Q.1) Your computer that is located in the data center is currently and temporarily unavailable for a while. You are required to create a OU for one of the team that has been freshly recruited and is starting its induction program in 30 minutes. You access one of the users� computers and see that it does not have enough memory for you to use the GUI tool to create the required OU. Which tool must you use?

    A. Use the CLI tool Dsmod   B. Use the CLI tool Dsquery   C. Use the CLI tool Dsadd (correct answer)   D. Use the CLI tool DCPromo

 Explanation Dsadd is the CLI tool that is used to add users, groups, organizational units, and contacts, to Active Directory

Unanswered Q.2) Which of the following Operations Masters is mainly responsible for creation of Active

Directory objects?     A. Global Catalog Server   B. Schema Master (correct answer)   C. Infrastructure Master   D. None of the above

 

Explanation The Schema Master is responsible for managing and maintaining the master list of all classes and attributes that will be used to create Active Directory objects.No object can be created in a domain that has lost its link with the Schema master.

Unanswered Q.3) You are required to bring one of the DC (Domain Controllers) out of the network for

maintenance task. It is required that you shift the database and the log files to one of the new DCs with better resources in the domain. What should you do?

    A. Restart the DC using Advanced Options and Choose DS Restore mode (missed)   B. Restart the DC in DS Restore mode (missed)   C. Choose the move DB option of the ntdsutil   D. Choose the shift DB option of the ntdsutil

 

Explanation You must restart the Domain Controller in the Directory Service Restore mode, by choosing Windows Advanced Option at restart. Use the ntdsutil command and choose the option moveDB to option to shift the database and the log file to the new DC.

Unanswered Q.4) Which of the following will help to defragment the hard disk on a DC in the Windows

Server 2003?     A. Running Scandisk on the DC   B. Running a defragment tool on the DC   C. Restarting the DC in DS Restore mode and using compact db. (correct answer)   D. Restarting the DC in DS Restore mode and using zip db.

 Explanation Ensure the said DC is offline. Restart the DC in DS Restore mode and use the compact db option in the ntdsutil command.

Unanswered Q.5) Assuming the domain name for your organization is MetroTech and that you have

created a new DFS root by name DFSR, which of the path will you choose while linking a new share to this root during the process of publishing?

    A. \\MetroTech.com\DFSR   B. \\MetroTech.MSFT\DFSR (correct answer)   C. \\MetroTech\DFSR   D. \\DFSR\{share name}

 Explanation The right path to be chosen while creating a link to the root of DFS in this case is \\MetroTech.MSFT\DFSR

Unanswered Q.6) Given the address 172.16.10.5 255.255.128.0, what would be the Subnet Id for this

network?     A. Subnet Id is 172.16.10.0 (correct answer)   B. Subnet Id is 172.16.0.1   C. Subnet Id is 172.16.0.2   D. Subnet Id is 172.16.10.3

 Explanation To arrive at the subnet Id you must perform AND operation between the subnet mask and the IP address. Considering the same, the subnet id is 172.16.10.0

Unanswered Q.7) Which of the following is referred to as an APIPA by the Microsoft Operating systems

such as Windows XP, Windows 2000 and Windows Server 2003?     A. 10.0.0.0/30   B. 169.254.0.0/16 (correct answer)   C. 172.16.0.0/30   D. 192.168.0.0/30

 

Explanation Automatic Private IP Address is a process of assigning IP address to a host within a private network in situations where the host is a DHCP client but is unable to reach the DHCP server either for the first time assignment of IP address or when the lease period of the existing IP address has lapsed before it could renew it with its DHCP server.

Unanswered Q.8) Your client has expanded their company recently and has moved to Windows Server 2003

based domains. They have hence decided to discard the existing static IP address configuration on the network and have moved to dynamic configuration. The total number of clients will be at least 100 and is bound to increase by at least 45 in the near future and by some more down the line. You are required to plan a private IP address range that will accommodate these numbers of clients. You are also required to propose a plan that will

help you provide name resolution without affecting the network traffic significantly and also will not require overseeing as their administrators are not yet trained for the proposed upgradation. What should you do? Each solution represents a part of the complete solution. Choose all that apply.

    A. Use Private IP address 172.16.0.0/30   B. Use Private IP address 192.168.2.0/24 (missed)   C. Configure DDNS and integrate it with ADS. (missed)   D. Configure DNS and integrate it with ADS   E. Also enable self registration of clients (missed)

 

Explanation The subnet mask with 24 bits in ht network portion for the Private network 192.168.2.0 provides for 255-2 = 253 addresses. This is adequate for the immediate as well as the future requirements of IP addresses. Configuring DDNS will integrate DNS with DHCP and self registration of clients will ensure the moment IP is assigned to a host from the DHCP server the registration of the clients with the DNS will be automatically taken care. Integrating DNS with ADS will take care of replicating DNS database to all DNS servers on the network automatically.

Unanswered Q.9) Lately you received complaints from many of your network users that their computers

no longer have an IP address. When you restart some of the clients when most of the computers are shut down, you are successful in getting the clients to be assigned with IP addresses. You decide to capture relevant data on the DHCP server to help you analyze if the DHCP is processing request as efficiently as it should. Which of the following is the correct information to be captured?

    A. DHCP replication notification   B. DHCP requests (missed)   C. DHCP acknowledgements (missed)   D. DHCP negative acknowledgements (missed)   E. DHCP lease duration

 

Explanation To analyze if the DHCP server is processing client request efficiently you must be able to judge the time gap between DHCP request and DHCP acknowledgements and the no. acknowledgements against he no. of negative acknowledgements.

Unanswered Q.10) After adding a new server to Dept1 of your network, you have been receiving too many

calls relating to resource access from the users. The new server will be accessed by three departments Dept1, Dept2 and Dept3. The network performance has drastically reduced after this latest addition. You decide to analyze the entire situation and collect the following data: � Old Server shows 80 percent utilization. � 45% of the network utilization is due to the new server � New hosts a database that is used extensively by all the Dept1, Dept2 and the Dept3. What should you do? Each choice represents a part of the solution. Choose all that apply.

    A. Old server does not need any action (missed)

  B. Add a replica of the new server in the other two departments (missed)   C. Move all the servers to switch ports rather than hubs   D. Add more hubs in the network

 

Explanation 80% utilization for a network server is acceptable and hence does not require action. Where as the new server has a database, that is constantly used across the network and is adding to the network congestion. To ease this congestion you may consider implementing replicas of these servers in each department where it is continuously accessed.Moving all servers to switch ports is not practical unless the network diagram for this network can be viewed.

Unanswered Q.11) You are concerned about the security of your servers within the network even though

you are constantly taking care of the vulnerabilities. You need to secure them from external attacks. You have implemented a perimeter network and have also implemented firewall services on the border of your internal network. What more can you do to ensure your perimeter network will secure your internal network against external attacks?

    A. Implement NAT in the perimeter network   B. Configure your routers with access lists (correct answer)   C. Configure your routers with relevant routing protocols   D. Implement proxy service in the perimeter network

 

Explanation NAT as well as Proxy services are required on the perimeter network even if security was not an issue because at the border of the perimeter network the private network address gets translated to public network address and vice versa for the purpose of Internet access.Even though NAT and Proxy service provide security by hiding internal network address from the outside world, the router can be more effective if you implement the accurate access list to ensure only authorized packets can enter the network and access the relevant service within the network.

Unanswered Q.12) A VLAN is also referred to as an isolated LAN. T/F?     A. True   B. False (correct answer)

 Explanation When a router splits one physical network into 2, each resulting network is referred to as an isolated LAN

Unanswered Q.13) Your client Delta Electronics is a production and sales company that has its office

across the globe. Their main office in London has 40 Domain Controllers and 2000 clients along with 65 member servers. Their network in the main office is spread across different departments. Of all the departments, the Finance and the Sales are the two departments that are extremely congested. This added to the fact that he rest of the network is also congested to quite an extent is bringing down the productivity and the

efficiency of the entire task force. The company is planning on adding about 25 more dedicated servers on to the network. They need your analysis regarding the improvisation of network efficiency. What would you suggest? Choose all that apply.

    A. The Finance and the Sales department need more switches than hubs

  B. The Finance and the Sales department need to be split from the rest of the network using routers with relevant access list on the router and permissions attached to the resources (missed)

  C. Avoid additional servers and accommodate the new services on the existing ones

  D. Design a server farm with a Layer 3 switch connecting the rest of the network to the server farm (missed)

  E. Design a server farm with a router connecting the rest of the network to the server farm

 

Explanation Since the Finance and the Sales department are most congested, it is a good plan to separate these two networks from the rest using routers. Usually these two departments have more of outgoing traffic rather than the incoming traffic due to the nature of their work, hence implementing access list and securing resources with relevant permissions will be easily manageable.Implementing a server farm along with splitting the above said networks from the main network will ease the congestion on the main network considerably. The server farm needs a layer 3 switch that can re-route services or access to service within the network rather than the router.

Unanswered Q.14) Which of the following features are supported by the IAS server?     A. Proxy service (missed)   B. Enterprise Firewall (missed)   C. Web Server cache (missed)   D. SNMP

 Explanation The IAS supports Proxy service, firewall service, Web caching service and Unified Internetworking management

Unanswered Q.15) View the exhibit. You are configuring a RADIUS client and in the process creating a

dial-in profile for the purpose of testing the connectivity alone. Which of the option given in the choices section would you chose for authentication type here?

 

  A. MS-CHAP v2   B. MS-CHAP   C. CHAP   D. SPAP   E. Unauthenticated access (correct answer)   Explanation

Since the dial-in profile being configured is just to check the connectivity of the RADIUS client with its server, it would be appropriate to check the �Unauthenticated

access� option. Unanswered Q.16) Network load balancing service requires the quorum for successful operation. T/F?  

  A. True   B. False (correct answer)

 Explanation Network load balancing clusters do not support Stateful applications and hence do not require the quorum.

Unanswered Q.17) Which of the following is maintained by the quorum service?  

  A. Configuration information (correct answer)   B. State information   C. Cluster information   D. None of the above

 Explanation The quorum service provides physical storage to store or maintain the configuration information which is combination of cluster service and state information.

Unanswered Q.18) The existing file servers on your network are not uniformly distributed withload, one of it

has more data stored in it than the others. You fear that it is near failure and intend to do something about its fault tolerance. All servers have the state of art hardware configuration and have uniform hardware resources. There are 3 such servers. What should you do?

 

  A. Nothing, just redistribute the data between the servers.   B. Configure Server cluster using the local hard disk of the overly loaded server.   C. Use a shared network volume and implement a Cluster service for the servers (missed)   D. Implement a standard cluster (missed)   E. Ensure the quorum is configured on a RAID system (missed)

 

Explanation Server cluster should be implemented and the quorum resource should be implemented on a shared network volume that will be accessible fully by all cluster nodes. It is ideal to implement the quorum resource either on a SCSI based RAID system or on a SAN, as this will provide it with adequate fail over.

Unanswered Q.19) The CHKDSK command results can be viewed using the event viewer. T/F?  

  A. True (correct answer)   B. False

 Explanation The CHKDSK command creates the �cluster.log� this information is also reported in the Application log of the Event viewer.

Unanswered Q.20) Which of the following statements is true regarding the NLB?  

  A. It can support multiple NICs only in Windows Server 2003 (missed)   B. It cannot support multiple NICs in Windows Server 2003   C. It can support multiple NICs in Windows 2000   D. It cannot support multiple NICs in Windows 2000 (missed)

 

Explanation Network Load Balancing could not be implemented for multiple NICs in Windows 2000, but now with Windows Server 2003, NLB can be implemented in scenarios where multiple NICs are required since this support is available with Windows Server 2003

Unanswered Q.21) You are the administrator for MetroTech World. Yours is an enterprise network. You

are responsible for all the domain controllers, member servers, routers and switches on your network. You perform maintenance of routers in remote locations too. Lately, you have deployed IPSec policies that strictly prohibit network traffic that is not either linked to any particular application or is not secured or accounted for. All applications required even rarely on the network have been audited for and IPSec policies were designed accordingly. You are now logging into a remote router and are unsuccessful in doing so. You suspect connectivity problem and try using commands such as Ping and Trace. You are unable to do so. What should you do?

 

  A. Re-deploy all IPSec policies and this time test thoroughly before deploying them.   B. Review the IPSec policies required for the network once again   C. Exempt all ICMP related traffic from IPSec policies (correct answer)   D. Request for the router on the other end to be restarted

 

Explanation Along with applications on the network being audited for requirement, you should have used monitoring tools to capture the type of network traffic that existed on the network before IPSec planning and deployment. This would have given you a fair idea of the protocols that would be required along with the applications. All connectivity related diagnostics will rely on ICMP and hence ICMP must be exempted from restrictions within the network.

