exam 070-293 title planning and maintaining a microsoft ... server 2003 network infrastructure. ......

Exam : 070-293 Title : Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

070-293

Actualtests.com - The Power of Knowing

QUESTION 1: You are the network administrator for Certkiller .com. The network consists of a single Active Directory domain Certkiller .com. The network contains two Windows Server 2003 domain controllers, two Windows 2000 Server domain controllers, and two Windows NT Server 4.0 domain controllers. All file servers for the finance department are located in an organizational unit (OU) named Finance Servers. All file servers for the payroll department are located in an OU named Payroll Servers. The Payroll Servers OU is a child OU of the Finance Servers OU. Certkiller 's written security policy for the finance department states that departmental servers must have security settings that are enhanced from the default settings. The written security policy for the payroll department states that departmental servers must have enhanced security settings from the default settings, and auditing must be enabled for file or folder deletion. You need to plan the security policy settings for the finance and payroll departments. What should you do? A. Create a Group Policy object (GPO) to apply to the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU. B. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU. C. Create a Group Policy object (GPO) to apply to the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to apply the Hisecws.inf security template to computer objects, and link it to the Payroll Servers OU. D. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and link it to the Finance Servers and to the Payroll Servers OUs. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU. Answer: B Explanation: The Securews.inf template contains policy settings that increase the security on a workstation or member server to a level that remains compatible with most functions and applications. The template includes many of the same account and local policy settings as Securedc.inf, and implements digitally signed communications and greater anonymous user restrictions. Audit Object Access A user accesses an operating system element such as a file, folder, or registry key. To audit elements like these, you must enable this policy and you must enable auditing on the resource that you want to monitor. For example, to audit user accesses of a particular file or folder, you display its Properties dialog box with the Security tab active, navigate to the Auditing tab in the Advanced Security Settings dialog box for that file or folder, and then add the users or groups whose access to that file or folder you want to audit. Incorrect Answers:

070-293


A, C: The Compatws.inf security template is designed for Windows NT compatible applications that require lower security settings in order to run. These settings are lower than the default settings. D: The Payroll Servers OU is a child OU of the Finance Servers OU. GPO settings applied to parent OUs are inherited by child OUs; therefore we do not need to link the GPO to both the finance Servers OU and the Payroll Servers OU. Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapters 9 and 10

QUESTION 2: You are the network admin for Certkiller . Your network contains 50 application servers that run Windows Server 2003. The security configuration of the application servers is not uniform. The application servers were deployed by local administrators who configured the setting for each of the application servers differently based on their knowledge and skill. The application servers are configured with different authentication methods, audit settings and account policy settings. The security team recently completed a new network security design. The design includes a baseline configuration for security settings on all servers. The baseline security settings use the hisecws.inf predefined security template. The design also requires modified settings for servers in an application server role. These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. The security team created a security template named application.inf that contains the required settings. You need to plan the deployment of the new security design. You need to ensure that all security settings for the application servers are standardized, and that after the deployment, the security settings on all application servers meet the design requirements. What should you do? A. Apply the setup security.inf template first, the hisecws.inf template next, and then the application.inf template B. Apply the Application.inf template and then the Hisecws.inf template. C. Apply the Application.inf template first, then setup.inf template next, and then the hisecws.inf template D. Apply the Setup.inf template and then the application.inf template Answer: A. Explanation: The servers currently have different security settings. Before applying our modified settings, we should reconfigure the servers with their default settings. This is what the security.inf template does. Now that our servers have the default settings, we can apply our baseline settings specified in the hisecws.inf template. Now we can apply our custom settings using the application.inf template. Incorrect Answers: B: The hisecws.inf template would overwrite the custom application.inf template. C: Same as answer A. Also, the setup.inf security template doesn't exist. To return a system to its default security settings, we use the security.inf template. D: The setup.inf security template doesn't exist. To return a system to its default security settings, we use the security.inf template.

070-293


Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Trainning Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:62 David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION 3: Your network contains Terminal servers that host legacy applications that require users to be members of the Power Users group in order to run them. A new company policy states that the Power Users Group must be empty on all servers. You need to maintain the ability to run legacy applications on your servers when the new security requirement is enabled. What should you do? A. Add the domain users global group to the Remote Desktop Users built-in group in the domain B. Add the domain users global group to the Remote Desktop Users local group on each terminal server C. Modify the compatws.inf security template settings to allow members of the local users group to run the applications. Import the security settings into the default Domain Controllers Group Policy Object. D. Modify the compatws.inf security template settings to allow members of the local users group to run the applications. Apply the modified template to each terminal server Answer: D Explanation: The default Windows 2000 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have security settings that are compatible with Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to run in the standard Windows environment for Users, while still allowing applications that are not certified for Windows 2000 to run successfully under the less secure Power Users configuration. However, if Windows 2000 users are members of the Power Users group in order to run applications not certified for Windows 2000, this may be too insecure for some environments. Some organizations may find it preferable to assign users, by default, only as members of the Users group and then decrease the security privileges for the Users group to the level where applications not certified for Windows 2000 run successfully. The compatible template (compatws.inf) is designed for such organizations. By lowering the security levels on specific files, folders, and registry keys that are commonly accessed by applications, the compatible template allows most applications to run successfully under a User context. In addition, since it is assumed that the administrator applying the compatible template does not want users to be Power Users, all members of the Power Users group are removed. Incorrect Answers: A, B: Global group is a group that is available domain-wide in any domain functional level, so why would you add to another group. C: The Compatws.inf template is not intended for domain controllers, so you should not link it to a site, to the domain, or to the Domain Controllers OU Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Trainning Kit (Exam 70-294); Planning,

070-293


Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8:5 Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Chapter 9

