mcse questions and answers

26
8/3/2019 MCSE Questions and Answers http://slidepdf.com/reader/full/mcse-questions-and-answers 1/26  What is an IP address? This definition is based on Internet Protocol Version 4. See Internet Protocol Version 6 (IPv6) for a description of the newer 128-bit IP address. Note that the system of IP address classes described here, while forming the basis for IP address assignment, is generally bypassed today by use of Classless Inter-Domain Routing (CIDR) addressing. In the most widely installed level of the Internet Protocol (IP) today, an IP address is a 32-bit number that identifies each sender or receiver of information that is sent in packets across the Internet. When you request an HTML page or send e- mail, the Internet Protocol part of TCP/IP includes your IP address in the message (actually, in each of the packets if more than one is required) and sends it to the IP address that is obtained by looking up the domain name in the Uniform Resource Locator you requested or in the e-mail address you're sending a note to. At the other end, the recipient can see the IP address of the Web page requestor or the e-mail sender and can respond by sending another message using the IP address it received. An IP address has two parts: the identifier of a particular network on the Internet and an identifier of the particular device (which can be a server or a workstation) within that network. On the Internet itself - that is, between the routers that move packets from one point to another along the route - only the network part of the address is looked at. IP V6 IPv6 (Internet Protocol Version 6) is the latest level of the Internet Protocol (IP) and is now included as Part of IP support in many products including the major computer operating systems. IPv6 has also been called "IPng" (IP Next Generation). Formally, IPv6 is a set of specifications from the Internet Engineering Task Force (IETF). IPv6 was designed as an evolutionary set of improvements to the current IP Version 4. Network hosts and intermediate nodes with either IPv4 or IPv6 can handle packets formatted for either level of the Internet Protocol. Users and service providers can update to IPv6 independently without having to coordinate with each other. The most obvious improvement in IPv6 over the IPv4 is that IP addresses are lengthened from 32 bits to 128 bits. This extension anticipates considerable future growth of the Internet and provides relief for what was perceived as an impending shortage of network addresses. IPv6 describes rules for three types of addressing: unicast (one host to one other host), any cast (one host to the nearest of multiple hosts), and multicast (one host to multiple hosts). Additional advantages of IPv6 are: Options are specified in an extension to the header that is examined only at the destination, thus speeding up overall network performance. The introduction of an "any cast" address provides the possibility of sending a message to the nearest of several possible gateway hosts with the idea that any one of them can manage the forwarding of the packet to others. Any cast messages can be used to update routing tables along the line. Packets can be identified as belonging to a particular "flow" so that packets that are part of a multimedia presentation that needs to arrive in "real time" can be provided a higher quality-of-service relative to other customers. The IPv6 header now includes extensions that allow a packet to specify a mechanism for authenticating its origin, for ensuring data integrity, and for ensuring privacy. What is a subnet mask? A subnet mask allows you to identify which part of an IP address are reserved for the network, and which part is available for host use. If you look at the IP address alone, especially now with classless inter-domain routing, you can't tell which part of the address is which. Adding the subnet mask, or net mask, gives you all the information you need to calculate network and host portions of the address with ease. In summary, knowing the subnet mask can allow you to easily calculate whether IP addresses are on the same subnet, or not. What is ARP? ARP is a very important part of IP networking. ARP is used to connect OSI Layer 3 (Network) to OSI Layer 2 (Data-Link). For most of us, that means that ARP is used to link our IP addressing to our

Upload: shaheen-shah

Post on 07-Apr-2018

238 views

Category:

Documents


4 download

TRANSCRIPT

Page 1: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 1/26

 

What is an IP address?

This definition is based on Internet Protocol Version 4. See Internet Protocol Version 6 (IPv6) for a

description of the newer 128-bit IP address. Note that the system of IP address classes described

here, while forming the basis for IP address assignment, is generally bypassed today by use of 

Classless Inter-Domain Routing (CIDR) addressing. In the most widely installed level of the Internet

Protocol (IP) today, an IP address is a 32-bit number that identifies each sender or receiver of information that is sent in packets across the Internet. When you request an HTML page or send e-

mail, the Internet Protocol part of TCP/IP includes your IP address in the message (actually, in each of 

the packets if more than one is required) and sends it to the IP address that is obtained by looking up

the domain name in the Uniform Resource Locator you requested or in the e-mail address you're

sending a note to. At the other end, the recipient can see the IP address of the Web page requestor

or the e-mail sender and can respond by sending another message using the IP address it received.

An IP address has two parts: the identifier of a particular network on the Internet and an identifier of 

the particular device (which can be a server or a workstation) within that network. On the Internet

itself - that is, between the routers that move packets from one point to another along the route -

only the network part of the address is looked at.

IP V6 IPv6 (Internet Protocol Version 6) is the latest level of the Internet Protocol (IP) and is now

included as Part of IP support in many products including the major computer operating systems.

IPv6 has also been called "IPng" (IP Next Generation). Formally, IPv6 is a set of specifications from

the Internet Engineering Task Force (IETF). IPv6 was designed as an evolutionary set of 

improvements to the current IP Version 4. Network hosts and intermediate nodes with either IPv4 or

IPv6 can handle packets formatted for either level of the Internet Protocol. Users and service

providers can update to IPv6 independently without having to coordinate with each other.

The most obvious improvement in IPv6 over the IPv4 is that IP addresses are lengthened from 32 bits

to 128 bits. This extension anticipates considerable future growth of the Internet and provides relief 

for what was perceived as an impending shortage of network addresses. IPv6 describes rules for

three types of addressing: unicast (one host to one other host), any cast (one host to the nearest of 

multiple hosts), and multicast (one host to multiple hosts). Additional advantages of IPv6 are:

Options are specified in an extension to the header that is examined only at the destination, thus

speeding up overall network performance. The introduction of an "any cast" address provides the

possibility of sending a message to the nearest of several possible gateway hosts with the idea that

any one of them can manage the forwarding of the packet to others. Any cast messages can be used

to update routing tables along the line. Packets can be identified as belonging to a particular "flow"

so that packets that are part of a multimedia presentation that needs to arrive in "real time" can be

provided a higher quality-of-service relative to other customers. The IPv6 header now includes

extensions that allow a packet to specify a mechanism for authenticating its origin, for ensuring data

integrity, and for ensuring privacy.

What is a subnet mask?

A subnet mask allows you to identify which part of an IP address are reserved for the network, and

which part is available for host use. If you look at the IP address alone, especially now with classless

inter-domain routing, you can't tell which part of the address is which. Adding the subnet mask, or

net mask, gives you all the information you need to calculate network and host portions of the

address with ease. In summary, knowing the subnet mask can allow you to easily calculate whether

IP addresses are on the same subnet, or not.

What is ARP?

ARP is a very important part of IP networking. ARP is used to connect OSI Layer 3 (Network) to OSI

Layer 2 (Data-Link). For most of us, that means that ARP is used to link our IP addressing to our

Page 2: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 2/26

Ethernet addressing (MAC Addressing). For you to communicate with any device on your network,

you must have the Ethernet MAC address for that device. If the device is not on your LAN, you go

through your default gateway (your router). In this case, your router will be the destination MAC

address that your PC will communicate with.

