Best Microsoft 70-291 Exam Questions for Free, Download the Latest 70-291 Dumps, Practice Test and Study Guide
Enjoy Free Microsoft 70-291 Exam Questions. Download the Best 70-291 Cheat-Test Sample Questions.
Version: 8.5 Release Date: May, 2012
Q: 1
You work as It Admin at ABC.com. The ABC.com network consists of a domain named ABC.com.
The servers at the ABC.com network run Windows Server 2003. The ABC.com network has a file
server named ABC-SR18. ABC-SR18 hosts shared folders.
During your routine monitoring, you notice that ABC-SR18 has a connectivity issue. To investigate
further you run Network Monitor, but notices that during capturing, network packets were dropped.
What actions must you take to minimize the dropping of packets while monitoring ABC-SR18?
A. You should configure a persistent demand-dial connection.
B. You should configure a two-way initiated demand-dial connection.
C. You should use dedicated capture mode when utilizing the Network Monitor.
D. You should select the Do not overwrite events option in the Event Viewer.
Answer: C
Explanation: The CPU of ABC-SR18 runs on 80%, which indicates that there are not enough
resources to the network Monitor. Running Network Monitor in dedicated capture mode frees
resources on the computer for capturing datA. This results in fewer frames being dropped. The
capture statistics are not displayed or refreshed because the frames are copied to the capture
buffer.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, p. 841
Q: 2
You work as the network administrator at ABC.com. The ABC.com network consists of a single
Active Directory domain named ABC.com. The servers at the ABC.com network run Windows
Server 2003 and the workstations, Windows XP Professional.
The ABC.com network has a DNS server named ABC-SR03 that does name resolution for host on
the Internet. ABC.com users complain that they do not get the correct site when trying to access
Web site known to them.
What actions must you take to stop this from happening without disrupting production?
A. You should restart the DNS Server service.
B. You should select the Secure cache against pollution setting.
C. You should run the ipconfig/flushdns on ABC-SR03.
D. You should run the ipconfig/registerdns on ABC-SR03.
Answer: B
Explanation: When the Secure cache against pollution setting is disabled, all records received in
response to DNS queries are cached. This is true even when the records do not match to a
queried domain name. Enabling the Secure cache against pollution setting disables the ability to
pollute the DNS cache with incorrect information, and spoof DNS queries. With Windows Server
2003 the default setting is that caches are secured against pollution. This will then prevent users
that browse the Internet from being directed to the wrong websites.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE:
Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network
Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 496-
497
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft
Press, Redmond, 2003, Part 1, Chapter 3, pp. 285, 291
Q: 3
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The ABC.com network has a server named ABC-SR10 that runs Windows Server Update
Services (WSUS). During synchronization you notice that you cannot connect to the Windows
Update servers, however, you can access to other Web site not residing in the intranet.
What actions must you take to connect to the Windows Update servers?
A. You must run the ipconfig/registerdns.
B. You must configure the forwarders on ABC-SR10.
C. You must set the authentication to the proxy server in the WSUS settings.
D. You must run the gpupdate /force command on ABC-SR10.
Answer: C
Explanation: In the Software Update Services administration console, there is an option to
configure your internet connection settings. These settings include proxy server settings. If you
have a proxy server between the SUS server and the internet, you need to configure the proxy
server settings in the SUS options.
Q: 4
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003. ABC.com has a
subsidiary named Test Labs, Inc. that has a domain named testlabs.com.
The ABC.com network has a DNS server named ABC-SR05. ABC-SR05 acts as a secondary
zone for testlabs.com
What actions must you take to track when the DNS server at Test Labs, Inc. sends notifications of
modifications in the zone of testlabs.com to ABC-SR05?
A. You must run the gpresult command in verbose mode.
B. You must select debug logging and set the log to store Notification events on ABC- SR05.
C. You must run the secedit command in analysis mode.
D. You must configure a two-way initiated demand-dial connection.
Answer: B
Explanation: Debug logging is disabled by default and has to be enabled on ABC-SR05. Select
the Log packets for debugging check box to configure Debug Logging. To receive useful debug
logging information, you should select a Packet direction, a Transport protocol, and at least one
more option. You can also specify the file path and name, and the maximum size for the log file.
Enabling Debug Logging slows DNS server performance.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE:
Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network
Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 551
Q: 5
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003.
The ABC.com network has a Web server named ABC-SR11. During a routine monitoring you
notice an increase in network traffic. Due to this you need to find out the MAC address of the
workstation that initiated the transfers and the command that was used. However, you action must
not effect ABC-SR11.
What actions must you take?
A. You must run the ipconfig/registerdns.
B. You must use the Netmon utility.
C. You must capture the IP traffic to ABC-SR11.
D. You must Enable Server Message Block (SMB) signing on all the workstations.
Answer: C
Explanation: Network Monitor tool allows you to capture datA. The tool also allows you to identify
its source from where it came from. The Network Monitor tool also allows you to analyze the
content of the message. Use a Network Monitor capture filter to capture IP traffic from any
computer to ABC-SR11, and apply the capture filter before capturing the data.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE:
Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network
Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 198,
543
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft
Press, Redmond, 2003, Part 1, Chapter 3, pp. 140, 144, 145.
Q: 6
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003.
The ABC.com network has only one DNS server named ABC-SR11 that only hosts the zone for
ABC.com. During the course of the day you have received complaints that the response time of
the connections to other workstations is very poor.
What actions must you take to see if it is the DNS client traffic on ABC-SR11?
A. You must set up a log of the Total queries/sec and the DNS counters Dynamic updates/sec.
B. You must configure a Network Monitor capture filter.
C. You must run the gpresult command.
D. You must set up the Performance Logs and Alerts to note down the Physical-Disk object.
Answer: A
Explanation: The System Monitor utility is used to collect and measure the real-time performance
data for a local or remote computer on the network. Through System Monitor, you can view
current data or data from a log file. When you view current data, you are monitoring real-time
activity. When you view data from a log file, you are importing a log file from a previous session.
Using the System Monitor, you can generate statistics on the following types of information
regarding DNS services:
AXFR requests (all-zone transfer requests), IXFR requests (incremental zone transfer requests),
DNS server memory usage, Dynamic updates, DNS Notify events, Recursive queries, TCP and
UDP statistics, WINS statistics and Zone transfer issues. Thus to find out where DNS client traffic
is responsible for the slow speed at which computers connect within the ABC.com domain, then
you should create a log of the Dynamic Updated/sec and the Total queries/sec given the fact that
ABC-SR05 is the only DNS server in the domain.
Reference:
James Chellis, Paul Robichaux and Matthew Sheltz, MCSA/MCSE: Windows Server 2003
Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc.
Alameda, 2003, pp. 70-73, 304
Q: 7
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The ABC.com network has a Web server named ABC-SR10 that has the Internet Information
Services (IIS) 6.0 installed. ABC-SR10 hosts a Web site that can be reached from the internal
network and the Internet. The internal traffic at ABC.com needs authentication without a secure
protocol to access the Web site; however Internet traffic needs to authenticate with a secure
protocol.
What actions must you take to ensure that the all accesses to ABC-SR10 use a secure protocol?
A. You need to configure the log to capture Notification events.
B. You need to apply the hisecdc.inf predefined security template.
C. You need to monitor network traffic and IIS logs.
D. You need to apply a custom security template.
Answer: C
Explanation: To make sure that the users are using a secure protocol, you must use the Network
Monitor. The Network Monitor allows you to capture frames directly from the network. As soon as
the frames are captured it will display and filter captured frames. The Network Monitor also allows
you to edit captured frames and transmit them on the network.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291),
Chapter 4
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft
Press, Redmond, 2003, 1: 26, 3: 3.
Q: 8
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The ABC.com network has two servers, named ABC-SR30 and ABC-SR31, which contain file with
sensitive company information. You create a new OU named SenSrv and move ABC-SR30 and
ABC-SR31 to the new OU. You then create a new GPO that and configure it to encrypt all network
connections. You then link the GPO to the SenSrv OU.
How would you check to see if encrypted connections to ABC-SR30 and ABC-SR31 are taking
place?
A. By opening the Resultant Set of Policy console.
B. By running the Microsoft Baseline Security Analyzer (MBSA).
C. By applying the hisecdc.inf predefined security template.
D. By opening the IP Security Monitor console.
Answer: D
Explanation: Administrators can use the IP Security Monitor tool to confirm whether IP Security
(IPSec) communications are successfully secured. The tool can display the number of packets
that have been sent over the Authentication Header (AH) or Encapsulating Security Payload
(ESP) security protocols, and how many security associations and keys have been generated
since the computer was last started. The IP Security Monitor is implemented as a Microsoft
Management Console (MMC) snap-in on the Windows Server 2003 and Windows XP Professional
operating systems. It includes enhancements that allow you to view details about an active IPSec
policy, in addition to Quick Mode and Main Mode statistics, and active IPSec SAs. IP Security
Monitor also enables you to search for specific Main Mode or Quick Mode filters.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291),
Chapter 5
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft
Press, Redmond, 2003, p. 15: 20
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, p.795
Q: 9
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional. The ABC.com network has a DNS server named
ABC-SR03.