Unanswered Q.22) Which of the following should be used to protect corporate Wireless LAN?  

  A. IPSec transport mode   B. Wired Equivalent Privacy (WEP) encryption (missed)   C. IEEE 802.1X authentication (missed)   D. IPSec tunnel mode   Explanation

IPSec transport mode and tunnel mode does to agree too well with corporate networks that use Wireless LAN as they may have mobile devices that would be using dynamic IP configuration to connect to the network.

WEP encryption and IEEE 802.1X authentication are better for protecting corporate Wireless LAN

Unanswered Q.23) IPSec policies cannot negotiate security for which of the following type of

communication?  

  A. Wireless   B. Wired - Unicast   C. Multicast (missed)   D. Broadcast (missed)

 Explanation IPSec policies cannot negotiate security for multicast and broadcast communication types.

Unanswered Q.24) Which of the following authentications methods used by IPSec is/are most secure?  

  A. Kerberos V5   B. Certification (correct answer)   C. Preshared key   D. Token

 Explanation Of all the authentication types used by IPSec, certificates are the most secure.

Unanswered Q.25) Your company has just gone in for a merger with the competitor company. Both the

companies have been totally upgraded to Windows Server 2003 single domains respectively. You are required to enable sharing of resources between the two networks in a way such that the resources are protected from unauthorized access on both sides of the network. Authentication rules from both ends must be very strict. What would you suggest? Each solution forms a part of the total solution. Choose all that apply.

 

  A. Establish a two-way trust between the two networks. Audit resource access (missed)

  B. Establish a two-way trust between the child level domains.   C. Implement certificates (missed)   D. Implement Kerberos V5.   E. Implement tokens

 

Explanation Establishing a two-way trust ensures that the path or direction for resource access is set. Auditing resource access ensures that unauthorized access can be prohibited. Although Kerberos V5 would have sufficed for authentication, since the requirement for authentication is that it should be very strict, it is required that you implement certificates here.

Unanswered Q.26) You company has merged with another company. For the time being until the written

company policies for the network merger are in place, you are required to allow limited access to users from the other network to yours. You are unaware of the security implementation of the other network. You are required to implement IPSec policies for allowing access to the users from the other network but the priority is for connection and not security. What should you do?

 

  A. Deploy certificates   B. Implement Server (Request Security) on your end of the network   C. Implement Server (require Security) on your end of the network (correct answer)   D. Implement Client (Respond Only) on your end of the network

 

Explanation Since you are unaware of the security implementation on the other end and also the consideration here is more for connection than security, you must implement IPSec Server (request Security) on your end of the network. This will ensure that if the security on the other end matches the connection will be secured otherwise the connection will still be successful minus the security.

Unanswered Q.27) You are the administrator for Contoso Ltd. You have designed and created IPSec

policies for your network. You have tested these policies on a test environment and they have proved successful. You are now deploying these policies on a live network and they fail to achieve the desired results. Which of the following could be causing a problem?

 

  A. These policies are totally unsuitable for the network that you are deploying it on.

  B. There may be some existing default policies that you haven�t removed. (correct answer)

  C. You have not tested the connectivity before deployment.

  D. Nothing, just re-deploy the policies. It should work since it worked on the test environment.

 

Explanation Whenever deploying policies on a network, ensure the default policies have been removed in the first place. Since any mismatch in the new policies may call for the default policies to get applied, it is best to do away with default policies when new policies are being introduced to the network

Unanswered Q.28) Which of the following types of IPSec categories is incapable of initiating a connection

during authentication?  

  A. Server (Require Security)   B. Server (Request Security)   C. Client (Respond only) (correct answer)   D. None of the above   Explanation

Client (Respond Only) as the name suggests is supposed to respond to an initiated

connection only. It cannot initiate a connection on its own. Unanswered Q.29) Your client an IT-based customer service company has hosted all its call database on its

Intranet. These servers will be accessed by customer service representatives to refer to call history as well as the knowledge base to solve existing problems. Your client needs a fool proof method to protect these servers from unauthorized access. What should you do? Choose all that apply.

 

  A. Audit for success and failure of events.   B. Implement strict authentication of users using IPSec policies. (missed)   C. Implement strict authentication of computers using IPSec policies. (missed)   D. Use certificates to encrypt communication.

 

Explanation When users are authenticated using strict IPSec policies, unauthorized users cannot access these web servers. When computers are authenticated using IPSec policies, it will take care of eaves dropping or the man in the middle type of attacks. Certificates may also be used but since the situation is not requiring communication security, just using IPSec policies for authentication is sufficient.

Unanswered Q.30) You have hosted a new Web server that contains product catalog for all manufactured

products of your company. You are the internal as well as Web administrator for this company. The company policy states that this server must be accessible to dealers as well as vendors and should not be a part of the internal network. You are concerned for the safety of this server in terms of data as well as the server itself. What should you do?

 

  A. Bring the server into the internal network in spite of the company�s written policies.   B. Implement perimeter filtering. (missed)

  C. Shift the Web server to the data center and ensure its physical access is constantly monitored. (missed)

  D. Make this server a SNMP client.

 

Explanation Perimeter filtering is useful when a secure layer of access filtering is needed for the specific resources on the border of the network. By shifting the server to the server room you can monitor who is physically accessing this server and if they are the ones who are authorized to do so or no. SNMP clients retrieve information and are of no use here.

Unanswered Q.31) Which of the following is essential for server hardening?  

  A. Disable all guest accounts (missed)   B. Disable all unused services.   C. Encrypt all stored information. (missed)   D. None of the above.   Explanation

Disabling all guest accounts and disabling all unused service will to quite an extent

protect a server from unauthorized or unwarranted access. Unanswered Q.32) Hardware locks are more secure than BIOS passwords as far as securing a server goes.

T/F?  

  A. True   B. False (correct answer)

 

Explanation Hardware locks and BIOS passwords are meant for different purposes. Hardware locks are meant to physically secure a server where as BIOS passwords ensure that an unauthorized user does not gain access to the OS. They cannot be compared with each other for purpose of safe guarding the server. They are both equally important.

Unanswered Q.33) Whenever a Certificate Server gets upgraded the entire pending request will be deleted

and will have to be raised freshly by the clients. T/F?  

  A. True   B. False (correct answer)

 

Explanation Whenever a certificate server is being upgraded, if the same database has to carried over to the new version of the service then the database will have to be preserved. This configuration applies to the pending requests as well.

Unanswered Q.34) Which of the following servers are identical in their role and can replace each other in

different scenarios?  

  A. Root CA (missed)   B. Subordinate CA   C. Stand alone CA   D. Enterprise CA (missed)

 

Explanation The Root CA and the Enterprise CA both perform the same role in different network scenarios. Subordinate CA is in the bottom level of the hierarchy and the Standalone CA does not function in the top-level of the hierarchy.

Unanswered Q.35) You have just configured a server as a CA and you are required to introduce it to the

network to allow it to start issuing certificates. Which of the groups would you add this CA server to if you have to achieve the said goal?

 

  A. Enterprise admin group   B. Cert publishers group (correct answer)   C. Cert managers group   D. None of the above

 Explanation Cert publishers group is correct. Enterprise admin group and the cert managers group are irrelevant here.

Unanswered Q.36) You have implemented a single domain forest for your company which is a Windows

Server 2003 based network. Now, your company s taking over a competitor company, this company too is a similar sized Windows Server 2003 network. You have established an explicit two way trust between the forests to accommodate resource sharing between the two networks. Which of the following authentication methods would be ideal in this scenario? Choose two

 

  A. Kerberos V5 (missed)   B. Certificates (missed)   C. Preshared keys   D. Tokens

 

Explanation Kerberos is meant for secure environments that have trust established and certificates too are meant for higher level of security than preshared keys.Hence choice C is correct and choices A, B, D are incorrect.

Unanswered Q.37) Which of the following statements relating to the upgrade process from Windows NT

4.0 Certificate server to Windows 2003 based Certificate Server are true? Choose all that apply.

 

  A. The Certificate Service can automatically upgrade from Windows NT 4.0 to Windows Server 2003.

  B. Windows 200 Certificate Server cannot be automatically upgraded to Windows Server 2003.

  C. Windows NT 4.0 Certificate Service cannot be upgraded or migrated directly to Windows Server 2003 Certificate Service. (missed)

  D. If a Windows NT 4.0 based certificate server were to be forcibly upgraded to Windows Server 2003 based Certificate server, the service no longer exist on the upgraded server. (missed)

 

Explanation When migrating from Windows NT 4.0 Certificate Service to Windows Server 20003 based Certificate Server, You will have to migrate first to Windows 2000 and then to Windows Server 2003 Certificate service if the setting will have to be preserved. There are chances that a forced upgradation will result in the Certificate Service to uninstall itself at the end of the installation.

Unanswered Q.38) You are the administrator for MetroTech World. Metro Tech World uses certificate based

authentication. There already exists a CA in the network that has so far been issuing certificates. You are now trying to issue certificates for users in a child domain and get �Privilege violation� error. What should you do?

 

  A. Restart the CA server   B. Ensure the CA is not a stand alone server   C. Manually add the CA to the cert publishers group (correct answer)   D. Reinstall the CA.

 

Explanation In situations of ongoing upgradation to the network, the Enterprise CA is already in place and the will have to be added to the cert publishers group manually each time a child domain is added to the network. Otherwise the error message as stated may be generated whenever a certificate is being issued to the child domain

Unanswered Q.39) The certlog-warning level will log messages to the event viewer about the Certificate

server in maximum detail. T/F?  

  A. True   B. False (correct answer)

 Explanation The certutil command when used with the �certlog-verbose� level will log detailed errors into the Event viewer.

Unanswered Q.40) Which of the following cannot be directly upgraded to a Windows Server 2003 Enterprise

Root CA?  

  A. Windows NT 4.0 based CA (correct answer)   B. Windows 2000 Root CA   C. Windows 2000 Stand-alone CA   D. Windows 2003 Stand-alone CA

 Explanation The Windows NT 4.0 based CA needs to be first upgraded to Windows 2000 based CA and then to a Windows Server 2003 Enterprise Root CA.

Unanswered Q.41) For the purpose of Web enrollment, it is mandatory that the IIS server should be running

on the Root DC. T/F?  

  A. True (correct answer)   B. False

 Explanation It is snot required that the IIS server must be running on the Root DC for the purpose of Web enrollment. The IIS server may be running on any of the resource servers also.

Unanswered Q.42) Which of the following permissions is required by a user whose enrollment request can be

granted?  

  A. Read permission (missed)   B. Enroll permission (missed)   C. Auto enroll permission (missed)   D. Deny permission

 Explanation For a user who can request to be enrolled and whose request can be granted, he/she must have read, enroll, and auto enroll permissions.

Unanswered Q.43) You have just upgraded your CA in the domain. You notice that all clients whose

requests are freshly being granted are working all right but all clients whose keys were generated by the old CA are having problems with the new CA and also the new CA has failed to recognize all such clients. What could the problem be?

 

  A. The existing key pairs have not been backed up during upgrade.. (correct answer)   B. The CA database has not been backed up during upgrade.   C. The backup procedure was not carried out correctly.   D. The CA has not been restarted after upgrade.

 

Explanation It is mandatory to backup existing key pairs, CA Database, CA Certificate, and private keys explicitly when upgrading a CA from older version to a newer one. If the key pairs do not get preserved, the old clients will not be recognized by the new CA.

Unanswered Q.44) Which of the following will help to start the Certificate services from the command

prompt?  

  A. net start certsvc (missed)   B. net start   C. netstart certsvc   D. Service tool in the Administrative tools category (missed)   E. Service tool in the Control Panel

 Explanation Net start certsvc is the CLI to start the Certificate service where as the GUI for the same will be the Service tool in the Control Panel.

Unanswered Q.45) The CA version is the version of the Certificate service running on the OS. T/F?  

  A. True   B. False (correct answer)

 Explanation The CA version indicates the number of renewals the CA certificate has undergone and the number of keys that have been generated with the renewals.

Unanswered Q.1) To configure your resource server as a Web server, which of the following services is

mandatory on your resource server?     A. Internet Information Service (IIS) (correct answer)   B. RAS/VPN Service   C. Router Service   D. File Server Service

 

Explanation RAS/VPN service is required if your resource server will be accepting inbound dial-in connections from remote clients. Router Service is required on your resource server only if the server is bound to communicate between two distinct subnets. File Server Service is required if your resource server is going to be configured as a File Server. For your resource server to be a Web Server, you only require the IIS service running on it.