What is ARP Cache Poisoning?

ARP cache poisoning, also known as ARP spoofing, is the process of falsifying the source MediaAccess Control (MAC) addresses of packets being sent on an Ethernet network. It is a MAC layer

attack that can only be carried out when an attacker is connected to the same local network as the

Target machines, limiting its effectiveness only to networks connected with switches, hubs, and

bridges; not routers.

What is the ANDing process?

Notice that when the resulting AND values are converted back to binary, it becomes clear that the

two hosts are on different networks. Computer A is on subnet 192.168.56.0, while the destination

host is on subnet 192.168.64.0, which means that Computer A will next be sending the data to a

router. Without ANDing, determining local and remote hosts can be difficult. Once you’re very

familiar with sub netting and calculating ranges of addresses, recognizing local and remote hosts will

become much more intuitive. Whenever you’re in doubt as to whether hosts are local or remote, use

the ANDing process. You should also notice that the ANDing process always produces the subnet ID

of a given host.

What is a default gateway? What happens if I don't have one?

In computer networking, a default network gateway is the device that passes traffic from the local

subnet to devices on other subnets. The default gateway often connects a local network to the

Internet, although internal gateways for connecting two local networks also exist.

What is APIPA?

Short for Automatic Private IP Addressing, a feature of later Windows operating systems. With

APIPA, DHCP clients can automatically self-configure an IP address and subnet mask when a DHCP

server isn't available. When a DHCP client boots up, it first looks for a DHCP server in order to obtain

an IP address and subnet mask. If the client is unable to find the information, it uses APIPA to

automatically configure itself with an IP address from a range that has been reserved especially for

Microsoft. The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures

itself with a default class B subnet mask of 255.255.0.0. A client uses the self-configured IP address

until a DHCP server becomes available.

The APIPA service also checks regularly for the presence of a DHCP server (every five minutes,

according to Microsoft). If it detects a DHCP server on the network, APIPA stops, and the DHCP

server replaces the APIPA networking addresses with dynamically assigned addresses.

APIPA is meant for non-routed small business environments, usually less than 25 clients.

What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them)

Short for Request for Comments, a series of notes about the Internet, started in 1969 (when the

Internet was the ARPANET). An Internet Document can be submitted to the IETF by anyone, but the

IETF decides if the document becomes an RFC. Eventually, if it gains enough interest, it may evolve

into an Internet standard. Each RFC is designated by an RFC number. Once published, an RFC never

changes. Modifications to an original RFC are assigned a new RFC number.

Can a workstation computer be configured to browse the Internet and yet NOT have a default

gateway?

Page 3: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 3/26

If we are using public IP address, we can browse the internet. If it is having an intranet address a

gateway is needed as a router or firewall to communicate with internet.

What is a subnet?

A subnet is a logical organization of network address ranges used to separate hosts and network

devices from each other to serve a design purpose. In many cases, subnets are created to serve as

physical or geographical separations similar to those found between rooms, floors, buildings, orcities.

11) What is RFC 1918?

RFC 1918 is Address Allocation for Private Internets the Internet Assigned Numbers Authority (IANA)

has reserved the following three blocks of the IP address space for private internets: 10.0.0.0 -

10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 -

192.168.255.255 (192.168/16 prefix) we will refer to the first block as"24-bit block", the second as

"20-bit block", and to the third as "16-bit" block. Note that (in pre-CIDR notation) the first block is

nothing but a single class A network number, while the second block is a set of 16 contiguous class B

network numbers, and third block is a set of 256 contiguous class C network numbers.

12) What is CIDR?

CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and

specify the Internet addresses used in inter-domain routing more flexibly than with the original

system of Internet Protocol (IP) address classes. As a result, the number of available Internet

addresses has been greatly increased.

13. You have the following Network ID:

192.115.103.64/27.What is the IP range for your network?

It ranges from 192.115.103.64 - 192.115.103.96 But the usable address are from 192.115.103.64 -

192.115.103.94

192.115.103.95 - it is the broadcast address

192.115.103.96 - will be the ip address of next range

We can use 30 hosts in this network

14.You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How

many networks can you create? What subnet mask will you use?

If you need 500 users then 2^9th would give you 512 (remember the first and last are network and

broadcast), 510 usable. So of your 32 bits you would turn the last 9 off for host and that would give

you give you a 255.255.254.0 subnet mask (11111111.11111111.11111110.00000000). Now that we

know that we can see that you have the first 7 of your third octet turned on so to figure out how

many subnets you have us the formula 2^7th= 128. So you can have 128 subnets with 500 people on

them.

15.You need to view at network traffic. What will you use?

Name a few tools

winshark or tcp dump

16. How do I know the path that a packet takes to the

destination?

use "tracert" command-line

Page 4: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 4/26

 

17. What does the ping 192.168.0.1 -l 1000 -n 100 command do?

The ping command will send roundtrip packets to a destination (other PC, router, printer, etc. ) and

see how long it takes. The 192.168.0.1 is the destination (which, by the way is a typical default

IP address of a router) the -l 1000 is how big the packet should be in bytes.

The default is 32, if the -l parameter is not used. And the -n 100 is saying to send it 100 times. Thedefault is 4, when this parameter is not used.

18. What is DHCP? What are the benefits and drawbacks of 

Using it?

Benefits:

1. DHCP minimizes configuration errors caused by manual IP

address configurationDHCP minimizes configuration errors

caused by manual IP address configuration

2. Reduced network administration.

Disadvantage

Your machine name does not change when you get a new IP

address. The DNS (Domain Name System) name is associated

with your IP address and therefore does

change. This only presents a problem if other clients try to

access your machine by its DNS name.

19. Describe the steps taken by the client and DHCP server in order to obtain an IP address.

* At least one DHCP server must exist on a network. Once the DHCP server software is installed,

you create a DHCP scope, which is a pool of IP addresses that the server manages. When clients log

on, they request an IP address from the server, and the server provides an IP

Address from its pool of available addresses. * DHCP was originally defined in RFC 1531 (Dynamic

Host Configuration Protocol, October 1993) but the most recent update is RFC 2131

(Dynamic Host Configuration Protocol (DHCP), March 1997) The IETF Dynamic Host Configuration

(DHC) Working Group is chartered to produce a protocol for automated allocation, configuration,

and management of IP addresses and TCP/IP protocol stack parameters.

20. What is the DHCPNACK and when do I get one? Name 2

scenarios.

DHCP server issues a NAK to DHCP clients.For simplification purposes, I am listing down the possible

scenarios in which the server should NOT issue a NAK. This should give you a good understanding

of DHCP NAK behavior.When a DHCP server receives a DHCPRequest with a previously assigned

address specified, it first checks to see if it came from the local segment by checking the GIADDR

field. If it originated from the local segment, the DHCP server compares the requested address to the

IP address and subnet mask belonging to the local interface that received the request. DHCP server

will issue a NAK to the client ONLY IF it is sure that the client, "on the local subnet", is asking for

an address that doesn't exist on that subnet. The server will send a NAK EXCEPT in the following

scenarios:-

1. Requested address from possibly the same subnet but not

in the address pool of the server:-

This can be the failover scenario in which 2 DHCP servers

are serving the same subnet so that when one goes down, the

Page 5: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 5/26

other should not NAK to clients which got an IP from the

first server.