ABC.com changes ISPs. Now you receive complaints that ABC.com users cannot connect to Web
sites on the Internet by using the URL of the Web site.
You configure your workstation with the DNS server address of the new ISP. You can now
connect to Web sites by entering their URL in the browser.
How would you configure ABC-SR03 to allow all users to connect to Internet Web sites without
causing connectivity problems on the internal network?
A. You need run the Oclist.exe command and the Security Configuration and Analysis console on
ABC-SR03.
B. You need to utilize the default root hints of ABC-SR03 and set up a forwarder to the new ISP.
C. You need run the Dcgpofix on ABC-SR03 and set up forwarding to the new ISP.
D. You need to disable recursion and run the Security Configuration and Analysis console on
ABC-SR03.
Answer: B
Explanation: Forwarders are used to inform DNS where to look for name resolution when not in
the local DNS database. With Windows Server 2003 conditional forwarding, recursive query
requests can be subject to different DNS forwarder servers based on the domain name queried.
The root hints file (cache hints file) contains host information needed to resolve names external of
the authoritative DNS domains. It holds names and addresses of root DNS servers which are
normally located on the Internet. In this situation where your network is connected to the Internet,
the root hints file should contain the addresses of the root DNS servers on the Internet. With the
default installation of Windows Server 2003, DNS uses the root hints file. It is not necessary to
configure forwarders to access the Internet. Even though it is recommended to configure
forwarders to point to your external domain, root hints will function quite fine.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291),
Chapter 3
J. C. Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft
Press, Redmond, 2003, Part 1, Chapters 4 & 5, pp. 193, pp. 194; and pp. 247.
Q: 10
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
ABC.com has a Web server named ABC-SR10 which is connected to the Internet. During the
course of the day you have received instructions from the CIO to use System Monitor to determine
how much bandwidth is used on ABC-SR10's Internet connection. You decide to use the Bytes
Total/sec counter with a sample rate of 10 seconds. You also plan to archive the logs once a day.
Due to limited hard drive space, you need to prevent the logs from getting too big.
What actions must you take to?
A. You should disable recursion.
B. You should create a one-way initiated demand-dial connection.
C. You should configure an alert trigger when the Datagrams/sec counter is high.
D. You should keep ABC-SR10 on the existing counter and set the sample rate to 60 seconds.
Answer: D
Explanation: The function of the Network Interface Bytes Total/Sec counter is to measures the
total number of bytes that are sent/ received from the network interface. You use less processor
cycles when you reduce the sampling frequency.
Reference:
Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing
and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond, 2003,
Chapter 12, p. 479
Q: 11
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com.
ABC.com has several subsidiary companies whose Web sites and DNS zones are hosted on
servers at ABC.com.
What actions must you take to allow the DNS server at ABC.com to generate a report of the listed
zones on a weekly basis?
A. You need to utilize the ipconfig/registerdns.
B. You need to NetMon utility on the DNS server.
C. You need to utilize the dnscmd utility on the DNS server.
D. You need to utilize the ADSIEdit utility on the DNS server.
Answer: C
Explanation: The dnscmd utility can be found with the support tools on the Windows Server 2003
CD-ROM. The dnscmd /unumzones list all the zones on a DNS server.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, pp. 442, 858
Q: 12
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The ABC.com network has a server named ABC-SR18, which contains file with sensitive company
information. You receive instructions to ensure that network connections to ABC-SR18 are
encrypted using IPSec. You decide to implement the Server (Request Security) IPSec policy on
ABC-SR18. You later discover that there are still workstations connecting to ABC-SR18 that do
not use IPSec.
What actions must you take to on ABC-SR18 to have all workstations use IPSec when connecting
to ABC-SR18?
A. You need to run the wuauclt /detectnow command.
B. You need to assign the Secure Server (Require Security) IPSec policy.
C. You need to run the Security Configuration and Analysis console.
D. You need to use Kerberos authentication.
Answer: B
Explanation: The Secure Server (Require Security) policy specifies that all IP traffic must use
IPSec. The Secure Server (Require Security) default policy is ideal for ABC-SR18 that needs high
security. When this option is selected, the server requires all communications to be secure. If a
client is not IPSec-aware, the session will not be allowed.
Reference:
Diana Huggins, Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291),
Chapters 4 & 5
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE:
Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network
Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, pp. 867-
868
Zacker, Craig, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a
Microsoft Windows Server 2003 Network, Microsoft Press, Redmond, 2003, p. 629
Q: 13
You work as the network administrator at ABC.com. The ABC.com network has of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
The ABC.com network contains a server named ABC-SR20. ABC-SR20 contains an in-house
application that runs as a service named NetApp1, which fails from time to time. During the course
of the day you have received instructions from the CIO to implement the following process for
NetApp1:
• The NetApp1 service should be restarted if it fails after running for at least a day.
• ABC-SR20 should be restart if the NetApp1 service fails unsuccessful the entire workday, the
server should be rebooted.
What actions must you take to implement this plan? (Choose all that apply.)
A. You need to enable the Master Key perfect forward secrecy (PFS).
B. You need to set up the response to the first and second failure to restart NetApp1.
C. You need to apply the Securews.inf security template.
D. You need to set up the Reset fail count after value for NetApp1 to 1 day.
E. You need to disable all services that are not required.
Answer: B,D
Explanation: This question basically involves managing services through Control Panel. You can
indicate the number of days after which the number of times a failure has occurred should be reset
to 0 in the Reset fail Count dialog box. The Restart Service After dialog box is where you indicate
the number of minutes to wait prior to trying to restarting a service (NetApp1) subsequent to a
failure. The Restart Computer Options dialog box is where you indicate the number of minutes to
wait prior to restarting the computer (ABC-SR20).
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Chapter 12, Syngress Publishing Inc., Rockland, 2003, pp. 777 – 783
Q: 14
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The ABC.com network has a Web server named ABC-SR24 that has the IIS 6.0 installed and
hosts Web site that is only accessible from the internal network. You configure the Web site to use
only secure HTTP.
How would you check if HTTPS connections to the Web site are being rejected?
A. You need to use the NetMon utility on ABC-SR24.
B. You need to use the Network Monitor to log the network traffic.
C. You need to use the Event Viewer to examine the logged event entries.
D. You need to check the log files of the IIS on ABC-SR24.
Answer: D
Explanation: We can review the log files created by IIS on the Web server to view connection
data.
Q: 15
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional. ABC.com network has a domain controller named ABC-DC01.
ABC.com employees complain that it sometimes takes a while to log on to ABC-DC01. You have
also notice that replications between the other domain controllers and ABC-DC01 is sluggish at
times.
You have received instruction to identify the cause of these problems and need determine if the
problem is linked to a shortage of hardware resources on ABC-DC01.
What actions must you take first?
A. You need to configure an alert trigger in the Datagrams/sec counter.
B. You need to track ABC-DC01’s queue lengths.
C. You need to monitor the LogicalDisk, PhysicalDisk, Processor, Memory and Network Interface
performance objects.
D. You need to use a trace log to capture Page faults, File details, Network TCP/IP, and Process
creations/deletions events.
Answer: B
Explanation: One of the functions of the System monitor is to display performance data about the
local, or one or more remote computers in real time. The System Monitor tool also log a history of
performance results over time for local or remote computers. To monitor system performance, you
must identify performance objects, counters, and instances of those objects so that System
Monitor knows which areas of system performance to track and display.
Reference:
Dan Balter, MCSA/MCSE Managing and Maintaining a Microsoft Windows Server 2003
Environment Exam Cram 2 (Exam 70-290), Chapter 6
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, MCSA/MCSE:
Exam 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network
Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 551
Q: 16
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
either Windows XP Professional or Windows 2000 Professional.
You need to produce a report of all computers that indicates whether the computer has the latest
security updates installed, whether the computer has shared folders; and what file system(s) is
used on the computer.
How would you gather information from the computers for this repost?
A. You need to install and run mbsacli.exe with the suitable configuration switches.
B. You need to run gpresult.exe.
C. You need to install the latest version of the Mssecure.xml and copied to the program
files\microsoft baseline security analyzer folder.
D. You need to use Network Monitor in dedicated capture mode.
Answer: A
Explanation: The Microsoft Baseline Security Analyser can perform all the required assessments.
Mbsacli.exe includes HFNetChk.exe which is used to scan for missing security updates.
In general, the MBSA scans for security issues in the Windows operating systems (Windows NT 4,
Windows 2000, Windows XP), such as Guest account status, file system type, available file
shares, members of the Administrators group, etc. Descriptions of each OS check are shown in
the security reports with instructions on fixing any issues found.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd & Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, pp. 788-790
Q: 17
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
ABC.com has a server named ABC-TS12 that has the Terminal Server services installed. ABCTS12
is used by the employees to access their applications and connect to the Internet.
A ABC.com employee named Andy Reid complains that when he logs on to ABC-TS12, he cannot
change the security settings of Internet Explorer on his client computer.