Unanswered Q.2) You have configured a Windows Server 2003 network across 3 different physical sites,

Site 1, Site 2 and Site 3. Each of these sites has 2 domain controllers. One of these sites, Site 3 does not need replication. In between the other two sites Site 1 and Site 2, the domain controllers are named S1DC1, S1DC2, S2DC1 and S2DC2 respectively. You are required to configure replication between S1DC1 and S2DC1 only. What should you do? Choose the most practical solution.

 

  A. Ensure there is a dedicated physical WAN link between S1DC1 and S2DC1 only for the purpose of replication.

  B. Configure S1DC1 and S2DC1 as Preferred Bridgehead Servers (correct answer)   C. Configure S1DC2 and S2DC1 as Preferred Bridgehead Servers Standalone Servers   D. Configure S1DC2 and S2DC2 as Preferred Bridgehead Servers.

 

Explanation A dedicated WAN link between the DCs for the purpose of replication is not a practical solution at all. Configuring either S1DC2 or S2DC2 as a preferred Bridgehead server will not achieve the desired replication as stated in the question statement.Since you are required to configure replication between S1DC1 and S2DC1 only, You must configure S1DC1 and S2DC1 as Preferred Bridgehead Servers.

Unanswered Q.3) You have just configured your resource server as a File Server. Before allowing users to

access this resource server, you are required to ensure no user will be allowed to use more than 100 MB of disk space on this server and also will access resource as per the roles they play in the organization. What should you do? Choose all that apply.

 

  A. Create groups based on roles and assign local permissions to resources accordingly to each group (missed)

  B. Divide hard disk into as many partitions as users and ensure each partition is not exceeding 100 MB disk space.

  C. Assign 100 MB Disk quota (missed)

  D. Create groups based on roles and assign share permissions to resources accordingly to each group. (missed)

  E. None of the above.

 

Explanation To ensure the users are accessing resources as per their roles only, you must assign local permission as well as share permission to the users on those resources. The most strict permissions will be effective to users who are logged on to the network and are accessing those resource over the network.

To ensure each user, does not use up more than 100 MB of disk space on the resource server, you must assign disk quota

Unanswered Q.4) You are the administrator for Metro Tech World. Your company has recruited a team of

research executives who need to research on a new project. For this reason they will be extensively using the Internet and saving all relevant data on to the File Server that is already running a backend database for this project. You are required to ensure these executives will be assigned only 200 MB of disk space. As per written company policies, you are not allowed to use up the disk space on the server by logging the warnings relating to disk space as the team is quite large. What should you do next? Choose your course of action from the choices given below. Choose all that apply.

 

  A. Configure disk quota, by checking the option �setup disk quotas for new users�. Also check �deny disk usage exceeding disk limit�. (missed)

  B. Limit disk space to at least 200 MB   C. Limit Disk space to 200 MB (missed)   D. Email users who are nearing the disk limit to warn them.

  E. Set up a warning limit and the user will be informed through messages when they reach that limit. (missed)

 

Explanation The OS itself will pop-up messages to users when they near the disk limit if you enable the warning limit option.By checking the option �deny disk usage exceeding limit�, you have ensured that no user will be using more than 200 MB of disk space.

Unanswered Q.5) You are the administrator for MetroTech World. Yours is a Windows Server 2003

network that is spread over 5 geographical location. The Head office in Canada has a DFS root whose replica is situated in New Jersey. You have WAN links that will be used for replication by DCs, DNS servers and the said DFS connection. The priority of WAN link usage has been assigned to DCs provided the other replications are not already in progress. Lately the replication between the DFS root and its replica is so extensive that it is hampering the important replication process between the DCs and the DNS servers. You check the caching duration for the DFS and observe that it has been set for much lesser than default values. What should you do?

    A. Disable Caching   B. Set Caching to default values   C. Set Caching to values higher than the default values (correct answer)   D. Set up a DDR connection between the DFS root and the replica

 

Explanation The default time for caching links is 30 minutes. Since the replication between the DFS root and link is so extensive, even setting the values to default may not help. The priority replication here is DCs and then the DNS servers. Hence the replication between the DFS root and its replica must be much higher than default values and must be configured after careful analysis of the situation with exact data on hand.

Unanswered Q.6) Which of the utility is used to prepare for a forest upgrade?     A. Adprep / forestprep (correct answer)   B. Adprep / domainprep   C. Adprep   D. forestprep

 Explanation Adprep / forestprep is used to upgrade a forest, and Adprep / domainprep is used to prepare the domain for upgrade

Unanswered Q.7) Which of the following can disrupt the authentication process on a domain based

Windows Server 2003 network?     A. GC (correct answer)   B. DC   C. Member Server   D. Stand alone server

 

Explanation It is the Global Catalog (GC) server that contains the information of Universal Group Membership. Users who need forest wide access to resources are a part of the Universal Group. If for some reason this membership information is unavailable then such a user will be denied access

Unanswered Q.8) Which of the following is the most simple and a preliminary method of recovering a DC

that has crashed?     A. Restart the DC   B. Use the recovery console   C. Use safe mode restart   D. Last Known Good Configuration (correct answer)

 

Explanation The most preliminary way of recovering a server is to use the LKGC. Next would be the Safe mode restart, and then the Recovery console mode which is more complex than the other two methods.

Unanswered Q.9) Which of the following are the most effective methods of implementing Server

availability on the network?     A. Network load balancing (missed)   B. Server clustering (missed)   C. DFS implementation   D. EFS implementation

 

Explanation NLB and Clustering are the most effective methods of implementing server availability. DFS cannot be considered as Server availability rather a Data availability Service. EFS is a security for data and not a availability service.

Unanswered Q.10) Page file related inconsistencies are caused by which of the following components on the

Server?     A. Hard Disk Drive (HDD)   B. Hard Disk Controller (HDC)   C. Random Access Memory (RAM) (correct answer)   D. CPU

 

Explanation Page file related consistencies occur whenever the RAM on the server is insufficient to handle the load of application being used on that server. This can be overcome by upgrading the Ram to the required amount of memory in terms of MB or GB.

Unanswered Q.11) You are the administrator for MetroTech World. Your Windows Server 2003 network is

designed as follows: � Site 1, Site 2, Site 3 and Site 4 are very large in size. � Site 1 and Site 3 also have one stub network each communicating with them respectively. � There 12 DCs in the mentioned large sites. � The stub networks do not have DCs and depend upon their parent site for authentication and other ADS related activities. � The size of the stub network is very small and is negligible in terms of traffic. � The IP assignment for these stub networks also is taken care of by the DHCP server in the main site. � The stub networks each are connected to one DHCP relay agent respectively. You are now adding one more site to the network that is equally large as the other 4 large sites. This site has 15 DCs, 2 DHCP servers and DHCP relay agents that connect the clients to the Site 3 for IP assignment to provide load balancing and fault tolerance to the DHCP servers in the new site. You notice that over time quite a few clients are receiving IP duplication error message in the new site as well as the Site 3. What could the problem be?

 

  A. The site 3 and new site have duplicated IP address range for assigning to clients (correct answer)

  B. The DHCP relay agent is not correctly configured   C. The DHCP server in the new site is no longer functioning   D. The DHCP server in Site 3 is no longer functioning   Explanation

The Site 3 and the new site have either duplicate IP address range or a portion of the contiguous range is overlapping between the two networks which could be causing the �duplicate IP address� error message to be generated on the two sites.

Unanswered Q.12) You have recently configured fault tolerance between the DHCP servers on the 2 child

domains of your network. Over the time you notice that too many renewals and relinquished addresses have created an inconsistency on the DHCP database at both ends. What should you do?

    A. Just restart the DHCP server, it will take care of the needful   B. Right click on the database file and choose the refresh option   C. Backup the database, compact the database and then restore it (correct answer)   D. Compact the live database

 

Explanation Since transactions will be carried out every second of the uptime of the DHCP server, it is not advisable to compact a live database. It is always preferable to back up the database, compact the backed up version of the database and restore it. Restarting the server or refreshing the database in the mentioned fashion will not achieve any desired results.

Unanswered Q.13) Your network is suffering a bottle neck due to extensive replication by the DNS servers.

You have enabled debug logging for the said DNS servers as you would like to capture information that will help you analyze the problem in detail. Which of the files will contain the captured data?

    A. Application log of the Event viewer.   B. Debug.log file.   C. Dns.log file. (correct answer)   D. None of the above

 Explanation The data required for the said analysis must be captured and stored under the name dns.log as per recommendation.

Unanswered Q.14) You are the administrator for MetroTech World. Your Windows Server 2003 network

presently spans over 4 sites. Your company has taken over a competitor firm that has a single site. You are now required to accommodate this new site within your network. As per company policies, this site will not be an integral part of the IP network range for another two months. But the users from your network will need to access resources on the new site right away; the reverse direction of resource access must be prohibited. You are required to instruct the administrator of the new site on how he will be assisting you in the said plan and implementation process. You request the administrator of that site to bring up a DHCP server that will be linked to your network but will have a separate IP address range from your network and also connect the network to the router which will communicate with your network. The resources will be assigned relevant access permissions on your end of the network by you and also the relevant access lists will be put into place in the router. The administrator of the new site carries out all the tasks assigned to him by you and brings up the DHCP server on the live network. The clients of

that network are not able to receive an IP address from that DHCP server. What needs to be done?

    A. The administrator has to just restart the DHCP server one more time.   B. The administrator has to authorize the new DHCP server   C. You must authorize the new DHCP server (correct answer)   D. You must assign a new range of IP address

 

Explanation Authorizing a DHCP server is usually done at the root level. Since you are the administrator for the existing network, you will have to authorize the DHCP server. The administrator of the new site will not have the required authority over the network to authorize the DHCP server.

Unanswered Q.15) Your company has acquired a manufacturing unit a few miles from their administrative

office. You are required to configure a DC in this location. This DC will be a part of the company network�s ADS and will replicate with the DCs in the main office using dedicated T1 lines. You will be administering this network remotely as it contains some resource servers that need to be accessed by users in the main network as well. Which of the following need to be enabled on these servers to enable you to administer them remotely? Choose the services that are most apt in the said situation.

    A. RAS/VPN service   B. Remote Registry Service (missed)   C. Server Service (missed)   D. RPC service

 

Explanation For any server to be administered remotely, you require the registry to be accessible. For this reason you need to enable the remote registry service as well as the Server service which is a pre-requisite for this scenario.

Unanswered Q.16) Which of the following is an ideal location for the RAS server to reside? Choose two

relevant options.     A. Edge of the internal network (missed)   B. Perimeter network (missed)   C. Internal network   D. Demilitarized zone

 

Explanation Depending on the level of security desired by the network, you may place the RAS server on the edge of the internal network or use perimeter filtering for the internal network and place the RAS server on the perimeter network. Perimeter networks are used as a barrier in between the internal network and the public network. A strict filtering process is usually employed on all packets passing through the perimeter network.

Wrong Q.17) You have introduced a new subnet to the network. This subnet is a part of the perimeter

network. The router to be connected to this network will be a multi-homed Windows

Server 2003 based router that has one internal and one external interface to the subnet. You are required to configure this router to have logical path connection with 12 other subnets within the network. This network has a no hierarchy of subnets and is a linear network. Which of the following would be an ideal solution for this requirement?

    A. RIPv1 (correct answer)   B. RIPv2 (your answer)   C. OSPF   D. EIGRP

 

Explanation Considering that the scenario describes a network that needs the routing network of maximum 12 hop counts and is a linear network, it is sufficient to use RIPv1 as the routing protocol. RIPv2 and OSPF are a little too sophisticated and inappropriate for the given scenario. EIGRP is not supported by Windows Server 2003 network

Correct Q.18) When assigning IP address to the router interface, you can assign either a static or a

dynamic IP address, so long as the subnet mask matches with the network to which the interface is physically connected. T/F?

    A. True   B. False (your answer)

 

Explanation When assigning IP address to the router interface, you must ensure that the IP address is a unique and static IP address and that the subnet mask matches with the subnet mask of the subnet to which the interface is connected. If any one of these requirements is unfulfilled, the hosts in that subnet will not be able communicate with the router interface or treat it as their default gateway.

Wrong Q.19) OSPF is a routing protocol that has limitations of hop counts and cannot be used on

scalable routing networks. T/F?     A. True (your answer)   B. False (correct answer)

 Explanation OSPF (Open Shortest Path First) is a routing protocol that is scalable and does not use hop counts as one of its metrics.