2. Requested address on a different subnet:-

If the Address is from the same superscope to which the

subnet belongs, DHCP server will ACK the REQUEST.

21. What ports are used by DHCP and the DHCP clients?Requests are on UDP port 68, Server replies on UDP 67

22. Describe the process of installing a DHCP server in an AD infrastructure.

It is about how to install DHCP server...

In Windows server 2008:

Go to... START-->Administrative Tools --> Server Manager -->

Roles (Right Click) --> Add Roles (Here a Add roles wizard will appear) -->

Check the box of DHCP Server --> click next --> Next --> In IPv4 DNS settings Give the

Parent domain Name and DNS server IP address and validate it... Click Next --> Add the DHCP

Scopes --> Disable DHCPv6.. Click Next --> Finally Click on INSTALL

This was the process for installing the DHCP server

23. What is DHCPINFORM?

DHCP Inform is a DHCP message used by DHCP clients to obtain DHCP options While PPP remote

access clients do not use DHCP to obtain IP addresses for the Remote access connection, Windows

2000 and Windows 98 remote access clients use the DHCP Inform message to obtain DNS

server IP addresses, WINS server IP addresses, and a DNS domain name. The DHCPInform message

is sent after the IPCP negotiation is concluded. The DHCPInform message received by the remote

access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform

messages only if it has been configured with the DHCP Relay Agent..

24. Describe the integration between DHCP and DNS.

Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly,

changing authorization rights for a particular user on agroup of devices has meant visiting each one

and making configuration changes. DHCP integration with DNS allows theaggregation of these tasks

acrossdevices, enabling a company's network services to scale instep with the growth of network

users, devices, andpolicies, while reducing administrative operations and costs.

This integration provides practical operational efficiencies that lower total cost of ownership.

Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the

number of tasks required of network administrators. And integration of DNS and DHCP in the same

database instance provides unmatched consistency between service and management views of IP

address-centric network services data.

25.What options in DHCP do you regularly use for an MS

network?

Automatic providing IP address

Subnet mask

DNS server

Domain name

Default getaway or router

26. What are User Classes and Vendor Classes in DHCP?

Page 6: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 6/26

Microsoft Vendor Classes

The following list contains pre-defined vendor classes that are available in Windows 2000 DHCP

server. Collapse this tableExpand this table Class Data Class Name Description MSFT 5.0 Microsoft

Windows 2000 options Class that includes all Windows 2000 DHCP clients. MSFT 98 Microsoft

Windows 98 options Class that includes all Windows 98 and Microsoft Windows Millennium Edition

(Me) DHCP clients. MSFT Microsoft options Class that includes all Windows 98, Windows Me, and

Windows 2000 DHCP clients. If you have non-Microsoft DHCP clients, you can define othervendor-specific classes on the DHCP server. When you define such classes, make sure the vendor

class identifier that you define matches the identifier used by the clients.

Back to the top

User Classes

The following list contains pre-defined user classes that

are available in Windows 2000 DHCP server. Collapse this tableExpand this table

Class ID Class Type Description Unspecified Default user class All DHCP clients that have no user class

specified. RRAS.Microsoft Default Routing and Remote Access class All Dial-Up Networking (DUN)

clients. Bootp Default Bootp class All Bootp clients In addition to these pre-defined classes, you can

also add custom user classes for Windows 2000 DHCP clients. When you configure such classes, you

must specify a custom identifier that corresponds to the user class defined on the DHCP server.

27.How do I configure a client machine to use a specific

User Class?

The command to configure a client machine to use a specific user class is

ipconfig /setclassid "<Name of your Network card>" <Name of the class you created on DHCP and

you want to join (Name iscase sensitive)>

Eg:

ipconfig /setclassid " Local Area Network" Accounting

28. What is the BOOTP protocol used for, where might you

find it in Windows network infrastructure?

ootP (RFC951) provides

* a unique IP address to the requester (using port 67) similar to the DHCP request on port 68 AND

* can provide (where supported) the ability to boot a system without a hard drive (ie: a diskless

client) Apple OS X 10.* Server supports BootP (albeit) renamed as NetBoot. The facility allows the

Admin to maintain a selected set of configurations as boot images and then assign sets of client

systems to share(or boot from) that image. For example Accounting, Management, and Engineering

departments have elements in common, but which can be unique from other departments.

Performing upgrades and maintenance on three images is far more productive that working on all

client systems individually.

Startup is obviously network intensive, and beyond 40-50 clients, the Admin needs to carefully

subnet the infrastructure, use gigabit switches, and host the images local to the clients to avoid

saturating the network. This will expand the number of BootP servers and multiply the number of 

images, but the productivity of 1 BootP server per 50 clients is undeniable :)

Sunmicro, Linux, and AIX RS/600 all support BootP.

Todate, Windows does not support booting "diskless clients".

29. DNS zones – describe the differences between the 4 types.

Dns zone is actual file which contains all the records for a

Page 7: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 7/26

specific domain.

i)Forward Lookup Zones :-

This zone is responsible to resolve host name to ip.

ii)Reverse Lookup Zones :-

This zone is responsible to resolve ip to host name.

iii)Stub Zone :-

Stubzone is read only copy of primary zone.but it containsonly 3 records viz

the SOA for the primary zone, NS record and a Host (A) record.

30. DNS record types – describe the most important ones. Type of Record What it does

A (Host) Classic resource record. Maps hostname to IP(ipv4)

PTR Maps IP to hostname (Reverse of A (Host)

AAAA Maps hostname to ip (ipv6)

Cname Canonical name, in plain English an alias.such as Web Server,FTP Server, Chat Server

NS Identifies DNS name servers. Important for forwarders

MX Mail servers, particularly for other domains.MX records

required to deliver internet email.

 _SRV Required for Active Directory. Whole family of 

underscore service,records, for example, gc = global catalog.

SOA Make a point of finding the Start of Authority (SOA) tab

at the DNS Server.

31. Describe the process of working with an external domain name

Serving Sites with External Domain Name Servers If you host Web sites on this server and have a

standalone DNS server acting as a primary (master) name server for your sites, you may want to set

up your control panel's DNS server to function as a secondary (slave) name server:

To make the control panel's DNS server act as a secondary

name server:

1. Go to Domains > domain name > DNS Settings (in the Web

Site group).

2. Click Switch DNS Service Mode.

3. Specify the IP address of the primary (master) DNS server.

4. Click Add.

5. Repeat steps from 1 to 5 for each Web site that needs to have a secondary name server on this

machine. To make the control panel's DNS server act as a primary for a zone:

1. Go to Domains > domain name > DNS Settings (in the Web Site group).

2. Click Switch DNS Service Mode. The original resource records for the zone will be restored.

If you host Web sites on this server and rely entirely on other machines to perform the Domain

Name Service for your sites (there are two external name servers - a primary and a secondary),

switch off the control panel's DNS service for each site served by external name servers.