QUESTION 4: You are the network administrator for Certkiller .com. The network consists of a single Active Directory domain named Certkiller .com. The functional level of the domain is Windows Server 2003. The domain contains an organizational unit (OU) named Servers that contains all of Certkiller 's Windows Server 2003 resource servers. The domain also contains an OU named Workstations that contains all of Certkiller 's Windows XP Professional client computers. You configure a baseline security template for resource servers named Server.inf and a baseline security template for client computers named Workstation.inf. The Server.inf template contains hundreds of settings, including file and registry permission settings that have inheritance propagation enabled. The Workstation.inf template contains 20 security settings, none of which contain file or registry permissions settings. The resource servers operate at near capacity during business hours. You need to apply the baseline security templates so that the settings will be periodically enforced. You need to accomplish this task by using the minimum amount of administrative effort and while minimizing the performance impact on the resource servers. What should you do? A. Create a Group Policy object (GPO) and link it to the domain. Import both the Server.inf and the Workstation.inf templates into the GPO. B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy Group Policy object (GPO). C. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Create a Group Policy object (GPO) and link it to the Workstations OU. Import the Workstation.inf template into the GPO. D. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO). Answer: C Explanation: The question states that you need to apply the baseline security templates so that the settings will be periodically enforced. To accomplish this you must create a scheduled task so that the performance impact on resource servers is minimized. Furthermore, the question also states that Workstation.inf is a baseline security template for client computers. Therefore, the GPO has to be linked to the OU that contains the client computers, and the Workstation.inf template must be imported to the said GPO so that it can be applied. Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in

070-293


scripts and batch files to automate security template deployments. You can create a baseline security configuration in a GPO directly, or import a security template into a GPO. Link the baseline security GPO to OUs in which member servers' computer objects exist. Incorrect Answers: A: GPOs process security templates from the bottom up; therefore, by import both the Server.inf and the Workstation.inf templates into a single GPO, we would ensure that the settings in the security template imported last are applied in cases where there are conflicting settings. If we apply this to the domain, then all computers would have the same settings. B, D: The Default Domain Policy Group Policy object (GPO) is applied only to the Domain Controllers group. Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 10 Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapter 9

QUESTION 5: You are a network administrator for Certkiller . The network consists of a single Active Directory domain named Certkiller .com. The network contains 80 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed. Certkiller is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers. You are planning a baseline security configuration for the Web servers. The company's written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled: 1. SMTP 2. Telnet Your plan for the baseline security configuration for Web servers must comply with the written security policy. You need to ensure that unnecessary services are always disabled on the Web servers. What should you do? A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU. B. Create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Web Servers OU. C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU. D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU. Answer: C Explanation: Windows Server 2003 installs a great many services with the operating system, and configures quite a few with the Automatic startup type, so that these services load automatically when the

070-293


system starts. Many of these services are not needed in a typical member server configuration, and it is a good idea to disable the ones that the computer does not need. Services are programs that run continuously in the background, waiting for another application to call on them. Instead of controlling the services manually, using the Services console, you can configure service parameters as part of a GPO. Applying the GPO to a container object causes the services on all the computers in that container to be reconfigured. To configure service parameters in the Group Policy Object Editor console, you browse to the Computer Configuration\Windows Settings\Security Settings\System Services container and select the policies corresponding to the services you want to control. Incorrect Answers: A: The logon script would only run when someone logs on to the web servers. It's likely that the web servers will be running with no one logged in. B: The Hisecws.inf security template is designed for workstations, not servers. D: The startup script would only run when the servers are restarted. A group policy would be refreshed at regular intervals. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Trainning Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:1-6

QUESTION 6: You are the network admin for Certkiller . All servers run Windows Server 2003. Every week, you run the mbsacli.exe /hf command to ensure that all servers have the latest critical updates installed. You run the mbsaclie.exe /hf command from a server named server1. When you scan a server named Certkiller B you receive the following error message stating Error 200, System not found, Scan failed. When you ping Certkiller B you receive a reply. You need to ensure that you can scan Certkiller B by using the mbsacli.exe /hf. What should you do? A. Copy the latest version of the Mssecure.xml to the program files\microsoft baseline security analyzer folder on server1 B. Ensure that the Server service is running on Certkiller B C. Install IIS common files on Server1 D. Install the latest version of IE on Certkiller B Answer: B Explanation: From Microsoft: Error: 200 - System not found. Scan not performed. This error message indicates that mbsacli /hf did not locate the specified computer and did not scan it. To resolve this error, verify that this computer is on the network and that the host name and IP address are correct. We know that the computer is on the network because we can successfully ping it. Therefore, the cause of the problem must be that the Server service isn't running. Incorrect Answers: A, C: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with Server1.

070-293


D: The version of IE that comes with Windows Server 2003 is sufficient, and therefore does not need to be upgraded. Reference: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q303/2/15.asp&NoW Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:5

QUESTION 7: You are the network administrator for Certkiller . The network consists of a single Active Directory domain named Certkiller .com. The network contains 10 application servers that run Windows Server 2003. The application servers are accessed from the Certkiller network and from the Internet. The network design requires that the application servers must have specifically configured security settings, including the password policy, audit policies, and security options settings. You create a security template named App.inf that contains the security settings required by the network design. You are concerned that an unauthorized user will modify the configuration and gain access to the application servers. You want to capture any changes made to the security settings of the application servers. You need to generate a report that compares the current settings of each application server with the required settings every 24 hours. What should you do? A. Use a Group Policy startup script to run the secedit command in analysis mode with the App.inf template, and set the Group Policy refresh interval for computers to 24 hours. B. Import the App.inf template into Group Policy, and set the Group Policy refresh interval for computers to 24 hours. C. Use Task Scheduler to run the gpresult command in verbose mode every 24 hours. D. Use a custom script in Task Scheduler to run the secedit command in analysis mode with the App.inf template every 24 hours. Answer: D Explanation: Secedit.exe is a command line version of the Security Configuration and Analysis tool. In 'analysis' mode, this tool can be used to compare the current system settings with the required settings. We can use the Task Scheduler to run a script that runs secedit.exe to analyse the current settings. Incorrect Answers: A: A Group Policy startup script will only run when the computer starts up. It does not run every time the group policy is refreshed. B: This will reapply the required settings every 24 hours, but the question states that you want to capture any changes by comparing the current settings to the required settings. C: The gpresult utility is a command line version of the RSoP utility. In verbose mode, it will list the effective policies on a computer. However, it won't list the differences between the current settings and the required