Wrong Q.20) Which of the following can be used for the RADIUS server in case of a Windows Server

2003 network?     A. IAS Server (correct answer)   B. IIS Server   C. RRAS Server (your answer)   D. RAS/VPN Server   Explanation

IAS (Internet Authentication Service) Server can be used as a RADIUS server in a

Windows Server 2003 network as the IAS uses RADIUS technology and is capable of being a RADIUS Server.

Wrong Q.21) Which of the following is minimum requirement to configure clustering as per

Microsoft recommendations?     A. At least 2 servers (missed)   B. At least 1 PCI network interface card per server   C. At least 2 PCI network interface card per server (your answer)   D. Local storage (missed)   E. Network storage

 

Explanation As per Microsoft�s recommendation, the following will be the minimum requirement for setting up server clustering:1. At least two servers2. At least 2 PCI NICs per server - one should be dedicated for cluster communication3. Local Storage.

Unanswered Q.22) Which of the following defines the term heartbeat? Choose the best answer.     A. Communication between DCs   B. Communication between cluster nodes (correct answer)   C. Time taken to bring up a crashed cluster service   D. Time taken to re-configure a quorum that has failed

 Explanation Since the information exchanged between the cluster nodes is very critical and is time bound, it is referred to as heartbeat.

Unanswered Q.23) You have implemented server clustering to share a database that is being accessed

across a WAN link over the Administration office as well as a Warehouse of the client�s company. The servers had fault tolerant network adapters that claimed to be of great use on the cluster service and hence you let them be, when you configured the cluster service between servers in the two locations. During one of the communication glitches, the server cluster service failed and refused to recover automatically, which it was supposed to as per configurations. What could the problem be? Choose all that apply.

 

  A. The NICs should have been PCI cards rather than the existing fault tolerant ones. (missed)

  B. Fault tolerant NICs can hamper the process of recovery during failures (missed)

  C. A secondary WAN link must exist for backup of cluster information interchange. (missed)

  D. This scenario did not require a clustering in the first place, just DFS with replica would have sufficed.

  Explanation When establishing cluster service on servers that physically separated over a long

distance using WAN links, it is always advisable to use a secondary connection to allow a backup path for the cluster information interchange between the two servers. The NIC cards used in the cluster servers as per recommendation should be PCI cards minus the fault tolerance capability, as the FT can hamper the recovery process.

Unanswered Q.24) You are the administrator for MetroTech World. Your company�s network is rapidly

expanding. You have implemented DFS in your network. The root domain is Windows 2000 based where as the entire new additional child domains are implementing Windows Server 20003 from the start. Your DFS server resides in the root domain. As a part of expansion the resources are getting shifted and relocated to new domains every now and then. These resources have links created for access in the DFS root. The flexibility in relocating these resources is creating utter confusion in the network. What should you do?

 

  A. Remove the DFS feature from your network until it has completely stabilized and share resources ordinarily as it was done in the pre-Windows 2000 era.

  B. Upgrade your root domain to Windows Server 2003 and the DFS also to Windows Server 2003 based DFS (correct answer)

  C. Ensure the resources that have DFS links created do not get relocated.   D. Make a schedule for mailing users each time a resource gets relocated.

 

Explanation Upgrading the root domain to Windows Server 2003 domain and the DFS also to the Windows Server 2003 based DFS is a good solutions as the DFS in Windows Server 2003 can dynamically select sites when resources keep getting relocated. This helps the DFS environment to be efficient and reliable and keep users to be transparent to these relocations.

Unanswered Q.25) Which of the following statements that relate to DFS are true?     A. It is a platform for distributed resource management (missed)   B. It provides uniform convention for file systems   C. It is a mapping of resources or collection of resources (missed)   D. It is a cheap implementation of server clusters

 

Explanation A DFS can be termed as a platform for resource management. It provides uniform naming convention for accessing of resources and is nothing but a listing or mapping of resources or collection of resources. It does not relate to server clusters in any way.

Unanswered Q.26) Which of the following statements are true?     A. TCP is the most secure protocol when concerned about network based attacks.   B. UDP is the most secure protocol when concerned about network based attacks.

  C. When securing a network against network based attacks you need to employ specialized applications that are built for that purpose. (missed)

  D. Neither TCP nor UDP can help against network based attacks. (missed)   Explanation

Neither TCP nor UDP can help against network based attacks. When considering security

for networks against network based attacks, you need to employ applications that are specifically built for that purpose. For ex: If you need protection for email, then that security will have to be built into the application through the SSL (Secure Socket Layer).

Unanswered Q.27) Which of the following user groups is meant for certificate authorization?     A. The CA group   B. Domain Admin group   C. Certificate Publisher   D. Certificate Manager (correct answer)

 Explanation The user who is responsible for authorizing certificates must be a part of the Certificate Manager group.

Unanswered Q.28) Which of the following protections is not possible by IPSec?     A. Data Integrity   B. Data Confidentiality (correct answer)   C. Data origin authentication   D. Anti-replay of data between trusted sources   E. Anti-replay of data between non-trusted sources.

 

Explanation Data can be secured only if the two ends are trusted by IPSec and not otherwise. Hence IPSec is capable of Data integrity, confidentiality, data authentication and anti-replay of data between trusted sources.

Unanswered Q.29) Your company is expanding its Windows Server 2003 network by bringing up sites that

hosts about 12 domains across the globe. It is required that you configure secure communication between the sites, since the communication across the network will be crossing the public domain across several geographical locations. The internal network resources must be totally secured against attacks that may be cause doe to remote logins. You are also to consider security for traveling users who will be logging to the network from remote locations using their laptop. The platform from where these remote users will be logging in is unknown. Ensure that you do not compromise on the efficiency of the network to a great extent due to the proposed security plan. What should you do? Choose all that apply.

 

  A. Configure ISDN connection between sites and implement RAS/VPN for remote users.

  B. Implement site-to-site VPN using L2TP/IPSec (missed)   C. Implement RADIUS using IAS server (missed)   D. Implement VPN for dial-in users as well (missed)   E. Secure the network by using end-to-end security of IPSec between all hosts.   Explanation

IPSec can be used in this scenario, for the following:� Site-o-Site VPN using L2TP/IPSec

� VPN for dial-in users with relevant IPSec policies in place.

To secure the internal network, it is better to add an additional tier to the network by using IAS service for authenticating remote clients.

Security for the said network by securing end-to-end communication for all hosts will not only compromise the efficiency of the network to a great extent, it is also not required by the scenario.

Unanswered Q.30) You have been asked to design a security system where in the access to the intranet web

servers will be granted only to users who login from a specific domain. The users who will be logging in are not IT-savvy and hence will not be able to go through any specific complex process to be granted permission to access the Web servers. What should you do? Choose all that apply. You create a certificate template called �User login� and then you create a GPO that applies to all authenticating users. The GPO states that the users must be enrolled. There exists an Enterprise CA on one of the Windows Server 2003 servers in the network. The users login and fail to access the web sites after login. What should you do? Each solution forms a part of the total solution. Choose all that apply.

 

  A. Create a Nat such that all authenticated users automatically get mapped to the Web servers.

  B. Deploy a certificate for all domain members to allow access to the Web server. (missed)

  C. Ensure the �auto-enroll� permission is assigned to the certificate. (missed)   D. Configure a domain that will have automated policies to map users to web servers.

 

Explanation It is neither possible to create a NAT mapping nor a domain configuration as stated in choices A and D. All you need to do here is to deploy a certificate to the domain members that allows access to the Web servers and ensure that certificate will be assigned the �auto-enroll� permission for the user.

Unanswered Q.31) You have just created a perimeter network to strengthen the security to your network.

The perimeter network will contain all the Web servers and the internal network will contain all the database servers. It is mandatory that there should be no communication between the internal network and the perimeter network. You have applied IPSec policies on both the networks to block traffic from the other. It is now required that an application hosted on the Web server needs to query the database server for its computing transactions and the Database Server need to communicate with the Web server to convey its response for queries. Which should you do? Choose all that apply.

 

  A. You will have to create an exception for the created IPSec policy in the internal network and allow the database server to accept queries from the Web server (missed)

  B. You will have to create an exception for the IPSec policy created and allow the Web server to receive response from the database server (missed)

  C. Do away with the existing IPSec policies and recreate the relevant one keeping in

mind the new requirements.   D. Move the database servers to the same network as the Web servers   E. Move the Web servers to the same network as the database servers.

 

Explanation On both the networks you will need to create an exception one way between the Database server and the Web Server respectively. This will ensure a possible two-way communication between the Web server and the database server. Recreating policies all over again is uncalled for. Moving either server to the other network can result in security issues.

Unanswered Q.32) Which of the following permissions are required by users who wish to auto enroll as well

as renew their certificates? Choose all that apply.     A. Read (missed)   B. Enroll (missed)   C. Auto-enroll (missed)   D. Modify

 Explanation To be able to auto enroll as well as renew the certificates nearing expiry, the user will need read, enroll and auto enroll permissions.

Unanswered Q.33) You have just enabled packet filtering and port filtering on your perimeter network. You

leave port no. 80 open for secure Web server communications. You notice that the Web server is still inaccessible to the outside users. What could the problem be?

 

  A. You must not enable port filtering for a network when the Web server is apart of that network.

  B. You must unblock port 443 as well. (correct answer)   C. You must block port 80 and unblock port 443.   D. You must block 443 when unblocking port 80.

 Explanation Since the Web server is a secure one, you must unblock port 443 as well since that accepts communication on the SSL.

Unanswered Q.34) Which of the following will secure an end-to-end communication for a Windows- based

VPN client? Choose the best     A. Point-To-Point Tunneling Protocol (PPTP)   B. Layer 2 Tunneling Protocol (L2TP)   C. L2TP with IPSec (L2TP/IPSEC) (correct answer)   D. IPSec   Explanation

Choice C is the correct answer.

Windows-based VPN clients should use �Layer 2 Tunneling Protocol (L2TP)� with �IPSec (L2TP/IPSec)� to make IPSec-secured, end-to-end connections through VPN

tunnels.

Choices A and B are incorrect because they are not as best suited as choice C.

Choice D is incorrect because IPSec is not a tunneling protocol. Unanswered Q.35) Which of the following statements is true? Choose the best statement.  

  A. If the Internet Key Exchange (IKE) protocol is targeted by a denial-of-service attack, it responds by disabling itself until the denial-of-service attack lessens or stops.

  B.

If the Internet Key Exchange (IKE) protocol is targeted by a denial-of-service attack, it responds by attempting to preserve existing IPSec security associations (SAs), but dropping requests for new SAs until the denial-of-service attack lessens or stops. (correct answer)

  C. If the Internet Key Exchange (IKE) protocol is targeted by a denial-of-service attack, it responds by attempting to permit requests for new SAs until the denial-of-service attack lessens or stops.

  D. If the Internet Key Exchange (IKE) protocol is targeted by a denial-of-service attack, it responds by attempting to preserve existing IPSec security associations (SAs) until the denial-of-service attack lessens or stops.

 

Explanation Choice B is the correct answer.

If the Internet Key Exchange (IKE) protocol is targeted by a denial-of-service attack, it responds by attempting to preserve existing IPSec security associations (SAs), but dropping requests for new SAs until the denial-of-service attack lessens or stops.

IKE cannot disable itself until the denial-of-service attack lessens or stops, and �permit requests for new SAs until the denial-of-service attack lessens or stops� does not mean anything without it being able to �preserve existing IPSec security associations (SAs) until the denial-of-service attack lessens or stops�, both these steps should go hand-in-hand, for the security to be complete.

Hence, choices A, C, and D are incorrect. Unanswered Q.36) You are the administrator for Global Airways. You are trying to protect your network

against internal as well as external attacks. You implement the Server (Require Security) level of security to guard against external attacks. How would you deal with the internal attack? Choose the best option from among the following.

    A. By using Kerberos authentication

  B. By setting up workgroups based on projects. Localize the resource servers to the workgroups and deny access to users outside of the project.

  C. By using host-based permit and block IP packets. (correct answer)   D. By using host-based block IP packets.

 

Explanation Choice C is the correct answer.

Choice C is correct because IPSec can be used for internal security by combining host-based permit and block packet filters with the ability to enforce trusted access for network connections.

Through host-based IPSec packet filtering, you can permit or block specific types of unicast IP traffic based on source and destination address combinations, specific protocols, and specific ports.

Through the enforcement of trusted access, you can ensure that only trusted computers that have specific IP addresses or those that are within specific IP address ranges can access an internal corporate network server.

In addition, you can use IPSec to audit which computers are connecting to the server and when.

Choice A is incorrect because Kerberos is not a considered option in this scenario.

Choice B is incorrect because the question statement does not specify a project-based security as a requirement at all.