To switch off the control panel's DNS service for a site served by an external name server:

1. Go to Domains > domain name > DNS Settings (in the Web Site group).

2. Click Switch Off the DNS Service in the Tools group.

Turning the DNS service off for the zone will refresh the screen, so that only a list of name servers

remains.

Page 8: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 8/26

Note: The listed name server records have no effect on the system. They are only presented on the

screen as clickable links to give you a chance to validate the configuration of the zone maintained on

the external authoritative name servers.

1. Repeat the steps from 1 to 3 to switch off the local domain name service for each site served by

external name servers.

If you wish to validate the configuration of a zone maintained on authoritative name servers:

1. Go to Domains > domain name > DNS Settings (in the Web Site group).2. Add to the list the entries pointing to the appropriate name servers that are authoritative for the

zone: click Add, specify a name server, and click OK. Repeat this for each name server you would like

to test.

The records will appear in the list.

1. Click the records that you have just created. Parallels Plesk Panel will retrieve the zone file from

a remote name server and check the resource records to make sure that domain's resources are

properly resolved. The results will be interpreted and displayed on the screen.

32. Describe the importance of DNS to AD.

When you install Active Directory on a server, you promote

the server to the role of a domain controller for a

specified domain. When completing this

process, you are prompted to specify a DNS domain name for

the Active Directory domain for which you are joining and

promoting the server.If during this

process, a DNS server authoritative for the domain that you

specified either cannot be located on the network or does

not support the DNS dynamic update

protocol, you are prompted with the option to install a DNS

server. This option is provided because a DNS server is

required to locate this server or other

domain controllers for members of an Active Directory domain

33.Describe a few methods of finding an MX record for a

remote domain on the Internet.

In order to find MX Records for SMTP domains you can use

Command-line tools such as NSLOOKUP or DIG. You can also use

online web services that allow you to

perform quick searches and display the information in a

convenient manner.

34. What does "Disable Recursion" in DNS mean?

In the Windows 2000/2003 DNS console (dnsmgmt.msc), under a

server's Properties -> Forwarders tab is the setting Do not

use recursion for this domain. On the Advanced tab you will

find the confusingly similar option Disable recursion (also

disables forwarders).

Recursion refers to the action of a DNS server querying

additional DNS servers (e.g. local ISP DNS or the root DNS

servers) to resolve queries that it cannot

Page 9: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 9/26

resolve from its own database

35. What could cause the Forwarders and Root Hints to be

grayed out?

Win2K configured your DNS server as a private root server

36. What is a "Single Label domain name" and what sort of issues can it cause?

Single-label names consist of a single word like "contoso".

• Single-label DNS names cannot be registered by using an

Internet registrar.

• Client computers and domain controllers that joined to

single-label domains require additional configuration to

dynamically register DNS records in

single-label DNS zones. • Client computers and domain 

controllers may require additional configuration to resolve

DNS queries in single-label DNS zones.

• By default, Windows Server 2003-based domain members,

Windows XP-based domain members, and Windows 2000-based

domain members do not perform dynamic

updates to single-label DNS zones.

• Some server-based applications are incompatible with

single-label domain names. Application support may not exist

in the initial release of an application,

or support may be dropped in a future release. For example,

Microsoft Exchange Server 2007 is not supported in

environments in which single-label DNS is

used.

• Some server-based applications are incompatible with the

domain rename feature that is supported in Windows Server

2003 domain controllers and in Windows

Server 2008 domain controllers. These incompatibilities

either block or complicate the use of the domain rename

feature when you try to rename a single-label

DNS name to a fully qualified domain name.

37. What is the "in-addr.arpa" zone used for?

When creating DNS records for your hosts, A records make

sense. After all, how can the world find your mail server

unless the IP address of that server is associated with its

hostname within a DNS database? However, PTR records aren't

as easily understood. If you already have a zone file, why

does there have to be a separate in-addr.arpa zone

containing PTR records matching your A records? And who

should be making those PTR records--you or your provider?

Let's start by defining in-addr.arpa. .arpa is actually a

TLD like .com or .org. The name of the TLD comes from

Address and Routing Parameter Area and it has been

designated by the IANA to be used exclusively for Internet

infrastructure purposes. In other words, it is an important

Page 10: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 10/26

zone and an integral part of the inner workings of DNS. The

RFC for DNS (RFC 1035) has an entire section on the

in-addr.arpa domain. The first two paragraphs in that

section state the purpose of the domain: "The Internet uses

a special domain to support gateway location and Internet

address to host mapping. Other classes may employ a similar

strategy in other domains. The intent of this domain is toprovide a guaranteed method to perform host address to host

name mapping, and to facilitate queries to locate all

gateways on a particular network in the Internet. Note that

both of these services are similar to functions that could

be performed by inverse queries; the difference is that this

part of the domain name space is structured according to

address, and hence can guarantee that the appropriate data

can be located without an exhaustive search of the domain

space." In other words, this zone provides a database of all

allocated networks and the DNS reachable hosts within those

networks. If your assigned network does not appear in this

zone, it appears to be unallocated. And if your hosts don't

have a PTR record in this database, they appear to be

unreachable through DNS. Assuming an A record exists for a

host, a missing PTR record may or may not impact on the DNS

reachability of that host, depending upon the applications

running on that host. For example, a mail server will

definitely be impacted as PTR records are used in mail

header checks and by most anti-SPAM mechanisms. Depending

upon your web server configuration, it may also depend upon

an existing PTR record. This is why the DNS RFCs recommend

that every A record has an associated PTR record. But who

should make and host those PTR records? Twenty years ago

when you could buy a full Class C network address (i.e. 254

host addresses) the answer was easy: you. Remember, the

in-addr.arpa zone is concerned with delegated network

addresses. In other words, the owner of the network address

is authoritative (i.e. responsible) for the host PTR records

associated with that network address space. If you only own

one or two host addresses within a network address space,

the provider you purchased those addresses from needs to

host your PTR records as the provider is the owner of (i.e.

authoritative for) the network address. Things are a bit

more interesting if you have been delegated a CIDR block of 

addresses. The in-addr.arpa zone assumes a classful

addressing scheme where a Class A address is one octet (or

/8), a Class B is 2 octets (or /16) and a Class C is 3

octets (or /24). CIDR allows for delegating address space

outside of these boundaries--say a /19 or a /28. RFC 2317

provides a best current practice for maintaining

in-addr.arpa with these types of network allocations. Here

is a summary regarding PTR records: • Don't wait until users 

complain about DNS unreachability--be proactive and ensure

Page 11: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 11/26

there is an associated PTR record for every A record. • If  

your provider hosts your A records, they should also host

your PTR records. • If you only have one or two assigned IP

addresses, your provider should host your PTR records as

they are authoritative for the network those hosts belong

to. • If you own an entire network address (e.g. a Class C 

address ending in 0), you are responsible for hosting yourPTR records. • If you are configuring an internal DNS server 

within the private address ranges (e.g. 10.0.0.0 or

192.168.0.0), you are responsible for your own internal PTR

records. • Remember: the key to PTR hosting is knowing who 

is authoritative for the network address for your domain.