What actions must you take to resolve this problem?
A. You need to enable the Configure Automatic Update setting on the workstations.
B. You need to enable the Reschedule Automatic Updates scheduled installations option on the
workstations.
C. You need to remove the Internet Explorer Enhanced Security Configuration on ABC-TS12.
D. You need to enable the user-level Terminal Server setting.
Answer: C
Explanation: Internet Explorer Enhanced Security Configuration is installed by default on
Windows 2003 Server computers. With Internet Explorer Enhanced Security Configuration
installed, web pages may not display in Internet Explorer as expected and applications that require
the browser may not work correctly because scripts, Microsoft ActiveX controls, the Microsoft
virtual machine (Microsoft VM) for HTML content, and file downloads have been disabled. This is
what is causing the security messages when users connect to the server via Terminal Services.
Therefore, the solution is to uninstall Internet Explorer Enhanced Security Configuration on ABCTS12.
Q: 18
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations run a mix of operating systems.
The ABC.com network has a multi-homed named ABC-SR24 that has the Routing and Remote
Access Service (RRAS) installed. A new ABC.com security policy requires that ABC-SR24 be
configured to only support connections from computers running Windows 95, Windows 98,
Windows 2000 Professional, and Windows XP Professional.
What actions must you take to use a secure authentication method suitable for the operating
system?
A. You need to enable Kerberos V5.
B. You need to enable NTLMv2.
C. You need to enable MS-CHAP Version 1 and 2.
D. You need to enable EAP-TLS.
Answer: C
Explanation: The MS-Chap Version 1 is a one-way authentication method encrypting both the
authentication data and connection data and MS-CHAP uses the same cryptographic key in all
connections and supports the older Windows clients.
The MS-CHAP version 2 is a mutual authentication method encrypting both authentication data
and connection data and MS-CHAP Version 2 uses a new cryptographic key for each connection
and each direction of transmission.
Reference:
J.C. Mackin, Ian McLean MCSA/MCSE Self-Paced Training Kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 network Infrastructure, Microsoft
Press, Redmond, 2003, pp. 10: 10
Q: 19
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
ABC.com is only utilizing Kerberos authentication on the internal network. During the course of the
day you receive a complaint from a ABC.com employee named Mia Hamm that she gets an
Access denied error when she tries to access a member server named ABC-SR05.
What actions must you take to check that Kerberos authentication is working properly on Mia
Hamm's workstation?
A. You need to use the netdom command.
B. You need to use the netdiag command.
C. You need to use the dcgpofix command.
D. You need to use the HFNetChk command.
Answer: B
Explanation: Netdiag is a command-line diagnostic tool that you can use to test network
connectivity. It performs a series of tests to determine the state and functionality of a network
client. You can use the results of these tests, and network status information provided by Netdiag
to assist you in isolating network and connectivity problems on your Windows 2000-based
workstation or server computer. The netdiag command is used to run a diagnostics test against
your server to see if anything is not working correctly.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, pp. 871-874
Q: 20
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The Default Domain Policy has been updated recently through a security template file. The
security template file contained a number of security configuration settings.
You notice that a server named ABC-SR05 can no longer run a program that is operational on
other network servers which have a similar configuration. You suspect that additional security
settings could have been added to the local security policy on ABC-SR05.
You want to run a utility on ABC-SR05 to compare the current security settings on ABC-SR05 to
that of the security template file. You want to use a tool that will automatically identify all settings
that might have been added to the local security policy on ABC-SR05.
What actions must you take on ABC-SR05?
A. Run the ADSIEdit on ABC-SR05.
B. Run the Security Configuration and Analysis console on ABC-SR05.
C. Run gpresult.exe on ABC-SR05.
D. Run the Dcgpofix on ABC-SR05.
Answer: B
Explanation: You can use the Security Configuration and Analysis console to analyse a system
by comparing the local security settings to a template. When you analyse a system, any
differences in configuration between the local computer and the defined template will be displayed.
Security Configuration and Analysis tool is used to compare the current security configuration with
a security configuration that is stored in a database. You can create a database that contains a
preferred level of security and then run an analysis that compares the current configuration to the
settings in the database. Security Configuration and Analysis includes the following features:
• Security Templates
• Security Configuration and Analysis
• Secedit command-line command
To analyze the security configuration of your computer, you must perform the following two steps:
• Create the security database by using a security template
• Compare the computer security analysis to the database settings.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, pp. 797, 868
Q: 21
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The ABC.com network has two servers named ABC-SR10 and ABC-SR11. ABC-SR10 runs
Windows Server Update Services (WSUS) and ABC-SR11 is a file server. You want all approved
critical updates to be applied to ABC-SR11 as soon as possible.
What actions must you take?
A. You should run the Dcgpofix command on the ABC-SR01.
B. You should run the Secedit command on the ABC-SR01.
C. You should run the wuauclt /detectnow command on each of the five high-visibility servers.
D. None of the above
Answer: C
Explanation:
To ensure that the updates are applied within one hour, you need to type the wuauclt /detectnow
command at the command prompt on each of the six high-visibility servers. This is because the
automatic updates occur daily, at a configurable time; however, you can force a client computer to
synchronize immediately with its WSUS server. To do so, you need to enter the wuauclt.exe
/detectnow command at a command prompt on the client computer:
Reference:
Planning your deployment of Client Security / Client deployment using WSUS
http://technet.microsoft.com/en-us/library/bb418807.aspx
Q: 22
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The ABC.com network has a server named ABC-SR13 that runs Terminal services and has
support for Telnet connects. The computer account for ABC-SR13 is located in an organizational
unit named TelnetServerOU.
A new ABC.com security policy requires the use of IPSec for all Telnet communications. You
configure a Group Policy object (GPO) to enforce the new security policy requirement and link the
GPO to the TelnetServerOU. During routine monitoring you discover that Telnet connections to
ABC-SR13 lack encryption. You thus need to determine the appropriate IPSec setting that needs
to be implemented on ABC-SR13.
What action must you take?
A. You should run the Security Configuration and Analysis console
B. You should use the IP Security Monitor console.
C. You should run the System Monitor snap-in.
D. You should run apply the hisecws.inf template.
Answer: B
Q: 23
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
The ABC.com domain uses only Kerberos authentication to servers. One morning a user named
Mia Hamm complains that she received an error message when attempting to connect to the
server.
What actions must you take to assess the Kerberos authentication on Mia Hamm’s computer?
A. You should run the msiexec.exe.
B. You should run the netdiag.
C. You should run the lpsetupui.exe.
D. You should run the Dcgpofix.
Answer: B
Explanation: Netdiag is a command-line diagnostic tool that you can use to test network
connectivity. It performs a series of tests to determine the state and functionality of a network
client. You can use the results of these tests, and network status information provided by Netdiag
to assist you in isolating network and connectivity problems on your Windows 2000-based
workstation or server computer. The netdiag command is used to run a diagnostics test against
your server to see if anything is not working correctly.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, pp. 871-874
Q: 24
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
A ABC.com employee named Rory Allen has been assigned a workstation named ABC-WS291.
Rory Allen visits Web site named www.testassist.net that should create cookies on ABC-WS291.
The cookies should allow Rory Allen to sign in to the Web site automatically. However, Rory Allen
complains that he must sign in to the Web site every time he visits the site.
You log on to ABC-WS291 and view the Internet Explorer Internet options. The Privacy tab is set
at High.
What should you do next?
A. You should access the Privacy tab and add the Web site of the supplier to the allow list.
B. You should run Network Monitor in dedicated capture mode.
C. You should configure the Internet Explorer settings to bypass the proxy server.
D. You should configure the demand-dial interface as the private interface.
Answer: A
Explanation: The Privacy tab indicates a setting of high, which is why cookies are being blocked.
You need to Edit the settings in the Privacy tab to allow cookies that will cause the supplier’s Web
site to display the last search results for each purchasing department user.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, pp. 850-853
Q: 25
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
The ABC.com network has a server named ABC-SR11 that runs Windows Server Update
Services (WSUS). ABC-SR11 has very little hard drive space. Therefore workstations must
download critical updates from the Microsoft Web site.
What actions must you take to make sure that the workstations download only approved updates
from the Web site?
A. You should disable the Network Monitor capture filter.
B. You should set the synchronization option to not store updates locally.
C. You should enable the Disable recursion option.
D. You should apply the Setup security.inf security template.
Answer: B
Explanation:
Because the ABCServer1 has limited hard disk space, you cannot store updates on the server
locally. Therefore to ensure that client computers download updates directly from Microsoft Update
and download only the approved updates, you need to modify the synchronization option to not
store updates locally in the WSUS console.
Update Files and Languages option in Synchronization Options store updates locally on the
server. When this option is disabled the updates will not be stored locally.
Reference:
Windows Server Update Services Implementation Plan / Configuring WSUS
http://about.zachcasper.com/WSUSImplementation.pdf.
Q: 26
You work as the network administrator at ABC.com. The ABC.com network a forest with a domain
named ABC.com. ABC.com has its headquarters in Dallas and a branch office in Phoenix. The
servers at the ABC.com network run Windows Server 2003 and the workstations, Windows XP
Professional.