Unanswered Q.37) Which of the following are the basic infrastructure requirements for Auto enrollment to

work? Choose all that apply.     A. Windows Server 2003 Schema (missed)   B. Windows 2000 or Windows Server 2003 Schema   C. Group policies or scripts   D. Group policy updates (missed)

 

Explanation Choices A and D are the correct answers.

The basic infrastructure requirements for Auto enrollment to work are

-- Windows Server 2003 Schema-- Group policy updates

Choices B and C are incorrect because group policies and scripts are only used for implementation of security and do not conform to the requirement of the same. The Schema for Auto enrollment will have to be that of the Windows Server 2003.

Unanswered Q.38) You are the administrator for WorldCom receivers. Their network has the existing Public

Key Infrastructure (PKI) and Group Policy infrastructure in place. The computers are grouped in different Organization Units (OU), as per their roles in the network: desktops, domain controllers, etc. Policies are deployed on to the OUs by creating Group Policy

Objects (GPOs) and linking them to the relevant OU. You have currently made some security policy changes; some of these changes apply to desktops, some to servers and some to domain controllers. In order to test these policies before deployment, you install a few XP machines, Windows Server 2003 Enterprise edition machines, and some Windows Server 2003 standard edition machines. Using the GPMC, you have duplicated the OUs for testing. While testing you want to achieve the following goals. -- Ensure that you do not disturb the production computers. -- Reduce administrative efforts. -- Minimize multiple links to GPOs. -- Decide where to place the test computers. What should you do? Choose all that apply.

    A. Create an OU named Policy test under the root. (missed)   B. Create a child OU, one each under Policy test named desktop and servers, respectively.

  C. Create a child OU, one each under Policy test named domain controllers and servers, respectively.

  D. Create a child OU, one each under Policy test named desktop, domain controllers and servers, respectively. (missed)

 

Explanation Choices A and D are the correct answers.

Choices A and D are correct because creating an OU named �Policy test� and creating a child container, one each for desktop, server, and domain controller, will reduce administrative efforts, number of multiple links, and solve the issue of placing servers for testing too.

Choices B and C are incorrect because as opposed to choices A and B, they do not help to minimize links, which is a criteria in the objectives.

Unanswered Q.39) You want to keep track of all errors of your Certificate Service in the Windows Server

2003 network. You are not happy about the kind of errors being logged in the Event viewer currently, as it does not furnish the details required by you. What must you do? Choose all that apply.

    A. Check the Event viewer now for detailed error logs. (missed)   B. Run the Network Monitor to capture packets.   C. Run the certutil �setreg command. (missed)   D. Use the certutil command with �certlog-warning� level.   E. Use the certutil command with �certlog-verbose� level. (missed)   Explanation

Choices A, C, and E are the correct answers.

Choices A, C, and E are correct because what is required is to run the �certutil �setreg� command with the �certlog-verbose� level. This will log errors into the �Event viewer� in much more detail.

Choice B is incorrect because the �network monitor� cannot help in this situation.

Choice D is incorrect because the �certlog �warning� mode is the default level that was decided as insufficient, as described in the question statement.

Wrong Q.40) If you were asked to implement a security template on a group of workstations that need

some common configuration, which of the following would you choose?     A. Hisecws.inf (correct answer)   B. Hisecserver.inf   C. Client (Respond only)   D. Server (Request Security) (your answer)

 

Explanation Choice A is the correct answer.

Choices C and D are incorrect because, �Client (Respond only)� and Server (Request Security) are IPSec policies used by client computers to respond to the security demanded by servers. They are not security templates.

Choice A is correct because �Hisecws.inf� is the template that will be used for deploying on a group of client/workstation computers to maintain security configuration, common to that group.

Wrong Q.41) You are the administrator for �Contoso Ltd�. Contoso Ltd has a root domain name

contoso.com and two child domains, ad1.contoso.com and ad2.contoso.com. The forest contains Windows Server 2003 servers and Windows XP clients. You are now implementing an enterprise CA on one of the resource servers of ad1.cSontoso.com. You configure the user certificate template and enable the Publish certificate in Active Directory setting, in the certificate template. You instruct users from both the child domains to enroll for certificates. The certificates for user accounts in ad1.contoso.com are being successfully published in Active Directory, whereas the certificates for users in the ad2.contoso.com are not. What could have gone wrong? Choose all that apply.

 

  A. The resource server in ad1.Contoso.com is not configured properly as Enterprise CA.

  B. There could be a WAN link problem prohibiting the changes from ad1.contoso.com to flow down to ad2.contoso.com.

  C. The resource server configured as Enterprise CA in ad1.cotoso.com does not have the required permissions in ad2.contoso.com. (your answer)

  D. Add the resource server of ad1.contoso.com that is configured as Enterprise CA to Cert Publishers group in the ad2.contoso.com. (missed)

  E. There is no trust between the ad1.contoso.com and the ad2.contoso.com.   Explanation

Choices C and D are the correct answers.

Adding the enterprise CA to the Cert Publishers group in ad2.contoso.com is essential for the certificates of users in ad2.contoso.com to be published in the Active Directory.

Choice A is incorrect because if there is a problem with configuration, none of the user certificates would get published, whereas the certificates of users in ad1.contoso.com are being published in the Active Directory.

Choice B is incorrect because there is no mention of problems relating to WAN links in the question statement.

Choice E is incorrect because trust between the two domains cannot be an issue, as a 2-way implicit trust will exist between the child domains and their parents, which is transitive in nature.

Unanswered Q.42) Which of the following permissions are required to request for a certificate renewal?

Choose all that apply.     A. Read (missed)   B. Enroll (missed)   C. Auto-Enroll   D. Renew

 

Explanation Choices A and B are the correct answers.

Choices A and B are correct because the permissions required for certificate renewal request are �read� and �enroll�.

�Auto enroll� will be required along with read and enroll for automatic enrollment of certificates.

Choice D is incorrect because there is no such permission as �renew�. Unanswered Q.43) During a CA migration. The CSP is insignificant. T/F?     A. True   B. False (correct answer)

 Explanation During a CA migration it is important to maintain the same CSP as the old one.

Wrong Q.44) You are migrating from a Standalone CA to an Enterprise CA. You have a backup folder

�C:\CA Backup� where you used to backup all the critical CA related information. As a first step towards migration, you begin with backing up the data. Which of the following needs to be backed up?

    A. Private keys (missed)   B. Database log (your answer)   C. The version of existing service   D. The database itself (missed)   Explanation

The private keys will ensure communication with old clients will be smooth even after upgrade. The database log may help in tracking previous transactions. The database itself will contain all the pending and successful queries

Q.1) MCSE Which of the following authentication protocols do you use with smart cards?     A. MS-CHAP v2   B. EAP-TLS (correct answer)   C. PEAP   D. PAP Unanswered   Q.2) Which of the following statements are true about the broadcast transmission method of

NetBIOS name resolution? (Choose all correct answers.) 

  A. The broadcast method generates more network traffic than the WINS method. (missed)

  B. Broadcasts can only resolve the names of computers on local networks. (missed)   C. To use the broadcast method, a computer must have an Lmhosts file.   D. The broadcast method is faster than WINS. Unanswered   Q.3) Which of the following TCP/IP tools is best suited to troubleshooting a situation in

which a router is dropping packets?    A. Ping.exe   B. Tracert.exe   C. Pathping.exe (correct answer)   D. Route.exe Unanswered   Q.4) Which of the following WAN technologies would be practical to use to create a mesh

remote networking topology? (Choose all answers that apply.)    A. ISDN (missed)   B. Dial-up modems   C. T-1   D. Frame relay (missed)   E. VPNs (missed) Unanswered   Q.5)    Replacing the hubs and routers on an internetwork with switches creates a network that

has which of the following? 

  A. One broadcast domain and one collision domain   B. One broadcast domain and multiple collision domains (correct answer)   C. One collision domain and multiple broadcast domains   D. Several collision domains and several broadcast domains Unanswered   Q.6) How many registered IP addresses does a dynamic NAT router require?    A. None   B. One   C. One for every unregistered IP address   D. One for each simultaneous connection (correct answer) Unanswered   Q.7) The DNS Update standard was developed as a response to the widespread use of

which of the following?    A. Active Directory   B. DHCP (correct answer)   C. Zone transfers   D. Protocol analyzers Unanswered   Q.8) When configuring RIP on Router01, which interfaces should you install?     A. None   B. LAN Connection only   C. WAN Connection only   D. Both LAN Connection and WAN Connection (correct answer) Unanswered   Q.9) When a TCP/IP computer can communicate with the local network but not with

computers on other networks, which of the following configuration parameters is probably incorrect?

    A. IP address   B. Subnet mask   C. Default gateway (correct answer)   D. Preferred DNS server Unanswered   Q.10) Which of the following forms of protection does Active Directory provide when you

create Active Directory-integrated zones instead of file-based zones? (Choose all correct answers.)

    A. Cache pollution prevention

  B. Encrypted zone replication (missed)   C. Authenticated zone replication (missed)   D. Secure dynamic updates Unanswered   Q.11) Why must a DHCP client use broadcast transmissions to request an IP address from a

DHCP server?     A. Because the DHCP server can only receive broadcasts   B. Because the DHCP client does not yet have an IP address (correct answer)

  C. Because the DHCP server can service requests only from computers on the same LAN

  D. Because the DHCP client must inform all the other clients on the network of its intention to request an IP address

Unanswered   Q.12) If a Web server with a registered IP address can access the Internet but client computers

with unregistered addresses cannot, which of the following components might be the source of the problem?

    A. The CSU/DSU   B. The Internet access router   C. he proxy server (correct answer)   D. The WAN connection Unanswered   Q.13) Which of the following is the correct formula for calculating the number of subnets or

hosts you can create with a given number of bits represented by x?    A. x2+2   B. 2x+2   C. 2x–2 (correct answer)   D. x2–2 Unanswered   Q.14) What is the correct subnet mask to use on a Class B network with a 10-bit subnet

identifier?    A. 255.192.255.255   B. 255.255.255.192 (correct answer)   C. 255.255.192.0   D. 255.192.0.0 Unanswered   Q.15) What is the maximum length of a single DNS domain name? 

  A. 255 characters   B. 15 characters   C. 16 characters   D. 63 characters (correct answer) Wrong   Q.16) When you are running the Routing And Remote Access Server Setup Wizard on Router2,

which option should you select in the Configuration page?     A. Network Address Translation (NAT) (correct answer)   B. Remote Access (Dial-Up Or VPN)   C. Secure Connection Between Two Private Networks   D. Virtual Private Network (VPN) Access And NAT (your answer) Unanswered   Q.17) Which of the following components must you have for your network to run its own

Internet e-mail server? (Choose all answers that are correct.)    A. A DNS server to host the domain (missed)   B. A registered IP address (missed)   C. A Web-based administration interface   D. A registered domain name (missed) Unanswered   Q.18)    Which of the following statements about NAT routers and proxy servers are true? Choose

all answers that are correct.    A. NAT routers and proxy servers must have two IP addresses.

  B. A NAT router can provide Internet access to any client application on the private network. (missed)

  C. Proxy servers can cache information they receive from Internet servers. (missed)   D. The Windows Server 2003 operating system includes a proxy server. Unanswered   Q.19) In what domain would you find the PTR resource record for a computer with the IP

address 10.11.86.4?    A. 10.11.86.4.in-addr.arpa   B. in-addr.arpa.4.86.11.10   C. 4.86.11.10.in-addr.arpa (correct answer)   D. in-addr.arpa.10.11.86.4 Unanswered   Q.20)   Which of the following network/transport layer protocols can you use for Windows file

sharing when installed alone? 

  A. TCP/IP only   B. TCP/IP and NetBEUI only   C. TCP/IP and IPX only   D. TCP/IP, IPX, and NetBEUI (correct answer) Unanswered   Q.21)    Assuming that all three networks are connected to a single backbone, on which network

would it make the most sense to connect the server hosting the company’s customer database? Explain your answer.

    A. The first floor network   B. The second floor network   C. The third floor network   D. The backbone network (correct answer) Unanswered   Q.22) When a client can successfully ping a DNS server, but fails to receive any response to a

name resolution query from that server, which of the following might be the cause of the problem?

    A. The server is not the authority for the requested name.   B. The server’s cache is polluted.   C. The DNS Server service is not started. (correct answer)   D. The server has an incorrect IP address. Unanswered   Q.23) Which of the following is not a component of a remote access policy?     A. Authentication protocol (correct answer)   B. Conditions   C. Remote access profile   D. Remote access permission Unanswered   Q.24) Which of the following is not a reason for a DNS server to supply an incorrect IP

address for a name for which it is authoritative?