When in doubt, it probably is not you.

38. What are the requirements from DNS to support AD?

When you install Active Directory on a member server, the

member server is promoted to a domain controller. Active

Directory uses DNS as the location

mechanism for domain controllers, enabling computers on the

network to obtain IP addresses of domain controllers.

During the installation of Active Directory, the service

(SRV) and address (A) resource records are dynamically

registered in DNS, which are necessary for

the successful functionality of the domain controller

locator (Locator) mechanism.

To find domain controllers in a domain or forest, a client

queries DNS for the SRV and A DNS resource records of the

domain controller, which provide the

client with the names and IP addresses of the domain

controllers. In this context, the SRV and A resource records

are referred to as Locator DNS resource

records.

When adding a domain controller to a forest, you are

updating a DNS zone hosted on a DNS server with the Locator

DNS resource records and identifying the

domain controller. For this reason, the DNS zone must allow

dynamic updates (RFC 2136) and the DNS server hosting that

zone must support the SRV resource

records (RFC 2782) to advertise the Active Directory

directory service. For more information about RFCs, see DNS

RFCs.

If the DNS server hosting the authoritative DNS zone is not

a server running Windows 2000 or Windows Server 2003,

contact your DNS administrator to

determine if the DNS server supports the required standards.

If the server does not support the required standards, or

the authoritative DNS zone cannot be

configured to allow dynamic updates, then modification is

required to your existing DNS infrastructure.

Page 12: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 12/26

39. How do you manually create SRV records in DNS?

this is on windows server

go to run ---> dnsmgmt.msc

rightclick on the zone you want to add srv record to and

choose "other new record"

and choose service location(srv).....

40. Name 3 benefits of using AD-integrated zones.

1. you can give easy name resolution to ur clients.

2. By creating AD- integrated zone you can also trace hacker

and spammer by creating reverse zone.

3. AD integrated zoned all for incremental zone transfers

which on transfer changes and not the entire zone. This

reduces zone transfer traffic.

4. AD Integrated zones suport both secure and dmanic updates.

5. AD integrated zones are stored as part of the active

directory and support domain-wide or forest-wide replication

through application pertitions in AD.

41. What are the benefits of using Windows 2003 DNS when

using AD-integrated zones?

Advantages:

DNS supports Dynamic registration of SRV records registered

by a Active Directory server or a domain controller during

promotion. With the help of SRV records client machines can

find domain controllers in the network.

1. DNS supports Secure Dynamic updates. Unauthorized access

is denied.

2. Exchange server needs internal DNS or AD DNS to locate

Global Catalog servers.

3. Active Directory Integrated Zone. If you have more than

one domain controller (recommended) you need not worry about

zone replication. Active Directory replication will take

care of DNS zone replication also.

4. If your network use DHCP with Active Directory then no

other DHCP will be able to service client requests coming

from different network. It is because DHCP server is

authorized in AD and will be the only server to participate

Page 13: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 13/26

on network to provide IP Address information to client machines.

5. Moreover, you can use NT4 DNS with Service Pack 4 or

later. It supports both SRV record registration and Dynamic

Updates.

Using Microsoft DNS gives the following benefits:If you implement networks that require secure updates.

If you want to take benefit of Active Directory replication.

If you want to integrate DHCP with DNS for Low-level clients

to register their Host records in Zone database.

42. You installed a new AD domain and the new (and first) DC

has not registered its SRV records in DNS. Name a few

possible causes.

The machine cannot be configured with DNS client her own

The DNS service cannot be run

43. What are the benefits and scenarios of using Stub zones?

One of the new features introduced in the Windows Server

2003-based implementation of DNS are stub zones. Its main

purpose is to provide name resolution in domains, for which

a local DNS server is not authoritative. The stub zone

contains only a few records: - Start of Authority (SOA)

record pointing to a remote DNS server that is considered to

be the best source of information about the target DNS

domain, - one or more Name Server (NS) records (including

the entry associated with the SOA record), which are

authoritative for the DNS domain represented by the stub

zone, - corresponding A records for each of the NS entries

(providing IP addresses of the servers). While you can also

provide name resolution for a remote domain by either

creating a secondary zone (which was a common approach in

Windows Server 2000 DNS implementation) or delegation (when

dealing with a contiguous namespace), such approach forces

periodic zone transfers, which are not needed when stub

zones are used. Necessity to traverse network in order to

obtain individual records hosted on the remote Name Servers

is mitigated to some extent by caching process, which keeps

them on the local server for the duration of their

Time-to-Live (TTL) parameter. In addition, records residing

in a stub zone are periodically validated and refreshed in

order to avoid lame delegations.

44. What are the benefits and scenarios of using Conditional Forwarding?

Page 14: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 14/26

Conditional forwarding is a new feature of DNS in Windows Server 2003 that can be used to speed

up name resolution in certain scenarios. They can also be used to help companies resolve each

other's namespace in a situation where companies collaborate a merger is underway. This article will

look in detail at how conditional forwarding works, how to configure it, and when you might use it.

But first, let's briefly review the concepts of forwarding and forwarders in traditional DNS, starting

with different types of name queries.

45. What are the differences between Windows Clustering,

Network Load Balancing and Round Robin, and scenarios for

each use?

I will make a few assumptions here: 1) By "Windows

Clustering Network Load Balancing" you mean Windows Network

Load Balancing software included in Windows Server software

a.k.a NLB., and 2) By Round Robin, you mean DNS Round Robin

meaning the absence of a software or hardware load balancing

device, or the concept of the Round Robin algorithm

available in just about every load balancing solution.

Microsoft NLB is designed for a small number (4 - 6) of 

Windows Servers and a low to moderate number of new

connections per second, to provide distribution of web

server requests to multiple servers in a virtual resource

pool. Some would call this a "cluster", but there are suttle

differences between a clustered group of devices and a more

loosely configured virtual pool. From the standpoint of 

scalability and performance, almost all hardware load

balancing solutions are superior to this and other less

known software load balancing solutions [e.g. Bright Tiger

circa 1998].

DNS Round Robin is an inherent load balancing method built

into DNS. When you resolve an IP address that has more than

one A record, DNS hands out different resolutions to

different requesting local DNS servers. Although there are

several factors effecting the exact resulting algorithm

(e.g. DNS caching, TTL, multiple DNS servers [authoritative

or cached]), I stress the term "roughly" when I say it

roughly results in an even distribution of resolutions to

each of the addresses specified for a particular URL. It

does not however, consider availability, performance, or any

other metric and is completely static. The basic RR

algorithm is available in many software and hardware load

balancing solutions and simply hands the next request to the

next resource and starts back at the first resource when it

hits the last one.

NLB is based on proprietary software, meant for small groups

of Windows servers only on private networks, and is dynamic

in nature (takes into account availability of a server, and

in some cases performance). "Round Robin", DNS or otherwise,

Page 15: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 15/26

is more generic, static in nature (does not take into

account anything but the resource is a member of the

resource pool and each member is equal), and ranges from DNS

to the default static load balancing method on every

hardware device in the market.