Headquarters has a server named ABC-SR01 that has Windows Server Update Services (WSUS)
Server installed and contains their updates. You receive an instruction from the CIO to configure a
WSUS server called ABC-SR02 in the branch office to receive the same updates as the
computers at headquarters. The branch office should however obtain their updates from ABCSR02.
What action must you take?
A. You should run the Security Configuration and Analysis console at the Phoenix office.
B. You should run gpupdate /force command on the entire client computer in the Phoenix office.
C. You should set up ABC-SR02 in order to inherit all settings from ABC-SR01 and assign the
Phoenix client computers to the GPO.
D. You should the wuauclt /detectnow on the entire client computer in the Phoenix office.
Answer: C
Explanation:
To configure a WSUS server called ABC-SR02 in the Phoenix office and ensure that the client
computers in Phoenix must automatically receive the same updates as client computers in Dallas
they get updates from ABC-SR02, you need to configure ABC-SR02 to inherit all settings from
ABC-SR01. Create a new GPO and assign all client computers in Phoenix the GPO.
When ABC-SR02 will inherit all settings from ABC-SR01, it will become a replica of ABC-SR01.
The ABC-SR02 will then have all the updates that ABC-SR01has. The
ABC-SR02 will then be used by the client computers in Phoenix to have the same updates as
client computers in Dallas.
Reference:
Setting Up Local WSUS Server
http://download.swsoft.com/virtuozzo/virtuozzo4.0/docs/en/win/VzWindowsUG/20709.htm
Q: 27
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
During the course of the day you have received instructions from the CIO to implement Windows
Server Update Services (WSUS) on a server named ABC-SR10. However, ABC0SR10 has limited
disk space so you must conserve disk space usage. You must also ensure that all updates are
approved before they are applied.
What steps must you take after clearing the Automatically Approve Updates for Installation
checkbox and opening the WSUS console? (Choose all that apply.)
A. You should modify the Revisions to Updates setting to deselect the automatically approve all
updates.
B. You should set the demand-dial connection to Persistent.
C. You should execute the gpupdate command on all client computers.
D. You should modify the Advanced Synchronization Options dialog box to stop the locally stored
updates.
E. You should apply the Setup security.inf security template.
F. You should deselect the Automatically Approve Updates for Installation checkbox.
Answer: A,D,F
Explanation:
To make sure that the least amount of disk space is used on ABC-SR10, you need to change the
Advanced Synchronization Options dialog box so that updates are not stored locally. Update Files
and Languages option in Synchronization Options store updates locally on the server, download
update files to the server only and when updates are approved, download express installation
files, and download only those updates that match the locale of this server (English). When this
Update Files and Languages option is disabled the updates will not be stored locally.
To make sure that all the updates must be tested before being deployed to the client computers,
you need to Change the Revisions to Updates setting to disable the automatically approve all
updates. Typically, all updates are set to Approved upon first installation. Even though some
updates are superseded by others, all the updates should be approved.
There are many situations where a superseded update is still installed. For example, some
superseding updates apply only to newer versions of an operating system while the superseded
update applies to older operating systems
Revisions to Updates setting in Automatic Approval Options allow you to Automatically approve
the latest revision of the update. If you disable this setting the automatic approval of latest versions
of updates will be stopped.
Reference:
Windows Server Update Services Implementation Plan / Configuring WSUS
http://about.zachcasper.com/WSUSImplementation.pdf.
Q: 28
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
ABC.com contains a Web server named ABC-SR12. During the course of the day you receive
instructions to find out number of network users accessing ABC-SR12.
What actions must you take?
A. You should run the wuauclt /detectnow.
B. You should look at the current Sessions.
C. You should run the Net start /show all.
D. You should run the Ipsecmon.
Answer: B
Q: 29
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
What actions must you take to check which approved updates have been replaces with new
updates, with the least amount effort?
A. You need to run the Net start /show all on the WSUS server.
B. You need to display the WSUS Updates update view.
C. You need to run the wuauclt /detectnow command on the WSUS server.
D. You need to disable round robin on the WSUS server.
Answer: B
Q: 30
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
Which of the following commands can be used to perform automated management of ABC.com's
DNS servers?
A. You should use the gpresult.exe.
B. You should use the msiexec.exe.
C. You should use the wuauclt.exe.
D. You should use the Dnscmd.exe.
Answer: D
Explanation: Dnscmd.exe is a command line utility used to perform management of DNS servers.
With a command line tool, you can create a script that contains a list of commands to manage one
or multiple DNS servers.
Q: 31
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional Service Pack 2.
ABC.com makes use of a firewall between their intranet and the Internet. The firewall is configured
to allow only HTTP traffic through. You have implemented a DNS server named ABC-SR04 with
the default settings.
What actions must you take to make sure that ABC-SR04 can perform name resolution for Internet
names?
A. You should use port 110.
B. You should use port 53.
C. You should use port 80.
D. You should use port 443.
Answer: B
Q: 32
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
ABC.com issues a new software restriction policy that states that java script files may not be used
on any computer.
What actions must you take to implement this policy?
A. You should run the wuauclt /detectnow command.
B. You should run HFNetChk.exe with the appropriate configuration switches.
C. You should use a path rule on the software restriction policy.
D. You should enable Disable recursion.
Answer: C
Q: 33
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
ABC.com has recently configured a server named ABC-SR01 to make use of IPSec to
connections to it.
What actions must you take to check if there are any IPSec connections to ABC-SR01?
A. You should run the Netsh ipsec dynamic show all.
B. You should run the Net start /show all.
C. You should run the wuauclt /detectnow.
D. You should run the Nslookup.
Answer: A
Q: 34
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.local. The servers at the ABC.com network run Windows Server 2003 and the workstations,
Windows XP Professional.
You need to implement a stand-alone Web server named ABC-SR12 in a perimeter network.
ABC-SR12 will host ABC.com's e-business web site: http://www.ABC.com.
What actions must you take to make sure that the employees on the domain can access ABCSR12
using the URL http://ABCSite?
A. You should install and run mbsacli.exe in ABCSite.
B. You should run the Nbtstat -R in the ABC.local DNS zone.
C. You should have a host record for ABCSite added to the ABC.local DNS zone.
D. You should run the ipconfig /release in the ABC.local DNS zone.
Answer: C
Q: 35
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
You have implemented a VPN server named ABC-SR10 that has Routing and Remote Access
Services (RRAS) installed.
What actins must you take to configure trace logging?
A. You should use the Secedit /analyze.
B. You should use the Netcap.exe tool.
C. You should use the Dnscmd.exe.
D. You should use the Msconfig.exe.
Answer: B
Q: 36
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
You have implemented a Web server certificate on a Web server named ABC-SR15. During
routine monitoring you notice that employees can still access ABC-SR15 by using http://ABCSR15.
What actions must you take to make sure that encrypted traffic is used on ABC-SR15?
A. You should implement IPSec encryption.
B. You should select the Require secure channel (SSL) option.
C. You should implement NTLMv2 authentication.
D. You should implement the Kerberos V5 authentication protocol.
Answer: B
Q: 37
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
ABC.com contains a SMTP server named ABC-SR21. During the course of the CIO has instructed
you to look at the SMTP requests to ABC-SR21 that occurred in the last hour.
What actions must you take?
A. You should run the Netsh ipsec dynamic show all.
B. You should run the Net start /show all.
C. You should use a new capture and thereafter set up a display filter.
D. You should create a log of the Network Interface counter.
Answer: C
Q: 38
You work as the network administrator at ABC.com. The ABC.com network consists of a domain
named ABC.com. The servers at the ABC.com network run Windows Server 2003 and the
workstations, Windows XP Professional.
ABC.com contains a DNS server named ABC-SR11. What actions must you take to allow ABCSR11
to only generate errors event log entries?
A. You should implement Auditing on ABC-SR01.
B. You should use the Network Monitor to capture errors.
C. You should assign the Server (Request Security) IPSec Policy.
D. You should change the properties of ABC-SR01 through the DNS snap-in.
Answer: D
Q: 39
You have been asked to set up a Windows 2003 dial-up RAS server for your company.
Your clients use Windows XP and Windows 2000 Professional computers.
Company policy requires the most secure authentication possible. How will you configure your
dial-up RAS server to meet company policy?
A. Configure CHAP authentication.
B. Configure MS-CHAP v2 authentication.
C. Configure PAP authentication.
D. Configure EAP-TLS authentication.
Answer: D
Q: 40
You configure a Windows 2003 dial-up RAS gateway for a remote office in your corporate
network. A dial-up ISDN connection is used to connect the remote office to the corporate LAN. In
order to provide access for the remote users to the corporate LAN, what two configuration settings
do you need to complete? (Choose all that apply.)
A. Configure NAT on the ISDN interface.
B. Configure a demand-dial interface on the ISDN interface.
C. Configure a DHCP relay agent on the ISDN interface.
D. Configure a default static route on the ISDN interface.
Answer: B,D
Q: 41
You approve several updates on your test environment SUS server. After testing, you decide to
put the updates into production. How will you accomplish this?