070-293


settings. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Trainning Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 10:44

QUESTION 8: You are the network administrator for Certkiller 's Active Directory domain. Certkiller 's written security policy was updated and now requires a minimum of NTLM v2 for LAN manager authentication. You need to identify which Operating Systems on your network do not meet the new requirement Which OS would require an upgrade to the OS or software to meet the requirement? A. Windows 2000 Professional B. Windows Server 2003 C. Windows XP Professional D. Windows NT Workstation with service pack 5 E. Windows 95 Answer: E. Explanation: Windows 95 does not natively support NTLM v2 authentication. To enable it, you would need to install the Directory Services Client software. Incorrect Answers: A, B, C, D: Windows 2000 Professional, Server 2003, XP Professional, and NT Workstation with service pack 5 natively supports NTLM v2 authentication. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26

QUESTION 9: You are a network administrator for Certkiller Inc. The network consists of a single Active Directory forest as shown in the exhibit.

070-293


Certkiller 's written security policy requires that all domain controllers in the child1. Certkiller .com domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the ability to start a domain controller to the Domain Admins group. You need to configure the domain controllers in the child1. Certkiller .com domain to meet the new security requirements. Which two actions should you take? (Each correct answer presents part of the solution. Choose two) A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) on the child1. Certkiller .com domain. B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1. Certkiller .com domain. C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1. Certkiller .com domain. D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1. Certkiller .com domain. E. Run the system key utility (syskey) on each domain controller in the child1. Certkiller .com domain. In the Account Database Key dialog box, select the Password Startup option. F. Run the system key utility (syskey) on each domain controller in the child1. Certkiller .com domain. In the Account Database Key dialog box, select the Store Startup Key Locally option. Answer: C, E Explanation: Secure (Secure*.inf) Template - The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LANManager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LANManager responses. In order to apply Securews.inf to a member computer, all of the domain controllers that contain the accounts of all users that log on to the client must run WindowsNT4.0 Service Pack4 or higher. The system key utility (SYSKEY) is a security measure used to restrict logon names to user accounts and access to computer systems and resources. By running the syskey utility with the Password startup option, the account information in the directory services is encrypted and a password needs to be entered during system start. The start of the Domain Controllers is therefore restricted to everybody with this password. Incorrect Answers: A: The Rootsec.inf security template defines permissions for the root of the system drive. This template can be used to reapply the root directory permissions to other volumes. B: The Rootsec.inf security template defines permissions for the root of the system drive. This template can be used to reapply the root directory permissions to other volumes. D: We need to apply the policy to the domain controllers container, not the entire domain. F: The System Key Utility (syskey) is used to encrypt the account password information that is stored in the SAM database or in the directory services. By selecting "Store Key locally" the computer stores an encrypted version of the key on the local computer. This doesn't help in controlling the start of the Domain Controllers. Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard

070-293


Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26 David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION 10: You are a network administrator for Certkiller . The network consists of a single Active Directory forest. All domain controllers run Windows Server 2003. The bank decides to provide access to its mortgage application services from a real estate agency that has offices throughout the country. You install a Certkiller domain controller in each real estate agency office. You need to further protect the domain controllers' user account databases from unauthorized access. You want to achieve this goal by using the minimum amount of administrative effort. Which two actions should you take? (Each correct answer presents part of the solution. Choose two) A. Use the system key utility (syskey) with the most secure security level on the domain controllers. B. Create a Group Policy object (GPO), import the Securedc.inf security template, and apply the GPO to the domain controllers. C. Create a Group Policy object (GPO), configure the Network security: LAN Manager authentication level security option to the Send NTLMv2 response only\refuse LM setting, and apply the GPO to the domain controllers. D. Create a Group Policy object (GPO), import the DC security.inf security template, and apply the GPO to the domain controllers. Answer: A, B Explanation: On domain controllers, password information is stored in directory services. It is not unusual for password - cracking software to target the Security Accounts Manager (SAM) database or directory services to access passwords for user accounts. The System Key utility (Syskey) provides an extra line of defence against offline password - cracking software. Syskey uses strong encryption techniques to secure account password information that is stored in directory services. Mode 3 is the most secure Syskey utility, because it uses a computer-generated random key and stores the key on a floppy disk. This disk is required for the system to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer. Secure (Secure*.inf) Template define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LANManager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LANManager responses. Incorrect Answers: C: You should be importing the Securedc.inf security template instead of configuring the Network security: LAN Manager authentication level security option to the Send NTLMv2 response only\refuse LM setting. D: DC Security.inf templates contain a large number of settings, and in particular a long list of file-system permission assignments. For this reason, you should not apply these templates to a computer by using group policies. Reference:

070-293


David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION 11: You are the network administrator for Certkiller . The network consists of a single Active Directory domain Certkiller .com. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional. Certkiller has legacy applications that run on UNIX servers. The legacy applications use the LDAP protocol to query Active Directory for employee information. The domain controllers are currently configured with the default security settings. You need to configure enhanced security for the domain controllers. In particular, you want to configure stronger password settings, audit settings, and lockout settings. You want to minimize interference with the proper functioning of the legacy applications. You decide to use the predefined security templates. You need to choose the appropriate predefined security template to apply to the domain controllers. What should you do? A. Apply the Setup security.inf template to the domain controllers. B. Apply the DC security.inf template to the domain controllers. C. Apply the Securedc.inf template to the domain controllers. D. Apply the Rootsec.inf template to the domain controllers. Answer: C Explanation: Securedc.inf contains policy settings that increase the security on a domain controller to a level that remains compatible with most functions and applications. The template includes more stringent account policies, enhanced auditing policies and security options, and increased restrictions for anonymous users and LanManager systems. Incorrect Answers: A: This template allows you to reapply the default security settings. B: The DC security.inf template is available to undo security template policy settings. D: Rootsec.inf contains only the default file system permissions for the system drive on a computer running Windows Server 2003. You can use this template to restore the default permissions to a system drive that you have changed, or to apply the system drive permissions to the computer's other drives. Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 10 Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, Chapter 9

QUESTION 12: You are the administrator of the Certkiller company network. The network consists of a single active directory domain named Certkiller .com. The network includes 20 servers running Windows Server 2003

070-293


and 200 client computers running Windows XP Professional. The company purchases 10 new servers to function as file servers for the domain. You install Windows Server 2003 on the new servers. The computer accounts for the file servers are located on an OU named File Servers. A security expert configures one of the servers named CKFile1 with various security settings. You need to apply and maintain the same security settings on the remaining 9 servers. You need to do this by using the minimum amount of administrative effort. What should you do? (Choose two) A. Use disk imaging software to take an image of CKFile1. Apply the disk image to the remaining 9 servers. B. Use gpedit.msc to create a new Group Policy object (GPO). Manually configure the GPO with the same security settings as CKFile1. Link the GPO to the File Servers OU. C. Use gpedit.msc to create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU. D. On the PDC Emulator, use Security Configuration and Analysis to export the security settings to a security template. E. On CKFile1, use Security Configuration and Analysis to export the security settings to a security template. Answer: C, E Explanation: The easiest way to configure multiple computers with multiple security settings is to use a GPO. In this question, we have a computer configured with the required settings. We can use the Security Configuration and Analysis to export the security settings to a security template. We can then import the template into a Group Policy Object and apply the settings to the File Servers OU. Incorrect Answers: A: This could work (if we changed the computer names and SIDS), but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings are maintained. B: This is a long way of doing it and definitely not the least amount of administrative effort that will also accomplish the task. Exporting the settings to a security template would be easier and less effort. D: This would have no effect on the file servers. Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION 13: You are the administrator of the Certkiller company network. The network consists of a single Active Directory domain Certkiller .com. The network includes 30 servers running Windows Server 2003 and 2000 client computers running Windows XP Professional. 20 member servers are located in an organisational unit (OU) named Servers. 10 domain controllers are in the default Domain Controllers container. All 2000 client computers are located in an organisational unit (OU) named Clients. The member servers are configured with the following security settings: 1. Logon events must be audited.

070-293


2. System events must be audited. 3. Passwords for local user accounts must meet complexity requirements. 4. Passwords must be changed every 30 days. 5. Password history must be enforced. 6. Connections to the servers must be encrypted. The written security policy states that you need to be able to verify the custom security settings during audits. You need to deploy and refresh the custom security settings on a routine basis. What should you do? A. Create a custom security template and apply it by using a Group Policy linked to the Servers OU. B. Create a custom security template and apply it by using a Group Policy linked to the domain. C. Create and apply a custom Administrative Template. D. Create a custom application server image and deploy it by using RIS. Answer: A Explanation: The easiest way to deploy multiple security settings to a group of Windows 2003 computer is to create a security template with all the required settings and import the settings into a GPO. In this case, the security settings apply to local accounts on the servers. This means that we can apply the settings with a GPO assigned to an Organisation Unit containing the servers. Incorrect Answers: B: The security settings need to apply to the member servers only. Applying the GPO to the domain would affect all computers in the domain. C: We need a security template, not an administrative template. D: We cannot use imaging in this way. Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

QUESTION 14: Certkiller has a single active directory domain named Certkiller .com. The company's written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed. You create a security template named fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action if needed. You audit a file server by using fileserver.inf and receive the results shown in the exhibit. ***MISSING*** You want to make only the changes that are required to meet the requirements. Which two actions should you take? A. Correct the maximum application log size setting on the file server B. Correct the maximum security log size setting on the file server

070-293


C. Correct the maximum system log size setting on the file server D. Correct the retention method for application log setting on the file server E. Correct the retention method for the security log setting on the file server F. Correct the retention method for the system log setting for the file server Answer: B, E. Explanation: The Event Log security area defines attributes related to the application, security, and system logs in the Event Viewer console for computers in a site, domain, or OU. The attributes are: maximum log size, access rights for each log, and retention settings and methods. Event log size and log wrapping should be defined to match your business and security requirements. In this particular case you should be correcting the maximum security log size setting and the retention method for the security log setting on the file server so as to comply with the stated requirements. Incorrect answers: A, C, D, F: The question states that the company's written security policy requires that computers in a file server role must have a minimum file size for event log settings. And given the past experiences of the company regarding the size of security events and its retention, you should be correct the maximum log size and retention methods of the security logs and not the application log or the system log. Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 10 Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:6

QUESTION 15: You are the network administrator for Certkiller . The network consists of a single Active Directory domain named Certkiller .com. Certkiller 's perimeter network contains 50 Web servers that host the company's public Internet site. The Web servers are not members of the domain. The network design team completed a new design specification for the security of servers in specific roles. The network design requires that security settings must be applied to Web servers. These settings include password restrictions, audit settings, and automatic update settings. You need to comply with the design requirements for securing the Web servers. You also want to be able to verify the security settings and generate a report during routine maintenance. You want to achieve these goals by using the minimum amount of administrative effort. What should you do? A. Create a custom security template named Web.inf that contains the required security settings. Create a new organizational unit (OU) named WebServers and move the Web servers into the new OU. Apply Web.inf to the WebServers OU. B. Create a custom security template named Web.inf that contains the required security settings, and deploy Web.inf to each Web server by using Security Configuration and Analysis. C. Create an image of a Web server that has the required security settings, and replicate the image to each Web server. D. Manually configure the required security settings on each Web server.