46. How do I work with the Host name cache on a client computer?A host name is an alias assigned to identify a TCP/IP host or its interfaces. Host names are used in all

TCP/IP environments. The following describes the attributes of a host name:

  The host name does not have to match the NetBIOS computer name, and a host name can

contain as many as 255 characters.

  Multiple host names can be assigned to the same host.

  Host names are easier to remember than IP addresses.

  A user can specify host name instead of an IP address when using Windows Sockets

applications, such as the Ping tool or Internet Explorer.

  A host name should correspond to an IP address mapping that is stored either in the local

Hosts file or in a database on a DNS server. TCP/IP for Windows XP and Windows

Server 2003 also use NetBIOS name resolution methods for host names.

  The Hostname tool displays the computer name of your Windows –based computer, as

configured from the Computer Name tab of the System item of Control Panel.

47. How do I clear the DNS cache on the DNS server?

To clear the server names cache

* Using the Windows interface

* Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

* DNS/applicable DNS server

3. On the Action menu, click Clear Cache.

Notes

* To perform this procedure, you must be a member of the

Administrators group on the local computer, or you must have

been delegated the appropriate authority. If the computer is

 joined to a domain, members of the Domain Admins group might

be able to perform this procedure. As a security best

practice, consider using Run as to perform this procedure.

* To open DNS, click Start, click Control Panel,

Page 16: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 16/26

double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type the following command and then press ENTER:

Dnscmd ServerName /clearcache

48. What is the 224.0.1.24 address used for?

WINS server group address. Used to support autodiscovery and

dynamic configuration of replication for WINS servers. For

more information, see WINS replication overview

WINS server group address. Used to support autodiscovery and

dynamic configuration of replication for WINS servers.

49. What is WINS and when do we use it?

In the Windows Server family, the primary means for client

computer to locate and communicate with other computers on

an Internet Protocol (IP) network is by using Domain Name

System (DNS). However, clients that use older versions of 

Windows, such as Windows NT 4.0, use network basic I/O

system (NetBIOS) names for network communication. Some

applications that run on Windows Server 2003 may also use

NetBIOS names for network communication. Using NetBIOS names

requires a method of resolving NetBIOS names to IP .

Using a WINS server is essential for any Windows client

computer to work with other Windows computers over the

Internet. In addition, using a WINS server is essential for

any Windows client computer at Indiana University that

intends to use Microsoft network resources. To use WINS

services, you must insert into your TCP/IP networking

configuration the IP address of the WINS servers you wish to

use.

50. Can you have a Microsoft-based network without any WINS

server on it? What are the "considerations" regarding not

using WINS?

Yes, you can. WINS was designed to speed up information flow about the Windows workstations in a

network. It will work without it, and most networks do not utilize WINS servers anymore because it is

based on an old protocol (NetBUI) which is no longer in common use.

51. Describe the differences between WINS push and pull

replications.

To replicate database entries between a pair of WINS

servers, you must configure each WINS server as a pull

Page 17: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 17/26

partner, a push partner, or both with the other WINS server.

* A push partner is a WINS server that sends a message

to its pull partners, notifying them that it has new WINS

database entries. When a WINS server's pull partner responds

to the message with a replication request, the WINS server

sends (pushes) copies of its new WINS database entries (alsoknown as replicas) to the requesting pull partner.

* A pull partner is a WINS server that pulls WINS

database entries from its push partners by requesting any

new WINS database entries that the push partners have. The

pull partner requests the new WINS database entries that

have a higher version number than the last entry the pull

partner received during the most recent replication.

52. What is the difference between tombstoning a WINS record

and simply deleting it?

Simple deletion removes the records that are selected in the

WINS console only from the local WINS server you are

currently managing. If the WINS records deleted in this way

exist in WINS data replicated to other WINS servers on your

network, these additional records are not fully removed.

Also, records that are simply deleted on only one server can

reappear after replication between the WINS server where

simple deletion was used and any of its replication partners.

Tombstoning marks the selected records as tombstoned, that

is, marked locally as extinct and immediately released from

active use by the local WINS server. This method allows the

tombstoned records to remain present in the server database

for purposes of subsequent replication of these records to

other servers. When the tombstoned records are replicated,

the tombstone status is updated and applied by other WINS

servers that store replicated copies of these records. Each

replicating WINS server then updates and tombstones

53. Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in

WINS. 

If a Microsoft Windows NT 3.5-based client computer does not receive a response from the primary

Windows Internet Name Service (WINS) server, it queries the secondary WINS server to resolve a

NetBIOS name. However, if a NetBIOS name is not found in the primary WINS server's database, a

Windows NT 3.5-based client does not query the secondary WINS server.

In Microsoft Windows NT 3.51 and later versions of the Windows operating system, a Windows-

based client does query the secondary WINS server if a NetBIOS name is not found in the primary

WINS server's database. Clients that are running the following versions In Windows NT 3.51,

Windows NT 4, Windows 95, Windows 98, Windows 2000, Windows Millennium Edition, Windows

XP, and Windows Server 2003, you can specify up to 12 WINS servers. Additional WINS servers are

useful when a requested name is not found in the primary WINS server's database or in the

Page 18: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 18/26

secondary WINS server's database. In this situation, the WINS client sends a request to the next

server in the list.

54. Describe the role of the routing table on a host and on

a router.

During the process of routing, decisions of hosts and

routers are aided by a database of routes known as therouting table. The routing table is not exclusive to a

router. Depending on the routable protocol, hosts may also

have a routing table that may be used to decide the best

router for the packet to be forwarded. Host-based routing

tables are optional for the Internet Protocol, as well as

obsolete routable protocols such as IPX.

55. What are routing protocols? Why do we need them? Name a few.

A routing protocol is a protocol that specifies how routers

communicate with each other, disseminating information that

enables them to select routes between any two nodes on a

computer network, the choice of the route being done by

routing algorithms. Each router has a prior knowledge only

of networks attached to it directly. A routing protocol

shares this information first among immediate neighbors, and

then throughout the network. This way, routers gain

knowledge of the topology of the network. For a discussion

of the concepts behind routing protocols, see: Routing.

The term routing protocol may refer specifically to one

operating at layer three of the OSI model, which similarly

disseminates topology information between routers.

Many routing protocols used in the public Internet are

defined in documents called RFCs.[1][2][3][4]

Although there are many types of routing protocols, two

major classes are in widespread use in the Internet:

link-state routing protocols, such as OSPF and IS-IS; and

path vector or distance vector protocols, such as BGP, RIP

and EIGRP.

56. What are router interfaces? What types can they be?

Routers can have many different types of connectors; from

Ethernet, Fast Ethernet, and Token Ring to Serial and ISDN

ports. Some of the available configurable items are logical

addresses (IP,IPX), media types, bandwidth, and

administrative commands. Interfaces are configured in

interface mode which you get to from global configuration

mode after logging in.

Page 19: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 19/26

The media type is Ethernet, FastEthernet, GigabitEthernet,

Serial, Token-ring, or other media types. You must keep in

mind that a 10Mb Ethernet interface is the only kind of 

Ethernet interface called Ethernet. A 100Mb Ethernet

interface is called a FastEthernet interface and a 1000Mb

Ethernet interface is called a GigabitEthernet interface.