A. Select Production Update under the set options page to update the production server with the
changes.
B. Use the Produpdate script to update the production server with the changes.
C. Make sure the production server has synchronized. Manually approve the tested updates for
the production SUS server.
D. Use the gpupdate command to force an update for the SUS server policies.
Answer: C
Q: 42
You are responsible for the SUS infrastructure deployment in your organization. Based on
recommended best practice, you inform your manager that a test environment is necessary for
software update testing. How many computers will be needed to accomplish this?
A. The environment should be a one-to-one correlation between the test lab and the production
environment.
B. One or two systems for each type of client hardware used in your network as well as one or
two systems representative of the software environment used in your network.
C. One SUS server and a terminal server to simulate the client environments.
D. One or two systems for each type of client hardware used in your network as well as one or
two systems representative of the software environment used in your network. An SUS server and
possibly servers to represent some of the other servers on your network.
Answer: D
Q: 43
Your HR department has spreadsheets with payroll information on a Windows Server 2003 file
server to which only HR personnel have access. You have implemented IPSec policies on the
server to ensure that data exchanged is more secure, by requiring IPSec for all connections to the
server. All of your HR desktops are Windows XP Professional and Window NT 4.0 Workstation
SP5 clients. The Windows XP clients can access the files without problems, but the Windows NT
4.0 clients cannot. What can you do to resolve this issue without changing the security on the file
server?
A. Install Windows NT 4.0 SP6a on the Windows NT clients.
B. UABCrade the Windows NT 4.0 Workstation clients to Windows XP Professional.
C. Install the IPSec client on the Windows NT 4.0 Workstations.
D. Enable NetBIOS over TCP/IP on the Windows Server 2003 machine.
Answer: B
Q: 44
You are using Network Monitor to analyze IPSec packets that are using ESP. The data packet
section is not viewable. What must you do to properly view the data packet section of the frames?
A. Set ESP to use the same encryption policy as the Network Monitor machine.
B. Disable AH policies.
C. Install the ESP filter DLL and update the parser.ini file.
D. Configure the ESP policy to use null encryption.
Answer: D
Q: 45
You have recently added a Windows Server 2003 Web Edition system to your company's private
network. The server is used to host the company's private Web site. Users are complaining that
response time is often slow. You want to analyze the traffic coming to and from the Web server.
What should you do?
Choose the best answer.
A. Open Task Manager and use the Networking tab to gather network statistics.
B. Open System Monitor to capture and analyze network traffic.
C. Open Network Diagnostics to analyze the traffic coming to and from the Web server.
D. Install Network Monitor on the Web server to capture and analyze network traffic.
Answer: D
Q: 46
Felicia is the network administrator for a Windows Server 2003 network. There are several junior
network administrators employed. Felicia suspects that changes have bee made to the security
settings on several servers. There is a standard security template with which all new servers are
configured. What tool can Felicia use to verify the current security settings against those within the
original template?
Select the best answer.
A. Active Directory Users and Computers
B. System Monitor
C. Security Templates
D. Security Configuration and Analysis
E. IP Security Monitor
Answer: D
Q: 47
You have just installed the DHCP service on a stand-alone Windows Server 2003 system. You
place the server on one of the subnets. You soon discover that clients are not leasing an IP
address from the server. You open the DHCP console and see that the DHCP service is not
started.
What should you do?
A. Reinstall the DHCP service.
B. Add the DHCP server to the domain.
C. Authorize the DHCP server.
D. Check the system event log to find any clues as to why the service will not start.
Answer: D
Q: 48
You administer your company's Windows 2003 domain. The domain contains 10 Windows Server
2003 computers, 750 Windows XP Professional computers, and 300 Windows NT 4.0 Workstation
computers Four of the Windows Server 2003 computers are DHCP servers, and two of the
Windows Server 2003 computers are DNS servers. All network computers are configured to use
DHCP. All four DHCP servers are configured with scopes for every subnet in the network.
You configure the DHCP servers to always register and update client computer information in
DNS. To increase security, you configure DNS to only allow secure updates.
Immediately following this, you discover that the resource records for the DHCP clients are no
longer updated when IP addresses change. You want the resource records for the client
computers to have the most recent information.
What should you do?
A. Add the computer accounts of the four DHCP servers to the DNSUpdateProxy global security
group.
B. Add the computer accounts of the two DNS servers to the DHCP Users domain local security
group.
C. Add the computer accounts of the four DHCP servers to the DNSAdmins domain local security
group.
D. Configure the four DHCP servers to enable updates for DNS client computers that do not
support dynamic update.
E. Configure the DHCP server to not release the DHCP lease for Windows XP Professional
computers and the Windows NT 4.0 Workstation computers at shutdown.
F. Configure the two DNS servers to use a Time to Live (TTL) interval on resource records that
are shorter than the lease time used by the DHCP servers.
Answer: A
Q: 49
You are the network administrator for Verigon Research. The network contains Windows Server
2003 and Windows XP Professional computers in a single Active Directory domain.
Field researchers have been issued Windows XP Professional laptop computers to use when
performing research in remote locations. When they return to the office, they need to connect
these laptops to the corporate network.
You decide to create a 802.1x wireless network for the research department laptops. You create a
separate subnet on which you install a wireless access point. You configure a Windows Server
2003 computer named RAD1 to be a Remote Access Dial In User Authentication Service
(RADIUS) server for the researchers. The wireless access points are RADIUS clients.
You must select a protocol for this wireless network to use. The protocol you select must support
the use of certificates, and must provide the strongest authentication and enhanced security.
Which protocol should you use?
A. Extensible Authentication Protocol - Message Digest 5 (EAP-MD5)
B. Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)
C. Extensible Authentication Protocol - Microsoft Challenge Handshake Protocol v2 (EAP-MSCHAP
v2)
D. Protected EAP (PEAP) with EAP-TLS
E. Protected EAP (PEAP) with EAP-MD5
F. Protected EAP (PEAP) with EAP-MS-CHAP v2
Answer: D
Q: 50
You administer a Windows Server 2003 Active Directory domain for your company. The domain is
divided into two subnets. SubnetA uses the network address 192.168.12.0/24, and SubnetB uses
the network address 192.168.14.0/24. All domain controllers and member servers are Windows
Server 2003 computers, and all clients are Windows 2000 Professional computers.
Clients in SubnetA obtain TCP/IP settings from a DHCP server named DHCPA, which resides in
SubnetA . Clients in SubnetB cannot obtain DHCP settings at all, even though you configured a
scope for SubnetB on DHCPA . Your need to enable clients on SubnetB to automatically obtain
TCP/IP settings from DHCPA .
What should you install on SubnetB?
A. a primary DNS server
B. an SUS server
C. a DHCP relay agent
D. a master DNS server
E. an SMTP server
Answer: C
Q: 51
You administer your company's network. A single-domain Active Directory forest is configured on
the network. All servers run Windows Server 2003.
The network contains a server named Server5 that hosts confidential business datA. Access to
Server5 must be restricted to only a few authorized personnel. You must ensure that those users,
including designated Server5 administrators, cannot share Server5's desktop with other users.
What should you do?
A. Disable Remote Assistance in the local policy on Server5.
B. Create a new OU, move Server5 to the OU, create a GPO that disables Remote Assistance,
and link the GPO to the OU.
C. Create a new OU, move Server5 to the OU, create a GPO that disables Remote Desktop, and
link the GPO to the OU.
D. Disable Remote Desktop in the local policy on Server5.
E. Disable Remote Assistance in System Properties on Server5.
F. Disable Remote Desktop in System Properties on Server5.
Answer: B
Q: 52
You are the security administrator for your company. The company's network supports 500 users.
All network server computers run Windows Server 2003. All network client computers run
Windows XP Professional. All domain account logon events are audited.
A human resources manager requests that you produce a listing of the times and dates a user
named JohnP logged on to the domain. The user was assigned to a client computer named HR09.
You should achieve this objective while reviewing the minimum amount of information.
What should you do? (Choose two. Each correct answer presents part of the solution.)
A. Create a filter that will list all events for the JohnP user account.
B. Use the Find option to list only the events for the JohnP user account.
C. Open Event Viewer and access the security log on each domain controller.
D. Use the Find option to list only the events for the HR09 computer account.
E. Create a filter that will list only the events for the HR09 computer account.
F. Log onto HR09 as a local administrator, and open Event Viewer to view the local security log.
Answer: A,C
Q: 53
You are the DNS administrator for TXGlobal, which is headquartered in Dallas and has branch
offices in Austin, Houston, San Antonio and El Paso. The headquarters location hosts the parent
domain, txglobal.com. Each branch office has been delegated a child domain. Austin hosts
austin.txglobal.com, Houston hosts houston.txglobal.com, San Antonio hosts
sanantonio.txglobal.com, and El Paso hosts elpaso.txglobal.com.