     A. An incorrect IP address in the root hints list. (correct answer)   B. A zone transfer failed to occur.   C. A dynamic update failed to occur.   D. A typographic error in a resource record. Unanswered   Q.25)

Unanswered   Q.26) In the company’s Active Directory deployment plan, each of the other Litware Inc.

offices is to be responsible for maintaining its own DNS records, once they deploy their own Active Directory domain controllers. Which of the following DNS namespace designs would best facilitate this intention?

 

  A.

Create a separate third-level domain beneath litware.com for each of the Litware Inc. offices. Create a separate file-based primary zone for each thirdlevel domain at the home office, and a file-based secondary zone at each branch office for that office’s domain only. Then give the administrators at each office permission to modify the zone on their local domain controller.

  B.

Use the litware.com domain for the entire enterprise. Create a file-based primary zone containing that domain at the home office and a file-based secondary zone at each of the branch offices. Then give the administrators at each office the permissions needed to modify their local zone.

  C.

Create a separate third-level domain beneath litware.com for each of the Litware Inc. offices. Create a separate Active Directory-integrated primary zone at each office for that office’s domain only, and replicate it on the domain controllers at the other offices. Then give the administrators at each office permission to modify the zone for their domain only on their local domain controller. (correct answer)

  D.

Use the litware.com domain for the entire enterprise. Create an Active Directory integrated primary zone containing that domain at the home office and replicate it to the Active Directory domain controllers at each of the branch offices. Then give the administrators at each office permission to modify the zone on their local domain controller.

Unanswered   Q.27) Unanswered   Q.28) The DNS namespace for a company consists of one second-level domain, which has three

child subdomains. Each of the three child subdomains also has three subdomains, at the fourth level. What is the maximum number of domains that you can include in a zone that does not contain the second-level domain?

    A. 1   B. 3   C. 4 (correct answer)   D. 12 Unanswered   Q.29) Which Lmhosts extension enables you to access an Lmhosts file on a shared network

drive?    A. #DOM

  B. #INCLUDE (correct answer)   C. #PRE   D. \0nn Unanswered   Q.30) Which of the following Internet connection types enables you to save money when the

network is not using any Internet bandwidth?

    A. ISDN (missed)   B. DSL   C. Fractional T-1   D. Frame relay (missed) Unanswered   Q.31) In the IP address assignment 10.54.113.0/24, what does the number 24 represent?    A. The number of bits in the subnet identifier   B. The number of bits in the host identifier   C. The number of bits in the combined subnet and host identifiers   D. The number of bits in the combined network and subnet identifiers (correct answer) Unanswered   Q.32)    Which of the following best describes the function of a subnet mask?    A. A subnet mask indicates whether an IP address is registered or unregistered.

  B. A subnet mask specifies the sizes of the network and host identifiers in an IP address. (correct answer)

  C. A subnet mask is a value assigned by the IANA to uniquely identify a specific network on the Internet.

  D. A subnet mask enables an IP address to be visible from the Internet. Unanswered   Q.33) Which of the following statements about a network’s infrastructure is true?    A. A network infrastructure includes hardware products only.   B. A network infrastructure includes software products only.

  C. A network infrastructure includes both hardware and software products. (correct answer)

  D. A network infrastructure is a design that does not include specific hardware or software products.

Unanswered   Q.34)  

  A. NetWare Core Protocol (NCP)   B. Transmission Control Protocol (TCP) (missed)   C. Sequenced Packet Exchange (SPX) (missed)   D. User Datagram Protocol (UDP) Unanswered   Q.35) Which of the following DNS zone types cannot be stored in the Active Directory

database?    A. Primary   B. Secondary (correct answer)   C. Stub   D. None of the above Unanswered   Q.36) Which of the following domain naming solutions is most suitable for the company

network?

  

  A. Use the litware.com domain for the company’s Internet servers and for the enterprise network’s internal Active Directory domain.

  B. Use the litware.com domain for the company’s Internet servers and create an internal.litware.com domain for the enterprise network’s Active Directory servers. (correct answer)

  C. Create an external.litware.com domain for the company’s Internet servers and an internal.litware.com domain for the enterprise network’s Active Directory servers.

  D. Use the litware.com domain for the company’s Internet servers and register a new domain called litware-int.com for the enterprise network’s Active Directory servers.

Unanswered   Q.37) Which of the following zoning solutions provides the most security for the internal

network and Web servers?  

  A. Connect one of the Active Directory domain controllers to the same network as the Web servers and create an Active Directory-integrated primary zone for the litware.com domain.

  B. Connect one of the Active Directory domain controllers to the same network as the Web servers and create an Active Directory-integrated primary zone for the litware.com domain.

  C. Install the DNS Server service on one of the Web servers and create a filebased primary zone for the litware.com domain.

  D. Connect a new computer running Windows Server 2003 to the same network as the Web servers, install the DNS Server service, and create a file-based primary zone for the litware.com domain. (correct answer)

Unanswered

  Q.38) To support IP multicasting, which of the following components must be installed on a

Windows Server 2003 router? (Choose all correct answers.)     A. The Protocol Independent Multicast (PIM) protocol   B. A network interface adapter that supports multicast promiscuous mode (missed)   C. The Routing And Remote Access MMC snap-in (missed)   D. Internet Group Management Protocol (missed) Unanswered   Q.39) Which of the following is the best reason to create sub domains in a DNS namespace?     A. To speed up the name resolution process   B. To delegate administrative authority over parts of the namespace (correct answer)   C. To create identical host names in different domains   D. To duplicate an existing Internet namespace Unanswered   Q.40) Port filtering can provide which of the following Internet access control capabilities?

     A. Limit the applications users can run   B. Prevent specific users from accessing the Internet   C. Limit the applications that can access the Internet (correct answer)   D. Prevent specific computers from accessing the Internet Unanswered   Q.41) Which of the following domain naming examples, for an organization with the

registered domain adatum.com, conforms to the practices recommended by Microsoft?

 

  A. An external domain called ext-adatum.com and an internal domain called int-adatum.com

  B. An external domain called ext.adatum.com and an internal domain called adatum.com

  C. An external domain called ext.adatum.com and an internal domain called int.adatum.com

  D. An external domain called adatum.com and an internal domain called int.adatum.com (correct answer)

Unanswered   Q.42) Which of the following WAN technologies are asymmetrical? (Choose all answers that

are correct.)    A. CATV (missed)

  B. ISDN   C. ADSL (missed)   D. T-1 Unanswered   Q.43) Storing DNS resource records in the Active Directory database eliminates the need for

which of the following? (Choose all correct answers.)     A. Stub zones   B. Secondary zones (missed)   C. Zone transfers (missed)   D. Primary zones Unanswered   Q.44) In which of the following WAN topologies can a single cable break totally disconnect one

site from the other sites?     A. Mesh   B. Ring   C. Star (correct answer)   D. None of the above Unanswered   Q.45) Which of the following IP address classes can you not use when selecting a network

address for your unregistered LANs? Choose all that apply.    A. Class A   B. Class B   C. Class C (missed)   D. Class D (missed) Unanswered   Q.46) Which of the following servers does not require a computer with a registered IP

address?    A. Internet Web servers   B. Internet e-mail servers   C. DNS servers used for Internet domain hosting   D. DNS servers used for Internet name resolution (correct answer) Unanswered   Q.47) When you replace the routers on an internetwork with switches that include no VLAN

or layer 3 capabilities, which of the following is a possible reason for poor network performance?

    A. Excessive collisions

  B. Excessive broadcast traffic (correct answer)   C. Excessive number of workstations on the LAN   D. Excessive number of collision domains Unanswered   Q.48) A DNS server that can resolve names for which it is the authority, but not other names,

is experiencing a failure in which of the following processes?    A. Zone transfer   B. Dynamic update   C. Authentication   D. Recursion (correct answer) Unanswered   Q.49) Which of the following Windows Server 2003 TCP/IP configuration parameters

specifies the address of a router?    A. Preferred DNS server   B. Subnet mask   C. Default gateway (correct answer)   D. IP address Unanswered   Q.50) A user is unable to access an Internet Web site but can access file system shares on the

same LAN. Which of the following might be the problem? (Choose all answers that are correct.)

     A. The user’s computer has an incorrect IP address.   B. The user’s computer has an incorrect default gateway address. (missed)   C. The user’s hub is malfunctioning.   D. The router connecting the LAN to the ISP is malfunctioning. (missed)

Unanswered Q.1) Which of the following are responsible for replication within the ADS?     A. Domains   B. Sites   C. Domain Controllers (correct answer)   D. Organization Units   Explanation

Each of the information to be replicated is systematically partitioned within the ADS. The domain partition resides in the physical domain controller and hence the the DC is

responsible for replicating domain information in the ADS. Unanswered Q.2) Which of the following can be used to create an Organizational Unit?     A. Dsmod   B. Dsquery   C. Dsadd (correct answer)   D. Dsmov

 Explanation Dsadd is the utility that is used to add organizational units to ADS.

Unanswered Q.3) Which of the following will be used by the DNS server for replication?     A. Domain Partition   B. Application Partition (correct answer)   C. Schema Partition   D. Configuration Partition

 Explanation The DNS server when configured to be integrated with the ADS, will write the information that it needs to be replicated into the Application partition of the ADS.

Unanswered Q.4) Single master replication means there will be only one DC for the entire domain. T/F?     A. True   B. False (correct answer)

 Explanation Single master replication will ensure a systematic hierarchy of replication.

Unanswered Q.5) Which of the following will not participate on the forest level of the hierarchy?     A. Infrastructure Master   B. PDC Emulator (correct answer)   C. Schema Master   D. Domain Naming Master

 

Explanation PDC emulator is responsible for changed-password replication and is a per-domain role. This role is often used when a migration from NT to 2000 or 2003 takes place. The rest are capable of interacting on the forest level of the hierarchy.

Unanswered Q.6) Each object created in the ADS is governed by the Domain Partition. T/F?     A. True   B. False (correct answer)

 Explanation Each object created int eh ADS is governed by the Schema

Unanswered

Q.7) Which of the following would help you to achieve a bulky task during migration? Ex: User database migration.

    A. Microsoft Management Console (MMC)   B. Active Directory Users and Computers   C. Dsmov   D. Windows Scripting Host (WSH) that use ADSI (correct answer)

 Explanation WSH allows usage of scripts that can carry out bulky tasks for a large import or export of user information.

Unanswered Q.8) Which of the following would be used to deploy administrative tools on selected user

session only?     A. Active Directory Users and Computers   B. Active Directory Site and Services   C. Group Policy Management Console (GPMC)   D. Adminpak.msi (correct answer)

 Explanation Adminpak.msi is the file that is used to deploy administrative tools on select computers or select user sessions only.

Unanswered Q.9) In ADS environment, User groups are created and linked to specific DCs on which they

get created. T/F?     A. True   B. False (correct answer)

 Explanation User groups are linked to the ADS and not to the DC.

Unanswered Q.10) To deploy an application to a set of computers you need to create it in the form of a batch

file. T/F?     A. True   B. False (correct answer)

 Explanation To deploy applications on the Windows 2003 environment you need to make a MS installer package of it. This file will be recognized by a .msi extension.

Unanswered Q.11) Which of the following needs to be registered for enabling the Schema snap-in?     A. schmmgmnt.dll   B. schema.dll   C. schemamgmnt.dl   D. schmmgmnt.dll. (correct answer)   Explanation

To enable the Schem snap-in you need the schmmgmnt.dll to be registered in that computer.

Unanswered Q.12) The Special Administrative Console (SAC) is used to ensure that administrative tools are

hidden from all users who do not belong to the administrative groups. T/F?     A. True   B. False (correct answer)

 Explanation Special Administrative Console (SAC) utility is needed when we need to manage headless servers in an out-of-band scenario.

Unanswered Q.13) Emergency Management Services (EMS) requires which of the following ports?     A. COM ports (correct answer)   B. Parallel ports   C. USB ports   D. PS/2 ports

 

Explanation COM ports are used to facilitate long distance communication, and hence they are used in EMS where servers need to be controlled remotely and when there is no direct physical access to servers.

Unanswered Q.14) Which of the following would be ideal naming schemes for the internal as well as the

perimeter networks of metrotech.com     A. Ad.metrotech.com for internal network (missed)   B. metrotech.com for perimeter network (missed)   C. metroext.com for perimeter network   D. metroint for internal network

 

Explanation Ad.metrotech.com is ideal for the internal network as it provides the security of hiding the internal name space from the external world and yet retaining the actual company name space. Metrotech.com is ideal for perimeter network as it is directly interfaced with the outside world.