070-293


Answer: B Explanation: The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a security template with all the required settings and import the settings using the Security Configuration and Analysis tool. Incorrect Answers: A: The web servers aren't members of the domain. Therefore they cannot be moved to an OU in Active Directory. C: We cannot use imaging in this way. D: This is a long way of doing it. A security template would simply the task. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57

QUESTION 16: You are the network administrator for Certkiller . The network consists of a single Active Directory domain named Certkiller .com. The company plans to deploy 120 Windows Server 2003 member servers as file servers in the domain. The new file servers will be located in a single organizational unit (OU) named File Servers. The security department provides you with a security template that must be applied to the new file servers. You need to apply and maintain the security settings contained in the security template to the new file servers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do? A. On a reference computer, use the Local Security Settings console to import the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer. B. On a reference computer, run the secedit command to apply the security template. Make use of imaging technology to install and configure the new file serves based on the configuration of the reference computer. C. Create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU. D. On the PDC emulator master in the domain, run the secedit command to apply the security template. Answer: C Explanation: We have a security template with the required security settings. We can simply import the template into a Group Policy Object and apply the settings to the File Servers OU. Incorrect Answers: A: This would work, but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template to the new file servers. Using a GPO, the

070-293


settings will be periodically refreshed, ensuring that the security settings 'maintained'. B: This would work, but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template to the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings 'maintained'. D: This would have no effect on the file servers. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:73

QUESTION 17: You are the network administrator for Certkiller . Certkiller is deploying a public Web server farm on Windows Server 2003 computers. This Web server farm will allow the public to view company information. The Web servers in the Web server farm will be placed in Certkiller 's perimeter network, which uses a public Internet address space. Certkiller wants to reduce the probability of external unauthorized users breaking into the public Web servers. You need to make the Web servers less vulnerable to attack. You also want to ensure that the public will be able to view information that is placed in Certkiller 's perimeter network. What should you do? A. Configure each Web server's IP address to a private reserved Internet address. B. Configure the Web servers to allow only IPSec communications. C. Disable any unneeded services on the Web servers. D. Disable TCP/IP filtering on all adapters in the Web servers. Answer: C Explanation: We should disable any unneeded services on the Web servers. This includes unneeded web services and unneeded server services. This will also ensure that no unnecessary ports are open on the servers. Reducing the Attack Surface of the Web Server - Immediately after installing Windows Server2003 and IIS6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server. When your Web sites and applications contain dynamic content, or you require one or more of the additional IIS components, you will need to enable additional features. However, you still want to ensure that you minimize the attack surface of the Web server. The attack surface of the Web server is the extent to which the server is exposed to a potential attacker. However, if you reduce the attack surface of the Web server too much, you can eliminate functionality that is required by the Web sites and applications that the server hosts. You need to ensure that only the functionality that is necessary to support your Web sites and applications is enabled on the server. This ensures that the Web sites and applications will run properly on your Web server, but that the attack surface is minimized. Incorrect Answers: A: The public web servers need public IP addresses. B: You can not use IPSec on public web servers. No one would be able to access the web pages.

070-293


D: TCP/IP filtering should be enabled, not disabled. Reference David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 1 MS Windows Server 2003 Deployment Kit Deploying Internet Information Services (IIS) 6.0 Reducing the Attack Surface of the Web Server

QUESTION 18: You are the network administrator for Certkiller . The network consists of a single Active Directory domain named Certkiller .com. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits. What should you do? A. Create a custom security template and apply it by using Group Policy. B. Create a custom IPSec policy and assign it by using Group Policy. C. Create and apply a custom Administrative Template. D. Create a custom application server image and deploy it by using RIS. Answer: A Explanation: The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a security template with all the required settings and import the settings into a group policy. We can also use secedit to analyse the current security settings to verify that the required security settings are in place. Incorrect Answers: B: An IPSec policy will not configure the required auditing policy. C: We need a security template, not an administrative template. D: This will create multiple identical machines. We cannot use RIS images in this scenario. Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57

QUESTION 19: Certkiller is a network administrator for Certkiller . The network consists of a single Active Directory domain Certkiller .com. The network contains 12 domain controllers and 50 servers in the application

070-293


server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Applications servers are required to audit account logon events, object access events, and system events. Application servers required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. Jack needs to deploy and refresh the custom security settings on a routine basis. She also needs to be able to verify the customer security settings during audits. What actions should Certkiller take? A. She should create a custom security template and apply it by using Group Policy. B. She should create a customer IPSec policy and assign it by using Group Policy. C. She should create and apply a custom Administrative Template. D. She should create a custom application server image and deploy it by using RIS. Answer: A Explanation: A security template is a physical file representation of a security configuration that can be applied to a local computer or imported to a Group Policy Object (GPO) in Active Directory. When you import a security template to a GPO, Group Policy processes the template and makes the corresponding changes to the members of that GPO, which can be users or computers. A Group Policy Object (GPO) is a collection of configuration parameters that you can use to create a secure baseline installation for a computer running Windows Server 2003. To deploy a GPO, you associate it with an Active Directory container, and all the objects in the container inherit the GPO configuration settings. Audit and Event Log policies enable you to specify what information a computer logs, how much information the computer retains in logs, and how the computer behaves when logs are full. Windows Server 2003 loads many services by default that a member server usually doesn't need. You can use a GPO to specify the startup type for each service on a computer. GPOs include a great many security options that you can use to configure specific behaviours of a computer running Windows Server 2003. Incorrect Answers: B: IPSec is required to secure network traffic, not application servers. C: Administrative templates are used to provide settings required to allow for the performance of administrative tasks. Security templates are used to provide security settings, such as minimum password lengths. D: Custom application server images deployed through RIS are used to install automate the installation of operating systems with applications pre-installed. It is not used to apply security settings. Reference: J. C. Mackin, and Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing, managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft Press, Redmond, Washington, 2004, Glossary Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 9.