The primary DNS server in Dallas is named TXDNS. The primary DNS servers in the branch
offices are named AUSDNS, HOUDNS, SADNS and EPDNS. The secondary DNS servers in the
branch offices are named AUSDNS-2, HOUDNS-2, SADNS-2, and EPDNS-2.
To increase fault tolerance, you want to add another secondary DNS server in each location. The
new DNS servers will be named AUSDNS-3, HOUDNS-3, SADNS-3, and EPDNS-3. You want
TXDNS to be aware that the new servers are authoritative for their respective zones.
Which server or servers should host one or more stub zones?
A. AUSDNS, HOUDNS, SADNS and EPDNS
B. AUSDNS-3, HOUDNS-3, SADNS-3 and EPDNS-3
C. all of the DNS servers within the child domains
D. TXDNS
Answer: D
Q: 54
You are a network administrator for your company. The company network consists of two Active
Directory forests. Verigon.com is the single-domain forest that contains all user accounts and
resources for the corporate network, except the resources that are allocated to the Development
department. Dev.corp is the single-domain forest that is used only by the Development
department. You configure an external trust between the two domains.
Developers must be able to log on from their computers to the verigon.com domain. In the
verigon.com forest, you create a new user principal name (UPN) suffix of dev.corp and configure
UPNs for the developers' user accounts in the verigon.com domain with this suffix. Developers
report that they cannot log on to the verigon.com domain from their computers, which belong to
the dev.corp domain, by using their UPNs. You must enable developers to log on to the
verigon.com domain from their computers by using UPNs.
What should you do?
A. Replace the external trust with a forest trust.
B. Change the UPN suffix for the developers' user accounts to verigon.com.
C. Configure selective authentication on the trust.
D. Configure domain-wide authentication on the trust.
Answer: A
Q: 55
You are the administrator for your company's network. Your company's logical network design
consists of a single Active Directory domain. All servers have the Windows Server 2003 operating
system installed. All client computers run Windows XP Professional.
Woody is the manager for the company. He uses his client computer to read and edit large
documents from the publishing department. The computer is configured with a single basic disk
consisting of two partitions. One partition is used as the boot and system partition. The other
partition hosts user data folders. Both partitions are formatted using NTFS. The user data partition
contains shared folders and files that use both share and NTFS permissions to grant access to
employees in the editorial department.
Woody informs you that his computer is beginning to perform at a speed that is moderately slower
than other client computers in the editorial department. You use System Monitor and discover that
a disk bottleneck exists.
How can Woody improve performance on this computer?
A. Defragment the hard disk.
B. Reformat the data partition using FAT32.
C. Convert the hard disk to a dynamic disk.
D. Delete the two existing partitions on the hard disk, and create a single partition.
Answer: A
Q: 56
You are your company's network administrator. The network consists of a single subnet. All
servers run Windows Server 2003. The network is connected to the Internet through a private
WAN link. A computer named Server1 provides Internet access for the network. Server1 is
equipped with two NICs, and Internet Connection Sharing (ICS) is enabled on the NIC that is
connected to the Internet.
Your company employs several telecommuters who work from their homes. The remote
employees require some files that contain information about the company's business operations.
Those files are updated on a daily basis. To provide the remote employees with those files, you
set up an FTP site on a computer named FTPSrv.
You must ensure that the users on the corporate network can access Internet Web sites and that
the remote employees can download the necessary files from FTPSrv. The corporate network
must be protected against possible Internet-based attacks. Access to the corporate network from
the Internet must be restricted to only the FTP site on FTPSrv.
What should you do?
A. On FTPSrv, enable Internet Connection Firewall, and specify that FTP traffic be allowed to
pass to FTPSrv.
B. On Server1, enable Internet Connection Firewall, and specify that FTP traffic be allowed to
pass to FTPSrv.
C. Configure Server1 to use IPSec for all communications on the NIC that is connected to the
Internet.
D. On Server1, enable Internet Connection Firewall, and configure it to allow only HTTP and FTP
traffic to pass to the corporate network.
Answer: B
Q: 57
Mark works as a Network Administrator for ABC.com. The company has a Windows 2003 single
domain-based Active Directory network. The network has five Windows 2003 member servers and
200 Windows XP Professional client computers. The network has a Windows 2003 Server that
works as a DNS server. The DNS server contains the following types of resource records:
· Name Server (NS) resource record
· A resource record
· PTR resource record
· SRV resource record
· MX resource record
Mark updates the A resource record. Which of the following types of resource records can be
associated with the A resource record and needs to be updated?
A. The associated PTR resource record needs to be updated.
B. The associated SRV resource record needs to be updated.
C. The associated MX resource record needs to be updated.
D. The associated NS resource record needs to be updated.
Answer: A
Q: 58
Andrew works as a Network Administrator for ABC.com. The company has a Windows 2003
domain-based network. The company has two Windows 2003 servers and 150 Windows 2000
Professional client computers.
The company has a Windows 2003 server named NATSERV that has a dial-up connection to the
Internet.
NATSERV has two network interfaces named EthernetA and EthernetB .
EthernetA is connected to the LAN and has an IP address of 192.168.1.121. EthernetB is
connected to the Internet and has an IP address of 132.103.102.71. The client computers on the
LAN connect to the Internet by using NATSERV. NAT also has Routing and Remote Access
installed.
Andrew enables the NAT/Basic Firewall routing protocol on NATSERV. The configuration of the
NAT/Basic Firewall routing on NATSERV is shown in the image below:
The client computers on the network are unable to connect to the Internet. When Andrew tries to
ping
132.103.102.71 from the client computers on the local network, he receives a message as shown
in the image below:
Andrew wants to ensure that the client computers on the local network are able to connect to the
Internet.
What will he do to accomplish this?
Each correct answer represents a part of the solution. Choose two.
A. For EthernetB, configure Outbound Filters under Static packet filters.
B. For EthernetA, configure Inbound Filters under Static packet filters.
C. For EthernetA, configure NAT/Basic Firewall as 'Private interface connected to private
network'.
D. For EthernetB, configure NAT/Basic Firewall as 'Public interface connected to the Internet'.
Answer: C,D
Q: 59
Mark works as a Network Administrator for ABC.com. The company has a Windows 2003
domainbased network. The domain contains four Windows 2003 servers and 500 Windows 2000
Professional client computers.
The company's Marketing department uses a member server named Fserv that stores confidential
files. The files are stored in a folder named DATA. The Marketing department users are members
of a group named Market. The NTFS permissions on the DATA folder and files in that folder allow
access only to the Administrators group and the Market group.
The NTFS permissions are configured to allow full control on the DATA folder. The share
permissions are the default permissions. Mark wants to track users who attempt to gain access to
files in the DATA folder on Fserv. For this purpose, he configures auditing on the DATA folder and
files in that folder. He configures auditing on the Failed attempts for each access type on the
Everyone group. When he checks the auditing configuration by attempting to access the files with
a domain user account that does not have access permissions to the files, he receives an "Access
Denied" message. However, this Failed attempt does not appear in the security log on Fserv.
What will Mark do to resolve the issue?
A. Grant the Generate security audits privilege to the Fserv computer account.
B. Enable the Audit object access policy for Failed and Successful attempts in a new Group
Policy object (GPO) that applies only to Fserv.
C. Configure the auditing entries to apply to the Administrators group and the Market group,
instead of the Everyone group.
D. Enable the Audit object access policy for Failed attempts in a new Group Policy object (GPO)
that applies only to Fserv.
Answer: D
Q: 60
Mark works as a Network Administrator for ABC.com. The company has a Windows 2003
domainbased network. The network has six Windows 2003 member servers and 120 Windows XP
Professional client computers. All the member servers are using static IP configuration. Five of the
member servers work as Intranet Web servers, and one of them named ISERV works as a
Routing and Remote Access server. The NAT/Basic routing protocol is enabled to route traffic
between the local network and the Internet. ISERV's internal IP address is 192.168.1.1. The Web
servers' static IP configuration is shown in the image below:
The Web servers require Internet access to display Web pages from the Internet. The Web
servers are configured with the Internet Explorer LAN settings as shown in the image below:
The users on the intranet report that only the local Web pages stored on the Web servers are
displayed. Mark attempts to view the Web pages on the Internet from one of the Web servers, but
he is unable to do so. Mark wants all the Web servers to be able to access the Web pages on the
Internet. What will he do to accomplish this?
A. On the TCP/IP Properties page on the Web servers, configure the default gateway as
192.168.1.1.
B. Configure the Web servers to receive IP addresses from the DHCP server.
C. In the LAN settings dialog box on all the Web servers, configure port 80.
D. On the TCP/IP Properties page on the Web servers, configure the default gateway as
255.255.255.0.
Answer: A
Q: 61
You work as a Network Administrator for ABC.com. The company has a Windows 2003
domainbased network. In order to automate the TCP/IP configuration for the client computers in
the network, you install the DHCP Server service on a Windows 2003 member server. You want to
ensure that all the network printers always use the same IP address. In order to accomplish this,
you create IP address reservations for the network printers while creating the DHCP scope. You
also define an exclusion range for the printers. Now, none of the printers are receiving the IP
addresses. However, the client computers are not experiencing this problem. What will you do to
resolve the issue?