Unanswered Q.15) Which of the following would not be required for the DCs of a 2003 domain that will be

supporting a few 100 users and very limited data resources to be accessed?     A. Windows Server 2003 Standard Edition   B. Windows Server 2003 Enterprise Edition   C. Windows Server 2003 Data Center Edition (correct answer)   D. Window Server 2003 Web Edition

 Explanation A Data center server is not required for the situation where there will be only a few 100 users sharing limited data resources.

Unanswered Q.16) The best way to utilize a DC as a file server is to ensure security by implementing strict

IPSec policies. T/F?     A. True   B. False (correct answer)

 Explanation Ideally DCs must not be used as files servers. Even if used, you must ensure the disk quota must be assigned to all users so that the disk space is not misused.

Unanswered Q.17) Which of the following types of DFS is least fault tolerant?     A. Standalone DFS (correct answer)   B. Root DFS   C. Replica DFS   D. Subordinate DFS

 Explanation Standalone DFS is not a part of Active Directory and hence, cannot provide fault tolerance.

Unanswered Q.18) Which of the following can help user accounts to migrate across domains?     A. Dsmove (correct answer)   B. Dsquery   C. Dsadd   D. Dsmod

 Explanation Dsmove is the CLI tool used to move or migrate user account across domains. Dsmove can only help with a single object at a time.

Unanswered Q.19) Which of the following relates to memory issues on a server?     A. RAM utilization   B. Disk drive utilization   C. CPU utilization   D. Page files (correct answer)

 Explanation The number of page files being used will gradually increase and result in memory related issues if the RAM used in the system is not sufficient.

Unanswered Q.20) Which of the following would indicate hardware failures in the server?     A. System log (correct answer)   B. Application log   C. Security log   D. None of the above

 Explanation System log is used to log all information and notifications generated by hardware related services running on the server.

Unanswered Q.21) 20/80 rule is an ideal formula for DHCP fault tolerance. T/F?     A. True   B. False (correct answer)

 

Explanation To ensure DHCP fault tolerance across domains, you must employ the 80/20 method of splitting the scope or range of IP addresses between the available servers. This will ensure fault tolerance in the event of any one of the DHCP servers going down on the network.

Unanswered Q.22) Which of the following is the best method of IP address assignment in case of a private

subnet containing 25 systems only?     A. 2 DHCP servers with 80/20 rule in place   B. 2 DHCP servers with 50/50 rule in place   C. Implement static IP address assignment (correct answer)   D. Implement APIPA.

 

Explanation In a network that has only 25 systems, it is ideal to implement static IP assignment as it is easy to manage it that way. Multiple DHCP servers in this scenario would be beyond requirement.

Unanswered Q.23) Which of the following protocols will ensure server availability for DHCP Server on a

cluster?  

  A. Multicast Address Dynamic Client Allocation Protocol (MADCAP) (correct answer)

  B. Automatic Private IP Addressing (APIPA)   C. Light Weight Directory Access Protocol (LDAP)   D. Kerberos

 Explanation Multicast Address Dynamic Client Allocation Protocol (MADCAP) helps with server availability for DHCP servers on a cluster.

Unanswered Q.24) Which of the following could be issues when considering scaling the scope of a DHCP

server?     A. Network requirement   B. Disk space limitation (correct answer)   C. Bandwidth limitation   D. Service pack on DHCP server   Explanation

Ideally all scopes on the DHCP server will require some amount of disk space, Ram and in result paging files as well. If either of them starts becoming a limitation, the DHCP server may not be able to handle the request from the clients very efficiently.

Unanswered Q.25) In a forest scenario in which the root domain has many levels of hierarchy beneath it

and several clients per each domain in each level, it is ideal to implement centralized DHCP server for the entire forest at the root level. T/F?

    A. True   B. False (correct answer)

 Explanation This scenario calls for at least one DHCP server per domain per level.

Unanswered Q.26) Centralized DHCP servers with DHCP relay agents across location require a robust link in

each location to keep the DHCP infrastructure functioning effeceintly. T/F?     A. True (correct answer)   B. False

 Explanation Since the DHCP server is centralized it is mandatory to have robust links in each location to aid dynamic IP allocation for clients through DHCP relay agents in each location.

Unanswered Q.27) When recursion is disabled on the DNS servers, which of the following types of queries

will not be handles by that DNS server?     A. Iterative queries   B. Recursive queries (correct answer)   C. Cached queries   D. None of the above

 

Explanation One way of ensuring the DNS server does not handles recursive queries is to disable recursion on that DNS server. This is usually done on servers that are not meant to handle any queries for resolution outside of that domain.

Unanswered Q.28) A Cache only DNS server can handle only iterative queries and not recursive queries. T/F?     A. True   B. False (correct answer)

 Explanation A cache only DNS server can only cache already resolved DNS queries. It is not capable of resolving any type of fresh queries itself.

Unanswered Q.29) If you do not want your DNS server to resolve queries but only accept queries from

clients and pass it on to other DNS servers, which of the following must you configure it as?

 

  A. Cache only DNS   B. Forwarder (correct answer)   C. Root DNS   D. Secondary DNS

 Explanation Forwarders are those DNS servers that can accept query request from clients and forward those request to designated DNS servers that are meant to resolve queries.

Unanswered Q.30) If a DNS has to resolve forwarded requests of specific domains only, which of the

following has to be configured?     A. Forwarding   B. Conditional forwarding (correct answer)   C. Recursion   D. None of the above

 Explanation If a DNS has to resolve queries of only specific domain then conditional forwarding will have to be configured.

Unanswered Q.31) Which of the following is capable of being a DHCP relay agent?     A. Router (correct answer)   B. Switch   C. Hub   D. None of the above

 Explanation A router is capable of being a BootP/DHCP relay agent.

Unanswered Q.32) When assigning dynamic IP addresses to a vendor specific group of resources on the

network, which of the following must be configured?     A. Vendor defined class (correct answer)   B. User defined class   C. Custom class   D. None of the above

 Explanation There is no such thing as custom class. Vendor defined class is usually used to assign dynamic IP addresses to resources from a specific vendor on the network.

Unanswered Q.33) Which of the following is mandatory for any DHCP server that needs to assign IP

addresses on the ADS network?     A. It needs to be authorized by the ADS (correct answer)   B. It needs to be authorized by the root DC.   C. It needs to be authorized by the first DHCP server on the network.   D. None of the above

 Explanation Any DHCP server t hat needs to be assigning IP addresses on the ADS network needs to be authorized by the ADS.

Unanswered Q.34) Which of the following tools will help to manage your DNS server?     A. Dsdns   B. Dnscmd (correct answer)   C. Administrative tools   D. Active Directory Domains and Trusts

 Explanation The appropriate tools to manage the DNS Server is the Dnscmd.

Unanswered Q.35) Which of the following relates to cache.dns?     A. Root hints file. (correct answer)   B. Cached queries   C. Resolved and cached queries   D. None of the above

 Explanation Root hints is a list of primary records that helps to locate other DNS servers that are authoritative for the root of the DNS domain namespace tree.

Unanswered Q.36) The RAS server is ideally placed within the internal network. T/F?     A. True   B. False (correct answer)

 Explanation The RAS server must be placed ideally in the perimeter network

Unanswered Q.37) Which of the following is the most practical way of implementing a DHCP server?     A. One centralized server that has a scope defined for entire network   B. One DHCP server for each subnet   C. One DHCP server per physical site.   D. At least 2 DHCP servers per physical site. (correct answer)   E. At least 2 DHCP servers per entire network.

 

Explanation Depending upon the size of the geographical site in terms of the number of users on the network requiring dynamic IP addresses, it is ideal to have at least 2 DHCP servers in the site and split the scope between the two servers for fault tolerance.

Unanswered Q.38) Which of the following is the default lease period for an assigned DHCP lease in the

Windows Server 2003 environment?     A. 45 days

  B. 1 week   C. 8 days (correct answer)   D. 5 days

 Explanation The default lease period for an IP address assigned to the DHCP client, in a Windows Server 2003 environment is 8 days.

Unanswered Q.39) NLB is an ideal solution for load balancing the DNS environment. T/F?     A. True   B. False (correct answer)

 Explanation Round robin rotation is used for load balancing the DNS environment.NLB is ideally used for resource other than DNS on the network.

Unanswered Q.40) Which of the following is the default refresh interval for a DNS?     A. 5 minutes   B. 10 minutes   C. 15 minutes (correct answer)   D. 20 minutes

 Explanation The default refresh interval after which the secondary server requests for the renewal of the SOA record from the source is 900 seconds or 15 minutes.

Unanswered Q.41) RRAS on Windows Server 2003 environment supports IGRP as a routing protocol. T/F?     A. True   B. False (correct answer)

 Explanation RRAS on Windows Server 2003 environment supports only RIP and OSPF as routing protocols.

Unanswered Q.42) RRAS on Windows Server 2003 environment supports only RIP and OSPF as routing

protocols.     A. True   B. False (correct answer)

 Explanation Choice B is the correct answer.

Unanswered Q.43) Which of the following is the IEEE specification for Wireless communication?     A. IEEE 802.3   B. IEEE 802.3U   C. IEEE 802.2

  D. IEEE 802.11b / IEEE 802.11g (correct answer)

 Explanation IEEE 802.11b and IEEE 802.11g are Ethernet specifications for Wireless communication.

Unanswered Q.44) Which of the following should not be placed on the border of the network?     A. Router   B. Firewall   C. Layer 3 Switch (correct answer)   D. RAS server

 Explanation A Layer 3 switch is ideally meant to connect the server farm to the rest of the internal network and should not ideally be placed on the edge of the network.

Unanswered Q.45) Layer 3 are nothing but routers with more Ethernet ports. T/F?.     A. True   B. False (correct answer)

 Explanation A Layer 3 switch cannot be compared to the router as its function is more within the network rather than the edge of the network as is in case of the router.

Unanswered Q.46) Which of the following commands can be used to trace a path taken by the data packets?     A. Ping   B. Tracert (correct answer)   C. IPCONFIG   D. None of the above

 Explanation Tracert command is used to trace the path taken by the data packets to reach the destination.

Unanswered Q.47) A Router can relate protocols of layer-3 and above. T/F?     A. True   B. False (correct answer)

 Explanation A Router is alyer-3 device and hence can relate to and understand Layer-3 protocols only and not protocols of the layers above layer-3.

Unanswered Q.48) L2TP is the ideal protocol for securing communication between two routers. T/F?     A. True (correct answer)   B. False   Explanation

Ideally PPTP as well as L2TP can be used to secure communication between two routers. L2TP is ideal on the Windows Server 2003 environment.

Unanswered Q.49) Which of the following is the most simple method of exchanging routing information in

a routing network that has at least 12 routers?     A. RIP (correct answer)   B. OSPF   C. IGRP   D. Static routes

 Explanation RIP is a distance vector routing protocols that is ideal for routing networks ranging from small to medium in size.

Unanswered Q.50) Routers use firewalls for packet filtering. T/F?     A. True   B. False (correct answer)

 Explanation Routers use access lists for packet filtering.

Unanswered Q.51) Which of the following can be used as a dedicated authentication service on a Windows

Server 2003 network?     A. IAS (correct answer)   B. IIS   C. RAS   D. RRAS

 Explanation IAS (Internet Authentication Service) employs the RADIUS technology to facilitate dedicated authentication service on the Windows Server 2003 network.

Unanswered Q.52) Which of the following can record security negotiations on a Windows Server 2003

network?     A. Event viewer � System log   B. Event viewer � Security log   C. Event viewer � Application log   D. Oakley Log (correct answer)

 Explanation Enabling the Oakley log will allow recording of all Internet Security Association and Key Management Protocol (ISAKMP) negotiations.

Unanswered Q.53) Which of the following can be used for troubleshooting a remote network?     A. Performance monitor

  B. Netsh ras diag (correct answer)   C. Event viewer   D. System monitor

 Explanation Netsh ras diag is a diagnostic command line tool meant for diagnosing remote connections. Hence, choice B is correct.

Unanswered Q.54) RRAS can be implemented only Windows Server 2003 resource servers and DCs. T/F?     A. True   B. False (correct answer)

 Explanation RRAS can be implemented on all server OS flavors of Windows Server 2003.

Unanswered Q.55) Routers help to split collision domains. T/F?     A. True   B. False (correct answer)

 Explanation Routers help to split broadcast domains

Unanswered Q.56) VLANs are implemented to avoid broadcasts within the switched network. T/F?     A. True (correct answer)   B. False

 Explanation VLANs are implemented to restrict broadcasts within a switched network.

Unanswered Q.57) A hub is not capable of operating in full duplex mode. T/F?     A. True   B. False (correct answer)

 Explanation A hub is not capable of working in full duplex mode, it can only work in half duplex mode.

