges.

Item: 23 (Ref:Cert-70-291.3.1.69)

( ) Log off and log back in as a member of the Domain Admins domain local group.

( ) Invoke the Run as command and enter your administrative credentials.

( ) Delegate your user account administrative privileges over the appropriate GPO.

( ) You cannot perform this task remotely. You must interactively log on to a Windows Server 2003 domain controller.

Answer:

Invoke the Run as command and enter your administrative credentials.

You administer a single Active Directory domain named florawoods.com. All servers on the network run Windows Server 2003, and all client computers run Windows XP Professional. Your company is planning an update infrastructure. You want to use Microsoft Baseline Security Analyzer (MBSA) to identify all security weaknesses for the network. You want to use MBSA to scan only for updates that have been approved by your network's Software Update Services server. What should you do?

Explanation: Microsoft Baseline Security Analyzer (MBSA) is used to scan computers for vulnerabilities. One of the checks involves scanning for critical security updates. By default, MBSA attempts to connect to the Microsoft Download Center Web site on the Internet and download the most recent version of the mssecure.cab compressed file. From that file, MBSA extracts the mssecure.xml file, which contains the list of the available operating system updates. MBSA analyzes the target computer to determine which of the updates that are listed in the mssecure.xml file are installed on that computer and includes the results in its report. The mbsacli.exe command is the GUI version of MBSA. You should type this command with the /sus switch at a command prompt from the folder where the tool was installed. The /sus switch is added to the command with the SUS server name to check only for security updates that are approved at the specified Software Update Services (SUS) server. The mbsacli.exe /hf command is used to perform a HFNetChk-style scan. This type of scan checks for missing security updates and displays the scan results as text in the command line window. The mssecure.xml file is used by the MBSA to check for all updates that are listed on the Microsoft Update Web site. It cannot be edited.

The approvedsecurity.txt file does not exist in the MBSA folder. You can also scan the client computers by using the MBSA tool and choosing the SUS option. When the SUS option is chosen, all security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.

Item: 24 (Ref:Cert-70-291.3.1.70)

( ) Install the Microsoft Baseline Security Analyzer (MBSA) on a Windows Server 2003 server. Type mbsacli.exe /hf at a command prompt.

( ) Install the Microsoft Baseline Security Analyzer (MBSA) on a Windows Server 2003 server. Type mbsacli.exe /sus at a command prompt.

( ) Install the Microsoft Baseline Security Analyzer (MBSA) on a Windows Server 2003 server. Edit the mssecure.xml file with the approved security updates, and scan the client computers by running the MBSA utility.

( ) Install the Microsoft Baseline Security Analyzer (MBSA) on a Windows Server 2003 server. Edit the approvedsecurity.txt file with the approved security updates, and scan the client computers by running the MBSA utility.

Answer:

Install the Microsoft Baseline Security Analyzer (MBSA) on a Windows Server 2003 server. Type mbsacli.exe /sus at a command prompt.

You are a systems administrator for your company. All network server computers in the company run Microsoft Windows Server 2003. All client computers run either Microsoft Windows XP Professional or Windows 2000 Professional. The company's written security policy stipulates that the most recent security updates that are made available by Microsoft must be deployed to all computers on the network. Prior to the deployment, the updates must be tested for compatibility problems, and only approved updates should be made available on the network. You install and configure Software Update Services (SUS) on your company's internal Web server. All servers have been configured to obtain security updates directly from this server. You want to prevent users from installing updates that have not been tested. You decide to enable the Configure Automatic Updates policy. Which of the following actions should you perform?

Explanation: SUS is an application that allows you to implement a local Windows Update server so that computers on your network can download updates from that server rather than from Windows Update servers that are operated by Microsoft on the Internet. An SUS server can be configured to download updates from the Internet or from another SUS server for subsequent deployment on the network. The computers that must be updated can be configured as Automatic Update clients so that they download updates from the Internet or from a specified SUS server and install the updates automatically. You can create a Group Policy object (GPO), enable the Configure Automatic Updates policy, and specify the SUS server in the Specify intranet Microsoft update service location policy. The Remove access to use all Windows Update features setting would disable Automatic Updates on network computers, thereby preventing them from contacting the network's SUS server. Using Software Installation to assign or publish the updates to the computers would require you to repackage the updates for distribution and would prevent you from using the SUS server for update delivery.

Item: 25 (Ref:Cert-70-291.3.1.71)

( ) Expand the Software Settings node under Computer Configuration and assign the security updates to the computers.

( ) Expand the Software Settings node under Computer Configuration and publish the security updates to the computers.

( ) Expand the Administrative Templates node under User Configuration and enable the Remove access to use all Windows Update features policy.

( ) Expand the Administrative Templates node under Computer Configuration and configure the Specify intranet Microsoft update service location policy.

Answer:

Expand the Administrative Templates node under Computer Configuration and configure the Specify intranet Microsoft update service location policy.

You administer a single Active Directory domain that includes Windows Server 2003 and Windows XP Professional computers. Software Update Services (SUS) has been installed and configured on a Windows Server 2003 computer named SUS1. All computers have been configured to receive Windows updates from SUS1. A new Windows XP Professional computer has been joined to the domain with the fully qualified domain name (FQDN) of client25.corp.local. You must verify that all unnecessary services have been removed from the computer and that the computer is formatted with NTFS. In addition, you must ensure that all operating system updates have been installed on client25.corp.local. You have created a service.txt file and placed it on client25.corp.local. On client25.corp.local, you open the Microsoft Baseline Security Analyzer (MBSA) and select the Scan a computer option. You must select the appropriate scans to perform while minimizing the impact on performance. What should you do? (Choose all that apply. Each correct answer presents part of the solution.)

Explanation: The Check for Windows vulnerabilities check box will ensure that unnecessary services are removed from the computer and that only the NTFS file system is used. The Check for security updates check box will verify which updates have been installed on client25.corp.local. Selecting SUS1 from the Use SUS Server drop-down list will force client25.corp.local to download its updates from your corporate SUS server. The Check for weak passwords check box verifies password complexity for a computer's local account(s). The Check for IIS vulnerabilities check box performs various IIS security checks. The Check for SQL vulnerabilities check box performs various SQL security checks. The scenario does not indicate the presence of SQL or IIS on client25.corp.local and does not specify that MBSA should check for weak passwords. Performing any of these scans could negatively impact performance and thus should be avoided.

Item: 26 (Ref:Cert-70-291.3.1.72)

[ ] Select the Check for weak passwords check box.

[ ] Select the Check for security updates check box.

[ ] Select the Check for IIS vulnerabilities check box.

[ ] Select the Check for SQL vulnerabilities check box.

[ ] Select SUS1 from the Use SUS Server drop-down list.

[ ] Select the Check for Windows vulnerabilities check box.

Answer:

Select the Check for security updates check box.
Select SUS1 from the Use SUS Server drop-down list.
Select the Check for Windows vulnerabilities check box.

You are the network administrator for Goliath Industries. The network contains a single Active Directory domain as shown in the following exhibit.

According to your company's written security policy, Encrypting File System (EFS) can only be used on client computers. You create a domain account named EFSRec as the data recovery agent for the entire domain. A Group Policy object (GPO) named DomainGPO contains all security settings that are required on all computers in the domain. DomainGPO currently allows users to encrypt files with EFS. You must configure the appropriate settings to ensure that the written company security policy is enforced by using the minimum number of GPOs. What should you do?

Explanation: Encrypting File System (EFS) can be used to encrypt data on NTFS volumes. EFS is not used to encrypt network traffic; an EFS-encrypted file must be decrypted before it can be transmitted over the network. In this scenario, DomainGPO is configured at the domain level and enables the use of EFS. Thus, all computers, including servers, support EFS. This is in violation of your company's written security policy. To ensure that data cannot be encrypted on server computers by using EFS, you should disable support for EFS in DomainGPO. To enable client computers to encrypt data on their computers with EFS, you should create a new GPO that supports EFS and link the new GPO to the Clients OU. The new GPO should only be applied to Clients in order to meet the requirement that the minimum number of GPOs be configured.

Item: 27 (Ref:Cert-70-291.3.1.74)

( ) Create a new GPO that allows users to use EFS. Link the new GPO to the Clients OU.

( ) Create a new GPO that allows users to use EFS. Link the new GPO to the Desktop computers and Portable computers OUs.

( ) Configure DomainGPO to prevent users from using EFS. Create a new GPO that allows users to use EFS. Link the new GPO to the Clients OU.

( ) Configure DomainGPO to prevent users from using EFS. Create a new GPO that allows users to use EFS. Link the new GPO to the Desktop computers and Portable computers OUs.

Answer:

Configure DomainGPO to prevent users from using EFS. Create a new GPO that allows users to use EFS. Link the new GPO to the Clients OU.

You administer a single Active Directory domain that includes Windows Server 2003 and Windows XP Professional computers. You have imported a security template that contains several security settings into a domain-level Group Policy Object (GPO). A user notifies you that his computer, Client19, cannot run an application that is running on other client computers. You want to determine whether other security settings in addition to those that have been applied through the domain-level GPO are in effect on this computer. You must compare the current settings on Client19 against the security template to identify any conflicts. Which tool should you use?

Explanation: Secedit is the command-line version of Security Configuration and Analysis, the tool that can be used to perform various tasks related to applying and analyzing security templates. You can use secedit.exe to compare the security settings that are in effect on Client19 with those in the security template and discover any conflicts. The gpotool.exe tool verifies the group policies that have been applied to a computer. Gpresult is the command-line version of Resultant Set of Policy (RSoP), the tool that can be used to determine the effect of applying multiple GPOs to the same computer or user. Microsoft Baseline Security Analyzer (MBSA) analyzes a computer to check for security vulnerabilities. None of these tools can be used to compare computer settings with those contained in a security template.

Item: 28 (Ref:Cert-70-291.3.1.75)

( ) secedit.exe

( ) gpotool.exe

( ) gpresult.exe

( ) Resultant Set of Policy

( ) Microsoft Baseline Security Analyzer

Answer:

secedit.exe
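Items 22 and 28 both name secedit.exe: once to push a template onto DMZ Web servers that Group Policy cannot reach because they are not domain members, and once to compare a machine's effective settings against a template. The batch file below is an added example written for this page, not Transcender's material and not an official Microsoft sample. It assumes it is run from an elevated command prompt on the target machine (each DMZ Web server for item 22, or Client19 for the analysis step in item 28); the template, database and log paths are placeholders.

```batch
@echo off
REM Added example (not from the Transcender item): analyze a machine against a
REM security template, then apply that template, using secedit.exe as shipped
REM with Windows Server 2003 and Windows XP.
REM All paths below are placeholders; substitute the approved template's path.
setlocal
set TEMPLATE=C:\Templates\websrv.inf
set DB=C:\Templates\websrv.sdb
set ANALYZE_LOG=C:\Templates\websrv-analyze.log
set CONFIG_LOG=C:\Templates\websrv-configure.log

REM Step 1 (item 28's task): analysis only. The machine's current settings are
REM compared with the template and each differing setting is written to the log
REM as a "Mismatch" line. Nothing on the machine is changed by this command.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%ANALYZE_LOG%" /quiet
echo Settings on this machine that differ from the template:
findstr /i /c:"Mismatch" "%ANALYZE_LOG%"

REM Step 2 (item 22's task): apply the template. /overwrite discards any settings
REM already stored in the database so that only the template's settings are
REM applied. On a non-domain DMZ server this is the substitute for a GPO.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%CONFIG_LOG%" /quiet

echo Template applied; review "%CONFIG_LOG%" before returning the server to service.
endlocal
```

For the item 28 scenario, run only the analysis step: the log lists each conflicting setting, and opening the same websrv.sdb database in the Security Configuration and Analysis snap-in shows the identical comparison graphically. Keep the configure step for machines that Group Policy cannot manage; on domain members, a template imported into a GPO (item 23) is the supported delivery path.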

Item: 29 (Ref:Cert-70-291.3.1.76)

Página 34 de 49

Copyright © 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Page 35: MCSE 70-291(Prova 01)

You are the network administrator for a large clothing manufacturer. The network contains 100 Windows Server 2003 computers and 7,500 Windows XP Professional computers. Remote employees connect to your network through an L2TP VPN. Several top-level executives have been given Windows XP Professional laptop computers for use at home. They will connect using IPSec. You must be able to view the active security associations (SAs) of these connections. Which tools could you use on a Windows XP Professional computer? (Choose all that apply. Each correct answer presents a unique solution.)

Explanation: The executives will connect to the network from their Windows XP Professional computers. Therefore, you could use ipseccmd or the IP Security Monitor console to monitor the active SAs. The correct syntax for the ipseccmd command is shown below: ipseccmd show all If you wanted to monitor the active SAs generated by Windows Server 2003 computers, then you could issue the netsh ipsec dynamic show all command. If you wanted to monitor the active SAs generated by Windows 2000 Server computers, then you could issue the netdiag /test:ipsec /v /debug command. System Monitor is used to view information related to the components and services on a computer. It cannot be used to view IPSec information.

You administer your company's network. The network contains Windows Server 2003, Windows 2000 Server, and Windows XP Professional computers and is connected to the Internet. All data transmission is protected by Internet Protocol Security (IPSec). You suspect that certain IPSec policies are not being assigned to the Windows 2000 Server computers. You must view the name of the active IPSec policies that are being used by each computer. Which tool should you use?

gfedc netsh

gfedc netdiag

gfedc ipseccmd

gfedc System Monitor

gfedc IP Security Monitor

Answer:

ipseccmdIP Security Monitor

Item: 30 (Ref:Cert-70-291.3.1.77)

nmlkj netsh

nmlkj netdiag

nmlkj ipseccmd

nmlkj IP Security Monitor

nmlkj Group Policy Verification

Página 35 de 49

Copyright © 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Page 36: MCSE 70-291(Prova 01)

Answer:

netdiag

Explanation: You should use netdiag to view the name of the active IPSec policies that are being used by Windows 2000 Server computers. The netdiag tool can only view IPSec policies on Windows 2000 computers. You could also use the Transmission Control Protocol/Internet Protocol (TCP/IP) properties of each computer or ipsecmon.exe, which is the executable for IP Security Monitor in Windows 2000. IP Security Monitor is a Microsoft Management Console (MMC) snap-in available only in Windows Server 2003. On Windows Server 2003 computers, you should use the netsh tool to view active IPSec policy information. On Windows XP Professional computers, you should use the ipseccmd tool to view active IPSec policy information. To view active IPSec policy information on Windows Server 2003 or Windows XP Professional computers, you should use the IP Security Monitor console. The Group Policy Verification tool would enable you to view any group policies for which IPSec policies had been configured.

Item: 31 (Ref:Cert-70-291.3.1.79)

You administer a single Active Directory domain. The domain contains 1,000 Windows XP Professional client computers and 20 Windows Server 2003 computers. Internet Protocol Security (IPSec) is implemented on your network. You suspect that a user has been changing your network's IPSec policies. You want to identify the user or users who are making these changes, as well as any user who attempts to change these policies. What should you do?

( ) Enable success auditing for the Audit logon events audit policy for your domain.

( ) Enable success auditing for the Audit policy change audit policy for your domain.

( ) Enable success auditing for the Audit privilege use audit policy for your domain.

( ) Enable success and failure auditing for the Audit logon events audit policy for your domain.

( ) Enable success and failure auditing for the Audit privilege use audit policy for your domain.

( ) Enable success and failure auditing for the Audit policy change audit policy for your domain.

Answer:

Enable success and failure auditing for the Audit policy change audit policy for your domain.

Explanation: To identify the user or users who are modifying your network's IPSec policies, you should enable success auditing for the Audit policy change audit policy for your domain. This is best accomplished using a Group Policy Object (GPO). To identify any users who attempt to make changes to IPSec policies, you should enable failure auditing as well.


The Audit logon events audit policy audits each time a user attempts to log on or log off a computer or successfully logs on or logs off a computer. The Audit privilege use audit policy audits each successful instance of a user exercising a user right and each failed attempt to exercise a user right.

Item: 32 (Ref:Cert-70-291.4.1.27)

Situation: You administer an Active Directory domain. All servers run Windows Server 2003, and all client computers run Windows XP Professional. Term01 is a member server that provides Terminal Services for network clients and remote users who connect to the network through a RADIUS infrastructure. A developer has written a program named Termstart.exe, which handles some connection-related requirements when Terminal Services clients connect to Term01. You place the Termstart.exe file in the C:\termstart folder on Term01. You also create a directory named C:\Program Files\termscratch on Term01. Termstart.exe will use this directory for temporary information storage. On Term01, you open the Terminal Services Configuration console, click the Connections node, right-click RDP-Tcp in the right pane, select Properties, and select the Environment tab. Task: Configure the Environment tab so Termstart.exe will run each time a user establishes a Terminal Services connection with Term01. To complete the objective, open the exhibit, configure the necessary options, and select the text on the left and place it in the appropriate text boxes on the right.

This graphic is not available in print format.

Explanation: The solution to this simulation is depicted in the following exhibit:

The settings depicted on the Environment tab will cause the Termstart.exe program to start when a user establishes a Terminal Services connection with Term01. Termstart.exe will use the C:\Program Files\termscratch folder to store temporary files. Configuring this setting in the Terminal Services


Configuration console overrides these settings in user profiles and in the Remote Desktop Connection client. You can also configure the Start a program on connection Group Policy setting in either the Computer Configuration node or the User Configuration node of a Group Policy object (GPO). Note that Terminal Services policies that are configured in the Computer Configuration node of a GPO override conflicting Terminal Services policies that are configured in the User Configuration node. The Start a program on connection Properties dialog box is depicted in the following exhibit:

Item: 33 (Ref:Cert-70-291.4.1.35)

You are the network administrator for your company. The network contains a single Windows 2003 Active Directory domain. Routing and Remote Access has been installed on a Windows Server 2003 computer named Remote1. Remote1 allows both dial-up and virtual private network (VPN) connections. Smart cards are issued to all users who will access the network remotely. The smart cards will be used for both dial-up and VPN connections. All remote users have been issued Windows 2000 Professional laptops with smart card readers. The written security policy for your company states that these users are required to use the smart cards only when they connect to the network remotely. They should not use smart cards when they connect to the network locally. You must implement a remote access solution that will enforce this security policy. What should you do?

( ) In the Active Directory Users and Computers console, enable the Smart card is required for interactive logon option for each user account that will access the network remotely.

( ) Install a computer certificate on Remote1. Configure the remote access policy on Remote1 to accept only EAP-TLS authentication. Use the Remote1 computer certificate for authentication.

( ) Install a computer certificate on Remote1. Configure the remote access policy on Remote1 to accept only EAP-MD5 authentication. Use the Remote1 computer certificate for authentication.

( ) Install a computer certificate on each of the laptops. Configure the remote access policy on Remote1 to accept only EAP-TLS authentication. Use the laptop certificate for authentication.

( ) Install a computer certificate on each of the laptops. Configure the remote access policy on Remote1 to accept only EAP-MD5 authentication. Use the laptop certificate for authentication.

Answer:

Install a computer certificate on Remote1. Configure the remote access policy on Remote1 to accept only EAP-TLS authentication. Use the Remote1 computer certificate for authentication.

Explanation: Smart card authentication is the strongest form of user authentication available in the Windows Server 2003 family. Its use requires the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication method. You should install a computer certificate on Remote1, configure the remote access policy on Remote1 to accept only EAP-TLS authentication, and use the Remote1 computer certificate for authentication. No other authentication protocol, such as EAP-MD5, can be used with smart card authentication. Enabling the Smart card is required for interactive logon option for each user who will access the network remotely would force smart card authentication to be used for local connections. A computer certificate should be installed on Remote1, not on the laptop computers.

Item: 34 (Ref:Cert-70-291.4.1.36)

You are the network administrator for Roberts Enterprises, Inc. The network consists of a single Active Directory domain that consists of 8 Windows Server 2003 domain controllers, 5 Windows Server 2003 member servers, 1 enterprise certification authority (CA), and 500 Windows XP Professional computers. Recently, your company updated its security policy. Now, all wireless computers must use 802.1x certificate-based authentication with Protected Extensible Authentication Protocol (PEAP). Wireless Networking must be configured on 25 Windows XP Professional laptops. The security policy also states that administrative effort should be minimized. You must configure these 25 computers to meet the new security policy. What should you do? (Choose three. Each correct answer presents part of the solution.)

[ ] Create a certificate template for IEEE 802.1X authentication.

[ ] Configure the Default Domain Policy GPO with the appropriate wireless security settings.

[ ] Create a global group named WL_clients, and add the 25 user accounts to it.

[ ] Create a global group named WL_comps, and add the 25 computer accounts to it.

[ ] Configure certificate autoenrollment for the members of WL_clients.

[ ] Configure certificate autoenrollment for the members of WL_comps.

Answer:

Create a certificate template for IEEE 802.1X authentication.
Create a global group named WL_comps, and add the 25 computer accounts to it.
Configure certificate autoenrollment for the members of WL_comps.

Explanation: You should create a global group named WL_comps and add the 25 computer accounts to it. The certificates should be installed on each laptop computer. When PEAP is the authentication protocol, certificates are required for both the servers and the connecting computers. PEAP further protects the authentication process by encrypting the negotiation packets. The autoenrollment feature automatically assigns certificates, retrieves issued certificates, and renews expiring certificates without requiring user interaction, as long as the certificate template is configured to support autoenrollment. It is not necessary to create a global group named WL_clients and add the 25 user accounts to it. The scenario stipulates that certificates should be configured for the computer accounts, not the user accounts. You should only configure the Default Domain Policy GPO when you must make changes that apply to the entire domain.

Item: 35 (Ref:Cert-70-291.4.1.37)

You administer your company's Windows 2003 network. The Routing and Remote Access service has been installed on a Windows Server 2003 member server named RA1. Your company's sales employees require remote access to inventory reporting. You must ensure that all sales employees can establish a network connection, regardless of the location from which the call originates. Your company's customers must be able to log on to your network in order to view and track their orders. However, your company wants to limit the locations from which customers can dial into your network. You must configure RA1 to allow the appropriate access for your sales staff and customers. You want to ensure that mutual authentication is used to protect against remote server impersonation. Which three settings should you configure? (Choose three. Each correct answer presents part of the solution.)

[ ] Set the Callback option to No Callback for customers.

[ ] Set the Callback option to Set by Caller for customers.

[ ] Set the Callback option to Set by Caller for salespeople.

[ ] Set the Callback option to Always Callback to for customers.

[ ] Set the Callback option to Always Callback to for salespeople.

[ ] Enable Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1).

[ ] Enable Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).

Answer:

Set the Callback option to Set by Caller for salespeople.
Set the Callback option to Always Callback to for customers.
Enable Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).


Explanation: The Routing and Remote Access Callback option consists of three suboptions: Set by Caller, Always Callback to, and No Callback. When callback is enabled with either Set by Caller or Always Callback to, the remote access client will be called back at a number specified by the client or at a pre-determined number, respectively, after the user credentials are verified. Choosing No Callback will prevent the server from calling back the remote client. Because this option provides no security, it is not recommended. In this scenario, members of your Sales department must be able to dial into the network from any location. Thus, you should set the Callback option to Set by Caller for the sales staff. To limit the locations from which customers can dial into your network, you should set the Callback option to Always Callback to for customers. Because the Always Callback to option only permits a customer to remotely connect from a certain number, enabling this option provides greater security than enabling Set by Caller. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a one-way authentication protocol, which enables the server to authenticate the client but does not enable the client to authenticate the server. MS-CHAP supports the encryption of authentication and connection data. MS-CHAP v2 is a two-way authentication protocol that encrypts both authentication and connection data. Because you want to implement mutual authentication, you should use the MS-CHAP v2 authentication protocol.

Item: 36 (Ref:Cert-70-291.4.1.38)

You administer a single Active Directory domain that consists of Windows Server 2003 computers and Windows XP Professional computers. A Windows Server 2003 computer named ABR1 is connected to AreaA. Another Windows Server 2003 computer named ABR2 is connected to AreaB. AreaA has a summarized route of 204.29.18.0/26. AreaB has a summarized route of 204.29.19.0/27. You must identify valid subnets that you can include in AreaA and AreaB. Which two subnets are valid? (Choose two.)

[ ] 204.29.18.16/26

[ ] 204.29.18.32/26

[ ] 204.29.18.64/26

[ ] 204.29.18.96/26

[ ] 204.29.19.168/27

[ ] 204.29.19.176/27

[ ] 204.29.19.192/27

[ ] 204.29.19.208/27

Answer:

204.29.18.64/26
204.29.19.192/27

Explanation: The 204.29.18.64/26 and 204.29.19.192/27 subnets are valid in AreaA and AreaB. The 204.29.18.0/26 area can contain these subnets: 204.29.18.0/26, 204.29.18.64/26, 204.29.18.128/26, and 204.29.18.192/26. The 204.29.19.0/27 area can contain these subnets: 204.29.19.0/27, 204.29.19.32/27, 204.29.19.64/27, 204.29.19.96/27, 204.29.19.128/27, 204.29.19.160/27, 204.29.19.192/27, and 204.29.19.224/27.


The 204.29.18.16/26 subnet is not a valid subnet. This is a host address in the 204.29.18.0/26 subnet, which includes the 204.29.18.1 through 204.29.18.62 host addresses. The 204.29.18.32/26 subnet is not a valid subnet. This is a host address in the 204.29.18.0/26 subnet, which includes the 204.29.18.1 through 204.29.18.62 host addresses. The 204.29.18.96/26 subnet is not a valid subnet. This is a host address in the 204.29.18.64/26 subnet, which includes the 204.29.18.65 through 204.29.18.126 host addresses. The 204.29.19.168/27 subnet is not a valid subnet. This is a host address in the 204.29.19.160/27 subnet, which includes the 204.29.19.161 through 204.29.19.190 host addresses. The 204.29.19.176/27 subnet is not a valid subnet. This is a host address in the 204.29.19.160/27 subnet, which includes the 204.29.19.161 through 204.29.19.190 host addresses. The 204.29.19.208/27 subnet is not a valid subnet. This is a host address in the 204.29.19.224/27 subnet, which includes the 204.29.19.225 through 204.29.19.254 host addresses.
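The subnet check this explanation walks through by hand, as an added example that is not part of the Transcender material: it treats AreaA as the /26 subnets of 204.29.18.0/24 and AreaB as the /27 subnets of 204.29.19.0/24, exactly as the enumerated lists above do, and for a choice whose host bits are set it computes the subnet the address actually falls in (address AND mask) and that subnet's usable host range. The AREAS table and the function names are this example's own.

```python
import ipaddress

# Area definitions taken from the explanation: AreaA is made up of the /26
# subnets of 204.29.18.0/24 and AreaB of the /27 subnets of 204.29.19.0/24.
# The area names and address blocks come from the question; the table
# layout is this example's own construction.
AREAS = {
    "AreaA": (ipaddress.ip_network("204.29.18.0/24"), 26),
    "AreaB": (ipaddress.ip_network("204.29.19.0/24"), 27),
}


def area_subnets(area: str) -> list[str]:
    """List every subnet an area can contain, e.g. the four /26s of AreaA."""
    block, plen = AREAS[area]
    return [str(n) for n in block.subnets(new_prefix=plen)]


def classify(candidate: str) -> str:
    """Decide whether a candidate prefix is a valid subnet of one of the areas.

    A valid subnet has no host bits set (address AND mask == address), uses
    the area's prefix length, and lies inside the area's enclosing block.
    Otherwise the result names the subnet the address really belongs to and
    that subnet's usable host range, which is what the exam asks you to spot.
    """
    addr, plen_str = candidate.split("/")
    ip = ipaddress.ip_address(addr)
    plen = int(plen_str)
    # strict=False clears the host bits, yielding the subnet the address is in.
    enclosing = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
    if enclosing.network_address != ip:
        hosts = list(enclosing.hosts())  # excludes network and broadcast
        return (f"host address in {enclosing} "
                f"(hosts {hosts[0]} through {hosts[-1]})")
    for name, (block, area_plen) in AREAS.items():
        if enclosing.subnet_of(block):
            if plen != area_plen:
                return f"aligned but wrong size for {name} (needs /{area_plen})"
            return f"valid subnet in {name}"
    return "outside every area"


if __name__ == "__main__":
    for area in AREAS:
        print(area, area_subnets(area))
    # The question's eight answer choices.
    for choice in ["204.29.18.16/26", "204.29.18.32/26", "204.29.18.64/26",
                   "204.29.18.96/26", "204.29.19.168/27", "204.29.19.176/27",
                   "204.29.19.192/27", "204.29.19.208/27"]:
        print(f"{choice:18} {classify(choice)}")
```

Because the enclosing subnet is derived arithmetically, the function's output for each invalid choice can be compared line by line against the ranges quoted in the explanation.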

Item: 37 (Ref:Cert-70-291.4.1.39)

You are the network administrator for a clothing retailer with stores throughout the United States. The network contains Windows XP Professional and Windows Server 2003 computers. Your company's headquarters is located in Los Angeles, California. The distribution warehouse is located in Houston, Texas. A Windows Server 2003 computer in Houston named LAtoHous is configured as the default gateway for the Houston warehouse. LAtoHous contains four network adapters that connect it to headquarters. Interface1 is connected to a standard phone line. Interface2 is connected to an ISDN line. Interface3 is connected to a T1 line. Interface4 is connected to a second standard phone line. The Automatic metric check box is enabled for each network adapter installed on LAtoHous. Which interface will LAtoHous prefer?

( ) Interface1

( ) Interface2

( ) Interface3

( ) Interface4

Answer:

Interface3

Explanation: LAtoHous will prefer Interface3. The Automatic metric check box allows TCP/IP to determine the routing metric based on the speed of the network adapters. The interface with the highest speed has the lowest metric for its default route. Therefore, if all interfaces are operational, the fastest interface will be used. LAtoHous will not prefer Interface1 because it is connected to a standard phone line, which is slower than a T1 line. LAtoHous will not prefer Interface2 because it is connected to an ISDN line, which is slower than a T1 line. LAtoHous will not prefer Interface4 because it is connected to a standard phone line, which is slower than a T1 line.


Item: 38 (Ref:Cert-70-291.4.1.40)

You are the network administrator for your company. The network contains Windows XP Professional and Windows Server 2003 computers in a single Active Directory domain. A portion of the network is shown in the following exhibit.

A Windows Server 2003 computer named RAS1 is configured as a virtual private network (VPN) server. A Windows Server 2003 computer named DNS1 is configured as a DNS server. Your router is not configured to forward NetBIOS broadcasts. RAS1 is configured as a NetBIOS over TCP/IP (NetBT) proxy. VPN clients connect to your network by using RAS1. VPN clients run applications that use NetBIOS names. To which computers can the VPN clients connect by using NetBIOS names? (Choose all that apply. Each correct answer presents part of the solution.)

[ ] IIS1

[ ] IIS2

[ ] DNS1

[ ] FileSrv1

[ ] FileSrv2

[ ] PrntSrv1

[ ] PrntSrv2

Answer:

IIS1
FileSrv1
PrntSrv1

Explanation: The NetBT proxy on RAS1 will only resolve names on local subnets. Therefore, VPN clients will be able to connect only to IIS1, FileSrv1, and PrntSrv1. VPN clients will not be able to connect to IIS2, DNS1, FileSrv2, or PrntSrv2 because the router is not configured to forward NetBIOS broadcasts.


Item: 39 (Ref:Cert-70-291.5.1.39)

You administer a Windows Server 2003 computer named Data1 that hosts a mission-critical database. This database is accessed by most of the users on your network. Data1 is configured with a 2.6-MHz CPU, 512 MB of RAM, and three 25-GB hard disks. A single network adapter has been installed, and it is configured to connect to the LAN at 100 Mbps. Users report slow response times when they connect to the database on Data1. You open the Performance console and review the performance data from System Monitor as shown in the following exhibit.

Which system component is the most likely cause of the problem?

( ) processor

( ) memory

( ) hard disk

( ) network adapter

Answer:

memory

Explanation: The following threshold limits are suggested by Microsoft:

Memory - Pages/sec: less than 1 page per second for each page file
Memory - Available Bytes: more than 4 MB
PhysicalDisk - Current Disk Queue Length: less than the number of spindles + 2
Processor - % Processor Time: less than 85%

The Memory - Pages/sec counter monitors the rate at which pages are read from or written to disk to resolve hard page faults. This counter is one of the primary indicators of the kinds of faults that cause system-wide delays. A value greater than 20 in the Memory - Pages/sec counter indicates the need for additional memory. Ideally, this value should be 5 or below. An acceptable value for the PhysicalDisk - Current Disk Queue Length counter can be determined by adding 2 to the number of spindles present in the system. This system has three hard disks and, thus, three spindles. Therefore, an acceptable average for this counter in this scenario is 5 or less. Note that a 100-Mbps network adapter will support a throughput of 104,857,600 bytes per second (100 x 1,048,576 bytes). The network adapter speed must be converted in this way to determine the performance baseline when evaluating data from the Network Interface - Bytes Total/sec counter.

Item: 40 (Ref:Cert-70-291.5.1.40)

You are the network administrator for your company. The company's logical network design consists of three Active Directory domains. The network includes seven sites. All servers run Windows Server 2003. The


company's hours of operation are from 7 A.M. to 10 P.M. Monday through Friday. A server named Mail1 runs Exchange 2003. Mail1 is configured with a Pentium IV 2.6-MHz CPU, 512 MB RAM, and two 74.5-GB hard disks. A single 10/100 network adapter has been installed, and it is configured to connect to the LAN at 100 Mbps. Mail1 has a single storage group configured that hosts three mailbox stores. The server supports 3,500 user mailboxes. During business hours, users continually access their mailboxes. Users report slow response times when they access their mailboxes and open large e-mail messages. You investigate by using System Monitor and view the results shown in the exhibit.

Which system component is causing this bottleneck?

( ) processor

( ) memory

( ) hard disk

( ) network adapter

Answer:

memory

Explanation: The most likely reason that users report slow response times is a lack of memory. The various Windows operating systems automatically create a paging file, or swap file, to provide virtual memory support. By default, the size of the paging file is 1.5 times the amount of physical memory. When a computer runs low on memory, its disk subsystem can be negatively impacted as paging to virtual memory causes high levels of read I/O operations from and write I/O operations to the disk. This combination can severely reduce the operating efficiency of the system. In the exhibit, the Memory - Available Mbytes counter reports an average available memory of 20 MB. To promote efficient operations, this value should remain at or above 5 percent of the total system memory. For example, when 512 MB of RAM is installed, the average available memory should remain above 25.6 MB. The Memory - Page Faults/sec counter is the average number of pages faulted per second, including both hard faults, which require disk access, and soft faults, which occur in physical memory. An acceptable level of page faults is indicated by a value below 5 for this counter. The Memory - Pages/sec counter represents the rate at which pages are read from or written to disk to resolve hard page faults. This value should remain between 0 and 20 and should average below 5 to indicate efficient memory usage. Ideally, it should be under 1. The Physical Disk: %Disk Time counter indicates the amount of time the disk was busy servicing read or write requests. This value should remain at or below 50% for the disk to be operating efficiently. A value over 100 percent can occur when multiple disks are installed and the counter is configured to monitor the _Total instance. However, factors related to memory and other system components must first be considered before identifying the hard disk as the source of the bottleneck. In this scenario, it is clear that memory must be added to Mail1 before the efficiency of the hard disks can be properly evaluated. None of the counters in the exhibit indicate that either the CPU or the network adapter is a cause of the bottleneck.


Item: 41 (Ref:Cert-70-291.5.1.41)

You administer your company's network, and its configuration is shown in the following exhibit.

Routing and Remote Access has been installed on FW1 and FW2. Corporate users need access to internal and external resources every day. Customers who must access resources on your corporate network connect to the Customer subnet. The customers connect to this subnet with Windows 2000 Professional computers through a virtual private network (VPN) connection that uses an L2TP over IPSec tunnel. Customers who are permitted to connect to the Customer subnet must be prevented from accessing Internet resources. You plan to configure a TCP/IP filter on one of the router interfaces that will drop any HTTP or HTTPS traffic that originates from the Customer subnet. On which interface should you configure the filter?

( ) FW1-Interface1

( ) FW1-Interface2

( ) FW2-Interface1

( ) FW2-Interface2

Answer:

FW1-Interface2

Explanation: In order to prevent your company's customers from accessing the Internet when they are connected to the Customer subnet, you should configure the filter on FW1-Interface2. Doing so will prevent any HTTP or HTTPS traffic from being sent to the Internet through FW1. By default, HTTP uses port 80, and HTTPS uses port 443. You should not configure the filter on FW1-Interface1. You should place the filter on the internal interface of FW1, not the external interface. Allowing the customers' HTTP and HTTPS traffic to reach FW1-Interface1 would unnecessarily increase the level of traffic on FW1. Configuring the filter on FW2-Interface1 or FW2-Interface2 would prevent the customers from accessing HTTP and HTTPS resources on the Customer subnet.

Item: 42 (Ref:Cert-70-291.5.1.42)

You administer your company's network, which contains Windows XP Professional and Windows Server 2003 computers in a single Active Directory domain. You must configure several Windows Server 2003 computers to send notifications when certain performance thresholds are reached. These notifications must be sent to several computers on the network. What should you do?


( ) Enable the Alerter service on the server computers that will be monitored and on the client computers that will receive the notifications.

( ) Enable the Messenger service on the server computers that will be monitored and on the client computers that will receive the notifications.

( ) Enable the Alerter service on the server computers that will be monitored. Enable the Messenger service on the client computers that will receive the notifications.

( ) Enable the Messenger service on the server computers that will be monitored. Enable the Alerter service on the client computers that will receive the notifications.

Answer:

Enable the Alerter service on the server computers that will be monitored. Enable the Messenger service on the client computers that will receive the notifications.

Explanation: The Alerter service generates alerts when performance thresholds are reached. The Messenger service receives the alerts when performance thresholds are reached. Therefore, you should enable the Alerter service on the server computers that will be monitored and enable the Messenger service on the client computers that will receive the notifications. Enabling the Alerter service on both the server and client computers would allow each of these computers to generate alerts. However, implementing such a configuration would not ensure that the alerts would be delivered to the appropriate computers. Enabling the Messenger service on both the server and client computers would allow each of these computers to receive alerts. However, implementing this configuration would not ensure that the alerts would be generated appropriately. Enabling the Messenger service on the server computers and enabling the Alerter service on the client computers would achieve the opposite of the scenario's stated goal.

Item: 43 (Ref:Cert-70-291.5.1.43)

You administer your company's network, which consists of Windows Server 2003 and Windows XP Professional computers in a single Active Directory domain. Your company has decided to implement an e-commerce Web site. The site will include both public and private Web sites for customers. The site will be configured on a Windows Server 2003 computer named Web1, and it will run a third-party Web application. You must ensure that the appropriate services are enabled on Web1 to support this Web site. Which services should be enabled to support the Web site? (Choose all that apply. Each correct answer presents part of the solution.)

[ ] HTTP SSL

[ ] WebClient

[ ] DNS Client

[ ] DNS Server

[ ] IIS Admin Service

[ ] World Wide Web Publishing Service

[ ] WinHTTP Web Proxy Auto-discovery Service


Answer:

HTTP SSL
World Wide Web Publishing Service

Explanation: HTTP SSL will provide services for the private portion of the Web site. The World Wide Web Publishing Service will provide services for the public portion of the Web site. HTTP SSL is the encrypted version of the HTTP protocol and is used for secure, private Web sites. The World Wide Web Publishing Service is the service that runs the HTTP protocol and is used for non-secure, public Web sites. Private sites can only be accessed if you have the appropriate certificate or credentials. Public sites can be accessed by anyone. Both services must be installed to ensure that both types of sites can operate on the server. The WebClient service enables Windows programs to create, access, and modify Internet-based files. The DNS Client service provides the ability to browse the Internet. However, it alone will not ensure that your Web site is available. The DNS Server service provides name resolution services to the Internet. However, it alone will not ensure that your Web site is available. The IIS Admin Service is only necessary if you use Internet Information Services (IIS) to manage the Web site. According to the scenario, a third-party Web application will be used to manage the Web site. The WinHTTP Web Proxy Auto-discovery Service enables an HTTP client to automatically discover a proxy configuration.

Item: 44 (Ref:Cert-70-291.5.1.44)

You are the network administrator for your company. The network consists of Windows 2000 Professional, Windows XP Professional, and Windows Server 2003 computers in a single Active Directory domain. A Windows Server 2003 computer named DHCP1 functions as the DHCP server for the network. You want to configure several services on DHCP1 for automatic recovery in the event that any of these services fail. For which service or services can you enable automatic recovery? (Choose all that apply.)

[ ] Event Log

[ ] Net Logon

[ ] DNS Client

[ ] DHCP Server

[ ] Plug and Play

[ ] Protected Storage

[ ] Error Reporting Service

Answer:

DNS Client
DHCP Server
Error Reporting Service


Explanation: Automatic recovery can be enabled for the DNS Client, DHCP Server, and Error Reporting Service services. To configure automatic service recovery, open the Services console, right-click the service, and select Properties. On the Recovery tab, configure the appropriate options. None of the other listed services support automatic recovery; if those services fail, the computer must be restarted. Net Logon can be configured for automatic recovery only if the computer is a member of a workgroup. Member servers and domain controllers cannot be configured for automatic recovery of the Net Logon service.