A. Remove the exclusion range for the addresses that are being used by the printers.
B. Assign the IP addresses to the printers manually.
C. Run the IPCONFIG /release command-line utility on the printers.
D. Remove the client reservations for the addresses that are being used by the printers.
Answer: A
Q: 62
Mark works as a Network Administrator for ABC.com. The company has a Windows 2003 Active
Directorybased single domain single forest network. The network contains five member servers
and 110 Windows XP Professional client computers. The client computers in the network receive
IP addresses from the DHCP server.
One of the member servers named DBSERV works as a database server. Mark configures the
DHCP server to lease the reserved IP address 192.168.1.10 to DBSERV. He also creates an A
record for DBSERV on the DNS server that uses the IP address 192.168.1.10.
Users complain that they are unable to access DBSERV. Mark runs the IPCONFIG /all command
from the command prompt on DBSERV. He finds the following results:
Now, Mark wants to ensure that DBSERV receives the IP address 192.168.1.10. What will he do
to accomplish this?
A. Write the MAC address of the DBSERV network adapter with dashes in the client reservation.
B. Change the MAC address in the client reservation setting.
C. Authorize the DHCP server.
D. Remove the A record for DBSERV from the DNS server.
Answer: B
Q: 63
Mark works as a Network Administrator for ABC.com. The company has its headquarters at New
York and a branch office at Miami. The headquarters has a Windows 2003 domain-based network
named Nettech.com. The network has three Windows 2003 member servers and 120 Windows
XP Professional client computers. One of the member servers named DNSServ is working as a
DNS server.
The branch office in Miami also has a Windows 2003 domain-based network named
Nettech1.com.
One Windows 2003 member server named DNSServ1 is working as a primary DNS server in
Nettech1.com. DNSServ is a secondary zone server for Nettech1.com. Mark wants to monitor the
notification traffic between these two domains and keep a record of when the primary DNS server
for Nettech1.com informs DNSServ if there are available changes in the Nettech1.com zone. What
will he do to accomplish this?
A. Enable debug logging on DNSServ by selecting the Log packets for debugging check box and
select the Notification check box.
B. Configure auditing on DNSServ.
C. Enable debug logging on DNSServ by selecting the Log packets for debugging check box.
D. Execute the REPLMON command on DNSServ.
Answer: A
Q: 64
Mark works as a Network Administrator for ABC.com. The company has a Windows 2003
domainbased network. The network contains two domain controllers, four Windows 2003 member
servers, and 300 Windows XP Professional client computers. One of the member servers named
RRASSRV works as a Routing and Remote Access Server. RRAS is configured as a VPN server.
A company employee named Rick works from a remote location. Rick daily connects to
RRASSRV by using a VPN connection and uploads daily reports on RRASSRV. He is the only
person who connects to RRASSRV by using the VPN connection. Mark notices that Rick is able to
access the other computers on the network while he is connected to RRASSRV. Mark wants to
prevent Rick from accessing the other computers on the network. What will he do to accomplish
this?
A. In the Routing and Remote Access management console on RRASSRV, click the IP tab page
in the server properties dialog box and deselect the Enable IP routing check box.
B. In the Routing and Remote Access management console on RRASSRV, click the General tab
page in the server properties dialog box and deselect the Remote access server check box.
C. In the Routing and Remote Access management console on RRASSRV, click the PPP tab
page in the server properties dialog box and deselect the Multilink connections check box.
D. In the Routing and Remote Access management console on RRASSRV, click the IP tab page
in the server properties dialog box and disable the IP routing radio button.
Answer: A
Q: 65
A beta version of an application you’re testing to send and receive data on your network does not
seem to be sending compressed data before sending packets across the network. You’re looking
at the architecture of the application to see if you can determine where the problem likely
originates. Using the OSI model, from where is the problem probably originating?
A. Transport layer
B. Application layer
C. Presentation layer
D. Physical layer
Answer: C
Q: 66
Your firm is designing a new software driver that will employ a proprietary method of flow control
for data being sent across a network medium. On which layer of the OSI model would be this flow
control likely be implemented?
A. Application
B. Data Link
C. Transport
D. Media Access Control
Answer: B
Q: 67
Your corporate network uses variable length subnetting to make more efficient use of IP
addresses. One of the IP addresses for a host is 131.39.161.17 with a subnet mask of
255.255.248.0.What is the proper notation for the network to which this host is connected?
A. 131.39.160.0/21
B. 131.36.161.0/20
C. 131.39.161.17/21
D. 131.36.160.0/20
Answer: A
Q: 68
You need to create several subnets for your corporate network. Each subnet should have no more
than two host addresses available per subnet. You have a subnet with the address of
136.42.255.0/24.What are the first two subnet addresses that would be created in this
configuration?
A. 136.42.255.0/31, 136.42.255.4/31
B. 136.42.255.2/30, 136.42.255.4/30
C. 136.42.255.4/29, 136.42.255.8/29
D. 136.42.255.0/30, 136.42.255.4/30
Answer: D
Q: 69
Jennifer, the network administrator at a chain of bakery stores called The Cheesecake Factory,
recently uABCraded the corporate office of a single segmented network to one that supports four
separate virtual networks, or Virtual Local Area Network segments (VLANS). Jennifer is very
conscious of production change and thus contacted the systems group in order to make sure all
the technical aspects of the project were met. Jennifer wanted to make sure that when all the
client workstations were on the new network segments, they were still able to gain IP connectivity
to the rest of the network as they had before. The Cheesecake Factory has been running a
Windows Server 2003 Active Directory domain at the Windows 2000 mixed functional level for
over two months. Jennifer created four network segments and labeled them VLAN1,VLAN2,
VLAN3, and VLAN4.VLAN1 was the original network and hosts the original DHCP server, called
SERVER1. Its network address did not change. The systems team decided to put DHCP Relay
Agents on VLAN2 and VLAN3, configured to relay DHCP messages to the original DHCP server
on VLAN1. Due to a reluctance to permit more DHCP broadcast traffic than the router could
handle, Jennifer suggested to her systems team that VLAN4 should host its own DHCP server.
The systems group installed another DHCP server on VLAN4, set up the appropriate DHCP
scopes on that server and set up the additional DHCP scopes for VLAN2 and VLAN3 on
SERVER1.After the work was completed, all clients on all VLANs seemed to be working fine for
about two weeks, until Jennifer got a call from the Help Desk stating that the users in the
warehouse cannot boot up from their diskless workstations, where they run monthly accounting
statistics, but can connect from all other workstations. Jennifer looks at her network diagram and
determines that the warehouse is located on VLAN4. She also checks with users in the accounting
department on VLAN1 to see if they can connect using their diskless workstations. They tell
Jennifer that they can and have had no problems.
What did the systems team most likely forget to do?
A. Install a DHCP Relay Agent on VLAN4.
B. Configure a BOOTP table on the new DHCP server on VLAN4.
C. Replace the router with an RFC 2131 compliant router.
D. Cold boot all the diskless workstations.
Answer: B
Q: 70
Ceste has been working for the client services department at a local bank in Richmond, Virginia
for over a year. He is responsible for client connectivity to the corporate network backbone. Ceste
is a member of the DHCP Users group and uses his privileges as a member of this group to gauge
the status of DHCP leases and available IP addresses. Jamie is a systems engineer for the same
bank, and is responsible for the back-end configuration of all DHCP servers and scope
configuration. He is a member of both the Domain Users and DHCP Administrators groups. On
Monday morning, SERVER2, the DHCP server servicing the first and second floor of the bank,
crashes. SERVER2 sits on the same network segment as the first floor users’ client machines.
The second floor network segment has a Windows Server 2003 server with RRAS and a DHCP
Relay Agent configured. Ceste is the first to be alerted that clients are unable to obtain an IP
address, and further notices that he cannot connect to the DHCP Console on SERVER2. He
notifies Jamie, telling him that he thinks SERVER2 has crashed. Jamie is already in the process of
activating all the pre-existing backup scopes for all the DHCP network segments at the bank. He
tells Ceste to have all users on the first and second floor reboot their machines and everything
should work. About 10 minutes later, Jamie receives a call from Ceste with the news that all first
floor users’ computers are now working, but nobody on the second floor can connect to any of
their daily resources. What did Jamie forget to do in order to be fully prepared for this type of
disaster?