Unanswered Q.58) Which of the following levels of filtering does a standard firewall use?     A. Packet level   B. Circuit level   C. Application level   D. Protocol level (correct answer)

 Explanation Usually firewalls restrict traffic based on the protocols that are used by applications hosted on the server. Hence the standard firewall is said to be using protocol level filtering.

Unanswered

Q.59) Which of the following is responsible for hiding the internal network address from the external world?

    A. Firewall   B. Network Address Translation (NAT) (correct answer)   C. Port Address Translation (PAT)   D. DHCP server

 Explanation Nat is a process of mapping the Public address to the internal address and vice versa and in the process of which, it hides the internal network address from the external world.

Unanswered Q.60) Which of the following is generally used as a backup link?     A. Leased line   B. ISDN   C. PSTN   D. Demand dial (correct answer)

 Explanation Demand dial is usually used as backup for the main link, when the main link either fails or is unable to handle the load at that instant.

Unanswered Q.61) Which of the following disk architectures is not used for fault tolerance

implementations?     A. Storage Area Network (SAN)   B. Redundant Array of Intelligent Drives (RAID)   C. Network Attached Storage (NAS)   D. Integrated Device Electronic (IDE) (correct answer)

 Explanation The IDE cannot be used for fault tolerance implementation on the network.

Unanswered Q.62) Windows Server 2003 Cluster service quorum resource need not be on a storage device

attached to a shared bus.     A. True (correct answer)   B. False

 Explanation Windows Server 2003 Cluster service quorum resource need not be on a storage device attached to a shared bus.

Unanswered Q.63) Windows Server 2003 does not support third party quorum resource. T/F?     A. True   B. False (correct answer)

 Explanation Windows Server 2003 does support pre-installed third party quorum resources as well.

Unanswered Q.64) It is mandatory to restart the server on which the Cluster service has just been un-installed.

T/F?     A. True   B. False (correct answer)

 Explanation On Windows Server 2003 environment, it is not required to restart the server after the cluster service has been uninstalled.

Unanswered Q.65) Which of the following is not supported on a cluster service?     A. RAID   B. Dynamic disks (correct answer)   C. SAN   D. NAFT

 Explanation RAID and SAN are supported for disk fault tolerance on the Cluster service and NAFT is supported for NIC fault tolerance. Dynamic disks are not supported on cluster service.

Unanswered Q.66) Which of the following statements is true?     A. Cluster service can be administered using physical interface alone   B. Cluster service can be remotely administered as well. (correct answer)   C. Cluster service can be remotely administered only with NLB implementation   D. Cluster service cannot be remotely administered only with NLB implementation.

 Explanation Cluster service can be remotely administered to create new Server clusters and to add additional nodes to an existing Server cluster.

Unanswered Q.67) Enter the command that facilitates scripting to administer the cluster service.      

   

Possible correct answers:  

cluster

 Explanation Cluster.exe is the command line tool that allows scripting for cluster administration.

Unanswered Q.68) Which of the following is an exact description of the quorum log?     A. It is a configuration database (correct answer)   B. It is an error log file   C. It is a transaction log file

  D. None of the above

 Explanation A quorum log is a configuration database for the server cluster that contains cluster configuration information

Unanswered Q.69) The default quorum log size in Windows Server 2003 is 4096KB. T/F?     A. True (correct answer)   B. False

 Explanation The default quorum log size in Windows Server 2003 is 4096KB.

Unanswered Q.70) Which of the following is a diagnostic tool used to troubleshoot Cluster service?     A. CLUSTER   B. Clusdiag (correct answer)   C. System monitor   D. Performance monitor

 Explanation Clusdiag is a diagnostic tool used to troubleshoot Cluster service in Windows Server 2003 environment.

Unanswered Q.71) Cluster names cannot be resolved using DNS service. T/F?     A. True   B. False (correct answer)

 Explanation Cluster names are linked to their respective IP addresses and can hence be resolved using DNS service

Unanswered Q.72) Which of the following is not the best configuration mode for NICs on the cluster?     A. Half duplex mode   B. Full duplex mode   C. Auto speed detection (correct answer)   D. None of the above

 Explanation All NICs on a cluster must be configured to a common speed. Auto detection of speed will not allow this to be achieved and is hence not the correct setting for a NIC in the cluster.

Unanswered Q.73) Which of the following provides fault tolerance to NIC on the cluster?     A. Using 2 NICs of the same bandwidth with one IP address for each card   B. Using 2 NICs with a common IP address for cards   C. NAFT (correct answer)   D. None of the above

 Explanation NAFT provides fault tolerance to NICs on the cluster and thus increasing the service availability on the network.

Unanswered Q.74) Which of the following is not possible by the DFS (Distributed File Service)?     A. Redirecting clients to nearest available file resource   B. Optimizing network utilization   C. Replicating data resources across network (correct answer)   D. Distributing links to resources, across the network

 Explanation DFS only is a distributed file resource access service used to ensure network usage optimization and enhance data availability. It does not replicate data across the network.

Unanswered Q.75) Which of the following authentication methods is not relevant to DFS?     A. Built-in Server Message Block (SMB)   B. LAN Manager (LM)   C. Clear text (correct answer)   D. None of the above

 Explanation Since DFS requires security for authentication it will not be using clear text as clear text is not a secure method of authentication.

Unanswered Q.76) It is mandatory to implement DFS on a single name space alone. T/F?     A. True   B. False (correct answer)

 Explanation When DFS has to be installed as a stand alone service it will require a single namespace other wise it integrates to the ADS and relies on ADS for security and reliability.

Unanswered Q.77) Which of the following services is not used by the DFS?     A. Remote Procedure Call (RPC)   B. Light Weight Directory Access Protocol (LDAP)   C. File Replication Service (FRS)   D. Remote Access Service (RAS) (correct answer)

 

Explanation RPC is a service used by most network related servers; LDAP can also be used for querying. FRS is used as a pre-requisite service. The only service that DFS does not relate to here is the RAS.

Unanswered Q.78) FRS can compress stored files only if implemented on NTFS volume. T/F?     A. True (correct answer)

  B. False

 Explanation FRS is capable of compressing data during transmission only and not while storing them. Hence it relies on NTFS for this purpose.

Unanswered Q.79) Which of the following is a criterion when accepting files for replication when using the

FRS?     A. File name   B. File extension   C. Update Sequence Number (USN). (correct answer)   D. Time stamp

 Explanation Whenever a file has been altered the file is sent to all replicas with a USN attached to it. The file will be accepted or rejected only on the basis of this USN.

Unanswered Q.80) Which of the following Windows NT servers can be a DFS server?     A. Windows NT 3.51   B. Windows NT 4 with service pack 4   C. Windows NT 4 with Service pack 5   D. Windows NT 4 with Service pack 6a (correct answer)

 Explanation A Windows NT 4 server running service pack version 6a can act as a DFS server.

Unanswered Q.81) Which of the following statements are correct regarding cluster support in Windows

Server 2003?     A. Windows Server 2003 standard edition supports 5-node cluster.   B. Windows Server 2003 enterprise edition supports 4-node cluster.   C. Windows Server 2003 enterprise edition supports 6-node cluster.   D. Windows Server 2003 enterprise edition supports 8-node cluster. (correct answer)

 Explanation Windows Server 2003 enterprise edition supports 8-node cluster.

Unanswered Q.82) It is not possible to build a cluster without shared disks using Windows Server 2003. T/F?     A. True   B. False (correct answer)

 Explanation It is possible to build a cluster without shared disks using Windows Server 2003.

Unanswered Q.83) Cluster service must always be installed with default value and then customized. T/F?     A. True (correct answer)   B. False

 Explanation It is best practice to always install the cluster service with default values and then customized according to each specific scenario.

Unanswered Q.84) Which of the following rights are required by the Cluster Service (ClusSvc) to run

efficiently? (Choose two)     A. Logon locally   B. Logon as a service (missed)   C. Lock pages (missed)   D. Administrator

 Explanation The rights required by the Cluster service to run efficiently are Log on as a service and Lock pages rights.

Unanswered Q.85) Which of the following will not use FRS?     A. Netlogon Shared folder   B. Winnt\system32 folder (correct answer)   C. System policies   D. Group Policy settings

 Explanation Winnt\system32 does not need to be replicated and will not require the FRS.

Unanswered Q.86) The FRS uses hub and spoke topology to collect configuration files from the spoke

replica. T/F?     A. True   B. False (correct answer)

 Explanation The FRS uses the reverse topology to collect configuration files from the spoke replica.

Unanswered Q.87) Which of the following is not a criterion for the FRS?     A. ADS namespace   B. NetBIOS names (correct answer)   C. DFS namespace   D. DNS namespace

 Explanation The FRS relates to ADS namespace, DFS namespace and the DNS namespace. It can function without the NetBIOS name.

Unanswered Q.88) FRS does not rely on NTFS for reliability of service. T/F?     A. True   B. False (correct answer)

 Explanation NTFS is required to detect changes in files and folders, to maintain USN, and for compressing files and folders that need to be transmitted into a pre-staged folder.

Unanswered Q.89) The FRS does not have a highly reliable topology for fault tolerance. T/F?     A. True   B. False (correct answer)

 

Explanation The replication of FRS is very fault tolerant, if one of the replicas fails, the replication path is immediately redirected to another existing replica so that the replication data will not be lost.

Unanswered Q.90) Which of the following commands will help fix a failed quorum resource?     A. Cluster   B. Use the command Chkdsk/fixquorum. (correct answer)   C. Clusdiag   D. None of the above

 Explanation It is required to use the command Chkdsk/fixquorum for temporary redirection of the quorum resource location to another location.

Unanswered Q.91) Persistent IPSec policies will always have precedence over other types of IPSec

policies. T/F?     A. True (correct answer)   B. False

 Explanation Persistent IPSec policies are called so because they will always have precedence over other IPSec policies.

Unanswered Q.92) Only one IPSec policy can be applied to each level of hierarchy. T/F?     A. True (correct answer)   B. False

 Explanation Only a single IPSec policy can be assigned at a specific level in Active Directory hierarchy levels.

Unanswered Q.93) An acquired policy is usually over-ridden by the local policy at the lowest level of

hierarchy. T/F?     A. True (correct answer)   B. False   Explanation

At the lowest level of hierarchy, when one policy is first acquired and then a local policy gets applied, the local policy will over-ride the acquired IPSec policy.

Unanswered Q.94) In case of a local Group Policy Object (GPO), policy settings can be stored on a computer

only if that computer is a member of the Active Directory.     A. True   B. False (correct answer)

 

Explanation When using the local GPO, you can store Group Policy settings on individual computers regardless of whether they are members of an Active Directory domain or not. Thus, the given statement is False.

Unanswered Q.95) In an Active Directory environment, domain based policies will over-ride local policies.

T/F?     A. True (correct answer)   B. False

 Explanation In an Active Directory environment, domain based policies will over-ride local policies.

Unanswered Q.96) Which of the following IPSec policies will have highest precedence?     A. The lowest level of hierarchy (correct answer)   B. Highest level of hierarchy   C. The parent level of the current level   D. The child level of the current level

 Explanation The assignment precedence for IPSec policies goes from lowest level in the hierarchy to the highest level in the hierarchy.

Unanswered Q.97) Which of the following statements about modifying IPSec policies is true?     A. Only the Enterprise Admin can modify the IPSec policies.   B. Only the creator owner can modify the IPSec policies.

  C. Users with delegated permissions to the IPSec policy container can also modify IPSec policies. (correct answer)

  D. Only local administrators can modify IPSec policies

 Explanation Users with delegated permissions to the IPSec policy container can also modify IPSec policies.

Unanswered Q.98) An administrator who manages IPSec policies will require which of the following

permissions?     A. Change

  B. Read   C. List   D. Write (correct answer)

 Explanation IPSec policy administrator will require Write access to all IPSec policy objects.

Unanswered Q.99) Is it mandatory to locally test IPSec policies before deploying it on the network?     A. Yes (correct answer)   B. No

 

Explanation It is mandatory to locally test IPSec policies before deploying it on the network. This helps to iron out issues in the policies as well as employ a systematic approach to deploying policies. Especially in a huge network that has many administrators.

Unanswered Q.100) Which of the following tools can be used to do a batch job of assigning permissions to

administrators to policy containers?     A. IPSec monitor   B. IPSecpol.exe   C. ADSI edit (correct answer)   D. Active Directory users and computers

 

Explanation Choice C is the correct answer.

The correct tool that can be used to do a batch job of assigning permissions to administrators to policy containers is ADSI edit.