MCSE interview questions and answers

Upload: srikanth

Post on 05-Nov-2015


Question 1: A smart card is a credit-card-sized device that is inserted into a smart card reader, which is either installed internally in your computer or connected externally to your computer. Which of the following protocols must be enabled to support smart card logon?

Correct Answer: E EAP

Explanation: If a certificate is installed either in the certificate store on your computer or on a smart card, and the Extensible Authentication Protocol (EAP) is enabled, you can use certificate-based authentication in a single network logon process, which provides tamper-resistant storage of authentication information.

Question 2: You currently are the administrator for a network with four servers and 150 clients. 50 of the clients have just had Windows XP Professional installed and have been configured with the default settings. You would like all of the Windows XP Professional clients to automatically register themselves with the DNS server. You install a domain controller for a domain named certtutor.net but do not configure DNS as part of the installation. After finishing the install of Active Directory, you configure a standard primary zone for the certtutor.net domain on the domain controller. What additional steps must you take to ensure that the Windows XP Professional clients will get registered with the DNS server? Choose all that apply.

Correct Answer: C, E Enable the zone for the certtutor.net domain to accept dynamic updates. Install a DHCP server and configure the scope options so that the clients will use the new domain controller as their DNS server.

Explanation: If you create a DNS zone after installing Active Directory, the zone must be configured for dynamic updates. This can be done through the DNS console by setting the "Allow dynamic updates?" option of the zone to Yes. By default, all Windows XP clients are DHCP clients and will attempt to register their DNS records with the DNS server. You do not need to configure the DHCP server to perform updates on behalf of DNS clients that do not support dynamic updates unless you have pre-Windows 2000 clients that you would like to be automatically registered with the DNS server.

Question 3: Marc is currently the network administrator for a large financial institution. Recently there have been cases of inconsistent network behavior, which Marc believes could be due to a malfunctioning router. Which Windows Server 2003 utility would be best for Marc to use to determine the amount of packet loss at a given router or link?

Correct Answer: E Pathping

Explanation: The pathping command is a route tracing tool that combines features of the ping and tracert commands with additional information that neither of those tools provides. The pathping command sends packets to each router on the way to a final destination over a period of time, and then computes results based on the packets returned from each hop. Since the command shows the degree of packet loss at any given router or link, it is easy to determine which routers or links might be causing network problems.

Question 4: You are assigning a range of IP addresses to hosts on your Windows 2003 network. You would like to use the network ID of 117.72.32.0/20. What is the available range of IP addresses that you can use given the network ID specified above?

Correct Answer: B 117.72.32.1 - 117.72.47.254

Explanation: A network ID of 117.72.32.0/20 means that a subnet mask will be used that contains 20 ones in its binary form (the decimal equivalent is a subnet mask of 255.255.240.0). The subnet mask will look like the following:

11111111 11111111 11110000 00000000

Therefore, the first 20 bits of each IP address represent the network ID and the last 12 bits represent the host ID. In this case the network portion will be: 01110101 01001000 0010. The smallest host ID will be 0000 00000001, which yields an IP address of 117.72.32.1. Note that all zeros is not a valid host ID. The largest host ID will be 1111 11111110, which yields an IP address of 117.72.47.254. Note that all ones is not a valid host ID. Therefore the available address range given a network ID of 117.72.32.0/20 will be 117.72.32.1 - 117.72.47.254.
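The bit arithmetic in this explanation, carried out in code so it can be checked for any prefix length rather than only /20. This is an added example, not part of the original question set; it builds the mask from the prefix length, derives the network and broadcast addresses, excludes the all-zeros and all-ones host IDs, and cross-checks the result against Python's standard ipaddress module.

```python
import ipaddress


def prefix_to_mask(prefix: int) -> int:
    """Subnet mask as a 32-bit integer: `prefix` leading one bits, then zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_mask(prefix: int) -> str:
    """Decimal form of the mask, e.g. /20 -> 255.255.240.0."""
    return int_to_ip(prefix_to_mask(prefix))


def binary_mask(prefix: int) -> str:
    """The mask written out octet by octet, as in the explanation above."""
    m = prefix_to_mask(prefix)
    return " ".join(format((m >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def usable_range(cidr: str):
    """Return (first_host, last_host, host_count) for a CIDR block.

    The all-zeros host ID is the network address and the all-ones host ID is
    the directed broadcast, so both are excluded. A /31 or /32 has no usable
    range under this classic rule, so None is returned for those.
    """
    net, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    if prefix >= 31:
        return None
    mask = prefix_to_mask(prefix)
    network = ip_to_int(net) & mask              # clear any host bits supplied
    broadcast = network | (~mask & 0xFFFFFFFF)   # set all host bits
    first, last = network + 1, broadcast - 1
    return int_to_ip(first), int_to_ip(last), last - first + 1


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand computation against ipaddress.ip_network()."""
    result = usable_range(cidr)
    if result is None:
        return True
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    return result == (str(hosts[0]), str(hosts[-1]), len(hosts))


if __name__ == "__main__":
    print(dotted_mask(20), binary_mask(20))
    print(usable_range("117.72.32.0/20"), matches_stdlib("117.72.32.0/20"))
```

Running it for 117.72.32.0/20 reproduces the answer key's range and a host count of 4094 (2^12 minus the two reserved host IDs).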

Question 5: Rooska is very concerned about someone gaining unauthorized access to several documents that he shares with co-workers. Rooska's computer is a member of a workgroup called ProjectA1 and he has local administrator rights to his machine. He has configured the NTFS permissions properly so that only the appropriate people have access to the files. He also would like to configure his computer so that the data sent to other machines is sent in an encrypted format. Rooska configures his machine with an IP Security (IPSec) policy of Client (Respond Only). However, when Rooska tests the IPSec policy he finds that not all of the data being sent from his computer is being sent in an encrypted format. Which of the following is the best explanation for this behavior?

Correct Answer: C The Client (Respond Policy) does not secure data unless the destination computer requests it. Therefore data sent from a machine with the IPSec policy of Client (Respond Policy) is not guaranteed to be encrypted.

Explanation: The long-term direction for secure networking, IPSec is a suite of cryptography-based protection services and security protocols. Because it requires no changes to applications or protocols, you can easily deploy IPSec for existing networks. Activating the Client (Respond Only) IPSec policy will not secure traffic unless the destination computer requests it. A server policy may need to be customized to work transparently with some programs and networks.

Question 6: Upon arriving at work one morning, you find that some of your users are complaining about connectivity problems. It turns out that they can communicate fine with some of the other machines on their network segment, but are having trouble communicating with other machines on their network segment. Furthermore, they are unable to access any network resources on other segments. What is most likely the issue here and how would you best resolve it?

Correct Answer: D Some machines may have received Automatic Private IP Addresses. Use the Ipconfig utility to determine what IP addresses they have been assigned and check to see if a functioning DHCP server is available for their segment.

Explanation: Automatic Private IP Addressing can assign a TCP/IP address to DHCP clients automatically. However, Automatic Private IP Addressing doesn't generate all the information that typically is provided by DHCP, such as the address of a default gateway. Consequently, computers enabled with Automatic Private IP Addressing can communicate only with computers on the same subnet that also have addresses of the form 169.254.x.y (addresses that have also been assigned through Automatic Private IP Addressing). If the switch was broken, they could not communicate with other systems on their subnet.
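The diagnostic the answer recommends, as an added example that is not part of the original question set: parse ipconfig output, flag adapters whose address came from Automatic Private IP Addressing, and show why such a host reaches only other 169.254.x.y hosts on its own segment. The ipconfig text below is constructed to match the Windows XP layout (including the "Autoconfiguration IP Address" label that XP prints for APIPA), not captured from a real machine; the adapter names and addresses in it are made up.

```python
import ipaddress

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample in the Windows XP ipconfig layout; not real captured output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Autoconfiguration IP Address. . . : 169.254.27.113
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : certtutor.net
        IP Address. . . . . . . . . . . . : 10.1.5.42
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.5.1
"""


def parse_ipconfig(text: str) -> dict:
    """Return {adapter name: {field: value}} from ipconfig output."""
    adapters, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():            # unindented: adapter header or banner
            if line.endswith(":"):
                current = line[:-1]
                adapters[current] = {}
            continue
        if current is None:
            continue
        key, sep, value = line.partition(":")
        if sep:                               # strip the ". . ." padding from the label
            adapters[current][key.rstrip(" .").strip()] = value.strip()
    return adapters


def classify_adapter(fields: dict) -> str:
    """'apipa' for a self-assigned address, 'no-gateway' when DHCP supplied no
    default gateway, 'no-address' when nothing is configured, else 'ok'."""
    addr = fields.get("IP Address") or fields.get("Autoconfiguration IP Address")
    if not addr:
        return "no-address"
    if ipaddress.ip_address(addr) in APIPA_NET:
        return "apipa"
    if not fields.get("Default Gateway"):
        return "no-gateway"
    return "ok"


def adapters_needing_dhcp(text: str) -> list:
    """Adapters that fell back to APIPA, i.e. where no DHCP server answered."""
    return [name for name, fields in parse_ipconfig(text).items()
            if classify_adapter(fields) == "apipa"]


def can_reach(src_ip: str, src_mask: str, dst_ip: str, gateway: str = "") -> bool:
    """On-link destinations are always reachable; anything off the local subnet
    needs a default gateway, which APIPA never provides."""
    iface = ipaddress.ip_interface(f"{src_ip}/{src_mask}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return True
    return bool(gateway)


if __name__ == "__main__":
    for name, fields in parse_ipconfig(SAMPLE_IPCONFIG).items():
        print(name, "->", classify_adapter(fields))
    print(can_reach("169.254.27.113", "255.255.0.0", "169.254.3.9"))
    print(can_reach("169.254.27.113", "255.255.0.0", "10.1.5.42"))
```

The first adapter is reported as APIPA with no gateway, which is exactly the symptom in the question: it can reach another 169.254.x.y host on the segment but not a DHCP-configured host or anything on another segment.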

Question 7: Your network contains two routed subnets: Subnet A and Subnet B. Subnet B contains a Windows Server 2003 system configured as a DHCP server. This server has scopes created for both Subnet A and Subnet B. Subnet A does not contain a DHCP server. The clients on Subnet A are not receiving IP addresses from the DHCP server. What can you do to enable clients in Subnet A to receive dynamically assigned IP addresses? Choose all that apply.

Correct Answer: C, D, F Configure an RFC 1542-compliant router to forward BOOTP messaging between subnets. Configure a DHCP relay agent on Subnet A to forward DHCP messages to Subnet B. Install and configure a DHCP server on Subnet A.

Explanation: If you require the DHCP service to support additional subnets on your routed network, you must first determine whether the routers used to connect adjoining subnets can support relaying of BOOTP and DHCP messages. If your routers are not RFC 1542-compliant and cannot be used for DHCP and BOOTP relay, you have two additional options.

1. You can configure a computer running either Windows Server 2003, Windows 2000 Server or Windows NT Server 4.0 as a DHCP Relay Agent component. This computer selectively forwards messages back and forth between clients on the local subnet and a remote DHCP server, using the IP address of the remote server.
2. A computer running Windows Server 2003 can be configured as a DHCP server for the local subnet. This server computer must contain and manage scope and other address-configurable information for the local subnet it serves.

Question 8: Rooska is setting up dial-up connections for a group of users on the network that he administers. He would like to configure the dial-up connection to require data encryption for all connections. Which of the following protocols support data encryption? Choose all that apply.

Correct Answer: A, D, F MS-CHAP v2 MS-CHAP EAP/TLS

Explanation: Remote access connections, whether dial-up or virtual private network connections, can be configured to enforce various levels of password authentication and data encryption. Security considerations and usability issues are the determining factors as to which methods of authentication and encryption to require. Authentication methods range from unencrypted to custom, such as the Extensible Authentication Protocol (EAP). Data is only encrypted if MS-CHAP, MS-CHAP v2, or EAP/TLS authentication is negotiated. These are the only authentication protocols that generate their own initial encryption keys, which are required for encryption.

Question 9: Oksana has configured a Windows XP Professional machine in a small branch office to have a dial-up 56K connection to the Internet. She would like to make that connection available to the other users in the branch office through the Internet Connection Sharing (ICS) feature in Windows XP. How can she enable ICS on a network connection?

Correct Answer: C Open Network and Dial-up Connections, right-click the connection that you want to share, choose properties and select the "Enable Internet connection sharing for this connection" check box from the sharing tab.

Explanation: To enable Internet connection sharing on a network connection:

1. Open Network and Dial-up Connections.
2. Right-click the dial-up, VPN, or incoming connection you want to share, and then click Properties.
3. On the Sharing tab, select the Enable Internet connection sharing for this connection check box.
4. If you want this connection to dial automatically when another computer on your home network attempts to access external resources, select the Enable on-demand dialing check box.

Question 10: In Windows 2003 you are presented with two possible tunnelling protocols: L2TP and PPTP. Which of the following are correct statements about the differences between L2TP and PPTP? Choose all that apply.

Correct Answer: A, C, D PPTP has built-in encryption while L2TP does not. L2TP supports tunnel authentication while PPTP does not. L2TP can transmit over Frame Relay, X.25 or ATM while PPTP cannot.

Explanation: L2TP supports tunnel authentication while PPTP does not. L2TP supports header compression while PPTP does not. PPTP and L2TP can both run on IP-based networks although L2TP has the ability to encapsulate PPP frames over X.25, Frame Relay and ATM networks as well. L2TP provides the optional use of IPSec encryption while PPTP uses built-in PPP encryption, sometimes called Microsoft Point-to-Point Encryption (MPPE).

Question 11: You are currently configuring a box running Windows Server 2003 named ServerWest7. Occasionally you will use a dial-up connection from this computer to connect to another computer in a different location and retrieve information. The remote computer does not currently have a connection to the Internet. Which remote access protocols can you use on ServerWest7 to establish the connection? Choose all that apply.

Correct Answer: A, C Point-to-Point Protocol Serial Line Internet Protocol

Explanation: The two protocols supported for remote access connections in Windows 2003 are Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP). Windows 2003 operating systems can be PPP clients or SLIP clients. They can also host PPP connections. However, they cannot host SLIP connections. Layer Two Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) are protocols used in Virtual Private Networks (VPNs). A VPN allows two computers to communicate with each other through existing connections to the Internet. Since the remote computer in the above example is not connected to the Internet, L2TP and PPTP will not be used. The Microsoft RAS protocol is an older networking protocol used on clients running Windows NT version 3.1, Windows for Workgroups, Microsoft MS-DOS and Microsoft LAN Manager.

Question 12: You have recently upgraded a server running Windows NT 4.0 to Windows Server 2003. After finishing the upgrade to Windows Server 2003 you decide to promote the server to a domain controller through the use of the DCPromo.exe utility. Because you do not have any existing DNS servers on the network you choose to create a DNS zone during the Active Directory install. What type of zone is created when you perform such an action?

Correct Answer: C Active Directory-Integrated Zone

Explanation: If no DNS server is present on the network when you install Active Directory you have the option to install DNS and create a zone. By default, this zone will be an Active Directory-Integrated Zone.

Question 13: You wish to install a VPN server on one of the Windows Server 2003 systems that exist within your organization. The server has an Ethernet card that is connected to a cable modem which in turn is connected via an ISP to the Internet. The server also has another Ethernet card that is connected to the local intranet. You wish to secure the VPN server from sending or receiving any traffic on its Internet interface, except for PPTP or L2TP over IPSec traffic from branch office routers or remote access clients. Which of the following should you do?

Correct Answer: C Configure PPTP and L2TP over IPSec input and output filters on the Internet interface.

Explanation: PPTP and L2TP over IPSec input and output filters need to be configured on the Internet interface. Configuring them on the intranet interface will not secure the Internet interface from receiving and sending traffic other than that specified. You would not use a remote access policy to do this sort of protocol filtering.

Question 14: You are responsible for a Remote Access Server in a Windows 2003 functional level domain. The remote access permission for all user accounts is set to "Control access through Remote-Access Policy". One of your users named Suresh is a member of the Canadians group and the Tutors group. The Tutors group has been granted remote access permission through a remote access policy ("Policy1") However the Canadians group has been denied remote access permission through a different remote access policy ("Policy2"). Because Policy1 is listed first and Policy2 is listed second, Suresh is permitted to dial in to the Remote Access Server. Another user on your network named Mike is only a member of the Canadians group and therefore cannot access the Remote Access Server. He asks you to modify the configuration to allow members of the Canadians group to dial in to the server. If you agree to do so what action would you perform to accomplish this?

Correct Answer: C Using Routing and Remote Access, change the permission for Policy2 from "Deny remote access permission" to "Allow remote access permission".
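The policy-ordering rule that makes this the right fix, as an added example that is not part of the original question set. It models how Routing and Remote Access evaluates remote access policies: in listed order, the first policy whose conditions match decides, later policies are never consulted, and an explicit Allow or Deny on the user account overrides the matched policy's permission (accounts set to "Control access through Remote Access Policy" defer to the policy). The users, groups and policy names are the ones from Question 14; the evaluate() function and its data classes are this example's own, not a Windows API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteAccessPolicy:
    name: str
    windows_groups: frozenset   # Windows-Groups condition: member of at least one
    permission: str             # "allow" or "deny"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    account_dialin: str = "policy"   # "policy", "allow" or "deny" on the account


def evaluate(user: User, policies: list) -> tuple:
    """First-match evaluation, as RRAS performs it.

    Policies are tried in listed order; the first one whose conditions match
    decides the attempt and later policies are ignored. An explicit account
    Allow/Deny overrides the matched policy's permission. If no policy
    matches, the attempt is rejected. Returns (decision, matched policy name).
    """
    for policy in policies:
        if user.groups & policy.windows_groups:
            if user.account_dialin in ("allow", "deny"):
                return user.account_dialin, policy.name
            return policy.permission, policy.name
    return "deny", None


# Scenario data from Question 14.
POLICY1 = RemoteAccessPolicy("Policy1", frozenset({"Tutors"}), "allow")
POLICY2 = RemoteAccessPolicy("Policy2", frozenset({"Canadians"}), "deny")
ORIGINAL_ORDER = [POLICY1, POLICY2]

SURESH = User("Suresh", frozenset({"Canadians", "Tutors"}))
MIKE = User("Mike", frozenset({"Canadians"}))


def fixed_policies() -> list:
    """The answer's change: Policy2 switched from Deny to Allow, order untouched."""
    return [POLICY1, RemoteAccessPolicy("Policy2", POLICY2.windows_groups, "allow")]


def reordered_policies() -> list:
    """A tempting but wrong change: listing Policy2 first still denies Mike
    and now also denies Suresh, because Policy2 matches him before Policy1."""
    return [POLICY2, POLICY1]


if __name__ == "__main__":
    for label, pols in (("original", ORIGINAL_ORDER),
                        ("fixed", fixed_policies()),
                        ("reordered", reordered_policies())):
        for u in (SURESH, MIKE):
            print(f"{label:9} {u.name:6} -> {evaluate(u, pols)}")
```

Running it shows Suresh allowed and Mike denied under the original order, both allowed once Policy2 is changed to Allow, and both denied if the policies are merely reordered.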

Explanation: If you would like to allow connections only for those user accounts that belong to a specific set of groups, perform the following steps:

1. Create a new policy.
2. Add the Windows-Groups condition to the new policy, and then add the groups that are allowed remote access.
3. Select the Grant remote access permission option on the new policy.

Question 15: You would like to monitor the security of traffic on your corporate LAN. You are aware that certain types of traffic are being encrypted using IPSec. You decide to run the IPSecMon utility to view additional information. Which of the following statistics can you view through the IPSecMon utility? Choose all that apply.

Correct Answer: A, B, C, F Key Additions Authenticated Bytes Sent Active Associations Bad SPI Packets

Explanation: The IP Security Monitor (IPSecMon) is a Windows-based tool used to confirm whether your secured communications are successful by displaying the active security associations on local or remote computers. IPSecMon can be run locally or remotely if you have a network connection to the remote computer. IPSecMon displays an entry for each active security association. Among the statistics that you can view using IPSecMon are Active Associations, Authenticated Bytes Sent, Bad SPI Packets and Key Additions.

Question 16: A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to- point private link. Virtual private networking is the act of creating and configuring a virtual private network. Which of the following are protocols that you can use to connect to a Windows 2003 VPN Server via the Internet? Choose all that apply.

Correct Answer: C, E L2TP PPTP

Explanation: L2TP is an industry-standard Internet tunneling protocol that does not require IP connectivity between the client workstation and the server. It requires only that the tunnel medium provide packet-oriented point-to-point connectivity. PPTP is a networking technology that supports multiprotocol virtual private networks (VPNs), enabling remote users to access corporate networks securely across the Internet or other networks by dialing into an Internet service provider (ISP) or by connecting directly to the Internet.

Question 17: You wish to set a Windows Server 2003 system as a WINS Proxy. Which of the following is the registry key that you should add the value EnableProxy to, and set it to 1?

Correct Answer: A HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Explanation: A WINS proxy is a WINS client computer configured to act on behalf of other host computers that cannot directly use WINS. WINS proxies help resolve NetBIOS name queries for computers located on routed TCP/IP networks.

Question 18: To properly configure DNS, it is essential to understand the various type of records that can be created. Which of the following answer choices properly matches the DNS resource record type with its proper description?

Correct Answer: D A = Host Record, CNAME = Alias Record, SRV = Service Resource Record

Explanation: An A record is a host record. A CNAME record is an alias record or a canonical name record. An SRV record is a service resource record.

Question 19: A reverse DNS lookup does which of the following?

Correct Answer: D Provides IP to FQDN address resolution.

Explanation: An example of a reverse DNS lookup would be opening a command prompt in Windows Server 2003 and typing:

Nslookup 128.250.213.163

If you are connected to the Internet and your DNS is properly configured, it should return:

Name: adhocalypse.arts.unimelb.edu.au
Address: 128.250.213.163

Question 20: You have just installed a brand new Primary Windows Server 2003 DNS server on your brand new network. This DNS server has been set up by you to host your new internet domain funkyj.com.au. This server is hosted on the IP address 203.31.20.2. At the moment you only have 5 hostnames listed in your database. This list is as follows:

router.funkyj.com.au IN A 203.31.20.1
dns.funkyj.com.au IN A 203.31.20.2
mail.funkyj.com.au IN A 203.31.20.3
fileserv.funkyj.com.au IN A 203.31.20.4
wrkstn1.funkyj.com.au IN A 203.31.20.5

At present wrkstn1.funkyj.com.au is using your ISP's DNS servers to serve its requests. Up until this point in time you have been servicing internal addresses via a Hosts file. However in the next 2 months you plan on migrating fully to Active Directory and are hence aware that you need a proper DNS for internal resolution. Before you go on with installing a secondary server you want to check out whether or not things are working correctly on this DNS server. You run a command prompt on the Windows XP Professional workstation wrkstn1.funkyj.com.au and type:

nslookup - 203.31.20.2

And then enter the following, one on each line:

fileserv.funkyj.com.au
203.31.20.4
www.mcsetutor.com

The queries for fileserv.funkyj.com.au and www.mcsetutor.com come back with the expected IP addresses. However, when you do a query for the IP address 203.31.20.4 you get an error. What is the most likely cause of the problem?

Correct Answer: B The reverse lookup zone is not correctly configured for your new DNS server.

Explanation: When an IP will not resolve to an FQDN on your local DNS server it most likely indicates that the reverse lookup zone has not been configured correctly. You do not need a reverse lookup zone to be properly configured for Active Directory to function but you will need it configured properly if you would like to resolve IP addresses to FQDNs.
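What the missing reverse lookup zone looks like in practice, as an added example that is not part of the original question set. It takes the five A records from Question 20, shows the in-addr.arpa owner name a PTR query for 203.31.20.4 uses, builds the PTR records an administrator would have to add (DNS does not derive them from A records), and uses a toy in-memory server to reproduce the forward-works-but-reverse-fails symptom and its fix. The StubDnsServer class and diagnose() helper are this example's own constructions, not the Windows DNS server.

```python
# The five A records listed in Question 20.
FORWARD_ZONE = {
    "router.funkyj.com.au": "203.31.20.1",
    "dns.funkyj.com.au": "203.31.20.2",
    "mail.funkyj.com.au": "203.31.20.3",
    "fileserv.funkyj.com.au": "203.31.20.4",
    "wrkstn1.funkyj.com.au": "203.31.20.5",
}


def ptr_owner_name(ip: str) -> str:
    """Owner name queried for a PTR: octets reversed, under in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone_for(ip: str) -> str:
    """Reverse lookup zone for the /24 containing ip, e.g. 20.31.203.in-addr.arpa."""
    a, b, c, _ = ip.split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def build_reverse_zone(forward: dict) -> dict:
    """PTR records the administrator must create: owner name -> FQDN (dot-terminated)."""
    return {ptr_owner_name(ip): fqdn + "." for fqdn, ip in forward.items()}


def render_reverse_zone(forward: dict) -> list:
    """Zone-file style lines for the /24 reverse zone, one PTR per host, by last octet."""
    by_octet = sorted(forward.items(), key=lambda kv: int(kv[1].rsplit(".", 1)[1]))
    return [f"{ip.rsplit('.', 1)[1]} IN PTR {fqdn}." for fqdn, ip in by_octet]


class StubDnsServer:
    """Toy stand-in for the DNS server in the question: forward zone plus an
    optional reverse zone held in memory."""

    def __init__(self, forward: dict, reverse: dict = None):
        self.forward = dict(forward)
        self.reverse = dict(reverse) if reverse else {}

    def query_a(self, name: str):
        return self.forward.get(name.rstrip("."))

    def query_ptr(self, ip: str):
        """None stands for the error nslookup reports when no PTR can be found."""
        return self.reverse.get(ptr_owner_name(ip))


def diagnose(server: StubDnsServer, ip: str) -> str:
    """Explain a failed reverse lookup: whole zone absent, or just this PTR."""
    if server.query_ptr(ip) is not None:
        return "ok"
    zone = reverse_zone_for(ip)
    if not any(name.endswith(zone) for name in server.reverse):
        return f"reverse lookup zone {zone} is missing"
    return f"zone {zone} exists but has no PTR for {ip}"


if __name__ == "__main__":
    misconfigured = StubDnsServer(FORWARD_ZONE)          # forward zone only, as in the question
    print(misconfigured.query_a("fileserv.funkyj.com.au"), misconfigured.query_ptr("203.31.20.4"))
    print(diagnose(misconfigured, "203.31.20.4"))
    fixed = StubDnsServer(FORWARD_ZONE, build_reverse_zone(FORWARD_ZONE))
    print(fixed.query_ptr("203.31.20.4"), diagnose(fixed, "203.31.20.4"))
    print("\n".join(render_reverse_zone(FORWARD_ZONE)))
```

With only the forward zone loaded, the A query for fileserv succeeds while the PTR query for 203.31.20.4 returns nothing, which is the behaviour described in the question; once the reverse zone is populated the same query returns fileserv.funkyj.com.au.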

Question 21: You are the new Network Administrator at FunkyJ Industries. FunkyJ has their headquarters in downtown Melbourne as well as 4 offices in different suburbs scattered throughout Melbourne. There is an existing WAN in place and all suburban sites are connected via ISDN to a central site that in turn has a T3 link to the Internet. Each site has about 100 hosts running Windows XP Professional and two Windows Server 2003 servers. One of the servers is used as a file server, and the other is running Terminal Services in Application Server mode. The XP Pro workstation users are using StarOffice for most of their productivity work, Outlook Express for e-mail and Internet Explorer for Web browsing. FunkyJ industries runs a legacy database called MikTek and users on their XP Pro desktops connect via the Terminal Services client to access it. The machine running Terminal Services in each site also has a 56K modem installed. From time to time this modem is used to dial into a supplier's server and exchange data. This exchange typically takes place on Thursdays at 4 PM. Your corporate e-mail server is located on the central site, an old Sun box running Sendmail. Your DNS servers are also located at the central site. On Monday, the router at one of the suburban sites (named Waverley) fails completely. You do not have a hot spare and you will not be able to get another one from your supplier for 2 days. You have been out to the site and the users are upset because now they can't retrieve their email from the mail servers at central office. Your manager would like you to find some way for the people at this site to access their e-mail and suggests that perhaps e-mail can be received over the 56K modem in the Terminal Server. Until the router is back up, she wants the traffic limited to sending and receiving e-mail off the server in head office. Which of the following should you do to accomplish this?

Correct Answer: C Set up routing and remote access on two Terminal Servers on the Waverley Office Terminal Server and on one of the other suburban servers running Terminal Services. Run the Remote Access Server Setup Wizard on the suburban server that you want to be dialed into from the Waverley server. Set up a static pool of IP addresses from spare IP addresses on the suburban subnet and allow the suburban RRAS/Terminal server to allocate these to dial-in clients. Use remote access policies on the RRAS/Terminal server to set the Calling-Station-ID to that of the phone line connected to the Modem on the Waverley RRAS/Terminal server and set up the IP Packet Filters on the Suburban RRAS/ Terminal server to allow TCP traffic on port 25. Similarly set up the IP Packet Filters on the Suburban RRAS/Terminal server to deny TCP traffic on ports 21, 22 and 80. Run the demand-dial interface wizard on the Waverley RRAS/Terminal server. Select a Username/Password combination that will be authenticated by the suburban RRAS/Terminal server. Enter the phone number of the Suburban RRAS/Terminal server. Give the interface a name and create a static IP route with the interface name, the address of the suburban network with the RRAS/Terminal server and the subnet mask of that network. Change the default gateway on all clients on the Waverley subnet to the IP address of the Waverley RRAS/Terminal server.

Explanation: None of the other options come close to attempting to fulfill all of the requirements specified in the scenario. The best way to limit the temporary link to all traffic but mail is by denying the popular ports (FTP/Telnet/Web) and only allowing the mail port. The question specified that a Sendmail server was being used with Outlook Express clients. Therefore traffic between this client and server is going to run over TCP port 25.

Question 22: You are running Windows Server 2003 DNS servers. You have one primary server and several secondary servers. At the moment changes are processed by the primary and then pulled to the secondary. The hardware on your primary server and your secondary servers is the same and your environment is entirely Windows 2003 with XP workstations. You wish to load balance changes to the DNS database more effectively and allow all servers to accept DNS updates (rather than just the primary DNS server). Which of the following should you do?

Correct Answer: B Start the DNS MMC on the Primary DNS server. Select the DNS zone you want to change. Right-click and select change. Select "Active Directory integrated" and select OK. Repeat this step on all of the secondary DNS servers.

Explanation: Active Directory-integrated zones offer load balancing and fault tolerance. They offer the benefits of multi-master replication versus the single-master replication present in standard DNS zones. You may only run Active Directory-integrated zones on servers running Windows 2000.

Question 23: You are the administrator for a manufacturing company. You want to institute smart card security on your network so that certain people can only log onto their machines if they have swiped their card through a reader and entered their PIN. Which of the following protocols is required on the Routing and Remote Access Server if you wish to require this for remote users as well?

Correct Answer: C EAP

Explanation: EAP stands for Extensible Authentication Protocol. There is an extension to PPP called EAP/TLS. When EAP/TLS is enabled, a remote access user is prompted to insert the smart card and enter the PIN during network logon authentication.

Question 24: There are two Windows Server 2003 systems in the Accounting Department of the company that you work for. You need to make sure they communicate securely with one another. You perform the following actions on each:

1. Run MMC
2. On the Console menu, click Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, click Computer Management, and then click Add.
5. Verify that Local Computer is selected, and click Finish.
6. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add.
7. Verify that Local Computer is selected in the Group Policy Object dialog box, and click Finish.
8. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
9. Select Computer Account, and click Next.
10. Verify that Local Computer is selected, and click Finish.
11. Close the Add Standalone Snap-in dialog box.
12. Close the Add/Remove Snap-in dialog box.

Repeat steps 1-12 on the second machine.

13. In the MMC console, select IP Security Policies on Local Machine from the left pane.
14. Right-click Secure Server, and then choose Assign.
15. Repeat step 13 on the second server. Right-click Client, and then choose Assign.

From the second server, you run a command prompt and ping the IP address of the first server. You receive the following response:

Pinging 192.168.0.25 with 32 bytes of data:
Negotiating IP Security
Negotiating IP Security
Negotiating IP Security
Negotiating IP Security

Ping statistics for 192.168.0.25:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

What do you need to do to get a normal ping response and reduce the packet loss to an acceptable level?

Correct Answer: A Ping the first server again. The two servers will have now established IPSec security association and the ping will work fine.

Explanation: The client initially sends unprotected ICMP packets to the server but the server requires some sort of security from the client. This will be automatically negotiated so that the next time a ping is attempted it should be successful. If the second computer is switched to "secure server" as answer choice C states, it would not send any traffic until it had negotiated IPSec protection. If the first computer is set to "client" as answer choice D states, no data is protected as neither side will request security and therefore the objective will not be achieved.

Question 25: You would like to apply encryption settings to the dial-in connections of your users. You would like to configure this through the Encryption tab of the Dial-in Profile. You notice four check boxes there to choose from: No Encryption, Basic, Strong and Strongest. Which of the following correctly describes the types of encryption that can be used with the Basic, Strong and Strongest levels of encryption?

Correct Answer: C Basic encryption allows for IPSec 56-bit DES or MPPE 40-bit encryption. Strong encryption allows for IPSec 56-bit DES or MPPE 56-bit encryption. Strongest encryption allows for IPSec Triple DES (3DES) or MPPE 128-bit encryption.

Explanation: There are four levels of encryption that you can set as part of a Remote Access Profile:

No Encryption: When selected, this option allows a non-encrypted connection. To require encryption, clear the No Encryption option.
Basic: For dial-up and PPTP-based VPN connections, Microsoft Point-to-Point Encryption (MPPE) with a 40-bit key is used. For L2TP over IPSec-based VPN connections, 56-bit DES encryption is used.
Strong: For dial-up and PPTP-based VPN connections, MPPE with a 56-bit key is used. For L2TP over IPSec-based VPN connections, 56-bit DES encryption is used.
Strongest: For dial-up and PPTP-based VPN connections, MPPE with a 128-bit key is used. For L2TP over IPSec-based VPN connections, triple DES (3DES) encryption is used.

Question 26: You want to set up an IPSec connection on two computers located on two different sides of the city via the corporate Intranet. Each computer is connected to a local Cisco 2501 router which in turn is connected to the ISP's router. Traffic travels across 3 routers on the ISP's network then to the corresponding router on the other side and finally to the other PC. These routers are all part of the corporate Intranet, though one of them routes traffic out to the Internet as well. Most of your WAN infrastructure has been outsourced so you are only responsible for the LAN up to the 2501 routers. Which of the following do you need to do to set up an IPSec connection between these two locations?

Correct Answer: B Configure the end node computers with IPSec. The routers will not need configuration to pass this encrypted traffic across your WAN.

Explanation: It is important to understand that IPSec only needs to be activated on the clients. A tunnel is activated between the two endpoints using encrypted IP communication. Similar to encrypted e-mail, the e-mail is sent normally. The difference is merely that one end encrypts it and the other end decrypts it. IPSec can be configured in other way but ultimately things like routers and switches do not need to be IPSec aware.

Question 27: You are the Remote Access Administrator at the company Crunchyteeth. You wish to set up your remote access policy so that users are locked out for 48 hours if they enter the wrong password 5 consecutive times when dialing up to the remote access server. The Routing and Remote Access Server has been set up and installed with default settings. A new group has been created called crunchyrasusers, consisting of those users who require the ability to dial in. Your boss also suspects that people who aren't members of the authorized RAS users group are somehow gaining access to the dialup server. Also, she wants to limit normal users' access to the server to non-business hours.
Primary Goal: Deny users access for 48 hours if they enter the incorrect password 5 times.
Secondary Goals:
1. Limit access to the RAS service to members of the crunchyrasusers group.
2. Restrict RAS access to between 5pm and 8am for normal users.
3. Allow Administrators unlimited access to the RAS server at all times.
Which of the following achieves your primary goal but does not achieve any of your secondary goals?

Correct Answer: D Perform the following actions:
- Run regedit or regedt32.
- Go to the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
- Change the entry MaxDenials from zero to five.

Explanation: In this question you were asked to make sure that the primary goal was satisfied and that all the secondary goals were not. The default lockout period is 48 hours, which is represented in hexadecimal as b40. If that doesn't make any sense to you, translate it back into decimal and divide by 60. If you wanted to change it to 24 hours, simply multiply 24 by 60 and translate it into hexadecimal. The subkey to change is in the same area and is called ResetTime.
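An added example, not part of the original question bank, that applies the Question 27 change from PowerShell and works through the hex/decimal conversion the explanation describes. It assumes a Windows Server 2003 RRAS host with the default AccountLockout values, run from an elevated prompt; the 24-hour target is the explanation's own worked case.

```powershell
# Added example: RAS account lockout, per Question 27. Assumes the
# AccountLockout key exists with its default values (elevated prompt required).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

# Primary goal: lock out after 5 consecutive failures (0 = lockout disabled).
Set-ItemProperty -Path $key -Name MaxDenials -Value 5 -Type DWord

# ResetTime is stored in minutes. Decode the current value the way the
# explanation says: hex -> decimal -> divide by 60 to get hours.
$current = (Get-ItemProperty -Path $key -Name ResetTime).ResetTime
'Current ResetTime: 0x{0:x} = {1} minutes = {2} hours' -f $current, $current, ($current / 60)
# With defaults this prints: Current ResetTime: 0xb40 = 2880 minutes = 48 hours

# Reverse direction from the explanation: 24 hours * 60 = 1440 = 0x5a0.
$hours   = 24
$minutes = $hours * 60
'ResetTime for {0} hours as regedit shows it: {1:x}' -f $hours, $minutes

# Uncomment to apply the 24-hour window (the question itself keeps 48 hours).
# Set-ItemProperty -Path $key -Name ResetTime -Value $minutes -Type DWord

# Read both values back to confirm what is now in the registry.
Get-ItemProperty -Path $key -Name MaxDenials, ResetTime | Select-Object MaxDenials, ResetTime
```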

Question 28: You have two servers on your network that you would like to have communicate using IPSec. You use the MMC to configure IP Security Policies for each server. You assign the "Client" policy to each computer. After performing these actions, which of the following will be true? Choose all that apply.

Correct Answer: B, D All communication that passes between these servers is insecure. These servers will not authenticate before starting to transmit traffic.

Explanation: Without one of the servers being set to be a "secure server", the data transferred between them will not be secure. To set one of them to be a secure server, instead of selecting "client", select "secure server" and then right click and select assign in the IP Security Policies area of Local Machine in the MMC.

Question 29: In the course of your duties as RAS server administrator at the company Unseen Enterprises, you have begun experimenting with the NETSH command line utility. You have found that it can quickly and easily tell you such things as the RADIUS authentication server, the remote access configuration and a large amount of other useful diagnostic information. You go to the Start Menu, select Run, type in "netsh" and press Enter. This brings up the netsh prompt. Which of the following lists of commands using the NETSH command line utility will: 1) Tell you which remote access servers on the network are running Windows 2000; 2) Display the IP remote access configuration; 3) Display the NetBEUI remote access configuration; 4) Display the RADIUS authentication server?

Correct Answer: B
ras show activeservers
ras ip show config
ras netbeui show config
ras aaaa show authserver

Explanation: This question is rather difficult unless you are already aware of this Windows 2003 utility and have used it to administer a RAS server. As an exercise we suggest that you run netsh from the start menu of your Windows 2003 server and type ?. This will bring up a list of commands. In the case of this question you can just type "ras", which will put you in the ras context. Typing ? again will give you a list of commands that are available at that level.

Question 30: You wish to configure Network Address Translation (NAT) on a machine running Windows 2003 Server that is connected via a cable modem/Ethernet card combination to the Internet. From the Administrative Tools menu you select Routing and Remote Access. On the Action Menu you select "Configure and Enable Routing and Remote Access". After reading the next dialogue you are confronted with a menu. Which of the following options should you select?

Correct Answer: D Internet Connection Server.

Explanation: Internet Connection Server allows you to use NAT which is similar to, but more complex than, Internet Connection Sharing (ICS). It is important for you to know your way through the most common wizards in Windows 2003 as you may receive simulation questions during the exam.

Question 31: A very important consideration when planning your implementation of Windows 2003 is what type (or types) of DNS you will run in your organization. There are several options including Windows 2003 & 2000 DNS, Windows NT 4.0 DNS (with Service Pack 4 or greater), and various versions of BIND including 8.2, 8.1.2 and 4.9.7. Which of the following statements regarding these different options are true? Choose all that apply.

Correct Answer: A, C, D BIND 8.2 supports dynamic updates, IXFR and SRV records but does not support UTF-8. Windows 2000 DNS supports dynamic updates, IXFR, SRV records and UTF-8. BIND 4.9.7 supports SRV records but does not support dynamic updates, IXFR or UTF-8.

Explanation: Windows 2003 & 2000 DNS supports dynamic updates, IXFR, SRV records and UTF-8. Windows NT 4.0 DNS (with Service Pack 4 or greater) supports SRV records but does not support dynamic updates, IXFR or UTF-8. BIND 8.2 supports dynamic updates, IXFR and SRV records but does not support UTF-8. BIND 8.1.2 supports dynamic updates and SRV records but does not support IXFR or UTF-8. BIND 4.9.7 supports SRV records but does not support dynamic updates, IXFR or UTF-8.

Question 32: Your company currently has 30 users who connect to your corporate network from their Windows XP Professional laptop computers when traveling. Currently they are dialing in to your company's network using analog modems. Your plan is to migrate them away from direct-dial remote access and toward the use of a Virtual Private Network (VPN). You are debating whether to implement the Layer Two Tunnelling Protocol (L2TP) or rather to use Point-to-Point Tunnelling Protocol (PPTP). You desire the following in a VPN solution:
- For maximum security, tunnel authentication without the use of IPSec is favorable.
- For performance reasons, maximum header compression is favorable.
- The VPN solution should be able to support transmission over an IP-based network.
- The VPN solution should be compatible with both Windows XP Professional (the RAS clients in your company) and Windows Server 2003 (the RAS server platform in your company).
You decide to implement a PPTP VPN solution. Which of the following objectives are achieved with this type of solution? Choose all that apply.

Correct Answer: B, C Transmission can occur over an IP-based network. The solution is compatible with both Windows XP Professional and Windows Server 2003.

Explanation: Here are some differences between L2TP and PPTP:
- PPTP requires that the internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented point-to-point connectivity.
- PPTP can support only a single tunnel between end points. L2TP allows for the use of multiple tunnels between end points.
- L2TP provides for header compression. When header compression is enabled, L2TP operates with 4 bytes of overhead, as compared to 6 bytes for PPTP.
- L2TP provides for tunnel authentication, while PPTP does not. However, when either protocol is used over IPSec, tunnel authentication is provided by IPSec so that Layer 2 tunnel authentication is not necessary.
Both L2TP and PPTP are compatible with all of the Windows 2000/2003/XP platforms.

Question 33: Your company is currently running Windows Server 2003 Active Directory (AD). Which of the following accurately describes the process by which unauthorized Windows Server 2003 DHCP servers that are members of a domain are detected and prevented from handing out IP addresses?

Correct Answer: B Active Directory keeps a list of all legitimate DHCP servers. When a DHCP server is started, AD is used to verify the status of that server. If the server is not in the list of legitimate servers, no response is returned to DHCP requests. The DHCP server is aware that it isn't authorized on that network and doesn't serve requests for IP configuration.

Explanation: A feature of Windows 2000 and 2003 is the detection of unauthorized or "rogue" DHCP servers. There is no DHCP Group Policy Object that is checked. Also, there is no Master/Slave concept in DHCP. The closest thing to this is the Master Browser/Backup Browser concept. Finally, there can be (and often is) more than one DHCP server for a given domain.

Question 34: In order to gain a better understanding of your network traffic patterns, you recently installed the version of Network Monitor that is included with Windows Server 2003 on a computer named Server8-A. Server8-A is located on a subnet in your company that you have named SubnetA. You also have another subnet that you have named SubnetB. These subnets are separated by a router. Which of the following types of traffic will you be able to monitor using Network Monitor? Choose all that apply.

Correct Answer: A, B, E
Packets received by Server8-A
Packets sent from Server8-A
Packets broadcast to SubnetA

Explanation: The version of Network Monitor included with Windows 2000 captures and displays frames that a computer receives from the local area network. This includes packets addressed specifically to that computer as well as broadcast packets for the subnet that the computer is on. This version of Network Monitor does not have the ability to capture frames sent to and from all computers in a network segment. That functionality is provided by the full version of Network Monitor included with System Management Server (SMS).

Question 35: Your company currently uses Network Address Translation (NAT) to avoid the need to have a large pool of valid external IP addresses. The external IP address assigned to the computer performing NAT is 217.49.101.72. Internally you are using the IP address range 10.0.0.1 through 10.0.255.254 with a subnet mask of 255.255.0.0. You have a web server with an internal IP address of 10.0.14.200. You would like this web server to be available to clients on the Internet when they go to IP address 217.49.101.72. Is this possible to do through NAT and if so, how can it be performed?

Correct Answer: B Yes, this is possible to do through NAT. Create a mapping on the NAT server which maps 217.49.101.72:80 to 10.0.14.200:80.

Explanation: If you have services running on the private network that need to be accessed from the Internet you will need to map the public IP address and port number to the appropriate private IP address and port number. In the case of a web server, the default port number is 80.

Question 36: Network Address Translation (NAT) can provide many benefits to an organization including a reduced need for IP addresses and better security for internal hosts. When NAT must translate beyond the IP, TCP and UDP headers of a packet, a NAT editor is required. Windows Server 2003 provides a built-in NAT editor for which of the following protocols? Choose all that apply.

Correct Answer: A, B, C, E
NetBIOS over TCP/IP
FTP
PPTP
ICMP

Explanation: A NAT editor makes modifications to the IP packet beyond the translation of the IP address in the IP header, the TCP port in the TCP header, and the UDP port in the UDP header. Windows Server 2003 includes built-in NAT editors for the following protocols:
- FTP
- ICMP
- PPTP
- NetBIOS over TCP/IP

Question 37: You are the Systems Administrator for a large company's Windows Server 2003 network. You have well over 5000 hosts on your network; however, you have only been allocated part of a class C IP address range by your ISP. The IP range that has been assigned is 203.31.128.1 through 203.31.128.127. Internally you are using the IP range 10.5.0.1 through 10.5.255.255. You wish to provide several services to the Internet from servers that exist on your internal network. You want it so that when a host on the Internet addresses one of these addresses, your RRAS server will translate it automatically into one of your internal IP numbers. The first step in doing this is configuring the public interface of your Routing and Remote Access Server with the IP range delegated to you by the ISP. You are logged onto the Routing and Remote Access Server as the administrator. Which of the following sequences of commands will do this correctly?

Correct Answer: C Perform the following steps:
- Go to the Routing and Remote Access console.
- Double-click the IP Routing node.
- Click the Network Address Translation node.
- Right-click the external connection and select Properties.
- Click Address Pool.
- Select Add.
- In Start Address type 203.31.128.1. In Subnet Mask type 255.255.255.128.
- Click OK.

Explanation: You need to select the IP Routing node to configure the public interface with a given IP range. The Routing Interfaces node will not allow you to configure this. The other thing that is important to note in this particular question is that when you type the subnet mask into the address pool dialogue box, Windows 2000 automatically fills in the finishing IP address for you if you enter the correct subnet mask (e.g. /25). It is important to note that this is only the first step in configuring Network Address Translation. All that we have done here is set up a particular set of IP addresses for the external (i.e. Internet) interface. More setup is required to map each of these Internet IP addresses to the appropriate internal IP address.
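An added example, not part of the original question bank, that performs the Question 37 address-pool step and the follow-on port mapping from Question 35 with netsh rather than the MMC wizard. It assumes the RRAS public interface is named "Internet", that the netsh "routing ip nat" context of Windows Server 2003 is available, and uses a constructed internal web server address 10.5.0.10 from the question's private range; run elevated on the RRAS server.

```powershell
# Added example: NAT address pool (Question 37) plus a port mapping
# (the Question 35 technique), using the Windows Server 2003 netsh
# "routing ip nat" context. Interface name "Internet" and the internal
# host 10.5.0.10 are assumptions, not values from the question bank.
$public = 'Internet'

# Step 1 (Question 37): give the public interface the ISP-delegated /25.
# 255.255.255.128 is the /25 mask the answer key enters; netsh takes the
# explicit end address as well, so it is 203.31.128.127 here.
netsh routing ip nat add addressrange name=$public start=203.31.128.1 end=203.31.128.127 mask=255.255.255.128

# Step 2 (Question 35 technique): expose an internal web server on one of
# the public addresses. Only port 80/tcp is forwarded; nothing else on the
# private host is reachable, which is the "better security" NAT provides.
netsh routing ip nat add portmapping name=$public proto=tcp publicaddr=203.31.128.1 publicport=80 privateaddr=10.5.0.10 privateport=80

# Verify: the pool and mappings should now be listed for the interface.
netsh routing ip nat show interface name=$public
```

If the ISP-facing interface has a different name in the Routing and Remote Access console, use that name; netsh will refuse the commands for an interface that is not already added to the NAT protocol.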