A. Add the IP address of the backup DHCP server to the DHCP Relay Agents.
B. Configure a DHCP Relay Agent for the backup DHCP server.
C. Authorize the backup DHCP server.
D. Activate the DHCP scopes.
Answer: A
Q: 71
You work in the shipping and receiving warehouse for a small OEM computer supply company
called The T-Group. It is your job as a desktop engineer to make sure that all clients are able to
log on and authenticate to the corporate office from their NT 4.0 workstations. Currently, your
client base of five workstations point to a WINS server at the corporate office to resolve logon and
to authenticate to the correct domain controller. You get word that the systems engineering team
is converting the functional level of the current Windows Server 2003 interim mode Active
Directory domain over the weekend. They are raising the domain level to Windows Server 2003
native mode. You call the manager of this group and inquire about any changes you may need to
make, so that your warehouse clients can still authenticate on Monday. Robert said that nothing
would affect logon authentication, and in fact logon should be a lot quicker because he was
removing some legacy protocols and services. Nervous about what he meant by this, as he is
notorious for abrupt change without the correct research, you sit back and wait. Contrary to what
was told to you, on Monday morning none of your NT 4.0 clients could log on. Knowing a little
about network resolution, and more about Robert, you have a hunch and try to log on to using
your Windows 2000 laptop machine that you built for emergencies. As you suspected, you are
able to log on without a problem. You call Robert and ask him if he uninstalled the WINS server
because he had heard that Windows Server 2003 no longer required NetBIOS. Robert replied,
Yes. What can you do to quickly get your workstations logging onto the network again?
A. Distribute an LMHOSTS file using the #PRE and #DOM tags with the name and IP address of
the new PDC Emulator and have everybody reboot.
B. Edit the default LMHOSTS file on everybody’s workstation and use the #PRE and #DOM tags
with the name and IP address of the new PDC Emulator.
C. Install WINS on one of the NT 4.0 workstations and have all your clients point to it.
D. Install a WINS proxy agent on one of your NT 4.0 workstations and have everybody point to it.
Answer: A
Q: 72
As the network administrator, Kristy decides to implement the ability for clients to dial-in to the
network to allow them the option to work from home if they want to, by installing and configuring
an RRAS server. Kristy’s internal network consists of a Windows 2000 domain, a single DNS and
WINS server, multiple segmented broadcast domains, and a single DHCP server, configured to
distribute the following information via four different IP address scopes:
· DNS Server (local option)
· Router (local option)
· WINS Server (local option)
· Node Type (global option)
· Domain Name (global option)
· ARP Timeout (local)
Kristy installs her RRAS server and configures the DHCP Relay Agent to point to the only internal
DHCP server. She then configures a fifth DHCP scope to accommodate the DMZ network into
which she has installed her RRAS server. Kristy hopes to be able to offer both internal Web mail
and resource access to her NT 4.0 file server in the same way she is able to successfully offer it
now to only internal users. Kristy composes an e-mail with detailed instructions on how to set up
her Windows ME laptop users with the correct VPN settings to dial-in the company RRAS server.
With the e-mail, Kristy asks for feedback as to ease of installation, setup, connectivity, speed,
resource access, and so on. A few days later, Kristy receives e-mails from most of the users she
sent the e-mail to. All of them said that they were able to access e-mail just fine and that the
speeds were great. They also said they were able to browse the Internet without a problem, but
none of them could access any of the file server resources that they needed to do their work. What
is the easiest thing Kristy can do to facilitate this need?
A. Change the DNS server to a global option in DHCP
B. Change the WINS server to a global option in DHCP
C. Change the node type to a local option for each scope in DHCP
D. Add another WINS server to facilitate the dial-in users
Answer: B
Q: 73
Your network is running three DNS servers, NS1, NS2, and NS3. NS1 is running Windows Server
2003, whereas NS2 and NS3 are still running Windows NT 4.0. In reviewing the error log on NS1,
you notice an error that lists NOTIMPL(4) being returned by NS3.What does this error indicate?
A. NS3 does not support extended DNS (EDNS0).
B. NS1 does not support extended DNS (EDNS0).
C. The OPT record received from NS3 contained an illegal Time-To-Live.
D. The OPT record needs to be added to all three name servers.
Answer: A
Q: 74
You’ve just created a new zone in DNS on a Windows Server 2003-based computer. You check
the zone and notice that the only records in it are the SOA and NS RRs. You check the
configuration and see that the zone is configured to accept dynamic updates. What should you do
next?
A. Manually add all RR for the zone including A, CNAME, PTR, and SRV records.
B. Manually add A RR for all hosts that cannot use dynamic updating.
C. Manually add A RR and PTR RR for all hosts that will be using dynamic updating.
D. Manually initiate a zone transfer to replicate all the needed RR to the new zone.
Answer: B
Q: 75
Your network contains a mix of Windows 2000 and Windows Server 2003.You have three domain
controllers running Windows Server 2003.Your file server, print server, and Exchange server are
running Windows 2000 Server. Your DNS, DHCP, and WINS servers are running Windows Server
2003. All of your clients are running Windows XP Professional with service pack 1. All machines,
other than the servers that require a static IP address, are configured as DHCP clients with the
default settings.
Your DNS server has been configured to allow dynamic updates. Which of the following records
will be registered in DNS automatically? (Choose all that apply.)
A. MX
B. Host
C. SRV
D. PTR
Answer: B,C,D
Q: 76
You are using WINS Forward Lookup integration in your mixed UNIX/Windows environment to
allow your DNS-only UNIX clients to use only their configured Windows Server 2003 DNS server
to query and resolve resolution requests for downlevel Windows NT 4.0 machines’ NetBIOS
names. This has been working well for your company for several months. You are informed that
over the next several weeks, the Windows NT 4.0 servers are being moved to a different subnet in
order to create a separate broadcast domain. They will still continue to register with the same
WINS server, but their IP addresses will be changing, and they will no longer be able to be
accessed via broadcasts. As these servers start their migration to the new subnet you begin to
receive calls only from your UNIX community, complaining that they can no longer access servers
that have moved until a day or so later. What can you do to fix the problem for all future migrated
servers?
A. Type nbtstat -RR on the migrated NT servers.
B. Increase the TTL for WINS forward lookup records.
C. Type ipconfig /registerdns on the migrated NT servers.
D. Decrease the TTL for WINS forward lookups records.
Answer: D
Q: 77
The president of your company has asked you if VPN technology could benefit the company. What
is the greatest benefit provided by VPN?
A. VPN solutions provide secure connectivity at a significant price savings compared to long
distance analog or dedicated circuit connections.
B. VPN solutions utilize fewer resources than dedicated circuits or analog connections.
C. VPN solutions provide better remote control capabilities than other third-party alternatives.
D. VPN solutions provide higher speed connections than dedicated circuits or analog
connections.
Answer: A
Q: 78
Your company’s corporate security policy is very strict. No username or password information may
be passed over the Internet without using the strongest encryption available. Your company does
not yet have a certificate infrastructure in place. Which of these methods would be the best choice
for VPN authentication to ensure that you are within your company’s corporate security policy
requirements?
A. MS-CHAP v2
B. PAP
C. CHAP
D. SPAP
Answer: A
Q: 79
Katherine has been asked for her opinion on increasing the fault tolerance of the corporate
network, which uses TCP/IP, Active Directory, and Windows 2000 computers. Specifically, the one
DNS server on subnet A. Users may run into serious problems if that machine ever experiences
downtime, or if the link between the two subnets goes down. Each subnet has its own Windows
2003 domain controller. What would you suggest to provide fault tolerance for the network?
Select the best answer.
A. Set up a secondary DNS server on subnet B Configure the primary DNS server on subnet A to
send notifications of zone changes to the secondary DNS server.
B. Configure DNS on both domain controllers using Active Directory Integrated zones.
C. Install a caching-only DNS server on subnet B
D. Set up a secondary DNS server on subnet B and configure it to request refreshes from the
master DNS server on subnet A.
Answer: B
Q: 80
You are the network administrator for ABC.com. You are implementing dynamic IP addressing on
the network. A new server has recently been purchased. You install Windows Server 2003 on the
new computer and add the DHCP service. The server will lease IP addresses to clients on subnet
A with an IP address range of 192.168.1.0/24. You configure the DHCP server as shown in the
exhibit. Clients are unable to lease an IP address. What is causing the problem?
Select the best answer.
A. The DHCP service has been installed on a member server.
B. The scope has not yet been activated.
C. The DHCP server has not yet been authorized to lease IP addresses.
D. The DHCP server has been configured with an incorrect scope.
Answer: C
Q: 81
Jim is configuring the IP security policy for a computer running Windows Server 2003.
Some of the client computers on the network are not IPSec aware, while others are. Jim wants all
data to be encrypted and still allow those computers that do not support IPSec to authenticate.
Which of the following settings should he select?
Select the two best answers.
A. Server (request security)
B. Client (request security)
C. Client (respond only)
D. Server Secure (require security)
Answer: A,C
Q: 82
John is the network administrator for a Windows Server 2003 network. Software Update Services
will be used to deploy updates throughout the network. John wants to deploy the Automatic
Updates settings for all clients through a group policy object. He opens the appropriate GPO but
cannot find any automatic update settings. What is causing the problem?
Select the best answer.
A. The settings cannot be configured through a group policy object.
B. John does not have administrative privileges.
C. The Automatic Updates ADM template has not been loaded.
D. Software Update Services has not been installed.
Answer: C
Latest Version: 9.5 Last Update: December, 2012
Need the Latest version of 70-291 Exam Prep Or the other Microsoft Exam Prep, Visit the Cheat-Test.com Official website.
70-291,70-291 exam,70-291 dumps,70-291 study guide,70-291 practice test,Microsoft 70-291