57. In Windows 2003 routing, what are the interface filters?

NAT actsas a middle man between the internal and external network; packets coming from the

private network are handled by NAT and then transferred to their intended destination. A single

external address is used on the Internet so that the internal IP addresses are not shown. A table is

created on the router that lists local and global addresses and uses it as a reference when translating

IP addresses.

NAT can work in several ways:

Static NAT

An unregistered IP address is mapped to a registered IP address on a one-to-one basis - which is

useful when a device needs to be accessed from outside the network.

Dynamic NAT

An unregistered IP address is mapped to a registered IP address from a group of registered IP

addresses. For example, a computer 192.168.10.121 will translate to the first available IP in a range

from 212.156.98.100 to 212.156.98.150.

Overloading

A form of dynamic NAT, it maps multiple unregistered IP addresses to a single registered IP address,

but in this case uses different ports. For example, IP address 192.168.10.121 will be mapped to

212.56.128.122:port_number (212.56.128.122:1080).

Overlapping

This when addresses in the inside network overlap with addresses in the outside network - the IP

addresses are registered on another network too. The router must maintain a lookup table of these

addresses so that it can intercept them and replace them with registered unique IP addresses.

How NAT works

A table of information about each packet that passes through is maintained by NAT.

When a computer on the network attempts to connect to a website on the Internet:

the header of the source IP address is changed and replaced with the IP address of the NAT

computer on the way out the "destination" IP address is changed (based on the records in the table)

back to the specific internal private class IP address in order to reach the computer on the local

network on the way back in Network Address Translation can be used as a basic firewall – the

administrator is able to filter out packets to/from certain IP addresses and allow/disallow access to

specified ports. It is also a means of saving IP addresses by having one IP address represent a group

of computers.

Setting up NAT

To setup NAT you must start by opening the Configure your server wizard in administrative tools and

selecting the RRAS/VPN Server role. Now press next and the RRAS setup wizard will open. The screen

below shows the Internet Connection screen in which you must specify which type of connection to

Page 20: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 20/26

the Internet and whether or not you want the basic firewall feature to be enabled.

Press next to continue. The installation process will commence and services will be restarted, after

which the finish screen will be displayed - showing what actions have taken place.

Configuring NAT

Configuration of NAT takes place from the Routing and Remote Access mmc found in theAdministrative Tools folder in the Control Panel or on the start menu.

The screenshot below shows the routing and remote access mmc.

Select which interface you wish to configure and double click it. This will bring up the properties

window giving you the option to change settings such as packet filtering and port blocking, as well as

enabling/disabling certain features, such as the firewall. The remote router (set up previously)

properties box is shown below. The NAT/Basic Firewall tab is selected.

You are able to select the interface type

 – to specify what the network connection will be. In my example I have selected for the interface to

be a public interface connected to the internet. NAT and the basic firewall option have also been

enabled. The inbound and outbound buttons will open a window that will allow you restrict traffic

based on IP address or protocol packet attributes. As per your instructions, certain TCP packets will

be dropped before they reach the client computer. Thus, making the network safer and giving you

more functionality. This is useful if, for example, you wanted to reject all packets coming from a

blacklisted IP address or restrict internal users access to port 21 (ftp).

For further firewall configuration, go to the Services and Ports tab. Here you can select which

services you would like to provide your users access to. You can also add more services by specifying

details such as the incoming and outgoing port number.

The list of services shown in the above screenshot are preset. Press Add to bring up the window that

will allow the creation of a new service or select an available service and press Edit to modify that

service. You will be asked to specify the name, TCP and UDP port number and the IP address of the

computer hosting that service.

If the services in the list aren’t enabled then any client computer on the Windows 2003 domain will

not be able to access that specific service. For example, if the computer was configured as shown in

the image above and a client computer tried to connect to an ftp site, he would be refused access.

This section can prove to be very useful for any sized networks, but especially small ones.

That concludes this article. As you have seen, Network Address Translation is a useful feature that

adds diversity and security to a network in a small to medium sized company. With the advent,

58. What is NAT?

Windows Server 2003 provides network address translation

(NAT) functionality as a part of the Routing and Remote

Access service. NAT enables computers on small- to

medium-sized organizations with private networks to access

resources on the Internet or other public network. The

computers on a private network are configured with reusable

private Internet Protocol version 4 (IPv4) addresses; the

computers on a public network are configured with globally

Page 21: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 21/26

unique IPv4 (or, rarely at present, Internet Protocol

version 6 [IPv6]) addresses. A typical deployment is a small

office or home office (SOHO), or a medium-sized business,

that uses Routing and Remote Access NAT technology to enable

computers on the internal corporate network to connect to

resources on the Internet without having to deploy a proxy

server.

59. What is the real difference between NAT and PAT?

Take NAT (Network Address Translation) and PAT (Port Address

Translation). NAT allows you to translate or map one IP

address onto another single ip address. PAT on the other

hand is what is most commonly referred to as NAT. In a PAT

system you have a single or group of public IP addresses

that are translated to multiple internal ip addresses by

mapping the TCP/UDP ports to different ports. This means

that by using some "magic" on a router or server you can get

around problems that you might have with two web browsers

sending a request out the same port.

60. How do you configure NAT on Windows 2003?

http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.

html

Configure Routing and Remote Access

To activate Routing and Remote Access, follow these steps:

1. Click Start, point to All Programs, point to

Administrative Tools, and then click Routing and Remote Access.

2. Right-click your server, and then click Configure and

Enable Routing and Remote Access.

3. In the Routing and Remote Access Setup Wizard, click

Next, click Network address translation (NAT), and then

click Next.

4. Click Use this public interface to connect to the

Internet, and then click the network adapter that is

connected to the Internet. At this stage you have the option

to reduce the risk of unauthorized access to your network.

To do so, click to select the Enable security on the

selected interface by setting up Basic Firewall check box.

5. Examine the selected options in the Summary box, and

then click Finish.

Configure dynamic IP address assignment for private network

clients

You can configure your Network Address Translation computer

to act as a Dynamic Host Configuration Protocol (DHCP)

server for computers on your internal network. To do so,

follow these steps:

1. Click Start, point to All Programs, point to

Page 22: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 22/26

Administrative Tools, and then click Routing and Remote Access.

2. Expand your server node, and then expand IP Routing.

3. Right-click NAT/Basic Firewall, and then click Properties.

4. In the NAT/Basic Firewall Properties dialog box, click

the Address Assignment tab.

5. Click to select the Automatically assign IP addresses

by using the DHCP allocator check box. Notice that defaultprivate network 192.168.0.0 with the subnet mask of 

255.255.0.0 is automatically added in the IP address and the

Mask boxes. You can keep the default values, or you can

modify these values to suit your network.

6. If your internal network requires static IP assignment

for some computers -- such as for domain controllers or for

DNS servers -- exclude those IP addresses from the DHCP

pool. To do this, follow these steps:

1. Click Exclude.

2. In the Exclude Reserved Addresses dialog box,

click Add, type the IP address, and then click OK.