QUESTION 20: You are the network administrator for Certkiller . The network consists of a single Active Directory domain Certkiller .com. Certkiller has an internal network and a perimeter network. The internal network

070-293


is protected by a firewall. Application servers on the perimeter network are accessible from the Internet. You are deploying 10 Windows Server 2003 computers in application server roles. The servers will be located in the perimeter network and will not be members of the domain. The servers will host only publicly available Web pages. The network design requires that custom security settings must be applied to the application servers. These custom security settings must be automatically refreshed every day to ensure compliance with the design. You create a custom security template named Baseline1.inf for the application servers. You need to comply with the design requirements. What should you do? A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO). B. Create a task on each application server that runs Security and Configuration Analysis with Baseline1.inf every day. C. Create a task on each application server that runs the secedit command with Baseline1.inf every day. D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the secedit command with Baseline1.inf. Answer: C Explanation: Secedit.exe is a command line tool that performs the same functions as the Security Configuration And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use Secedit.exe in scripts and batch files to automate security template deployments. Incorrect Answers: A, D: The Default Domain Policy Group Policy object (GPO) is applied to the domain controllers. We need to configure the application servers, not the domain controllers. B: Security and Configuration Analysis analyzes the security settings. It doesn't apply it. Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 10.

QUESTION 21: You are the network administrator for Certkiller . The network consists of a single Active Directory domain named Certkiller .com. The network contains a Windows Server 2003 member server named Certkiller Srv A. The network also contains a Windows XP Professional computer named Client1. You use Client1 as an administrative computer. You plan to use Microsoft Baseline Security Analyzer (MBSA) on Client1 to analyze Certkiller SrvA. However, the recent application of a custom security template disabled several services on Certkiller SrvA. You need to ensure that you can use MBSA to analyze Certkiller SrvA. Which two services should you enable? To answer, select the appropriate services to enable in the dialog box.

070-293


Answer:

Explanation: The Remote Registry and Server services should be enabled. The following are the requirements for a computer running the tool that is scanning a remote machine(s): 1. Windows Server 2003, Windows 2000, or Windows XP 2. Internet Explorer 5.01 or greater 3. An XML parser (MSXML version 3.0 SP2 or later) is required in order for the tool to function correctly. Systems not running Internet Explorer 5.01 or greater will need to download and install an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you opt to not install the XML parser that is bundled with the tool, see the notes below on obtaining an XML parser separately. 4. The IIS Common Files are required on the computer on which the tool is installed if performing remote scans of IIS computers. The following services must be enabled: Workstation service and Client for Microsoft Networks. The following are the requirements for a computer to be scanned remotely by the tool: 1. Windows NT 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows XP computers that use simple file sharing), or Windows Server 2003 2. IIS 4.0, 5.0, 6.0 (required for IIS vulnerability checks) 3. SQL 7.0, 2000 (required for SQL vulnerability checks) 4. Microsoft Office 2000, XP (required for Office vulnerability checks) The following services must be installed/enabled: Server service, Remote Registry service, File & Print Sharing Reference: From the readmefile for MBSA

070-293


Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12:50-51

QUESTION 22: You are a consultant for several different companies. You design the security policies for the computers running Windows 2003 Server and Windows 2000 Professional in your customers' networks. You use these security policies to configure a server named Server1. You want to deploy the security configuration on Server1 to computers in your customer's networks by using the least amount of administrative effort. What should you do first? A. Create a Group Policy Object (GPO) that configures the security settings for all computers to match the settings on Server1, and then link the GPO to the domain. Export the console list to a file. B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security template in a file. C. In the System Information snap-in, save the system summary as a system information file. D. In the Security Templates snap-in, export the console list to a file. Answer: B Explanation: We can use the Security Configuration and Analysis snap-in to export all the security settings from a computer to a template file. This will enable us to apply the same security settings to other computers. We can apply the template to other computers either by using the Security Configuration and Analysis snap-in (for single computers) or by importing the template into a group policy object (for multiple computers). Incorrect Answers: A: You have already manually configured the settings on Server1. It would be quicker to export them to a template file, rather than manually enter the settings into a GPO. C: The system summary does not contain the security settings. D: The console list does not contain the security settings. Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 13-57 to 13-65, 13-70-13-80.

QUESTION 23: You are a network administrator for Certkiller . The network consists of an intranet and a perimeter network, as shown in the work area. The perimeter network contains: 1. One Windows Server 2003, Web Edition computer named Certkiller 1. 2. One Windows Server 2003, Standard Edition computer named Certkiller 2. 3. One Windows Server 2003, Enterprise Edition computer named Certkiller 3. 4. One Web server farm that consists of two Windows Server 2003, Web Edition computers.

070-293


All servers on the perimeter network are members of the same workgroup. The design team plans to create a new Active Directory domain that uses the existing servers on the perimeter network. The new domain will support Web applications on the perimeter network. The design team states that the perimeter network domain must be fault tolerant. You need to select which server or servers on the perimeter network need to be configured as domain controllers. Which server or servers should you promote? To answer, select the appropriate server or servers in the work area.

Answer:

Explanation: We know that web editions cannot be domain controllers, and we want fault tolerance, which means two Domain Controllers. The answer is to promote the two servers that aren't running Web Edition to Domain Controllers ( Certkiller 2 and Certkiller 3). Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 1

QUESTION 24: You are the network administrator for Certkiller .com. Certkiller has 20,000 users in 20 physical locations worldwide. Certkiller is expecting to grow by 50 percent the next five years. Certkiller recently became a subsidiary of Humongous Insurance. Humongous Insurance has five other subsidiaries. Humongous Insurance has 100,000 users in 100 physical locations worldwide. Humongous Insurance uses the 10.0.0.0/8 network and requires that all subsidiaries integrate into this network. The network design team at Certkiller provides you with a network design for integrating into the Humongous Insurance network. The design specifies that Certkiller will use a single block of IP network numbers to assign IP addresses to its network. You need to plan the IP address space to meet the design specification. You need to request a block of IP addresses from Humongous Insurance that will accommodate all Certkiller users. To reduce the difficulty of obtaining the addresses and to conserve the Humongous Insurance address space, you want to request the smallest block of IP addresses that meets the design specification.

070-293


What should you do? A. Request a 10.0.0.0 block of IP addresses with an 8-bit subnet mask from Humongous Insurance. B. Request a 10.0.0.0 block of IP addresses with a 16-bit subnet mask from Humongous Insurance. C. Request a 10.0.0.0 block of IP addresses with a 24-bit subnet mask from Humongous Insurance. D. Request a 10.0.0.0 block of IP addresses with a 32-bit subnet mask from Humongous Insurance. Answer: B Explanation: We have 20,000 users in 20 locations which would give us an average of 1,000 users per location. We need to make provision for a 50% growth so that makes in 1,500 users per location. We need to integrate this network with the Humongous Insurance network which uses the 10.0.0.0 network. This means we must use the 10.0.0.0 network. Subnetting is the process of shifting the subnet mask so as to increase or decrease the number of bits reserved for the network addresses. In this instance we are using a Class A address, so the number of clients is important. A simple formula of 2(32-n)-2, where n is the number of bits in the subnet mask, can be used to calculate the number of hosts a network will support. The best subnet mask would be a 21-bit mask which would give us 2,097,150 networks with 2046 clients per network. However, a 21-bit subnet mask is not offered as an option so we must use the next best subnet mask which would be 16. This would give us 65,534 networks with 65,534 clients per network. Incorrect Answers: A: The default subnet mask for a Class A network is and 8 bit subnet mask of 255.0.0.0. This provides a total of 254 networks with 16,777,214 clients per network. This provides us with too mush clients as we want the smallest block of IP addresses that meets the design specification. C: A 24-bit subnet mask would give us 16,777,214 networks with 254 clients per network. This would be too few clients per network. D: We cannot use a 32-bit subnet mask as this is not a valid subnet mask. Reference: Thomas Shinder and Debra Littlejohn Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293, Syngress Publishing, Rockland, MA, 2004, pp. 173-180.

QUESTION 25: You are the network administrator for Certkiller . The company has a main office and two branch offices. The network in the main office contains 10 servers and 100 client computers. Each branch office contains 5 servers and 50 client computers. Each branch office is connected to the main office by a direct T1 line. The network design requires that company IP addresses must be assigned from a single classful private IP address range. The network is assigned a class C private IP address range to allocate IP addresses for servers and client computers. Certkiller acquires a company named Acme. The acquisition will increase the number of servers to 20 and the number of client computers to 200 in the main office. The acquisition is expected to increase the number of servers to 20 and the number of client computers to 200 in the branch offices. The acquisition will also add 10 more branch offices. After the acquisition, all branch offices will be the same size. Each branch office will be connected to the main office by a direct T1 line. The new company will follow the Certkiller network design requirements. You need to plan the IP addressing for the new company. You need to comply with the network design

070-293


requirement. What should you do? A. Assign the main office and each branch office a new class A private IP address range. B. Assign the main office and each branch office a new class B private IP address range. C. Assign the main office and each branch office a subnet from a new class B private IP address range. D. Assign the main office and each branch office a subnet from the current class C private IP address range. Answer: C Explanation: After the expansion the situation will be: 1. Main office 1. Need 220 IP, 20 for servers and 200 for clients 1. Branch Offices 1. Need 220 IP, 20 for servers and 200 for clients 2. We will have 12 branch offices 3. 12 x 220 = 2640 Total for all offices is 2640 + 220 = 2860. The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private Class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24 bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets. Incorrect Answers: A: The network design requires that company IP addresses must be assigned from a single classful private IP address range. B: The network design requires that company IP addresses must be assigned from a single classful private IP address range. D: The class C network does not have enough IP addresses to accommodate all the computers in all the offices. Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 23-26

QUESTION 26: You are the systems engineer for Certkiller . Certkiller has 20,000 users in a large campus environment located in London. Each department in the company is located in its own building. Each department has its own IT staff. The company's network is divided into several IP subnets that are connected to one another by using dedicated routers. Each building on the company's main campus contains at least one subnet, and possibly up to five subnets. Each building has at least one router. All routers use RIP v2 broadcasts. A new office in Dortmund has 25 users. Dortmund is connected to the main office with a Frame Relay line. Dortmund installs a server with RRAS and implements RIP v2. Later the Dortmund admin reports that his router is not receiving routing table updates from the routers at the main office. He must manually add routing entries to the routing table to enable connectivity between the locations. You investigate and discover that the RIPv2 broadcasts are not being received at