3. Repeat step b for all addresses that you want to

exclude.

4. Click OK.

Configure name resolution

To configure name resolution, follow these steps:

1. Click Start, point to All Programs, point to

Administrative Tools, and then click Routing and Remote Access.

2. Right-click NAT/Basic Firewall, and then click Properties.

3. In the NAT/Basic Firewall Properties dialog box, click

the Name Resolution tab.

4. Click to select the Clients using Domain Name System

(DNS) check box. If you use a demand-dial interface to

connect to an external DNS server, click to select the

Connect to the public network when a name needs to be

resolved check box, and then click the appropriate dial-up

interface in the list.

61. How do you allow inbound traffic for specific hosts on Windows 2003 NAT?

You can use the Windows Server 2003 implementation of IPSec

to compensate for the limited protections provided by

applications for network traffic, or as a network-layer

foundation of a defense-in-depth strategy. Do not use IPSec

as a replacement for other user and application security

controls, because it cannot protect against attacks from

within established and trusted communication paths. Your

authentication strategy must be well defined and implemented

for the potential security provided by IPSec to be realized,

because authentication verifies the identity and trust of 

the computer at the other end of the connection.

Page 23: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 23/26

 

62. What is VPN? What types of VPN does Windows 2000 and

beyond work with natively?

L2TP (layer 2 tunneling protocol )

vpn server is also know as L2TP server in native mode & in

PPTP in mixed mode

PN gives extremely secure connections between private

networks linked through the Internet. It allows remote

computers to act as though they were on the same secure,

local network.

63. What is IAS? In what scenarios do we use it?

IAS is called as Internet Authentication Service. It's used

by for configuring centralised authentication using RADIUS

server.

64. What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?

When you are in Mixed mode certain options in the dial-in

tab of the user proeprties are disabled. And some of the

RRAS policies are also disabled. So if you want high level

security with all the advanced feature then change the AD to

Native mode.

65. What is the "RAS and IAS" group in AD?

Used for managing security and allowing administration for

the respective roles of the server.

66. What are Conditions and Profile in RRAS Policies?

The conditions and profiles are used to set some

restrictions based on the media type, connection method,

group membership and lot more. So if used matches those

conditions mentioned in the profile then he can allowed /

denied access to RAS / VPN server.

67. What types or authentication can a Windows 2003 based

RRAS work with?

It supports authentication methods like MSCHAPv2, MSCHAP,

SPAP, EAP, Digest authentication. ( You can check it by

going to properties of your server in RRAS )

68. How does SSL work?

Internet communication typically runs through multiple

program layers on a server before getting to the requested

data such as a web page or cgi scripts.

The outer layer is the first to be hit by the request. This

is the high level protocols such as HTTP (web server), IMAP

Page 24: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 24/26

(mail server), and FTP (file transfer).

Determining which outer layer protocol will handle the

request depends on the type of request made by the client.

This high level protocol then processes the request through

the Secure Sockets Layer. If the request is for a non-secure

connection it passes through to the TCP/IP layer and theserver application or data.

If the client requested a secure connection the ssl layer

initiates a handshake to begin the secure communication

process. Depending on the SSL setup on the server, it may

require that a secure connection be made before allowing

communication to pass through to the TCP/IP layer in which

case a non-secure request will send back an error asking for

them to retry securely (or simply deny the non-secure

connection).

69. How does IPSec work?

IPSec is an Internet Engineering Task Force (IETF) standard

suite of protocols that provides data authentication,

integrity, and confidentiality as data is transferred

between communication points across IP networks. IPSec

provides data security at the IP packet level. A packet is a

data bundle that is organized for transmission across a

network, and it includes a header and payload (the data in

the packet). IPSec emerged as a viable network security

standard because enterprises wanted to ensure that data

could be securely transmitted over the Internet. IPSec

protects against possible security exposures by protecting

data while in transit.

70. How do I deploy IPSec for a large number of computers?

Just use this program Server and Domain Isolation Using

IPsec and Group Policy

71. What types of authentication can IPSec use?

Deploying L2TP/IPSec-based Remote Access

Deploying L2TP-based remote access VPN connections using

Windows Server 2003 consists of the following:

* Deploy certificate infrastructure

* Deploy Internet infrastructure

* Deploy AAA infrastructure

* Deploy VPN servers

Page 25: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 25/26

 

* Deploy intranet infrastructure

* Deploy VPN clients

Implantando L2TP/IPSec-based Acesso Remoto

Implantando L2TP com base em conexões VPN de acesso remotousando o Windows Server 2003 é constituída pelos seguintes

elementos:

* Implantar certificado infra-estrutura

* Implantar infra-estrutura Internet

* Implantar infra-estrutura AAA

* Implementar VPN servidores

* Implantar intranet infra-estrutura

* Implementar clientes VPN

72. What is PFS (Perfect Forward Secrecy) in IPSec?

In an authenticated key-agreement protocol that uses public

key cryptography, perfect forward secrecy (or PFS) is the

property that ensures that a session key derived from a set

of long-term public and private keys will not be compromised

if one of the (long-term) private keys is compromised in the

future.

Forward secrecy has been used as a synonym for perfect

forward secrecy [1], since the term perfect has been

controversial in this context. However, at least one

reference [2] distinguishes perfect forward secrecy from

forward secrecy with the additional property that an agreed

key will not be compromised even if agreed keys derived from

the same long-term keying material in a subsequent run are

compromised.

73. How do I monitor IPSec?

To test the IPSec policies, use IPSec Monitor. IPSec Monitor

(Ipsecmon.exe) provides information about which IPSec policy

is active and whether a secure channel between computers is

established.

74. Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see?

You can see the packages to pass, but you can not see its

contents

IPSec Packet Types

IPSec packet types include the authentication header (AH)

for data integrity and the encapsulating security payload

(ESP) for data confidentiality and integrity.

The authentication header (AH) protocol creates an envelope

Page 26: MCSE Questions and Answers

8/3/2019 MCSE Questions and Answers

http://slidepdf.com/reader/full/mcse-questions-and-answers 26/26

that provides integrity, data origin identification and

protection against replay attacks. It authenticates every

packet as a defense against session-stealing attacks.

Although the IP header itself is outside the AH header, AH

also provides limited verification of it by not allowing

changes to the IP header after packet creation (note that

this usually precludes the use of AH in NAT environments,which modify packet headers at the point of NAT). AH packets

use IP protocol 51.

The encapsulating security payload (ESP) protocol provides

the features of AH (except for IP header authentication),

plus encryption. It can also be used in a null encryption

mode that provides the AH protection against replay attacks

and other such attacks, without encryption or IP header

authentication. This can allow for achieving some of the

benefits of IPSec in a NAT environment that would not

ordinarily work well with IPSec. ESP packets use IP protocol 50.

75. What can you do with NETSH?

Netsh is a command-line scripting utility that allows you

to, either locally or remotely, display, modify or script

the network configuration of a computer that is currently

running.

76. How do I look at the open ports on my machine?

Windows: Open a command prompt (Start button -> Run-> type

"cmd"), and type:

netstat -a

Linux: Open an SSH session and type:

netstat -an