070-293


the Dortmund office. You also discover that no routing table announcements from the Dortmund office are being received at the main office. You need to ensure that the network in the Dortmund office can communicate with the main campus network and can send and receive automatic routing table updates as network conditions change. What should you do to the router in the Dortmund office? A. Configure the router to use RIPv1 broadcasts B. Configure the router to use auto-static update mode C. Add the IP address ranges of the main campus network to the routers accept list and announce list D. Add the IP addresses of the main campus routers to the router's neighbors list Answer: D Explanation: Routers need to read from an IP packet only the destination network address of which the particular destination host is a member. The routers then use information stored in their routing tables to determine how to move the packet toward the network of the destination host. Only after the packet is delivered to the destination's network segment is the precise location of the destination host determined. It looks like the Dortmund router is configured to use neighbors. Therefore, we need to add the IP addresses of the main campus routers to the router's neighbors list. Incorrect answers: A: Making Use of RIP v1 broadcast is not going to ensure that Dortmund will be able to communicate with the main campus since there are no routing table announcements from Dortmund at the main office. B: When you configure an interface to use auto-static update mode, the router sends a request to other routers and inherits routes. The routes are saved in the routing table as auto-static routes and are kept even if the router is restarted or the interface goes down. But this is not what is required here. C: This would be unnecessary since it will not be addressing the problem. Since Dortmund is configured to use neighbors, then you should rather add the IP addresses of the main campus routers to the router's neighbor list. Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2:14

QUESTION 27: You are the administrator of the Certkiller company network. The network consists of a single Active Directory domain Certkiller .com. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. The office uses a single class C private IP address range. The company announces a major expansion. Certkiller will open 12 branch offices. The 12 branch offices will connect to the existing office by direct T1 lines. Each branch office will have the same number of computers as the main office. You need to plan the IP addressing for the new company. You want to assign all company IP addresses from a single classful private IP address range. What should you do? A. Assign each office a new class C private IP address range.

070-293


B. Assign each office a new class B private IP address range. C. Assign each office a subnet from a new class B private IP address range. D. Assign each office a subnet from the current class C private IP address range. Answer: C Explanation: The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private Class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24 bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets. Incorrect Answers: A: The network design requires that company IP addresses must be assigned from a single classful private IP address range. B: The network design requires that company IP addresses must be assigned from a single classful private IP address range. D: The class C network does not have enough IP addresses to accommodate all the computers in all the offices. Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 23-26

QUESTION 28: You are the network administrator for Certkiller .com. Certkiller has offices in New York, Copenhagen and Ankara. The network consists of a single Active Directory domain and three sites. The sites are named NYsite, CopSite, and AnkSite. Certkiller is adding a new division at the New York office for publishing fiction books. You create a new organizational unit (OU) named Fiction for the fiction division. You add a new network segment and subnet for the fiction division. You plan to place new Windows XP Professional computers for the fiction division in the new subnet. You also plan to add a new domain controller to NYSite. You need to ensure that users in the fiction division use the domain controllers in the New York office when logging on to the network. What should you do? A. Decrease the metric for the default gateway on the new Windows XP Professional computers. B. Create a new subnet object for the new subnet. Add the new subnet object to NYSite. C. Configure the location attribute for the new Windows XP Professional computers to be NYSite. D. Move the domain controller objects for the domain controllers in the New York office to the Fiction OU. Answer: B Explanation: Subnets can be associated with a site by using subnet objects. This will ensure that users on a particular subnet log on to a domain controller in a particular site. Incorrect Answers:

070-293


A: This will not accomplish anything. C: The location attribute is for information only. It will not link the computer to the site. D: This will give the administrators of the Fiction OU control over the domain controllers in the New York office. It will not ensure that the users on the new subnet logon to the domain controller in the New York office. Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 27-30

QUESTION 29: You are a network administrator for Certkiller . All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a single DHCP server that services two subnets named Subnet CK1 and Subnet CK2 , as shown in the work area. All servers and the administrator client computer have manually assigned IP addresses. All other client computers are DHCP clients. The router on your network fails and is replaced by another router. After the router is replaced, client computers on Subnet CK2 cannot receive IP addressing from the DHCP server. You need to configure an appropriate host to be a DHCP relay agent. Which component should you use? To answer, select the appropriate component in the work area.

Answer: Explanation: Select the Print Server. DHCP relay agents intercept DHCP Discover packets and forward them to a remote DHCP server whose address has been preconfigured. Although DHCP Relay Agent is configured through Routing And Remote Access, the computer hosting the agent does not need to be functioning as an actual router between subnets. Reference: J. C. Mackin, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, 2004, Chapter 9

070-293


QUESTION 30: You are a network administrator for Certkiller . All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers, 300 Windows 2000 Professional computers, and 150 Windows XP Professional computers. According to the network design specification, the Kerberos version 5 authentication protocol must be used for all client computers on the internal network. You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network. What should you do? A. On each domain controller, disable Server Message Block (SMB) signing and encryption of the secure channel traffic. B. Replace all Windows 98 computers with new Windows XP Professional computers. C. Install the Active Directory Client Extension software on the Windows 98 computers. D. Upgrade all Windows 98 computers to Windows NT workstation 4.0. Answer: B Explanation: By default, in a Windows 2003 domain, Windows 2000 and Windows XP clients use Kerberos as their authentication protocol. Windows 98 doesn't support Kerberos authentication. Therefore, we need upgrade the Windows 98 computers. Incorrect Answers: A: This will not enable the Windows 98 clients to use Kerberos authentication. C: The Active Directory Client Extension software does not enable Windows 98 clients to use Kerberos authentication. D: Windows NT 4.0 does not support Kerberos authentication. Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 39-42

exam 070-293 title planning and maintaining a microsoft ... server 2003 network infrastructure. ......

Documents