70-296 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000 Version 38.0



Leading the way in IT testing and certification tools, www.testking.com

Important Note, Please Read Carefully

Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides:
* Online Testing. Check out an Online Testing Demo at http://www.testking.com/index.cfm?pageid=724
For this test TestKing plans to provide:
* Study Guide (Concepts and Labs)

Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check your member zone at TestKing for an update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version:

1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.

For most updates, it is enough just to print the new questions at the end of the new version, not the whole document.

Feedback
Feedback on specific questions should be sent to [email protected]. You should state: exam number and version, question number, and login ID. Our experts will answer your mail promptly.

Copyright
Each PDF file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular PDF file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws.


QUESTION NO: 1
You are a network administrator for TestKing. The network contains two Windows Server 2003 computers named TestKingA and TestKingB. These servers host an intranet application. Currently, 40 users connect to TestKingA and 44 users connect to TestKingB. The company is adding 35 employees who will need access to the intranet application. Testing shows that each server is capable of supporting approximately 50 users without adversely affecting the performance of the application. You need to provide a solution for supporting the additional 35 employees. The solution must include providing server fault tolerance. You need to minimize the costs and administrative effort required by your solution. You add a new server named TestKingC to the network and install the intranet application on TestKingC. What else should you do?

A. Use Network Load Balancing Manager to configure TestKingA, TestKingB, and TestKingC as a Network Load Balancing cluster.

B. Use Cluster Administrator to configure TestKingA, TestKingB, and TestKingC as a three-node server cluster. Use the Majority Node Set option. Configure the cluster so that all three nodes are active.

C. Use Cluster Administrator to configure TestKingA, TestKingB, and TestKingC as a three-node server cluster. Configure the cluster so that two nodes are active and one node is a hot standby node.

D. Use DNS load balancing to utilize all three servers by using the same virtual server name.

Answer: A

Explanation:
We can use Network Load Balancing to balance the load on the three web servers.

Reference: Deploying Network Load Balancing, Overview of the NLB Deployment Process
A Network Load Balancing cluster comprises multiple servers running any version of the Microsoft® Windows® Server 2003 family, including Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Datacenter Edition, and Windows Server 2003 Web Edition. Clustering allows you to combine application servers to provide a level of scaling, availability, or security that is not possible with an individual server. Network Load Balancing distributes incoming client requests among the servers in the cluster to more evenly balance the workload of each server and prevent overload on any one server. To client computers, the Network Load Balancing cluster appears as a single server that is highly scalable and fault tolerant.

The Network Load Balancing deployment process assumes that your design team has completed the design of the Network Load Balancing solution for your organization and has performed limited testing in a lab. After the design team tests the design in the lab, your deployment team implements the Network Load Balancing solution first in a pilot environment and then in your production environment. Upon completing the deployment process presented here, your Network Load Balancing solution (the Network Load Balancing cluster and the applications and services running on the cluster) will be in place. For more information about the procedures for deploying Network Load Balancing on individual servers, see the appropriate Network Load Balancing topics in Help and Support Center for Windows Server 2003.

Incorrect Answers:
B: We already have three servers. A cluster would require different hardware and would thus be more expensive.
C: We already have three servers. A cluster would require different hardware and would thus be more expensive.
D: Round Robin DNS would load balance the servers, but if one server failed, clients would still be directed to the failed server.

QUESTION NO: 2
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. All application servers run Windows Server 2003. Client computers in the accounting department run Windows XP Professional. Client computers in the engineering department run Windows 2000 Professional. Client computers in the Sales department run either Windows NT Workstation 4.0 or Windows 98. All client computers access data files on the application server. You need to plan the method of securing the data transmissions for the client computers. You want to ensure that the data is not modified while it is transmitted between the application servers and the client computers. You also want to protect the confidentiality of the data, if possible. What should you do? To answer, drag the appropriate method or methods to the correct department’s client computers.


Answer:

Explanation:
We can use IPSEC on Windows 2000 and Windows XP, but we cannot use IPSEC for legacy clients except for VPNs. Sales contains Windows NT 4.0 and Windows 98; in this case we use SMB signing.


With Windows 2000 and Windows XP both methods are supported; in this case, for security reasons, we will use IPSEC rules. SMB signing is supported by Windows 2000 and XP and can be enforced by local policies or domain policies. To be supported on legacy clients you must modify the registry in Windows 98 and Windows NT.

SMB on Windows 98 (KB article 230545)
Windows 98 includes an updated version of the SMB authentication protocol. However, using SMB signing slows down performance when it is enabled. This setting should be used only when network security is a concern. The performance decrease usually averages between 10-15 percent. SMB signing requires that every packet is signed for and every packet must be verified.

SMB on Windows NT (KB article 161372)
Windows NT 4.0 Service Pack 3 provides an updated version of the Server Message Block (SMB) authentication protocol, also known as the Common Internet File System (CIFS) file sharing protocol.

IPSEC
The Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets. IPsec was also designed as an administrative tool to enhance the security of communications in a way that is transparent to the programs. Because of this, it provides traffic filtering that is necessary to negotiate security for IPsec transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust was available from the Kerberos service or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used.

IPSEC is not supported on legacy clients; it is supported only for VPN connections: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98, Windows Millennium Edition (Me), or Windows NT® Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec). Supported platforms:

Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up Networking version 1.4 upgrade.

Windows Me with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later)

Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later)

QUESTION NO: 3


You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A Windows Server 2003 computer named TESTKINGDNS1 functions as the internal DNS server and has zones configured as shown in the exhibit.

The network is not currently connected to the Internet. TestKing maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named testking.com. The testking.com zone is hosted by a UNIX-based DNS server named UNIXDNS, which is running the latest version of BIND. The company plans to allow users of the internal network to access Internet-based resources. The company’s written security policy states that resources located on the internal network must never be exposed to the Internet. The written security policy states that the internal network’s DNS namespace must never be exposed to the Internet. To meet these requirements, the design specifies that all name resolution requests for Internet-based resources from computers on the internal network must be sent from TESTKINGDNS1. The current design also specifies that UNIXDNS must attempt to resolve any name resolution requests before sending them to name servers on the Internet. You need to plan a name resolution strategy for Internet access. You need to configure TESTKINGDNS1 so that it complies with company requirements and restrictions. What should you do?

A. Delete the root zone from TESTKINGDNS1. Configure TESTKINGDNS1 to forward requests to UNIXDNS.


B. Copy the Cache.dns file from the Windows Server 2003 installation CD-ROM to the C:\Windows\System32\Dns folder on TESTKINGDNS1.

C. Add a name server (NS) resource record for UNIXDNS to your zone. Configure UNIXDNS with current root hints.

D. On TESTKINGDNS1, configure a secondary zone named testking.com that uses UNIXDNS as the master server. Configure UNIXDNS to forward requests to your ISP’s DNS servers.

Answer: A

Explanation:
We need to delete the root zone from the internal DNS server. This will enable us to configure the server to forward Internet name resolution requests to the external DNS server (UNIXDNS). A DNS server configured to use a forwarder will behave differently than a DNS server that is not configured to use a forwarder. A DNS server configured to use a forwarder behaves as follows:

1. When the DNS server receives a query, it attempts to resolve this query using the primary and secondary zones that it hosts and its cache.

2. If the query cannot be resolved using this local data, then it will forward the query to the DNS server designated as a forwarder.

3. The DNS server will wait briefly for an answer from the forwarder before attempting to contact the DNS servers specified in its root hints.

Incorrect Answers:
B: The Cache.dns file contains the IP addresses of the Internet root DNS servers. We don’t want the internal DNS server to query the root DNS servers, so we don’t need the Cache.dns file.
C: UNIXDNS already has root hints. An NS record on the internal DNS server won’t fulfil the requirements of the question.
D: We don’t need a secondary zone on the internal DNS server. All external resolution requests must be forwarded to the external DNS server.

QUESTION NO: 4
You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network is connected to the Internet by a dedicated T3 line. TestKing enters into a partnership with another company for a new project. The partner company’s network consists of a single Active Directory forest that contains two domains. All servers in the network run Windows Server 2003. The partner network is also connected to the Internet by a dedicated T3 line. The partner network is accessible by a VPN connection that was established between the two networks. The VPN connection was tested and was verified to provide a functional connection between the two networks.


Users from both companies need to connect to resources located on another network. A forest trust relationship exists between the two companies’ forests to allow user access to resources. Users in your company report that they can access resources on the partner network, but that it can take up to several minutes for the connection to be established. This problem is most pronounced during the morning. You verify that there is sufficient available bandwidth on the connection between the two networks to provide access. You also verify that both network’s routing tables are configured correctly to route requests to the appropriate destinations. When you attempt to connect to a server in the partner network by host name by using the ping command, the connection times out. However, when you attempt to connect to the server a second time by IP address by using the ping command, you receive a response within a few seconds. You need to improve the performance of the network connection between the two networks. What should you do?

A. Add the partner network’s domain names and DNS server addresses to the forwarders list on your DNS servers.

B. Update the root hints list on your DNS servers to include the host names and IP addresses of the partner network’s DNS servers.

C. Disable recursion on the DNS servers in both companies’ networks.

D. Add the partner network’s DNS server addresses to the 006 DNS Servers scope option in your DHCP scope.

Answer: A

Explanation:
It is taking a long time to locate resources on the other network. This is because name resolution requests are being passed to the Internet root servers, then down through the Internet DNS hierarchy, before the request finally reaches the appropriate DNS server. We can speed up this process by using conditional forwarding. This would enable resolution requests for resources in the partner network to be forwarded directly to the partner’s DNS server.

Conditional forwarders
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Incorrect Answers:
B: The root hints are used to locate Internet root DNS servers.
C: This won’t help. It would mean that the internal DNS servers wouldn’t forward external resolution requests to other DNS servers such as the root servers.
D: The partner network’s DNS servers would never be used unless the local DNS server failed.
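The forwarder chain given in the Question 3 explanation (hosted zones and cache first, then the forwarder, then root hints) and the conditional forwarding that Questions 4 and 5 rely on can be traced in a small simulation. The Python below is an added example and is not part of the TestKing material: the server names TESTKINGDNS1 and UNIXDNS follow the questions, while every zone name, address and the stand-in Internet hierarchy are constructed for the example.

```python
"""Simulation of the lookup order a Windows Server 2003 DNS server applies:
hosted zones and cache, conditional forwarders (matched by domain suffix),
general forwarders, then root hints. Added example, not TestKing material;
every server name, zone and address is constructed."""
from dataclasses import dataclass, field


@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)        # zone -> {fqdn: ip}; "." = a hosted root zone
    conditional: dict = field(default_factory=dict)  # domain suffix -> [DnsServer, ...]
    forwarders: list = field(default_factory=list)   # general forwarders, tried in order
    root_hints: list = field(default_factory=list)   # stand-ins for the Internet root servers
    cache: dict = field(default_factory=dict)

    def _hosted_zone(self, fqdn):
        """Longest hosted zone covering fqdn; a hosted root zone covers every name."""
        hits = [z for z in self.zones if z == "." or fqdn == z or fqdn.endswith("." + z)]
        return max(hits, key=len) if hits else None

    @staticmethod
    def _ask(servers, fqdn, path):
        """Try each candidate in order; the first one that answers wins."""
        for srv in servers:
            ip = srv.resolve(fqdn, path)
            if ip is not None:
                return ip
        return None

    def resolve(self, fqdn, path=None):
        """Return the address for fqdn (None = not found); path records every server consulted."""
        path = [] if path is None else path
        path.append(self.name)
        fqdn = fqdn.rstrip(".").lower()
        if fqdn in self.cache:
            return self.cache[fqdn]
        zone = self._hosted_zone(fqdn)
        if zone is not None:
            # Authoritative data is answered locally (NXDOMAIN if absent) and never forwarded;
            # a hosted root zone therefore blocks forwarding for every name (Question 3).
            return self.zones[zone].get(fqdn)
        suffixes = [s for s in self.conditional if fqdn == s or fqdn.endswith("." + s)]
        order = [self.conditional[max(suffixes, key=len)]] if suffixes else []
        order += [self.forwarders, self.root_hints]   # forwarder first, root hints as last resort
        for servers in order:
            ip = self._ask(servers, fqdn, path)
            if ip is not None:
                self.cache[fqdn] = ip
                return ip
        return None


def build_internet():
    """Stand-in for the public hierarchy (root -> TLD -> authoritative server); referrals
    are modelled as conditional forwarders so that each hop shows up in the path."""
    partner = DnsServer("partner-dns", zones={"partner.example": {"fs1.partner.example": "192.0.2.20"}})
    isp = DnsServer("isp-dns", zones={"public.example": {"www.public.example": "203.0.113.10"}})
    tld = DnsServer("example-tld", conditional={"partner.example": [partner], "public.example": [isp]})
    root = DnsServer("internet-root", conditional={"example": [tld]})
    return root, partner


def question3():
    """With a hosted root zone, Internet names fail locally. Delete it and forward to
    UNIXDNS (which holds the root hints) and the same query resolves."""
    root, _ = build_internet()
    unixdns = DnsServer("UNIXDNS", zones={"testking.com": {"www.testking.com": "198.51.100.5"}},
                        root_hints=[root])
    internal = DnsServer("TESTKINGDNS1", zones={".": {}, "corp.internal": {"dc1.corp.internal": "10.0.0.1"}})
    before_path, after_path = [], []
    before = internal.resolve("www.public.example", before_path)
    del internal.zones["."]             # answer A: delete the root zone ...
    internal.forwarders = [unixdns]     # ... and forward to UNIXDNS
    after = internal.resolve("www.public.example", after_path)
    return before, before_path, after, after_path


def question4_and_5():
    """Partner names chased from the root (slow) versus sent straight to the partner's DNS
    by a conditional forwarder; a general forwarder instead drags every query through the partner."""
    root, partner = build_internet()
    local = DnsServer("testking-dns", zones={"testking.com": {}}, root_hints=[root])
    slow, fast, general = [], [], []
    local.resolve("fs1.partner.example", slow)
    local.cache.clear()
    local.conditional["partner.example"] = [partner]   # answer B in Question 5
    ip = local.resolve("fs1.partner.example", fast)
    local.conditional.clear()
    local.forwarders = [partner]                       # answer A in Question 5: everything goes to the partner
    local.resolve("www.public.example", general)
    return ip, slow, fast, general
```

Calling question3() returns (None, ['TESTKINGDNS1'], '203.0.113.10', ['TESTKINGDNS1', 'UNIXDNS', 'internet-root', 'example-tld', 'isp-dns']): while the root zone is hosted the server answers NXDOMAIN itself and never consults anyone. question4_and_5() shows the partner name taking four hops from the root but only two with the conditional forwarder, and the last path shows why a general forwarder is rejected in Question 5: a public name is pushed through partner-dns before the root hints are tried.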


QUESTION NO: 5
You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest root domain is contoso.com. Contoso, Ltd., recently merged with another company named TestKing, whose network consists of a single Active Directory forest. The functional level of the TestKing forest is Windows Server 2003. The forest root domain for TestKing is testking.com. You need to create a forest trust relationship between the two forests. Each company has dedicated connections to the Internet. You need to configure DNS to support the forest trust relationship. You want to maintain Internet name resolution capability for each company’s network. What should you do?

A. Configure the contoso.com DNS servers to forward to the testking.com DNS servers. Configure the testking.com DNS servers to forward to the contoso.com DNS servers.

B. Configure conditional forwarding of testking.com on the contoso.com DNS servers to the testking.com DNS servers. Configure conditional forwarding of contoso.com on the testking.com DNS servers to the contoso.com DNS servers.

C. Configure a standard primary zone for testking.com on one of the contoso.com DNS servers. Configure a standard primary zone for contoso.com on one of the testking.com DNS servers.

D. Configure an Active Directory-integrated zone for testking.com on the contoso.com DNS servers. Configure an Active Directory-integrated zone for contoso.com on the testking.com DNS servers.

Answer: B

Explanation:
This is a typical scenario for conditional forwarding.

Conditional forwarders
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Incorrect Answers:
A: We don’t want ALL resolution requests to be forwarded to the other DNS servers.
C: We can’t host primary zones on multiple servers.
D: We can’t host AD integrated zones on DNS servers in a different forest.

QUESTION NO: 6


You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains. Each domain contains domain controllers that run Windows 2000 Server and domain controllers that run Windows Server 2003. The DNS Server service is installed on all domain controllers. All client computers run Windows XP Professional. You need to add an additional DNS zone that is hosted on at least one DNS server on each domain. You want to configure the zone to allow secure updates only. What should you do?

A. Configure the new zone on DNS servers in the root domain. Configure stub zones that refer to DNS servers in another two domains.

B. Configure the new zone as a primary zone on one DNS server. Configure other DNS servers in the three domains as secondary servers for this zone. Enable the DNS Security Extensions (DNSSEC) protocol.

C. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named DomainDNSZones.

D. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains. Store the zone data in the DNS directory partition named ForestDNSZones.

Answer: D

Explanation:
To enable secure updates, we need an Active Directory integrated zone. To replicate to the DNS servers in the other domains, the zone must be installed on a Windows Server 2003 domain controller in each domain. During the configuration of the zone, you can select the option to replicate the zone information to all domain controllers in the forest; this will store the zone data in the DNS directory partition named ForestDNSZones.

Incorrect Answers:
A: We need Active Directory integrated zones, not stub zones.
B: Secondary zones are not writeable and so cannot accept updates.
C: If we store the zone data in the DNS directory partition named DomainDNSZones, it will only be replicated in a single domain, not the entire forest.

QUESTION NO: 7
You are the systems engineer for TestKing GmbH. The network consists of three Windows NT 4.0 domains in a master domain model configuration. The servers on the network run either Windows NT Server 4.0 or Windows 2000 Server. All domain controllers run Windows NT Server 4.0. The network also contains 10 UNIX-based application servers. All host name resolution services are provided by a UNIX-based server running the latest version of BIND, which currently hosts the zone for the testking.com domain. All NetBIOS name resolution services are provided by two Windows 2000 Server WINS servers.


The company is in the process of migrating to a single Windows Server 2003 Active Directory domain-based network. The new domain is named testking-ad.com, and it will be hosted in an Active Directory-integrated zone that is stored on the domain controllers. Servers that are not domain controllers will not be updated at this time. The migration plan requires that all computers must use DNS to resolve host names and computer redundancy for the Windows-based DNS servers. You upgrade the domain controllers in the master domain to Windows Server 2003. You also migrate all user and computer accounts to the new Active Directory domain. The DNS zone on the Windows Server 2003 computers is configured as shown in the exhibit.

You now need to configure the required redundancy between the Windows-based DNS servers and the UNIX-based DNS server. You need to ensure that there will be no service interruption on any of the DNS server computers. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. On a Windows Server 2003 DNS server, create a secondary zone that uses the UNIX-based DNS server as the master server.

B. On the UNIX-based DNS server, create a secondary zone that uses a Windows-based DNS server as the master server.

C. On a Windows Server 2003 DNS server, create a stub zone that uses the UNIX-based DNS server as the master server.

D. Add a delegation in the testking.com zone that delegates authority of the testking-ad.com zone to a Windows Server 2003 DNS server.

E. Configure the testking-ad.com zone to not replicate WINS-specific resource records during zone transfers.


Answer: B, E

Explanation:
This is a trick question because it is asking for redundancy for the Windows Server 2003 DNS servers. We can provide this by configuring the UNIX DNS server to resolve names in the testking-ad.com domain. With a secondary zone on the UNIX DNS server, the UNIX DNS server will be able to resolve host name resolution requests in the testking-ad.com domain. The testking-ad.com DNS is configured to query WINS if required. When configuring a UNIX DNS server with a secondary zone, we should configure the zone to not replicate WINS-specific resource records during zone transfers.

Incorrect Answers:
A: This would provide redundancy for the UNIX server; the question isn’t asking for that.
C: This won’t provide any redundancy.
D: Testking-ad.com isn’t a subdomain of testking.com, so no delegation is required.

QUESTION NO: 8
You are the network administrator for TestKing. The network consists of an internal network and a perimeter network. The internal network is protected by a firewall. The perimeter network is exposed to the Internet. You are deploying 10 Windows Server 2003 computers as Web servers. The servers will be located in the perimeter network. The servers will host only publicly available Web pages. You want to reduce the possibility that users can gain unauthorized access to the servers. You are concerned that a user will probe the Web servers and find ports or services to attack. What should you do?

A. Disable File and Printer Sharing on the servers.

B. Disable the IIS Admin service on the servers.

C. Enable Server Message Block (SMB) signing on the servers.

D. Assign the Secure Server (Require Security) IPSec policy to the servers.

Answer: A

Explanation:
We can secure the web servers by disabling File and Printer Sharing.

File and Printer Sharing for Microsoft Networks
The File and Printer Sharing for Microsoft Networks component allows other computers on a network to access resources on your computer by using a Microsoft network. This component is installed and enabled by default for all VPN connections. However, this component needs to be enabled for PPPoE and dial-up connections. It is enabled per connection and is necessary to share local folders. The File and Printer Sharing for Microsoft Networks component is the equivalent of the Server service in Windows NT 4.0.


File and Printer Sharing is not required on web servers because the web pages are accessed over web protocols such as HTTP or HTTPS, and not over a Microsoft LAN.

Incorrect Answers:
B: This is needed to administer the web servers. Whilst it could be disabled, disabling File and Printer Sharing will secure the servers more.
C: SMB signing is used to verify that the data has not been changed during transit through the network. It will not help in reducing the possibility that users can gain unauthorized access to the servers.
D: This will prevent computers on the Internet from accessing the web pages.

QUESTION NO: 9
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. TestKing’s perimeter network contains 50 Web servers that host the company’s public Internet site. The Web servers are not members of the domain. The network design team completed a new design specification for the security of servers in specific roles. The network design requires that security settings must be applied to Web servers. These settings include password restrictions, audit settings, and automatic update settings. You need to comply with the design requirements for securing the Web servers. You also want to be able to verify the security settings and generate a report during routine maintenance. You want to achieve these goals by using the minimum amount of administrative effort. What should you do?

A. Create a custom security template named Web.inf that contains the required security settings. Create a new organizational unit (OU) named WebServers and move the Web servers into the new OU. Apply Web.inf to the WebServers OU.

B. Create a custom security template named Web.inf that contains the required security settings, and deploy Web.inf to each Web server by using Security Configuration and Analysis.

C. Create an image of a Web server that has the required security settings, and replicate the image to each Web server.

D. Manually configure the required security settings on each Web server.

Answer: B

Explanation:
The easiest way to deploy multiple security settings to a Windows Server 2003 computer is to create a security template with all the required settings and import the settings using the Security Configuration and Analysis tool.

Incorrect Answers:


A: The web servers aren’t members of the domain. Therefore they cannot be moved to an OU in Active Directory.
C: We cannot use imaging in this way.
D: This is a long way of doing it. A security template would simplify the task.

QUESTION NO: 10
You are the network administrator for TestKing. The network contains a Windows Server 2003 Web server that hosts the company intranet. The human resources department uses the server to publish information relating to vacations and public holidays. This information does not need to be secure. The finance department wants to publish payroll information on the server. The payroll information will be published in a virtual directory named Payroll, which was created under the default Web site on the server. The company’s written security policy states that all payroll-related information must be encrypted on the network. You need to ensure that all payroll-related information is encrypted on the network. To preserve performance, you need to ensure that other information is not encrypted unnecessarily. You obtain and install a server certificate. What else should you do?

A. Select the Require secure channel (SSL) check box for the default Web site.

B. Assign the Secure Server (Require Security) IPSec policy option for the server.

C. Select the Encrypt contents to secure data check box for the Payroll folder.

D. Select the Require secure channel (SSL) check box for the Payroll virtual directory.

Answer: D

Explanation:
SSL (Secure Sockets Layer) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:.

Incorrect Answers:
A: This will encrypt all data from the web server. We only need to encrypt the payroll data.
B: This will encrypt all data from the web server. We only need to encrypt the payroll data.
C: This will encrypt the data on the hard disk using EFS. It won’t encrypt the data as it is transferred over the network.


QUESTION NO: 11
You are a network administrator for TestKing Inc. The network consists of a single Active Directory forest as shown in the exhibit.

Your company’s written security policy requires that all domain controllers in the child1.testking.com domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the ability to start a domain controller to the Domain Admins group. You need to configure the domain controllers in the child1.testking.com domain to meet the new security requirements. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) on the child1.testking.com domain.

B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.testking.com domain.

C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.testking.com domain.

D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.testking.com domain.

E. Run the system key utility (syskey) on each domain controller in the child1.testking.com domain. In the Account Database Key dialog box, select the Password Startup option.

F. Run the system key utility (syskey) on each domain controller in the child1.testking.com domain. In the Account Database Key dialog box, select the Store Startup Key Locally option.

Answer: C, E

Explanation:
Secure (Secure*.inf) Template
The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses.

• In order to apply Securews.inf to a member computer, all of the domain controllers that contain the accounts of all users that log on to the client must run Windows NT 4.0 Service Pack 4 or higher.

The system key utility (SYSKEY)
SYSKEY is a security measure that protects the account password information stored on a computer and thereby restricts who can start the system. By running the syskey utility with the Password Startup option, the account information in the directory service is encrypted and a password must be entered during system start. Starting the domain controllers is therefore restricted to those who know this password. Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/syskey_concept.asp

System key option | Relative security level | Description
System Generated Password, Store Startup Key Locally | Secure | Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. This option provides strong encryption of password information in the registry, and it enables the user to restart the computer without the need for an administrator to enter a password or insert a disk.
Administrator generated password, Password Startup | More secure | Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. The key is also protected by an administrator-chosen password. Users are prompted for the system key password when the computer is in the initial startup sequence. The system key password is not stored anywhere on the computer.
System Generated Password, Store Startup Key on Floppy Disk | Most secure | Uses a computer-generated random key and stores the key on a floppy disk. The floppy disk that contains the system key is required for the system to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer.

Incorrect Answers:
A: The Rootsec.inf security template defines permissions for the root of the system drive. This template can be used to reapply the root directory permissions to other volumes.
B: The Rootsec.inf security template defines permissions for the root of the system drive. This template can be used to reapply the root directory permissions to other volumes.

D: We need to apply the policy to the domain controllers container, not the entire domain.
F: The System Key Utility (syskey) is used to encrypt the account password information that is stored in the SAM database or in the directory services. By selecting "Store Key locally" the computer stores an encrypted version of the key on the local computer. This doesn’t help in controlling the start of the Domain Controllers.

QUESTION NO: 12

You are a network administrator for Testking. The network consists of a single Active Directory domain named testking.com. The network contains three Windows Server 2003 domain controllers. You are creating the recovery plan for the company. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller. Your recovery plan must incorporate the following organization requirements:

• Active Directory objects that are accidentally or maliciously deleted must be recoverable.
• Active Directory must be restored to its most recent state as quickly as possible.
• Active Directory database replication must be minimized.

You need to create a plan to restore a deleted organizational unit (OU). Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Restart a domain controller in Directory Services Restore Mode.
B. Restart a domain controller in Safe Mode.
C. Use the Ntdsutil utility to perform an authoritative restore operation of the Active Directory database.
D. Restore the system state by using the Always replace the file on my computer option.
E. Use the Ntdsutil utility to perform an authoritative restore operation of the appropriate subtree.

Answer: A, E

Explanation: If an OU gets deleted from the Active Directory, we can restore it from a backup of the system state data. Directory Services Restore Mode is a sort of safe mode in which we can boot a domain controller without loading the Active Directory. This will enable us to restore all or part of the Active Directory database. To ensure that the deleted OU isn’t deleted again by replication from another domain controller, we must use the Ntdsutil utility to mark the restored subtree as authoritative.

Incorrect Answers:

B: To restore part of the Active Directory, we must start a domain controller in Directory Services Restore Mode, not safe mode.
C: We don’t need to restore the entire Active Directory database; we can just restore part of it.
D: This will overwrite the existing Active Directory database.

QUESTION NO: 13

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits. What should you do?

A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.

Answer: A

Explanation: The easiest way to deploy multiple security settings to a Windows Server 2003 computer is to create a security template with all the required settings and import the settings into a Group Policy object. We can also use secedit to analyse the current security settings against the template to verify that the required security settings are in place.

Incorrect Answers:
B: An IPSec policy will not configure the required auditing policy.
C: We need a security template, not an administrative template.
D: This will create multiple identical machines. We cannot use RIS images in this scenario.

QUESTION NO: 14

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named TestKing5. You are planning a public key infrastructure (PKI) for the company. You want to deploy a certification authority (CA) on TestKing5. You create a new global security group named Cert Administrators. You need to delegate the tasks to issue, approve, and revoke certificates to members of the Cert Administrators group. What should you do?

A. Add the Cert Administrators group to the Cert Publishers group in the domain.
B. Configure the Certificates Templates container in the Active Directory configuration naming context to assign the Cert Administrators group the Allow – Write permission.
C. Configure the CertSrv virtual directory on TestKing5 to assign the Cert Administrators group the Allow – Modify permission.
D. Assign the Certificate Managers role to the Cert Administrators group.

Answer: D

Explanation: To be able to issue, approve and revoke certificates, the Cert Administrators group needs to be assigned the role of Certificate Manager. The following table describes the different roles and their associated permissions.

Roles and groups | Security permission | Description
CA Administrator | Manage CA permission | Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate.
Certificate Manager | Issue and Manage Certificates permission | Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA Officer.
Backup Operator | Back up files and directories and Restore files and directories permissions | Perform system backup and recovery. This is an operating system role.
Auditor | Manage auditing and security log permission | Configure, view, and maintain audit logs. This is an operating system role.
Enrollees | Authenticated Users | Enrollees are clients who are authorized to request certificates from the CA. This is not a CA role.

QUESTION NO: 15

You are a network administrator for TestKing. The network contains a perimeter network. The perimeter network contains four Windows Server 2003, Web Edition computers that are configured as a Network Load Balancing cluster.

The cluster hosts an e-commerce Web site that must be available 24 hours per day. The cluster is located in a physically secure data center and uses an Internet-addressable virtual IP address. All servers in the cluster are configured with Hisecws.inf templates. You need to implement protective measures against the cluster’s most significant security vulnerability. What should you do?

A. Use Encrypting File System (EFS) for all files that contain confidential data stored on the cluster.
B. Use packet filtering on all inbound traffic to the cluster.
C. Use Security Configuration and Analysis regularly to compare the security settings on all servers in the cluster with the baseline settings.
D. Use intrusion detection on the perimeter network.

Answer: B

Explanation: The most exposed element in this case is the network interface that uses an Internet-addressable virtual IP address. The question doesn’t mention a firewall implementation or an intrusion detection system (usually hardware). Therefore, we should set up packet filtering.

REF: Deploying Network Services (Windows Server 2003 Reskit), Using a Perimeter Network
IP packet filtering
You can configure packet filtering, the earliest implementation of firewall technology, to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information. Packet filtering is a limited technology that works best in clear security environments where, for example, everything outside the perimeter network is not trusted and everything inside is. You cannot use IP packet filtering when IP packet payloads are encrypted because the port numbers are encrypted and therefore cannot be examined. In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol inspection.

QUESTION NO: 16

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. All servers run Windows Server 2003 and all client computers run Windows XP Professional. You are planning a security update infrastructure.

You need to find out which computers are exposed to known vulnerabilities. You need to collect the information on existing vulnerabilities for each computer every night. You want this process to occur automatically. What should you do?

A. Schedule the secedit command to run every night.
B. Schedule the mbsacli.exe command to run every night.
C. Install Microsoft Baseline Security Analyzer (MBSA) on one of the servers. Configure Automatic Updates on all other computers to use that server.
D. Install Software Update Services (SUS) on one of the servers. Configure the SUS server to update every night.

Answer: B

Explanation: We can schedule the mbsacli.exe command to periodically scan for security vulnerabilities.

Running a Scan Against All Computers in a Domain Using a Batch File:

Create a batch file called mbsascan.cmd with the following text:

@Echo Off
CLS
REM Folder where MBSA is installed
Set MBSA_Install_Path="C:\Program Files\Microsoft Baseline Security Analyzer"
cd %MBSA_Install_Path%
REM Scan every computer in the edc domain; /n password skips the password checks
mbsacli.exe /d edc /n password
Echo Scan complete
Pause
Exit

To run the tool from the command line (from the MBSA installation folder), type mbsacli.exe, and use the following parameters.

To Select Which Computer to Scan

• no option - Scan the local computer.
• /c domainname\computername - Scan the named computer.
• /i xxx.xxx.xxx.xxx - Scan the named IP address.
• /r xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx - Scan the range of IP addresses.
• /d domainname - Scan the named domain.

To Select Which Scan Options to Not Perform
Note: You can concatenate these options. For example, you can use /n OS + IIS + Updates.

• /n IIS - Skip IIS checks.
• /n OS - Skip Windows operating system checks.
• /n Password - Skip password checks.
• /n SQL - Skip SQL checks.
• /n Updates - Skip security update checks.

Security Update Scan Options

• /sus SUS server - Check only for security updates that are approved at the specified SUS server.
• /s 1 - Suppress security update check notes.
• /s 2 - Suppress security update check notes and warnings.
• /nosum - Security update checks will not test file checksums.

To Specify the Output File Name Template

• /o domain - computername (date)

To Display the Results and Details

• /e - List the errors from the latest scan.
• /l - List all the reports that are available.
• /ls - List the reports from the latest scan.
• /lr report name - Display an overview report.
• /ld report name - Display a detailed report.

Miscellaneous Options

• /? - Usage help.
• /qp - Do not display progress.
• /qe - Do not display error list.
• /qr - Do not display report list.
• /q - Do not display progress, error list, or report list.
• /f - Redirect the output to a file.

MBSA is the graphical interface of Mbsacli.exe. This can be installed and run on Microsoft® Windows® 2000 Server, Windows 2000 Professional, Windows XP Home Edition, Windows XP Professional, and Windows Server 2003. The tool can be run over the network against Microsoft Windows NT® 4.0 Server and Windows NT 4.0 Workstation, Windows 2000 Server, Windows 2000 Workstation, Windows XP Professional and Home Edition, and Windows Server 2003. MBSA does not run on or against Windows 95, 98 or Me systems.

• You can use MBSA by using the graphical user interface (GUI) or from the command line. The GUI executable is Mbsa.exe and the command line executable is Mbsacli.exe.

• MBSA uses ports 138 and 139 to perform its scans.
• MBSA requires administrator privileges on the computer that you scan. The options /u (username) and /p (password) can be used to specify the username to run the scan. Do not store user names and passwords in text files such as command files or scripts.

• MBSA requires the following software:
  • Windows NT 4.0 SP4 and above, Windows 2000, or Windows XP (local scans only on Windows XP computers that use simple file sharing)
  • IIS 4.0, 5.0 (required for IIS vulnerability checks)
  • SQL 7.0, 2000 (required for SQL vulnerability checks)

  • Microsoft Office 2000, XP (required for Office vulnerability checks)
  • The following services must be installed/enabled: Server service, Remote Registry service, File & Print Sharing
• The section Additional Information later in this How To includes tips on working with MBSA.

Scanning for Security Updates and Patches
You can run Mbsa.exe and Mbsacli.exe with options to verify the presence of security patches.

QUESTION NO: 17

You are the security analyst for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The perimeter network contains an application server, which is accessible to external users. You view the logs on your intrusion-detection system (IDS) and on the router and discover that very large numbers of TCP SYN packets are being sent to the application server. The application server is responding with SYN-ACK packets to several different IP addresses, but is not receiving ACK responses. You note that all incoming SYN packets appear to be originating from IP addresses located within the perimeter network’s subnet address range. No computers in your perimeter network are configured with these IP addresses. The router logs show that these packets are originating from locations on the Internet. You need to prevent this type of attack from occurring until a patch is made available from the application vendor. Because of budget constraints, you cannot add any new hardware or software to the network. Your solution cannot adversely affect legitimate traffic to the application server. What should you do?

A. Relocate the application server to the company intranet. Configure the firewall to allow inbound and outbound traffic on the ports and protocols used by the application.

B. Configure network ingress filters on the router to drop packets that have local addresses but that appear to originate from outside the company network.

C. Create access control lists (ACLs) and packet filters on the router to allow perimeter network access to only authorized users and to drop all other packets originating from the Internet.

D. Configure the IDS on the perimeter network with a response rule that sends a remote shutdown command to the application server in the event of a similar denial-of-service attack.

Answer: B

Explanation: This type of attack is a denial of service attack that uses spoofed source addresses.

Dropping spoofed packets

In an ideal world, each router would be configured with ingress filters that would drop packets arriving from "internal" networks whose source address was not a member of the set of network addresses that this router serves. The majority of routers could be so configured. Backbone routers and edge routers for complex topologies probably could not be configured with such filters. These ingress filters should be required as part of a "good neighbor policy." Ingress filters would not totally eliminate denial of service attacks but could greatly reduce such attacks. An attacker could still spoof an address within a local subnet, but that would permit backtracking the packets to the source subnet. Cisco's unicast reverse path forwarding also can be used to block spoofed packets at edge routers. Routers that implement ingress filtering will not forward the packets sent by a mobile host in a foreign network.

QUESTION NO: 18

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The network contains a Windows Server 2003 computer named TestKingCA. The company uses an enterprise certification authority (CA) on TestKingCA to issue certificates. A certificate to encrypt files is autoenrolled to all users. The certificate is based on a custom Encrypting File System (EFS) certificate template. The validity period of the certificate is set to two years. Currently, the network is configured to use data recovery agents. You are planning to implement key archival for the keys that users use to decrypt files. You configure the CA and the custom EFS certificate template to enable key archival of the encryption private keys. You need to ensure that the private EFS key of each user who logs on to the domain is archived. What should you do?

A. Configure a new issuance policy for the custom EFS certificate template.
B. Configure the custom EFS certificate template to reenroll all certificate holders.
C. Select the Automatically Enroll Certificates command in the Certificates console.
D. Configure a logon script that runs the gpupdate.exe /force command for the users.

Answer: C

Explanation: Key Archival and Management in Windows Server 2003

Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/kyacws03.asp
EFS always attempts to enroll for the Basic EFS template. The EFS driver generates an autoenrollment request that Autoenrollment tries to fulfill. For customers that want to ensure that a specific template is used for EFS (such as to include key archival), the new template should supersede the Basic EFS template. This will ensure that Autoenrollment will not attempt enrollment for Basic EFS any more.

Key Archival
The private key database is the same as the database used to store the certificate requests. The Windows Server 2003 Certification Authority database has been extended to support storing the encrypted private key along with the associated encrypted symmetric key and issued certificate. The recovery blob will be stored in the same row as the signed certificate request and any other information the CA persists in its database for each request transaction. The actual encrypted blob is stored as an encrypted PKCS #7 blob. The Microsoft Certification Authority uses the JET database engine, upon which various JET utilities may be used for maintenance purposes.

QUESTION NO: 19

You are the network administrator for TestKing. The network consists of a single Active Directory forest. The forest contains Windows Server 2003 servers and Windows XP Professional computers. The forest consists of a forest root domain named testking.com and two child domains named child1.testking.com and child2.testking.com. The child1.testking.com domain contains a member server named TestKingSrvC. You configure TestKingSrvC to be an enterprise certification authority (CA), and you configure a user certificate template. You enable the Publish certificate in Active Directory setting in the certificate template. You instruct users in both the child1.testking.com and the child2.testking.com domains to enroll for user certificates.
You discover that the certificates for user accounts in the child1.testking.com domain are being published to Active Directory, but the certificates for user accounts in the child2.testking.com domain are not. You want certificates issued by TestKingSrvC to child2.testking.com domain user accounts to be published in Active Directory. What should you do?

A. Configure user certificate autoenrollment for all domain user accounts in the testking.com domain.

B. Configure user certificate autoenrollment for all domain user accounts in the child2.testking.com domain.

C. Add TestKingSrvC to the Cert Publisher group in the testking.com domain.
D. Add TestKingSrvC to the Cert Publisher group in the child2.testking.com domain.

Answer: D

Explanation: The problem here is that TestKingSrvC doesn’t have the necessary permission to publish certificates for users in child2.testking.com. We can solve this problem by adding TestKingSrvC to the Cert Publisher group in the child2.testking.com domain. Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;219059

QUESTION NO: 20

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. All domain controllers run Windows Server 2003. The domain controllers are configured as shown in the following table.

You plan to take TestKingSrvD offline for maintenance. Another network administrator plans to add 1,250 new user accounts while TestKingSrvD is offline. You need to ensure that the network administrator can add the user accounts while TestKingSrvD is offline. You also need to ensure that there is no disruption of user account creation after TestKingSrvD is brought back online. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Connect to TestKingA by using the Ntdsutil utility.
B. Connect to TestKingSrvD by using the Ntdsutil utility.
C. Remove the global catalog server role from TestKingSrvD.
D. Add the global catalog server role to TestKingSrvD.
E. Transfer the RID master role.

Answer: A, E

Explanation: The RID master is assigned to allocate unique sequences of relative IDs to each domain controller in its domain. As the domain controllers use the IDs allocated, they contact the RID master and are allocated additional sequences as needed. At any time, the RID master role can be assigned to only one domain controller in each domain. The relative ID is part of a security ID (SID) that uniquely identifies an account or group within a domain. We will be creating 1,250 new user accounts, so the domain controller will need to contact the RID master to obtain more RIDs. We can transfer the RID master role using the ntdsutil utility.

Incorrect Answers:
B: We need to connect to the computer we will be transferring the role to, not from.
C: We have a Global Catalog on TestKingSrvA. We don’t need another one.
D: TestKingSrvD is already a global catalog server.
Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_adTransRIDMaster.asp

QUESTION NO: 21

You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains. The functional level of all three domains is Windows 2000 native. Your company is merging with a company named Acme. The Acme network consists of a single Active Directory forest that contains one domain named acme.com. The functional level of the domain is Windows 2000 native. The forests of both companies are shown in the exhibit.

You need to allow users in each forest to fully access resources in the domains of the other forest. In addition, users must be able to log on between domains by using Kerberos authentication. You need to ensure that users can continue to access all resources by using their existing user accounts. What should you do?

A. Demote the Windows 2000 domain controllers in the acme.com domain to become member servers. Promote these servers into the testking.com domain.

B. Demote the Windows 2000 domain controllers in the acme.com domain to become member servers. Upgrade these servers to Windows Server 2003. Promote the upgraded computers to become domain controllers for a new domain tree in the TestKing forest.

C. Upgrade the Windows 2000 domain controllers in the acme.com domain to Windows Server 2003. Create external trust relationships between the root domains of each forest.

D. Upgrade all domain controllers in both forests to Windows Server 2003. Raise the functional level of both forests to Windows Server 2003. Create a forest trust relationship between the root domains of each forest.

Answer: D

Explanation: To enable users in each forest to fully access resources in the domains of the other forest and log on to either domain with Kerberos authentication, we need to create a forest trust between the two forests. To create a forest trust, both forests must be at the Windows Server 2003 forest functional level. This requires that all domain controllers in each domain are running Windows Server 2003.

Incorrect Answers:
A: This will decommission the acme.com domain/forest. This isn’t a requirement.
B: This will decommission the acme.com forest. This isn’t a requirement.
C: We need a forest trust to enable Kerberos authentication across the trust link.

QUESTION NO: 22

You are the network administrator for your company. The company consists of two subsidiaries named TestKing and Fabrikam, Inc. The network consists of two Active Directory forests. All servers run Windows Server 2003. The domain configuration is shown in the exhibit.

The North American department in the company is renamed to Northwind Traders. You rename the NA.testking.com domain to northwindtraders.com. You change the NetBIOS name for the domain to northwindtraders. The northwindtraders.com domain is a second tree in the testking.com forest. After the domain is renamed, users in the northwindtraders.com domain report that they cannot access any shared resources in the fabrikam.com domain. In addition, users in the fabrikam.com domain report that they cannot access shared resources in the northwindtraders.com domain.

You need to re-enable the sharing of resources between the northwindtraders.com domain and the fabrikam.com domain. What should you do?

A. Change the NetBIOS name for the northwindtraders.com domain to NA.
B. Delete and re-create the two one-way trust relationships between the northwindtraders.com domain and the fabrikam.com domain.
C. Configure conditional forwarding on the DNS server in the fabrikam.com domain to forward requests for the northwindtraders.com domain to the DNS servers in the testking.com domain.
D. Reset the computer account passwords on all of the domain controllers in the northwindtraders.com domain.

Answer: B

Explanation: After renaming the domain, the external trust relationships will need to be recreated.

Creating Necessary Shortcut Trust Relationships
You can reposition any domain within the domain tree hierarchy of a forest, with the exception of the forest-root domain. Remember that although the forest root domain can be renamed (its DNS and NetBIOS names can change), it cannot be repositioned in such a way that you designate a different domain to become the new forest root domain. If your domain rename operation involves restructuring the forest through repositioning of the domains in the domain tree hierarchy, as opposed to simply changing the names of the domains in place, you first need to create the necessary shortcut trust relationships between domains such that the new forest structure has two-way transitive trust paths between every pair of domains in the target forest, just as your current forest does.

Forest restructuring
Using domain rename, you can also restructure the hierarchy of domains in your forest so that a domain residing in one domain tree is moved to another domain tree. Restructuring a forest allows you to move a domain anywhere within the forest in which it resides (except the forest root domain). This includes the ability to move a domain so that it becomes the root of its own domain tree.

Domain tree: In DNS, the inverted hierarchical tree structure that is used to index domain names. Domain trees are similar in purpose and concept to the directory trees used by computer filing systems for disk storage. For example, when numerous files are stored on disk, directories can be used to organize the files into logical collections. When a domain tree has one or more branches, each branch can organize domain names used in the namespace into logical collections. In Active Directory, a hierarchical structure of one or more domains, connected by transitive, bidirectional trusts, that forms a contiguous namespace. Multiple domain trees can belong to the same forest.

You can use the domain rename utility (Rendom.exe) to rename or restructure a domain. The Rendom.exe utility can be found in the Valueadd\Msft\Mgmt\Domren directory on the operating system installation CD. A domain rename will affect every domain controller in your forest and is a multistep process that requires a detailed understanding of the operation.

Renaming domain controllers
Renaming a domain controller requires that you first provide a FQDN as a new computer name for the domain controller. All of the computer accounts for the domain controller must contain the updated SPN attribute, and all the authoritative DNS servers for the domain name must contain the host (A) resource record for the new computer name. Both the old and new computer names are maintained until you remove the old computer name. This ensures that there will be no interruption in the ability of clients to locate or authenticate to the renamed domain controller, except when the domain controller is restarted. The SPN value of the computer account must be replicated to all domain controllers for the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name.

References:
Windows Server 2003 Server Help
MS White Paper: Step-by-Step Guide to Implementing Domain Rename

QUESTION NO: 23
You are the network administrator for TestKing. The company needs to implement a Web application that uses two Microsoft SQL Server 2000 database instances. You expect the size of each database instance to be between 200 GB and 300 GB at any given time. Several tables in each database contain data that is updated once every few seconds, on average. You estimate that each database instance requires 7 GB of memory, and that each instance requires 70 percent usage of four CPUs, on average. Using two servers, TestKingSQL1 and TestKingSQL2, you need to plan the minimum highly available server infrastructure for the databases that meets the requirements.
You also want to minimize the costs and administrative effort required to maintain the infrastructure. What should you do? To answer, drag the appropriate configuration settings to the Cluster Configuration.


Answer:

Explanation: We are running two different databases, so we need a Cluster Service cluster rather than a Network Load Balancing cluster (we can only use NLB if the two servers are hosting identical content). For a Cluster Service cluster, we need to use Windows Server 2003 Enterprise Edition. We need to ensure that the database will still run if one of the cluster nodes fails. Therefore each cluster node will need enough resources to run both databases. Each database requires four CPUs, so each cluster node must have 8 CPUs in order to run both databases in the event of a cluster node failure. Each database requires 7 GB of RAM, so each cluster node must have at least 14 GB of RAM in order to run both databases in the event of a cluster node failure (our only option above 14 GB of RAM is to put 16 GB of RAM in each cluster node).

QUESTION NO: 24
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains a secure site and a main office site, as shown in the exhibit.


All domain controllers are configured as shown in the following table.

Drive   Contents
C       Boot partition, system partition, Active Directory database log files
D       Active Directory database
E       Files and folders

The motherboard on TESTKING2 fails and TESTKING2 is taken offline. One week later, an administrator connects to TESTKING3 and seizes the schema master role. You need to access files on drive E on TESTKING2. You replace the motherboard on TESTKING2 and bring TESTKING2 online on an isolated subnet. You need to be able to bring TESTKING2 back into the secure site as quickly as possible in order to access the files. What should you do?

A. Perform a full format of drive D on TESTKING2. Transfer the schema master role to a domain controller in the MainOffice site. Remove references to TESTKING2 from Active Directory by using the Ntdsutil utility and the ADSIEdit utility on TESTKING1.

B. Perform a full format of drive C on TESTKING2. Reinstall the operating system on TESTKING2. Remove references to TESTKING2 from Active Directory by using the Ntdsutil utility and the ADSIEdit utility on TESTKING1.

C. Perform a full format of drive E on TESTKING2. Run the dcpromo command on TESTKING2. Transfer the schema master role to a domain controller in the MainOffice site. Join TESTKING2 to the domain.

D. Perform a full format of drive C on TESTKING2. Transfer the schema master role to a domain controller in the MainOffice site.


Remove references to TESTKING2 from Active Directory by using the Ntdsutil utility and the ADSIEdit utility on TESTKING1.

Answer: B

Explanation: We have seized the schema master role from Testking2 on Testking3. Therefore, we don't want to bring Testking2 back online with its old schema master role. Having two schema masters will cause problems in the forest. To bring Testking2 back online, we should format the C drive and reinstall the operating system. We should also 'clean' the Active Directory database by removing references to TESTKING2 from Active Directory by using the Ntdsutil utility and the ADSIEdit utility on another domain controller.

Incorrect Answers:
A: We need to reinstall the operating system, so we should format drive C, not drive D.
C: Formatting drive E will erase the data we want to access.
D: The schema master role has already been transferred. We need to reinstall the operating system after formatting drive C.

QUESTION NO: 25
You are a network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. A help desk user reports that a user object was accidentally deleted and the user can no longer log on to the domain and access resources. You confirm that the user object was included in the most recent backup. You need to enable the user to log on to the domain. You must ensure that the user retains access to resources. What should you do?

A. Install a new domain controller. Install Active Directory from media by using the most recent backup. Manually initiate replication.

B. Decrease the garbage collection interval. Perform a nonauthoritative restoration of Active Directory by using the most recent backup.

C. Perform a nonauthoritative restoration of Active Directory by using the most recent backup. Authoritatively restore the user object that was deleted.

D. Re-create a user object that has the same user principal name (UPN) as the user object that was deleted. Authoritatively restore this user object.


Answer: C

Explanation: If you inadvertently delete or modify objects stored in the Active Directory directory service, and those objects are replicated or distributed to other servers, you will need to authoritatively restore those objects so they are replicated or distributed to the other servers. If you do not authoritatively restore the objects, they will never get replicated or distributed to your other servers because they will appear to be older than the objects currently on your other servers. Using the Ntdsutil utility to mark objects for authoritative restore ensures that the data you want to restore gets replicated or distributed throughout your organization. On the other hand, if your system disk has failed or the Active Directory database is corrupted, then you can simply restore the data nonauthoritatively without using the Ntdsutil utility.

Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects. Active Directory service data can be restored using one of three restore methods:

• Primary restore
• Normal (nonauthoritative) restore
• Authoritative restore

Authoritative restore: In Backup, a type of restore operation performed on an Active Directory domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects.

We need to restore the Active Directory database non-authoritatively, then, from the restored copy of the database, we need to authoritatively restore the user object.

Incorrect Answers:
A: It isn't necessary to install a new domain controller.
B: We need to authoritatively restore the user object, otherwise AD replication will delete the user object again.
D: Creating a new user account won't work because the new user account will have a different SID from the deleted account.

QUESTION NO: 26
You are the network administrator for Fabrikam, Inc. The network consists of a single Active Directory domain that contains one domain controller. All servers run Windows Server 2003. All client computers run Windows XP Professional. The company uses Group Policy objects (GPOs) to configure user and computer settings. A new user named Dr. King reports that his Windows desktop is different from others in the company and that he does not have access to the same applications as other users. You discover that none of the user settings from any GPOs are in effect on Dr. King's computer after Dr. King logs on. You instruct Dr. King to run the gpresult command, and he reports that he receives the following error message: "INFO: The group policy object does not exist". You run the gpotool command on the domain controller and receive the output shown in the exhibit.

You need to ensure that Group Policy settings can be applied correctly. What should you do?

A. Run the gpupdate /force command on the domain controller.
B. Run the gpupdate /force command on Dr. King's computer.
C. Restore the system state on the domain controller from a valid backup.
D. Restore the backup state on Dr. King's computer from a valid backup.

Answer: C

Explanation: We can see from the exhibit that there is a problem with the group policy. It seems to have become corrupted. To restore the group policy, we'll need to restore the system state data on a domain controller.

Gpotool is the Group Policy Object verification tool.
Usage: gpotool [options]


Options:
/gpo:GPO[,GPO...]   Preffered policies. Partial GUID and friendly name match accepted. If not specified, process all policies in the domain.
/domain:name        Specify the DNS name for the domain hosting the policies. If not present, assume user's domain.
/dc:DC[,DC...]      Preffered list of domain controllers. If not specified, find all controllers in the domain.
/checkacl           Verify sysvol ACL. For faster processing, this step is skipped
/verbose            Display detailed information.

Identifying the File-Based GPO Structure on the System Volume

1. On a domain controller in the domain identified above, determine which drive hosts the system volume (Sysvol).
2. Using Windows Explorer, open the Sysvol folder.
3. The following folders exist: Domain, Staging, Staging Areas, and Sysvol. Change to the Sysvol folder.
4. A folder with the name of the domain that the local domain controller is a member of should exist. Change to the following folder: Path to Sysvol\Sysvol\DomainName\Policies. A folder for each GPO created in the domain, each identified by its GUID, should exist.
5. Open the folder identified by the GUID of the GPO that you recorded in the previous section of this article.

Note: The Group Policy structure on the system volume contains a Gpt.ini file that contains version information (of the GPO) and other optional data. Additionally, the file-based policy is broken into Machine and User folders with the appropriate policy for each. An Adm folder may also be present when software policies (administrative templates) are being used. Without access to the properties of a given GPO, the administrator can use other methods of attaining either the GUID for a known GPO or the friendly name of a GPO of which the administrator has the associated GUID.

Reference:
Troubleshooting Group Policy Application Problems. Microsoft Knowledge Base Article 216359
Troubleshooting Group Policy Application Problems. Microsoft Knowledge Base Article 250842

QUESTION NO: 27
You are a network administrator for TestKing. The company consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional.


The company's main office is located in Dallas. You are a network administrator at the company's branch office in Boston. You create a Group Policy object (GPO) that redirects the Start menu for users in the Boston branch office to a shared folder on a file server. Several users in Boston report that many of the programs that they normally use are missing from their Start menus. The programs were available on the Start menu the previous day, but did not appear when the users logged on today. You log on to one of the client computers. All of the required programs appear on the Start menu. You verify that users can access the shared folder on the server. You need to find out why the Start menu changed for these users. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. In the Group Policy Management Console (GPMC), select the file server that hosts the shared folder and a user account that is in the Domain Admins global group and run Resultant Set Of Policy (RSoP) in planning mode.

B. In the Group Policy Management Console (GPMC), select one of the affected user accounts and run Resultant Set of Policy (RSoP) in logging mode.

C. On one of the affected client computers, run the gpresult command.
D. On one of the affected client computers, run the gpupdate command.
E. On one of the affected client computers, run the secedit command.

Answer: B, C

Explanation: We need to view the effective group policy settings for the users or the computers that the users are using. We can use gpresult or RSoP.

Gpresult displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer.

RSoP overview: Resultant Set of Policy (RSoP) is an addition to Group Policy. RSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. RSoP consists of two modes: planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user.


Logging mode reports the existing policy settings for a computer and the user that is currently logged on.

Incorrect Answers:
A: We need to test the effective policy from a user's computer, not the file server.
D: Gpupdate is the tool used to refresh the policy settings in Windows XP and Windows Server 2003.
E: Secedit is the tool used to refresh the policy in Windows 2000 Professional and Server editions.

QUESTION NO: 28
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. You are testing Group Policy objects (GPOs) on an organizational unit (OU) named Test. The Test OU contains a Windows XP Professional client computer that you use as a test computer. The domain contains a group named Security. You create a new GPO and configure the Computer Configuration section to grant the Security group the Change the system time user right. You log on to the test computer and discover that the setting you set through the GPO is not in effect. You need to apply the GPO settings immediately. What should you do?

A. Log off the test computer and log on again.
B. Log off the test computer. Create a test user account in the Test OU and then log on as the test user account.
C. On the test computer, run the gpresult command.
D. On the test computer, run the gpupdate /force command.

Answer: D

Explanation: We need to apply the group policy immediately, rather than wait for the next group policy refresh interval. We can do this using the gpupdate /force command.

Gpupdate refreshes local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command. The /force switch ignores all processing optimizations and reapplies all settings.


Incorrect Answers:
A: We need to apply a computer policy, so we would need to restart the computer rather than just logging off.
B: There is no need to create another user account.
C: Gpresult is used to display the effective group policy settings. It does not apply group policy settings.

QUESTION NO: 29
You are the network administrator for TestKing GmbH. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The Active Directory structure is shown in the Active Directory exhibit.

The company’s written policy states that users in the manufacturing department are given only restricted access to settings and applications on their computers. The written policy also states that this limitation does not apply to members of a security group named Managers. You create a Group Policy object (GPO) named Restricted Settings and link the GPO to the domain. This GPO contains the policy settings required by the written company policy. You discover that the restricted settings apply to all users. You examine the Restricted Settings GPO by using the Group Policy Management Console (GPMC). The relevant information is shown in the GPMC exhibit.


You need to configure the network so that the written policy is enforced correctly. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Unlink the Restricted Settings GPO from the domain. Link it to the Manufacturing organizational unit (OU).

B. Unlink the Restricted Settings GPO from the domain. Link it to the Company Users organizational unit (OU).

C. Assign the Authenticated Users group to the Deny – Apply Group Policy permission for the Restricted Settings GPO.

D. Assign the Managers group the Deny – Apply Group Policy permission for the Restricted Settings GPO.

Answer: A, D

Explanation: The question states that the restricted settings should apply to users in the Manufacturing OU. The policy is currently linked to the domain, which is why it is being applied to all users in the domain. We should unlink the policy from the domain and link it to the Manufacturing organizational unit (OU). Members of the Managers group should not receive the settings from the OU. We can fulfil this requirement by assigning the Managers group the Deny – Apply Group Policy permission for the Restricted Settings GPO.

Incorrect Answers:
B: The restricted settings should apply to users in the Manufacturing OU, not the Company Users OU.
C: This would prevent the policy applying to all users. The policy should apply to users in the Manufacturing OU.

QUESTION NO: 30


You are the network administrator for TestKing. The company has a main office and six branch offices. Each branch office employs fewer than 15 users. The network consists of a single Active Directory domain configured as a single site. All servers run Windows Server 2003. Domain controllers are located in the main office. All branch offices are connected to the main office by WAN connections. All users are required to change their password every 10 days. They are further restricted from reusing a password until after they have used five different passwords. You discover that users in the branch office can log on by using recently expired passwords and access local resources during a WAN connection failure that lasts for 24 hours or longer. You need to ensure that users can log on to the domain only by using a current password. What should you do?

A. Enable universal group membership caching in the site.
B. Instruct all users to log on by using their user principal names (UPNs).
C. In Active Directory Users and Computers, require all users to change their passwords the next time they log on to the domain.
D. Configure the Default Domain Policy Group Policy object (GPO) to prevent logon attempts that use cached credentials.

Answer: D

Explanation: When the client computers are unable to contact a domain controller at the main office, the users are being logged on using 'cached credentials'. This means that the client computer remembers that the user successfully authenticated with the domain controller recently, so the client computer assumes it is OK to log the user on again after failing to contact a domain controller. We can disable this behaviour using a group policy.

Incorrect Answers:
A: Enabling universal group caching won't prevent the logons.
B: This won't prevent the users' ability to log on.
C: This won't prevent the users' ability to log on.

QUESTION NO: 31
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Most of the client computers are located in the offices of individual users. Some client computers are located in publicly accessible locations. The company's written security policy includes the following requirements.


• All users must use smart cards to log on to a client computer.
• Users using the publicly accessible client computers must be logged off if the smart card is removed from the smart card reader.

You configure all user accounts to require smart cards for interactive logon. You create an organizational unit (OU) named Public. You need to ensure that the appropriate result occurs on each client computer when a smart card is removed. You must achieve this goal without affecting other computers. What should you do?

A. Place all computer accounts for the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive Logon: Smart card removal behavior setting to Force Logoff.

B. Place the user accounts of all users who use the publicly accessible client computers in the Public OU. Create a new Group Policy object (GPO) and link the GPO to the Public OU. Configure the Interactive logon: Smart card removal behavior setting to Force logoff.

C. On the Default Domain Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force logoff.

D. On the Default Domain Controllers Policy Group Policy object (GPO), configure the Interactive logon: Smart card removal behavior setting to Force Logoff.

Answer: A

Explanation: We can place the public computers in the Public OU; this will enable us to apply a group policy to the public computers. The question states that users must be logged off if the smart card is removed from the smart card reader. There is a specific setting in group policy for this. We can configure the Interactive Logon: Smart card removal behaviour setting to Force Logoff.

MS White Paper: Planning a Smart Card Deployment
Selecting Group Policy Settings to Manage Smart Card Use
Several Group Policy settings are specific to smart card management. You can use these Group Policy settings to manage smart cards in your organization.

Note: Other security policy settings, such as lockout policy or restricted logon times, can also impact smart card users if they use their cards for account logon.

Smart card required for interactive logon
When you set this policy on a user account, the user cannot log on to the account by using a password. They can only log on by using a smart card. The advantage of using this policy setting is that it enforces strict security. However, if users are unable to log on by using conventional passwords, you must provide an alternate solution in the event that smart cards become unusable.

Note: This policy setting applies to interactive and network logons only. It does not apply to remote access logons, which are managed by policy settings that are configured on the remote access server.

The Smart card required for interactive logon policy is not recommended for users who need to:

• Join a computer to a domain.
• Perform administrative tasks such as installing Active Directory on a member server.
• Configure a network connection for remote access.

If you choose not to use this security policy setting, users can revert to their standard network passwords if their smart cards are damaged or unavailable. However, this weakens security. In addition, users who use their passwords infrequently might forget them, and either write them down, or call the help desk for a password reset, increasing help desk costs to the organization.

On smart card removal
Users who walk away from computers that are running an active logon session create a security risk. To enforce the security of your system, it is best if users either log off or lock their computers when they leave. The On smart card removal policy allows you to force users to log off or lock their computers when they remove their smart cards.

Note: If you select the forced logoff option, users need to make sure they have saved changes to documents and other files before they remove their smart cards. Otherwise, they lose any changes they have made.

Whether or not you set the On smart card removal policy depends on how your users interact with their computers. For example, this policy is a good choice if using computers in an open floor or kiosk environment. This policy might not be necessary when users have dedicated computers or exclusive use of multiple computers. You can use a password-protected screensaver or other means to lock the computers of these users.

Note: The On smart card removal policy is a local computer policy that is administered on a per computer basis. Set the On smart card removal policy on a per user account basis, along with other domain security policy settings.

Incorrect Answers:
B: This is a computer setting, not a user setting.
C: This will force logoff all users in the domain. Only users of the public computers should be logged off when they remove their smart cards.
D: This will force logoff all users who log on to a domain controller. Only users of the public computers should be logged off when they remove their smart cards.
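As an added defender-side check (example code written for this page, not part of the TestKing material or any Microsoft tool), the following PowerShell script reads the two Winlogon values that the Group Policy settings in Questions 30 and 31 write (Number of previous logons to cache, and Smart card removal behavior), and lists which user accounts carry the "Smart card is required for interactive logon" flag from Question 31. It assumes PowerShell 3.0 or later, local administrator rights on a domain member, and a placeholder OU path that you would replace with your own.

```powershell
# Added example: audit the logon-hardening settings discussed in Questions 30 and 31.
# Not from the TestKing material. Assumes PowerShell 3.0+ and admin rights.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-LogonHardeningState {
    $props = Get-ItemProperty -Path $winlogon

    # "Interactive logon: Number of previous logons to cache" is stored as the
    # REG_SZ value CachedLogonsCount. The default is 10; 0 disables cached
    # logons entirely, which is what Answer D of Question 30 achieves through
    # the Default Domain Policy.
    $cached = if ($null -ne $props.CachedLogonsCount) { [int]$props.CachedLogonsCount } else { 10 }

    # "Interactive logon: Smart card removal behavior" is stored as the REG_SZ
    # value ScRemoveOption: 0 = No action, 1 = Lock workstation,
    # 2 = Force logoff, 3 = Disconnect if a Remote Desktop session.
    $removal = if ($null -ne $props.ScRemoveOption) { [int]$props.ScRemoveOption } else { 0 }
    $removalNames = @{ 0 = 'No action'; 1 = 'Lock workstation'; 2 = 'Force logoff'; 3 = 'Disconnect RD session' }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        CachedLogonsCount    = $cached
        CachedLogonsDisabled = ($cached -eq 0)   # Question 30 requirement met
        SmartCardRemoval     = $removalNames[$removal]
        ForceLogoffOnRemoval = ($removal -eq 2)  # Question 31 requirement met
    }
}

# The "Smart card is required for interactive logon" check box on a user
# account sets bit 0x40000 (ADS_UF_SMARTCARD_REQUIRED) in userAccountControl.
# The ADSI searcher is used so this works without the AD PowerShell module.
function Get-SmartCardRequiredUsers {
    param([string]$SearchBase = 'LDAP://OU=Public,DC=testking,DC=com')  # placeholder OU

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchBase
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl'))

    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            Account           = [string]$r.Properties['samaccountname'][0]
            SmartCardRequired = (($uac -band 0x40000) -ne 0)
        }
    }
}

# Report the local computer's state, then any accounts in the OU that can
# still log on with a password despite the written policy.
Get-LogonHardeningState | Format-List
Get-SmartCardRequiredUsers | Where-Object { -not $_.SmartCardRequired } | Format-Table -AutoSize
```

Run it on one of the public computers after a gpupdate /force to confirm the Force logoff value actually arrived, rather than trusting the GPO link alone.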


QUESTION NO: 32 You are a network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The company has users who work in the main office and users who work remotely by connecting to a server running Routing and Remote Access. The company’s written security policy requires that administrators in the main office log on by using smart cards. The written security policy also requires that remote users use smart cards to access network resources. No other users are required to use smart cards. You issue portable computers that contain smart card readers to administrators and remote users. You issue smart cards to administrators and remote users. Administrators and remote users report that they can log on without using a smart card. You need to ensure that only administrators are required to use smart cards when working in the main office. You must also ensure that remote users are required to use smart cards when accessing network resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. In the computer configuration settings of the Default Domain Policy Group Policy object (GPO), enable the Interactive logon: Require smart card setting.

B. On the server running Routing and Remote Access, select the Extensible authentication protocol (EAP) check box and require smart card authentication.

C. In the properties of each administrator account, select the Smart Card Required for Interactive Logon check box.

D. In the computer configuration settings of the Default Domain Controllers Policy Group Policy object (GPO), enable the Interactive logon: Require smart card setting.

E. In the properties of each user account that requires remote access, select the Smart Card Required for Interactive Logon check box.

Answer: B, C
Explanation: Remote users can be made to use smart cards only by configuring the Routing and Remote Access server they connect to: with EAP enabled and smart card (certificate) authentication required, the remote connection cannot be established with a password alone. Administrators can be made to use smart cards for interactive logon through the Smart Card Required for Interactive Logon account option, which is set in the user properties in Active Directory Users and Computers. Setting it per account, rather than through a computer policy, is what limits the requirement to the administrators.
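Because the per-account option is a bit in the userAccountControl attribute, the written policy above can be audited from an ldifde export rather than by opening each account. The following script is an added example, not part of the TestKing material: the account names, group names and userAccountControl values are constructed sample data in the shape ldifde.exe produces; the flag values are the documented ADS_USER_FLAG constants. It reports administrators that still lack the flag (they would be able to log on with a password, as in the question) and ordinary users that have it set even though the policy does not require it.

```python
"""Audit which AD user accounts have 'Smart card is required for interactive
logon' set, by decoding the userAccountControl bit flag in an ldifde export.

Added example; the LDIF text below is constructed sample data, not a real
export. Flag values are the documented ADS_USER_FLAG_ENUM constants.
"""

import re

# Documented userAccountControl bits (ADS_USER_FLAG_ENUM).
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
ADS_UF_SMARTCARD_REQUIRED = 0x40000  # the per-account check box in ADUC

# Constructed ldifde-style export (a real export carries many more attributes).
SAMPLE_LDIF = """\
dn: CN=Alice Admin,OU=Admins,DC=testking,DC=com
sAMAccountName: alice
memberOf: CN=Domain Admins,CN=Users,DC=testking,DC=com
userAccountControl: 262656

dn: CN=Bob Admin,OU=Admins,DC=testking,DC=com
sAMAccountName: bob
memberOf: CN=Domain Admins,CN=Users,DC=testking,DC=com
userAccountControl: 66048

dn: CN=Carol Remote,OU=Sales,DC=testking,DC=com
sAMAccountName: carol
memberOf: CN=Remote Users,OU=Groups,DC=testking,DC=com
userAccountControl: 262656

dn: CN=Dave Office,OU=Sales,DC=testking,DC=com
sAMAccountName: dave
memberOf: CN=Office Users,OU=Groups,DC=testking,DC=com
userAccountControl: 512
"""

# Groups whose members the written policy says must use smart cards.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_ldif(text):
    """Return one dict per 'dn:' record; memberOf values are collected in a list."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"memberOf": []}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            value = value.strip()
            if attr == "memberOf":
                rec["memberOf"].append(value)
            else:
                rec[attr] = value
        records.append(rec)
    return records


def group_cn(dn):
    """First CN= component of a distinguished name (the group's name)."""
    m = re.match(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn


def audit(records, admin_groups=ADMIN_GROUPS):
    """Check accounts against the policy: admins must have the flag,
    non-admins must not. Returns (admins_missing_flag, non_admins_with_flag)."""
    missing, unexpected = [], []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & ADS_UF_ACCOUNTDISABLE:
            continue  # disabled accounts cannot log on interactively anyway
        is_admin = any(group_cn(g) in admin_groups for g in rec["memberOf"])
        has_flag = bool(uac & ADS_UF_SMARTCARD_REQUIRED)
        if is_admin and not has_flag:
            missing.append(rec["sAMAccountName"])
        if not is_admin and has_flag:
            unexpected.append(rec["sAMAccountName"])
    return missing, unexpected


if __name__ == "__main__":
    miss, extra = audit(parse_ldif(SAMPLE_LDIF))
    print("admins without SMARTCARD_REQUIRED:", miss)
    print("non-admins with SMARTCARD_REQUIRED:", extra)
```

On the sample data the audit flags bob (a Domain Admin who can still log on with a password) and carol (a remote user carrying the per-account flag, which is the mistake answer E would make: she would then need a smart card on every machine, including office ones). The flag governs interactive logon only; whether a remote connection requires a smart card is decided by the RRAS server's EAP configuration, which this audit cannot see.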


Incorrect Answers:
A: This would require that all users log on using a smart card.
D: This would require a smart card only for logons to the domain controllers. The administrators must use smart cards to log on to any machine in the domain.
E: This would require the remote users to log on with a smart card to any machine. They do not need a smart card logon when they are using a machine in the office.

QUESTION NO: 33
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a single domain named testking.com. All servers run Windows Server 2003, and all client computers run Windows XP Professional. In a test lab that contains a separate forest, you develop and test a Group Policy object (GPO) that you need to apply to all computers and users in the domain.


You need to implement the new GPO on the network. You want to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Use a Distributed File System (DFS) to replicate the GPO information in the SYSVOL shared folder from the test lab to the domain.

B. Use the Group Policy Management Console (GPMC) to back up the GPO from the test lab and import it into the domain.

C. Copy the Group Policy Template (GPT) files in the SYSVOL shared folder from the test lab to the domain.

D. Use Active Directory Users and Computers to create a new GPO linked to the domain. In the new GPO, include all of the settings that exist in the GPO in the test lab.

Answer: B
Explanation: We can use the Group Policy Management Console (GPMC) to back up the GPO from the test lab and import it into the domain. A GPO consists of a Group Policy container in Active Directory and a Group Policy template in SYSVOL; copying only the SYSVOL files (answers A and C) would move the template without creating the container, and recreating every setting by hand (answer D) is not the minimum of administrative effort.

Reference: MS White Paper, Migrating GPOs Across Domains with GPMC, http://www.microsoft.com/windowsserver2003/docs/MigGPOs.doc
The GPMC lets administrators manage Group Policy for multiple domains and sites within one or more forests, all in a simplified user interface (UI) with drag-and-drop support. Highlights include new functionality such as backup, restore, import, copy, and reporting of Group Policy objects (GPOs). These operations are fully scriptable, which lets administrators customize and automate management.

QUESTION NO: 34
You are a network administrator for TestKing. All client computers run Windows XP Professional. You administer a Windows Server 2003 file server named TestKingSrvC. TestKingSrvC contains two volumes configured as drive G and drive H. Shared folders for the accounting department are stored on drive G. Shared folders for the marketing department are stored on drive G and on drive H. Drive H has sufficient space to store all of the shared folders, with 400 GB of free space. The design team specifies the following requirements for the files in the marketing shared folders on TestKingSrvC:

• The files must be backed up, even if they are open.


• Backups can be performed during business hours, if required. • Users must be able to restore the files.

You need to create a plan that will allow the backup and recovery of folders and files in accordance with the requirements. You need to minimize data loss. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Customize all shared folders by using the Documents template.
B. Place all marketing shared folders on drive H. Enable Shadow Copies of Shared Folders on the volume.
C. Configure all backups by selecting the Disable volume shadow copy check box.
D. Install the Previous Versions client software on all marketing client computers.
E. Assign all users the Allow – Full Control NTFS permissions for the marketing shared folders.

Answer: B, D
Explanation: The question states that drive H has sufficient space to hold all the marketing files, with enough space left over to hold the shadow copies. Users restore files themselves from the Previous Versions tab, so the client computers need the Previous Versions client software to access the shadow copies of the files.

Deploying the client software for shadow copies
The client software for Shadow Copies of Shared Folders is installed on the server in the %systemroot%\system32\clients\twclient directory. You can distribute the client software in a variety of ways; consider the various options before deployment. Several tools included in the Windows Server 2003 family, such as Group Policy, can make deploying and maintaining the client software easier. With the client installed, users can:
Recover files that were accidentally deleted. If you accidentally delete a file, you can open a previous version and copy it to a safe location.
Recover from accidentally overwriting a file. If you accidentally overwrite a file, you can recover a previous version of the file.
Compare versions of a file while working. You can use previous versions when you want to check what has changed between two versions of a file.

Incorrect Answers:
A: This is not necessary.
C: The Disable volume shadow copy check box must be left clear. Backup uses the Volume Shadow Copy Service to take a point-in-time snapshot of the volume, which is what allows open files to be backed up during business hours; selecting the check box makes Backup skip files that are open.
E: It is not necessary to change the permissions on the marketing shared folders.


QUESTION NO: 35 You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP Professional client computers. The domain contains two organizational units (OUs) named Sales and Marketing. Both OUs have multiple Group Policy Objects (GPOs) linked to them. The Sales OU needs to be moved under the Marketing OU. You need to find out which objects in the Sales OU are adversely affected by GPOs linked to the Marketing OU. You need to achieve this goal without disruption to users. What should you do?

A. Use Resultant Set of Policy (RSoP) in logging mode for the Marketing OU. Review the policy results for the users in the OU.

B. Use Resultant Set of Policy (RSoP) in logging mode for the Sales OU. Review the policy results for the users in the OU.

C. Use Resultant Set of Policy (RSoP) in planning mode for the Marketing OU. Choose the Sales OU to simulate policy settings.

D. Use Resultant Set of Policy (RSoP) in planning mode for the Sales OU. Choose the Marketing OU to simulate policy settings.

Answer: D
Explanation: We need to view the effective group policy without actually applying the group policy and disrupting the users. For this, we can use RSoP in planning mode.

RSoP Modes
Planning Mode: In planning mode, you can determine how policy settings would be applied to a target, and analyze the results before deploying a change to Group Policy. For example, you can use planning mode to simulate moving a user to a different container, or to see the effects of placing the user in different security groups. In planning mode, the Group Policy Data Access Service mimics the function of the Windows logon service. Planning mode simulates calling each Group Policy client-side extension to allow the extension to write policy data to the Common Information Model Object Manager (CIMOM) database.
Logging Mode: In logging mode, you can assess which policy settings have been applied or failed to apply to a particular target (users or computers in Active Directory). Group Policy client-side extensions have a WMI interface that writes information (known as logging mode data) about their policy settings to a CIMOM database. You can use the RSoP user interface to query the CIMOM database for policy information.


RSoP logging is enabled by default. You can use policy settings to turn it off: enable the Turn off Resultant Set of Policy logging policy under the Computer Configuration\Administrative Templates\System\Group Policy node for computers, or enable the Disallow Interactive Users from generating Resultant Set of Policy data setting under the User Configuration\Administrative Templates\System\Group Policy node for users.

Incorrect Answers:
A: We need to use planning mode, not logging mode.
B: We need to use planning mode, not logging mode.
C: We need to test the effects of applying the Marketing OU policies to the Sales OU, not vice versa.

Reference: MS Knowledge Base article 323276, HOW TO: Install and Use RSoP in Windows Server 2003; Server Help: RSoP overview

QUESTION NO: 36
You are the network administrator for Acme. The company consists of two subsidiaries named Litware Inc., and TestKing. Litware, Inc., has an office in Los Alamos. TestKing has two offices, one in New Delhi and the other in Berlin. The network consists of two Active Directory forests. A forest trust relationship exists between the two forests. One forest contains one domain named LosAlamos.litwareinc.com. The other forest contains two domains named NewDelhi.testking.com and Berlin.testking.com. All three offices are connected by two 128-Kbps connections. All servers run Windows Server 2003. The network uses roaming profiles and Group Policy objects (GPOs). Occasionally, users need to work at an office other than their usual office. Users must have the same desktop, no matter where they log on to the network. You need to ensure that the user's profile and the GPO settings that apply to the user's account will apply wherever the user logs on to the network. What should you do? To answer, drag the appropriate configuration or configurations to the correct policy or policies in the work area.


Answer:

Explanation: The question states that when a user logs on in a forest other than the one where the user account resides, the user MUST still receive his desktop settings and group policy settings. The first setting, "Wait for remote user profile", should be enabled so that the client computer waits for the remote profile to load, no matter how long it takes. To allow roaming profiles and user group policy settings to apply to the user across the forest trust, we should enable the third setting, "Allow Cross-Forest User Policy and Roaming User Profiles". We also need to prevent the speed of the link from affecting which policies are applied. We cannot do this by simply disabling the slow link detection policy, because a disabled (or not configured) policy leaves the default threshold of 500 Kbps in force; our 128-Kbps links are slower than that, so some group policy settings would not be applied. Instead we enable the Group Policy slow link detection policy and enter a connection speed of 0. This turns slow link detection off in such a way that every link is treated as fast and all group policies are applied, no matter how long they take to load.

Reference: Designing a Group Policy Infrastructure, Roaming Users


Roaming Users
Roaming users access the corporate network through LAN links. They have permanent LAN connections when working locally, but if they roam between sites, they might have restricted network bandwidth back to some servers. They need to access their data from multiple workstations from many different areas in the same physical location.

Mobile Users
Mobile users need to access the network at different times and locations by using dial-up connections, varying LAN connections, or across a wide area network (WAN) link. Therefore, network services must be accessible at any time. The following characteristics apply:

• Their computers are often connected by slow or intermittent network links.
• The bandwidth, quality, and consistency of their network connections are highly variable.
• Users need to save data and settings locally when working offline (their data and settings might be synchronized to a file server).
• The availability of different types of services depends on whether the users are connected to the corporate network and the speed and reliability of their connections.

Optional Settings for Mobile Users
Mobile users might require additional flexibility to configure their systems; for example, they need to configure virtual private network (VPN) connections. In such cases, enable the following settings:

• Enable deletion of remote access connections (belonging to the user).
• Enable renaming of connections belonging to the current user.
• Display and enable the Network Connection wizard.
• Allow access to the current user's remote access connection properties.
• Enable access to the properties of the components of a local area network (LAN) connection.
• Enable access to the properties of the components of a remote access connection.
• Enable status statistics for an active connection.
• Enable the Dial-up Preferences item on the Advanced menu.

Consider using a separate Group Policy object for users who work mostly away from the office, and modify the following policy settings, which are located in the Computer Configuration\Administrative Templates\System\Logon node.

• Slow network connection timeout for user profiles: Defines a slow connection for roaming user profiles. If the server on which the user's roaming user profile resides takes longer to respond than the thresholds that are set by this policy permit, the system considers the connection to the profile to be slow. This policy and related policies in this folder together determine how the system responds when roaming user profiles are slow to load.
• Wait for remote user profile: Directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. The system waits for the remote copy when the user is notified about a slow connection but does not respond within the time allowed.


  o If you enable the Wait for remote user profile policy, the system loads the remote copy without prompting the user.
• Prompt user when slow link is detected: Notifies users when their roaming profile is slow to load.
• Timeout for dialog boxes: Determines how long the system waits for a user response before it uses a default value.

Special Considerations for Site-linked GPOs
Multiple domains (within a forest) can get the same Group Policy object (and included policies), although the Group Policy object only lives in a single domain and must be read from that domain when the affected clients read their site policy. If child domains are set up across wide area network (WAN) boundaries, the site setup typically reflects this. If it does not, the computers in a child domain might be accessing a site Group Policy object across a WAN link. By default, to manage site GPOs, you need to be either an Enterprise Administrator or a domain administrator of the forest root domain. Replication between domain controllers in different sites occurs less frequently than replication between domain controllers in the same site, and during scheduled periods only. The replication schedule and frequency are properties of the site links that connect sites. The default inter-site replication frequency is three hours. To change it, go to the appropriate site link, into the IP link, and change the replication frequency or schedule as desired.

Allow Cross-Forest User Policy and Roaming User Profiles
Requirements: At least Microsoft Windows Server 2003
Location: Computer Configuration\Administrative Templates\System\Group Policy
Description: Allows user-based policy processing, roaming user profiles and user object logon scripts for cross-forest interactive logons. This setting affects all user accounts interactively logging on to a computer in a different forest when a cross-forest or two-way trust exists.

QUESTION NO: 37
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.


A Group Policy object (GPO) named Software Restrictions prevents users from running unauthorized applications. This restriction does not apply to users who are local administrators on their client computers. Developers at the company create a new application for internal users. An administrator installs the application on a number of computers by running the Setup.exe file supplied by the developers. However, when users try to run the new application, they report that they cannot do so. You need to ensure that all users can run the new application. You also need to ensure that unauthorized applications cannot run. What should you do?

A. Install the application on computers that require its use. Create a WMI filter on the Software Restrictions GPO that detects where the software is installed and prevents the GPO from being applied.

B. Create a security group that contains all users who need to use the application. Modify the security settings on the Software Restrictions GPO so that its effects are bypassed for members of this group.

C. Create a hash value for the application’s executable code file, and revise the Software Restrictions GPO to allow executable code files that match the hash value to run.

D. Repackage the application as an .msi package and use a new GPO to assign the package to the computers that require the application.

Answer: C
Explanation: We have a software restriction policy that only allows authorised applications to run. The new application is not authorised, so we authorise it by creating a hash rule from the program file and setting the rule's security level to Unrestricted in the Software Restrictions GPO; the restrictive default level continues to block everything else.

Reference: MS Knowledge Base Article Q324036, HOW TO: Use Software Restriction Policies in Windows Server 2003

How to Create a Hash Rule

1. Click Start, click Run, type mmc, and then click OK.
2. Open Software Restriction Policies.
3. In either the console tree or the details pane, right-click Additional Rules, and then click New Hash Rule.
4. Click Browse to find a file, or paste a precalculated hash in the File hash box.
5. In the Security level box, click either Disallowed or Unrestricted.
6. In the Description box, type a description for this rule, and then click OK.

NOTES:


• You may have to create a new software restriction policy setting for this GPO if you have not already done so.
• You can create a hash rule for a virus or a Trojan horse to prevent the malicious software from running.
• If you want other users to use a hash rule so that a virus cannot run, calculate the hash of the virus by using software restriction policies, and then e-mail the hash value to other users. Never e-mail the virus itself.
• If a virus has been sent through e-mail, you can also create a path rule to prevent users from running mail attachments.
• A file that is renamed or moved to another folder still results in the same hash.
• Any change to a file results in a different hash.
• The only file types that are affected by hash rules are those that are listed in designated file types. There is one list of designated file types that is shared by all rules.
• For software restriction policies to take effect, users must update policy settings by logging off from and then logging on to their computers.
• When more than one rule is applied to policy settings, there is a precedence of rules for handling conflicts.

Incorrect Answers:
A: The GPO prevents users from running unauthorized software. Therefore, this GPO must be applied at all times; we cannot use a WMI filter to prevent the application of the GPO.
B: The GPO prevents users from running unauthorized software. Therefore, this GPO must be applied at all times; we cannot use security filtering to exempt the users who require access to the new application from the GPO.
D: Windows clients support setup.exe files. As long as the setup.exe file is written correctly, the users would be able to use the application. The users in this scenario cannot run the program because the software restriction group policy is preventing them from running the application, not because of how it was installed.

QUESTION NO: 38
You are the network administrator for TestKing. The network consists of two Active Directory forests, each consisting of a single domain. The functional level of both forests is Windows Server 2003. One forest is used for testing and the other forest is used for production. The test forest contains a single domain controller. You are using the test forest to test Group Policy objects (GPOs) that manage administrative templates before they are implemented in the production forest. This testing includes changes to the Default Domain Policy GPO and the Default Domain Controllers Policy GPO. You need to be able to restore the Default Domain Policy and Default Domain Controllers Policy GPOs for the test domain to the settings used in the production forest. You want to accomplish this task by using the minimum amount of administrative effort. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)


A. Run the dcgpofix /both command in the test domain.
B. Back up the Default Domain Policy and Default Domain Controllers Policy GPOs from the production domain by using the Group Policy Management Console (GPMC).
C. Import the Default Domain Policy and Default Domain Controllers Policy GPOs into the test domain by using the Group Policy Management Console (GPMC) and a migration table.
D. Back up the original GptTmpl.inf files for the Default Domain Policy and Default Domain Controllers Policy GPOs from the production forest.
E. Restore the backed up GptTmpl.inf files to the test domain.
F. Increment the version in the Gpt.ini files for the Default Domain Policy and Default Domain Controllers Policy GPOs.

Answer: B, C
Explanation: We can use the Group Policy Management Console (GPMC) to back up the GPOs from the production domain and import them into the test domain. Because the test forest is a separate forest, the security principals and UNC paths referenced in the GPOs have to be mapped to their test-domain equivalents during the import, which is what the migration table provides. Note that dcgpofix (answer A) resets the two default GPOs to their out-of-the-box settings, not to the production settings.

Reference: MS White Paper, Migrating GPOs Across Domains with GPMC, http://www.microsoft.com/windowsserver2003/docs/MigGPOs.doc
The GPMC lets administrators manage Group Policy for multiple domains and sites within one or more forests, all in a simplified user interface (UI) with drag-and-drop support. Highlights include new functionality such as backup, restore, import, copy, and reporting of Group Policy objects (GPOs). These operations are fully scriptable, which lets administrators customize and automate management.


The path must exist already

When we restore, both policies, the Default Domain Policy and the Default Domain Controllers Policy, are imported. The Default Domain Controllers Policy in particular carries user rights assignments and other security settings that name security principals from the production domain, so the import needs a migration table to map those principals to the test domain.
Migration Table TOOL


If GPMC is installed in the default path, the script CreateMigrationTable.wsf is run from C:\Program Files\GPMC\Scripts. It creates migration tables that can be edited and used to map paths and security principals to new values when importing and copying GPOs across domains.

Sample:
C:\>cscript "C:\Program Files\GPMC\Scripts\CreateMigrationTable.wsf"
Creates a migration table that can be edited and used for mapping paths and security principals when performing import and copy operations. The script can optionally pre-populate the table from various sources, including individual GPOs, a backup location containing GPO backups, and all GPOs in the specified domain. If you specify the /MapByName switch, the entries will use the "MapByRelativeName" option, which expects a corresponding account with the same name as the original in the destination domain.

Usage: CreateMigrationTable.wsf TableName [/GPO:value] [/BackupLocation:value] [/AllGPOs] [/Overwrite] [/MapByName] [/Domain:value]

Options:
TableName : The file name of the migration table to be created
GPO : The name of a GPO to process when building the migration table
BackupLocation : File system location where backups are located
AllGPOs : Flag specifying to process all GPOs in the domain
Overwrite : If specified, will overwrite an existing XML instead of appending to it
MapByName : If specified, will set the default destination to map by relative name
Domain : DNS name of domain

Example switches:
C:\>cscript "C:\Program Files\GPMC\Scripts\CreateMigrationTable.wsf" MigrationTable.migtable /BackupLocation:c:\PoliciesBackUP /OverWrite /MapByName

Output:
Processing backed up GPO 'Default Domain Controllers Policy'
Processing backed up GPO 'Default Domain Policy'
Entry 'Enterprise [email protected]' is defined in an external domain. This will not be mapped by name and will be set to be copied as is.


Entry '[email protected]' is defined in an external domain. This will not be mapped by name and will be set to be copied as is.
Entry 'Domain [email protected]' is defined in an external domain. This will not be mapped by name and will be set to be copied as is.
Done.
Migration table 'MigrationTable.migtable' was created.
Migration Table TOOL
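The output above shows the one decision /MapByName makes for each entry: a principal in the domain the script is working against is mapped by relative name, while a principal "defined in an external domain" is copied as is. The script below is an added example, not part of GPMC or of the TestKing explanation, that reproduces that decision for a constructed list of principals and paths of the kind the Default Domain Policy and Default Domain Controllers Policy carry, and writes the result as a .migtable XML file. The destination domain test.testking.local is hypothetical; the rewriting of UNC paths is this example's own choice, not something the .wsf does for you; and the element names (MigrationTable, Mapping, Type, Source, Destination, DestinationSameAsSource, DestinationByRelativeName) are assumed from the GPMC migration table schema and should be checked against the MigrationTable.xsd shipped in the GPMC folder before the file is used.

```python
"""Build a GPMC-style migration table, reproducing the /MapByName decision
of CreateMigrationTable.wsf: principals in the source domain are mapped by
relative name, principals from any other domain are copied as is.

Added example. SAMPLE_ENTRIES is constructed data; the destination domain
is hypothetical; XML element names are assumed from the GPMC schema
(verify against MigrationTable.xsd in the GPMC install folder).
"""

import xml.etree.ElementTree as ET

# Namespace the .migtable files carry (assumed from the GPMC schema).
NS = "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"

# Entry types GPMC distinguishes; UNCPath covers file system references.
PRINCIPAL_TYPES = {"User", "Computer", "LocalGroup", "GlobalGroup",
                   "UniversalGroup", "UNCPath", "Unknown"}

# Constructed entries of the kind the two default GPOs reference in their
# user rights assignments, restricted groups and script paths.
SAMPLE_ENTRIES = [
    ("GlobalGroup", "Domain Admins@testking.com"),
    ("UniversalGroup", "Enterprise Admins@testking.com"),
    ("LocalGroup", "Administrators@testking.com"),
    ("User", "svc-backup@testking.com"),
    ("GlobalGroup", "Domain Admins@litwareinc.com"),  # external domain
    ("UNCPath", r"\\testking.com\SYSVOL\testking.com\scripts"),
]


def plan_mappings(entries, source_domain, destination_domain, map_by_name=True):
    """Decide a destination for each entry.

    Returns (type, source, action, destination) tuples, where action is
    'ByRelativeName', 'SameAsSource' or 'Literal' (destination given).
    """
    plan = []
    for etype, source in entries:
        if etype not in PRINCIPAL_TYPES:
            raise ValueError(f"unknown migration entry type {etype!r}")
        if etype == "UNCPath":
            # This example's choice: rewrite the domain name inside the path.
            dest = source.replace(source_domain, destination_domain)
            plan.append((etype, source, "Literal", dest))
            continue
        name, _, domain = source.rpartition("@")
        if map_by_name and domain.lower() == source_domain.lower():
            # MapByRelativeName: GPMC looks up an account with the same name
            # in the destination domain at import time.
            plan.append((etype, source, "ByRelativeName", None))
        else:
            # "defined in an external domain ... copied as is"
            plan.append((etype, source, "SameAsSource", None))
    return plan


def to_migtable_xml(plan):
    """Serialise the plan as a .migtable document (element names assumed)."""
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}MigrationTable")
    for etype, source, action, dest in plan:
        m = ET.SubElement(root, f"{{{NS}}}Mapping")
        ET.SubElement(m, f"{{{NS}}}Type").text = etype
        ET.SubElement(m, f"{{{NS}}}Source").text = source
        if action == "ByRelativeName":
            ET.SubElement(m, f"{{{NS}}}DestinationByRelativeName")
        elif action == "SameAsSource":
            ET.SubElement(m, f"{{{NS}}}DestinationSameAsSource")
        else:
            ET.SubElement(m, f"{{{NS}}}Destination").text = dest
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    plan = plan_mappings(SAMPLE_ENTRIES, "testking.com", "test.testking.local")
    for row in plan:
        print(row)
    print(to_migtable_xml(plan))
```

Before importing, the generated table is worth a review pass in the Migration Table Editor: a "copied as is" principal from the production forest will appear in the test domain's user rights assignments as an unresolvable SID (the test forest has no trust to resolve it), and a by-relative-name entry fails the import if the account does not exist in the destination domain.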

Notes

• You must have Edit, delete, and modify security permissions on the GPO and Read permissions on the folder containing the GPO backup to restore an existing GPO.

• You must have privileges to create GPOs in the domain and Read permissions on the file system location of the backed up GPO to restore a GPO that has been deleted.

• You can also restore an existing or deleted GPO using the Manage backups function by right-clicking Domains or Group Policy Objects.

• The Manage Backups dialog box can be used to restore either an existing or deleted GPO. The Manage Backups dialog box can be opened either by right-clicking Domains or Group Policy Objects in a given domain. When Manage Backups is opened by right clicking Group Policy Objects, only GPO backups from that domain are shown. In contrast, when Manage Backups is opened by right clicking Domains, all GPO backups are shown, regardless of domain.


QUESTION NO: 39 You are the network administrator for TestKing. The network consists of a single Active Directory forest. The functional level of the forest is Windows 2000. The forest consists of a forest root domain named testking.com and two child domains named asia.testking.com and europe.testking.com. The functional level of all the domains is Windows 2000 mixed. Each domain contains one domain controller running Windows Server 2003. All of the other domain controllers in the forest run Windows 2000 Server. TestKing recently acquired another company named Acme that has an Active Directory forest named acme.com. The functional level of the forest is Windows Server 2003. You need to be able to establish a forest trust relationship between testking.com and acme.com. What should you do? To answer, drag the appropriate action or actions to the correct location or locations in the work area.


Answer:

Explanation: The question explicitly asks for a forest trust relationship, rather than just an external trust. To create a forest trust, both forests must be at the Windows Server 2003 forest functional level. Raising the testking.com forest to that level requires every domain controller in the forest to run Windows Server 2003 and every domain to be at least at the Windows 2000 native domain functional level; the forest raise then takes the domains to Windows Server 2003. Here the Windows 2000 Server domain controllers in all three domains must be upgraded (or demoted and removed), the domains raised out of Windows 2000 mixed, and the forest functional level raised, before the forest trust can be created.

QUESTION NO: 40
You are the network administrator for TestKing. The network consists of a single Active Directory forest testking.com. The functional level of the forest is Windows 2000. The forest consists of a root domain named testking.com and two child domains named africa.testking.com and asia.testking.com. The functional level of the domains is Windows 2000 native. All domain controllers in the testking.com domain run Windows Server 2003. All domain controllers in the africa.testking.com and asia.testking.com domains run Windows 2000 Server.


You need to be able to rename all domain controllers in testking.com. You want to minimize impact to the network. What should you do? To answer, drag the appropriate action or actions to the correct location or locations in the work area.

Answer:


Explanation: A domain controller can be renamed only when its domain is at the Windows Server 2003 domain functional level. The testking.com domain qualifies: all of its domain controllers already run Windows Server 2003 and it is currently at Windows 2000 native, so its domain functional level can be raised to Windows Server 2003. The forest functional level cannot be raised, because africa.testking.com and asia.testking.com still have Windows 2000 Server domain controllers, and it does not need to be; only the domain functional level matters here. Raising one domain's functional level and renaming its domain controllers leaves the child domains untouched, which minimizes the impact on the network.

To rename a Windows Server 2003 domain controller:
You must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory.
The domain functional level must be set to Windows Server 2003.

Note:


Before you rename a domain controller in a domain with multiple domain controllers, make sure that the computer that you want to rename is not the global catalog server and that it does not hold other Flexible Single Master Operations (FSMO) roles.

Page 70: TestKing 70-296 v38

70 - 296

Leading the way in IT testing and certification tools, www.testking.com

- 70 -

TO Rename a Domain Controller in a Domain that Contains a Single Domain Controller To rename a domain controller in a domain that contains a single domain controller:

1. Install a second Windows Server 2003 computer in the same domain with the server that you want to rename.

Raising the forest functional level to Windows Server 2003 is not possible if there is any domain controller in the forest that remains to be upgraded to Windows Server 2003 or if any domain in the forest still has Windows 2000 mixed domain functionality. Assuming these requirements are satisfied, you can raise the forest level to Windows Server 2003. NOTE: Remember that although the forest root domain can be renamed (its DNS and NetBIOS names can change), it cannot be repositioned in such a way that you designate a different domain to become the new forest root domain. If your domain rename operation involves restructuring the forest through repositioning of the domains in the domain tree hierarchy as opposed to simply changing the names of the domains in-place, you first need to create the necessary shortcut trust relationships between domains such that the new forest structure has two-way transitive trust paths between every pair of domains in the target forest, just as your current forest does Reference: MS white paper Step-by-Step Guide to Implementing Domain Rename MS Knowledge base article Q814589 HOW TO: Rename a Windows 2003 Domain Controller QUESTION NO: 41 You are a network administrator for TestKing. The network consists of 20 Active Directory domains. All servers run Windows Server 2003. TestKing has 240 offices. Each office is configured as an Active Directory site. TestKing has a branch office that contains four users. User objects for these users are stored in the australia.testking.com domain. The branch office is connected to the corporate network by a 56-Kbps WAN connection. The branch office contains a domain controller named TestKing17 that is configured as an additional domain controller for the australia.testking.com domain. An Active Directory site is configured for the branch office. TestKing17 is a member of this site. An IP site link exists between the branch office and the main office.

The WAN connection is available only during business hours. Users in the branch office report slow response times on the WAN connection. You examine the WAN connection and discover that the problem is caused by Active Directory replication. You need to improve the performance of the WAN connection. What should you do?

A. Configure TestKing17 as a global catalog server.
B. Enable universal group membership caching in the branch office.
C. Remove Active Directory from TestKing17 and configure TestKing17 as a member server.
D. On the site link that connects the branch office to the corporate network, increase the replication interval.

Answer: D
Explanation: The branch office contains a domain controller from the australia.testking.com domain. Replication between this domain controller and a domain controller at the main office is using up the bandwidth of the 56-Kbps link between the two sites. We can reduce the WAN link usage by increasing the replication interval, thus ensuring that replication across the WAN link occurs less frequently.

Incorrect Answers:
A: Configuring TestKing17 as a global catalog server will increase the bandwidth used by replication.
B: Enabling universal group membership caching in the branch office won’t decrease the bandwidth used by replication.
C: It is not necessary to demote TestKing17 to a member server. Furthermore, this would cause logon authentication traffic to go over the WAN link.

QUESTION NO: 42
You are the network administrator for Testking Ltd. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest contains a root domain named testking.com and two child domains named scotland.testking.com and wales.testking.com. All domain controllers run Windows Server 2003. Each domain contains a DNS server. The DNS server in testking.com is named TESTKINGDNS1, the DNS server in scotland.testking.com is named TESTKINGDNS2, and the DNS server in wales.testking.com is named TESTKINGDNS3. Each DNS server in a child domain is responsible for name resolution in only its domain. The TCP/IP properties of all client computers in the child domains are configured to use only the DNS server in the domain. All records of all DNS servers are stored in Active Directory.

You create a new application directory partition named DSNdata.testking.com. You enlist TESTKINGDNS1 and TESTKINGDNS2 in this application directory partition. You need to enable all users in testking.com to access resources in the scotland.testking.com domain by using host names. Users in the testking.com domain do not need to access resources in the wales.testking.com domain. You need to configure the zone replication scope of the scotland.testking.com domain at TESTKINGDNS2. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer: Select the fourth radio button.

Explanation: The application directory partition DNSdata.testking.com contains a DNS server from testking.com and scotland.testking.com. By configuring the DNS information from the DNS server in scotland.testking.com to be replicated to the DNS server in testking.com, we will enable users in testking.com to locate resources in scotland.testking.com.

QUESTION NO: 43
You are the network administrator for TestKing. The company has offices in Brasilia, Buenos Aires, and Mexico City. Each office employs 500 people. The network consists of a single Active Directory forest with one domain in each office. Each domain contains two domain controllers named TestKingSrvA and TestKingSrvB. All domain controllers run Windows Server 2003. Each office is configured as an Active Directory site. The domain structure is shown in the exhibit.

The Windows Server 2003 computer named TestKingSrvA.testking.com holds all operations master roles for its domain, and it holds both forest-level operations master roles. The Windows Server 2003 computers named TestKingSrvA.sales.testking.com and TestKingSrvA.prod.testking.com hold all operations master roles for their respective domains. WAN connectivity between the offices is unreliable. You need to plan the placement of global catalog servers for the network. You need to ensure that each user can log on in the event of the failure of a single domain controller and WAN connection. You need to ensure that the consistency of universal group membership information remains intact. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure both domain controllers in testking.com as global catalog servers.
B. Configure only TestKingSrvA in each domain as a global catalog server.
C. Configure only TestKingSrvB in each domain as a global catalog server.
D. Enable universal group membership caching for each site.
E. Enable universal group membership caching for the Buenos Aires office.
F. Enable universal group membership caching for the Mexico City office and the Buenos Aires office.

Answer: A, F
Explanation: We need to ensure that the consistency of universal group membership information remains intact in the event of a WAN failure or a single domain controller failure. We can do this by having two global catalog servers in the same place. In order for the users in the other offices to log on in the event of a WAN failure, we should enable universal group membership caching for the Mexico City office and the Buenos Aires office.

Universal group membership caching
Universal group membership caching allows the domain controller to cache universal group membership information for users. You can enable domain controllers that are running Windows Server 2003 to cache universal group memberships by using the Active Directory Sites and Services snap-in. Enabling universal group membership caching eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Incorrect Answers:
B: With a global catalog server in each domain, we could lose the consistency of universal group membership information if the WAN link fails. For example, we could add someone to a universal group in one domain, but the other domains won’t know about it if that information cannot be replicated due to a WAN link failure.
C: With a global catalog server in each domain, we could lose the consistency of universal group membership information if the WAN link fails. For example, we could add someone to a universal group in one domain, but the other domains won’t know about it if that information cannot be replicated due to a WAN link failure.
D: We don’t need universal group caching in the testking.com domain because there are global catalog servers in that domain.
E: We need to enable universal group membership caching for the Mexico City office and the Buenos Aires office, not just Buenos Aires.

QUESTION NO: 44
You are the network administrator for Acme Ltd. The company has a subsidiary named TestKing. The Acme Ltd network consists of a single Active Directory forest. The forest contains one domain named acme.com. The functional level of the domain is Windows Server 2003. The TestKing network consists of a single Windows NT 4.0 domain named TESTKING. A file server named Server4 is a member of the acme.com domain. All users in both domains need to save files on Server4 every day.

You need to allow users in the TESTKING domain to access files on Server4. You need to ensure that the domain administrators of the TESTKING domain cannot grant users in the acme.com domain permissions on servers in the TESTKING domain. What should you do?

A. Upgrade the TESTKING domain to Windows Server 2003 and make this domain the root domain of a second tree in the existing forest.

B. Upgrade the TESTKING domain to Windows Server 2003 and make this domain the root domain of a new forest. Create a two-way forest trust relationship.

C. Create a one-way external trust relationship in which the acme.com domain trusts the TESTKING domain.

D. Create a one-way external trust relationship in which the TESTKING domain trusts the acme.com domain.

Answer: C
Explanation: We need a one-way external trust relationship in which the acme.com domain trusts the TESTKING domain. This will ensure that users who log on in the TESTKING domain will be able to access resources on Server4 in the acme.com domain.

Incorrect Answers:
A: It is unnecessary to upgrade the Windows NT domain. Furthermore, this solution would establish two-way transitive trusts with the acme.com domain. This means that the TESTKING domain administrator will be able to assign permissions to resources in the TESTKING domain to users from the acme.com domain.
B: It is unnecessary to upgrade the Windows NT domain. Furthermore, this solution would establish two-way transitive trusts with the acme.com domain. This means that the TESTKING domain administrator will be able to assign permissions to resources in the TESTKING domain to users from the acme.com domain.
D: This trust is going in the wrong direction. This would enable the TESTKING domain administrator to assign permissions to resources in the TESTKING domain to users from the acme.com domain.

QUESTION NO: 45
You are a network administrator for TestKing. The company has a main office and one branch office. The network consists of a single Active Directory domain named testking.com. The network contains three Windows Server 2003 domain controllers: TestKing1, TestKing2, and TestKing4. You configure two Active Directory sites, one for the main office and one for the branch office. The network is shown in the exhibit.

The domain controllers are backed up each night by using a normal backup that also captures the system state. You are responsible for creating a domain controller recovery plan to be used if a domain controller fails in either office. The design team specifies that the domain controller recovery plan must minimize replication traffic across the link between the network in the main office and the network in the branch office. The plan must also minimize restoration time. You need to include in your recovery plan the process for restoring Active Directory services if any of the domain controllers suffers a hardware failure. Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Restore the system state of any domain controller to an available member server in the same network subnet.

B. Perform an authoritative restore operation on a functioning domain controller.
C. On an available member server in the same network subnet as the failed domain controller, run the dcpromo /adv command and select the Over the network option.
D. On an available member server in the same network subnet as the failed domain controller, run the dcpromo /adv command and select the From these restored backup files option.

Answer: A, D
Explanation: For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be present on a local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link. To use the install from media feature, you first create a backup of System State from the existing domain controller, then restore it to the new domain controller by using the Restore to: Alternate location option. In this scenario, we can restore the system state data to a member server, then use that restored system state data to promote the member server to a domain controller.

Incorrect Answers:
B: We don’t want to authoritatively restore the data. There is also no need to restore anything to a functioning domain controller.
C: The Over the network option is incomplete. The full option is Over the network from a domain controller. We want to create a domain controller from the restored files.

QUESTION NO: 46
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003. The forest includes two Active Directory sites named TestKingSite1 and TestKingSite2. TestKingSite1 contains two domain controllers that are global catalog servers named TestKingA and TestKingB. TestKingSite2 contains two domain controllers that are not global catalog servers named TestKingC and TestKingD.
The two sites are connected by a WAN connection. Users in TestKingSite2 report that logon times are unacceptably long. You need to improve logon times for the users in TestKingSite2 while minimizing replication traffic on the WAN connection. How should you configure the network?

To answer, drag the appropriate configuration option or options to the correct location or locations in the work area.

Answer:

Explanation: We need to improve logon times for the users in TestKingSite2 while minimizing replication traffic on the WAN connection. Logon times in TestKingSite2 are slow because the domain controllers need to contact a global catalog server in TestKingSite1 for universal group information. We can prevent this by enabling Universal group membership caching in TestKingSite2. Enabling Universal group membership caching at the site level will ensure that all the domain controllers in TestKingSite2 will be able to cache the information. We could improve logon times by placing a global catalog server in TestKingSite2, but this will increase replication between the two sites; therefore enabling Universal group membership caching is a better solution.

Universal group membership caching
Universal group membership caching allows the domain controller to cache universal group membership information for users. You can enable domain controllers that are running Windows Server 2003 to cache universal group memberships by using the Active Directory Sites and Services snap-in. Enabling universal group membership caching eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

QUESTION NO: 47
You are the network administrator for TestKing. The company is deploying a network that consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. You are planning the data transmission security for the sales department. You need to monitor the data transmissions to and from the client computers in the sales department at all times. You need to ensure the integrity of the data transmissions to and from the client computers. You also need to be able to implement intrusion detection on the sales department traffic. What should you do?

A. Assign a custom IPSec policy with the Integrity and Encryption security method to the sales department client computers.

B. Assign a custom IPSec policy with the Integrity only security method to the sales department client computers.

C. Assign a custom IPSec policy with a custom security method and the 3DES encryption algorithm to the sales department client computers.

D. Assign the Client (Respond Only) IPSec policy to the sales department client computers.

Answer: B
Explanation: We want to monitor the IPSec traffic. We cannot use ESP; if we did, we wouldn’t be able to monitor the IPSec traffic because it is encrypted. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers. We need to use AH; this way we can monitor network traffic and preserve the integrity of messages.

Using both AH and ESP is the only way to both protect the IP header and encrypt the data. However, this level of protection is rarely used because of the increased overhead that AH would incur for packets that are already adequately protected by ESP. ESP protects everything but the IP header, and modifying the IP header does not provide a valuable target for attackers. Generally, the only valuable information in the header is the addresses, and these cannot be spoofed effectively because ESP guarantees data origin authentication for the packets.

Protocol: AH
Requirement: The data and the header need to be protected from modification and authenticated, but remain readable.
Usage: Use for data integrity in situations where data is not secret but must be authenticated — for example, where access is enforced by IPSec to trusted computers only, or where network intrusion detection, QoS, or firewall filtering requires traffic inspection.

Protocol: ESP
Requirement: Only the data needs to be protected by encryption so it is unreadable, but the IP addressing can be left unprotected.
Usage: Use when data must be kept secret, such as file sharing, database traffic, RADIUS protocol data, or internal Web applications that have not been adequately secured by SSL.

Protocol: Both AH and ESP
Requirement: The header and data, respectively, need to be protected while data is encrypted.
Usage: Use for the highest security. However, there are very few circumstances in which the packet must be so strongly protected. When possible, use ESP alone instead.
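The following Python model is an added example, not code from the TestKing material or from Microsoft. It shows why the answer picks the Integrity-only (AH) method: one constructed packet is protected under AH, ESP and ESP-null, and for each mode the script reports whether the receiver accepts it, whether a passive network monitor without the security association keys can still match a content signature in it, and whether a change to the outer IP header is detected. The keys, the packet fields, the IDS signature and the HMAC-based toy stream cipher are all constructed for the example; real IPSec negotiates its keys and transforms through IKE and uses 3DES or AES rather than this stand-in.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample keys; a real security association derives these through IKE.
INTEGRITY_KEY = b"constructed-integrity-key"
ENCRYPTION_KEY = b"constructed-encryption-key"


@dataclass
class Packet:
    header: bytes   # outer IP header fields, always sent in cleartext
    body: bytes     # payload as it appears on the wire (cleartext or ciphertext)
    icv: bytes      # integrity check value (HMAC-SHA256 in this model)
    mode: str       # "AH", "ESP" or "ESP-null"


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC; stands in for 3DES/AES in this model."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect_ah(header: bytes, payload: bytes) -> Packet:
    """AH: the ICV covers the header and the payload; nothing is encrypted."""
    icv = hmac.new(INTEGRITY_KEY, header + payload, hashlib.sha256).digest()
    return Packet(header, payload, icv, "AH")


def protect_esp(header: bytes, payload: bytes, null_encryption: bool = False) -> Packet:
    """ESP: the ICV covers only the ESP payload, never the outer IP header.
    With null encryption the payload stays in cleartext (still inspectable);
    otherwise it is encrypted with the toy stream cipher."""
    if null_encryption:
        body = payload
    else:
        body = _xor(payload, _keystream(ENCRYPTION_KEY, len(payload)))
    icv = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).digest()
    return Packet(header, body, icv, "ESP-null" if null_encryption else "ESP")


def verify(pkt: Packet) -> bool:
    """Receiver-side integrity check; only AH includes the header in the ICV."""
    covered = pkt.header + pkt.body if pkt.mode == "AH" else pkt.body
    expected = hmac.new(INTEGRITY_KEY, covered, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.icv)


def ids_sees(pkt: Packet, signature: bytes) -> bool:
    """A passive sensor holds no SA keys, so it can match only cleartext."""
    return signature in pkt.body


def tamper_header(pkt: Packet) -> Packet:
    """Constructed in-path rewrite of the source address in the outer header."""
    return Packet(pkt.header.replace(b"10.0.0.5", b"10.0.0.9"), pkt.body, pkt.icv, pkt.mode)


def compare_modes() -> dict:
    """Send one constructed packet under each mode and report what each mode gives."""
    header = b"src=10.0.0.5;dst=10.0.0.20;proto=tcp"
    payload = b"SELECT * FROM sales WHERE region='west'"
    signature = b"SELECT * FROM"          # constructed IDS content rule
    results = {}
    for name, pkt in (("AH", protect_ah(header, payload)),
                      ("ESP", protect_esp(header, payload)),
                      ("ESP-null", protect_esp(header, payload, null_encryption=True))):
        results[name] = {
            "valid_at_receiver": verify(pkt),
            "ids_can_inspect": ids_sees(pkt, signature),
            "header_tamper_detected": not verify(tamper_header(pkt)),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(f"{mode:9s} {outcome}")
```

Running compare_modes() shows the trade-off in the table: AH is the only mode in which the sensor can inspect the payload and a header change is caught; ESP hides the payload from the sensor and leaves the outer header uncovered; ESP-null keeps the payload inspectable (which is why the explanation recommends it for diagnosing ESP traffic) but still does not protect the header.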

IPSec Monitor
Use the IP Security Monitor snap-in to gather information you can use to identify problems and optimize performance where IPSec is deployed. For example, you can view details about IPSec policies and filters, statistics about performance, and SAs. IP Security Monitor allows you to view details about the active IPSec policies that are applied to the domain, the local computer, or a remote computer.

Viewing IPSec and other network communication with Network Monitor
You can install and use Network Monitor to view IPSec and other network communication. Note that the version of Network Monitor that is provided with the Windows Server 2003 family can be used only to view the network traffic that is sent to or from the computer on which it is installed. To view network traffic that is sent to or from another computer and is routed through your computer (using the Routing and Remote Access service), you must use the Network Monitor component that is provided with Microsoft Systems Management Server. The Network Monitor component that is provided with the Windows Server 2003 family includes parsers for the ISAKMP (IKE), AH, and ESP protocols. The Network Monitor parsers for ESP can parse inside the ESP packet only if null-encryption is being used and the full ESP packet is captured. Network Monitor cannot parse the encrypted portions of IPSec-secured ESP traffic when encryption is performed in software. However, if encryption is being performed by an IPSec hardware offload network adapter, the ESP packets are decrypted when Network Monitor captures them and, as a result, can be parsed and interpreted into the upper-layer protocols. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers.

References:
Server Help
• Troubleshooting tools
• Viewing details about active IPSec policies in IP Security Monitor
MS Windows Server 2003 Deployment: Choosing the IPSec Protocol

QUESTION NO: 48
You are a system engineer for TestKing. The network consists of four Active Directory domains. All servers on the network run Windows Server 2003. The Windows Server 2003 computers are distributed among three offices. All servers support out-of-band management by means of serial connections to terminal concentrators in each office’s data center. Each office maintains its own separate connection to the Internet. The company adopts a new written security policy, which includes the following requirements:

• Physical access to all servers is restricted to authorized personnel and only for the purpose of installing or maintaining hardware.

• All in-band remote administration connections must be authenticated by the Kerberos version 5 protocol.

• Administrators in each office must be able to access their servers for remote administration or troubleshooting even when the operating system is not running or experiences a Stop error.

• Services or programs that are not essential for remote administration or server operation must not be installed on any computer.

You need to plan a remote administration strategy for the network that complies with the new policy. You are not responsible for permissions management in the domains. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure each server to accept Remote Desktop connections.
B. On each server, enable the Telnet service with a startup parameter of Automatic.
C. Install Terminal Services on each server.
D. On each server, enable Emergency Management Services.
E. Install IIS on each server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service.

Answer: A, D
Explanation:

Emergency Management Services is a new feature in Windows Server 2003 that permits you to perform remote management and system recovery tasks when the server is not available by using the standard remote administration tools and mechanisms. Emergency Management Services provides alternative access to a server when the server is not accessible through the standard connection methods, typically a network. With Emergency Management Services, combined with the appropriate hardware, you can perform remote management and system recovery tasks, even when the server is not available through the standard remote administration tools and mechanisms.

To manage a server from a remote computer when the server is not available on the network, you must enable Emergency Management Services. Emergency Management Services is a Windows Server 2003 service that runs on the managed server. This service is not enabled by default when you install the Windows Server 2003 operating system, but you can enable it during installation or at any later time. Emergency Management Services features are available when the Windows Server 2003 loader or kernel is at least partially running.

You can access all Emergency Management Services output by using terminal emulator software that supports VT100, VT100+, or VT-UTF8 protocols on the management computer, although VT-UTF8 is the preferred protocol. For more information about terminal emulator software and the supported protocols

Management Software for Out-of-Band Connections
Typically, you use terminal emulation software on the management computer to connect to and communicate with a server through an out-of-band connection. The two most common methods are the following:

• Use Telnet — or a secure alternative such as SSH — to connect to a terminal concentrator through an in-band connection, which then connects to the server through an out-of-band connection.

• Use HyperTerminal to connect directly to the server.

When Emergency Management Services is enabled:

• Console redirection automatically sends output to the out-of-band port for any supported operating state:

Task                                                   Feature
Selecting operating system during system load          Console redirection
Running Recovery Console                               Console redirection
Viewing text mode setup messages                       Console redirection
Viewing GUI mode setup messages                        SAC, including setup logs
Viewing RIS loading messages                           Console redirection
Viewing Stop error messages                            Console redirection
Monitoring and managing with out-of-band connections   SAC
Performing last-resort system recovery                 !SAC

• You can use SAC to issue supported commands or switch to the command shell (cmd.exe) whenever the kernel is running.

• You can view logs during the GUI-mode phase of Setup.

• !SAC automatically becomes available whenever a system failure occurs.
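On a server that is already installed, Emergency Management Services is switched on through Boot.ini, and a remote administration plan that depends on SAC is only as good as that file on every high-availability server. The following Python script is an added example, not part of the TestKing material or of any Microsoft tool: it audits a Boot.ini for the settings that enable loader console redirection and SAC, and produces a corrected copy. It assumes the standard Windows Server 2003 Boot.ini layout, namely a redirect=COMx (or useBiosSettings) entry and a redirectbaudrate entry in the [boot loader] section and the /redirect switch on each [operating systems] entry; the sample Boot.ini text and the set of baud rates the check accepts are constructed for the example.

```python
import re
from typing import Dict, List

# Baud rates the check accepts for redirectbaudrate (assumption made for this example).
ACCEPTED_BAUD = {9600, 19200, 57600, 115200}

# Constructed sample Boot.ini on which EMS has not yet been enabled.
BOOT_INI_BEFORE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect
"""


def parse_boot_ini(text: str) -> Dict[str, List[str]]:
    """Split Boot.ini into sections; each section maps to its non-blank lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def loader_settings(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """key=value pairs from [boot loader], with keys lower-cased."""
    settings: Dict[str, str] = {}
    for line in sections.get("boot loader", []):
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def check_ems(text: str) -> List[str]:
    """Return findings; an empty list means console redirection and SAC are enabled."""
    findings: List[str] = []
    sections = parse_boot_ini(text)
    settings = loader_settings(sections)

    port = settings.get("redirect")
    if port is None:
        findings.append("[boot loader] has no redirect= entry: loader redirection and SAC are off")
    elif not re.fullmatch(r"COM[1-4]|useBiosSettings", port, re.IGNORECASE):
        findings.append(f"redirect={port} is neither a serial port (COM1-COM4) nor useBiosSettings")

    baud = settings.get("redirectbaudrate")
    if baud is not None and (not baud.isdigit() or int(baud) not in ACCEPTED_BAUD):
        findings.append(f"redirectbaudrate={baud} is not one of {sorted(ACCEPTED_BAUD)}")

    entries = sections.get("operating systems", [])
    if not entries:
        findings.append("no [operating systems] entries found")
    for entry in entries:
        # Loader switches follow the quoted description, separated by spaces.
        if "/redirect" not in entry.lower().split():
            findings.append(f"entry without /redirect switch: {entry.partition('=')[0]}")
    return findings


def enable_ems(text: str, port: str = "COM1", baud: int = 9600) -> str:
    """Return a copy of Boot.ini with redirection enabled on the given port and baud rate."""
    out: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            section = match.group(1).strip().lower()
            out.append(raw)
            if section == "boot loader":
                out.append(f"redirect={port}")
                out.append(f"redirectbaudrate={baud}")
            continue
        if section == "boot loader" and re.match(r"redirect(baudrate)?=", line, re.IGNORECASE):
            continue  # drop any stale value; fresh ones were written under the header
        if section == "operating systems" and line and "/redirect" not in line.lower().split():
            out.append(raw + " /redirect")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", check_ems(BOOT_INI_BEFORE))
    fixed = enable_ems(BOOT_INI_BEFORE)
    print(fixed)
    print("after:", check_ems(fixed))
```

check_ems() is the part worth keeping in a build or audit pipeline: running it over the Boot.ini collected from each high-availability server gives a quick list of the ones where an out-of-band connection would reach a serial port that nothing is talking on.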

Remote Administration using Terminal Services
In Microsoft® Windows® Server 2003 family operating systems, Terminal Services technology is the basis for several features that enable you to connect to remote computers and perform administrative tasks.

• Remote Desktop for Administration (formerly known as Terminal Services in Remote Administration mode) provides remote server management capabilities for Windows Server 2003 family operating systems. Using this feature, you can administer a server from virtually any computer on your network. No license is required for up to two simultaneous remote connections in addition to the server console session. A corresponding desktop version of Remote Desktop for Administration is available on Microsoft® Windows® XP Professional, and is called Remote Desktop.

• The Remote Desktops MMC snap-in allows you to create remote connections to the console session of multiple terminal servers, as well as computers running Windows 2000 or Windows Server 2003 family operating systems.

• Remote Desktop Connection, available on Windows Server 2003 family operating systems as well as on Microsoft® Windows® XP operating systems, enables you to log on to a remote computer and perform administrative tasks, even from a client computer that is running an earlier version of Windows.

References:
MS Knowledge Base article 815273: HOW TO: Perform an Unattended Emergency Management Services Installation of Windows Server 2003
MS Windows Server 2003 Planning Server Deployments: Emergency Management Services
Server Help

QUESTION NO: 49
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains two Windows Server 2003 domain controllers. All servers run Windows Server 2003, and all client computers run Windows XP Professional. You install a wireless network. You discover that the coverage for the executive offices is very poor. You need to improve wireless coverage for the executive team in their office area. The design team specifies the following requirements for the executive team:

• Executives must be able to access the wireless network in all locations in the building, including their offices.

• Non executive employees may use wireless access points in the executive office area only if other access points are unavailable.

You need to develop a plan to improve the coverage in the executive offices. You need to implement your plan by using the minimum amount of administrative effort. What should you do?

A. Use the Connection Manager Administration Kit (CMAK) wizard to create new service profiles. One profile will be used for executives only. Send an e-mail message that contains the proper profiles to the proper users.

B. Use the Windows Management Instrumentation command-line tool with the NIC and the NICCONFIG aliases.

C. Install new access points for the executive team with a new dedicated service set identifier (SSID).

Use wireless network policies to control use of the SSIDs on the wireless network.

D. Install new access points for the executive team with a new dedicated service set identifier (SSID). Use wireless network policies to control access for ad hoc networks.

Answer: C
Explanation: The Network name (SSID) specifies the name for the specified wireless network. Under the IEEE 802.11 standard, the network name is also known as the Service Set Identifier (SSID). We will need to set up two different network names (SSIDs), one for users and one for executives. We can also enhance the deployment and administration of wireless networks by using Group Policy to centrally create, modify, and assign wireless network policies for Active Directory clients.

Reference: MS Windows Server 2003 Deployment Kit: Designing a Managed Environment

QUESTION NO: 50
You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The servers on the network are located in a physically secured room, which is located in a central data center building on the company campus. All servers have the Recovery Console installed and support firmware-based console redirection by means of their serial ports, which are connected to a terminal concentrator. The terminal concentrator is connected to the company network by means of a standard LAN connection. It is required that all servers can be managed remotely. All IT staff in the company can establish connections to the servers by means of either a Remote Desktop connection or the Windows Server 2003 Administration Tools, which are installed locally on their client computers. Company management now requires that several servers that have high-availability requirements must also be remotely managed in the event of system failures and when the Recovery Console is used. Company management also requires that these servers can be remotely managed when the servers are slow or are not responding to normal network requests. You need to plan a remote management solution that complies with the new requirements.
What should you do?

A. On each highly available server, enable Emergency Management Services by adding the Redirect=COM1 and /redirect parameters to the Boot.ini file on each server and the EMSPort=COM1 and EMSBaudRate=9600 parameters to the Winnt.sif file on each server.

B. On each highly available server, configure the Telnet service with a startup parameter of Automatic. Set the number of maximum Telnet connections to match the number of administrators in the company. Add the administrators’ user accounts to the TelnetClients security group.

C. Install IIS on each highly available server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service. Add the administrators’ user accounts to the HelpServicesGroup security group.

D. Use the netsh command to create an offline configuration script that contains the network parameters for out-of-band remote management. Copy this script to the C:\Cmdcons folder on each highly available server.

Answer: A

Explanation:
To enable Emergency Management Services after setting up a Windows Server 2003 operating system, you must edit the Boot.ini file to enable Windows loader console redirection and the Special Administration Console (SAC). The Boot.ini file controls startup; it is located on the system partition root.

Unattend.txt and Winnt.sif files
These files are necessary in order to fully automate the process of installing Windows Server 2003 remotely. A sample Unattend.txt file is on the operating system CD. You can use default settings or customize your installations by modifying or adding parameters. When editing Unattend.txt files, insert the parameters in the [Data] section, as shown in the table below.

[Data] parameter: EMSPort={com1|com2|usebiossettings}
Possible values:
  COMx (where x specifies serial port 1 or 2). This option is valid for x86-based systems only.
  UseBIOSSettings. This instructs the operating system to detect firmware that supports Emergency Management Services and use the SPCR settings. If an SPCR table is not present, Emergency Management Services is not enabled. This is the default setting for Advanced Configuration and Power Interface (ACPI) systems.

[Data] parameter: EMSBaudRate=value
Possible values:
  9600 baud is the default, with other values of 19200, 57600, and 115200 possible, depending on the capabilities of the serial port. This must be used with EMSPort=, or the parameter is ignored.

QUESTION NO: 51

You are a network administrator for TestKing. The network consists of an intranet and a perimeter network, as shown in the work area. The perimeter network contains:

• One Windows Server 2003, Web Edition computer named TestKing1.
• One Windows Server 2003, Standard Edition computer named TestKing2.
• One Windows Server 2003, Enterprise Edition computer named TestKing3.
• One Web server farm that consists of two Windows Server 2003, Web Edition computers.

All servers on the perimeter network are members of the same workgroup. The design team plans to create a new Active Directory domain that uses the existing servers on the perimeter network. The new domain will support Web applications on the perimeter network. The design team states that the perimeter network domain must be fault tolerant. You need to select which server or servers on the perimeter network need to be configured as domain controllers. Which server or servers should you promote? To answer, select the appropriate server or servers in the work area.

Answer:

Explanation:
We know Web Edition computers can’t be domain controllers, and we want fault tolerance, which means two domain controllers. The answer is to promote the two servers that aren’t running Web Edition to DCs (TestKing2 and TestKing3).

Reference: MS Training Kit 70-290, Chapter 1, Lesson 1: "the server belongs to a domain but cannot be a domain controller"

QUESTION NO: 52
You are a network administrator for TestKing. The network consists of a single Active Directory domain and contains Windows Server 2003 computers. You install a new service on a server named TestKing3. The new service requires that you restart TestKing3. When you attempt to restart TestKing3, the logon screen does not appear. You turn off and then turn on the power for TestKing3. The logon screen does not appear. You attempt to recover the failed server by using the Last Known Good Configuration startup option. It is unsuccessful. You attempt to recover TestKing3 by using the Safe Mode startup options. All Safe Mode options are unsuccessful. You restore TestKing3. TestKing3 restarts successfully. You discover that TestKing3 failed because the new service is not compatible with a security patch. You want to configure all servers so that you can recover from this type of failure by using the minimum amount of time and by minimizing data loss. You need to ensure that in the future, other services that fail do not result in the same type of failure. What should you do?

A. Use Add or Remove Programs.
B. Install and use the Recovery Console.

C. Use Automated System Recovery (ASR).
D. Use Device Driver Roll Back.

Answer: B

Explanation:
1. We know that this service causes the failure.
2. We want a minimum of time and a minimum of data loss.
3. We want a solution for all servers.
4. We want to make sure other services that fail do not result in the same type of failure.

Server Help: Recovery Console overview

Safe Mode: A method of starting Windows using basic files and drivers only, without networking. Safe Mode is available by pressing the F8 key when prompted during startup. This allows you to start your computer when a problem prevents it from starting normally.

If Safe Mode and other startup options do not work, consider using the Recovery Console. This method is recommended only if you are an advanced user who can use basic commands to identify and locate problem drivers and files. In addition, you will need the password for the built-in administrator account to use the Recovery Console.

Administrator account: On a local computer, the first account that is created when you install an operating system on a new workstation, stand-alone server, or member server. By default, this account has the highest level of administrative access to the local computer, and it is a member of the Administrators group. In an Active Directory domain, the first account that is created when you set up a new domain by using the Active Directory Installation Wizard. By default, this account has the highest level of administrative access in a domain, and it is a member of the Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, and Schema Admins groups.

Using the Recovery Console, you can enable and disable services, format drives, read and write data on a local drive (including drives formatted to use NTFS), and perform many other administrative tasks. The Recovery Console is particularly useful if you need to repair your system by copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service that is preventing your computer from starting properly.

Service: A program, routine, or process that performs a specific system function to support other programs, particularly at a low (close to the hardware) level. When services are provided over a network, they can be published in Active Directory, facilitating service-centric administration and usage. Some examples of services are the Security Accounts Manager service, File Replication service, and Routing and Remote Access service.

NTFS: An advanced file system that provides performance, security, reliability, and advanced features that are not found in any version of file allocation table (FAT). For example, NTFS guarantees volume consistency by using standard transaction logging and recovery techniques. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. NTFS also provides advanced features, such as file and folder permissions, encryption, disk quotas, and compression.

Server Help: Repair overview

Problem: Operating system does not start (the logon screen does not appear).

Feature: Last Known Good Configuration startup option
When to use it: When you suspect that a change you made to your computer before restarting might be causing the failure.
What it does: Restores the registry settings and drivers that were in effect the last time the computer started successfully. For more information, see "To start the computer using the last known good configuration".

Feature: Recovery Console
When to use it: If using the Last Known Good Configuration startup option is unsuccessful and you cannot start the computer in Safe Mode. This method is recommended only if you are an advanced user who can use basic commands to identify and locate problem drivers and files. To use the Recovery Console, restart the computer with the installation CD for the operating system in the CD drive. When prompted during text-mode setup, press R to start the Recovery Console.
What it does: From the Recovery Console, you can access the drives on your computer. You can then make any of the following changes so that you can start your computer:
• Enable or disable device drivers or services.
• Copy files from the installation CD for the operating system, or copy files from other removable media. For example, you can copy an essential file that had been deleted.
• Create a new boot sector and new master boot record (MBR). You might need to do this if there are problems starting from the existing boot sector.

Master boot record (MBR): The first sector on a hard disk, which begins the process of starting the computer. The MBR contains the partition table for the disk and a small amount of executable code called the master boot code.

QUESTION NO: 53
You are a network administrator for TestKing. The network contains a Windows Server 2003 application server named TestKingSrv. TestKingSrv has one processor. TestKingSrv has been running for several weeks. You add a new application to TestKingSrv. Users now report intermittent poor performance on TestKingSrv. You configure System Monitor and track the performance of TestKingSrv for two hours. You obtain the performance metrics that are summarized in the exhibit.

The values of the performance metrics are consistent over time. You need to identify the bottleneck on TestKingSrv and upgrade the necessary component. You need to minimize hardware upgrades. What should you do?

A. Install a faster CPU in TestKingSrv.
B. Add more RAM to TestKingSrv.
C. Add additional disks and spread the disk I/O over the new disks.
D. Increase the size of the paging file.

Answer: B

Explanation:

Reference (Windows Help): Determining acceptable values for counters
In general, deciding whether or not performance is acceptable is a judgment that varies significantly with variations in user environments. The values you establish as the baselines for your organization are the best basis for comparison. Nevertheless, the following table containing threshold values for specific counters can help you determine whether values reported by your computer indicate a problem. If System Monitor consistently reports these values, it is likely that hindrances exist on your system and you should tune or upgrade the affected resource.

For tuning and upgrade suggestions, see Solving performance problems.

Resource: Disk
Object\Counter: Physical Disk\% Free Space, Logical Disk\% Free Space
Suggested threshold: 15%

Resource: Disk
Object\Counter: Physical Disk\% Disk Time, Logical Disk\% Disk Time
Suggested threshold: 90%

Resource: Disk
Object\Counter: Physical Disk\Disk Reads/sec, Physical Disk\Disk Writes/sec
Suggested threshold: Depends on manufacturer's specifications
Comments: Check the specified transfer rate for your disks to verify that this rate does not exceed the specifications. In general, Ultra Wide SCSI disks can handle 50 to 70 I/O operations per second.

Resource: Disk
Object\Counter: Physical Disk\Current Disk Queue Length
Suggested threshold: Number of spindles plus 2
Comments: This is an instantaneous counter; observe its value over several intervals. For an average over time, use Physical Disk\Avg. Disk Queue Length.

Resource: Memory
Object\Counter: Memory\Available Bytes
Suggested threshold: Less than 4 MB
Comments: Research memory usage and add memory if needed.

Resource: Memory
Object\Counter: Memory\Pages/sec
Suggested threshold: 20
Comments: Research paging activity.

Resource: Paging File
Object\Counter: Paging File\% Usage
Suggested threshold: Above 70%
Comments: Review this value in conjunction with Available Bytes and Pages/sec to understand paging activity on your computer.

Resource: Processor
Object\Counter: Processor\% Processor Time
Suggested threshold: 85%
Comments: Find the process that is using a high percentage of processor time. Upgrade to a faster processor or install an additional processor.

Resource: Processor
Object\Counter: Processor\Interrupts/sec
Suggested threshold: Depends on processor; 1000 interrupts per second is a good starting point
Comments: A dramatic increase in this counter value without a corresponding increase in system activity indicates a hardware problem. Identify the network adapter causing the interrupts. You might need to install an additional adapter or controller card.

Resource: Server
Object\Counter: Server\Bytes Total/sec
Comments: If the sum of Bytes Total/sec for all servers is roughly equal to the maximum transfer rates of your network, you might need to segment the network.

Resource: Server
Object\Counter: Server\Work Item Shortages
Suggested threshold: 3
Comments: If the value reaches this threshold, consider adding the DWORD entries InitWorkItems (the number of work items allocated to a processor during start up) or MaxWorkItems (the maximum number of receive buffers that a server can allocate) to the registry (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters). The entry InitWorkItems can range from 1 to 512 while MaxWorkItems can range from 1 to 65535. Start with any value for InitWorkItems and a value of 4096 for MaxWorkItems and keep doubling these values until the Server\Work Item Shortages threshold stays below 3. For information about modifying the registry, see Registry Editor Help.
Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Resource: Server
Object\Counter: Server\Pool Paged Peak
Suggested threshold: Amount of physical RAM
Comments: This value is an indicator of the maximum paging file size and the amount of physical memory.

Resource: Server
Object\Counter: Server Work Queues\Queue Length
Suggested threshold: 4
Comments: If the value reaches this threshold, there may be a processor hindrance. This is an instantaneous counter; observe its value over several intervals.

Resource: Multiple Processors
Object\Counter: System\Processor Queue Length
Suggested threshold: 2
Comments: This is an instantaneous counter; observe its value over several intervals.
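As an added example (not part of the original TestKing explanation), the thresholds from the table above applied to a constructed set of System Monitor readings for a single-processor server like TestKingSrv. The readings are made up and are not the exam exhibit; the disk queue threshold is parameterized on the spindle count as the table prescribes.

```python
"""Check System Monitor readings against the suggested thresholds in the table above.

Constructed example: the rules mirror the table; the sample readings are made up
(they are not the exam exhibit) and are chosen to show a memory bottleneck.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MB = 1024 * 1024


@dataclass(frozen=True)
class Rule:
    resource: str
    counter: str
    threshold: float
    direction: str  # "above", "below", or "reaches" (at or above) the threshold is a problem
    note: str


def build_rules(spindles: int = 1) -> List[Rule]:
    """Thresholds from the table. The disk queue rule is 'number of spindles plus 2';
    counters whose threshold is only 'depends on ...' are omitted."""
    return [
        Rule("Disk", r"Physical Disk\% Free Space", 15.0, "below", "low free space"),
        Rule("Disk", r"Physical Disk\% Disk Time", 90.0, "above", "disk is busy"),
        Rule("Disk", r"Physical Disk\Current Disk Queue Length", float(spindles + 2), "above",
             "instantaneous counter; observe several intervals"),
        Rule("Memory", r"Memory\Available Bytes", 4.0 * MB, "below",
             "research memory usage and add memory if needed"),
        Rule("Memory", r"Memory\Pages/sec", 20.0, "above", "research paging activity"),
        Rule("Paging File", r"Paging File\% Usage", 70.0, "above",
             "review with Available Bytes and Pages/sec"),
        Rule("Processor", r"Processor\% Processor Time", 85.0, "above",
             "find the process using the CPU; faster or additional processor"),
        Rule("Server", r"Server\Work Item Shortages", 3.0, "reaches",
             "consider InitWorkItems / MaxWorkItems"),
        Rule("Server", r"Server Work Queues\Queue Length", 4.0, "reaches",
             "possible processor hindrance; instantaneous counter"),
        Rule("Multiple Processors", r"System\Processor Queue Length", 2.0, "above",
             "instantaneous counter; observe several intervals"),
    ]


def crosses(rule: Rule, value: float) -> bool:
    """True when the value is on the problem side of the rule's threshold."""
    if rule.direction == "above":
        return value > rule.threshold
    if rule.direction == "below":
        return value < rule.threshold
    return value >= rule.threshold  # "reaches"


def evaluate(samples: Dict[str, List[float]], spindles: int = 1) -> Dict[str, List[str]]:
    """Map each resource to the counters whose average reading crosses the threshold.

    Averaging the readings follows the table's advice for instantaneous counters:
    judge the value over several intervals, not from a single sample."""
    flagged: Dict[str, List[str]] = {}
    for rule in build_rules(spindles):
        readings = samples.get(rule.counter)
        if not readings:
            continue  # counter not collected; nothing to judge
        avg = sum(readings) / len(readings)
        if crosses(rule, avg):
            flagged.setdefault(rule.resource, []).append(
                f"{rule.counter} avg={avg:.1f} ({rule.note})")
    return flagged


def primary_bottleneck(flagged: Dict[str, List[str]]) -> Optional[str]:
    """Pick the component to upgrade first, minimizing hardware changes.

    Memory pressure shows as high Pages/sec and low Available Bytes, and the paging
    it causes also inflates paging-file usage and disk activity, so a flagged Memory
    resource is treated as the root cause. Otherwise the first flagged resource in
    table order is returned."""
    if not flagged:
        return None
    if "Memory" in flagged:
        return "Memory"
    for rule in build_rules():
        if rule.resource in flagged:
            return rule.resource
    return None


# Constructed two-hour summary for a single-processor server (three readings per
# counter, consistent over time). Not the exhibit from the exam question.
SAMPLE_READINGS: Dict[str, List[float]] = {
    r"Processor\% Processor Time": [62.0, 65.0, 60.0],
    r"Memory\Available Bytes": [2.5 * MB, 2.1 * MB, 2.8 * MB],
    r"Memory\Pages/sec": [140.0, 155.0, 132.0],
    r"Paging File\% Usage": [78.0, 81.0, 80.0],
    r"Physical Disk\% Disk Time": [93.0, 95.0, 92.0],
    r"Physical Disk\Current Disk Queue Length": [5.0, 6.0, 4.0],
    r"Physical Disk\% Free Space": [40.0, 40.0, 40.0],
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_READINGS, spindles=1)
    for resource, hits in result.items():
        print(resource, hits)
    print("Upgrade first:", primary_bottleneck(result))
```

Disk Time and the disk queue are flagged as well, but with Pages/sec far above 20 and Available Bytes under 4 MB the disk load is a symptom of paging, which is why the sample points at RAM rather than new disks.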

QUESTION NO: 54

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. You administer a three-node Network Load Balancing cluster. Each cluster node runs Windows Server 2003 and has a single network adapter. The cluster has converged successfully. You notice that the nodes in the cluster run at almost full capacity most of the time. You want to add a fourth node to the cluster. You enable and configure Network Load Balancing on the fourth node. However, the cluster does not converge to a four-node cluster. In the System log on the existing three nodes, you find the exact same TCP/IP error event. The event has the following description: “The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 02:BF:0A:32:08:46.” In the System log on the new fourth node, you find a similar TCP/IP error event with the following description: “The system detected an address conflict for IP address 10.50.8.70 with the system having network hardware address 03:BF:0A:32:08:46.” Only the hardware address is different in the two descriptions. You verify that IP address 10.50.8.70 is configured as the cluster IP address on all four nodes. You want to configure a four-node Network Load Balancing cluster. What should you do?

A. Configure the fourth node to use multicast mode.
B. Remove 10.50.8.70 from the Network Connections Properties of the fourth node.
C. On the fourth node, run the nlb.exe resume command.
D. On the fourth node, run the wlbs.exe reload command.

Answer: A

Explanation:
This normally happens when you don’t enable the Network Load Balancing service in TCP/IP of the server when adding two IPs (one for the server and one for the load-balancing IP). When you want to manage an NLB cluster with one network adapter, you use the multicast option. My idea is, since reload/suspend and remove the IP are all garbage answers, it could be that the other nodes are using multicast and this new node is using unicast; that’s why on a single network adapter configuration it will cause an IP conflict.

Reference: Syngress 070-293, Page 689

QUESTION NO: 55

You are the network administrator for TestKing. You need to provide Internet name resolution services for the company. You set up a Windows Server 2003 computer running the DNS Server service to provide this network service. During testing, you notice the following intermittent problems:

• Name resolution queries sometimes take longer than one minute to resolve.
• Some valid name resolution queries receive the following error message in the Nslookup command-line tool: “Non-existent domain”.

You suspect that there is a problem with name resolution. You need to review the individual queries that the server handles. You want to configure monitoring on the DNS server to troubleshoot the problem. What should you do?

A. In the DNS server properties, on the Debug Logging tab, select the Log packets for debugging option.
B. In the DNS server properties, on the Event Logging tab, select the Errors and warnings option.
C. In the System Monitor, monitor the Recursive Query Failure counter in the DNS object.
D. In the DNS server properties, on the Monitoring tab, select the monitoring options.

Answer: A

Explanation:
If you need to analyze and monitor the DNS server performance in greater detail, you can use the optional debug tool. You can choose to log packets based on the following:
• Their direction, either outbound or inbound
• The transport protocol, either TCP or UDP
• Their contents: queries/transfers, updates, or notifications
• Their type, either requests or responses
• Their IP address
Finally, you can choose to include detailed information.

Note: That’s the only thing that’s going to let you see details about packets.

Reference: Syngress 070-293, page 414

Troubleshooting DNS servers: Using server debug logging options
The following DNS debug logging options are available:

• Direction of packets

  Send: Packets sent by the DNS server are logged in the DNS server log file.
  Receive: Packets received by the DNS server are logged in the log file.

• Content of packets
  Standard queries: Specifies that packets containing standard queries (per RFC 1034) are logged in the DNS server log file.
  Updates: Specifies that packets containing dynamic updates (per RFC 2136) are logged in the DNS server log file.
  Notifies: Specifies that packets containing notifications (per RFC 1996) are logged in the DNS server log file.

• Transport protocol
  UDP: Specifies that packets sent and received over UDP are logged in the DNS server log file.
  TCP: Specifies that packets sent and received over TCP are logged in the DNS server log file.

• Type of packet
  Request: Specifies that request packets are logged in the DNS server log file (a request packet is characterized by a QR bit set to 0 in the DNS message header).
  Response: Specifies that response packets are logged in the DNS server log file (a response packet is characterized by a QR bit set to 1 in the DNS message header).

• Enable filtering based on IP address
  Provides additional filtering of packets logged in the DNS server log file. This option allows logging of packets sent from specific IP addresses to a DNS server, or from a DNS server to specific IP addresses.

• File name
  Lets you specify the name and location of the DNS server log file. For example, dns.log specifies that the DNS server log file should be saved as dns.log in the systemroot.

QUESTION NO: 56
You are a network administrator for TestKing. The network contains four Windows Server 2003 computers configured as a four-node server cluster. The cluster uses drive Q for the quorum resource. You receive a critical warning that both drives of the mirrored volume that are dedicated to the quorum disk have failed. You want to bring the cluster and all nodes back into operation as soon as possible. Which four actions should you take to achieve this goal? To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes until you list all four required actions in the correct order.

Answer:

Explanation: To recover from a corrupted quorum log or quorum disk

1. If the Cluster service is running, open Computer Management.
2. In the console tree, double-click Services and Applications, and then click Services.
3. In the details pane, click Cluster Service.
4. On the Action menu, click Stop.
5. Repeat steps 1, 2, 3, and 4 for all nodes.
6. If you have a backup of the quorum log, restore the log by following the instructions in "Backing up and restoring server clusters" in Related Topics.
7. If you do not have a backup, select any given node. Make sure that Cluster Service is highlighted in the details pane, and then on the Action menu, click Properties. Under Service status, in Start parameters, specify /fixquorum, and then click Start.

8. Switch from the problematic quorum disk to another quorum resource. For more information, see "To use a different disk for the quorum resource" in Related Topics.

9. In Cluster Administrator, bring the new quorum resource disk online. For information on how to do this, see "To bring a resource online" in Related Topics.

10. Run Chkdsk, using the switches /f and /r, on the quorum resource disk to determine whether the disk is corrupted. For more information on running Chkdsk, see "Chkdsk" in Related Topics. If no corruption is detected on the disk, it is likely that the log was corrupted. Proceed to step 12.

11. If corruption is detected, check the System Log in Event Viewer for possible hardware errors. Resolve any hardware errors before continuing.

12. Stop the Cluster service after Chkdsk is complete, following the instructions in steps 1 - 4.
13. Make sure that Cluster Service is highlighted in the details pane. On the Action menu, click Properties. Under Service status, in Start parameters, specify /resetquorumlog, and then click Start. This restores the quorum log from the node's local database.

Important

• The Cluster service must be started by clicking Start on the service control panel. You cannot click OK or Apply to commit these changes as this does not preserve the /resetquorumlog parameter.

14. Restart the Cluster service on all other nodes.

QUESTION NO: 57
You are a network administrator for TestKing. TestKing has a main office and two branch offices. The branch offices are connected to the main office by T1 lines. The network consists of three Active Directory sites, one for each office. All client computers run either Windows 2000 Professional or Windows XP Professional. Each office has a small data center that contains domain controllers, WINS, DNS, and DHCP servers, all running Windows Server 2003. Users in all offices connect to a file server in the main office to retrieve critical files. The network team reports that the WAN connections are severely congested during peak business hours. Users report poor file server performance during peak business hours. The design team is concerned that the file server is a single point of failure. The design team requests a plan to alleviate the WAN congestion during business hours and to provide high availability for the file server. You need to provide a solution that improves file server performance during peak hours and that provides high availability for file services. You need to minimize bandwidth utilization. What should you do?

A. Purchase two high-end servers and a shared fiber-attached disk array. Implement a file server cluster in the main office by using both new servers and the shared fiber-attached disk array.

B. Implement Offline Files on the client computers in the branch offices by using Synchronization Manager. Schedule synchronization to occur during off-peak hours.

C. Implement a stand-alone Distributed File System (DFS) root in the main office.

Implement copies of shared folders for the branch offices. Schedule replication of shared folders to occur during off-peak hours by using scheduled tasks.

D. Implement a domain Distributed File System (DFS) root in the main office. Implement DFS replicas for the branch offices. Schedule replication to occur during off-peak hours.

Answer: D

Explanation:
A DFS root is effectively a folder containing links to shared files. A domain DFS root is stored in Active Directory. This means that the users don’t need to know which physical server is hosting the shared files; they just open a folder in Active Directory and view a list of shared folders. A DFS replica is another server hosting the same shared files. We can configure replication between the file servers to replicate the shared files out of business hours. The users in each office will access the files from a DFS replica in the user’s office, rather than accessing the files over a WAN link.

Incorrect Answers:
A: This won’t minimize bandwidth utilization because the users in the branch offices will still access the files over the WAN.
B: This doesn’t provide any redundancy for the server hosting the shared files.
C: You need DFS replicas to use the replicas of the shared folders.

QUESTION NO: 58
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named TestKingA. You are planning a public key infrastructure (PKI) for the company. You want to deploy an enterprise certification authority (CA) on TestKingA. You create a new global security group named Cert Approvers. You install an enterprise CA and configure the CA to issue Key Recovery Agent certificates. The company’s written security policy states that issuance of a Key Recovery Agent certificate requires approval from a member of the Cert Approvers group. All other certificates must be issued automatically. You need to ensure that members of the Cert Approvers group can approve pending enrollment requests for a Key Recovery Agent certificate. What should you do?

A. Assign the Cert Approvers group the Allow – Enroll permission for the Key Recovery Agent.
B. Assign the Cert Approvers group the Allow – Issue and Manage Certificates permission for the CA.
C. For all certificate managers, add the Cert Approvers group to the list of managed subjects.
D. Add the Cert Approvers group to the existing Cert Publisher group in the domain.
E. Assign the Cert Approvers group the Allow – Full Control permission for the Certificate Templates container in the Active Directory configuration naming context.

Answer: B

Explanation:
The permission Allow – Issue and Manage Certificates will enable the Cert Approvers group to issue the certificates.

QUESTION NO: 59
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for the company. You want to ensure that users who log on to the domain receive a certificate that can be used to authenticate to Web sites. You create a new certificate template named User Authentication. You configure a Group Policy object (GPO) that applies to all users. The GPO specifies that user certificates must be enrolled when the policy is applied. You install an enterprise certification authority (CA) on a computer that runs Windows Server 2003. Users report that when they log on, they do not have certificates to authenticate to Web sites that require certificate authentication. You want to ensure that users receive certificates that can be used to authenticate to Web sites. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. On the User Authenticate certificate template, select the Reenroll All Certificate Holders command.
B. Assign the Domain Users group the Allow – Autoenroll permission for the User Authentication certificate template.
C. Configure the CA to enable the User Authentication certificate template.
D. Assign the Domain Users group the Allow – Issue and Manage Certificates permission for the CA.

Answer: B, C

Explanation:
Certificate enrollment methods and domain membership

The domain membership of computers for which you want to enroll certificates affects the certificate enrollment method that you can choose. Certificates for domain member computers can be enrolled automatically (also known as auto-enrollment), while an administrator must enroll certificates for non-domain member computers using the Web or a floppy disk. The certificate enrollment method for non-domain member computers is known as a trust bootstrap process, through which certificates are created and then manually requested or distributed securely by administrators, to build common trust.

Allowing for autoenrollment
You can use autoenrollment so that subjects automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without subject interaction. For certificate templates, the intended subjects must have Read, Enroll and Autoenroll permissions before the subjects can enroll. To ensure that unintended subjects cannot request a certificate based on this template, you must identify those unintended subjects and explicitly configure the Deny permission for them. This acts as a safeguard, further ensuring that they cannot even present an unacceptable request to the certification authority. Note that Read permission does not allow enrollment or autoenrollment; it only allows the subject to view the certificate template. Renewal of existing certificates requires only the Enroll permission for the requesting subject. Certificates obtained in any way, including autoenrollment and manual requests, can be renewed automatically. These types of renewals do not require Autoenroll permission, even if they are renewed automatically.

Planning for autoenrollment deployment
Autoenrollment is a useful feature of certification services in Windows XP and Windows Server 2003, Standard Edition. Autoenrollment allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject. To properly configure subject autoenrollment, the administrator must plan the appropriate certificate template or templates to use. Several settings in the certificate template directly affect the behavior of subject autoenrollment.

• On the Request Handling tab of the selected certificate template, the selection of an autoenrollment user interaction setting will affect autoenrollment:


Setting / Effect on autoenrollment behavior

Enroll subject without requiring any user input
This setting will allow "silent" autoenrollment without requiring the user to take any action. This setting is preferred when clients require certificates but may not be aware that they are using them.

Prompt the user during enrollment
The user will receive a message and may need to take an action when enrollment is performed. This action may be necessary when the certificate is intended for a smart card, which would require the user to provide their personal identification number (PIN).

Prompt the user during enrollment and require user input when the private key is used
This setting prompts the user both during enrollment and whenever the private key is used. This is the most interactive autoenrollment behavior, as it requires the user to confirm all use of the private key. It is also the setting that provides the highest level of user awareness regarding key usage.

Caution

• This setting is provided to the client during certificate enrollment. The client should follow the configuration setting, but the setting is not enforced by the certification

QUESTION NO: 60

You are a network administrator for TestKing. The network consists of a single Windows 2000 Active Directory forest that has four domains. All client computers run Windows XP Professional. The company’s written security policy states that all e-mail messages must be electronically signed when sent to other employees. You decide to deploy Certificate Services and automatically enroll users for e-mail authentication certificates. You install Windows Server 2003 on two member servers and install Certificate Services. You configure one Windows Server 2003 computer as a root certification authority (CA). You configure the other Windows Server 2003 server as an enterprise subordinate CA. You open Certificate Templates on the enterprise subordinate CA, but you are unable to configure certificate templates for autoenrollment. The Certificate Templates administration tool is shown in the exhibit.


You need to configure Active Directory to support autoenrollment of certificates. What should you do?

A. Run the adprep /forestprep command on the schema operations master.
B. Place the enterprise subordinate CA’s computer account in the Cert Publisher Domain Local group.
C. Run the adprep /domainprep command on a Windows 2000 Server domain controller that is in the same domain as the enterprise subordinate CA.
D. Install Active Directory on the Windows Server 2003 member server that is functioning as the enterprise subordinate CA. Configure this server as an additional domain controller in the Windows 2000 Active Directory domain.

Answer: A

Explanation: The autoenrollment feature has several infrastructure requirements. These include:

• Windows Server 2003 schema and Group Policy updates
• Windows 2000 or Windows Server 2003 domain controllers
• Windows XP client
• Windows Server 2003, Enterprise Edition running as an Enterprise certificate authority (CA)


Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/certenrl.asp?frame=true

In this question, we have a Windows 2000 domain; therefore, we have Windows 2000 domain controllers. The Enterprise CA is running on a Windows Server 2003 member server, which will work, but only if the forest schema is a Windows Server 2003 schema. We can update the forest schema with the adprep /forestprep command.

Incorrect Answers:
B: This will happen in the domain in which the CAs are installed.
C: The adprep /domainprep command prepares a Windows 2000 domain for an upgrade to a Windows Server 2003 domain. We are not upgrading the domain, so this isn’t necessary.
D: The CA doesn’t have to be installed on a domain controller. You can’t install AD on a Windows 2003 server until you run the adprep commands.

QUESTION NO: 61

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 80 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed. TestKing is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers. You are planning a baseline security configuration for the Web servers. The company’s written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled:

• SMTP
• Telnet

Your plan for the baseline security configuration for Web servers must comply with the written security policy. You need to ensure that unnecessary services are always disabled on the Web servers. What should you do?

A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU.


B. Create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Web Servers OU.

C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU.

D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU.

Answer: C

Explanation: The web servers have been moved to an OU. This makes it easy for us to configure the web servers using a group policy. We can simply assign a group policy to the Web Servers OU to disable the services.

Incorrect Answers:
A: The logon script would only run when someone logs on to the web servers. It’s likely that the web servers will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy would be refreshed at regular intervals.

QUESTION NO: 62


You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The domain consists of the containers shown in the exhibit.

All production server computer accounts are located in an organizational unit (OU) named Servers. All production client computer accounts are located in an OU named Desktops. There are Group Policy objects (GPOs) linked to the domain, to the Servers OU, and to the Desktop OU. The company recently added new requirements to its written security policy. Some of the new requirements apply to all of the computers in the domain, some requirements apply to only servers, and some requirements apply to only client computers. You intend to implement the new requirements by making modifications to the existing GPOs. You configure 10 new Windows XP Professional computers and 5 new Windows Server 2003 computers in order to test the deployment of settings that comply with the new security requirements by using GPOs. You use the Group Policy Management Console (GPMC) to duplicate the existing GPOs for use in testing. You need to decide where to place the test computer accounts in the domain. You want to minimize the amount of administrative effort required to conduct the test while minimizing the impact of the test on production computers. You also want to avoid linking GPOs to multiple containers. What should you do?

A. Place all test computer accounts in the testking.com container.
B. Place all test computer accounts in the Computers container.
C. Place the test client computer accounts in the Desktops OU and the test server computer accounts in the Servers OU.
D. Create a child OU under the Desktops OU for the test client computer accounts. Create a child OU under the Servers OU for the test server computer accounts.
E. Create a new OU named Test under the testking.com container. Create a child OU under the Test OU for the test client computer accounts. Create a second child OU under the Test OU for the test server computer accounts.

Answer: E


Explanation: To minimize the impact of the test on production computers, we can create a test OU with child OUs for the servers and the client computer accounts. Settings that should apply to both the servers and the client computers can be applied to the Test OU, and settings that should apply only to the servers or only to the client computers can be applied to the appropriate child OUs.

Incorrect Answers:
A: You cannot place computer accounts directly under the domain container. They must be in an OU or in a built-in container such as the Computers container.
B: We need to separate the servers and the client computers into different OUs.
C: This solution would apply the new settings to existing production computers.
D: This could work, but you would have more group policy links. For example, the GPO settings that need to apply to both the servers and the client computers would need to be linked to both OUs. It would be easier to link the GPO to a single parent OU.


QUESTION NO: 63

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains a Windows Server 2003 member server named TestKingSrvA. The network also contains a Windows XP Professional computer named Client1. You use Client1 as an administrative computer. You plan to use Microsoft Baseline Security Analyzer (MBSA) on Client1 to analyze TestKingSrvA. However, the recent application of a custom security template disabled several services on TestKingSrvA. You need to ensure that you can use MBSA to analyze TestKingSrvA. Which two services should you enable? To answer, select the appropriate services to enable in the dialog box.


Answer:

Explanation: The Remote Registry and Server services should be enabled.

Reference: MS White Paper, Baseline Security Analyzer
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsaqa.asp

The following are the requirements for a computer to be scanned remotely by the tool:

• Windows NT 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows XP computers that use simple file sharing), or Windows Server 2003

• IE 5.01 or greater
• IIS 4.0, 5.0 (required for IIS vulnerability checks)
• SQL 7.0, 2000 (required for SQL vulnerability checks)
• Microsoft Office 2000, XP (required for desktop application vulnerability checks)
• The following services must be installed/enabled: Server service, Remote Registry service, File & Print Sharing

QUESTION NO: 64

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 10 application servers that run Windows Server 2003. The application servers are accessed from the TestKing network and from the Internet. The network design requires that the application servers must have specifically configured security settings, including


the password policy, audit policies, and security options settings. You create a security template named App.inf that contains the security settings required by the network design. You are concerned that an unauthorized user will modify the configuration and gain access to the application servers. You want to capture any changes made to the security settings of the application servers. You need to generate a report that compares the current settings of each application server with the required settings every 24 hours. What should you do?

A. Use a Group Policy startup script to run the secedit command in analysis mode with the App.inf template, and set the Group Policy refresh interval for computers to 24 hours.

B. Import the App.inf template into Group Policy, and set the Group Policy refresh interval for computers to 24 hours.

C. Use Task Scheduler to run the gpresult command in verbose mode every 24 hours.

D. Use a custom script in Task Scheduler to run the secedit command in analysis mode with the App.inf template every 24 hours.

Answer: D

Explanation: Secedit.exe is a command line version of the Security Configuration and Analysis tool. In ‘analysis’ mode, this tool can be used to compare the current system settings with the required settings. We can use the Task Scheduler to run a script that runs secedit.exe to analyse the current settings.

Incorrect Answers:
A: A Group Policy startup script will only run when the computer starts up. It does not run every time the group policy is refreshed.
B: This will reapply the required settings every 24 hours, but the question states that you want to capture any changes by comparing the current settings to the required settings.
C: The gpresult utility is a command line version of the RSoP utility. In verbose mode, it will list the effective policies on a computer. However, it won’t list the differences between the current settings and the required settings.

QUESTION NO: 65

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The company has remote users in the sales department who work from home. The remote users’ client computers run Windows XP Professional, and they are not members of the domain. The remote users’ client computers have local Internet access through an ISP.
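As an added example for question 64 (not taken from the TestKing document), the following batch script runs secedit in analysis mode against App.inf and keeps only the settings that differ, so that a scheduled daily run produces the comparison report the question asks for. The folder C:\Security, the file names and the task name are assumptions.

```batch
@echo off
rem Added example for question 64 (not from the TestKing document).
rem Compares the server's current security settings with the App.inf
rem template in analysis mode; nothing is applied to the server.
rem The paths below are assumed; adjust them to where App.inf is stored.
setlocal
set TEMPLATE=C:\Security\App.inf
set WORKDIR=C:\Security\Analysis
set DB=%WORKDIR%\App.sdb
set LOG=%WORKDIR%\App_analysis.log
set REPORT=%WORKDIR%\App_mismatches.txt

if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem Start from a fresh database and log so the report reflects only this run
rem (secedit appends to an existing log and merges into an existing database).
if exist "%DB%" del /q "%DB%"
if exist "%LOG%" del /q "%LOG%"

rem /analyze imports App.inf into the database and records every difference
rem between the template and the live settings in the log file.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /quiet

rem secedit marks each setting that differs from the template with the word
rem "Mismatch"; keep only those lines as the day's report.
findstr /i "mismatch" "%LOG%" > "%REPORT%"
endlocal
```

Save the script as C:\Security\CheckBaseline.cmd and register it once with `schtasks /create /tn "App.inf baseline check" /tr C:\Security\CheckBaseline.cmd /sc daily /st 02:00 /ru SYSTEM`; each run then rewrites App_mismatches.txt with the settings that no longer match App.inf.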


TestKing is deploying a Windows Server 2003 computer named TestKingA that has Routing and Remote Access installed. TestKingA will function as a VPN server, and the remote users will use it to connect to the company network. Confidential research data will be transmitted from the remote users’ client computers. Security is critical to the company and TestKingA must protect the remote users’ data transmissions to the main office. The remote client computers will use L2TP/IPSec to connect to the VPN server. You need to choose a secure authentication method. What should you do?

A. Use the authentication method of the default IPSec policies.
B. Create a custom IPSec policy and use the Kerberos version 5 authentication protocol.
C. Create a custom IPSec policy and use certificate-based authentication.
D. Create a custom IPSec policy and use preshared authentication.
E. Use the authentication method of the Routing and Remote Access custom IPSec policy for L2TP connection.

Answer: C

Explanation: The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.

Tunneling and authentication protocols, and the encryption levels applied to VPN connections, determine VPN security. L2TP/IPSec provides the highest level of security. For a VPN design, determine which VPN protocol best meets your requirements. Windows Server 2003 supports two VPN protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec).

L2TP/IPSec

The more secure of the two VPN protocols, L2TP/IPSec uses PPP user authentication methods and IPSec encryption to encrypt IP traffic. This combination uses certificate-based computer identity authentication to create IPSec security associations in addition to PPP-based user authentication. L2TP/IPSec provides data integrity, data origin authentication, data confidentiality, and replay protection for each packet. Support for L2TP/IPSec is provided with Windows Server 2003, as well as with Windows 2000 and Windows XP. To use L2TP/IPSec with the Microsoft® Windows® 98, Windows® Millennium Edition (Windows Me), or Windows NT® Workstation 4.0 operating system, download and install Microsoft L2TP/IPSec VPN Client (Mls2tp.exe).


Incorrect Answers:
A: The default IPSec policies don’t require encryption.
B: We cannot use the Kerberos version 5 authentication protocol because the remote users are not members of the domain.
D: Pre-shared authentication uses a “password” that is known by the server and the client computers. This method is less secure than a certificate-based method.
E: This answer sounds plausible, but the actual setting on RRAS, "Allow Custom IPSec policy for L2TP connection" in the RRAS Server properties, only allows a pre-shared key, which is NOT secure compared to certificate-based IPSec policies.

Reference: MS Windows Server 2003 Deployment Kit, Deploying Network Services, Planning Security for a VPN, Selecting a VPN Protocol

QUESTION NO: 66

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The network contains 100 Windows XP Professional computers. You configure a wireless network that requires IEEE 802.1x certificate-based authentication. Only 10 of the client computers are approved for wireless network access. You need to enable the approved computers to access the wireless network while restricting access for all other computers. What should you do?

A. Establish an enterprise certification authority (CA) for the domain. Create a global group that contains the user accounts for the employees who will use the approved computers. Create a certificate template for IEEE 802.1x authentication. For the global group, configure autoenrollment for certificates based on the certificate template.

B. Establish an enterprise certification authority (CA) for the domain. Create a global group that contains the approved computer accounts. Create a certificate template for IEEE 802.1x authentication. For the global group, configure the autoenrollment for certificates based on the certificate template.

C. Create a global group that contains the user accounts for the employees who will use the approved computers.


Configure the security permissions for the Default Domain Policy Group Policy object (GPO) so that only the new global group can apply the GPO settings. Establish an enterprise certification authority (CA) for the domain.

D. Create a global group that contains the approved computer accounts. Configure the security permissions for the Default Domain Controllers Policy Group Policy object (GPO) so that only the new global group can apply the GPO settings. Establish an enterprise certification authority (CA) for the domain.

Answer: B

Explanation: The question states that only 10 of the client computers are approved for wireless network access. Therefore we need to authenticate the computers to allow wireless access. Answer A is wrong because it suggests authenticating the users rather than the computers.

To plan for the configuration of Active Directory for your wireless clients, identify the user and computer accounts for wireless users, and add them to a group that will be used in conjunction with a remote access policy to manage wireless access. You must also determine how to set the remote access permission on the user and computer accounts.

Provides options that allow you to specify how computer authentication works with user authentication. If you select Computer only, authentication is always performed using the computer credentials. User authentication is never performed. If you select With user re-authentication (recommended), when users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. If you select With user authentication, when users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained using the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.

To create a policy we can do it at any level.

To support a secure wireless solution, your existing network infrastructure must include the following components:

• Active Directory, to store account properties and validate password-based credentials.
• DHCP services, to provide automatic IP configuration to wireless clients.
• DNS services, to provide name resolution.


• RADIUS support, to provide centralized connection authentication, authorization, and accounting.
• A certificate infrastructure, also known as a PKI, to issue and validate the certificates required for Extensible Authentication Protocol–Transport Level Security (EAP-TLS) and Protected EAP (PEAP)–TLS authentication. TLS can use either smart cards or registry-based user certificates for authenticating the wireless client.

• For PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) authentication, computer certificates for the RADIUS servers and root CA certificates of the issuing CAs on the wireless clients (if needed).

Windows Server 2003 provides all of these components, with some variations in the levels of features supported and capabilities in different editions of the operating system (Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition).

IEEE 802.1X

The 802.1X standard defines port-based network access control to provide authenticated network access for Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard is designed for wired Ethernet networks, it applies to 802.11 WLANs as well.

Design Considerations for Wireless Network Policies

Consider the following issues that pertain to authentication methods and wireless network policies:

• Computer authentication is recommended. By default, authentication is set to Enabled.
• The access point must support the authentication method that you select. For example, the access point must support 802.1X. If you choose EAP-TLS, all computers must support it (for example, a RADIUS server must support EAP-TLS).

• Your servers and wireless clients must support the authentication method you plan to deploy. Whether you choose EAP-TLS or PEAP as the authentication method over 802.1X, both your RADIUS server and your wireless clients need to support it.

• It is recommended that you permit certificate autoenrollment for users and computers when you use EAP-TLS.

• The wireless network configuration settings that are defined in GPOs take precedence over user-defined settings. The only exception to this is the list of preferred networks, where the policy-defined list is merged with the user-defined list.

• If a domain policy for wireless configuration exists, the local user (whether the user is an administrator or non-administrator) cannot remove or disable the domain policy.

• When a Group Policy change occurs, the Wireless Configuration service breaks the current association if and only if the new policy takes precedence (for example, a visible network is now a more preferred network according to the policy’s list of preferred networks). In all other cases, the association does not change.

• If a GPO that contains wireless network policies is deleted, the Wireless Configuration service clears its policy cache, initiates and processes a soft reset, and then reverts to the user-configured settings.


Creating Wireless Network Policies

You can define wireless network policies for your organization by using the Group Policy Object Editor snap-in.

To access Wireless Network (IEEE 802.11) Policies

1. Open GPMC.
2. Right-click the GPO that you want to edit, and then click Edit.
3. In the Group Policy Object Editor console tree, click Computer Configuration, click Windows Settings, and then click Security Settings.
4. Right-click Wireless Network (IEEE 802.11) Policies on Active Directory, and then click Create Wireless Policies. The Wireless Policy Wizard starts.

Defining Wireless Configuration Options for Preferred Networks

By using the Properties page for your wireless configuration policy, you can define a list of preferred networks to use. You can use the General tab to specify how often to check for policy changes, which networks to access, whether to disable Zero Configuration, or automatically connect to non-preferred networks.

To define preferred wireless networks

1. Open GPMC.
2. In the console tree, expand the domain or OU that you want to manage, right-click the Group Policy object that you want to edit, and then click Edit.
3. In the Group Policy Object Editor console tree, click Computer Configuration, click Windows Settings, and then click Security Settings.
4. Click Wireless Network (IEEE 802.11) Policies, right-click the wireless network policy that you want to modify, and then click Properties.
5. Click the Preferred Networks tab, and then click Add.
6. Click the Network Properties tab, and then in the Name box, type a unique name.
7. In the Description box, type a description of the wireless network, such as the type of network and whether WEP and IEEE 802.1X authentication are enabled.
8. In the Wireless network key (WEP) box, specify whether a network key is used for encryption and authentication, and whether a network key is provided automatically. The options are:
   o Data encryption (WEP enabled). Select this option to require that a network key be used for encryption.
   o Network authentication (Shared mode). Select this option to require that a network key be used for authentication. If this option is not selected, a network key is not required for authentication, and the network is operating in open system mode.
   o The key is provided automatically. Select this option to specify whether a network key is automatically provided for clients (for example, whether a network key is provided for wireless network adapters).
9. To specify that the network is a computer-to-computer (ad hoc) network, click to select the This is a computer-to-computer (ad hoc) network; wireless access points are not used check box.

To define 802.1X authentication

1. Open GPMC.


2. In the console tree, expand the domain or OU that you want to manage, right-click the Group Policy object that you want to edit, and then click Edit.

3. In the Group Policy Object Editor console tree, click Computer Configuration, click Windows Settings, and then click Security Settings.

4. Click Wireless Network (IEEE 802.11) Policies, right-click the wireless network policy that you want to modify, and then click Properties.

5. On the Preferred Networks tab, under Networks, click the wireless network for which you want to define IEEE 802.1X authentication.

6. On the IEEE 802.1X tab, check the Enable network access control using IEEE 802.1X check box to enable IEEE 802.1X authentication for this wireless network. This is the default setting. To disable IEEE 802.1X authentication for this wireless network, clear the Enable network access control using IEEE 802.1X check box.

7. Specify whether to transmit EAPOL-start message packets and how to transmit them.

8. Specify EAPOL-Start message packet parameters.

9. In the EAP type box, click the EAP type that you want to use with this wireless network.

10. In the Certificate type box, select one of the following options:

o Smart card. Permits clients to use the certificate that resides on their smart card for authentication.

o Certificate on this computer. Permits clients to use the certificate that resides in the certificate store on their computer for authentication.

11. To verify that the server certificates that are presented to client computers are still valid, select the Validate server certificate check box.

12. To specify whether client computers must try authentication to the network, select one of the following check boxes:

o Authenticate as guest when user or computer information is unavailable. Specifies that the computer must attempt authentication to the network if user information or computer information is not available.

o Authenticate as computer when computer information is available. Specifies that the computer attempts authentication to the network if a user is not logged on. After you select this check box, specify how the computer attempts authentication.

References: MS Windows Server 2003 Deployment Kit, Deploying Network Services and Designing a Managed Environment:
• Overview of Deploying a Wireless LAN
• Creating Wireless Network Policies
• WLAN Technology Background
• Defining Wireless Configuration Options for Preferred Networks


QUESTION NO: 67

You are the senior systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers in the sales department run Windows NT Workstation 4.0 with the Active Directory Client Extension software installed. All other client computers run Windows XP Professional. All servers are located in an organizational unit (OU) named Servers. All client computers are located in an OU named Desktops. Four servers contain confidential company information that is used by users in either the finance department or the research department. Users in the sales department also store files and applications on these servers. The company’s written security policy states that for auditing purposes, all network connections to these resources must require authentication at the protocol level. The written security policy also states that all network connections to these resources must be encrypted. The TestKing budget does not allow for the purchase of any new hardware or software. The applications and data located on these servers may not be moved to any other server in the network. You define and assign the appropriate permissions to ensure that only authorized users can access the resources on the servers. You now need to ensure that all connections made to these servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy. You also need to ensure that all users in the sales department can continue to access their resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Secure Server (Require Security) IPSec policy in the GPO.

B. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Server (Request Security) IPSec policy in the GPO.

C. Create a new Group Policy object (GPO) and link it to the Desktops OU. Enable the Client (Respond only) IPSec policy in the GPO.

D. Create a new Group Policy object (GPO). Edit the GPO to enable the Registry Policy Processing option and the IP Security Policy Processing option. Copy the GPO files to the Netlogon shared folder.

E. Use the System Policy Editor to open the System.adm file and enable the Registry Policy Processing option and the IP Security Policy Processing option. Save the system policy as NTConfig.pol.

Answer: B, C
Explanation: We need to ensure that the connections made to the servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy.


The computers in these departments run Windows XP Professional, so we can enable IPSec communication between the servers and the clients in the finance and research departments. The sales users, however, run Windows NT Workstation 4.0, which has no IPSec support (the Active Directory Client Extension does not add it). To keep the NT clients working, assign the Server (Request Security) IPSec policy to the servers and the Client (Respond only) IPSec policy to the client computers: the servers negotiate IPSec with any client that answers IKE and fall back to unprotected traffic with clients that do not. Two points to keep in mind: the default policies authenticate with Kerberos, so the protocol-level authentication the policy asks for is available only to domain members; and because Request Security falls back to the clear whenever IKE gets no answer, the servers cannot enforce encryption, so the requirement is met for the finance and research users only because their XP computers carry the Respond only policy. A would lock the NT clients out entirely. D and E do not apply: Windows NT 4.0 processes system policy (NTConfig.pol), not Group Policy, and has no IPSec component to configure.

QUESTION NO: 68
You are the systems engineer for TestKing. The company has a main office in Las Palmas and two branch offices, one in Barcelona and one in Madrid. The offices are connected to one another by dedicated T1 lines. Each office has its own local IT department and administrative staff.

The company network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All servers support firmware-based console redirection by means of the serial port. The server hardware does not support any other method of console redirection and cannot be upgraded to do so.

The company is currently being reorganized. The IT department from each branch office is being relocated to a new central data center in the Las Palmas office. Several servers from each branch office are also being relocated to the Las Palmas data center. Each branch office will retain 10 servers.

A new written security policy includes the following requirements:

• All servers must be remotely administered for all administrative tasks.
• All servers must be administered from the Las Palmas office.
• All remote administration connections must be authenticated and encrypted.

Your current network configuration already adheres to the new written security policy for day-to-day server administration tasks performed on the servers. You need to plan a configuration for out-of-band management tasks for each office that meets the new security requirements. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. Connect each server’s serial port to a terminal concentrator. Connect the terminal concentrator to the network.

B. Connect a second network adapter to each server. Connect the second network adapter in each server to a separate network switch. Connect the management port on the switch to a WAN port on the office router. Enable IPSec on the router.

C. Enable Routing and Remote Access on a server in each branch office, and configure it as an L2TP/IPSec VPN server. Configure a remote access policy to allow only authorized administrative staff to make a VPN connection.

D. On each server, enable the Telnet service with a startup parameter of Automatic. Configure Telnet on each server to use only NTLM authentication. Apply the Server (Request Security) IPSec policy to all servers.

E. On each server, enable Emergency Management Services console redirection and the Emergency Management Services Special Administration Console (SAC).

Answer: A, C, E
Explanation: The servers support console redirection only over the serial port, so out-of-band management means reaching each server’s serial console from Las Palmas. E enables that console on every server (Emergency Management Services redirection with the Special Administration Console). A gathers the serial consoles of the 10 servers that remain in each branch onto a terminal concentrator that is reachable over the network. C gives the administrators in Las Palmas an authenticated, encrypted L2TP/IPSec path into each branch, so the Telnet session to the concentrator (which is cleartext unless the device itself adds security) is carried inside the VPN and is limited to authorized staff by the remote access policy. D is not out-of-band: the Telnet service needs a running operating system and network stack, and NTLM authentication protects the logon, not the session data. B likewise still depends on the servers’ in-band network stack and gives no console access when the operating system is not running.

Special Administration Console Helper
You can use the Special Administration Console Helper system service to perform remote management tasks if the Windows Server 2003 family operating system stops functioning due to a Stop error message. The main functions of Special Administration Console (!SAC) are to:

• Redirect Stop error message explanatory text
• Restart the system
• Obtain computer identification information

The !SAC is an auxiliary Emergency Management Services command-line environment that is hosted by Windows Server 2003 family operating systems. It also accepts input and sends output through the out-of-band port. SAC is a separate entity from both !SAC and the Windows Server 2003 family command-line environments. After a specific failure point is reached, Emergency Management Services components determine when the shift should be made from SAC to !SAC. !SAC becomes available automatically if SAC fails to load or is not functioning. If the Special Administration Console Helper service is stopped, SAC services will no longer be available. If this service is disabled, any services that explicitly depend on this service will not start.

Service Name   Member Server Default   Legacy Client   Enterprise Client   High Security
Sacsvr         Manual                  Disabled        Disabled            Disabled

Terminal concentrators
A terminal concentrator is a hardware device that consolidates serial access to multiple servers into a single networked device. You can use this device to monitor a large number of servers simultaneously from one location. Terminal concentrators include many serial ports connected to multiple servers using null modem cables. Typically, you access terminal concentrators over the network through the Telnet protocol. Terminal concentrators provide an interface through which you can remotely view data on multiple servers that use serial ports as their out-of-band connection. Terminal concentrators can improve your management of servers because they can establish in-band connections to the servers and then perform out-of-band management tasks. In addition, terminal concentrators make it easier to manage servers for the following reasons:

• You can use terminal concentrators to manage multiple servers without needing to be within a serial cable’s distance of the computer.
• Several administrators can simultaneously view the output of different servers.
• Using an out-of-band connection, you can use terminal concentrators to monitor servers methodically.

You can also manage multiple servers from one location. Several companies manufacture terminal concentrators; their setup, features, and configuration details vary. When assessing the appropriateness of a particular terminal concentrator, consider the following:

• The number of serial ports available.
• Built-in Telnet security features, such as passwords.
• Remote-access capabilities.
• The number of Ethernet ports available.

Telnet security features are not standard across terminal concentrators. If your device does not include security features, consider using a secondary private management network accessible through a direct-dial remote access connection or a virtual private network (VPN) connection. You can also use a router to secure network traffic going to the terminal concentrator. Make sure that the terminal emulation software you use supports serial port and terminal definition settings that are compatible with Emergency Management Services, as well as with your service processor or system firmware. If possible, use terminal emulation software that supports the VT-UTF8 protocol, because VT-UTF8 support for Unicode provides for multilingual versions of Windows. If English is the only language you need to support, the VT100+ terminal definition is sufficient. At minimum, you can use the VT100 definition, but this terminal definition requires that you manually enter escape sequences for function keys and so forth.

Glossary terms from Server Help:
• Serial port: an interface on the computer that allows asynchronous transmission of data characters one bit at a time. Also called a communication port or COM port.
• Null modem cable: special cabling that eliminates the modem’s need for asynchronous communications between two computers over short distances. A null modem cable emulates modem communication.
• Telnet: a protocol that enables an Internet user to log on to and enter commands on a remote computer linked to the Internet, as if the user were using a text-based terminal directly attached to that computer. Telnet is part of the TCP/IP suite of protocols. The term telnet also refers to the software (client or server component) that implements this protocol.
• Out-of-band connection: a connection between two computers that relies on a nonstandard network connection, such as a serial port connection, and nonstandard remote administration tools, such as Special Administration Console (SAC). An out-of-band connection is usually used only when a remote computer cannot access a network or is not in a functional state because of hardware or software failure.
• Ethernet: the IEEE 802.3 standard that uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) as the medium access control. Ethernet supports different mediums, such as coaxial cable, fiber-optic cable, and twisted-pair wiring, and different data rates, such as 10 megabits per second (Mbps).
• Virtual private network (VPN): the extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet.
• Router: hardware that helps local area networks (LANs) and wide area networks (WANs) achieve interoperability and connectivity and that can link LANs that have different network topologies (such as Ethernet and Token Ring). Routers match packet headers to a LAN segment and choose the best path for the packet, optimizing network performance.

References: Server Help

QUESTION NO: 69
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains four organizational units (OUs), as shown in the work area. The HR_Servers OU contains 10 Windows Server 2003 computers that contain confidential human resources information. The Workstation OU contains all of the Windows XP Professional computers in the domain. All client computers need to communicate with the human resources servers. The company’s written security policy requires that all network communications with the servers that contain human resources data must be encrypted by using IPSec. Client computers must also be able to communicate with other computers that do not support IPSec. You create three Group Policy objects (GPOs), one for each of the three default IPSec policies.
You need to link the GPOs to the appropriate Active Directory container or containers to satisfy the security and access requirements. You want to minimize the number of GPOs that are processed by any computer. What should you do?


To answer, drag the appropriate GPO or GPOs to the correct Active Directory container or containers in the work area.


Answer: Link the GPO that assigns Secure Server (Require Security) to the HR_Servers OU, and link the GPO that assigns Client (Respond Only) to the Workstation OU. The GPO that assigns Server (Request Security) is not linked anywhere. (The drag-and-drop answer image is not reproduced.)

Explanation: The servers in the HR_Servers OU require secure communications, so the Secure Server (Require Security) IPSec policy must be assigned to them. The clients should have the Client (Respond Only) IPSec policy assigned. When a client communicates with an HR server, the server demands IPSec and the client is able to negotiate it; the clients can still communicate with other computers without using IPSec. Linking the two GPOs directly to the HR_Servers and Workstation OUs, rather than to the domain, keeps the number of GPOs each computer processes to a minimum.

IPSec for high security
Computers that contain highly sensitive data are at risk for data theft, accidental or malicious disruption of the system (especially in remote dial-up scenarios), or any public network communications.

Understanding Default IPSec Policies
Windows Server 2003 includes three default IPSec policies that are provided as examples only. Do not use any part of the examples as templates to edit or change when creating your own IPSec policies. Instead, design new custom IPSec policies for operational use. The example policies will be overwritten during operating system upgrades and when IPSec policies are imported (when the import files contain other definitions of the same example policies). The three default IPSec policies are as follows:

• Client (Respond Only). This default policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.


• Server (Request Security). This default policy contains two rules: the default response rule and a second rule that allows initial incoming communication to be unsecured. The second rule then negotiates security for all outbound unicast IP traffic (security is not negotiated for multicast or broadcast traffic). The filter action for the second rule allows IKE to fall back to unsecured communication when required. This policy can be combined with the Client (Respond Only) policy when you want traffic secured by IPSec when possible, yet allow unsecured communication with computers that are not IPSec-enabled. If IKE receives a response from an IPSec-enabled client, but the IKE security negotiation fails, the communication is blocked. In this case, IKE cannot fall back to unsecured communication.

• Secure Server (Require Security). This default policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.

Reference: Server Help

QUESTION NO: 70
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Client computers run Windows 2000 Professional, Windows XP Professional, or Windows NT Workstation 4.0. TestKing wants to increase the security of the communication on the network by using IPSec as much as possible. The company does not want to upgrade the Windows NT Workstation 4.0 client computers to another operating system. The servers use a custom IPSec policy named Domain Servers. The rules of the Domain Servers IPSec policy are shown in the exhibit.


You create a new Group Policy object (GPO) and link it to the domain. You configure the GPO to assign the predefined IPSec policy named Client (Respond Only). After these configuration changes, users of the Windows NT Workstation 4.0 computers report that they cannot connect to the servers in the domain. You want to ensure that Windows NT Workstation 4.0 client computers can connect to servers in the domain. What should you do?

A. Change the All IP Traffic rule in the Domain Servers IPSec policy to use a preshared key for authentication.

B. Change the All IP Traffic rule in the Domain Servers IPSec policy to use the Request Security (Optional) filter action.

C. Activate the default response rule for the Domain Servers IPSec policy.
D. Install the Microsoft L2TP/IPSec VPN Client software on the Windows NT Workstation 4.0 computers.
E. Install the Active Directory Client Extensions software on the Windows NT Workstation 4.0 computers.

Answer: B


Explanation: The exhibit shows that the All IP Traffic rule in the Domain Servers policy uses the Require Security filter action. The Windows NT Workstation 4.0 clients cannot use IPSec at all, so IKE never receives an answer from them and the servers discard the traffic. Changing the filter action to Request Security (Optional) makes the servers use IPSec whenever the peer can negotiate it (the Windows 2000 and Windows XP clients, which now hold Client (Respond Only)) and fall back to unsecured communication when the peer cannot. A does not help, because preshared-key authentication still needs an IPSec-capable peer; C only makes the servers answer other computers’ IKE requests, which the NT clients never send; D adds IPSec only for L2TP VPN tunnels, not for ordinary LAN traffic; and E does not add an IPSec implementation to Windows NT 4.0.

[Exhibit pictures not reproduced: the Client (Respond Only) default response rule, the Secure Server (Require Security) default rule, and the Server (Request Security) default rule.]


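The way the three default policies combine, as relied on in questions 67, 69 and 70, can be checked mechanically. The following Python script is an added example (it is not part of the TestKing material and not Microsoft code). It does not run IKE; it only encodes the fallback rules the policy descriptions state: Request Security falls back to the clear when IKE gets no answer, Require Security never does, and an IKE negotiation that is answered but fails blocks traffic under both. The host names and the client population are constructed for the question 67 scenario.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    NONE = "no IPSec support"                   # e.g. Windows NT Workstation 4.0
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"


# Policies whose second rule starts an IKE negotiation for outbound unicast traffic.
REQUESTS = {Policy.SERVER, Policy.SECURE_SERVER}
# Policies that can answer an IKE request (any host running the IPSec service).
IPSEC_CAPABLE = {Policy.CLIENT, Policy.SERVER, Policy.SECURE_SERVER}


@dataclass(frozen=True)
class Host:
    name: str
    policy: Policy
    ike_ok: bool = True   # False: IPSec-capable, but IKE fails (e.g. no Kerberos ticket)


@dataclass(frozen=True)
class Outcome:
    allowed: bool   # does any traffic flow?
    secured: bool   # is it protected by IPSec?
    reason: str


def connect(a: Host, b: Host) -> Outcome:
    """Outcome of unicast IP traffic between a and b under their assigned policies.

    Direction does not matter for the default policies: both Request and Require
    accept the first inbound packet in the clear and negotiate before replying.
    """
    requesters = [h for h in (a, b) if h.policy in REQUESTS]
    if not requesters:
        # Respond Only never asks, and a host without IPSec cannot ask.
        return Outcome(True, False, "nobody negotiates; traffic flows unsecured")

    if a.policy in IPSEC_CAPABLE and b.policy in IPSEC_CAPABLE:
        if a.ike_ok and b.ike_ok:
            return Outcome(True, True, "IKE negotiated; traffic protected by IPSec")
        # IKE got a response but negotiation failed: neither policy falls back.
        return Outcome(False, False, "IKE negotiation failed; traffic blocked")

    # The other side cannot speak IPSec, so IKE receives no response at all.
    if any(h.policy is Policy.SECURE_SERVER for h in requesters):
        return Outcome(False, False, "Require Security never falls back; traffic discarded")
    return Outcome(True, False, "Request Security fell back to unsecured traffic")


def evaluate_server_policy(server_policy: Policy, clients) -> dict:
    """Outcome for every client when the server carries `server_policy`."""
    server = Host("server", server_policy)
    return {c.name: connect(c, server) for c in clients}


def meets_requirements(server_policy: Policy, clients, must_secure, must_reach) -> bool:
    """True when every client named in must_secure gets IPSec protection and
    every client named in must_reach can still connect at all."""
    results = evaluate_server_policy(server_policy, clients)
    return (all(results[n].secured for n in must_secure)
            and all(results[n].allowed for n in must_reach))


# Constructed client population for question 67: the XP computers carry Client
# (Respond Only) from the Desktops OU GPO; the NT 4.0 computers have no IPSec.
CLIENTS = [
    Host("finance-xp", Policy.CLIENT),
    Host("research-xp", Policy.CLIENT),
    Host("sales-nt4", Policy.NONE),
]
MUST_SECURE = {"finance-xp", "research-xp"}
MUST_REACH = {"sales-nt4"}

if __name__ == "__main__":
    for policy in (Policy.CLIENT, Policy.SERVER, Policy.SECURE_SERVER):
        ok = meets_requirements(policy, CLIENTS, MUST_SECURE, MUST_REACH)
        print(f"{policy.value:34} meets written policy: {ok}")
        for name, out in evaluate_server_policy(policy, CLIENTS).items():
            print(f"    {name:12} allowed={out.allowed!s:5} secured={out.secured!s:5} {out.reason}")
```

Running it prints, for each candidate server policy, whether every XP client is protected and whether the NT 4.0 client still connects. Only Server (Request Security) satisfies both conditions, which is why question 67 pairs it with Client (Respond Only) rather than using Secure Server, why question 69 can use Secure Server only because every client there is Windows XP, and why question 70 switches the filter action to Request Security (Optional).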

Reference: Server Help

QUESTION NO: 71
You are a network administrator for Woodgrove Bank. All servers run Windows Server 2003. The company uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used. A user on a server named Server2 reports that when she attempts to map a network drive to a shared folder on a server named Server5 by name, she receives the following error message: “System error 67 has occurred. The network name cannot be found”. The user was previously able to map network drives by name to shared folders on Server5 from Server2. You run the ping command on Server2 to troubleshoot the problem. The results of your troubleshooting are shown in the exhibit.


You need to allow the user on Server2 to connect to resources on Server5 both by name and by address. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. On Server2, purge and reload the remote NetBIOS cache name table.
B. Re-register Server5 with WINS.
C. On Server2, run the ipconfig command with the /flushdns option.
D. On Server5, run the ipconfig command with the /renew option.
E. On Server5, run the ipconfig command with the /registerdns option.

Answer: B, E
Explanation: In the exhibit, the ping by fully qualified domain name shows that DNS resolved the host name to 192.168.202.8, and the nbtstat output shows the same address in the NetBIOS remote name cache, yet pinging 192.168.202.8 directly fails. Name resolution is therefore working; the address it returns is wrong. Most likely the IP address of Server5 has changed while WINS and DNS still hold the old record. Re-register Server5’s NetBIOS names with WINS (nbtstat -RR on Server5 releases and refreshes them) and run ipconfig /registerdns on Server5 to refresh its host (A) record through dynamic update. Purging the NetBIOS cache or flushing the DNS resolver cache on Server2 (A and C) would only make it look up the same stale records again.


QUESTION NO: 72
You are a network administrator for TestKing. The network consists of multiple physical segments. The network contains two Windows Server 2003 computers named TestKingSrvA and TestKingSrvB, and several Windows 2000 Server computers. TestKingSrvA is configured with a single DHCP scope for the 10.250.100.0/24 network with an IP address range of 10.250.100.10 to 10.250.100.100.

Several users on the network report that they cannot connect to file and print servers, but they can connect to each other’s client computers. All other users on the network are able to connect to all network resources. You run the ipconfig.exe /all command on one of the affected client computers and observe the information in the following table (not reproduced):

You need to configure all affected client computers so that they can communicate with all other hosts on the network. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Disable the DHCP service on TestKingSrvB.
B. Increase the IP address range for the 10.250.100.0/24 scope on TestKingSrvA.
C. Add global DHCP scope options to TestKingSrvA for default gateway, DNS servers, and WINS servers.
D. Delete all IP address reservations in the scope on TestKingSrvA.
E. Run the ipconfig.exe /renew command on all affected client computers.
F. Run the ipconfig.exe /registerdns command on all affected client computers.

Answer: A, E
Explanation: The table shows that the affected computer received its IP configuration from TestKingSrvB, and that the configuration contains no default gateway, WINS, or DNS addresses. TestKingSrvB is clearly misconfigured. The other client computers have no problems, so they most likely get their configuration from TestKingSrvA. We could either correct the DHCP service on TestKingSrvB or disable it and use TestKingSrvA alone; disabling it is the only option offered, so A is correct (for a domain-member Windows DHCP server, removing its authorization in Active Directory stops it serving leases in the same way). We then run ipconfig /renew on every affected client so that it discards the bad lease and obtains a new configuration from TestKingSrvA. The missing default gateway explains the symptom: the clients can reach computers on their own segment but nothing that lies across a router.
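The exhibit for this question is not reproduced. As an added example (not from the TestKing material), the Python script below parses the text that ipconfig /all prints on Windows XP and Windows Server 2003 and flags exactly the symptoms the explanation relies on: a lease from a DHCP server that is not on the authorized list, an address outside the expected scope, an APIPA address, and missing gateway, DNS or WINS options. The two sample outputs, the server address 10.250.100.9 standing in for TestKingSrvB and the authorized address 10.250.100.2 standing in for TestKingSrvA are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed `ipconfig /all` output from an affected client (not the exhibit).
# 10.250.100.9 stands in for TestKingSrvB; gateway, DNS and WINS are absent.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : sales-ws07
        Primary Dns Suffix  . . . . . . . : testking.com
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-0C-29-4B-12-7A
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.250.100.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.250.100.9
        Lease Obtained. . . . . . . . . . : Monday, March 01, 2004 08:12:44
        Lease Expires . . . . . . . . . . : Tuesday, March 09, 2004 08:12:44
"""

# Constructed healthy lease from the authorized server, with a two-line DNS list.
GOOD_SAMPLE = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.250.100.31
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.250.100.1
        DHCP Server . . . . . . . . . . . : 10.250.100.2
        DNS Servers . . . . . . . . . . . : 10.250.100.5
                                            10.250.100.6
        Primary WINS Server . . . . . . . : 10.250.100.5
"""

# "Label . . . . : value"; the label is stored lower-cased so XP and later spellings match.
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s?(?P<val>.*)$")
OPTIONS = ("Default Gateway", "DNS Servers", "Primary WINS Server")


def parse_ipconfig(text: str) -> dict:
    """Return {section: {field: [values]}}; continuation lines extend the last field."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                    # "Ethernet adapter X:" or global header
            current = sections.setdefault(line.strip().rstrip(":"), {})
            last_key = None
            continue
        m = FIELD.match(line)
        if m and current is not None:
            last_key = m.group("key").lower()
            current[last_key] = [m.group("val").strip()]
        elif last_key and current is not None:      # second DNS/WINS address etc.
            current[last_key].append(line.strip())
    return sections


def audit(adapter: dict, authorized_dhcp: set, expected_net: str) -> list:
    """Findings for one DHCP-configured adapter; an empty list means it looks healthy."""
    def first(field):
        return adapter.get(field, [""])[0]

    findings = []
    server = first("dhcp server")
    if server not in authorized_dhcp:
        findings.append(f"lease issued by unauthorized DHCP server {server or '(none)'}")
    if "autoconfiguration ip address" in adapter:
        findings.append("no lease obtained; APIPA (169.254.x.x) address in use")
    ip = (first("ip address") or first("ipv4 address")).split("(")[0].strip()
    if ip and ip_address(ip) not in ip_network(expected_net):
        findings.append(f"address {ip} is outside the expected scope {expected_net}")
    for option in OPTIONS:
        if not any(adapter.get(option.lower(), [])):
            findings.append(f"missing DHCP option: {option}")
    return findings


def diagnose(text: str, authorized_dhcp: set, expected_net: str) -> dict:
    """Audit every adapter in ipconfig /all output that obtained its address by DHCP."""
    return {name: audit(fields, authorized_dhcp, expected_net)
            for name, fields in parse_ipconfig(text).items()
            if fields.get("dhcp enabled", [""])[0] == "Yes"}


if __name__ == "__main__":
    # 10.250.100.2 is an assumed address for the authorized server TestKingSrvA.
    for text in (SAMPLE, GOOD_SAMPLE):
        for adapter, findings in diagnose(text, {"10.250.100.2"}, "10.250.100.0/24").items():
            print(adapter)
            for f in findings or ["no problems found"]:
                print("   ", f)
    print("remediation: fix or disable the rogue server, then ipconfig /release and ipconfig /renew on each client")
```

Collect ipconfig /all from a few affected and unaffected clients and run them through diagnose(); clients whose lease names a server outside the authorized set are the ones that need ipconfig /renew once the rogue server is stopped.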


Incorrect Answers:
B: The client computer received its IP configuration from TestKingSrvB. Therefore, the problem is likely to be with TestKingSrvB, not TestKingSrvA.
C: Some client computers have no problems; it is likely that they get their IP configuration from TestKingSrvA. Therefore, TestKingSrvA is correctly configured.
D: The client computer received its IP configuration from TestKingSrvB. Therefore, the problem is likely to be with TestKingSrvB, not TestKingSrvA.
F: The affected client computers have no DNS server configured, so this command has no effect.

QUESTION NO: 73
You are the network administrator for TestKing. The company has a main office and two branch offices. The network in the main office contains 10 servers and 100 client computers. Each branch office contains 5 servers and 50 client computers. Each branch office is connected to the main office by a direct T1 line. The network design requires that company IP addresses must be assigned from a single classful private IP address range. The network is assigned a class C private IP address range to allocate IP addresses for servers and client computers.

TestKing acquires a company named Acme. The acquisition will increase the number of servers to 20 and the number of client computers to 200 in the main office. The acquisition is expected to increase the number of servers to 20 and the number of client computers to 200 in the branch offices. The acquisition will also add 10 more branch offices. After the acquisition, all branch offices will be the same size. Each branch office will be connected to the main office by a direct T1 line. The new company will follow the TestKing network design requirements.

You need to plan the IP addressing for the new company. You need to comply with the network design requirement. What should you do?

A. Assign the main office and each branch office a new class A private IP address range.
B. Assign the main office and each branch office a new class B private IP address range.
C. Assign the main office and each branch office a subnet from a new class B private IP address range.
D. Assign the main office and each branch office a subnet from the current class C private IP address range.

Answer: C
Explanation: After the expansion the situation will be:

• Main office
  o Needs 220 IP addresses: 20 for servers and 200 for clients
• Branch offices
  o Each needs 220 IP addresses: 20 for servers and 200 for clients
  o There will be 12 branch offices (the existing 2 plus 10 new)
  o 12 x 220 = 2640
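As an added example (not from the TestKing material), the Python script below does the allocation for the office counts above: it picks the smallest subnet whose usable addresses cover each office’s host count, carves one such subnet per office out of a single class B network, and reports failure when asked to do the same from the existing class C. The block 172.16.0.0/16 and the office names are assumptions; the host counts are the ones computed above.

```python
from ipaddress import IPv4Network

# Constructed requirements from the figures above: 13 offices x 220 hosts.
OFFICES = {"main": 220}
OFFICES.update({f"branch{n:02d}": 220 for n in range(1, 13)})


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable addresses cover `hosts`.

    The network and broadcast addresses of each subnet are not usable.
    """
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in one IPv4 subnet")


def allocate(block: str, offices: dict) -> dict:
    """Carve one subnet per office out of `block`, largest requirement first.

    Free space is kept as a sorted list of CIDR chunks; each allocation takes
    the lowest chunk big enough and returns its unused remainder to the pool.
    Raises ValueError when the block cannot hold every office.
    """
    pool = [IPv4Network(block)]
    plan = {}
    for office, hosts in sorted(offices.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        for i, free in enumerate(pool):
            if free.prefixlen <= prefix:
                subnet = free if free.prefixlen == prefix else next(free.subnets(new_prefix=prefix))
                pool[i:i + 1] = list(free.address_exclude(subnet))
                pool.sort(key=lambda n: (n.network_address, n.prefixlen))
                plan[office] = subnet
                break
        else:
            raise ValueError(f"{block} is exhausted before {office} can be addressed")
    return plan


def fits(block: str, offices: dict) -> bool:
    """True if `block` can hold one subnet per office."""
    try:
        allocate(block, offices)
    except ValueError:
        return False
    return True


def usable(plan: dict) -> int:
    """Total usable host addresses across the plan."""
    return sum(n.num_addresses - 2 for n in plan.values())


if __name__ == "__main__":
    plan = allocate("172.16.0.0/16", OFFICES)   # assumed class B private network (option C)
    for office, subnet in plan.items():
        print(f"{office:9} {subnet}  ({subnet.num_addresses - 2} usable)")
    print("usable addresses in plan:", usable(plan), "required:", sum(OFFICES.values()))
    print("the existing class C (option D) fits:", fits("192.168.1.0/24", OFFICES))
```

Because every office needs 220 hosts, each gets a /24 and the plan uses 13 of the 256 /24 subnets in the class B network; the same function shows that a single class C cannot address even two offices, which is why option D fails.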

Total for all offices is 2640 + 220 = 2860. The network design requires that company IP addresses be assigned from a single classful private IP address range. A private class B network can be subnetted into enough subnets to accommodate every office. There are various ways of doing this, but one way is to subnet the class B network with a 24-bit subnet mask: each subnet then holds up to 254 hosts, and there are 256 such subnets (254 if the all-zeros and all-ones subnets are avoided), which leaves plenty of room for growth.
Incorrect Answers:
A: The network design requires that company IP addresses be assigned from a single classful private IP address range, not one range per office.
B: The network design requires that company IP addresses be assigned from a single classful private IP address range, not one range per office.
D: The class C network has at most 254 usable addresses, which is not enough to accommodate all the computers in all the offices.

QUESTION NO: 74
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains an application server running Windows Server 2003. Users report intermittent slow performance when they access the application server throughout the day. You find out that the network interface on the application server is being heavily used during the periods of slow performance. You suspect that a single computer is causing the problem. You need to create a plan to identify the problem computer. What should you do?

A. Monitor the performance monitor counters on the application server by using System Monitor.
B. Monitor the network traffic on the application server by using Network Monitor.
C. Monitor network statistics on the application server by using Task Manager.
D. Run network diagnostics on the application server by using Network Diagnostics.

Answer: B

Network Monitor Capture Utility


Network Monitor Capture Utility (Netcap.exe) is a command-line Support Tool that allows a system administrator to monitor network packets and save the information to a capture (.cap) file. On first use, Network Monitor Capture Utility installs the Network Monitor Driver. You can use information gathered by using Network Monitor Capture Utility to analyze network use patterns and diagnose specific network problems. This command-line tool allows a system administrator to monitor packets on a LAN and write the information to a log file. NetCap uses the Network Monitor Driver to sniff packets on local network segments.

Notes
• You must run NetCap from the command window.
• If the Network Monitor Driver is not installed, NetCap installs it the first time the tool is run. To remove the driver, use netcap /remove.

Corresponding UI
This tool provides a command-line interface to some of the capture functionality of Netmon.

Concepts
NetCap captures frames directly from the network traffic data stream so they can be examined. You can use it to create capture files for support personnel. Frames are packages of information transmitted as a single unit over a network. Every frame follows the same basic organization and contains the following:

• Control information such as synchronizing characters
• Source and destination addresses
• Protocol information
• An error-checking value
• A variable amount of data

System Requirements
NetCap requires one of the following operating systems:

• Windows Server 2003
• Windows XP Professional
• Windows 2000

File Required
• Netcap.exe

References:
Resource Kit Windows XP:
• Appendix D - Tools for Troubleshooting
Server Help:
• Performance Monitoring and Scalability Tools

Network Monitor


Network Monitor captures network traffic information and gives detailed information about the frames being sent and received. This tool can help you analyze complex patterns of network traffic. Network Monitor can help you view the header information included in HTTP and FTP requests. Generally, you need to design a capture filter, which functions like a database query and singles out a subset of the frames being transmitted. You can also use a capture trigger that responds to events on your network by initiating an action, such as starting an executable file. An abbreviated version of Network Monitor is included with members of the Windows Server 2003 family. A complete version of Network Monitor is included with Microsoft Systems Management Server.

QUESTION NO: 75
You are a network administrator for TestKing. The internal network has an Active Directory-integrated zone for the testking.org domain. Computers on the internal network use the Active Directory-integrated DNS service for all host name resolution. The TestKing Web site and DNS server are hosted at a local ISP. The public Web site for TestKing is accessed at www.testking.com. The DNS server at the ISP hosts the testking.com domain.

To improve support for the Web site, TestKing wants to move the Web site and DNS service from the ISP to the company’s perimeter network. The DNS server on the perimeter network must contain only the host (A) resource records for computers on the perimeter network. You install a Windows Server 2003 computer on the perimeter network to host the DNS service for the testking.com domain.

You need to ensure that the computers on the internal network can properly resolve host names for all internal resources, all perimeter resources, and all Internet resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. On the DNS server that is on the perimeter network, install a primary zone for testking.com.
B. On the DNS server that is on the perimeter network, install a stub zone for testking.com.
C. Configure the DNS server that is on the internal network to conditionally forward lookup requests to the DNS server that is on the perimeter network.
D. Configure the computers on the internal network to use one of the internal DNS servers as the preferred DNS server. Configure the TCP/IP settings on the computers on the internal network to use the DNS server on the perimeter network as an alternate DNS server.
E. On the DNS server that is on the perimeter network, configure a root zone.

Answer: A, C

Explanation:


By configuring a primary zone for testking.com on a DNS server in the perimeter network, we have a DNS server that can resolve requests for the www.testking.com website. To enable users on the LAN to quickly resolve testking.com resources, we can configure conditional forwarding on the internal testking.org server so that requests for testking.com resources get forwarded straight to the perimeter network DNS server.

Incorrect Answers:
B: A stub zone is no good to us here. The perimeter DNS server must be authoritative for the testking.com domain. Therefore, we need a primary zone on the perimeter DNS server.
D: As long as the internal DNS servers are working, the external DNS server will never be used. Internal clients will not be able to resolve www.testking.com.
E: There is no need to configure a root zone on the perimeter network DNS server.

QUESTION NO: 76
You are a network administrator for Test King. The network consists of a single Active Directory domain named testking.com. All domain controllers and member servers run Windows Server 2003, Enterprise Edition. All client computers run Windows XP Professional. Test King has one main office and one branch office. The two offices are connected by a T1 WAN connection. There is a hardware router at each end of the connection. The main office contains 10,000 client computers, and the branch office contains 5,000 client computers. You need to use DHCP to provide IP addresses to the Windows XP Professional computers in both offices. You need to minimize network configuration traffic on the WAN connection. Your solution needs to prevent any component involved in the DHCP architecture from becoming a single point of failure. What should you do?

A. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. Configure the branch office router as a DHCP relay agent.

B. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. At the branch office, configure a Windows Server 2003 computer as a DHCP relay agent.

C. At the main office, configure two Windows Server 2003 computers as a DHCP server cluster. At the branch office, configure two Windows Server 2003 computers as a DHCP server cluster.

D. At the main office, configure two Windows Server 2003 computers as DHCP servers. Configure one DHCP server to handle 80 percent of the IP address scope and the other DHCP server to handle 20 percent. Configure the branch office router as a DHCP relay agent.

Answer: C


Explanation:
The best fault tolerant solution here would be to implement a DHCP server cluster in each office.

Cluster support for DHCP servers
The Windows Server 2003 DHCP Server service is a cluster-aware application (an application that can run on a cluster node and that can be managed as a cluster resource; cluster-aware applications use the Cluster API to receive status and notification information from the server cluster). You can implement additional DHCP (or MADCAP) server reliability by deploying a DHCP server cluster using the Cluster service provided with Windows Server 2003, Enterprise Edition (the Cluster service is the essential software component that controls all aspects of server cluster operation and manages the cluster database; each node in a server cluster runs one instance of the Cluster service). By using clustering support for DHCP, you can implement a local method of DHCP server failover, achieving greater fault tolerance. You can also enhance fault tolerance by combining DHCP server clustering with a remote failover configuration, such as by using a split scope configuration.

Other options for DHCP failover
Another way to implement DHCP remote failover is to deploy two DHCP servers in the same network that share a split scope configuration based on the 80/20 rule.

Incorrect Answers:
A: The branch office router would be a single point of failure in this solution.
B: The server hosting the DHCP relay agent would be a single point of failure in this solution.
D: The branch office router would be a single point of failure in this solution.

QUESTION NO: 77
You are a network administrator for TestKing. The network consists of two Active Directory forests. No trust relationships exist between the two forests. All computers in both forests are configured to use a common root certification authority (CA). Each forest contains a single domain.
The domain named hr.testking.com contains five Windows Server 2003 computers that are used exclusively to host confidential human resources applications and data. The domain named testking.com contains all other servers and client computers. A firewall separates the human resources servers from the other computers on the network. Only VPN traffic from testking.com to a remote access server in hr.testking.com is allowed through the firewall. Managers need to access data on the servers in hr.testking.com from their Windows XP Professional computers. The company's written security policy requires that all communication containing human resources data must be secured by using the strongest IPSec encryption available.


You need to configure an IPSec policy for the servers that host the human resources data that complies with the written security policy and gives the managers in testking.com access to the data they need. What should you do? To answer, drag the appropriate configuration settings to the IPSec Policy Configuration.

Answer:


Explanation:
We cannot use Kerberos because there is no trust between the forests, so we must use certificate-based authentication; the policy must affect all traffic, and the server must require security.

The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.

Understanding Default IPSec Policies
Windows Server 2003 includes three default IPSec policies that are provided as examples only. Do not use any part of the examples as templates to edit or change when creating your own IPSec policies. Instead, design new custom IPSec policies for operational use. The example policies will be overwritten during operating system upgrades and when IPSec policies are imported (when the import files contain other definitions of the same example policies). The three default IPSec policies are as follows:


• Client (Respond Only). This default policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.

• Server (Request Security). This default policy contains two rules: the default response rule and a second rule that allows initial incoming communication to be unsecured. The second rule then negotiates security for all outbound unicast IP traffic (security is not negotiated for multicast or broadcast traffic). The filter action for the second rule allows IKE to fall back to unsecured communication when required. This policy can be combined with the Client (Respond Only) policy when you want traffic secured by IPSec when possible, yet allow unsecured communication with computers that are not IPSec-enabled. If IKE receives a response from an IPSec-enabled client, but the IKE security negotiation fails, the communication is blocked. In this case, IKE cannot fall back to unsecured communication.

• Secure Server (Require Security). This default policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.

Reference: Server Help

QUESTION NO: 78
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains a Windows Server 2003 computer named TestKing26 that is running Routing and Remote Access. The domain contains a universal group named Managers and a global group named Operations. User accounts in the Managers group require remote access between the hours of 8:00 A.M. and 8:00 P.M. User accounts in the Operations group require remote access 24 hours per day. You configure a remote access policy on TestKing26 named RA_Managers with the appropriate settings for the Managers group, and you configure a second remote access policy named RA_Operations on TestKing26 with the appropriate settings for the Operations group. The default remote access policies on TestKing26 remain unmodified. Members of the Managers group report that they can establish a remote access connection to TestKing26, but members of the Operations group report that they cannot establish a remote access connection to TestKing26.


You open the Routing and Remote Access administrative tool and note that the remote access policies are in the order presented in the following table.

Order  Remote access policy name
1      RA_Managers
2      Connections to Microsoft Routing and Remote Access server
3      RA_Operations
4      Connections to other access servers

You need to enable the appropriate remote access for the members of the Managers and Operations groups while restricting remote access to all other users. What should you do?

A. Delete the Connections to other access servers policy.
B. Re-create the Operations global group as a universal group.
C. Move the Connections to Microsoft Routing and Remote Access server policy up so that it is the first policy in the order.
D. Move the RA_Operations policy up so that it is the second policy in the order.

Answer: D

Explanation:
The remote access policies are processed in order. If a user meets a condition in a policy, the user is allowed or denied access according to that policy. No other policies are checked. The Connections to Microsoft Routing and Remote Access server policy is being processed before the RA_Operations policy. The users meet the condition in the Connections to Microsoft Routing and Remote Access server policy and are being denied access. The RA_Operations policy isn't being checked. Therefore, we need to move the RA_Operations policy above the Connections to Microsoft Routing and Remote Access server policy.

Incorrect Answers:
A: This policy isn't preventing the remote access. The Connections to Microsoft Routing and Remote Access server policy is preventing the access.
B: The global group is fine. Changing it won't help.
C: The Connections to Microsoft Routing and Remote Access server policy is preventing the access. The RA_Operations policy isn't being checked. Therefore, we need to move the RA_Operations policy above the Connections to Microsoft Routing and Remote Access server policy.

QUESTION NO: 79
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains two IP subnets connected by a Windows Server 2003 computer running Routing and Remote Access. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each subnet contains a domain controller. Each subnet contains a DHCP server, which provides TCP/IP configuration information to the computers on only its subnet. The relevant portion of the network is shown in the exhibit.

You recently implemented a Microsoft Internet Security and Acceleration (ISA) Server 2000 array on the network to provide Internet connectivity. The ISA Server array uses Network Load Balancing on the internal adapters. The array’s Network Load Balancing cluster address is 172.30.32.1. You configure the DHCP server on Subnet1 to provide the array’s Network Load Balancing cluster address as the default gateway. You configure the DHCP server on Subnet2 to provide the IP address 172.30.64.1 as the default gateway for Subnet2. Users on Subnet2 report that they cannot connect to Internet-based resources. They can successfully connect to resources located on Subnet1. Users on Subnet1 can successfully connect to Internet-based resources. You investigate and discover that no Internet requests from computers on Subnet2 are being received by the ISA Server array. You need to provide Internet connectivity to users on Subnet2. What should you do?

A. Configure the DHCP server on Subnet2 to provide the address 172.30.32.1 as the default gateway.


B. Configure the DHCP server on Subnet2 to provide the address 172.30.32.2 as the default gateway.
C. On the Routing and Remote Access server, add a default route to 172.30.32.1.
D. On the Routing and Remote Access server, add a default route to 131.107.72.17.

Answer: C

Explanation:
The Routing and Remote Access server knows how to route traffic between Subnet1 and Subnet2. However, it doesn't know how to route traffic to the Internet. We can fix this by adding a default route on the Routing and Remote Access server. The default route will tell the Routing and Remote Access server that any traffic that isn't destined for Subnet1 or Subnet2 (i.e. any external destination) should be forwarded to the internal interface of the ISA Server array (172.30.32.1).

Incorrect Answers:
A: 172.30.32.1 isn't on the same subnet as Subnet2. Therefore, the clients on Subnet2 cannot use this address as their default gateway.
B: 172.30.32.2 isn't on the same subnet as Subnet2. Therefore, the clients on Subnet2 cannot use this address as their default gateway. Furthermore, this address isn't the internal address of the ISA Server array.
D: The default route needs to forward traffic to the internal interface of the ISA Server array.

QUESTION NO: 80
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The Active Directory domain contains three organizational units (OUs): Payroll Users, Payroll Servers, and Finance Servers. The Windows XP Professional computers used by the users in the payroll department are in the Payroll Users OU. The Windows Server 2003 computers used by the payroll department are in the Payroll Servers OU. The Windows Server 2003 computers used by the finance department are in the Finance Servers OU. You are planning the baseline security configuration for the payroll department. The company's written security policy requires that all network communications with servers in the Payroll Servers OU must be secured by using IPSec. The written security policy states that IPSec must not be used on any other servers in the company.
You need to ensure that the baseline security configuration for the payroll department complies with the written security policy. You also need to ensure that members of the Payroll Users OU can access resources in the Payroll Servers OU and in the Finance Servers OU. What should you do?


A. Create a Group Policy object (GPO) and assign the Secure Server (Require Security) IPSec policy setting. Link the GPO to only the Payroll Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

B. Create a Group Policy object (GPO) and assign the Secure Server (Require Security) IPSec policy setting. Link the GPO to the Payroll Servers OU and to the Finance Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

C. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy setting. Link the GPO to only the Payroll Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

D. Create a Group Policy object (GPO) and assign the Server (Request Security) IPSec policy setting. Link the GPO to the Payroll Servers OU and to the Finance Servers OU. Create a second GPO and assign the Client (Respond Only) IPSec policy setting. Link the second GPO to the Payroll Users OU.

Answer: A

Explanation:
Assigning the Secure Server (Require Security) IPSec policy to the payroll servers will ensure that they will only communicate using IPSec. Assigning the Client (Respond Only) IPSec policy to the payroll clients will ensure that they are able to use IPSec when asked to do so by the payroll servers. All other network communications will not use IPSec. The three default IPSec policies are as follows:

• Client (Respond Only). This default policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.

• Server (Request Security). This default policy contains two rules: the default response rule and a second rule that allows initial incoming communication to be unsecured. The second rule then negotiates security for all outbound unicast IP traffic (security is not negotiated for multicast or broadcast traffic). The filter action for the second rule allows IKE to fall back to unsecured communication when required. This policy can be combined with the Client (Respond Only) policy when you want traffic secured by IPSec when possible, yet allow unsecured communication with computers that are not IPSec-enabled. If IKE receives a response from an IPSec-enabled client, but the IKE security negotiation fails, the communication is blocked. In this case, IKE cannot fall back to unsecured communication.

• Secure Server (Require Security). This default policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.
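The way the three default policies interact, which decides both the answer to Question 77 (the HR servers must require security) and the answer to Question 80 (payroll servers require, payroll clients respond, finance servers stay unmanaged), is easier to see when written out as a decision procedure. The Python model below is an added example, not Windows code and not part of the original TestKing material. It encodes only the behaviour described in the three policy descriptions above: every assigned policy answers IKE through the default response rule, Server (Request Security) falls back to clear text when the peer never answers, and neither server policy can fall back once a peer has answered and the negotiation fails. The names Policy, connection_outcome, outcome_matrix and payroll_baseline are this example's own, and the model deliberately ignores filter lists, authentication methods and multicast or broadcast traffic.

```python
from enum import Enum


class Policy(Enum):
    """The three default IPSec policies, plus 'no policy assigned'."""
    NONE = "no IPSec policy (not IPSec-enabled)"
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"


# Possible outcomes for a connection between two computers.
IPSEC = "secured with IPSec"
CLEAR = "unsecured (clear text)"
BLOCKED = "blocked"


def requests_security(policy):
    """Only the two server policies negotiate security for their own outbound traffic."""
    return policy in (Policy.SERVER, Policy.SECURE_SERVER)


def can_respond(policy):
    """Any assigned policy contains the default response rule, so it answers IKE."""
    return policy is not Policy.NONE


def negotiate(requester, peer, ike_succeeds):
    """Outcome once `requester` asks `peer` to secure the traffic between them."""
    if not can_respond(peer):
        # The peer never answers IKE. Server (Request Security) may fall back to
        # clear text; Secure Server (Require Security) discards the traffic.
        return CLEAR if requester is Policy.SERVER else BLOCKED
    # The peer answered IKE. A failed negotiation can never fall back to clear
    # text, whichever of the two server policies asked for security.
    return IPSEC if ike_succeeds else BLOCKED


def connection_outcome(initiator, responder, ike_succeeds=True):
    """Result of `initiator` opening a connection to `responder`.

    Both server policies allow the initial inbound request to be unsecured, so
    what matters is which side, if any, requests security for its outbound
    traffic: the initiator first, otherwise the responder when it replies.
    """
    if requests_security(initiator):
        return negotiate(initiator, responder, ike_succeeds)
    if requests_security(responder):
        return negotiate(responder, initiator, ike_succeeds)
    # Neither side asks for security: Client (Respond Only) and unmanaged
    # computers simply talk in clear text.
    return CLEAR


def outcome_matrix(ike_succeeds=True):
    """Every initiator/responder combination, keyed by (initiator, responder)."""
    return {(a, b): connection_outcome(a, b, ike_succeeds) for a in Policy for b in Policy}


def payroll_baseline(finance_servers_policy):
    """Apply the Question 80 design with a chosen policy for the Finance Servers OU.

    Payroll servers always get Secure Server (Require Security) and payroll
    clients Client (Respond Only). Returns the outcome for each traffic flow
    the written security policy cares about. The 'other client' is a
    constructed non-payroll computer that has no IPSec policy assigned.
    """
    payroll_client = Policy.CLIENT
    payroll_server = Policy.SECURE_SERVER
    other_client = Policy.NONE
    return {
        "payroll client -> payroll server": connection_outcome(payroll_client, payroll_server),
        "payroll client -> finance server": connection_outcome(payroll_client, finance_servers_policy),
        "other client -> finance server": connection_outcome(other_client, finance_servers_policy),
        "other client -> payroll server": connection_outcome(other_client, payroll_server),
    }


if __name__ == "__main__":
    for (a, b), result in outcome_matrix().items():
        print(f"{a.value:40} -> {b.value:40}: {result}")
    print()
    for label, result in payroll_baseline(Policy.NONE).items():
        print(f"Answer A (finance unmanaged), {label}: {result}")
    for label, result in payroll_baseline(Policy.SECURE_SERVER).items():
        print(f"Answer B (finance requires security), {label}: {result}")
```

Running the script prints the full 4 x 4 matrix followed by the two candidate designs. With Answer A the payroll client reaches the payroll server over IPSec and the finance server in clear text, as the written policy demands; with Answer B the finance server also negotiates IPSec with the payroll client and blocks every computer that has no policy, which is exactly what the policy forbids.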

Reference: Server Help

QUESTION NO: 81
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. TestKing's main office is in Boston, and it has branch offices in Washington and Los Alamos. The company has no immediate plans to expand or relocate the offices. The company wants to connect the office networks by using a frame relay WAN connection and Routing and Remote Access servers that are configured with frame relay WAN adapters. Computers in each office will be configured to use their local Routing and Remote Access server as a default gateway. You are planning the routing configuration for the Routing and Remote Access servers. You need to allow computers in Boston, Washington, and Los Alamos to connect to computers in any office. You want to minimize routing traffic on the WAN connection. What should you do?

A. At each office, add the OSPF routing protocol to Routing and Remote Access, add the WAN adapter to the OSPF routing protocol, and deploy OSPF as a single-area internetwork.

B. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and configure the WAN adapter to use RIP version 2. Configure the outgoing packet protocol as RIP version 2 broadcast and the incoming packet protocol as RIP version 1 and 2.

C. At each office, add the RIP version 2 routing protocol to Routing and Remote Access, and configure the WAN adapter to use RIP version 2. Configure the outgoing packet protocol as RIP version 2 multicast and the incoming packet protocol as RIP version 2 only.

D. At each office, configure the Routing and Remote Access server with static routes to the local networks at the other two offices.

Answer: D

Explanation:
We need to configure the routers to route traffic between the offices. As we only have three offices, we can use simple static routes. Once we have configured the routing tables with static routes, the offices will be able to communicate with each other. This solution is preferable to using a routing protocol such as RIP because there will be no routing information going over the WAN links.

Incorrect Answers:
A: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary. Static routes will suffice.
B: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary. Static routes will suffice.
C: We have a simple network configuration with just three offices. Using a routing protocol is unnecessary. Static routes will suffice.

QUESTION NO: 82
You are a network administrator for TestKing. The network consists of a single Active Directory forest. All domain controllers run Windows Server 2003. The bank decides to provide access to its mortgage application services from a real estate agency that has offices throughout the country. You install a TestKing domain controller in each real estate agency office. You need to further protect the domain controllers' user account databases from unauthorized access. You want to achieve this goal by using the minimum amount of administrative effort. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Use the system key utility (syskey) with the most secure security level on the domain controllers.
B. Create a Group Policy object (GPO), import the Securedc.inf security template, and apply the GPO to the domain controllers.
C. Create a Group Policy object (GPO), configure the Network security: LAN Manager authentication level security option to the Send NTLMv2 response only\refuse LM setting, and apply the GPO to the domain controllers.
D. Create a Group Policy object (GPO), import the DC security.inf security template, and apply the GPO to the domain controllers.

Answer: A, B

Explanation:
Using Syskey
On domain controllers, password information is stored in directory services. It is not unusual for password-cracking software to target the Security Accounts Manager (SAM) database or directory services to access passwords for user accounts.


The System Key utility (Syskey) provides an extra line of defense against offline password-cracking software. Syskey uses strong encryption techniques to secure account password information that is stored in directory services.

Table 4.19 Syskey Modes

System Key Option: Mode 1: System Generated Password, Store Startup Key Locally
Security Level: Secure
Description: Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. This option provides strong encryption of password information in the registry, and enables the user to restart the computer without the need for an administrator to enter a password or insert a disk.

System Key Option: Mode 2: Administrator Generated Password, Password Startup
Security Level: More secure
Description: Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. The key is also protected by an administrator-chosen password. Users are prompted for the system key password when the computer is in the initial startup sequence. The system key password is not stored anywhere on the computer.

System Key Option: Mode 3: System Generated Password, Store Startup Key on Floppy Disk
Security Level: Most secure
Description: Uses a computer-generated random key and stores the key on a floppy disk. The floppy disk that contains the system key is required for the system to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer.

Syskey is enabled on all Windows Server 2003 servers in Mode 1 (obfuscated key). There are many reasons to recommend using Syskey in Mode 2 (console password) or Mode 3 (floppy storage of Syskey password) for any domain controller that is exposed to physical security threats. From a security standpoint, this appears sensible at first, as the domain controller would be vulnerable to being restarted by an attacker with physical access to it. Syskey in Mode 1 allows an attacker to read and alter the contents of the directory. However, the operational requirements for ensuring that domain controllers can be made available through restarts tend to make Syskey Mode 2 or Mode 3 difficult to support. To take advantage of the added protection provided by these Syskey modes, the proper operational processes must be implemented in your environment to meet specific availability requirements for the domain controllers. The logistics of Syskey password or floppy disk management can be quite complex, especially in branch offices. For example, requiring one of your branch managers or local administrative staff to come to the office at 3 A.M. to enter the passwords, or insert a floppy to enable other users to access the system is expensive and makes it very challenging to achieve high availability service level agreements (SLAs). Alternatively, allowing your centralized IT operations personnel to provide the Syskey password remotely requires additional hardware; some hardware vendors have add-on solutions available to remotely access server consoles.


Finally, the loss of the Syskey password or floppy disk leaves your domain controller in a state where it cannot be restarted. There is no method for you to recover a domain controller if the Syskey password or floppy disk is lost. If this happens, the domain controller must be rebuilt. Nevertheless, with the proper operational procedures in place, Syskey can provide an increased level of security that can greatly protect the sensitive directory information found on domain controllers. For these reasons, Syskey Mode 2 or Mode 3 is recommended for domain controllers in locations without strong physical storage security. This recommendation also applies to domain controllers in any of the three environments described in this guide.

To create or update a system key:
1. Click Start, click Run, type syskey, and then click OK.
2. Click Encryption Enabled, and then click Update.
3. Click the desired option, and then click OK.

Secure (Secure*.inf) Template
The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses.

QUESTION NO: 83
You are a network administrator for TestKing. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers, 300 Windows 2000 Professional computers, and 150 Windows XP Professional computers. According to the network design specification, the Kerberos version 5 authentication protocol must be used for all client computers on the internal network. You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network. What should you do?

A. On each domain controller, disable Server Message Block (SMB) signing and encryption of the secure channel traffic.

B. Replace all Windows 98 computers with new Windows XP Professional computers.
C. Install the Active Directory Client Extension software on the Windows 98 computers.
D. Upgrade all Windows 98 computers to Windows NT Workstation 4.0.

Answer: B

Explanation:


By default, in a Windows Server 2003 domain, Windows 2000 and Windows XP clients use Kerberos as their authentication protocol. Windows 98 doesn't support Kerberos authentication; therefore, we need to upgrade the Windows 98 computers.

Incorrect Answers:
A: This won't enable the Windows 98 clients to use Kerberos authentication.
C: The Active Directory Client Extension software doesn't enable Windows 98 clients to use Kerberos authentication.
D: Windows NT 4.0 doesn't support Kerberos authentication.

QUESTION NO: 84
You are the network administrator for TestKing. The company has a main office and 20 branch offices. You recently completed the design of the company network. The network design consists of a single Active Directory domain named testking.com. All domain controllers will run Windows Server 2003. The main office will contain four domain controllers, and each branch office will contain one domain controller. The branch office domain controllers will be administered from the main office. You need to ensure that the domain controllers are kept up-to-date with software updates for Windows Server 2003 after their initial deployment. You want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention. You also want to configure the settings by using the minimum amount of administrative effort. What should you do?

A. In System Properties, on the Automatic Update tab, enable Keep my computer up to date, and then select Download the updates automatically and notify me when they are ready to be installed.

B. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 3 – Auto download and notify for install.

C. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 4 – Auto download and schedule the install.

D. In System Properties, on the Automatic Updates tab, enable Keep my computer up to date, and then select Automatically download the updates, and install them on the schedule that I specify.

Answer: C

Explanation:
The question states that you want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention. The way to do this is to configure Automatic Updates with the option to Auto download and schedule the install. The easiest way to configure the domain controllers with this setting is to configure a Group Policy object for the domain controllers. The problem with this solution is that the domain controllers may automatically restart after the updates are installed. Scheduling the updates to install outside business hours will minimize any disruption.

Incorrect Answers:
A: It is easier to configure the domain controllers using group policy.
B: This solution will download the updates, but it won’t install them until an administrator manually clicks the install button in the notification dialog box. Answer C automates the procedure further by scheduling the installation to occur at a set time without any further administrative intervention.
D: It is easier to configure the domain controllers using group policy.

QUESTION NO: 85
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The company plans to deploy 120 Windows Server 2003 member servers as file servers in the domain. The new file servers will be located in a single organizational unit (OU) named File Servers. The security department provides you with a security template that must be applied to the new file servers. You need to apply and maintain the security settings contained in the security template to the new file servers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. On a reference computer, use the Local Security Settings console to import the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer.

B. On a reference computer, run the secedit command to apply the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer.

C. Create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU.

D. On the PDC emulator master in the domain, run the secedit command to apply the security template.

Answer: C

Explanation:
We have a security template with the required security settings. We can simply import the template into a Group Policy object and apply the settings to the File Servers OU.

Incorrect Answers:
A: This would work, but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template on the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings are ‘maintained’.
B: This would work, but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template on the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings are ‘maintained’.
D: This would have no effect on the file servers.

QUESTION NO: 86
You are a network administrator for TestKing. You install Windows Server 2003 on two servers named TestKing1 and TestKing2. You configure TestKing1 and TestKing2 as a two-node cluster. You configure a custom application on the cluster by using the Generic Application resource, and you put all resources in the Application group. You test the cluster and verify that it fails over properly and that you can move the Application group from one node to the other and back again. The application and the cluster run successfully for several weeks. Users then report that they cannot access the application. You investigate and discover that TestKing1 and TestKing2 are running but the Application group is in a failed state. You restart the Cluster service and attempt to bring the Application group online on TestKing1. The Application group fails. You discover that TestKing1 fails, restarts automatically, and fails again soon after restarting. TestKing1 continues to fail and restart until the Application group reports that it is in a failed state and stops attempting to bring itself back online.
You need to configure the Application group to remain on TestKing2 while you research the problem on TestKing1. What should you do?

A. On TestKing2, configure the failover threshold to 0.

B. On TestKing2, configure the failover period to 0.

C. Remove TestKing1 from the Possible owners list.

D. Remove TestKing1 from the Preferred owners list.

Answer: C

Explanation:
We don’t want the Application group to move to TestKing1 – we want the Application group to remain on TestKing2. We can do this by removing TestKing1 from the Possible owners list.

QUESTION NO: 87
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains named testking.com, texas.testking.com, and dakota.testking.com. The functional level of the forest is Windows Server 2003. Both texas.testking.com and dakota.testking.com contain employee user accounts, client computer accounts, and resource server computer accounts. The domain named testking.com contains only administrative user accounts and computer accounts for two domain controllers. Each resource server computer provides a single service of file server, print server, Web server, or database server. TestKing plans to use Group Policy objects (GPOs) to centrally apply security settings to resource server computers. Some security settings need to apply to all resource servers and must not be overridden. Other security settings need to apply to specific server roles only. You need to create an organizational unit (OU) structure to support the GPO requirements. You want to create as few GPOs and links as possible. What should you do?

A. Create a top-level OU for each server role under the testking.com domain. Create a top-level OU named Servers under the texas.testking.com domain. Create a top-level OU named Servers under the dakota.testking.com domain.

B. Create a top-level OU named Servers under the texas.testking.com domain. Create a child OU for each server role under the Servers OU. Create a top-level OU named Servers under the dakota.testking.com domain. Create a child OU for each server role under the Servers OU.

C. Create a top-level OU named Servers under the testking.com domain. Create a child OU for each server role under the Servers OU.

D. Create a top-level OU for each server role under the texas.testking.com domain. Create a top-level OU for each server role under the dakota.testking.com domain.

Answer: B

Explanation:
With a top-level OU named Servers, we can apply group policies to all the resource servers. With child OUs for each server role, we can apply group policies to individual server roles. Two domains have resource servers, dakota.testking.com and texas.testking.com. We need to create the OU structure in each of these two domains.

Incorrect Answers:
A: We need an OU for each server role in dakota.testking.com and texas.testking.com, because the resource servers are in those domains.
C: We need a top-level OU for all the resource servers in dakota.testking.com and texas.testking.com, so we can apply group policies to all the servers.
D: We need a top-level OU for all the resource servers in dakota.testking.com and texas.testking.com, so we can apply group policies to all the servers.

QUESTION NO: 88
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. TestKing has one office in Hong Kong and another office in Beijing. Each office is configured as an Active Directory site. Each site contains two domain controllers. The network is configured to display a legal notice on the computer screens of all users before they log on to their client computers. At the request of the legal department, you make changes to the wording of the notice by changing the settings in a Group Policy object (GPO). The GPO is linked to the domain. The legal department reports that not all users are receiving the new notice. You discover that users in the Beijing office receive the new notice, but users in the Hong Kong office receive the old notice. The problem continues for several days. You need to ensure that the new notice appears correctly on all computers in the network. What should you do?

A. Create a new security group that contains the computer accounts for all computers in the Hong Kong site. Grant permissions to this security group to read and apply the GPO.

B. Temporarily assign one of the domain controllers in the Hong Kong site to the Beijing site. Wait 24 hours, and then reassign the domain controller to the Hong Kong site.

C. Force replication of Active Directory between the two sites.

D. Log on to one of the domain controllers in the Hong Kong site, and seize the infrastructure master role.

Answer: C

Explanation:
It looks like the GPO settings haven’t been replicated to the Hong Kong office – they are still receiving the old notice. We can manually force replication between the two sites to ensure that the Hong Kong office receives the new GPO settings.

Incorrect Answers:
A: The Hong Kong users still receive the old legal notice. Therefore, this is not a permissions problem on the Group Policy object.
B: This is unnecessary and impractical.
D: This has nothing to do with the replication of the GPO.

QUESTION NO: 89
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Sales. You create three Group Policy objects (GPOs) that have four configuration settings, as shown in the following table.

Location   GPO name               GPO configuration                                                    Setting
Domain     ScreenSaver            Hide Screen Saver tab                                                Disabled
Sales OU   Display and Wallpaper  Hide Screen Saver tab                                                Enabled
Sales OU   Display and Wallpaper  Set Active Desktop Wallpaper to c:\WINNT\web\wallpaper\bliss.jpg    Enabled
Sales OU   Wallpaper              Set Active Desktop Wallpaper to c:\WINNT\web\wallpaper\autumn.jpg   Enabled

The ScreenSaver GPO has the No Override setting enabled. The Sales OU has the Block Policy inheritance setting enabled. The priority for GPOs linked to the Sales OU specifies first priority for the Display and Wallpaper GPO and second priority for the Wallpaper GPO. For user accounts in the Sales OU, you want the Screen Saver tab to be hidden and the desktop wallpaper to be Autumn.jpg. You log on to a test computer by using a user account from the Sales OU, but you do not receive the settings you wanted. You need to configure the settings to hide the Screen Saver tab and set the desktop wallpaper to Autumn.jpg for the user accounts in the Sales OU. You want to avoid affecting user accounts in other OUs. What should you do?

A. Enable the No Override setting for the Display and Wallpaper GPO.

B. Disable the No Override setting on the ScreenSaver GPO. Reorder the Wallpaper GPO to be first in the list.

C. Create a GPO and link it to the Default-First-Site-Name. Configure the GPO to set the Active Desktop Wallpaper to c:\WINNT\web\wallpaper\autumn.jpg.

D. Disable the Block Policy inheritance setting on the Sales OU. Change the Display and Wallpaper GPO to set the Active Desktop Wallpaper to c:\WINNT\web\wallpaper\autumn.jpg.

Answer: B

Explanation:
The No Override setting on the ScreenSaver GPO is causing all computers in the domain to display the Screen Saver tab. We want to hide the Screen Saver tab for the Sales OU, so we’ll have to remove the No Override setting from the ScreenSaver GPO. This will enable the ScreenSaver GPO settings to be overwritten by other GPOs. By configuring the Wallpaper GPO to be first in the list, we are giving it a higher priority than the Display and Wallpaper GPO. This means that the Wallpaper GPO settings will overwrite the Display and Wallpaper GPO settings, thus setting the wallpaper to Autumn.jpg.

Group Policy Order of application

1. The unique local Group Policy object.
2. Site Group Policy objects, in administratively specified order.
3. Domain Group Policy objects, in administratively specified order.
4. Organizational unit Group Policy objects, from largest to smallest organizational unit (parent to child organizational unit) and in administratively specified order at the level of each organizational unit.

Enforcing policy from above
You can set policies that would otherwise be overwritten by policies in child organizational units to No Override at the Group Policy object level.

• Policies set to No Override cannot be blocked.
• The No Override and Block options should be used sparingly. Casual use of these advanced features complicates troubleshooting.
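The precedence rules just listed (local, site, domain, OU order; link order within a container; No Override; Block Policy inheritance) are exactly what went wrong in question 89. The following Python model is an added illustration, not code from the exam or from Microsoft: the GPO and Container classes, the resolve function and the "Marketing" OU are assumptions made for the example, and it reproduces only the precedence rules, not how a domain controller serves policy. It replays the configuration as described in the question, then the configuration after answer B, and finally a user in another OU to show that answer B leaves everyone outside Sales unaffected.

```python
"""Group Policy precedence model for question 89 (added example, not from the exam).

Assumptions (not on the page): the GPO/Container classes, resolve() and the
"Marketing" OU are hypothetical; only the precedence rules are reproduced.
"""
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict             # setting name -> value, e.g. {"Hide Screen Saver tab": "Enabled"}
    no_override: bool = False  # No Override: cannot be blocked or overwritten further down


@dataclass
class Container:
    name: str
    level: str                 # "local", "site", "domain" or "ou"
    gpos: list                 # linked GPOs in link order; index 0 has the highest priority
    block_inheritance: bool = False


def resolve(chain):
    """Apply policy for a chain local -> site -> domain -> OUs (parent before child).

    Returns (effective settings, GPO names in the order applied). A GPO applied
    later overwrites the same setting from a GPO applied earlier.
    """
    applied = []          # (level, gpo) for ordinary links, outermost container first
    enforced_chunks = []  # No Override GPOs, one list per container, outermost first
    for container in chain:
        if container.block_inheritance:
            # Block Policy inheritance discards the links of every parent container.
            # The local GPO is not a link and survives; No Override GPOs are kept
            # aside below and cannot be blocked.
            applied = [(lvl, g) for lvl, g in applied if lvl == "local"]
        chunk = []
        # Link order 1 has the highest priority, so it must be applied last:
        # walk the links from lowest priority to highest.
        for gpo in reversed(container.gpos):
            if gpo.no_override:
                chunk.append(gpo)
            else:
                applied.append((container.level, gpo))
        enforced_chunks.append(chunk)
    # No Override GPOs are applied after all ordinary ones. Between containers the
    # parent's No Override GPO wins over the child's, so the innermost chunk goes first.
    order = [g for _, g in applied]
    for chunk in reversed(enforced_chunks):
        order.extend(chunk)
    effective = {}
    for gpo in order:
        effective.update(gpo.settings)
    return effective, [g.name for g in order]


HIDE = "Hide Screen Saver tab"
WALL = "Active Desktop Wallpaper"
BLISS = r"c:\WINNT\web\wallpaper\bliss.jpg"
AUTUMN = r"c:\WINNT\web\wallpaper\autumn.jpg"


def build(screensaver_no_override, wallpaper_first):
    """Build the domain and OUs from the question's table (the Marketing OU is constructed)."""
    screensaver = GPO("ScreenSaver", {HIDE: "Disabled"}, no_override=screensaver_no_override)
    display = GPO("Display and Wallpaper", {HIDE: "Enabled", WALL: BLISS})
    wallpaper = GPO("Wallpaper", {WALL: AUTUMN})
    sales_links = [wallpaper, display] if wallpaper_first else [display, wallpaper]
    domain = Container("testking.com", "domain", [screensaver])
    sales = Container("Sales", "ou", sales_links, block_inheritance=True)
    marketing = Container("Marketing", "ou", [])  # hypothetical: any OU other than Sales
    return domain, sales, marketing


def as_described():
    """The configuration in the question: ScreenSaver has No Override, Wallpaper is second."""
    domain, sales, _ = build(screensaver_no_override=True, wallpaper_first=False)
    return resolve([domain, sales])[0]


def after_answer_b():
    """Answer B: No Override removed from ScreenSaver and the Wallpaper GPO moved to first."""
    domain, sales, _ = build(screensaver_no_override=False, wallpaper_first=True)
    return resolve([domain, sales])[0]


def other_ou_after_answer_b():
    """A user outside Sales still gets only the domain ScreenSaver GPO: nobody else is affected."""
    domain, _, marketing = build(screensaver_no_override=False, wallpaper_first=True)
    return resolve([domain, marketing])[0]


if __name__ == "__main__":
    print("as described      :", as_described())
    print("after answer B    :", after_answer_b())
    print("other OU, answer B:", other_ou_after_answer_b())
```

Run as described, the model shows the Screen Saver tab visible (the domain's No Override GPO is applied last) and the wallpaper set to bliss.jpg (the Display and Wallpaper GPO, first in link order, is applied after the Wallpaper GPO). After answer B both wanted settings appear for Sales, while the Marketing user still receives the unchanged domain GPO.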

Reference: Server Help

QUESTION NO: 90
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each client computer runs Windows NT Workstation 4.0, Windows 2000 Professional, or Windows XP Professional. The computer accounts for all client computers are located in an organizational unit (OU) named CompanyComputers. All user accounts are located in an OU named CompanyUsers. TestKing has a written policy that requires a logon banner to be presented to all users when they log on to any client computer on the network. The banner must display a warning about unauthorized use of the computer. You need to ensure that the logon banner appears when a user logs on to a client computer. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Create a Group Policy object (GPO) that includes the appropriate settings in the interactive logon section. Link the GPO to the domain.

B. Create a script that presents the required warning. Create a Group Policy object (GPO) that will cause the script to run during the startup process. Link the GPO to the TestKingUsers OU.

C. Create a system policy file named Ntconfig.pol that includes the appropriate settings. Place a copy of this file in the appropriate folder on the domain controller.

D. Create a batch file named Autoexec.bat that presents the required warning. Copy the file to the root folder on ***MISSING***

Answer: A, C

Explanation:
We need to configure a GPO to display the logon message that will apply to the Windows 2000 and Windows XP clients. We need to configure a system policy to display the logon message that will apply to the Windows NT clients. This policy is created with the System Policy Editor. System policies are used by network administrators to configure and control individual users and their computers. Administrators use POLEDIT.EXE to set Windows NT profiles that are either network- or user-based. Using this application, you can create policies, either local or network-driven, that can affect Registry settings for both hardware and users. The file created to apply the policy is named NTConfig.pol.

Interactive logon: Message text for users attempting to log on
Description
This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Default: No message.
Configuring this security setting
You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Reference: Group Policy Help

QUESTION NO: 91
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Except for IT staff, users are not local administrators on client computers. TestKing obtains a new application for order processing. This application must be installed on each client computer. The application is contained in an .msi file. You copy the .msi file to a shared folder on a file server. You assign the Authenticated Users group the Allow – Read permissions for the shared folder. To deploy the application, you instruct users to double-click the .msi file in the shared folder. When users attempt to install the application, they receive an error message, and setup fails. You need to configure the network so that the application can be installed successfully. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Modify the Default Domain Policy Group Policy object (GPO) and assign the new application to all client computers.

B. Grant the users the permissions required to create temporary files in the shared folder that contains the .msi file.

C. Modify the Default Domain Policy Group Policy object (GPO) and disable the Prohibit User Installs setting in the Windows Installer section of the computer settings.

D. Modify the Default Domain Policy Group Policy object (GPO) and enable the Always install with elevated privileges setting in the Windows Installer section of the computer settings.

Answer: A, D

Explanation:
The software installation fails because the users don’t have the necessary permissions to install the software. We can solve this problem either by assigning the application to the users in a group policy, or by using a group policy to enable the Always install with elevated privileges setting in the Windows Installer section of the computer settings.

Software installation
You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension.

Assigning Applications
When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications). When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

Publishing Applications
You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double-clicking an .xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers. To take advantage of all of the features of Group Policy Software Installation, it is best to use applications that include a Windows Installer (.msi) package. For example, published MSI packages support installation for users who do not have administrative credentials. However, you can also publish legacy setup programs using a .zap file. These applications will be displayed in Add or Remove Programs like any other published application, but typically can only be installed by users with administrative credentials. A .zap file is a simple text file that describes the path to the setup program, as well as any arguments to be passed on the command line. A simple example illustrating the syntax of a .zap file is shown below:

[Application]
FriendlyName = Microsoft Works 4.5a
SetupCommand = ""\\DeploymentServer\Apps\Works 4.5a\Standard\Setup.exe""

Note: When using quotes in .zap files, the following rules apply:

• The path and name of the setup executable must always be quoted.
• If there are no command-line arguments, they must be quoted twice.
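A checker for this format, as an added example that is not part of the original document and not a Microsoft tool: it parses the [Application] section, splits SetupCommand into the executable path and its arguments, and reports violations of the two quoting rules above. The function names and the sample shares under \\DeploymentServer\Apps are constructed for the example (ZAP_OK mirrors the page's own sample); it also flags a SetupCommand that points at an .msi, since the text notes that such packages are better assigned or published directly.

```python
"""Checker for .zap publishing files (added example, not from the exam or from Microsoft).

Assumptions (not on the page): the function names and the sample shares below are
hypothetical; the checks implement only the two quoting rules stated above and the
page's advice to prefer an .msi package where one exists.
"""
import configparser

# Constructed samples. ZAP_OK mirrors the page's example; the others are made up.
ZAP_OK = r"""[Application]
FriendlyName = Microsoft Works 4.5a
SetupCommand = ""\\DeploymentServer\Apps\Works 4.5a\Standard\Setup.exe""
"""
ZAP_ARGS = r"""[Application]
FriendlyName = Legacy Order Tool
SetupCommand = "\\DeploymentServer\Apps\OrderTool\Setup.exe" /quiet
"""
ZAP_SINGLE_QUOTED = r"""[Application]
FriendlyName = Legacy Order Tool
SetupCommand = "\\DeploymentServer\Apps\OrderTool\Setup.exe"
"""
ZAP_UNQUOTED = r"""[Application]
FriendlyName = Legacy Order Tool
SetupCommand = \\DeploymentServer\Apps\OrderTool\Setup.exe
"""


def split_setup_command(value):
    """Split a SetupCommand value into (path, args, problems) under the quoting rules."""
    value = value.strip()
    problems = []
    if value.startswith('""'):
        end = value.find('""', 2)
        if end == -1:
            return value, "", ["SetupCommand: the doubled opening quotes are never closed"]
        path, args = value[2:end], value[end + 2:].strip()
    elif value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value, "", ["SetupCommand: the opening quote is never closed"]
        path, args = value[1:end], value[end + 1:].strip()
        if not args:
            problems.append("SetupCommand: no command-line arguments, so the path must be quoted twice")
    else:
        parts = value.split(None, 1)
        path, args = parts[0], (parts[1] if len(parts) > 1 else "")
        problems.append("SetupCommand: the path and name of the setup executable must be quoted")
    return path, args, problems


def check_zap(text):
    """Parse .zap text and return its fields plus a list of problems (empty when it is clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("Application"):
        return {"friendly_name": None, "setup_path": "", "setup_args": "",
                "problems": ["missing [Application] section"]}
    app = cp["Application"]
    problems = []
    name = app.get("FriendlyName")
    if not name:
        problems.append("FriendlyName is required")
    cmd = app.get("SetupCommand")
    if cmd is None:
        path, args = "", ""
        problems.append("SetupCommand is required")
    else:
        path, args, cmd_problems = split_setup_command(cmd)
        problems.extend(cmd_problems)
    if path.lower().endswith(".msi"):
        # .zap publishing gives up elevated installs, repair and rollback: use the .msi directly.
        problems.append("setup program is a Windows Installer package; assign or publish the .msi instead")
    return {"friendly_name": name, "setup_path": path, "setup_args": args, "problems": problems}


if __name__ == "__main__":
    for label, text in [("ok", ZAP_OK), ("args", ZAP_ARGS),
                        ("single-quoted", ZAP_SINGLE_QUOTED), ("unquoted", ZAP_UNQUOTED)]:
        result = check_zap(text)
        print(f"{label:14s} path={result['setup_path']!r} args={result['setup_args']!r} "
              f"problems={result['problems']}")
```

Because a .zap file hands the user's own credentials to a legacy Setup.exe with no Windows Installer rollback, a malformed SetupCommand simply fails at install time on the client; checking the file before publishing it through Group Policy avoids that round trip.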

Non-Windows Installer Applications
It is possible to publish applications that do not install with the Windows Installer. They can only be published to users and they are installed using their existing Setup programs.

Impersonate a client after authentication
Description
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.
Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users.

Non-Windows Installer applications
Because these non-Windows Installer applications use their existing Setup programs, such applications cannot:

• Use elevated privileges for installation.
• Install on the first use of the software.
• Install a feature on the first use of the feature.
• Roll back an unsuccessful operation, such as an install, modify, repair, or removal, or take advantage of other features of the Windows Installer.
• Detect a broken state and automatically repair it.

References:
Group Policy Help
Step-by-Step Guide to Software Installation and Maintenance
http://www.microsoft.com/windows2000/techinfo/planning/management/swinstall.asp

QUESTION NO: 92
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains two domains. All servers run Windows Server 2003. The domains and organizational units (OUs) are structured as shown in the work area. Users in the research department have user accounts in the research.testking.com domain. All other user accounts and resources are in the testking.com domain. All domain controllers are in the Domain Controllers OU of their respective domain. No other computer or user accounts are in the Domain Controllers OUs. A written company policy requires that all users working in the research department must use complex passwords of at least nine characters in length. The written policy states that no other users are to have password restrictions. All affected users have user accounts in an OU named Research Users in the research.testking.com domain. You create a Group Policy object (GPO) that contains the required settings. You need to ensure that these settings affect the users in the research department, and that the settings do not affect any other domain users or local accounts. Where should you link the GPO? To answer, select the appropriate location or locations in the work area.


Answer: Select the research.testking.com domain.

Explanation:
Password restrictions for domain user accounts must always be set at domain level. Password policies applied at OU level will only apply to local user accounts. In this scenario, research.testking.com contains only research users, so applying the policy at the domain level will not affect any other users.

QUESTION NO: 93
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All servers that are not domain controllers have computer accounts in an organizational unit (OU) named ApplicationServers. Client computers have computer accounts in 15 OUs organized by department. All users have user accounts in an OU named CompanyUsers. TestKing wants all users to have Microsoft Word available on their client computers. TestKing does not want to install Word on domain controllers or other servers. You need to configure the network to install the application as required, without affecting any existing policies or settings. What should you do?

A. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation section of the computer settings. Link this GPO to the domain. Configure the Domain Controllers OU and the ApplicationServers OU to block policy inheritance.

B. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation section of the computer settings. Link this GPO to the domain. Configure permissions on the GPO so that all servers and domain controller accounts are denied the permissions to read and apply the GPO.

C. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation section of the user settings. Link this GPO to the domain. Configure the Domain Controllers OU and the ApplicationServers OU to block policy inheritance.

D. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation section of the user settings. Link this GPO to the domain. Configure permissions on the GPO so that all server and domain controller accounts are denied the permissions to read and apply the GPO.

Answer: B Explanation: The software can be installed on all the client computers, but not the domain controllers or application servers. Because the client computers are in 15 OUs, it would be easier to link the GPO at the domain level. The OUs containing the client computers would then inherit the GPO settings. To prevent the GPO applying to the domain controllers and servers, we can simply deny the permissions to read and apply the GPO for the domain controller and server computer accounts. Software installation You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension. Assigning Applications When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications.) When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's

Page 164: TestKing 70-296 v38

70 - 296

Leading the way in IT testing and certification tools, www.testking.com

- 164 -

computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

Publishing Applications
You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double-clicking an .xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers.

Filter user policy settings based on membership in security groups.
You can specify users or groups for which you do not want a policy setting to apply by clearing the Apply Group Policy and Read check boxes, which are located on the Security tab of the properties dialog box for the GPO. When the Read permission is denied, the policy setting is not downloaded by the computer. As a result, less bandwidth is consumed by downloading unnecessary policy settings, which enables the network to function more quickly. To deny the Read permission, select Deny for the Read check box, which is located on the Security tab of the properties dialog box for the GPO.

Incorrect Answers:
A: It is likely that some domain level policies should apply to the domain controllers and the servers. Therefore, blocking policy inheritance isn’t recommended.
C: It is likely that some domain level policies should apply to the domain controllers and the servers. Therefore, blocking policy inheritance isn’t recommended.
D: This won’t stop the software being installed on the servers, because the software installation would be defined in the user section of the group policy.

QUESTION NO: 94
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. All client computer accounts are located in an organizational unit (OU) named Workstation. A written company policy states that the Windows 2000 Professional computers must not use offline folders. You create a Group Policy object (GPO) to enforce this requirement. The settings in the GPO exist for both Windows 2000 Professional computers and Windows XP Professional computers. You need to configure the GPO to apply only to Windows 2000 Professional computers. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Create a WMI filter that will apply the GPO to computers that are running Windows 2000 Professional.
B. Create a WMI filter that will apply the GPO to computers that are not running Windows XP Professional.
C. Create two OUs under the Workstation OU. Place the computer accounts for the Windows XP Professional computers in one OU, and place the computer accounts for the Windows 2000 Professional computers in the other OU. Link the GPO to the Workstation OU.
D. Create a group that includes the Windows XP Professional computers. Assign the group the Deny – General Resultant Set of Policy (Logging) permission.
E. Create a group that includes the Windows 2000 Professional computers. Assign the group the Deny – Apply Group Policy permission.

Answer: A, B
Explanation:
This is a tricky question because WMI filters are ignored by Windows 2000 clients. However, that doesn’t matter. The Windows XP clients can evaluate the filters and that is good enough. For answer A, the XP clients will evaluate the filter and see that the GPO should not apply to them. The Windows 2000 clients will just apply the GPO without evaluating the WMI filter. For answer B, the same thing will happen. The XP clients will evaluate the filter and see that the GPO should not apply to them. The Windows 2000 clients will just apply the GPO without evaluating the WMI filter.

WMI filtering
WMI filters are only available in domains that have the Windows Server 2003 configuration. Although none of the domain controllers need to be running Windows Server 2003, you must have run ADPrep /DomainPrep in this domain. Also note that WMI filters are only evaluated by clients running Windows XP, Windows Server 2003, or later. WMI filters associated with a Group Policy object will be ignored by Windows 2000 clients and the GPO will always be applied on Windows 2000.

Incorrect Answers:
C: This looks like a good idea. However, applying the GPO to the Workstation OU will (by inheritance) apply the GPO to the two child OUs.
D: This won’t prevent the application of the GPO.
E: This answer is close, but incorrect. This will prevent the GPO applying to the Windows 2000 clients. If the group contained the Windows XP clients, then it would work.

QUESTION NO: 95
You are the network administrator for TestKing. The network consists of a single Active Directory domain with three sites. There is a domain controller at each site. All servers run Windows Server 2003. Each client computer runs either Windows 2000 Professional or Windows XP Professional. The IT staff is organized into four groups. The IT staff work at the three different sites. The computers for the IT staff must be configured by using scripts. The script or scripts must run differently based on which site the IT staff user is logging on to and which of the four groups the IT staff user is a member of. You need to ensure that the correct logon script is applied to the IT staff users based on group membership and site location. What should you do?

A. Create four Group Policy objects (GPOs). Create a script in each GPO that corresponds to one of the four groups. Link the four new GPOs to all three sites. Grant each group permissions to apply only the GPO that was created for the group.

B. Create a single script that performs the appropriate configuration based on the user’s group membership. Place the script in the Netlogon shared folders on the domain controllers.

C. Configure a Group Policy object (GPO) with a startup script that configures computers based on IT staff group. Link the GPO to the three sites.

D. Create a script that configures the computers based on IT staff group membership and site. Create and link a GPO to the Domain Controllers OU to run the script.

Answer: A
Explanation:
The easiest way to filter which users or computers a GPO should apply to is to set permissions on the GPOs. A user or computer needs the Allow – Read and Apply Group Policy permissions in order to apply the GPO. In this question, we have four groups, each with different requirements. By creating four different GPOs and linking them to each of the three sites, we can manage who receives the GPO by configuring the permissions on the GPOs.

Incorrect Answers:
B: The script needs to be linked to an Active Directory container.
C: It’s easier to use GPO permissions to determine which users or computers should receive a GPO.
D: It’s easier to use GPO permissions to determine which users or computers should receive a GPO. Furthermore, the GPO is linked to the wrong container in this answer.

QUESTION NO: 96
You are the network administrator for TestKing, a company that has a single office. The network consists of a single Active Directory domain and a single site. All servers run Windows Server 2003. All file and print servers and application servers are located in an organizational unit (OU) named Servers. A server support team handles daily support issues for the file and print servers and application servers. All of the server support team’s user accounts are located in the OU named SST. You are responsible for managing security for TestKing’s servers. You create a group named ServerSupport that includes all the user accounts of the server support team. You need to ensure that members of the server support team can log on locally to only the file and print servers and the application servers. What should you do?

A. Create a Group Policy object (GPO) to grant the ServerSupport group the Allow log on locally user right. Link the GPO to the SST OU.

B. Create a Group Policy object (GPO) to grant the ServerSupport group the Allow log on locally user right. Link the GPO to the Servers OU.

C. Assign the ServerSupport group the Allow – Full Control permission for the Servers OU.
D. Assign the ServerSupport group the Allow – Full Control permission for the Computers container.

Answer: B
Explanation:
All file and print servers and application servers are located in an organizational unit (OU) named Servers. Therefore, we can simply create a Group Policy object (GPO) to grant the ServerSupport group the Allow log on locally user right and link the GPO to the Servers OU.

Incorrect Answers:
A: The GPO needs to be linked to the OU containing the computer accounts for the servers.
C: This would allow the ServerSupport group to create objects in the OU, and to modify the permissions on existing objects. This is more ‘permission’ than necessary.
D: This would allow the ServerSupport group to create objects in the Computers container, and to modify the permissions on existing objects. This would have no effect on the servers because they are in a separate OU.
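As an added example (not part of the TestKing guide), the following PowerShell script verifies the outcome of answer B once the GPO linked to the Servers OU has applied: on each target it exports the effective local security policy with secedit and reports which principals hold the Allow log on locally right (SeInteractiveLogonRight), together with the Deny log on locally right that overrides it. The computer names and the TESTKING\ServerSupport group name are placeholders, and the script assumes PowerShell remoting to the targets.

```powershell
# Added example, not from the TestKing guide. Assumes PowerShell remoting to the
# targets; computer and group names below are placeholders for your environment.
$Targets       = @('FILESRV01', 'APPSRV01', 'WKS01')   # two servers in the Servers OU, one workstation outside it
$ExpectedGroup = 'TESTKING\ServerSupport'

function Get-UserRightHolders {
    # Runs on the target. Exports the effective local security policy with
    # secedit and returns the accounts listed for the requested user right.
    param([string]$Right)
    $cfg = Join-Path $env:TEMP ('ur-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }             # right not granted to anyone
    # The value is a comma-separated list; SIDs carry a leading '*', names do not.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }                 # orphaned SID: report it raw
        } else { $entry }
    }
}

foreach ($computer in $Targets) {
    # Deny log on locally wins over Allow, so report both rights side by side.
    $allow = @(Invoke-Command -ComputerName $computer -ScriptBlock ${function:Get-UserRightHolders} -ArgumentList 'SeInteractiveLogonRight')
    $deny  = @(Invoke-Command -ComputerName $computer -ScriptBlock ${function:Get-UserRightHolders} -ArgumentList 'SeDenyInteractiveLogonRight')
    [pscustomobject]@{
        Computer              = $computer
        ServerSupportCanLogon = ($allow -contains $ExpectedGroup) -and -not ($deny -contains $ExpectedGroup)
        AllowLogOnLocally     = $allow -join '; '
        DenyLogOnLocally      = $deny  -join '; '
    }
}
```

Including a workstation outside the Servers OU in the target list is the negative check: it should report ServerSupportCanLogon as False, which confirms that the GPO's link scope (answer B rather than A, which links to the OU holding the user accounts) is what limits where the right is granted.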


QUESTION NO: 97
You are the network administrator for TestKing. The network consists of a single Active Directory forest. The forest consists of 19 Active Directory domains. Fifteen of the domains contain Windows Server 2003 domain controllers. The functional level of all the domains is Windows 2000 native. The network consists of a single Microsoft Exchange 2000 Server organization. You need to create groups that can be used only to send e-mail messages to user accounts throughout TestKing. You want to achieve this goal by using the minimum amount of replication traffic and minimizing the size of the Active Directory database. You need to create a plan for creating e-mail groups for TestKing. What should you do?

A. Create global distribution groups in each domain. Make the appropriate users from each domain members of the global distribution group in the same domain. Create universal distribution groups. Make the global distribution groups in each domain members of the universal distribution groups.

B. Create global security groups in each domain. Make the appropriate users from each domain members of the security group in the same domain. Create universal security groups. Make the global security groups in each domain members of the universal security groups.

C. Create universal distribution groups. Make the appropriate users from each domain members of a universal distribution group.

D. Create universal security groups. Make the appropriate users from each domain members of a universal security group.

Answer: A
Explanation:
We need to minimize replication traffic. We can do this by placing the users into Global groups, then place the Global groups into Universal groups. In Active Directory, a Universal group lists all its members. If the Universal group contained user accounts, and a user account was added or removed, then the Universal group information would be replicated throughout the forest. This is why placing user accounts directly into Universal groups isn’t recommended. We need to use Distribution groups for email groups. Answers B and D are wrong because they suggest using security groups. Answer C is wrong because it suggests placing the user accounts directly into Universal groups.


When to use global groups
Because global groups have a forest-wide visibility, do not create them for domain-specific resource access. Use a global group to organize users who share the same job tasks and need similar network access requirements. A different group type is more appropriate for controlling access to resources within a domain.

When to use universal groups
Use universal groups to nest global groups so that you can assign permissions to related resources in multiple domains. A Windows Server 2003 domain must be in Windows 2000 native mode or higher to use universal groups.

When to use domain local groups
Use a domain local group to assign permissions to resources that are located in the same domain as the domain local group. You can place all global groups that need to share the same resources into the appropriate domain local group.

MS THUMB RULES
Grant permissions to groups instead of users.
• A G P
• A DL P
• A G DL P
• A G U DL P
• A G L P

A (Account), G (Global Group), U (Universal Group), DL (Domain Local Group), P (Permissions)
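As an added example (not part of the TestKing guide), the following PowerShell script builds the nesting that answer A and the A G U DL P rule describe: one global distribution group per domain holding that domain's users, all nested in a single universal distribution group in the forest root, and then shows why this keeps replication small by listing what the universal group itself contains. It assumes the ActiveDirectory module and rights to create groups in each domain; the domain list, OU paths, group names and the membership filter are placeholders.

```powershell
# Added example, not from the TestKing guide. Assumes the ActiveDirectory module
# and rights to create groups in each domain; domain names, OU paths and group
# names are placeholders.
Import-Module ActiveDirectory

$RootDomain = 'testking.com'
$Domains    = @('testking.com', 'asia.testking.com', 'africa.testking.com')   # placeholder list of the forest's domains
$UgName     = 'All-Staff-Mail'
$UgPath     = "CN=Users,$((Get-ADDomain -Server $RootDomain).DistinguishedName)"

function Get-OrCreateDistributionGroup {
    # Idempotent helper: returns the existing group or creates it in the given domain.
    param([string]$Name, [string]$Scope, [string]$Path, [string]$Server)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -Server $Server
    if (-not $g) {
        # Distribution category: the group is never placed in a security token, so it
        # cannot grant access even by mistake; that is why answers B and D are rejected.
        $g = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                         -GroupCategory Distribution -Path $Path -Server $Server -PassThru
    }
    return $g
}

# 1. One universal distribution group in the root domain (needs Windows 2000 native or higher).
$ug = Get-OrCreateDistributionGroup -Name $UgName -Scope Universal -Path $UgPath -Server $RootDomain

# 2. One global distribution group per domain; individual users join the global group only.
foreach ($domain in $Domains) {
    $ggName = 'Staff-Mail-' + ($domain -replace '\.', '-')          # e.g. Staff-Mail-asia-testking-com
    $ggPath = "CN=Users,$((Get-ADDomain -Server $domain).DistinguishedName)"
    $gg     = Get-OrCreateDistributionGroup -Name $ggName -Scope Global -Path $ggPath -Server $domain

    $users = Get-ADUser -Filter 'Enabled -eq $true -and mail -like "*"' -Server $domain   # placeholder membership rule
    if ($users) { Add-ADGroupMember -Identity $gg -Members $users -Server $domain }

    # 3. Nest the global group in the universal group. Passing the ADGroup object rather
    #    than a name string avoids resolving a foreign-domain name against the root DC.
    $current = (Get-ADGroup -Identity $ug -Properties member -Server $RootDomain).member
    if ($current -notcontains $gg.DistinguishedName) {
        Add-ADGroupMember -Identity $ug -Members $gg -Server $RootDomain
    }
}

function Get-UniversalGroupFootprint {
    # What the global catalog replicates forest-wide is the universal group's own member
    # attribute: it should list only the global groups, never individual user accounts.
    param([string]$Name, [string]$Server)
    $members = (Get-ADGroup -Identity $Name -Properties member -Server $Server).member
    [pscustomobject]@{
        UniversalGroup = $Name
        DirectMembers  = @($members).Count     # expected: one entry per domain
        MemberDNs      = $members
    }
}

Get-UniversalGroupFootprint -Name $UgName -Server $RootDomain
```

After a user joins or leaves, only the global group in that user's domain changes, and global group membership is replicated within the domain only; the universal group's member list, which every global catalog carries, stays at one entry per domain.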


Reference: Server Help, Schema classes and attributes, MS workshop 2209

QUESTION NO: 98
You are the network administrator for Acme Inc. Your network consists of a single Active Directory forest that contains one domain named acme.com. The functional level of the forest is Windows Server 2003. Acme, Inc., acquires a company named TestKing. The TestKing network consists of a single Active Directory forest that contains a root domain named testking.com and a child domain named asia.testking.com. The functional level of the forest is Windows 2000. The functional level of the asia.testking.com domain is Windows 2000 native. A business decision by TestKing requires that the asia.testking.com domain be removed. You need to move all user accounts from the asia.testking.com domain to the acme.com domain by using the Active Directory Migration Tool. You need to accomplish this task without changing the logon rights and permissions for all other users. You need to ensure that users in asia.testking.com can log on to acme.com by using their current user names and passwords. What should you do?

A. Create a two-way Windows Server 2003 external trust relationship between the acme.com domain and the testking.com domain.

B. Create a one-way Windows Server 2003 external trust relationship in which the acme.com domain trusts the testking.com domain.

C. Create a temporary two-way external trust relationship between the acme.com domain and the asia.testking.com domain.

D. Create a temporary one-way external trust relationship in which the asia.testking.com domain trusts the acme.com domain.

Answer: C
Explanation:
To use ADMT, we need a two-way trust between the acme.com domain and the asia.testking.com domain.

Incorrect Answers:
A: This would enable users in testking.com to log in to acme.com and users in acme.com to log in to testking.com.
B: This would enable users in testking.com to log in to acme.com.
D: The trust must be a two-way trust.

QUESTION NO: 99
You are the network administrator for TestKing. Your network consists of a single Active Directory forest that contains three domains. The forest root domain is named testking.com. The domain contains two child domains named asia.testking.com and africa.testking.com. The functional level of the forest is Windows Server 2003. Each domain contains two Windows Server 2003 domain controllers named DC1 and DC2. DC1 in the testking.com domain performs the following two operations master roles: schema master and domain naming master. DC1 in each child domain performs the following three operations master roles: PDC emulator master, relative ID (RID) master, and infrastructure master. DC1 in each domain is also a global catalog server. The user account for Tess King in the africa.testking.com domain is a member of the Medicine Students security group. Because of a name change, the domain administrator of africa.testking.com changes the Last name field of Tess’s user account from King to Edwards. The domain administrator of asia.testking.com discovers that the user account for Tess is still listed as Tess King. You need to ensure that the user account for Tess Edwards is correctly listed in the Medicine Students group. What should you do?

A. Transfer the PDC emulator master role from DC1 to DC2 in each domain.
B. Transfer the infrastructure master role from DC1 to DC2 in each domain.
C. Transfer the RID master role from DC1 to DC2 in each domain.
D. Transfer the schema master role from DC1 to DC2 in the testking.com domain.

Answer: B
Explanation:
Problems like this can occur when the infrastructure master role is on the same domain controller as the Global Catalog. There is no reason to transfer any other master roles.

Infrastructure master
A domain controller that holds the infrastructure operations master role in Active Directory. The infrastructure master updates the group-to-user reference whenever group memberships change and replicates these changes across the domain. At any time, the infrastructure master role can be assigned to only one domain controller in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.

Important
Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain. In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication. There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

QUESTION NO: 100
You are the network administrator for TestKing. The network consists of a single Active Directory domain with two sites. Each site contains two domain controllers. One domain controller in each site is a global catalog server. You add a domain controller to each site. Each new domain controller has a faster processor than the existing domain controllers. TestKing requires Active Directory replication to flow through the servers that have the most powerful CPUs in each site. You need to configure the intersite replication to comply with TestKing’s requirement for Active Directory replication. What should you do?

A. Configure the new domain controllers as global catalog servers.
B. Configure the new domain controller in each site as a preferred bridgehead server for the IP transport.
C. Configure the new domain controller in each site as a preferred bridgehead server for the SMTP transport.
D. Configure an additional IP site link between the two sites. Assign a lower site link cost to this site link than the site link cost for the original site link.


Answer: B
Explanation:

Replication
Directory information is replicated both within and among sites. Active Directory replicates information within a site more frequently than across sites. This balances the need for up-to-date directory information with the limitations imposed by available network bandwidth. You customize how Active Directory replicates information using site links to specify how your sites are connected. Active Directory uses the information about how sites are connected to generate Connection objects that provide efficient replication and fault tolerance. You provide information about the cost of a site link, times when the link is available for use and how often the link should be used. Active Directory uses this information to determine which site link will be used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is low, will make replication more efficient. Ordinarily, all domain controllers are used to exchange information between sites, but you can further control replication behavior by specifying a bridgehead server for inter-site replicated information. Establish a bridgehead server when you have a specific server you want to dedicate for inter-site replication, rather than using any server available. You can also establish a bridgehead server when your deployment uses proxy servers, such as for sending and receiving information through a firewall.

Site link
Site links are logical paths that the KCC uses to establish a connection for Active Directory replication. Site links are stored in Active Directory as site link objects. A site link object represents a set of sites that can communicate at uniform cost through a specified intersite transport. All sites contained within the site link are considered to be connected by means of the same network type. Sites must be manually linked to other sites by using site links so that domain controllers in one site can replicate directory changes from domain controllers in another site. Because site links do not correspond to the actual path taken by network packets on the physical network during replication, you do not need to create redundant site links to improve Active Directory replication efficiency. When two sites are connected by a site link, the replication system automatically creates connections between specific domain controllers in each site called bridgehead servers. In Microsoft® Windows® 2000, intersite replication of the directory partitions (e.g. domain, configuration, and schema) between domain controllers in different sites is performed by the domain controllers (one per directory partition) in those sites designated by the KCC as the bridgehead server. In Windows Server 2003, the KCC may designate more than one domain controller per site hosting the same directory partition as a candidate bridgehead server. The replication connections created by the KCC are randomly distributed between all candidate bridgehead servers in a site to share the replication workload. By default, the randomized selection process takes place only when new connection objects are added to the site. However, you can run Adlb.exe, a new Windows Resource Kit tool called Active Directory Load Balancing (ADLB), to rebalance the load each time a change occurs in the site topology or in the number of domain controllers in the site. In addition, ADLB can stagger schedules so that the outbound replication load for each domain controller is spread out evenly across time. Consider using ADLB to balance replication traffic between the Windows Server 2003–based domain controllers when they are replicating to more than 20 other sites hosting the same domain.

Reference: MS Windows Server 2003 Deployment Kit, Designing and Deploying Directory and Security Services, Active Directory Replication Concepts
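As an added example (not part of the TestKing guide), the following PowerShell script shows how answer B is applied and checked: a server object becomes a preferred bridgehead for a transport when the transport's DN is present in its bridgeheadTransportList attribute, so the script lists the current preferred IP bridgeheads, marks the new domain controller in each site, and lists them again. It assumes the ActiveDirectory module and rights to modify the configuration partition; the DC names are placeholders.

```powershell
# Added example, not from the TestKing guide. Assumes the ActiveDirectory module
# and rights to edit the configuration partition; the DC names below are placeholders
# for the new, faster domain controller in each site.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$sitesDN     = "CN=Sites,$configNC"
$ipTransport = "CN=IP,CN=Inter-Site Transports,$sitesDN"

function Get-PreferredBridgehead {
    # A server object is a preferred bridgehead for a transport when the transport's
    # DN appears in its multi-valued bridgeheadTransportList attribute.
    Get-ADObject -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
                 -SearchBase $sitesDN -Properties bridgeheadTransportList |
        Where-Object { $_.bridgeheadTransportList -contains $ipTransport } |
        ForEach-Object {
            # DN layout: CN=<dc>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
            [pscustomobject]@{
                Server = $_.Name
                Site   = (($_.DistinguishedName -split ',')[2] -replace '^CN=', '')
            }
        }
}

function Set-PreferredBridgehead {
    # Marks one DC as a preferred IP bridgehead; safe to run twice.
    param([Parameter(Mandatory)][string]$DcName)
    $srv = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DcName))" `
                        -SearchBase $sitesDN -Properties bridgeheadTransportList
    if (-not $srv) { throw "No server object named $DcName under $sitesDN" }
    if ($srv.bridgeheadTransportList -contains $ipTransport) { return }   # already preferred
    Set-ADObject -Identity $srv -Add @{ bridgeheadTransportList = $ipTransport }
}

'Preferred IP bridgeheads before:'; Get-PreferredBridgehead | Format-Table -AutoSize
foreach ($dc in @('DC3-SITEA', 'DC3-SITEB')) { Set-PreferredBridgehead -DcName $dc }   # placeholder names
'Preferred IP bridgeheads after:';  Get-PreferredBridgehead | Format-Table -AutoSize
```

One operational caveat worth keeping in mind: once a site has any preferred bridgehead for a transport, the KCC uses only the preferred servers for that site and does not fall back to the other domain controllers, so if every preferred bridgehead in a site is offline, intersite replication for that site stops until one returns or the setting is removed. Monitoring those servers, or nominating more than one per site, is the usual mitigation.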

QUESTION NO: 101
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The functional level of the domain is Windows Server 2003. The organizational unit (OU) structure is shown in the exhibit.


TestKing uses an X.500 directory service enabled product to support a sales and marketing application. The application is used only by users in the sales department and the marketing department. The application uses InetOrgPerson objects as user accounts. InetOrgPerson objects have been created in Active Directory for all Sales and Marketing users. These users are instructed to log on by using their InetOrgPerson object as their user account. Microsoft Identity Integration Server is configured to copy changes to InetOrgPerson objects from Active Directory to the X.500 directory service enabled product. All InetOrgPerson objects for marketing employees are located in the Marketing OU. All InetOrgPerson objects for sales employees are located in the Sales OU. King is another administrator in TestKing. King is responsible for managing the objects for users who require access to the X.500 directory service enabled product. You need to configure Active Directory to allow King to perform his responsibilities. Which action or actions should you take? (Choose all that apply)

A. On the domain, grant King the permission to manage user objects.
B. On the domain, grant King the permission to manage InetOrgPerson objects.
C. On the Sales OU, block the inheritance of permissions.
D. On the Marketing OU, block the inheritance of permissions.
E. On the Dev OU, block the inheritance of permissions.

Answer: B, E
Explanation:
The administrator named King needs to manage the InetOrgPerson objects. We could delegate this task as shown in the exhibit below, but this isn’t given as an option. Instead we can set permissions at the domain level. The permissions shouldn’t apply to the Dev OU, so we’ll have to block the inheritance of the permissions for the Dev OU.
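As an added example (not part of the TestKing guide), the following PowerShell script implements answers B and E with the AD: drive of the ActiveDirectory module: it first protects the Dev OU from inheritance (answer E), then grants King full control over inetOrgPerson objects at the domain level (answer B) and checks which OUs end up carrying an ACE for him. The account name King, the OU names Dev, Sales and Marketing, and the assumption that those OUs sit directly under the domain follow the question and are placeholders.

```powershell
# Added example, not from the TestKing guide. Assumes the ActiveDirectory module (for
# the AD: drive) and rights to change ACLs on the domain head and the Dev OU; the
# account 'King' and the OU names follow the question and are placeholders.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=testking,DC=com
$DevOU    = "OU=Dev,$DomainDN"
$Delegate = Get-ADUser -Identity 'King'

# Object-class GUID of inetOrgPerson, read from the schema so it is never hard-coded.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=inetOrgPerson)' `
                                 -Properties schemaIDGUID).schemaIDGUID

# Step 1 (answer E): block inheritance on the Dev OU BEFORE the new ACEs exist at the
# domain head. preserveInheritance=$true keeps explicit copies of what Dev inherits today,
# so existing delegations keep working; done afterwards it would also copy King's ACE.
$devAcl = Get-Acl -Path "AD:\$DevOU"
$devAcl.SetAccessRuleProtection($true, $true)     # isProtected, preserveInheritance
Set-Acl -Path "AD:\$DevOU" -AclObject $devAcl

# Step 2 (answer B): on the domain head, grant King full control over descendant
# inetOrgPerson objects only, plus create/delete of inetOrgPerson children.
$acl   = Get-Acl -Path "AD:\$DomainDN"
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# Overload (identity, rights, type, inheritanceType, inheritedObjectType)
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $Delegate.SID, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow, $inh::Descendents, $classGuid)
# Overload (identity, rights, type, objectType, inheritanceType)
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $Delegate.SID, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild', $allow, $classGuid, $inh::All)
$acl.AddAccessRule($fullControl)
$acl.AddAccessRule($createDelete)
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

function Get-DelegateAceCount {
    # Counts ACEs (explicit or inherited) for an account on a container.
    param([string]$ContainerDN, [string]$Account)   # Account as DOMAIN\name
    @((Get-Acl -Path "AD:\$ContainerDN").Access | Where-Object { $_.IdentityReference.Value -eq $Account }).Count
}

# Expected: Sales and Marketing inherit King's ACEs (> 0); Dev reports 0.
$kingName = $Delegate.SID.Translate([System.Security.Principal.NTAccount]).Value
foreach ($ou in 'Sales', 'Marketing', 'Dev') {
    '{0,-10} ACEs for {1}: {2}' -f $ou, $kingName, (Get-DelegateAceCount -ContainerDN "OU=$ou,$DomainDN" -Account $kingName)
}
```

Blocking inheritance on Dev cuts every inherited ACE, not just King's, which is why the script preserves copies of the existing entries; those copies should be reviewed afterwards so the OU does not silently keep permissions that are later removed higher up.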


QUESTION NO: 102
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains five domains. The functional level of the forest is Windows 2000. You have not configured any universal groups in the forest. One domain is a child domain named usa.testking.com that contains two domain controllers and 50 client computers. The functional level of the domain is Windows Server 2003. The network includes an Active Directory site named Site1 that contains two domain controllers. Site1 represents a remote clinic, and the location changes every few months. All of the computers in usa.testking.com are located in the remote clinic. The single WAN connection that connects the remote clinic to the main network is often saturated or unavailable. Site1 does not include any global catalog servers. You create several new user accounts on the domain controllers located in Site1. You need to ensure that users in the remote clinic can always quickly and successfully log on to the domain. What should you do?

A. Enable universal group membership caching in Site1.
B. Add the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry on both domain controllers in Site1.
C. Add the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry on all global catalog servers in the forest.
D. Raise the functional level of the forest to Windows Server 2003.

Answer: B
Explanation:

Native Mode Domain
A native mode domain, where all domain controllers are Windows 2000 domain controllers and the domain has been irrevocably switched to native mode, allows the usage of universal groups. When processing a logon request for a user in a native-mode domain, a domain controller sends a query to a global catalog server to determine the user's universal group memberships. Since you can explicitly deny a group access to a resource, complete knowledge of a user's group memberships is necessary to enforce access control correctly. If a domain controller of a native-mode domain cannot contact a global catalog server to determine universal group membership when a user wants to log on, the domain controller refuses the logon request. The following registry key can be set so that the domain controller ignores the global catalog server failure when expanding universal groups:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures

The domain controller still tries to connect to the global catalog server, however, and the timeout for that query must expire. For more information on using this registry key, refer to article Q241789 in the Microsoft Knowledge Base.

QUESTION NO: 103
You are a network administrator for TestKing that has a main office and five branch offices. The network consists of six Active Directory domains. All servers run Windows Server 2003. Each office is configured as a single domain. Each office is also configured as an Active Directory site. TestKing uses an application server that queries user information from the global catalog. You install application servers in the main office and in three branch offices. The network is configured as shown in the exhibit.


You monitor the WAN connections between the main office and each branch office and discover that the utilization increased from 70 percent to 90 percent. Users report slow response times when accessing information on the application server. You need to place global catalog servers in offices where they will improve the response times for the application servers. You need to achieve this goal with a minimum amount of increase in WAN traffic. In which office or offices should you place a new global catalog server or servers? (Choose all that apply)

A. Berlin
B. Rio de Janeiro
C. New Delhi
D. St Petersburg
E. Cairo

Answer: B, C, D
Explanation:
Because the application server queries Global catalog attributes, we need to put one Global Catalog server in each site hosting an application server; in this case Rio de Janeiro, New Delhi and St Petersburg.
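The three preceding questions on the global catalog (the infrastructure master in question 99, the IgnoreGCFailures key and universal group membership caching in question 102, and GC placement per site in question 103) can all be checked with one forest-wide audit. The following PowerShell script is an added example, not part of the TestKing guide: it reports, per domain, whether the infrastructure master sits on a global catalog while other DCs are not GCs, and, per site, whether a GC is present, whether universal group membership caching is enabled (bit 0x20 of options on the NTDS Site Settings object) and how many DCs carry the IgnoreGCFailures key. It assumes the ActiveDirectory module, Enterprise Admins rights and PowerShell remoting to the domain controllers.

```powershell
# Added example, not from the TestKing guide. Assumes the ActiveDirectory module,
# Enterprise Admins rights, and PowerShell remoting to the domain controllers.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$configNC  = (Get-ADRootDSE).configurationNamingContext
$UGMC_FLAG = 0x20     # nTDSSiteSettings.options bit: universal group membership caching enabled

# Get-ADDomainController is per domain, so walk every domain to collect all DCs in the forest.
$allDCs  = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$gcSites = @($allDCs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.Site } | Sort-Object -Unique)

function Test-InfrastructureMasterPlacement {
    # Question 99: the infrastructure master must not be a GC unless every DC in the domain is one.
    foreach ($d in $forest.Domains) {
        $dom   = Get-ADDomain -Server $d
        $dcs   = @($allDCs | Where-Object { $_.Domain -eq $d })
        $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
        $allGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        [pscustomobject]@{
            Domain               = $d
            InfrastructureMaster = $dom.InfrastructureMaster
            HolderIsGC           = [bool]$im.IsGlobalCatalog
            AllDCsAreGC          = $allGC
            Problem              = ([bool]$im.IsGlobalCatalog) -and (-not $allGC)   # phantom updates would stall
        }
    }
}

function Test-IgnoreGCFailures {
    # Question 102: a DC with this key logs users on even when universal group
    # membership could not be expanded, i.e. with possibly incomplete group data.
    param([string]$Dc)
    Invoke-Command -ComputerName $Dc -ScriptBlock {
        Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures'
    } -ErrorAction SilentlyContinue
}

function Get-SiteLogonReadiness {
    # Questions 102 and 103: per site, is a GC present, is UGMC on, and do any DCs ignore GC failures?
    foreach ($site in Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase "CN=Sites,$configNC") {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                                 -Properties options -ErrorAction SilentlyContinue
        $opts    = if ($settings -and $settings.options) { [int]$settings.options } else { 0 }
        $dcsHere = @($allDCs | Where-Object { $_.Site -eq $site.Name })
        [pscustomobject]@{
            Site              = $site.Name
            DomainControllers = $dcsHere.Count
            HasGlobalCatalog  = $gcSites -contains $site.Name
            UGMCEnabled       = ($opts -band $UGMC_FLAG) -ne 0
            IgnoreGCFailures  = @($dcsHere | Where-Object { Test-IgnoreGCFailures -Dc $_.HostName }).Count
        }
    }
}

Test-InfrastructureMasterPlacement | Format-Table -AutoSize
Get-SiteLogonReadiness           | Format-Table -AutoSize
```

A site that shows HasGlobalCatalog False and UGMCEnabled False depends entirely on the WAN for every logon that needs universal group expansion, which is the situation question 102 describes; a non-zero IgnoreGCFailures count is worth flagging, because, as the explanation above notes, a Deny applied through a universal group can only be enforced when the complete membership is known.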


QUESTION NO: 104
You are the network administrator for TestKing, a company with six offices. The network consists of a single Active Directory domain named testking.com. Each office has users who work in the sales, marketing, and production departments. All Active Directory administration is performed by the IT group. The IT group provides a help desk, a level-two support group, and an MIS group. Each office has one employee who works for the help desk group. Administrative responsibilities are listed in the following table.

Group              Role
Help desk          User account maintenance for all employees who are not management
Level-two support  User account maintenance for all employees, the help desk users, and all management users
MIS group          Service account maintenance, maintenance of domain administrator accounts, and built-in accounts in Active Directory

You need to plan an organizational unit (OU) structure that allows delegation of administration. Your plan must ensure that permissions can be maintained by using the minimum amount of administrative effort. Which OU structure should you use?

A.

B.

C.

D.

Answer: C

Explanation:
We need to delegate the management of different groups of users. The non-management employees should be managed by the help desk staff. All employees (including management and help desk staff) should be managed by the level-two support staff. The MIS group needs to manage every other account. The solution is to delegate the management of user accounts at the domain level to the MIS group, delegate the management of user accounts in the Employees OU to the help desk staff, and delegate the management of user accounts in the Corp OU to the second-level support staff.

QUESTION NO: 105
You are the network administrator for TestKing. TestKing has three offices. The network consists of a single Active Directory domain with three sites. Each office is configured as a separate site. TestKing opens a new branch office in Montreal that has 10 users. This office does not contain a domain controller. The Montreal office has WAN connections to two of the existing offices. A router is installed at each of the four offices to route network traffic across the WAN connections. The network after the addition of the Montreal office is shown in the exhibit.

You need to ensure that when the users in the Montreal office log on to the domain during normal operations, they will be authenticated by a domain controller in TestKing Site2. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Create a new IP subnet object that includes the subnet used in the Montreal Office. Link the new subnet object to the TestKing Site2 site object.

B. Create a new IP subnet object that includes the subnet used in the Montreal Office. Link the new subnet object to the TestKing Site3 site object.

C. Create an additional site for the Montreal Office. Configure a site link to TestKing Site3 with a cost of 300. Configure a site link to TestKing Site2 with a cost of 200.

D. Create an additional site for the Montreal Office. Configure a site link to TestKing Site2 with a cost of 300. Configure a site link to TestKing Site3 with a cost of 200.

E. Assign IP addresses to the client computers in the Montreal Office that are on the same IP subnet as the network at Site2.

Answer: A, C

Explanation:
If we create a new subnet object for the Montreal office and link it to the TestKing Site2 site object, all computers in that subnet are treated as members of that site and will log on to a domain controller in TestKing Site2. If we instead create a new site for Montreal and configure a site link to TestKing Site3 with a cost of 300 and a site link to TestKing Site2 with a cost of 200, user logons will go over the site link with the lowest cost.

Setting Site Link Properties
Intersite replication occurs according to the properties of the connection objects. When the KCC creates connection objects it derives the replication schedule from properties of the site link objects. Each site link object represents the WAN connection between two or more sites. Setting site link object properties includes the following steps:
• Determining the cost that is associated with that replication path. The KCC uses cost to determine the least expensive route for replication between two sites that replicate the same directory partition.
• Determining the schedule that defines the times during which intersite replication can occur.
• Determining the replication interval that defines how frequently replication should occur during the times when replication is allowed as defined in the schedule.

Reference: MS Windows Server 2003 Deployment Kit, Designing and Deploying Directory and Security Services, Setting Site Link Properties

QUESTION NO: 106 You are the network administrator for Acme. Acme consists of two subsidiaries named TestKing and Fabrikam, Inc. The network consists of a single Active Directory forest that contains three domains. The domain and site configuration is shown in the exhibit.

A computer named DC1.spain.testking.com is a domain controller in the spain.testking.com domain. DC1.spain.testking.com is also a global catalog server and the preferred bridgehead server for SpainSite. The Active Directory database on DC1.spain.testking.com contains 1 GB of data. The Spain departments in TestKing are implementing an Active Directory-enabled application. You expect the size of the database on DC1.spain.testking.com to increase by 200 MB. Active Directory stops responding on DC1.spain.testking.com. You discover that the hard disk has less than 5 MB of space remaining. You need to configure DC1.spain.testking.com so that Active Directory can restart. You also need to configure the server so that additional space is available on the hard disk for the additional data that will be added to the Active Directory database. What should you do?

A. Delete all log files that are located in the NTDS folder.

B. Install another hard disk in DC1.spain.testking.com. Use the Ntdsutil utility to move the database to the new hard disk.

C. Install another hard disk in DC1.spain.testking.com. Use the Ntdsutil utility to move the transaction logs to the new hard disk.

D. Configure another server in the site to operate as a preferred bridgehead server. Configure DC1.spain.testking.com so that it no longer operates as a preferred bridgehead server.

Answer: B

Explanation:
You will need to use the NTDSUTIL command with the 'files' switch. To perform this operation you will need to restart the DC in Directory Services Restore Mode. This operation cannot be performed in normal mode, because the database and log files are in use.

Ntdsutil
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use Ntdsutil.exe to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.

Files
Provides commands for managing the directory service data and log files. The data file is called Ntds.dit. At the files: prompt, type any of the parameters listed under Syntax.

Syntax
{compact to %s | header | info | integrity | move DB to %s | move logs to %s | recover | set path backup %s | set path db %s | set path logs %s | set path working dir %s}

Parameters

compact to %s (where %s identifies an empty target directory)
Invokes Esentutl.exe to compact the existing data file and writes the compacted file to the specified directory. The directory can be remote, that is, mapped by means of the net use command or similar means. After compaction is complete, archive the old data file, and move the newly compacted file back to the original location of the data file. ESENT supports online compaction, but this compaction only rearranges pages within the data file and does not release space back to the file system. (The directory service invokes online compaction regularly.)

header
Writes the header of the Ntds.dit data file to the screen. This command can help support personnel analyze database problems.

info
Analyzes and reports the free space for the disks that are installed in the system, reads the registry, and then reports the sizes of the data and log files. (The directory service maintains the registry, which identifies the location of the data files, log files, and directory service working directory.)

integrity
Invokes Esentutl.exe to perform an integrity check on the data file, which can detect any kind of low-level database corruption. It reads every byte of your data file; thus it can take a long time to process large databases. Note that you should always run recover before performing an integrity check.

move DB to %s (where %s identifies a target directory)
Moves the Ntds.dit data file to the new directory specified by %s and updates the registry so that, upon system restart, the directory service uses the new location.

move logs to %s (where %s identifies a target directory)
Moves the directory service log files to the new directory specified by %s and updates the registry so that, upon system restart, the directory service uses the new location.

recover
Invokes Esentutl.exe to perform a soft recovery of the database. Soft recovery scans the log files and ensures all committed transactions therein are also reflected in the data file. The Windows 2000 Backup program truncates the log files appropriately. Logs are used to ensure committed transactions are not lost if your system fails or if you have unexpected power loss. In essence, transaction data is written first to a log file and then to the data file. When you restart after failure, you can rerun the log to reproduce the transactions that were committed but hadn't made it to the data file.

set path backup %s (where %s identifies a target directory)
Sets the disk-to-disk backup target to the directory specified by %s. The directory service can be configured to perform an online disk-to-disk backup at scheduled intervals.

set path db %s (where %s identifies a target directory)
Updates the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of normal restoration procedures.

set path logs %s (where %s identifies a target directory)
Updates the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of normal restoration procedures.

set path working dir %s (where %s identifies a target directory)
Sets the part of the registry that identifies the directory service's working directory to the directory specified by %s.

%s
An alphanumeric variable, such as a domain or domain controller name.

quit
Takes you back to the previous menu or exits the utility.

? or help
Displays help at the command prompt.

Reference: SERVER HELP

QUESTION NO: 107
You are the network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003.

You add eight servers for a new application. You create an organizational unit (OU) named Application to hold the servers and other resources for the application. Users and groups in the domain will need varied permissions on the application servers. The members of a global group named Server Access Team need to be able to grant access to the servers. The Server Access Team group does not need to be able to perform any other tasks on the servers. You need to allow the Server Access Team group to grant permissions for the application servers without granting the Server Access Team group unnecessary permissions. What should you do?

A. Create a Group Policy object (GPO) for restricted groups. Configure the GPO to make the Server Access Team group a member of the Power Users group on each application server. Link the GPO to the Application OU.

B. Grant the Server Access Team group permissions to modify computer objects in the Application OU.

C. Move the Server Access Team group object into the Application OU.

D. Create domain local groups that grant access to the application servers. Grant the Server Access Team group permissions to modify the membership of the domain local groups.

Answer: D

Explanation:
The simplest way to do this is to create domain local groups with various permissions to the application servers. For example, one group has read access, another group has read and write access and so on. We can then use the Delegation of Control Wizard to grant the right to add or remove members of the groups.

Incorrect Answers:
A: The Power Users group can perform many administrative tasks on the servers. This is more permission than necessary.
B: They don't need to modify the computer objects. This is more permission than necessary.
C: This won't give them the required permissions.

QUESTION NO: 108
You are the network administrator at Acme Inc. The network consists of a single Active Directory forest that contains a single domain named acme.com. The functional level of the forest is Windows Server 2003. Acme purchased a company named TestKing. The TestKing network consists of one Windows NT 4.0 account domain and two Windows NT 4.0 resource domains, as shown in the exhibit.

All file resources are stored on file servers in the acme.com domain and in the TESTKINGSOURCE1 domain. You need to accomplish the following goals:

• You need to minimize the number of trust relationships that must be maintained in the network environment.

• Users in each company must be able to access the file resources on the file servers in the other company’s domain.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Create a one-way external trust relationship in which the TESTKINGSOURCE1 domain trusts the acme.com domain.

B. Create a one-way external trust relationship in which the acme.com domain trusts the TESTKINGSOURCE1 domain.

C. Create a one-way external trust relationship in which the acme.com domain trusts the TESTKINGACCOUNT domain.

D. Create a one-way external trust relationship in which the TESTKINGACCOUNT domain trusts the acme.com domain.

Answer: A, C

Explanation:
For users in the acme.com domain to access resources in the TESTKINGSOURCE1 domain, the TESTKINGSOURCE1 domain needs to trust the acme.com domain. For users in the TESTKINGACCOUNT domain to access resources in the acme.com domain, the acme.com domain needs to trust the TESTKINGACCOUNT domain.
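The trust-direction rule in the explanation above, worked as an added example. This is Python written for this page, not TestKing's or Microsoft's code. It assumes the NT 4.0 master-domain layout the question implies, in which the TESTKINGSOURCE1 resource domain already trusts the TESTKINGACCOUNT account domain; the domain names come from the question, and the requirement pairs are constructed from its two stated goals. The search enumerates the four candidate trusts from smallest subset upward, so the first hit is also the minimum number of trusts to maintain.

```python
from itertools import combinations
from typing import List, Set, Tuple

# A one-way external trust written as (trusting domain, trusted domain):
# accounts from the trusted domain can be granted access to resources in
# the trusting domain, never the other way round.
Trust = Tuple[str, str]


def can_access(trusts: Set[Trust], user_domain: str, resource_domain: str) -> bool:
    """Can accounts from user_domain be granted access in resource_domain?

    Access within one domain needs no trust. Across domains the resource
    domain must trust the account domain. External trusts are not
    transitive, so only a direct trust counts.
    """
    if user_domain == resource_domain:
        return True
    return (resource_domain, user_domain) in trusts


def minimal_trust_sets(candidates: List[Trust], existing: Set[Trust],
                       requirements: List[Tuple[str, str]]) -> List[Set[Trust]]:
    """Smallest subsets of candidate trusts that, together with the trusts
    already in place, satisfy every (user domain, resource domain) pair."""
    for size in range(len(candidates) + 1):
        solutions = []
        for combo in combinations(candidates, size):
            trusts = existing | set(combo)
            if all(can_access(trusts, u, r) for u, r in requirements):
                solutions.append(set(combo))
        if solutions:
            return solutions  # first non-empty size is the minimum
    return []


# Constructed model of Question 108.
ACME, ACCOUNT, SOURCE1 = "acme.com", "TESTKINGACCOUNT", "TESTKINGSOURCE1"
OPTIONS = {
    "A": (SOURCE1, ACME),   # TESTKINGSOURCE1 trusts acme.com
    "B": (ACME, SOURCE1),   # acme.com trusts TESTKINGSOURCE1
    "C": (ACME, ACCOUNT),   # acme.com trusts TESTKINGACCOUNT
    "D": (ACCOUNT, ACME),   # TESTKINGACCOUNT trusts acme.com
}
# Assumption: in the NT 4.0 master-domain model the resource domain already
# trusts the account domain, so TestKing users reach their own file servers.
EXISTING: Set[Trust] = {(SOURCE1, ACCOUNT)}
# Users live in acme.com and TESTKINGACCOUNT; file servers are in acme.com
# and TESTKINGSOURCE1. Each company must reach the other company's servers.
REQUIREMENTS = [(ACME, SOURCE1), (ACCOUNT, ACME)]


def answer_letters() -> List[str]:
    """Option letters of the smallest trust set meeting the requirements."""
    sets = minimal_trust_sets(list(OPTIONS.values()), EXISTING, REQUIREMENTS)
    if len(sets) != 1:
        raise RuntimeError("expected exactly one minimal solution")
    return sorted(k for k, v in OPTIONS.items() if v in sets[0])


if __name__ == "__main__":
    print("minimal trusts:", answer_letters())
```

Reversing either trust (options B or D) leaves one of the two requirement pairs unsatisfied, which is exactly the direction error the question is testing.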

QUESTION NO: 109 You are a network administrator for Acme. Acme consists of two subsidiaries named Litware Inc., and TestKing GmBh. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest contains a forest root domain named litwareinc.com and an additional domain tree named testking.com, which contains two child domains. All domain controllers run Windows Server 2003. The Directory Services object is configured with the default property settings. The forest contains 250,000 objects that are changed frequently. You need to be able to restore objects in one of the child domains in the testking.com domain tree from a three-month-old backup. You need to make a change to a Directory Services property on a domain controller in one of the domains in order to achieve this goal. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Run the netdom command on a domain controller in testking.com.
B. Use the Ntdsutil utility on a domain controller in litwareinc.com.
C. Use the ADSIEdit utility on a domain controller in testking.com.
D. Run the ldp command on a domain controller in litwareinc.com.

Answer: C, D

Explanation:
We need to edit a property of Active Directory. We need to use a low-level editor to do this.

AdsiEdit. A Microsoft Management Console (MMC) snap-in that acts as a low-level editor for the Active Directory service. Through the Active Directory Services Interfaces (ADSI), it provides a means to add, delete, and move objects within the Directory Services. The attributes of each object can be viewed, changed, and deleted.

Ldp. A graphical tool that allows users to perform Lightweight Directory Access Protocol (LDAP) operations, such as connect, bind, search, modify, add, and delete, against any LDAP-compatible directory, such as Active Directory. LDAP is an Internet-standard wire protocol used by Active Directory.

Reference: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q216/9/93.ASP&NoWebContent=1
Backup of the Active Directory Has 60-Day Useful Life, MS KB article 216993

Use the Active Directory editing tool of your choice so that the "tombstoneLifetime" attribute is set to be older than the backup used to restore the Active Directory. Supported tools include Adsiedit.msc, Ldp.exe, and ADSI Scripts. LDP provides an interface to perform LDAP operations against Active Directory.

ADSI Edit you can use to edit objects in the Active Directory database.

QUESTION NO: 110 You are the network administrator for TestKing, a company that has three offices. The offices are in Boston, Chicago, and New York. All three offices are connected by leased lines as shown in the exhibit.

TestKing is deploying a Windows Server 2003 forest. You create a single Active Directory domain named testking.com. You configure each office as a single site. You configure three domain controllers in NYSite. You create a domain controller in each of the other sites. You create site links based on the network topology. Each leased line is represented by a site link. Each site link connects only two sites. The cost and the schedule for all site links is the same. The sites and site links are named as shown in the following table.

Site link name   Linked site   Linked site
NYBoston         NYSite        BosSite
NYChi            NYSite        ChiSite
ChiBoston        ChiSite       BosSite

Users report that network requests between BosSite and ChiSite are taking much longer than they used to take. You discover that replication traffic is using an unacceptably large percentage of the bandwidth between BosSite and ChiSite. You need to reduce replication traffic over the ChiBoston site link. What should you do?

A. Create an SMTP-based connection object from a domain controller in NYSite to a domain controller in BosSite.
B. Increase the cost of the ChiBoston site link.
C. Create a site link bridge that includes the NYBoston and NYChi site links.
D. Increase the replication interval for the NYBoston site link.

Answer: B

Explanation:
If we increase the cost of the ChiBoston site link to a value greater than the cost of the other two links added together, then no replication will go over the ChiBoston site link; it will all travel over the NYBoston and the NYChi site links.

Setting Site Link Properties
Intersite replication occurs according to the properties of the connection objects. When the KCC creates connection objects it derives the replication schedule from properties of the site link objects. Each site link object represents the WAN connection between two or more sites. Setting site link object properties includes the following steps:
• Determining the cost that is associated with that replication path. The KCC uses cost to determine the least expensive route for replication between two sites that replicate the same directory partition.
• Determining the schedule that defines the times during which intersite replication can occur.
• Determining the replication interval that defines how frequently replication should occur during the times when replication is allowed as defined in the schedule.

Reference: MS Windows Server 2003 Deployment Kit, Designing and Deploying Directory and Security Services, Setting Site Link Properties
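The cost rule that Questions 105 and 110 both rely on (the KCC takes the least-cost route, so raising one link above the sum of the alternatives diverts replication and logon traffic away from it), worked as an added example. This is Python written for this page, not TestKing's or Microsoft's code; it models site links as weighted edges and runs Dijkstra over them. The site names and costs are constructed from the two questions (the question says all three links in Question 110 have the same cost, so a cost of 100 is assumed). It goes one step beyond the text: with "Bridge all site links" disabled, site links are not transitive, so two sites that share no site link cannot replicate at all, which is the situation behind an Event ID 1311 on a site with no link membership.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# A site link: (name, member sites, cost). Data below is constructed to
# match the site link tables in the questions above.
SiteLink = Tuple[str, List[str], int]


def cheapest_route(links: List[SiteLink], src: str, dst: str,
                   bridge_all_site_links: bool = True) -> Optional[Tuple[int, List[str]]]:
    """Least-cost replication route between two sites.

    Returns (total cost, [site link names traversed]) or None if no route
    exists. With 'Bridge all site links' on (the default), site links are
    transitive and a route may chain several links. With it off, two sites
    replicate directly only if they are members of the same site link (an
    explicit site link bridge, which restores transitivity for the links it
    contains, is not modelled here).
    """
    if src == dst:
        return 0, []
    if not bridge_all_site_links:
        direct = [(cost, [name]) for name, members, cost in links
                  if src in members and dst in members]
        return min(direct) if direct else None

    # Adjacency list: site -> [(neighbour, link cost, link name)]
    adj: Dict[str, List[Tuple[str, int, str]]] = {}
    for name, members, cost in links:
        for a in members:
            for b in members:
                if a != b:
                    adj.setdefault(a, []).append((b, cost, name))

    # Dijkstra: lowest total cost wins, as with the KCC's route selection.
    best: Dict[str, float] = {src: 0}
    heap: List[Tuple[int, str, List[str]]] = [(0, src, [])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best[site]:
            continue  # stale heap entry
        for nxt, link_cost, name in adj.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt, path + [name]))
    return None


def nearest_site_with_dc(links: List[SiteLink], client_site: str,
                         sites_with_dcs: List[str]) -> Optional[str]:
    """For a site with no domain controller, the DC-hosting site that is
    cheapest to reach; logons go over the lowest-cost site link."""
    candidates = []
    for target in sites_with_dcs:
        route = cheapest_route(links, client_site, target)
        if route is not None:
            candidates.append((route[0], target))
    return min(candidates)[1] if candidates else None


def with_cost(links: List[SiteLink], link_name: str, new_cost: int) -> List[SiteLink]:
    """Copy of links with one link's cost changed."""
    return [(n, m, new_cost if n == link_name else c) for n, m, c in links]


# Constructed data for Question 110: three sites, every link at cost 100.
Q110_LINKS: List[SiteLink] = [
    ("NYBoston", ["NYSite", "BosSite"], 100),
    ("NYChi", ["NYSite", "ChiSite"], 100),
    ("ChiBoston", ["ChiSite", "BosSite"], 100),
]
# Constructed data for Question 105: Montreal has no DC of its own.
MONTREAL_LINKS: List[SiteLink] = [
    ("Montreal-Site3", ["Montreal", "TestKing Site3"], 300),
    ("Montreal-Site2", ["Montreal", "TestKing Site2"], 200),
]
# Constructed chain: Site1 and Site3 share no site link.
CHAIN_LINKS: List[SiteLink] = [
    ("Site1-Site2", ["Site1", "Site2"], 100),
    ("Site2-Site3", ["Site2", "Site3"], 100),
]

if __name__ == "__main__":
    print(cheapest_route(Q110_LINKS, "BosSite", "ChiSite"))
    print(cheapest_route(with_cost(Q110_LINKS, "ChiBoston", 300), "BosSite", "ChiSite"))
    print(nearest_site_with_dc(MONTREAL_LINKS, "Montreal", ["TestKing Site2", "TestKing Site3"]))
    print(cheapest_route(CHAIN_LINKS, "Site1", "Site3", bridge_all_site_links=False))
    print(cheapest_route(CHAIN_LINKS, "Site1", "Site3"))
```

With the ChiBoston cost raised to 300 (above 100 + 100), the Boston-to-Chicago route switches to NYBoston then NYChi, which is the effect the answer to Question 110 describes; with all three links equal, the direct link is still the cheapest and stays in use.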

QUESTION NO: 111 You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains one root domain and one child domain. The forest also contains three separate sites, as shown in the Network Diagram exhibit.

The network is not fully routed and there is no direct physical connection between Site1 and Site3. Site links are not bridged. You discover that the domain controllers for europe.testking.com located in Site1 have additional accounts that are not on the domain controllers for europe.testking.com located in Site3. You examine the directory service log in Event Viewer on a domain controller for europe.testking.com. You discover the error message shown in the Error Message exhibit.

You need to resolve the condition that is causing this error. What should you do?

A. Add a domain controller for the europe.testking.com domain to Site2.
B. Configure a site link bridge between the site links for Site1 and Site3.
C. Configure at least one domain controller in each site to be a global catalog server.
D. Create a site link between Site1 and Site3.

Answer: B

Explanation:
We don't have a site link between Site1 and Site3. We have a site link between Site1 and Site2 and between Site2 and Site3. We have no physical connectivity between Site1 and Site3, so we should therefore create a site link bridge between the site links for Site1 and Site3. Any replication between Site1 and Site3 will then travel over the two existing site links.

One computer in any given site owns the role of creating inbound replication connection objects between bridgehead servers from other sites. This domain controller is known as the Inter-Site Topology Generator. While analyzing the Site Link and Site Link Bridge structure to determine the most cost-effective route to synchronize a naming context between two points, it may determine that a site does not have membership in any Site Link and therefore has no means to create a replication object to a bridgehead server in that site. The first site in the Active Directory (named "Default-First-Site-Name") is created automatically for the administrator. This site is a member of the default Site Link ("DEFAULTIPSITELINK"), which is also created automatically for the administrator, and is used for RPC communication over TCP/IP. If the administrator were to create two additional sites ("Site1" and "Site2" for example), the administrator must define a Site Link that the site will be a member of before they can be written to the Active Directory.

However, the administrator can open the properties of a Site Link and modify which sites reside in the Site Link. If the administrator were to remove a site from all Site Links, the KCC displays the error message listed above to indicate that a correction needs to be made to the configuration.

References: Troubleshooting Event ID 1311: Knowledge Consistency Checker, KB article 214745

Incorrect Answers:
A: This will cause excessive replication traffic between Site2 and Site3. This defeats the object of using sites to control replication traffic.
C: Global Catalog placement is not the cause of the error in this question.
D: We have no physical connectivity between Site1 and Site3.

QUESTION NO: 112
You are a network administrator for TestKing. The network consists of a single Active Directory domain with two sites. All servers run Windows Server 2003. The network is configured as shown in the Network Diagram exhibit.

You use Replication Monitor to monitor Active Directory replication. You discover that replication connections are being established as shown in the Replication Monitor exhibit.

You need to ensure that replication takes place only between defined preferred bridgehead servers. You need to accomplish this task without incurring any additional replication traffic. What should you do?

A. Configure TestKing1 and TestKing5 as additional DNS servers.
B. Configure TestKing3 and TestKing6 as additional DNS servers.
C. Configure only TestKing2 and TestKing4 as preferred bridgehead servers.
D. Configure only TestKing3 and TestKing4 as preferred bridgehead servers.

Answer: C

Explanation:
When two sites are connected by a site link, the replication system automatically creates connections between specific domain controllers in each site called bridgehead servers. In Microsoft Windows 2000, intersite replication of the directory partitions (e.g. domain, configuration, and schema) between domain controllers in different sites is performed by the domain controllers (one per directory partition) in those sites designated by the KCC as the bridgehead server. In Windows Server 2003, the KCC may designate more than one domain controller per site hosting the same directory partition as a candidate bridgehead server. The replication connections created by the KCC are randomly distributed between all candidate bridgehead servers in a site to share the replication workload. By default, the randomized selection process takes place only when new connection objects are added to the site. However, you can run Adlb.exe, a new Windows Resource Kit tool called Active Directory Load Balancing (ADLB), to rebalance the load each time a change occurs in the site topology or in the number of domain controllers in the site. In addition, ADLB can stagger schedules so that the outbound replication load for each domain controller is spread out evenly across time. Consider using ADLB to balance replication traffic between the Windows Server 2003-based domain controllers when they are replicating to more than 20 other sites hosting the same domain.

QUESTION NO: 113
You are a network administrator for TestKing. The network consists of a single Active Directory domain with two sites. The Active Directory database is backed up every evening. A network administrator in Site1 deletes an empty organizational unit (OU) named Projects. At about the same time, a network administrator in Site2 moves 20 existing user accounts into the Projects OU. Later, the administrator in Site2 discovers that the Projects OU was deleted from Active Directory. He cannot see the user accounts that he moved into the OU. You need to provide an OU named Projects and add the 20 user accounts to the Projects OU. The users' access to network resources must not be affected by this process. What should you do?

A. Perform an authoritative restore operation of the Projects OU and the user accounts on a domain controller in Site2.

B. Perform a nonauthoritative restore operation of the Projects OU and the user accounts on a domain controller in Site2.

C. Create a new OU named Projects. Create 20 new user accounts that have the same user principal name (UPN) prefix. Move the user accounts into the new Projects OU.

D. Create a new OU named Projects. Move the 20 user accounts from the LostAndFound container to the new Projects OU.

Answer: D

Explanation:
You moved the users to an OU that had just been deleted. When you move objects to an object that is no longer there, the objects get moved to the LostAndFound container. This means that we haven't lost the user accounts, so we can just re-create the Projects OU and move the users from the LostAndFound container to the new OU.

Incorrect Answers:
A: The user accounts haven't been deleted, so we don't need to restore them.
B: The user accounts haven't been deleted, so we don't need to restore them.
C: The user accounts haven't been deleted, so we don't need to recreate them. Furthermore, recreating the user accounts in this way will not work to restore the original accounts. The new accounts will be different accounts with different SIDs (Security Identifiers).

QUESTION NO: 114
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains named testking.com, usa.testking.com, and europe.testking.com. The functional level of the forest is Windows Server 2003. The help desk department is responsible for resetting passwords for all user accounts in the forest except for accounts that have administrative privileges. There is an organizational unit (OU) named Corp_Users in each domain that contains the user accounts in that domain. All of the user accounts that have administrative privileges are in the default Users container in each domain. There is a universal group named HD_Users in the testking.com domain. All user accounts for the help desk department users are members of the HD_Users group. You need to delegate the required authority for resetting passwords to the users in the help desk department. For which Active Directory component or components should you delegate control? To answer, select the appropriate component or components in the work area.

Answer: Select the Corp_Users OU in each domain.

Explanation:
We need to delegate the required authority for resetting passwords for the Corp_Users OU to the HD_Users universal group. The Corp_Users OU in each domain contains the users that the help desk staff need to reset passwords for. The HD_Users universal group contains the help desk staff and is visible to all domains in the forest.

QUESTION NO: 115
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. TestKing's written security policy requires the following account policies:

• User accounts must be automatically locked out in the event of three consecutive failed logon attempts within a 30-minute period.

• Manual administrative action must be required to unlock a user account.

You need to configure the account policies for the domain to comply with the security requirements. What should you do? To answer, drag the appropriate account policy setting or settings to the correct location or locations in the work area.

Answer:

Account lockout duration
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.

Account lockout threshold
This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.

Reset account lockout counter after
This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.
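How the three settings interact, as an added example that is not from the TestKing guide or from Microsoft: a small Python model of the lockout counter (a hypothetical model, not the Windows implementation) that applies the policy the question asks for (threshold 3, counter reset after 30 minutes, duration 0 so that only an administrator can unlock) and also enforces the rule that a non-zero duration must be at least the reset window.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """The three account-lockout settings; attempts and minutes as in the policy.

    threshold == 0     -> accounts are never locked out
    duration_min == 0  -> locked until an administrator unlocks the account
    """
    threshold: int
    reset_after_min: int
    duration_min: int

    def __post_init__(self) -> None:
        # A timed duration must be >= the reset window when a threshold is set;
        # duration 0 is the special "until admin unlocks" case and is exempt.
        if self.threshold and self.duration_min and self.duration_min < self.reset_after_min:
            raise ValueError("lockout duration must be >= reset counter window")


@dataclass
class AccountState:
    bad_count: int = 0
    last_failure: Optional[float] = None   # minutes since epoch of the model
    locked_at: Optional[float] = None      # None = not locked


class LockoutTracker:
    """Hypothetical model of the lockout counter; all timestamps are in minutes."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True                      # manual administrative unlock required
        if now - st.locked_at < self.policy.duration_min:
            return True
        # Timed lockout has expired: unlock and start a fresh counter.
        st.locked_at = None
        st.bad_count = 0
        st.last_failure = None
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Register a bad password; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        st = self._state(user)
        if self.policy.threshold == 0:
            return False                     # lockout disabled by policy
        # Reset the counter if the previous failure is older than the reset window.
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_after_min:
            st.bad_count = 0
        st.bad_count += 1
        st.last_failure = now
        if st.bad_count >= self.policy.threshold:
            st.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Correct password presented; returns False if the logon is refused."""
        if self.is_locked(user, now):
            return False
        st = self._state(user)
        st.bad_count = 0
        st.last_failure = None
        return True

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    # Constructed scenario matching the policy in the question (user name made up).
    tracker = LockoutTracker(LockoutPolicy(threshold=3, reset_after_min=30, duration_min=0))
    for t in (0, 10, 20):
        print("bad logon at minute", t, "-> locked:", tracker.record_failure("hr_user", t))
    print("still locked hours later:", tracker.is_locked("hr_user", 600))
    tracker.admin_unlock("hr_user")
    print("logon after admin unlock:", tracker.record_success("hr_user", 601))
```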


The available range is 1 minute to 99,999 minutes. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.

QUESTION NO: 116
You are the network administrator for TestKing. TestKing consists of a single Active Directory domain named testking.com. TestKing has a main office and a branch office. The domain contains four domain controllers. Two domain controllers are located in the main office, and two domain controllers are located in the branch office. You create a Group Policy object (GPO) named WPSoft and link it to the domain. You configure WPSoft to assign a word processing application to the User Configuration section of the GPO. Users in the branch office report that the application is not available to use. Users in the main office report that they can use the application. You need to ensure that the users at the branch office receive the word processing application. What should you do?

A. Synchronize the Netlogon shared folder on both domain controllers in the branch office.
B. Force replication between the domain controllers in the main office and the branch office.
C. Run the gpresult command on the client computers in the branch office.
D. Run the gpotool command on a client computer in the branch office.

Answer: B

Explanation:
We have created a GPO and linked it to the domain. The domain controllers will receive the new group policy at the next replication interval. Alternatively, we can force replication between the domain controllers in the main office and the branch office by running the gpupdate /force command.

Incorrect Answers:
A: We need to initiate AD replication between the main office and the branch office.
C: This will have no effect as the domain controllers in the branch office haven’t received the new GPO yet.
D: This will have no effect as the domain controllers in the branch office haven’t received the new GPO yet.

QUESTION NO: 117
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com that contains two domain controllers. Both domain controllers run Windows Server 2003. All client computers run Windows XP Professional. The only account in the Domain Admins security group is the Administrator account in the domain. Each night, a full backup is made of the hard disks in each domain controller. You disable the local Administrator account in the Default Domain Policy Group Policy object (GPO). You discover that you are no longer able to log on to either domain controller as the Administrator from the domain. You need to ensure that you can log on to both domain controllers as the Administrator from the domain. What should you do?

A. Restart one domain controller in Safe Mode. Log on as Administrator. Create an account for a second administrator. Restart the domain controller and use the new account to remove the restrictions on the local Administrator accounts.

B. Restore the entire hard disk on one domain controller by using the last nightly backup before the change was made. Restart the domain controller. Allow time for Active Directory replication to complete.

C. Restart one domain controller and use a Windows Server 2003 CD to run the Recovery Console. Stop the GPC service. Restart the domain controller.

D. Restart one domain controller in Directory Services Restore Mode. Perform an authoritative restore operation of the Domain Controllers OU in Active Directory from the last nightly backup before the change was made. Restart the domain controller.

Answer: A

Explanation:
The default domain group policy object is disabling the Administrator accounts. When you restart a domain controller in safe mode, the group policy doesn’t apply, so the administrator account isn’t disabled. You need to start the computer in Safe Mode with Networking. This will enable you to access Active Directory Users and Computers. You can’t modify existing objects, but you can create a new administrative account. Then you can reboot in normal mode, log on using the new administrative account, and use that account to remove the restrictions on the local Administrator accounts.

Incorrect Answers:
B: It is not necessary to restore the entire hard disk. Furthermore, this won’t work, because the GPO would replicate to the restored server and you’d be back to square one.
C:
D: The default domain group policy would still apply to the restored domain controller objects, so the administrator account will be disabled.

QUESTION NO: 118
You are the network administrator for TestKing. Your network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. You use Group Policy objects (GPOs) to distribute software. TestKing uses two different applications to view graphics. Users are allowed to choose which program they will use based on the features and formats they require. Only the users are allowed to decide which of these two applications will be installed. You need to configure the GPOs to install either graphics application based on the user’s choice. What should you do?

A. Publish both applications with file extension activation.
B. Publish both applications without file extension activation.
C. Assign both applications to install on demand.
D. Assign both applications to complete a full installation.

Answer: B

Explanation:
You can publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install.

Incorrect Answers:
A: Only one application will install when a file is opened. The users won’t have the choice.
C: The applications should be published, not assigned.
D: This doesn’t make sense.

QUESTION NO: 119
You are the network administrator for TestKing. TestKing consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computer accounts for the client computers are located in an organizational unit (OU) named Computer Accounts. All user accounts are located in an OU named User Accounts.


Software Update Services (SUS) is installed on your network. The SUS infrastructure is shown in the exhibit.

Updates that are deployed must not cause any conflicts or errors on the client computers. You need to configure the client computers to download approved updates from the correct server. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Create a Group Policy object (GPO) to set the default package location to be the internal interface of the firewall.
B. Create a Group Policy object (GPO) to set the default package location to be the child SUS server.
C. Create a Group Policy object (GPO) to set the update service location to be the child SUS server.
D. Create a Group Policy object (GPO) to set the update service location to be the Microsoft Windows Update server.
E. Link the Group Policy object (GPO) to the User Accounts OU.
F. Link the Group Policy object (GPO) to the Computer Accounts OU.

Answer: C, F

Explanation:
You will need to specify the child SUS server and to link the policy to the Computer Accounts OU. Only approved updates can be downloaded and installed from the child SUS server.


QUESTION NO: 120 You are the systems engineer for TestKing, Ltd. The company is in the process of migrating from a Windows NT 4.0 domain-based network to a Windows Server 2003 Active Directory domain-based network. The company currently has the DNS domain name testking.com registered for use for the company Web site and e-mail addresses. The testking.com domain namespace is currently hosted on DNS servers that are owned by the company’s ISP. A firewall separates the publicly accessible network from the internal company network. Company IT policy for the new directory services infrastructure includes the following requirements:

• All Active Directory data must be isolated from external users.

• The internal DNS namespace must be isolated from external users.


You install a Windows Server 2003 computer on the internal network, and you install the DNS Server service on the server. You need to plan the new namespace design for TestKing. Your plan must comply with the company IT policy. What should you do?

A. Create a primary zone named ad.Testking.com on the internal DNS server.
B. Create a secondary zone named Testking.com on the internal DNS server.
C. Create a stub zone named ad.Testking.com on the internal DNS server.
D. Create a delegation record on the ISP’s DNS server for the internal DNS server.
E. Configure zone transfers between the ISP’s DNS server and the internal DNS server.

Answer: A

Explanation:
We need a primary zone on the internal DNS server for the Active Directory. The only answer listed that gives a primary zone as an option is answer A.

Incorrect Answers:
B: This would enable us to resolve host addresses in the testking.com domain quicker than going through the internet DNS hierarchy, but it’s not necessary and doesn’t address the requirements set out in the question.
C: We need a primary zone on the internal DNS server for the Active Directory, not a stub zone.
D: This isn’t necessary. No external DNS server needs to know about the internal zone.
E: This would enable us to resolve host addresses in the testking.com domain quicker than going through the internet DNS hierarchy, but it’s not necessary and doesn’t address the requirements set out in the question.

QUESTION NO: 121
You are the network administrator for TestKing. All Web servers on the network run Windows 2000 Server. The Web servers run several applications, including a collaborative Web-based application that uses ASP.NET and Web Distributed Authoring and Versioning (WebDAV). You plan to migrate the Web servers to Windows Server 2003. You use the Configure Your Server Wizard to configure a Windows Server 2003 computer as an application server, and you enable ASP.NET in the process. You install the Web-based application on the server. Users now report that when they attempt to access the collaborative Web-based application, they receive the error message shown in the exhibit.


You need to enable the collaborative Web-based application to function on Windows Server 2003 while maintaining Web server security. What should you do?

A. Use IIS Manager to disable anonymous access.
B. Use IIS Manager to allow the WebDAV Web service extension and to allow Httpext.dll.
C. Use IIS Manager to grant the users of the Web-based application permissions for the default Web site.
D. Use IIS Manager to allow the Active Server Pages Web service extension and to allow Asp.dll.

Answer: D

Explanation:
By default, when Internet Information Services (IIS) is installed on any version of the Microsoft Windows Server 2003 family, IIS only serves static content (HTML). When you request dynamic content, such as Active Server Pages (ASP) or ASP.NET pages, you receive one of the following error messages:

HTTP Error 404 - File Not Found
-or-
HTTP Error 404 - File or Directory not found

To permit IIS to serve other types of content, the administrator must unlock this content in the Web service extensions node in the IIS management console. To do this, either enable a pre-existing Web service extension or add a new Web service extension.

Incorrect Answers:
A: This is not a permissions problem. You can run ASP content with anonymous access enabled if you want to.


B: WebDAV is used to access files over HTTP. It is not required to run ASP content.
C: This is not a permissions problem. A permissions problem would return a different error message.

QUESTION NO: 122
You are the network administrator for TestKing. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computers are connected to the network by using a wireless access point. You configure a certification authority (CA). You require certificate-based IEEE 802.1x authentication on the wireless access point. You need to enable all computers to communicate on the wireless network. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Enter a 128-bit Wired Equivalent Privacy (WEP) key on the wireless access point and on the computers.
B. In the Wireless Network Connection properties on each computer, select the The key is provided for me automatically check box.
C. Temporarily connect each computer to an available Ethernet port on the wireless access point and install a computer certificate.
D. Install a computer certificate on each computer by using a floppy disk.

Answer: A, B

Server Setup part: (screenshots)


Client Part: Enabling Wireless Zero Configuration in Windows XP (screenshot)


802.1x enabled for your wireless client (screenshot).

Setting Up Your Computer for Wireless Networking
Wireless networking is integrated into Windows XP and can be set up quickly with the Windows XP automatic networking setup. All you need is an 802.11b wireless adapter installed on the mobile device and an operating 802.11b standard wireless network.

Connecting to the Network
Windows XP automatically polls the area for available wireless access points. If one is present, Windows XP attempts to connect to it. Sometimes you will find that even though there is a wireless network in the area, Windows XP cannot recognize it.

Installing Computer and User Certificates on Wireless Client Computers
For user authentication with EAP-TLS, configure either user certificates or smart card authentication. Certificates can reside either in the certificate store on your computer or on a smart card. A smart card is a credit-card-sized device that is inserted into a smart card reader. The smart card reader is installed internally in your computer or connected externally to your computer.


• For smart card authentication, use the Smart Card Enrollment station to permit you, the administrator, to act on behalf of a user, and to request and to install a Smart Card Logon certificate or Smart Card User certificate on the user's smart card. Then, issue smart cards to the users.

• For user certificate-based authentication, the computer must request a user certificate from a Windows Server 2003 CA on the internal network. If you configured the domain to automatically allocate certificates to computers that are connected to the domain, you can connect the client computer to the domain by using a wired connection and a computer certificate is automatically issued.

Reference:
HOW TO: Enable Windows XP Automatic Wireless Network Configuration, KB article 314897
HOW TO: Support Wireless Connections That Use EAP-TLS Authentication in Windows Server 2003, KB article 816589

QUESTION NO: 123
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers and servers run Windows Server 2003. Client computers in the human resources department run Windows XP Professional. Employees in the human resources department use the human resources client computers to transmit confidential data to the file servers. The network also contains kiosk computers. The kiosk computers are used by temporary employees to transmit data to file servers. The kiosk computers run Windows XP Professional. TestKing’s written security policy requires that all data transmissions from the kiosk computers must be able to be monitored by using a protocol analyzer. You need to ensure that the confidential data transmissions to and from the human resources client computers remain confidential. You also need to ensure that you can detect any alterations in the data transmissions made by any computer. You need to comply with the written security policy. What should you do?

A. Use IPSec encryption on both the human resources client computers and the kiosk computers.
B. Use IPSec encryption on the human resources client computers and IPSec integrity on the kiosk computers.
C. Use IPSec integrity on the human resources client computers and IPSec encryption on the kiosk computers.


D. Use IPSec integrity on both the human resources client computers and the kiosk computers.

Answer: B

Explanation:
We want to monitor IPSec traffic. We can not use ESP because it encrypts the IP header. If you need to diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPSec policy on both computers. We need to use AH so that we can monitor network traffic and preserve the integrity of messages. Using both AH and ESP is the only way to both protect the IP header and encrypt the data. However, this level of protection is rarely used because of the increased overhead that AH would incur for packets that are already adequately protected by ESP. ESP protects everything but the IP header, and modifying the IP header does not provide a valuable target for attackers. Generally, the only valuable information in the header is the addresses, and these cannot be spoofed effectively because ESP guarantees data origin authentication for the packets.

Protocol / Requirement / Usage:

AH
Requirement: The data and the header need to be protected from modification and authenticated, but remain readable.
Usage: Use for data integrity in situations where data is not secret but must be authenticated, for example where access is enforced by IPSec to trusted computers only, or where network intrusion detection, QoS, or firewall filtering requires traffic inspection.

ESP
Requirement: Only the data needs to be protected by encryption so it is unreadable, but the IP addressing can be left unprotected.
Usage: Use when data must be kept secret, such as file sharing, database traffic, RADIUS protocol data, or internal Web applications that have not been adequately secured by SSL.

Both AH and ESP
Requirement: The header and data, respectively, need to be protected while data is encrypted.
Usage: Use for the highest security. However, there are very few circumstances in which the packet must be so strongly protected. When possible, use ESP alone instead.

Reference: Server help

QUESTION NO: 124
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains Windows Server 2003 computers and Windows XP Professional computers. The network also contains UNIX servers and UNIX client computers. Many users share files on their client computers with other users. All client computers also access shared resources on both the Windows Server 2003 computers and the UNIX servers, which use a third-party Server Message Block (SMB) server product. The written security policy for TestKing requires that SMB packet signing must be used whenever possible. You need to edit the Computer Configuration section of the Default Domain Policy Group Policy object (GPO) to ensure that all computers in the domain meet the written security policy requirement. Which two security settings should you enable? To answer, select the appropriate security settings in the Group Policy Object Editor Results Pane.

Answer:

Microsoft network client: Digitally sign communications (if server agrees) – Enabled
Microsoft network server: Digitally sign communications (if client agrees) – Enabled

Explanation:
All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both the client-side SMB component and server-side SMB component that are involved in a communication must have SMB packet signing either enabled or required. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:

Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.


Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.

If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. Using SMB packet signing can impose up to a 15 percent performance hit on file service transactions.

Reference: Server help, Group policies

QUESTION NO: 125
You are a network administrator for TestKing. All client computers on the network run Windows XP Professional. You administer a Windows Server 2003 file server named TestKingB. On TestKingB, you create a shared folder named SharedDocs. SharedDocs contains data files. All client computers connect to the shared folder by using a mapped drive connected to \\TestKingB\SharedDocs. TestKingB is configured to support volume shadow copies. You install the Previous Versions client software on all client computers. You perform a full normal backup of TestKingB every day, seven days per week.


You need to document the recovery process to be used if a user accidentally deletes a file from SharedDocs. The process must allow you to recover the file as quickly as possible and to minimize data loss. Which process should you use?

A. On TestKingB, restore the file from the normal backup that was performed on the day before the file was deleted. Use the advanced restore options to select the Replace existing files check box.

B. On TestKingB, restore the file from the normal backup that was performed on the day before the file was deleted. Use the advanced restore options to select the Preserve existing volume mount points check box.

C. Run the volume shadow copy command-line tool to list all shadow copies. Instruct the user to open the mapped drive and use the folder view options to expose hidden files.

D. Instruct the user to open the mapped drive and navigate to the folder from which the file was deleted. In the properties for the shared folder, select the Previous Versions tab. View the most recent version and navigate until the file is located. Restore the file by copying it to its new location.

Answer: D

Note: This will only work if the deleted file was in a subfolder in the shared folder.

Explanation:
Although shadow copies are taken for an entire volume, users must use shared folders to access shadow copies. Administrators on the local server must also specify the \\servername\sharename path to access shadow copies. If you or your users want to access a previous version of a file that does not reside in a shared folder, you must first share the folder.

Designing a Shadow Copy Strategy
You can give users access to previous versions of files by enabling shadow copies, which provide point-in-time copies of files stored on file servers running Windows Server 2003. By enabling shadow copies, you can reduce the administrative burden of restoring previously backed up files for users who accidentally delete or overwrite important files. Shadow copies work for both open and closed files; therefore, shadow copies can be taken even when files are in use. Shadow copies work by making a block-level copy of any changes that have occurred to files since the last shadow copy. Only the changes are copied, not the entire file. As a result, previous versions of files do not usually take up as much disk space as the current file, although the amount of disk space used for changes can vary depending on the application that changed the file. For example, some applications rewrite the entire file when a change is made, whereas other applications append changes to the existing file. If the entire file is rewritten to disk, the shadow copy contains the entire file. Therefore, consider the type of applications in your organization, as well as the frequency and number of updates, when you determine how much disk space to allocate for shadow copies.

Important: Shadow copies do not eliminate the need to perform regular backups, nor do shadow copies protect you from media failure. In addition, shadow copies are not permanent. As new shadow copies are taken, old shadow copies are purged when the size of all shadow copies reaches a configurable maximum or when the number of shadow copies reaches 64, whichever is sooner. As a result, shadow copies might not be present for as long as users expect them to be. Be sure to consider user needs and expectations when you configure shadow copies. Shadow copies are designed for volumes that store user data, such as home directories and My Documents folders that are redirected by using Group Policy, or other shared folders where users store data. Shadow copies work with compressed or encrypted files, and they retain whatever permissions were set on the files when the shadow copies were taken. For example, if a user is denied permission to read a file, that user would not be able to restore a previous version of the file, nor would the user be able to read the file after it has been restored.

Reference: MS Windows Server 2003 Deployment Kit, Designing a Shadow Copy Strategy

QUESTION NO: 126
You are a network administrator for TestKing. TestKing is developing a new Web application that connects to an SQL back-end environment. The design team decides that the new application must be fault tolerant. You interview the Web developers and the SQL administrators to establish the size of the environment. The Web developers state that they need at least three Web servers to share the load. Each Web server requires two processors and 1 GB of RAM. The Web developers state that if one of the Web servers fails, the Web application can run for several hours in a degraded state. Responsiveness will be below specifications in a degraded state. The SQL administrators state that they need two Microsoft SQL Server computers to support the new application. They want the SQL server environment to be redundant. Each SQL Server computer requires four processors and 3 GB of RAM. The SQL administrators state that only one SQL Server computer is required to maintain the application. You need to ensure that two of the Web servers and one of the SQL Server computers are always available. You need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs.


Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Install Windows Server 2003, Web Edition on all three Web servers. Connect all three servers by using Network Load Balancing.

B. Install Windows Server 2003, Standard Edition on all three Web servers. Connect all three servers by using Network Load Balancing.

C. Install Windows Server 2003, Enterprise Edition on all three Web servers. Install a shared fiber-attached disk array for the Web servers. Implement a three-node server cluster for the Web servers. Configure the cluster so that all three nodes are active.

D. Install Windows Server 2003, Standard Edition on both SQL Server computers. Connect the SQL Server computers by using Network Load Balancing.

E. Install Windows Server 2003, Enterprise Edition on both SQL Server computers. Connect the SQL Server computers by using Network Load Balancing.

F. Install Windows Server 2003, Enterprise Edition on both SQL Server computers. Install a shared fiber-attached disk array for the SQL Server computers. Implement a two-node server cluster for the SQL servers. Configure the cluster so that one node is active and the second node is a hot standby node.

Answer: A, F

Explanation: For the web servers we can use three servers connected using Network Load Balancing. We can use Network Load Balancing because the content will be the same on the web servers. Windows Server 2003 Web Edition supports Network Load Balancing. For the SQL servers we need a two-node server cluster. For a server cluster, we need Windows Server 2003 Enterprise Edition.

Incorrect Answers:
B: Windows Server 2003 Web Edition supports Network Load Balancing. We don’t need Windows Server 2003, Standard Edition.
C: We can use Network Load Balancing because the content will be the same on the web servers. We don’t need a server cluster.
D: We can’t use Network Load Balancing for the SQL servers. Network Load Balancing should only be used when you have static content.
E: We can’t use Network Load Balancing for the SQL servers. Network Load Balancing should only be used when you have static content.

QUESTION NO: 127

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com.


You are responsible for planning the backup and recovery of all servers and services for TestKing. A Windows Server 2003 computer named TestKing4 runs the enterprise root certification authority (CA). No subordinate CAs are installed on the network. You need to create a plan to back up and restore the CA database. Your plan must ensure that the database and log files can be completely recovered in the event that the database is corrupted. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. On TestKing4, use the Certificates console to export all Trusted Root Certification Authorities certificates. On TestKing4, use the Certificates console to import the certificates to the Trusted Root Certification Authorities node.

B. On TestKing4, run the certreq command with the –submit option. On TestKing4, run the certreq command with the –retrieve option.

C. On TestKing4, use the Certification Authority snap-in to back up the CA. On TestKing4, use the Certification Authority snap-in to restore the CA.

D. On TestKing4, run the certutil command with the –backup option. On TestKing4, run the certutil command with the –restore option.

Answer: C, D

Explanation: You can back up and restore the database and keys with the certutil command-line utility:

certutil -backupDB -- Backup Certificate Services database
certutil -backupKey -- Backup Certificate Services certificate and private key
certutil -restore -- Restore Certificate Services
certutil -restoreDB -- Restore Certificate Services database
certutil -restoreKey -- Restore Certificate Services certificate and private key

Or use the GUI (the Certification Authority snap-in).


QUESTION NO: 128 You are a network administrator for TestKing. You administer a file server named TestKingSrvC. The file server stores all data files on a logical volume. You perform a full normal backup of the file server every Saturday. You perform a differential backup of the file server each day on Sunday through Friday. You perform a copy backup of the file server every Wednesday after the differential backup is complete. The copy backup is sent to an off-site facility that requires two hours for tape delivery. The logical volume fails on Friday morning. You need to restore the data that was stored on the failed volume. You need to minimize the loss of data and the time required to perform the restoration. What should you do?

A. Restore the tapes from the copy backup that was performed on Wednesday and from the differential backup that was performed on Thursday.

B. Restore the tapes from the normal backup that was performed on Saturday and from the differential backup that was performed on Thursday.


C. Restore the tapes from the normal backup that was performed on Saturday and from the differential backups that were performed on Monday through Thursday.

D. Restore the tapes from the normal backup that was performed on Saturday, from the copy backup that was performed on Wednesday, and from the differential backup that was performed on Thursday.

Answer: B

Explanation: The logical volume fails on Friday morning. The most recent backup of all the files was Wednesday’s copy backup. However, if we restored this, we would lose any new or changed data between the copy backup and Friday morning. The correct answer is to restore the normal backup that was performed on Saturday and the differential backup that was performed on Thursday. This would ensure that the restored files will be up to date as of Thursday.

Types of backup

The Backup utility supports five methods of backing up data on your computer or network.

Copy backup: A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations.

Daily backup: A daily backup copies all the files that you select that have been modified on the day the daily backup is performed. The backed-up files are not marked as having been backed up (in other words, the archive attribute is not cleared).

Differential backup: A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup.

Incremental backup: An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups, you will need to have the last normal backup set as well as all incremental backup sets to restore your data.


Normal backup: A normal backup copies all the files you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.

Backing up your data using a combination of normal backups and incremental backups requires the least amount of storage space and is the quickest backup method. However, recovering files can be time-consuming and difficult because the backup set might be stored on several disks or tapes. Backing up your data using a combination of normal backups and differential backups is more time-consuming, especially if your data changes frequently, but it is easier to restore the data because the backup set is usually stored on only a few disks or tapes.

Reference: Server Help

Incorrect Answers:
A: This would work but the copy backup is offsite. It’s quicker to use Saturday’s full backup.
C: This is more than necessary. We only need the last differential backup with the full backup.
D: This is more than necessary. We only need the last differential backup with the full backup.

QUESTION NO: 129

You are the systems engineer for Acme Inc. The network consists of a single Active Directory domain named acme.com. All servers run Windows Server 2003. The network is not currently connected to the Internet. Acme enters into a partnership with Testking. The Testking network consists of a single Active Directory domain named testking-ad.com. All servers in the testking-ad.com domain run Windows Server 2003. Testking maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named testking.com. The testking.com zone is hosted by a UNIX-based DNS server running the latest version of BIND.
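As an added example (not part of the TestKing material) for question 128's restore scenario: this Python model applies the archive-bit rules of the five backup types listed above and picks the tapes a restore needs. The file names and the week's changes are constructed sample data, and tapes_needed goes beyond the normal-plus-differential case in the question to handle incremental chains as well.

```python
"""Model of the Windows Backup utility's five backup types and the tapes a
restore needs. Sample files and the weekly schedule are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Backup:
    kind: str                   # normal, copy, daily, differential, incremental
    day: str
    seq: int                    # run order, so tapes can be replayed in sequence
    files: Dict[str, str] = field(default_factory=dict)  # name -> content captured


class Volume:
    """Files on the logical volume; every file carries an archive attribute."""

    def __init__(self) -> None:
        self.content: Dict[str, str] = {}
        self.archive: Dict[str, bool] = {}
        self.modified_on: Dict[str, str] = {}

    def write(self, name: str, data: str, day: str) -> None:
        self.content[name] = data
        self.archive[name] = True   # creating or changing a file sets the archive bit
        self.modified_on[name] = day

    def backup(self, kind: str, day: str, seq: int) -> Backup:
        if kind in ("normal", "copy"):
            chosen = list(self.content)                 # everything selected
        elif kind == "daily":
            chosen = [f for f in self.content if self.modified_on[f] == day]
        elif kind in ("differential", "incremental"):
            # archive bit set == changed since the last normal or incremental
            chosen = [f for f in self.content if self.archive[f]]
        else:
            raise ValueError(f"unknown backup type: {kind}")
        tape = Backup(kind, day, seq, {f: self.content[f] for f in chosen})
        if kind in ("normal", "incremental"):           # only these clear the bit
            for f in chosen:
                self.archive[f] = False
        return tape


def tapes_needed(backups: List[Backup]) -> List[Backup]:
    """Smallest set of tapes that restores the volume as of the last backup:
    the latest normal, every incremental after it, and the newest differential
    if it is newer than the newest incremental. Copy and daily sets never
    clear archive bits, so they are never required."""
    chain = sorted(backups, key=lambda b: b.seq)
    normals = [b for b in chain if b.kind == "normal"]
    if not normals:
        raise ValueError("no normal backup to restore from")
    last_normal = normals[-1]
    after = [b for b in chain if b.seq > last_normal.seq]
    needed = [last_normal] + [b for b in after if b.kind == "incremental"]
    differentials = [b for b in after if b.kind == "differential"]
    if differentials and differentials[-1].seq > needed[-1].seq:
        needed.append(differentials[-1])
    return needed


def restore(tapes: List[Backup]) -> Dict[str, str]:
    """Replay tapes oldest first; later captures overwrite earlier ones."""
    state: Dict[str, str] = {}
    for tape in sorted(tapes, key=lambda b: b.seq):
        state.update(tape.files)
    return state


def testking_week():
    """Question 128's schedule: normal on Saturday, differential Sunday to
    Friday, an off-site copy on Wednesday after the differential. The volume
    fails on Friday morning, before Friday's differential runs."""
    vol, jobs, seq = Volume(), [], 0

    def run(kind: str, day: str) -> None:
        nonlocal seq
        seq += 1
        jobs.append(vol.backup(kind, day, seq))

    vol.write("report.doc", "v1", "Sat")      # constructed sample data
    vol.write("budget.xls", "v1", "Sat")
    run("normal", "Sat")
    for day in ("Sun", "Mon", "Tue", "Wed", "Thu"):
        vol.write("report.doc", f"edited-{day}", day)
        if day == "Tue":
            vol.write("notes.txt", "new on Tue", day)
        run("differential", day)
        if day == "Wed":
            run("copy", day)
    return vol, jobs


if __name__ == "__main__":
    vol, jobs = testking_week()
    need = tapes_needed(jobs)
    print("restore from:", [(b.kind, b.day) for b in need])  # Sat normal, Thu differential
    print("complete:", restore(need) == vol.content)
```

Replaying Wednesday's copy plus Thursday's differential also yields the same files, which is why option A would work but only costs the off-site tape delivery; the model does not track deletions, so a file removed during the week would reappear on restore exactly as it does with real tape sets.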
Both companies require that users from each company must be able to access resources in either network. A new dedicated T1 line is established between the two offices to provide connectivity. The Active Directory project team plans to create a forest trust relationship between the two forests. Both companies’ written security policies state that resources located on the internal network must never be exposed to the Internet. The Testking written security policy also states that the internal network’s DNS namespace must never be exposed to the Internet.


You need to plan a name resolution strategy for internetwork connectivity. You need to configure both Windows Server 2003 DNS servers so that they comply with both companies’ requirements and restrictions. Your plan must provide for minimal disruption of network connectivity in both networks. What should you do?

A. Create a conditional forwarder on the acme.com DNS server to forward all requests for hosts in the testking-ad.com domain to the testking-ad.com DNS server. Create a conditional forwarder on the testking-ad.com DNS server to forward all requests for hosts in the acme.com domain to the acme.com DNS server.

B. Create a conditional forwarder on the acme.com DNS server to forward all requests for hosts in the testking-ad.com domain to the testking.com UNIX-based DNS server. Configure the testking.com UNIX-based DNS server to forward all requests for hosts in the acme.com domain to the acme.com DNS server.

C. Configure root hints on each Windows Server 2003 DNS server. Configure each Windows Server 2003 DNS server to forward requests to the testking.com UNIX-based DNS server.

D. Configure a secondary zone on the testking.com UNIX-based DNS server for each company’s domain. Configure each company’s Windows Server 2003 DNS server to allow zone transfers to only the testking.com UNIX-based DNS server.

Answer: A

Explanation: Using Conditional Forwarding to Query for Names in Other Namespaces

If your internal network does not have a private root and your users need access to other namespaces, such as a network belonging to a partner company, use conditional forwarding to enable servers to query for names in other namespaces. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name. For example, the Contoso Corporation includes two namespaces: Contoso and Trey Research. Computers in each division need access to the other namespace. In addition, computers in both divisions need access to computers in the Supplier private namespace. Before upgrading to Windows Server 2003, the Trey Research division created secondary zones to ensure that computers in both the Contoso and Trey Research namespace can resolve names in the Contoso, Trey Research, and Supplier namespaces. After upgrading to Windows Server 2003, the Trey Research division deleted its secondary zones and configured conditional forwarding instead.

QUESTION NO: 130


You are the network administrator for TestKing. TestKing’s Web site is hosted at a local ISP. TestKing needs to move the Web site from the ISP to TestKing’s perimeter network. The design team specifies that five servers will be needed to host the Web site. The five servers must balance the network load of requests from the Internet. The Web site must remain available in the event that up to three servers fail at the same time. Each server will have four processors and 4 GB of RAM. Discussions with the design team and the Web developers reveal that the site can be implemented by using either shared storage or local server storage. You need to select the proper operating system to install on each server. You need to select the proper Windows Server 2003 technology to provide fault tolerance. You need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. What should you do?

A. Install Windows Server 2003, Enterprise Edition on all five servers. Connect all five servers to a shared fiber-attached disk array. Configure the five servers as a server cluster. Configure the cluster so that all five nodes are active.

B. Install Windows Server 2003, Enterprise Edition on all five servers. Connect all five servers to a shared fiber-attached disk array. Configure the five servers as a server cluster. Configure the cluster so that three nodes are active and two nodes are hot standby nodes.

C. Install Windows Server 2003, Standard Edition on all five servers. Connect all five servers by using Network Load Balancing.

D. Install Windows Server 2003, Web Edition on all five servers. Connect all five servers by using Network Load Balancing.

Answer: C

Explanation: The question states that you need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. Windows 2003 Standard Edition supports up to 4 processors and 4 GB of RAM. If three servers fail, we will still have two servers serving the web site.

Incorrect Answers:
A: The question states that you need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. We can use Windows 2003 Standard Edition with NLB.
B: The question states that you need to select the lowest edition of Windows Server 2003 that meets the requirements in order to minimize costs. We can use Windows 2003 Standard Edition with NLB.
D: Web Edition only supports two-way symmetric multiprocessing (SMP) and 2 gigabytes (GB) of RAM.

Reference:


Overview of Windows Server 2003, Web Edition
http://www.microsoft.com/windowsserver2003/evaluation/overview/web.mspx
Overview of Windows Server 2003, Standard Edition
http://www.microsoft.com/windowsserver2003/evaluation/overview/standard.mspx
Introducing the Windows Server 2003 Family
http://www.microsoft.com/windowsserver2003/evaluation/overview/family.mspx

QUESTION NO: 131

You are the network administrator for TestKing. All servers run Windows Server 2003. TestKing has 1,000 users that need to use certificates for secure e-mail. TestKing also uses certificates for Encrypting File System (EFS) and for authentication to Web-based applications that are located in the perimeter network. TestKing is legally required to maintain access to files and e-mail messages even after employees leave TestKing. TestKing also has internal requirements stating that administrators must be able to restore lost certificate keys for network users. You need to provide a backup and recovery plan to be used in the event that users accidentally delete or lose their certificates and the associated private keys. You need to plan the steps for configuring the certification authority (CA) to issue user certificates for EFS, secure e-mail, and client authentication. Your plan must also provide all requirements for recovering private keys for user certificates. Your plan must minimize administrative effort. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. Create a key recovery agent and acquire the Key Recovery Agent certificate for the account.

B. Configure the CA with a policy module that requires the administrator to explicitly issue certificates.

C. Configure the CA to allow key archival.

D. Create a new certificate template that has the proper application policies and allows key archiving. Add the certificate template to the CA. Allow authenticated users to enroll for certificates by using the new certificate template.

E. Configure the certificate template to supersede the Domain Controller Authentication certificate template.

Answer: A, C, D

Explanation: Key archival and recovery


Windows Server 2003, Enterprise Edition can be configured to archive the private key of specific certificates when they are issued. This private key archive allows the key to be recovered at a later time if the private key is lost. This process is implemented in two separate phases: key archival and key recovery.

Key archival

The process of obtaining a certificate includes the subject locating the appropriate certificate template, gathering the information required by that template, and supplying it to a certification authority. This information normally contains information such as the subject name, public key and supported cryptographic algorithms. When key archival is configured, the subject will also provide their private key to the certification authority. The certification authority stores that private key in its database until you want to perform key recovery. By default, the private key of issued certificates is not archived. This is because the storage of the private key in multiple locations, by definition, allows more attacks against it.

Key recovery

Subjects can lose their private key in a variety of ways such as accidental deletion or deliberate misuse. An administrator may also want to recover the key of a particular subject to access data protected by that key. Key recovery can be used whenever the key archival process has stored the subject's private key. The key recovery process requires an administrator to retrieve the encrypted certificate and private key and then a key recovery agent (KRA) to submit it to the certification authority. When a correctly signed key recovery request is received, the subject's certificate and private key are provided to the requestor. The requestor would then use the key as appropriate or securely transfer the key to the subject for continued use. No recertification or rekeying is necessary, as the private key is not necessarily compromised.
Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/kyacws03.asp?frame=true#d

QUESTION NO: 132

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You need to implement the capabilities and requirements listed in the following table for the users and computers in the domain.

Type of user or computer    Capability or requirement
Domain users                Smart card logon required for all users
Security global group       Ability to issue smart cards to all domain users
Human resources servers     Certificate-based IPSec encryption required for all data transmissions
VPN servers                 L2TP required

All client computers are portable computers and need to connect to the VPN servers and to the human resources servers. You configure a public key infrastructure (PKI) to support the domain users and computers. You need to specify which type of certificate, if any, each type of user or computer requires. What should you do? To answer, drag the appropriate certificate template or templates to the correct location or locations in the work area.

Answer:


Explanation: IPSec should be enabled on the HR servers, VPN servers and the client computers. The Smart Card certificates are issued to the users, not the computers. The security group needs Enrollment Agent certificates.

Smart Card Logon

Smart card logon is integrated with the Kerberos version 5 authentication protocol implemented in Windows Server 2003. When smart card logon is enabled, the system recognizes a smart-card insertion event as an alternative to the standard Ctrl + Alt + Del secure attention sequence to initiate a logon. The user is then prompted for the smart card PIN code, which controls access to operations performed by using the private key stored on the smart card. In this system, the smart card also contains a copy of the certificate of the user (issued by an enterprise CA). This allows the user to roam within the domain. Smart cards enhance the security of your organization by allowing you to store extremely strong credentials in an easy-to-use form. Requiring a physical smart card for authentication virtually eliminates the potential for spoofing the identities of your users across a network. In addition, you can also use smart card applications in conjunction with virtual private networks and certificate mapping, and in e-commerce. For many organizations, the potential to use smart cards for logon is one of the most compelling reasons for implementing a public key infrastructure.

Enroll clients

To participate in a PKI, users, services, and computers must request and receive certificates from an issuing CA. Typically, enrollment is initiated when a requester provides unique identifying information and a newly generated public key.


The CA administrator or enrollment agent uses this unique identifying information to authenticate the identity of the requester before issuing a certificate.

Secure VPN

The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol.

Understanding Default IPSec Policies

Windows Server 2003 includes three default IPSec policies that are provided as examples only. Do not use any part of the examples as templates to edit or change when creating your own IPSec policies. Instead, design new custom IPSec policies for operational use. The example policies will be overwritten during operating system upgrades and when IPSec policies are imported (when the import files contain other definitions of the same example policies). The three default IPSec policies are as follows:

• Client (Respond Only). This default policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.

• Server (Request Security). This default policy contains two rules: the default response rule and a second rule that allows initial incoming communication to be unsecured. The second rule then negotiates security for all outbound unicast IP traffic (security is not negotiated for multicast or broadcast traffic). The filter action for the second rule allows IKE to fall back to unsecured communication when required. This policy can be combined with the Client (Respond Only) policy when you want traffic secured by IPSec when possible, yet allow unsecured communication with computers that are not IPSec-enabled. If IKE receives a response from an IPSec-enabled client, but the IKE security negotiation fails, the communication is blocked. In this case, IKE cannot fall back to unsecured communication.

• Secure Server (Require Security). This default policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.

QUESTION NO: 133


You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers on the network are members of the domain. You are planning a public key infrastructure (PKI) for TestKing. TestKing’s written security policy states that the private keys that are used to encrypt files must be archived for later recovery. You install an enterprise certification authority (CA) on a server that runs Windows Server 2003. You create a new certificate template for file encryption. You configure the certificate template so that the private key is archived. All users on the domain are issued certificates from this template. You separate the roles of key recovery agent and certificate manager. As part of the planning of the CA deployment, you want to document the procedure for how to recover a private key for a user. Which three actions should you include in your procedure?

Answer:


Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_CS_keyarch_walk.asp

QUESTION NO: 134

You are a network administrator for TestKing. TestKing participates in a joint venture with Acme. Each company’s network consists of a single Active Directory forest. The functional level of each forest is Windows 2003. A two-way forest trust relationship exists between both companies. Each company maintains its own certification authority (CA). Users are required to encrypt and digitally sign all e-mail messages relating to the joint venture that are sent between the companies. Users in the testking.com domain report that when they open e-mail messages sent by users in the acme.com domain, they receive a security warning. The warning indicates an error in the certificate used to sign the e-mail message. You examine several e-mail messages and discover the error shown in the exhibit.


You need to ensure that users in the testking.com domain receive e-mail messages without receiving any error messages. You need to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Add the computer account for the enterprise root CA in the acme.com domain to the Cert Publishers domain local group in the testking.com domain.

B. In the acme.com domain, delegate the Allow – Read userCertificate permission for contact objects to the Domain Users global group in the testking.com domain.

C. In the acme.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the testking.com domain, import the enterprise root certificate from the acme.com domain.

D. In the acme.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the testking.com domain, run the certutil command to publish the root certificate to Active Directory.

Answer: C

Explanation: We need the users in testking.com to trust the acme.com CA. We can do this by exporting the acme.com enterprise root certificate to a file, and using certutil to publish the root certificate to the testking.com Active Directory, or we can configure the testking.com CA to trust the acme.com CA. Answers C and D would work but answer C is less administrative effort.


We will need to import this certificate into the Trusted Root Certification Authorities on the testking.com CA.

QUESTION NO: 135

You are the network administrator for TestKing. The network contains a single Active Directory domain named testking.com. All computers on the network are members of the domain. TestKing has a main office and 20 branch offices. Each branch office has a connection to the main office. Only the main office has a connection to the Internet. You are planning a security update infrastructure for your network. You deploy a central Software Update Services (SUS) server at the main office and an SUS server at each branch office. The SUS server at the main office uses Windows Update to obtain security patches. You want to minimize the amount of bandwidth used on the connection to the Internet and on the connection between the offices to download security patches. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure the SUS servers at the branch offices to use Windows Update to obtain security patches.

B. Configure the SUS servers at the branch offices to use the central SUS server for updates.

C. Configure Automatic Updates on the SUS servers at the branch offices to use the central SUS server for updates.

D. Configure Automatic Updates on all computers to use the SUS server on the local network.

E. Configure Automatic Updates on all computers to use the default update service location.

Answer: B, D

Explanation: We must set up the branch office SUS servers to pick up the updates from the server in the main office. By configuring a SUS server in the main office you save network bandwidth, because the branch office servers will not need to use the internet connection. With this solution, the main office SUS server downloads the updates from Microsoft; the branch office SUS servers download the updates from the main office SUS server and the client computers download the updates from the local SUS server.

Incorrect Answers:
A: This is an unnecessary use of the internet connection.
C: You need to configure the SUS server software to download the updates, not Automatic Updates.
E: The default update service location is Microsoft. This is an unnecessary use of the internet connection.


QUESTION NO: 136 You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains two Windows Server 2003 domain controllers named TestKingA and TestKingB, which both run the DNS Server service. All of the resource servers on the network are DHCP clients, including a Windows Server 2003 file server named TestKingC. The DNS configuration consists of a primary forward lookup zone that allows dynamic updates on TestKingA and a secondary zone on TestKingB. Users report that they cannot connect to TestKingC. You discover that the IP address that is associated with the host (A) resource record for TestKingC is assigned to a test computer that is not a member of the domain. This computer is also named TestKingC. You need to configure DNS to ensure that A records resolve to the IP addresses of the computers that made the original registration. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure the Secure Only dynamic updates setting on the forward lookup zone on TestKingA.
B. Configure the None dynamic updates setting on the forward lookup zone on TestKingA.
C. Manually create A record entries for each server on TestKingA.
D. Convert the zone type on TestKingA to Active Directory-integrated.
E. Convert the zone type on TestKingB to primary.

Answer: A, D

Explanation: By configuring Secure only updates, only domain members can register their A records with DNS. The zone is currently a primary zone; we need to convert the zone to Active Directory integrated to enable “secure only” updates.

Incorrect Answers:
B: It is not necessary (or recommended) to disable dynamic updates on the zone.
C: This would only be necessary if we disabled dynamic updates on the zone.
E: You can’t have two primary zones for one domain.

QUESTION NO: 137
You are the network administrator for TestKing. TestKing is deploying a public Web server farm on Windows Server 2003 computers. This Web server farm will allow the public to view company information. The Web servers in the Web server farm will be placed in TestKing’s perimeter network, which uses a public Internet address space. TestKing wants to reduce the probability of external unauthorized users breaking into the public Web servers. You need to make the Web servers less vulnerable to attack. You also want to ensure that the public will be able to view information that is placed in TestKing’s perimeter network. What should you do?

A. Configure each Web server’s IP address to a private reserved Internet address.
B. Configure the Web servers to allow only IPSec communications.
C. Disable any unneeded services on the Web servers.
D. Disable TCP/IP filtering on all adapters in the Web servers.

Answer: C

Explanation: We should disable any unneeded services on the Web servers. This includes unneeded web services and unneeded server services. This will also ensure that no unnecessary ports are open on the servers.

Reducing the Attack Surface of the Web Server
Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server. When your Web sites and applications contain dynamic content, or you require one or more of the additional IIS components, you will need to enable additional features. However, you still want to ensure that you minimize the attack surface of the Web server.

The attack surface of the Web server is the extent to which the server is exposed to a potential attacker. However, if you reduce the attack surface of the Web server too much, you can eliminate functionality that is required by the Web sites and applications that the server hosts. You need to ensure that only the functionality that is necessary to support your Web sites and applications is enabled on the server. This ensures that the Web sites and applications will run properly on your Web server, but that the attack surface is minimized.

Incorrect Answers:
A: The public web servers need public IP addresses.
B: You can’t use IPSec on public web servers. No one would be able to access the web pages.
D: TCP/IP filtering should be enabled, not disabled.

Reference: MS Windows Server 2003 Deployment Kit
Deploying Internet Information Services (IIS) 6.0
Reducing the Attack Surface of the Web Server

QUESTION NO: 138
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You support 100 mobile users who have portable computers that run Windows NT Workstation 4.0, Windows 98, Windows 2000 Professional, Windows XP Professional, or Windows ME. TestKing’s written security policy requires that any remote access solution must provide both data integrity and data origin authentication. You need to implement a VPN-based remote access solution. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. Install certificates on all VPN client computers.
B. Install a certificate on the VPN server computer.
C. Implement L2TP-based connections on the Windows 2000 Professional computers and the Windows XP Professional computers. Implement PPTP-based connections on all other portable computers.
D. Install the L2TP/IPSec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement L2TP-based connections on all portable computers.
E. Install the L2TP/IPSec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement PPTP-based connections on all portable computers.

Answer: A, B, D

Explanation: The security of a VPN is based on the tunneling and authentication protocols that you use and the level of encryption that you apply to VPN connections. For the highest level of security, use a remote access VPN based on L2TP/IPSec with certificate-based IPSec authentication and Triple-DES for encryption. If you decide to use a PPTP-based VPN solution to reduce costs and improve manageability and interoperability, use Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) as the authentication protocol. IPSec is not natively supported on the legacy clients; the Microsoft L2TP/IPSec VPN Client adds IPSec support for VPN connections only.
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98, Windows Millennium Edition (Me), or Windows NT® Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec).

Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up Networking version 1.4 upgrade.

Windows Me with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later)

Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later)

Understanding Default IPSec Policies
Windows Server 2003 includes three default IPSec policies that are provided as examples only. Do not use any part of the examples as templates to edit or change when creating your own IPSec policies. Instead, design new custom IPSec policies for operational use. The example policies will be overwritten during operating system upgrades and when IPSec policies are imported (when the import files contain other definitions of the same example policies). The three default IPSec policies are as follows:

• Client (Respond Only). This default policy contains one rule, the default response rule. The default response rule secures communication only upon request by another computer. This policy does not attempt to negotiate security for any other traffic.

• Server (Request Security). This default policy contains two rules: the default response rule and a second rule that allows initial incoming communication to be unsecured. The second rule then negotiates security for all outbound unicast IP traffic (security is not negotiated for multicast or broadcast traffic). The filter action for the second rule allows IKE to fall back to unsecured communication when required. This policy can be combined with the Client (Respond Only) policy when you want traffic secured by IPSec when possible, yet allow unsecured communication with computers that are not IPSec-enabled. If IKE receives a response from an IPSec-enabled client, but the IKE security negotiation fails, the communication is blocked. In this case, IKE cannot fall back to unsecured communication.

• Secure Server (Require Security). This default policy has two rules: the default response rule and a rule that allows the initial inbound communication request to be unsecured, but requires that all outbound communication be secured. The filter action for the second rule does not allow IKE to fall back to unsecured communication. If the IKE security negotiation fails, the outbound traffic is discarded and the communication is blocked. This policy requires that all connections be secured with IPSec. Any clients that are not IPSec-enabled cannot establish connections.

QUESTION NO: 139
You are the network administrator for TestKing. Your network consists of a single Active Directory forest that contains a forest root domain named testking.com.com and one child domain named mombasa.testking.com.com. All domain controllers run Windows 2000 Server. The mombasa.testking.com.com domain contains one Windows Server 2003 member server named TestKing3. You attempt to promote TestKing3 to be an additional domain controller of the mombasa.testking.com.com domain. The promotion fails and you receive the error message shown in the exhibit. *****MISSING***** You need to resolve the error in order to promote TestKing3 to be an additional domain controller of the mombasa.testking.com.com domain. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Force replication between the schema master and the PDC emulator of only the testking.com.com domain.
B. Force replication between the schema master and the PDC emulator of the testking.com.com domain and the mombasa.testking.com.com domain.
C. Run the adprep /forestprep command on the schema master of the testking.com.com domain.
D. Run the adprep /domainprep command on the infrastructure master of only the testking.com.com domain.
E. Run the adprep /domainprep command on the infrastructure masters of the testking.com.com domain and the mombasa.testking.com.com domain.

Answer: C, E

Explanation: We have a Windows 2000 forest. To install a Windows 2003 Domain Controller, you need to modify the schema using the adprep command.

Adprep
Prepares Windows 2000 domains and forests for an upgrade to Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition. Among its tasks, adprep extends the schema, updates default security descriptors of selected objects, and adds new directory objects as required by some applications.

Syntax: adprep {/forestprep | /domainprep}

Parameters
/forestprep: Prepares a Windows 2000 forest for an upgrade to a Windows Server 2003 forest.
/domainprep: Prepares a Windows 2000 domain for an upgrade to a Windows Server 2003 domain.

• Adprep /forestprep must be run on the schema master.
• Adprep /domainprep must be run on each infrastructure master in each domain, and only after adprep /forestprep has been run successfully for the forest.
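Before running adprep, a practitioner normally wants to know whether /forestprep has already been applied and which domain controllers hold the schema master and infrastructure master roles. The following PowerShell script is an added example (not from the TestKing document or from Microsoft's adprep documentation) that reads the schema container's objectVersion and the fSMORoleOwner attributes through ADSI. It assumes a domain-joined machine; the version-to-release table contains the well-known schema objectVersion values, and the threshold of 30 is the Windows Server 2003 RTM schema level.

```powershell
# Added example, not from the TestKing document: report whether adprep /forestprep
# has already raised the schema to the Windows Server 2003 level, and name the
# FSMO role holders on which adprep must be run (schema master first, then the
# infrastructure master of every domain). Assumes a domain-joined host with ADSI.

function Get-AdprepReadiness {
    param([int]$RequiredSchemaVersion = 30)   # 30 = Windows Server 2003 RTM schema

    $rootDse   = [ADSI]"LDAP://RootDSE"
    $schemaNC  = [string]$rootDse.schemaNamingContext
    $defaultNC = [string]$rootDse.defaultNamingContext

    # objectVersion on the schema container is raised by adprep /forestprep
    $schema  = [ADSI]"LDAP://$schemaNC"
    $version = [int]$schema.objectVersion.Value

    # fSMORoleOwner holds the NTDS Settings DN of the role holder, e.g.
    # "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..." -> server is the 2nd RDN
    $schemaMaster = (([string]$schema.fSMORoleOwner.Value) -split ',')[1] -replace '^CN=', ''
    $infra        = [ADSI]"LDAP://CN=Infrastructure,$defaultNC"
    $infraMaster  = (([string]$infra.fSMORoleOwner.Value) -split ',')[1] -replace '^CN=', ''

    # Well-known schema versions (Windows 2000 through Windows Server 2008 R2)
    $known = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2';
                44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
    $level = 'unknown'
    if ($known.ContainsKey($version)) { $level = $known[$version] }

    [pscustomobject]@{
        SchemaVersion        = $version
        SchemaLevel          = $level
        ForestPrepDone       = ($version -ge $RequiredSchemaVersion)
        SchemaMaster         = $schemaMaster   # run "adprep /forestprep" here first
        InfrastructureMaster = $infraMaster    # then "adprep /domainprep" here, in each domain
    }
}

Get-AdprepReadiness
```

In the scenario above (all domain controllers still running Windows 2000), the script reports SchemaVersion 13 and ForestPrepDone False; a value of 30 or higher means /forestprep has completed for the forest, after which /domainprep still has to be run on the infrastructure master of each domain. The script does not check /domainprep completion itself.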

QUESTION NO: 140
You are the network administrator for Acme. Acme consists of two subsidiaries named Testking, Ltd, and Mimex. The network contains two Active Directory forests. The functional level of each domain is Windows 2000 native. All domain controllers run Windows 2000 Server. External relationships exist between domains, as shown in the exhibit.

User accounts and resources are located in the child domains. All user principal names (UPNs) in each forest comply with a standard company e-mail address. Each domain controller functions as a DNS server. All DNS zones are Active Directory-integrated zones. The testking.com and mimex.com DNS zones have no root (“.”) zone. DNS servers in each forest root DNS zone are configured with root hints to Internet root servers. You upgrade each domain controller in both forests to Windows Server 2003. You raise the functional level for each domain to Windows Server 2003. You plan to implement a smart-card authentication strategy for the entire company. You need to ensure that users are able to access resources in all domains in each forest and on the Internet. You want to accomplish this task by using the minimum amount of administrative effort. You also need to ensure that access to resources is not disrupted. Which two courses of action should you take? (Each correct answer presents part of the solution. Choose two)

A. Create a two-way external trust relationship between the two forest root domains. Raise the functional level of the forest to Windows Server 2003.

B. Raise the functional level of the forest to Windows Server 2003. Replace existing trust relationships with a two-way forest trust relationship between the two forest root domains.

C. Create root hints between DNS servers in each child domain and DNS servers in the root domain for the opposite forest.

D. Create conditional DNS forwarders between domain controllers in each root domain.

Answer: B, D

Explanation: To have a complete trust between all the testking domains and all the mimex domains, we need to create a forest trust relationship between the two forest root domains. This can only be done after the functional level of the forests has been raised to Windows Server 2003. To avoid unnecessary DNS traffic and to reach resources in either forest, we need to configure conditional forwarding in each forest: in testking.com we create a conditional forwarder for mimex.com, and in mimex.com we create a conditional forwarder for testking.com.

Raise the Forest Functional Level to Windows Server 2003
After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level to Windows Server 2003. This enables you to take advantage of all Windows Server 2003 forest-level features.

If any domains in the forest are still operating at the Windows Server 2003 interim functional level, you will be unable to raise the forest functional level to Windows Server 2003. Ensure that all domains are operating at the Windows Server 2003 functional level before you raise the forest functional level.

Enabling Windows Server 2003 Functional Levels in a Native Windows 2000 Environment
If the domains in your Windows 2000 forest include only Windows 2000 domain controllers and are in Windows 2000 native mode, deploy a Windows Server 2003–based domain controller to enable functional levels. In an environment that contains only domain controllers running Windows 2000, you can introduce a Windows Server 2003–based domain controller in one of two ways:

• By installing a new Windows Server 2003–based domain controller.
• By upgrading an existing Windows 2000 domain controller in the forest to Windows Server 2003.

Functional levels are set by default to the following levels, and they remain at these levels until they are raised manually:

• Windows 2000 native domain functional level
• Windows 2000 forest functional level

To take advantage of the Windows Server 2003 domain-level features without waiting to complete the upgrade of your Windows 2000 forest to Windows Server 2003, raise only the domain functional level to Windows Server 2003. Before you raise the domain functional level, you must upgrade all Windows 2000–based domain controllers in the domain to Windows Server 2003. After you upgrade all Windows 2000–based domain controllers in the forest to Windows Server 2003, make sure that the domain functional level of each domain is set to Windows 2000 native or higher. Then raise the forest functional level to Windows Server 2003. Raising the forest functional level to Windows Server 2003 automatically raises the functional level of all domains in the forest that are set to Windows 2000 native or higher to Windows Server 2003.

Using Conditional Forwarding to Query for Names in Other Namespaces
If your internal network does not have a private root and your users need access to other namespaces, such as a network belonging to a partner company, use conditional forwarding to enable servers to query for names in other namespaces. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name.

For example, the Contoso Corporation includes two namespaces: Contoso and Trey Research. Computers in each division need access to the other namespace. In addition, computers in both divisions need access to computers in the Supplier private namespace. Before upgrading to Windows Server 2003, the Trey Research division created secondary zones to ensure that computers in both the Contoso and Trey Research namespaces can resolve names in the Contoso, Trey Research, and Supplier namespaces. After upgrading to Windows Server 2003, the Trey Research division deleted its secondary zones and configured conditional forwarding instead.

Reference: MS Windows Server Deployment Kit

Designing and Deploying Directory and Security Services Raise the Forest Functional Level to Windows Server 2003
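Both the Question 136 answer (convert the primary zone to Active Directory-integrated and allow only secure dynamic updates) and the Question 140 answer (conditional forwarders to the other forest's namespace) can be applied from the command line with dnscmd.exe from the Windows Server 2003 Support Tools. The PowerShell script below is an added example, not from the TestKing document; the server name, zone names and forwarder addresses are placeholders (the 192.0.2.0/24 addresses are from the documentation range), and it assumes rights to administer the DNS server.

```powershell
# Added example, not from the TestKing document: apply the Q136 and Q140 DNS
# changes with dnscmd.exe. Server/zone names and addresses are placeholders.

$DnsServer   = 'TestKingA'                     # holds the standard primary zone today
$Zone        = 'testking.com'
$PartnerZone = 'mimex.com'                     # namespace in the other forest (Q140)
$PartnerDns  = @('192.0.2.10', '192.0.2.11')   # constructed: DNS servers authoritative for mimex.com

function Set-SecureDynamicUpdates {
    param([string]$Server, [string]$ZoneName)
    # 1. Convert the standard primary zone to Active Directory-integrated.
    #    "Secure only" updates are available only on AD-integrated zones.
    dnscmd $Server /ZoneResetType $ZoneName /DsPrimary
    # 2. /AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only.
    #    With 2, only computers that can authenticate (domain members) can
    #    register or overwrite A records, so the rogue test machine cannot
    #    take over TestKingC's record.
    dnscmd $Server /Config $ZoneName /AllowUpdate 2
    # 3. Show the resulting zone type and update setting for verification.
    dnscmd $Server /ZoneInfo $ZoneName | Select-String -Pattern 'Type|Update'
}

function Add-ConditionalForwarder {
    param([string]$Server, [string]$ForwardZone, [string[]]$Masters)
    # A conditional forwarder is a zone of type "forwarder": queries for names
    # under $ForwardZone go straight to $Masters instead of to the root hints.
    # PowerShell passes each array element to dnscmd as a separate argument.
    dnscmd $Server /ZoneAdd $ForwardZone /Forwarder $Masters
    dnscmd $Server /ZoneInfo $ForwardZone | Select-String -Pattern 'Type|Master'
}

Set-SecureDynamicUpdates  -Server $DnsServer -ZoneName $Zone
Add-ConditionalForwarder  -Server $DnsServer -ForwardZone $PartnerZone -Masters $PartnerDns
```

Run the forwarder step on the root-domain DNS servers of each forest, pointing at the other forest (testking.com forwards mimex.com, and mimex.com forwards testking.com), which is what answer D of Question 140 describes; no secondary zones or zone transfers between the forests are needed.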

QUESTION NO: 141
You are a systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains 20 servers that run Terminal Services. All user productivity applications are hosted on these servers. Several of these applications are legacy applications that require users to control the file system and application registry settings. Currently, Terminal Services is configured to allow administrators to remotely view and control users’ Terminal Services sessions for support and training purposes. The managers of the human resources and finance departments inform you that confidential information was compromised when administrative personnel viewed user sessions without the knowledge or permission of the users. The managers direct you to change the Terminal Services configuration to ensure that administrators can never view or control a user’s session without the user’s permission. You modify the Default Domain Policy Group Policy object (GPO) as shown in the exhibit.

You attempt to establish remote control of user’s Terminal Services session and find out that you can do so without the user’s permission. You need to configure Terminal Services to require the users’ permission before an administrator can remotely view or control the session. You need to accomplish this task as quickly as possible and by using the minimum amount of administrative effort. Your configuration must also automatically apply to any new terminal servers that are installed in the network. What should you do?

A. In the Computer Configuration section of the Default Domain Policy GPO, disable the Users can connect remotely using Terminal Services option.

B. In the Computer Configuration section of the Default Domain Policy GPO, enable the Sets rules for remote control of Terminal Services user sessions option and specify Full Control with user’s permission.

C. In the Terminal Services Configuration tool, select the Use remote control with the following settings option and select the Require user’s permission check box.

D. In the Terminal Services Configuration tool, set the Permission compatibility option to Full Security. In the connection properties, remove the Allow – Full Control permission from the Administrators group.

Answer: B

QUESTION NO: 142
You are a network administrator for TestKing. All servers run Windows Server 2003. The company uses a public key infrastructure (PKI) enabled sales application that enforces strong certificate revocation list (CRL) checking. On average, 100,000 users require access to this application. A stand-alone root certification authority (CA) is configured to issue certificates to users. Certificate Services is configured as shown in the exhibit.

Certificates you issue are valid for three years. You issue and revoke approximately 10,000 certificates per month for 12 months. After 12 months, users begin to report delays when they open the sales application. You discover that the delays occur periodically. You need to improve the performance when users open the sales application. What should you do?

A. Configure Certificate Services to publish the delta CRL daily and the base CRL monthly.
B. Configure Certificate Services to publish the base CRL to a Web server on the network. Include this location in the CRL distribution point of certificates.
C. Configure a subordinate CA. Instruct new users to enroll for certificates by using this CA.
D. Configure Certificate Services to publish the base CRL daily and the delta CRL monthly.

Answer: A

Explanation:

To configure CRL and delta CRL overlap period

1. Open Command Prompt.
2. Type:

certutil -setreg ca\CRLOverlapUnits Value
certutil -setreg ca\CRLOverlapPeriod Units
certutil -setreg ca\CRLDeltaOverlapUnits Value
certutil -setreg ca\CRLDeltaOverlapPeriod Units

(Value is a number; Units is a period name such as Hours or Days. The delta overlap period value is named CRLDeltaOverlapPeriod, matching the other three.)

• The maximum value for either the CRL or delta CRL overlap period is 12 hours.
• The overlap period for CRLs is the amount of time at the end of a published CRL’s lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable. The default setting for this value is 10% of the CRL lifetime. Because some environments may require longer periods to replicate a CRL, this setting can be configured manually.

• When both a base CRL and delta CRL have been recently published, a revoked certificate may appear in both. This is because the newer delta CRL may still point at the older base CRL while the new base CRL is being replicated. Having the certificate appear in both CRLs ensures the revocation information is available.

Using delta certificate revocation lists
CRLs can become very long on large CAs that have experienced significant amounts of certificate revocation. This can become a burden for clients to download frequently. To help minimize frequent downloads of lengthy CRLs, delta CRLs can be published. This allows the client to download the most current delta CRL and combine that with the most current base CRL to have a complete list of revoked certificates. Because the client will normally have the CRL cached locally, the use of delta CRLs can potentially improve performance.

To use delta CRLs, the client application must be aware of and explicitly use delta CRLs for revocation checking. If the client does not use delta CRLs, it will retrieve the CRL from the CA every time it refreshes its cache, regardless of whether a delta CRL exists or not. For this reason, you should verify that the intended applications use delta CRLs and configure the CA accordingly. If the clients do not support the use of delta CRLs, you should either not configure the CA to publish delta CRLs or configure it so CRLs and delta CRLs are published at the same interval. This would still allow future applications that support delta CRLs to use them, while providing current CRLs to all applications. Note that all applications that use CryptoAPI in Windows XP and the Windows Server 2003 family use delta CRLs.

Publishing a CRL before the next scheduled publish period
You can also publish a CRL on demand at any time, such as when a valuable certificate becomes compromised. Choosing to publish a CRL outside the established schedule resets the scheduled publication period to begin at that time. In other words, if you manually publish a CRL in the middle of a scheduled publish period, the CRL publish period is restarted.

It is important to realize that clients that have a cached copy of the previously published CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a cached copy of a valid CRL.

Reference: Server Help
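The answer to Question 142 (publish the base CRL monthly and the delta CRL daily) and the overlap settings listed above are all CA registry values set with certutil. The PowerShell script below is an added example, not from the TestKing document or from the Server Help text; it assumes it is run on the CA itself by a CA administrator, and the periods it chooses are illustrative. The second function reads the published CRL files back so that you can confirm the ThisUpdate/NextUpdate window that clients will actually honour while they hold a cached copy.

```powershell
# Added example, not from the TestKing document: configure base/delta CRL
# publication periods and overlap on a Windows Server 2003 CA, then verify the
# validity window of the CRLs that were published. Run on the CA as a CA admin.

function Set-CrlSchedule {
    param(
        [int]$BasePeriodUnits  = 1,  [string]$BasePeriod  = 'Months',   # base CRL monthly
        [int]$DeltaPeriodUnits = 1,  [string]$DeltaPeriod = 'Days',     # delta CRL daily
        [int]$OverlapUnits     = 12, [string]$OverlapPeriod = 'Hours',  # 12 hours is the maximum
        [int]$DeltaOverlapUnits = 2, [string]$DeltaOverlapPeriod = 'Hours'
    )
    # Publication periods: a long base CRL that clients download rarely and a
    # small delta CRL that carries the revocations since the last base CRL.
    certutil -setreg ca\CRLPeriodUnits      $BasePeriodUnits
    certutil -setreg ca\CRLPeriod           $BasePeriod
    certutil -setreg ca\CRLDeltaPeriodUnits $DeltaPeriodUnits
    certutil -setreg ca\CRLDeltaPeriod      $DeltaPeriod
    # Overlap: how long the previous CRL stays usable after a new one is
    # published, giving replication of the new CRL time to complete.
    certutil -setreg ca\CRLOverlapUnits       $OverlapUnits
    certutil -setreg ca\CRLOverlapPeriod      $OverlapPeriod
    certutil -setreg ca\CRLDeltaOverlapUnits  $DeltaOverlapUnits
    certutil -setreg ca\CRLDeltaOverlapPeriod $DeltaOverlapPeriod

    # Registry changes take effect only after Certificate Services restarts.
    Restart-Service -Name CertSvc
    # Publish a new base and delta CRL now instead of waiting for the schedule
    # (this also restarts the publication period, as described above).
    certutil -CRL
}

function Show-CrlValidity {
    # Default CRL publication folder of the CA; each .crl is dumped for its
    # ThisUpdate/NextUpdate fields, which bound the cached CRL's lifetime.
    Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" | ForEach-Object {
        $dump = certutil -dump $_.FullName
        [pscustomobject]@{
            File       = $_.Name
            ThisUpdate = (($dump | Select-String 'ThisUpdate' | Select-Object -First 1).Line -replace '.*ThisUpdate:\s*', '')
            NextUpdate = (($dump | Select-String 'NextUpdate' | Select-Object -First 1).Line -replace '.*NextUpdate:\s*', '')
        }
    }
}

Set-CrlSchedule
Show-CrlValidity
```

The delta CRL file carries a "+" suffix in its name; with the settings above its NextUpdate should be roughly one day plus the delta overlap after ThisUpdate, while the base CRL's NextUpdate is about a month plus the overlap away. Clients that cached the old base CRL keep using it until that NextUpdate, which is why a shorter delta period, not an on-demand republish, is what reduces the periodic delays the question describes.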

QUESTION NO: 143
You are the network administrator for TestKing. The network includes a perimeter network. The perimeter network consists of a single Active Directory domain named testking.com. The domain contains four Windows Server 2003 Web servers configured as a Network Load Balancing cluster. The cluster hosts an Internet e-commerce Web site. You upgrade the Web site to require users to log on in order to gain full access to the site. You will use Active Directory to store the user accounts. Web site users may access the site by using various Web browsers. You need to enable and require SSL when users log on to the Web site. You need to minimize the administrative impact for users of the Web site. What should you do?

A. Obtain a Web server certificate from an external certification authority (CA) that is widely trusted on the Internet. Install the certificate on each Web server in the cluster.

B. Configure a stand-alone certification authority (CA) in the perimeter network. Obtain a Web certificate from the CA. Install the certificate on each Web server in the cluster.

C. Install Certificate Services on each Web server in the cluster, and configure each Web server as an enterprise certification authority (CA). Configure certificate autoenrollment for all users.

D. Install Certificate Services on each Web server in the cluster, and configure each Web server as a stand-alone certification authority (CA). Configure Web-based certificate enrollment for users.

Answer: A

Explanation: To enable SSL on the web cluster we need a Web server certificate. The web site is a publicly accessible site, so the Web server certificate needs to be trusted by the public computers. We should use a Web server certificate from an external certification authority (CA) that is widely trusted on the Internet, such as Verisign.

Incorrect Answers:
B: The public client computers will display a message saying that the server certificate isn’t trusted.
C: The web server needs a Web server certificate from an external certification authority. It doesn’t need to be a CA.
D: The web server needs a Web server certificate from an external certification authority. It doesn’t need to be a CA.

Reference:
How to Configure Certificate Server for Use with SSL on IIS, KB 218445
HOW TO: Configure IIS Web Site Authentication in Windows Server 2003, KB 324274
HOW TO: Load Balance a Web Server Farm Using One SSL Certificate in IIS, KB 313299

QUESTION NO: 144
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The users in the accounting department use their client computers to access confidential files over the network. The files must not be altered by unauthorized users as the files traverse the network. You need to secure the data transmissions to and from client computers in the accounting department. You also need to be able to monitor the traffic on the network and report to IT management the percentage of bandwidth used for each protocol. What should you do?

A. Use IPSec encryption.
B. Use Server Message Block (SMB) signing.
C. Use NTLMv2 authentication.
D. Use the Kerberos version 5 authentication protocol.

Answer: B

Explanation: We can’t use IPSec “encryption” because this uses ESP to encrypt the IP header. If we use IPSec encryption, we won’t be able to monitor the traffic. We could use IPSec “integrity” but that isn’t listed as an option. Instead, we should use Server Message Block (SMB) signing.

Server Message Block (SMB) signing
Determines whether the computer always digitally signs client communications. The Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional authentication protocol Server Message Block (SMB) supports mutual authentication, which closes a "man-in-the-middle" attack, and supports message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. To use SMB signing, you must either enable it or require it on both the SMB client and the SMB server. If SMB signing is enabled on a server, clients that are also enabled for SMB signing use the packet signing protocol during all subsequent sessions. If SMB signing is required on a server, a client is not able to establish a session unless it is at least enabled for SMB signing.
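The enable/require rules just described decide whether a client and server can still talk once signing is rolled out, which is the question to answer before requiring it on the accounting file servers. The PowerShell below is an added example, not from the TestKing document: it reads the local SMB signing settings from the LanmanServer and LanmanWorkstation registry keys and encodes the negotiation rule from the text in a function, exercised against a constructed set of client configurations. Missing registry values are treated as "disabled" here; the actual Windows defaults differ by role (domain controllers require signing on the server side), so read the real values rather than relying on that assumption.

```powershell
# Added example, not from the TestKing document: audit SMB signing settings and
# predict whether a client/server pair can establish a session under them.

function Get-SmbSigningSetting {
    param([ValidateSet('Server', 'Workstation')][string]$Side)
    # Server side = "Microsoft network server: Digitally sign communications"
    # Workstation side = "Microsoft network client: Digitally sign communications"
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Lanman$Side\Parameters"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing value is treated as 0 (disabled) in this audit; adjust for DCs.
    $enabled  = ($null -ne $p.EnableSecuritySignature)  -and ([int]$p.EnableSecuritySignature  -ne 0)
    $required = ($null -ne $p.RequireSecuritySignature) -and ([int]$p.RequireSecuritySignature -ne 0)
    [pscustomobject]@{ Side = $Side; Enabled = ($enabled -or $required); Required = $required }
}

function Test-SmbSigningCompatible {
    param([bool]$ClientEnabled, [bool]$ClientRequired, [bool]$ServerEnabled, [bool]$ServerRequired)
    # "Required" implies "enabled". A session fails only when one side demands
    # signing and the other side is not even enabled for it; if both sides can
    # sign, the session is signed; otherwise it falls back to unsigned SMB.
    $clientCan = $ClientEnabled -or $ClientRequired
    $serverCan = $ServerEnabled -or $ServerRequired
    if ($ServerRequired -and -not $clientCan) { return 'Blocked: server requires signing, client cannot sign' }
    if ($ClientRequired -and -not $serverCan) { return 'Blocked: client requires signing, server cannot sign' }
    if ($clientCan -and $serverCan)           { return 'Signed session (integrity protected)' }
    return 'Unsigned session (no integrity protection)'
}

# Local audit of this machine's own settings
Get-SmbSigningSetting -Side Server
Get-SmbSigningSetting -Side Workstation

# Constructed sample: an accounting file server that requires signing, tested
# against three client configurations.
$server = @{ ServerEnabled = $true; ServerRequired = $true }
$clients = @(
    @{ Name = 'XP-default';  ClientEnabled = $true;  ClientRequired = $false },
    @{ Name = 'Hardened';    ClientEnabled = $true;  ClientRequired = $true  },
    @{ Name = 'Signing-off'; ClientEnabled = $false; ClientRequired = $false }
)
foreach ($c in $clients) {
    '{0,-12} {1}' -f $c.Name, (Test-SmbSigningCompatible -ClientEnabled $c.ClientEnabled -ClientRequired $c.ClientRequired @server)
}
```

With the sample data, the first two clients get a signed session and the third is blocked, which is the combination to check for (and to fix on the client side) before switching the file servers from "enabled" to "required". Because SMB signing adds a signature rather than encrypting the payload, Network Monitor can still attribute bandwidth per protocol, which is why it satisfies the question's monitoring requirement where IPSec ESP would not.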

If this policy is enabled, it requires the SMB client to sign packets. If this policy is disabled, it does not require the SMB client to sign packets.

QUESTION NO: 145
You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers on the network run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. All servers that are not domain controllers are located in an organizational unit (OU) named Servers. All client computers used by administrative personnel are located in an OU named AdminDesktops. Both the Domain Controllers OU and the Servers OU have the Server (Request Security) IPsec policy applied. The AdminDesktops OU has the Client (Respond Only) IPSec policy applied. You implement remote administration for all servers on the network. All servers are configured to allow Remote Desktop connections for administration. The company’s written security policy requires that the highest security levels possible must be enforced during remote administration of the servers. The Terminal Services encryption settings are set to High in the Default Group Policy object (GPO). Administrators who use Windows 2000 Professional computers soon report that they cannot establish Remote Desktop connections to the servers. Administrators can successfully establish network connections to shared resources on the servers. Administrators who use Windows XP Professional computers do not experience the same problem. You verify that the servers to which the administrators are attempting to connect are online and have Remote Desktop connections enabled. You also verify that the maximum number of remote connections has not been exceeded on any server. You need to ensure that all administrators can establish Remote Desktop connections to the servers regardless of which operating system is running on their client computers. What should you do?

A. In the properties for the Remote Desktop Protocol (RDP) connection on each server, set the encryption level to FIPS Compliant.
B. Deploy the Remote Desktop Protocol (RDP) 5.2 client software to the AdminDesktops OU.
C. On each server, use Terminal Services Manager to configure the servers to use standard Windows authentication.
D. Configure the Terminal Services permission compatibility to Relaxed Security.


Answer: B

Incorrect Answers:
A. If this setting is enabled, the security channel provider of the operating system is forced to use only the following security algorithms: TLS_RSA_WITH_3DES_EDE_CBC_SHA. This behaviour forces the security channel provider to negotiate only the stronger Transport Layer Security (TLS) 1.0 protocol.
C. Specifies whether the connection defaults to the standard Windows authentication when another authentication package has been installed on the server.
D. The question asks you to provide the highest level of security.

Explanation
Computers running earlier versions of Microsoft Windows, including Windows 2000 Server, Windows 2000 Professional, Windows NT 4.0, Windows 98, and Windows 95, cannot connect to Windows Server 2003 Terminal Services if they are using the old Terminal Server client. The clients cannot connect because full security is in use. Installing the new version allows older Windows platforms to remotely connect to a computer running Windows XP Professional with Remote Desktop enabled.

In Windows Server 2003 you do not need to install Terminal Server. Instead, you can use Remote Desktop for Administration (formerly Terminal Services in Remote Administration mode), which is installed by default on computers running one of the Windows Server 2003 operating systems. After you enable remote connections, Remote Desktop for Administration allows you to remotely manage servers from any client over a LAN, WAN, or dial-up connection. Up to two remote sessions, plus the console session, can be accessed at the same time, without requiring Terminal Server Licensing.

Application compatibility considerations
You should install programs from the console session of the terminal server. You can install programs from a remote console session, but this is not the preferred method for installing programs. Some programs require an application compatibility script to be run after the program is installed. The scripts are stored in the systemroot\Application Compatibility Scripts\Install directory on the terminal server. You should be aware of the implications of the security mode in which the terminal server operates. There are two security modes:

• Full security provides the most secure environment for users connecting to a terminal server. To run in this mode, applications must be written to run in the security context of an ordinary user. For Windows Server 2003 operating systems and Windows 2000, full security is the default.

• Relaxed security enables you to run programs that otherwise might not work at all in the more rigorous Full security mode. However, in Relaxed security mode (also known as Windows NT 4.0/Terminal Server Edition permissions compatibility mode), any user on the system can change files and registry settings in many places throughout the system, although other users' data files might not be visible. A malicious user could exploit this situation by replacing a known and trusted program with a program of the same name but some harmful intent. If the operating system on your terminal server was installed using the Upgrade method, the security mode might be set to Relaxed security. When in doubt, you should choose Full security, test your applications in that mode, and change the security mode only if your test results indicate the need to do so.

Deploying client software
Remote Desktop Connection, formerly known as the Terminal Services Client, is installed automatically on computers running Windows XP and Windows Server 2003 operating systems. For performance and security reasons, computers running earlier versions of Microsoft Windows, including Windows 2000 Server, Windows 2000 Professional, Windows NT 4.0, Windows 98, and Windows 95, should have the latest version of Remote Desktop Connection installed.

References:
Server Help
Terminal Server Help
Remote Desktop Connection Software Download (download site for the new TS client): http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp

This software package will install the client portion of Remote Desktop on any of the following operating systems: Windows 95, Windows 98 and 98 Second Edition, Windows Me, Windows NT® 4.0, or Windows 2000. (This is the same version of the client software as in Windows XP Service Pack 1.) When run, this software allows older Windows platforms to remotely connect to a computer running Windows XP Professional with Remote Desktop enabled.
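The scenario above turns on two listener settings of the servers' RDP-Tcp connection: the minimum encryption level (set to High by the GPO) and, for the later discussion of changing the listening port, the port number. The following PowerShell script is an added example, not code from the TestKing guide or from Microsoft, that reads both values from the Terminal Services registry key on a list of servers so an administrator can see which servers demand High or FIPS encryption and which still listen on the default port 3389. It assumes the Remote Registry service is reachable on the target servers; the server names are constructed placeholders, and the mapping of MinEncryptionLevel values 1 to 4 to the Low, Client Compatible, High and FIPS Compliant levels is supplied here, not stated on this page.

```powershell
# Added example (not from the TestKing guide): audit the RDP-Tcp listener
# settings on one or more Windows Server 2003 servers. Reads PortNumber and
# MinEncryptionLevel from the Terminal Services registry key and reports whether
# each server uses the default port and whether it requires High/FIPS encryption.
#
# Assumptions (labelled): remote registry access to each server is available
# (Remote Registry service running); server names below are placeholders.

# Registry location of the default RDP listener on Windows Server 2003.
$RdpTcpKeyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# MinEncryptionLevel values as shown in Terminal Services Configuration
# (mapping supplied by this example: 1 = Low, 2 = Client Compatible,
# 3 = High, 4 = FIPS Compliant).
$EncryptionLevelNames = @{
    1 = 'Low'
    2 = 'Client Compatible'
    3 = 'High'
    4 = 'FIPS Compliant'
}

function Get-RdpListenerSettings {
    # Returns one object per computer with the listener port, the encryption
    # level and two review flags; errors are reported per computer, not thrown.
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName
    )

    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            ComputerName        = $computer
            PortNumber          = $null
            MinEncryptionLevel  = $null
            EncryptionLevelName = 'Unknown'
            UsesDefaultPort     = $null
            RequiresHighOrFips  = $null
            Error               = $null
        }

        try {
            # Open HKLM on the remote (or local) machine over the Remote Registry service.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hklm.OpenSubKey($RdpTcpKeyPath)
            if ($key -eq $null) {
                throw "RDP-Tcp listener key not found on $computer"
            }

            # PortNumber is a REG_DWORD; 3389 is the well-known default.
            # MinEncryptionLevel defaults to 2 (Client Compatible) when absent.
            $port  = [int] $key.GetValue('PortNumber', 3389)
            $level = [int] $key.GetValue('MinEncryptionLevel', 2)

            $result.PortNumber          = $port
            $result.MinEncryptionLevel  = $level
            $name = $EncryptionLevelNames[$level]
            if ($name -ne $null) { $result.EncryptionLevelName = $name }
            $result.UsesDefaultPort     = ($port -eq 3389)
            # High (3) or FIPS Compliant (4): the level the written security
            # policy in Question 145 requires, and the one the old client could not use.
            $result.RequiresHighOrFips  = ($level -ge 3)

            $key.Close()
            $hklm.Close()
        }
        catch {
            $result.Error = $_.Exception.Message
        }

        $result
    }
}

# Usage: audit the local server plus two placeholder member servers.
Get-RdpListenerSettings -ComputerName $env:COMPUTERNAME, 'srv01', 'srv02' |
    Format-Table ComputerName, PortNumber, UsesDefaultPort, EncryptionLevelName, RequiresHighOrFips, Error -AutoSize
```

Run it against the servers in the Servers and Domain Controllers OUs before and after a change to the Terminal Services encryption setting: a server that reports High or FIPS Compliant is one the older Windows 2000 client in the scenario will not be able to reach until the newer client is deployed.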


QUESTION NO: 146
You are the systems engineer for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All administrative staff use portable computers. The relevant portion of the network is shown in the exhibit.

The private Web server uses non-standard ports for connections. The external firewall is configured to allow inbound connections on these non-standard ports. Company policy requires that all administrative tasks must be performed remotely. You enable Remote Desktop connections on all servers on the company intranet. Each administrative client computer has the Windows Server 2003 Administrative Tools and the Remote Desktops snap-in installed. The administrators request that they be able to use Remote Desktop connections to administer the servers when they are at home. The company’s written security policy requires that connections originating from the Internet are not allowed into the company intranet. Currently, only the Web servers are accessible from the Internet. The written security policy does not allow any other connections to the perimeter network from the Internet. You need to provide a solution that allows Remote Desktop connections to the company intranet and that complies with the written security policy. What should you do?

A. Install the Remote Administration Web site on the private Web server. Configure the external firewall to allow inbound connections on the IIS Remote Administration port. Configure the internal firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port.

B. Install the Remote Administration Web site on the private Web server. Configure the external firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port. Configure the internal firewall to allow inbound connections on the IIS Remote Administration port.

C. Install the Remote Desktop Web Connection Web site on the private Web server. Configure the internal firewall to allow inbound connections on the Remote Desktop Protocol (RDP) port.

D. Install the Remote Desktop Web Connection Web site on the private Web server. Configure the internal firewall to allow inbound connections on the IIS Remote Administration port.

Answer: C

Explanation:
With this solution, we can access the private Web server from the Internet over a non-standard port by configuring RDP to listen on the non-standard port. Then we can open a Remote Desktop connection from the private Web server to the intranet servers.

[Picture: default path]

[Picture: modified path over port 4040]

In this way you can now connect to this site from an external site over a non-standard port, and from here to the intranet servers on the default RDP port. (That port can also be changed, but that is another topic.)


Web-based Remote Administration
Using a Microsoft ActiveX® control, a Terminal Services session can run on an Internet Explorer Web page. This lets the technology consultant gain access to the server from any desktop without needing to install the Terminal Services client. It is also possible to expose the ActiveX control to the Internet, allowing the technology consultant to log on from any computer connected to the Internet and running the Internet Explorer browser. However, this is not considered a best practice because it potentially exposes the Windows Server 2003 network to the Internet in unintended ways.

Configure Terminal Services Port
Terminal Services is a useful tool for network administrators because it enables remote server and end-user computer management. The Remote Desktop client installs by default on all Windows Server 2003 and Windows XP systems, and it is available as an optional component on the Windows 2000 Server installation media. There is also a downloadable Microsoft ActiveX® client that runs within Internet Explorer or the Microsoft Management Console (MMC). These are collectively known as the Terminal Services Advanced Client (TSAC).

Vulnerability
Terminal Services listens on TCP port 3389 by default, and all versions of the Remote Desktop clients attempt to connect to this port. Although the entire session, including the user authentication, is encrypted, the Terminal Services clients do not perform server authentication. An attacker who was able to spoof a legitimate Terminal Services server could trick users into connecting to the attacker's server rather than the genuine system. An attacker could trick the user into connecting to their server by altering DNS records to redirect users to their own system, or by some other means.

Countermeasure
Change the TCP port used by Terminal Services, or implement an IPSec policy to require trust and negotiate either Authentication Header (AH) or Encapsulating Security Payload (ESP) using IPSec transport mode (not IPSec tunnel mode). In some scenarios, it may be feasible to isolate the Terminal Server behind a VPN gateway so that either Point to Point Tunneling Protocol (PPTP) or L2TP/IPSec secured VPN tunnels are required to gain access to the Terminal Server. For information on how to change the port used by Terminal Services and the Remote Desktop Client, see the Microsoft Knowledge Base article, "How to Change Terminal Server's Listening Port," at http://support.microsoft.com/default.aspx?scid=187623. This article shows how to do this for the regular desktop client. To do this in the Terminal Services Advanced Client Web client, you need to add the following script line to the Web page: MsRdpClient.RDPport = xxx, where xxx is the desired TCP port number. For more information on how you can use and customize Remote Desktop Web Connection to run Terminal Services sessions within Microsoft Internet Explorer, see "Providing for RDP Client Security" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/providing_for_rdp_client_security.asp.

Remote Desktop Web Connection Security


The Remote Desktop Web Connection is a high-encryption, Remote Desktop Protocol (RDP) 5.0 client and uses RSA Security’s RC4 cipher with a key strength of 40-, 56-, or 128-bit, as determined by the computer to which it is connecting. The Remote Desktop Web Connection uses the well-known RDP TCP port (3389) to communicate to the host. Unlike some other display protocols, which send data over the network using clear text or with an easily decodable "scrambling" algorithm, Remote Desktop Web Connection's built-in encryption makes it safe to use over any network—including the Internet—as the protocol cannot be easily sniffed to discover passwords and other sensitive data.

References:
How to Change the Listening Port for Remote Desktop, MS Knowledge Base article 306759
How to Manually Open Ports in Internet Connection Firewall in Windows XP, MS Knowledge Base article 308127
Configuring the Remote Desktop Client to Connect to a Specific Port, MS Knowledge Base article 304034
Remote Desktop Web Connection: http://www.microsoft.com/windowsxp/pro/downloads/rdwebconn.asp
Server Help

QUESTION NO: 147
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. You install a wireless network. You configure the network to use Wired Equivalent Privacy (WEP). You install Windows Server 2003 on a server named TestKingSrv3. You install a wireless network adapter in TestKingSrv3. The company’s written security policy for implementing wireless devices includes the following requirements:

• Administrators must be able to identify unauthorized wireless devices that attempt to connect to the wireless network.

• Administrators must be able to monitor wireless network device status, including radio channels information and signal strength, for wireless devices.

You need to comply with the security monitoring requirements.


What should you do?

A. Add the Wireless Monitor snap-in to enable logging and to view Wireless Client Information.
B. Configure preferred networks in the wireless network policy for the Default Domain Policy Group Policy object (GPO).
C. Install and configure Network Monitor on TestKingSrv3 to capture and analyze network traffic.
D. In the wireless network policy for the Default Domain Policy Group Policy object (GPO), in the Networks to access list, select Any available network (access point preferred).

Answer: A

Logging and viewing wireless network activity
Wireless Monitor allows you to view details about access points and wireless clients. You can use this information to troubleshoot your wireless service. The Wireless Configuration service logs information in Wireless Monitor that allows you to:

• Identify service configuration changes.
• Check the events logged in the Wireless Configuration service log that are generated from outside of your network, such as media event notifications, 802.1X events, and timer expiration events.
• Check how the Wireless Configuration service reacts to external events by following transitions, as they are reflected in the log.

To view details about wireless network access points


1. Create a console containing Wireless Monitor. Or, open a saved console file containing Wireless Monitor.

2. Double-click Access Point Information.

Where?
• Wireless Monitor
• ServerName
• Access Point Information

Security information for wireless networks
Wireless networking technologies provide convenience and mobility, but they also introduce security risks on your network. For example, unless authentication and authorization mechanisms are implemented, anyone who has a compatible wireless network adapter can access the network. Without encryption, wireless data is sent in plaintext, so anyone within sufficient distance of a wireless access point can detect and receive all data sent to and from a wireless access point. The following security mechanisms enhance security over wireless networks:
• 802.11 identity verification and authentication
• 802.11 Wired Equivalent Privacy (WEP) encryption
• 802.1X authentication
• IAS support for 802.1X authentication

Selecting a wireless network type
When you configure new or existing wireless network connections or connect to an available wireless network, you can choose from the following wireless network types:

• Access point (infrastructure) In access point wireless networks, wireless clients (computing devices with wireless network adapters, such as your portable computer or personal digital assistant) connect to wireless access points. The access points function as bridges between wireless clients and the existing network backbone. As you move from one location to another, and the signal for one wireless access point weakens, or the access point becomes congested with traffic, you can connect to a new access point. For example, if you work in a large corporation, you might connect to several different wireless access points as you move between different floors of a building or different buildings in a campus, while still maintaining uninterrupted access to network resources.

• Computer-to-computer (ad hoc) In computer-to-computer wireless networks, wireless clients connect to each other directly, rather than through wireless access points. For example, if you are in a meeting with co-workers, and you do not need to gain access to network resources, your wireless device can make direct connections to the wireless devices of your co-workers, and you can form a temporary network.

• Any available network (access point preferred) In access point preferred wireless networks, a connection to an access point wireless network is always attempted first, if there are any available. If an access point network is not available, a connection to a computer-to-computer wireless network is attempted. For example, if you use your laptop at work in an access point wireless network, and then you take your laptop home to use in your computer-to-computer home network, the Wireless Configuration service will change your wireless network settings as needed so that you can connect to your home network.

Reference
Server Help

QUESTION NO: 148
You are the network administrator for your company. The network contains Windows Server 2003 computers and Windows XP Professional computers. The company deploys two DNS servers. Both DNS servers run Windows Server 2003. One DNS server is inside of the corporate firewall, and the other DNS server is outside of the firewall. The external DNS server provides name resolution for the external Internet name of the company on the Internet, and it is configured with root hints. The internal DNS server hosts the DNS zones related to the internal network configuration, and it is not configured with root hints. You want to limit the exposure of the client computers to DNS-related attacks from the Internet, without limiting their access to Internet-based sites. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Configure the client computers to use only the internal DNS server.
B. Configure the client computers to use both DNS servers. List the internal DNS server first.
C. Configure the firewall to allow only network traffic on the DNS ports.
D. On the internal DNS server, disable recursion.
E. On the internal DNS server, configure the external DNS server as forwarder.
F. On the internal DNS server, add the external DNS server as the only root hint.

Answer: A, E

Explanation
With this solution, the internal DNS server will resolve any host resolution requests from its zone file. Any host resolution requests that the internal DNS server is unable to resolve will be forwarded to the external DNS server. The external DNS server will then go through the DNS hierarchy to resolve the request and return the answer to the internal DNS server. Keep forwarder configuration uncomplicated. For every DNS server configured with a forwarder, queries can be sent to a number of different places. Each forwarder and each conditional forwarder must be administered for the benefit of DNS client queries, and this process can be time consuming. Use forwarders strategically, where they are needed the most, such as resolving offsite queries or sharing information between namespaces.

Incorrect answers:
B: This is not necessary and is insecure. The internal DNS server can forward external requests to the external DNS server.
C: This is not necessary. The firewall should have other ports open, such as port 80 for HTTP.
F: In this way DNS can resolve Internet queries, but it is not a best practice because it can give negative answers to the domain.

Reference
Server Help
Directing queries through forwarders

QUESTION NO: 149
You are the network administrator for Testking. The network consists of two physical subnets connected by a hardware-based router. Each subnet contains two domain controllers running Windows 2000 Advanced Server. All other servers run Windows 2000 Server. TestKing is in the process of migrating to a Windows Server 2003 Active Directory domain-based network. You plan to install two new Windows Server 2003 computers as domain controllers in the domain. The migration plan does not currently allow for upgrading the Windows 2000 domain controllers or changing any operations master roles. Currently, host name resolution is performed by one of the Windows 2000 domain controllers that is running the DNS Server service. The DNS server hosts a standard primary zone for the domain. The migration plan requires that the DNS zone must be implemented as an Active Directory-integrated zone. You need to redesign the DNS infrastructure to comply with the requirements of the migration plan. You need to ensure that the Active Directory-integrated zone will be loaded and hosted on all domain controllers. What should you do?

A. Configure the zone replication scope to replicate the zone to all DNS servers in the Active Directory forest.

B. Configure the zone replication scope to replicate the zone to all DNS servers in the Active Directory domain named testking.com.


C. Configure the zone replication scope to replicate the zone to all domain controllers in the Active Directory domain named testking.com.

D. Configure the zone replication scope to replicate the zone to all domain controllers specified for a separate DNS application directory partition.

Answer: C

Explanation
The question states that "You need to ensure that the Active Directory-integrated zone will be loaded and hosted on all domain controllers." This is the only answer that states “all domain controllers”. This option replicates zone data to all domain controllers in the Active Directory domain. If you want Windows 2000 DNS servers to load an Active Directory zone, this setting must be selected for that zone.

Active Directory Replication
Active Directory replication propagates zone changes between domain controllers. Replication processing differs from DNS full zone transfers, in which the DNS server transfers the entire zone. Replication processing also differs from incremental zone transfers, in which the server transfers all changes made since the last change. Active Directory zone replication provides the following additional benefits:

• Network traffic is reduced because the domain controllers only send the final result of all changes.
• When a zone is stored in Active Directory, replication occurs automatically. No additional configuration is required.
• When Active Directory zone replication occurs between sites, zone data that is greater than the default transfer size is automatically compressed before it is transferred. This compression decreases the network traffic load.

After careful analysis, you can partition and delegate your DNS zones based on what is required for providing efficient and fault-tolerant name service to each location or site. If you are using Active Directory–integrated zones in a Windows Server 2003 domain, you must select an Active Directory–integrated zone replication scope. When selecting a replication scope, note that network traffic increases as you broaden the replication scope. For example, if you choose to replicate Active Directory–integrated DNS zone data to all DNS servers in the forest, this produces greater network traffic than replicating the DNS zone data to all DNS servers in a single Active Directory domain in that forest. Balance your need to minimize replication traffic against your need to minimize zone query traffic. The DNS administrators in your organization are responsible for managing zone replication.

Zone replication scope / Description

All DNS servers in the Active Directory forest

Replicates zone data to all DNS servers running on domain controllers in the Active Directory forest. Usually, this is the broadest scope of replication.

All DNS servers in the Active Directory domain

Replicates zone data to all DNS servers running on domain controllers in the Active Directory domain. This option is the default setting for Active Directory-integrated DNS zone replication in the Windows Server 2003 family.

All domain controllers in the Active Directory domain

Replicates zone data to all domain controllers in the Active Directory domain. If you want Windows 2000 DNS servers to load an Active Directory zone, this setting must be selected for that zone.

All domain controllers in a specified application directory partition

Replicates zone data according to the replication scope of the specified application directory partition. For a zone to be stored in the specified application directory partition, the DNS server hosting the zone must be enlisted in the specified application directory partition.
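The four scopes in the table above, and the forwarder arrangement in the explanation of Question 148, are settings an administrator would normally make in the DNS console. The following PowerShell script is an added example, not code from the TestKing guide or from Microsoft's documentation, that makes both changes with dnscmd.exe, the Windows Server 2003 DNS command-line tool: it points the internal DNS server at the external server as its forwarder (Question 148, answer E), converts the standard primary zone to an Active Directory-integrated zone, and sets the replication scope to all domain controllers in the domain, the scope Windows 2000 DNS servers can load (Question 149, answer C). The dnscmd switches used are /ResetForwarders, /ZoneResetType and /ZoneChangeDirectoryPartition; the server names, forwarder address and zone name are constructed placeholders, and the script assumes dnscmd.exe is on the path and the caller is a DNS administrator on the target servers.

```powershell
# Added example (not from the TestKing guide): DNS forwarding and Active
# Directory-integrated zone replication scope via dnscmd.exe (Windows Server
# 2003 Support Tools / DNS server). Server names, addresses and the zone name
# are constructed placeholders.

function Invoke-DnsCmd {
    # Runs dnscmd with the given arguments and throws on a non-zero exit code,
    # so a failed step does not go unnoticed in a deployment script.
    param([string[]] $Arguments)

    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    $output
}

function Set-InternalDnsForwarding {
    # Question 148: the internal server has no root hints, so everything it
    # cannot answer from its own zones goes to the forwarder. /ResetForwarders
    # replaces the whole forwarder list; recursion stays enabled on the server
    # so it can still accept clients' recursive queries.
    param(
        [Parameter(Mandatory = $true)] [string]   $InternalServer,
        [Parameter(Mandatory = $true)] [string[]] $ForwarderAddress,
        [int] $TimeoutSeconds = 5
    )
    Invoke-DnsCmd -Arguments (@($InternalServer, '/ResetForwarders') + $ForwarderAddress + @('/TimeOut', $TimeoutSeconds))
}

function Convert-ZoneToDirectoryIntegrated {
    # Question 149, step 1: change the standard primary zone into an Active
    # Directory-integrated primary. Must run against a DNS server that is a DC.
    param(
        [Parameter(Mandatory = $true)] [string] $DnsServer,
        [Parameter(Mandatory = $true)] [string] $ZoneName
    )
    Invoke-DnsCmd -Arguments @($DnsServer, '/ZoneResetType', $ZoneName, '/DsPrimary')
}

# The first three rows of the replication-scope table mapped to the switches
# /ZoneChangeDirectoryPartition accepts; the fourth row (a custom application
# directory partition) is passed through by name.
$ReplicationScopeSwitch = @{
    'Forest'               = '/forest'  # all DNS servers in the AD forest
    'Domain'               = '/domain'  # all DNS servers in the AD domain (Server 2003 default)
    'AllDomainControllers' = '/legacy'  # all domain controllers in the domain (Windows 2000 can load it)
}

function Set-ZoneReplicationScope {
    # Question 149, step 2: choose where the integrated zone is replicated.
    param(
        [Parameter(Mandatory = $true)] [string] $DnsServer,
        [Parameter(Mandatory = $true)] [string] $ZoneName,
        [Parameter(Mandatory = $true)] [string] $Scope
    )
    $target = $ReplicationScopeSwitch[$Scope]
    if ($target -eq $null) { $target = $Scope }   # custom partition FQDN
    Invoke-DnsCmd -Arguments @($DnsServer, '/ZoneChangeDirectoryPartition', $ZoneName, $target)
}

# Usage (constructed names). Question 148: forwarder on the internal server.
Set-InternalDnsForwarding -InternalServer 'dns-internal' -ForwarderAddress '192.0.2.53'

# Question 149: integrate the zone, then replicate it to all domain controllers.
Convert-ZoneToDirectoryIntegrated -DnsServer 'dc1' -ZoneName 'testking.com'
Set-ZoneReplicationScope -DnsServer 'dc1' -ZoneName 'testking.com' -Scope 'AllDomainControllers'

# Read back: /ZoneInfo prints the zone type and the directory partition it lives in.
Invoke-DnsCmd -Arguments @('dc1', '/ZoneInfo', 'testking.com')
```

The scope table is the part worth keeping at hand: choosing Forest or Domain here would leave the Windows 2000 domain controllers in the Question 149 scenario unable to load the zone, because only the /legacy scope stores the zone in the domain partition that Windows 2000 DNS reads.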

Migrating Zones to Windows Server 2003 DNS Servers You can migrate zones to DNS servers running Windows Server 2003 in one of two ways:

• By using zone transfer.
• By copying the zone files.

If you copy the zone files, you must manually verify the integrity of the zones. Regardless of the method that you use to migrate zones, you must decide whether to take the original DNS server offline, or to use it as a secondary server. If you determine that the original third-party DNS server causes interoperability problems on your network, or if you need to use that server hardware for another purpose, take the server offline. Otherwise, keep the server on your network to provide backup for your primary DNS server running Windows Server 2003.

Reference
Server Help
DNS zone replication in Active Directory

QUESTION NO: 150
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The network contains servers that have Terminal Server enabled. The terminal servers host legacy applications that currently require users to be members of the Power Users group. A new requirement in the company’s written security policy states that the Power Users group must be empty on all resource servers. You need to maintain the ability to run the legacy applications on the terminal servers when the new security requirement is implemented.


What should you do?

A. Add the Domain Users global group to the Remote Desktop Users built-in group in the domain.
B. Add the Domain Users global group to the Remote Desktop Users local group on each terminal server.
C. Modify the Compatws.inf security template settings to allow members of the local Users group to run the applications. Import the security template into the Default Domain Controllers Policy Group Policy object (GPO).

D. Modify the Compatws.inf security template settings to allow members of the local Users group to run the applications. Apply the modified template to each terminal server.

Answer: D

Explanation:
This is a trick question because answers A and B would enable the users to use Terminal Services. However, the question doesn’t state whether the users can already use Terminal Services. The question asks how we can run the application without the users being in the Power Users group. The answer would therefore be D.

Incorrect Answers:
A: This would enable the users to use Terminal Services. However, this is not what the question is asking. The question is asking how we can run the application without the users being in the Power Users group.
B: This would enable the users to use Terminal Services. However, this is not what the question is asking. The question is asking how we can run the application without the users being in the Power Users group.
C: The Compatws.inf security template should be applied to the servers running the application, not the domain controllers.

Compatws.inf
Default permissions for workstations and servers are primarily granted to three local groups: Administrators, Power Users, and Users. Of the three, the Administrators group has the most permission, while the Users group has the least. Because of this, you can significantly improve security, reliability, and the total cost of system ownership by:

• Making sure that end users are members of the Users group.
• Deploying applications that can be run successfully by members of the Users group.

Members of the Users group can successfully run applications that are a part of the Windows Logo Program. However, members of the Users group might not be able to run applications that do not meet the requirements of the program. If other applications must be supported, there are two options:

• Permit members of the Users group to be members of the Power Users group.
• Relax the default permissions that are granted to the Users group.
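Answer D above applies the modified Compatws.inf template to each terminal server, which is the second of these two options carried out locally. The following PowerShell script is an added example, not code from the TestKing guide or from Microsoft, showing how that is done with secedit.exe, the command-line counterpart of the Security Configuration and Analysis snap-in: an analysis pass first reports every setting the template would change, and only then is the template applied, limited to the security areas Compatws.inf actually touches. The template and database paths are constructed placeholders (the stock template ships in %windir%\security\templates\compatws.inf), the "Mismatch" wording searched for in the analysis log is assumed, and the script must run with local Administrators rights on the terminal server.

```powershell
# Added example (not from the TestKing guide): analyse and apply a modified
# Compatws.inf on a terminal server with secedit.exe. Paths are constructed
# placeholders; the stock template is %windir%\security\templates\compatws.inf.

function Invoke-SecurityTemplate {
    # Analyses the template against the local machine and, unless -AnalyzeOnly
    # is given, applies it. Returns secedit's exit code so a deployment script
    # run on each terminal server can stop on failure.
    #
    # -Areas: secedit security areas to process. Compatws.inf changes file and
    # registry permissions and Power Users membership, so FILESTORE, REGKEYS and
    # GROUP_MGMT are the relevant ones; omit it to process all areas.
    param(
        [Parameter(Mandatory = $true)] [string] $TemplatePath,
        [string]   $DatabasePath = (Join-Path $env:windir 'security\Database\compatws-custom.sdb'),
        [string]   $LogPath      = (Join-Path $env:windir 'security\Logs\compatws-custom.log'),
        [string[]] $Areas        = @(),
        [switch]   $AnalyzeOnly
    )

    if (-not (Test-Path $TemplatePath)) {
        throw "Template not found: $TemplatePath"
    }

    # Step 1: import the template into a fresh database and compare it with the
    # current system settings. Differences go to the log; nothing is changed.
    & secedit.exe /analyze /db $DatabasePath /cfg $TemplatePath /log $LogPath | Out-Null
    $analyzeExit = $LASTEXITCODE
    if ($analyzeExit -ne 0) {
        Write-Warning "secedit /analyze returned $analyzeExit; see $LogPath"
    }
    # Show the analysis lines that report a mismatch (log wording assumed), so
    # the administrator sees what the template would change before applying it.
    if (Test-Path $LogPath) {
        Get-Content $LogPath | Where-Object { $_ -match 'Mismatch' }
    }

    if ($AnalyzeOnly) { return $analyzeExit }

    # Step 2: apply the template. /overwrite replaces the database contents with
    # the template instead of merging; /areas restricts the change to the listed
    # areas; /quiet suppresses the confirmation prompt for unattended use.
    $configureArgs = @('/configure', '/db', $DatabasePath, '/cfg', $TemplatePath, '/overwrite', '/log', $LogPath, '/quiet')
    if ($Areas.Count -gt 0) {
        $configureArgs += '/areas'
        $configureArgs += $Areas
    }
    & secedit.exe @configureArgs | Out-Null
    return $LASTEXITCODE
}

# Usage (constructed path): dry run first, then apply on this terminal server.
$template = 'C:\Templates\compatws-modified.inf'
Invoke-SecurityTemplate -TemplatePath $template -AnalyzeOnly
Invoke-SecurityTemplate -TemplatePath $template -Areas FILESTORE, REGKEYS, GROUP_MGMT
```

Running the analysis pass on one terminal server before the rollout is the check that matters here: the mismatch list shows both the relaxed Users permissions the legacy application needs and the removal of every Power Users member that the template performs, which is exactly the effect the written security policy in Question 150 calls for.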


Because Power Users have additional permissions such as creating users, groups, printers, and shares, some administrators prefer to relax the default User permissions instead of permitting members of the Users group to be members of the Power Users group. This is precisely what the Compatible template is for. The Compatible template changes the default file and registry permissions that are granted to the Users group in a way that is consistent with the requirements of most applications that do not belong to the Windows Logo Program. Additionally, because it is assumed that the administrator who is applying the Compatible template does not want members of the Users group to be Power Users, the Compatible template also removes all members of the Power Users group.

Reference:
MS Windows Server 2003 Deployment Kit, Designing a Managed Environment, Selecting Predefined Security Templates

QUESTION NO: 151
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains a Windows Server 2003 computer named TestKing4 that functions as a mail server. TestKing4 is configured as a member server in the domain. To improve service to users, TestKing launched a single sign-on initiative. Currently, users need to authenticate to the mail server after they log on to the domain to send or receive e-mail messages. You use IIS Manager to configure the properties for the Default SMTP Virtual Server on TestKing4. You need to allow users to send e-mail messages without explicitly logging on to TestKing4. You need to prevent unauthorized users from sending e-mail messages. What should you do? To answer, configure the appropriate option or options in the dialog box.


Answer: Uncheck Anonymous access; check Integrated Windows Authentication.

Integrated Windows Authentication
Select this option to enable the standard security mechanism that is provided with servers running Windows Server. This security feature makes it possible for businesses to provide secure logon services for their customers. Virtual servers that already use Integrated Windows Authentication in an internal system can benefit by using a single, common security mechanism. Integrated Windows Authentication uses a cryptographic technique for authenticating users and does not require the user to transmit actual passwords across the network.

Note: Using Integrated Windows Authentication requires a mail client that supports this authentication method. Microsoft Outlook and Microsoft Outlook Express support Integrated Windows Authentication.

QUESTION NO: 152

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The company has an internal network and a perimeter network. The internal network is protected by a firewall. Application servers on the perimeter network are accessible from the Internet. You are deploying 10 Windows Server 2003 computers in application server roles. The servers will be located in the perimeter network and will not be members of the domain. The servers will host only publicly available Web pages.


The network design requires that custom security settings must be applied to the application servers. These custom security settings must be automatically refreshed every day to ensure compliance with the design. You create a custom security template named Baseline1.inf for the application servers. You need to comply with the design requirements. What should you do?

A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO).
B. Create a task on each application server that runs Security Configuration and Analysis with Baseline1.inf every day.
C. Create a task on each application server that runs the secedit command with Baseline1.inf every day.
D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the secedit command with Baseline1.inf.

Answer: C

Explanation:
You will need to use the secedit command-line tool with the /configure switch, which configures a system with the security settings stored in a database. The syntax of this command is:

secedit /configure /db filename [/cfg filename] [/overwrite] [/areas area1 area2 ...] [/log filename] [/quiet]

/db filename
Specifies the database used to perform the security configuration.

/cfg filename
Specifies a security template to import into the database prior to configuring the computer. Security templates are created using the Security Templates snap-in.

/overwrite
Specifies that the database should be emptied prior to importing the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template being imported, the template settings win.

/areas
Specifies the security areas to be applied to the system. If this parameter is not specified, all security settings defined in the database are applied to the system. To configure multiple areas, separate each area by a space. The following security areas are supported:
SECURITYPOLICY   Includes Account Policies, Audit Policies, EventLog Settings and Security Options.
GROUP_MGMT       Includes Restricted Group settings.
USER_RIGHTS      Includes User Rights Assignment.
REGKEYS          Includes Registry Permissions.
FILESTORE        Includes File System permissions.
SERVICES         Includes System Service settings.

/log filename
Specifies a file in which to log the status of the configuration process. If not specified, configuration processing information is logged in the scesrv.log file, which is located in the %windir%\security\logs directory.

/quiet
Specifies that the configuration process should take place without prompting the user for any confirmation.

Example:
secedit /configure /db hisecws.sdb /cfg hisecws.inf /overwrite /log hisecws.log

For all filenames, the current directory is used if no path is specified.

Incorrect Answers:
A: The application servers are not domain members, so we cannot use Group Policy.
B: Security Configuration and Analysis is a graphical tool. We need to use the command-line version in order to schedule it.
D: The application servers are not domain members, so we cannot use Group Policy.

QUESTION NO: 153

You are a network administrator for TestKing. You install Windows Server 2003 on a server named TestKingA. You install a production application on TestKingA. You create a shared folder named ProdData on TestKingA to support the needs of the production application. All critical data files for the application are stored in the ProdData shared folder on TestKingA. You install Windows Server 2003 on another server named TestKingB. You create a shared folder on TestKingB named ProdDataBackup.


The production application keeps many data files open. All the files in the ProdData folder must be backed up during each shift change. You are not allowed to stop and restart the production application without special approval. You need to provide a backup solution for the critical files in the ProdData on TestKingA. Your solution must not affect the production application. What should you do?

A. On TestKingA, use the Backup or Restore Wizard to select the ProdData folder. Type \\TestKingB\ProdDataBackUp for the backup destination, and use the advanced backup options to select the Disable volume shadow copy check box.

B. On TestKingB, use the Backup or Restore Wizard to select the ProdData folder. Type \\TestKingA\ProdData for the backup destination, and use the advanced backup options to select the Disable volume shadow copy check box.

C. On TestKingA, use the Backup or Restore Wizard to select the ProdData folder. Type \\TestKingB\ProdDataBackUp for the backup destination.

D. On TestKingA, use the Backup or Restore Wizard to select the ProdData folder. Type \\TestKingA\ProdData for the backup destination.

Answer: C

Explanation:
To back up open files, the backup needs to be configured to use shadow copies. This is the default behaviour for the Windows Server 2003 backup program. Therefore, we just need to configure the backup program to back up the files to \\TestKingB\ProdDataBackUp.

Incorrect Answers:
A: We need to use shadow copies. This is enabled by default. We should not select the Disable volume shadow copy check box.
B: We need to use shadow copies. This is enabled by default. We should not select the Disable volume shadow copy check box.
D: \\TestKingA\ProdData is the wrong backup destination.

QUESTION NO: 154

You are a network administrator for TestKing. The network contains a Windows Server 2003, Enterprise Edition file server named TestKing3 that contains two volumes configured as drive H and drive J. Drive H contains 40 GB of unused space and drive J contains 12 GB of unused space. TestKing3 contains the shared folders shown in the following table.

File system path     Share name     Disk space used by shared folders
H:\HomeFolders       HomeFolders    20 GB
H:\GroupFolders      GroupFolders   20 GB
J:\TestKingData      TKData         16 GB

Each file in the TestKingData folder is modified or deleted every seven days on average, and new files are added frequently. Users often request that prior versions of files be restored from backup tapes. All users have Windows XP Professional computers. You want to enable users to restore prior versions of modified or deleted files in the TestKingData folder. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Enable Shadow Copies of Shared Folders on drive J and configure an 8-GB storage area on drive J.
B. Enable Shadow Copies of Shared Folders on drive J and configure a 20-GB storage area on drive H.
C. Enable automatic caching of documents for TKData.
D. Enable manual caching of documents for TKData.
E. Install Twcli32.msi on each user’s client computer.
F. Install Adminpak.msi on each user’s client computer.

Answer: B, E Explanation: The client software to access previous versions of files is Twcli32.msi. This needs to be installed on every client computer. This is a difficult question because answer A or B will work. We need to decide which disk to store the shadow copies on. Drive H has enough spare space. With more space, we can store more shadow copies. Also, placing the shadow copies on a separate disk or volume provides better performance.

Determining Which Disk to Use to Store Shadow Copies
To store the shadow copies of another volume on the same file server, a volume can be dedicated on separate disks. For example, if user files are stored on H:\, another volume such as S:\ can be used to store the shadow copies. Using a separate volume on separate disks provides better performance and is recommended for heavily used file servers.

Important: If shadow copies are stored on the same volume as the user files, note that a burst of disk input/output (I/O) can cause all shadow copies to be deleted. If the sudden deletion of shadow copies is unacceptable to administrators or end users, it is best to use a separate volume on separate disks to store shadow copies.

QUESTION NO: 155


You are a network administrator for TestKing. The design team provides you with the following list of requirements for server disaster recovery:

• No more than two sets of tapes can be used to restore to the previous day.
• A full backup of each server must be stored off-site.
• A full backup of each server that is no more than one week old must be available on-site.
• Backups must never run during business hours.
• Tapes may be recalled from off-site storage only if the on-site tapes are corrupted or damaged.

A full backup of all servers requires approximately 24 hours. Backing up all files that change during one week requires approximately 4 hours. Business hours for the company are Monday through Friday, from 6:00 A.M. to 10:00 P.M. You need to provide a backup rotation plan that meets the design team’s requirements. Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Perform a full normal backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.

B. Perform a full normal backup for on-site storage on Friday night after business hours. Perform another full normal backup for off-site storage on Saturday after the Friday backup is complete.

C. Perform a full copy backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.

D. Perform differential backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.

E. Perform incremental backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.

F. Perform incremental backups on Sunday, Tuesday, and Thursday nights after business hours. Perform differential backup on Monday and Wednesday nights after business hours.
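The archive-attribute rules that decide this question, simulated in Python. This is an added example and not part of the original TestKing document; the file names, the weekly change pattern and all function names are constructed for the illustration. It runs the week for options A+D (normal Friday, copy Saturday, differentials Sunday to Thursday) and for A+E (incrementals instead), records which file versions each tape set holds, and works out how many tape sets a restore to any given night needs, so the two-tape requirement can be checked mechanically rather than reasoned out by hand. It also implements the daily backup type, which neither plan uses.

```python
"""Model the archive-attribute rules of the five Windows Backup types and count
the tape sets a restore needs.  Constructed example: the file names, change
pattern and function names are made up and are not from the original document."""
from dataclasses import dataclass, field

NORMAL, COPY, DIFFERENTIAL, INCREMENTAL, DAILY = (
    "normal", "copy", "differential", "incremental", "daily")
CLEARS_ARCHIVE = {NORMAL, INCREMENTAL}      # types that mark files as backed up
DAYS = ["Fri", "Sat", "Sun", "Mon", "Tue", "Wed", "Thu"]   # day 0 = Friday night


@dataclass
class FileState:
    version: int = 1          # bumped on every change
    archive: bool = True      # archive attribute: set when a file is created or changed
    modified_day: int = 0     # day of the last change (daily backups select on this)


@dataclass
class Tape:
    day: int
    kind: str
    contents: dict = field(default_factory=dict)   # file name -> version captured


def select_files(kind, files, day):
    """Files a backup of this kind picks up."""
    if kind in (NORMAL, COPY):
        return list(files)                                   # every selected file
    if kind in (DIFFERENTIAL, INCREMENTAL):
        return [n for n, f in files.items() if f.archive]    # changed since last normal/incremental
    if kind == DAILY:
        return [n for n, f in files.items() if f.modified_day == day]
    raise ValueError(kind)


def run_backup(kind, files, day):
    tape = Tape(day, kind)
    for name in select_files(kind, files, day):
        tape.contents[name] = files[name].version
        if kind in CLEARS_ARCHIVE:           # copy, differential and daily leave the bit set
            files[name].archive = False
    return tape


def simulate(schedule, changes):
    """schedule: {day: kind}; changes: {day: [file names changed that day]}.
    Returns (tapes written, {day: {name: version} after that day's changes})."""
    files, tapes, snapshots = {}, [], {}
    for day in range(max(list(schedule) + list(changes)) + 1):
        for name in changes.get(day, []):
            if name in files:
                files[name].version += 1
                files[name].archive = True
                files[name].modified_day = day
            else:
                files[name] = FileState(modified_day=day)
        snapshots[day] = {n: f.version for n, f in files.items()}
        if day in schedule:                  # backups run at night, after the day's changes
            tapes.append(run_backup(schedule[day], files, day))
    return tapes, snapshots


def tapes_needed(tapes, target, day):
    """Tape sets needed to restore every file to its version on `day`: walk back
    from the most recent tape and take a tape only if it holds a wanted version
    that no later tape has already supplied."""
    wanted, needed = dict(target), []
    for tape in sorted((t for t in tapes if t.day <= day), key=lambda t: t.day, reverse=True):
        hits = [n for n, v in tape.contents.items() if wanted.get(n) == v]
        if hits:
            needed.append(tape)
            for n in hits:
                del wanted[n]
        if not wanted:
            break
    if wanted:
        raise RuntimeError(f"cannot restore {sorted(wanted)} from these tapes")
    return needed


def restore_plan(schedule, changes, day):
    tapes, snapshots = simulate(schedule, changes)
    return [(DAYS[t.day], t.kind) for t in tapes_needed(tapes, snapshots[day], day)]


def max_tapes_to_restore(schedule, changes):
    """Worst case over the week: the number the 'no more than two sets' rule is about."""
    tapes, snapshots = simulate(schedule, changes)
    return max(len(tapes_needed(tapes, snapshots[d], d)) for d in schedule)


# Constructed change pattern: four files exist before Friday's backup, edits
# happen on weekdays, nothing changes at the weekend.
CHANGES = {0: ["orders.db", "payroll.xls", "memo.doc", "config.ini"],
           3: ["orders.db", "payroll.xls"], 4: ["orders.db"],
           5: ["memo.doc"], 6: ["orders.db", "payroll.xls"]}
PLAN_A_D = {0: NORMAL, 1: COPY, **{d: DIFFERENTIAL for d in range(2, 7)}}
PLAN_A_E = {0: NORMAL, 1: COPY, **{d: INCREMENTAL for d in range(2, 7)}}

if __name__ == "__main__":
    for label, plan in (("A+D", PLAN_A_D), ("A+E", PLAN_A_E)):
        tapes, _ = simulate(plan, CHANGES)
        print(label, "files per tape:", [(DAYS[t.day], len(t.contents)) for t in tapes])
        print(label, "restore Thursday from:", restore_plan(plan, CHANGES, 6))
        print(label, "worst-case tape sets:", max_tapes_to_restore(plan, CHANGES))
```

With differentials every night after the normal backup, a restore to any night needs at most two sets (the latest differential plus the most recent full set, which the greedy walk finds in the Saturday copy because it is the nearer of the two full tapes); with incrementals the count grows with the number of nights since the full backup, and a file changed twice during the week is only pulled from the tape holding its latest version.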

Answer: A, D

Explanation:
We do a normal backup on Friday, and the archive bit is cleared. We do a copy backup on Saturday, and the archive bit is not cleared. We do a differential backup on Sunday, Monday, Tuesday, Wednesday, and Thursday. This way, we just need two tapes to restore: the full backup and the last differential backup.

Types of backup
The Backup utility supports five methods of backing up data on your computer or network.

Copy backup


A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations.

Daily backup
A daily backup copies all the files that you select that have been modified on the day the daily backup is performed. The backed-up files are not marked as having been backed up (in other words, the archive attribute is not cleared).

Differential backup
A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup.

Incremental backup
An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups, you will need to have the last normal backup set as well as all incremental backup sets to restore your data.

Normal backup
A normal backup copies all the files you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.

Backing up your data using a combination of normal backups and incremental backups requires the least amount of storage space and is the quickest backup method. However, recovering files can be time-consuming and difficult because the backup set might be stored on several disks or tapes. Backing up your data using a combination of normal backups and differential backups is more time-consuming, especially if your data changes frequently, but it is easier to restore the data because the backup set is usually stored on only a few disks or tapes.

QUESTION NO: 156

You are a network administrator for TestKing. The network design team decides that the DNS Server service must always be available. The network design team requires that all computers on the network must always access the DNS Server service by using a single IP address. TCP/IP configurations for client computers and servers will contain a single DNS entry. The DNS Server service must be authoritative for all host (A) and service locator (SRV) resource records for the network. The DNS Server service must maintain all records in the event that there is a hardware failure of the DNS server.


You need to deploy DNS on the network. You need to comply with the network design team’s requirements. What should you do?

A. Deploy DNS by using the Cluster service to configure a two-node server cluster in a failover configuration.

B. Deploy DNS by using the Cluster service to configure a two-node server cluster that hosts DNS on both nodes simultaneously.

C. Deploy DNS stub zones by using Network Load Balancing.
D. Deploy multiple DNS servers that host secondary zones that are load balanced by using Network Load Balancing.

Answer: A

Explanation:
We can use the Cluster service to configure a two-node server cluster in a failover configuration. Using the failover configuration, if one machine fails, the other machine will continue to run.

Incorrect Answers:
B: This configuration won’t work.
C: We need a primary zone, not a stub zone. The DNS Server service must be authoritative for all host (A) and service locator (SRV) resource records for the network.
D: We need a primary zone, not secondary zones. The DNS Server service must be authoritative for all host (A) and service locator (SRV) resource records for the network.

QUESTION NO: 157

You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains two domains and four sites. All servers run Windows Server 2003. You are responsible for administering domain controllers in one site. Your site contains four domain controllers. The hard disk that contains the Active Directory database fails on a domain controller named TESTKING2. You replace the failed disk. You need to recover TESTKING2. You need to achieve this goal without affecting existing Active Directory data. What should you do?

A. Perform a nonauthoritative restoration of the Active Directory database.
B. Perform an authoritative restoration of the Active Directory database.
C. Use the Ntdsutil utility to run the semantic database analysis command.
D. Use the Ntdsutil utility to run the restore subtree command.


Answer: A

Explanation:
You have four domain controllers in your site. You can simply perform a non-authoritative restore of the Active Directory database. Any changes to the Active Directory database since the data was backed up will be replicated from another domain controller.

Incorrect Answers:
B: This is not necessary. This will overwrite the Active Directory database on the other domain controllers. The other domain controllers will have the most recent copies of the Active Directory database. These changes can be replicated to the failed machine.
C: You can use this process to generate reports on the number of records present in the Active Directory database, including deleted and phantom records. It is not used to restore the Active Directory database.
D: We need to restore the entire Active Directory database, not just a subtree of it.

QUESTION NO: 158

You are the network administrator for TestKing. Your user account is a member of the Schema Admins group. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named TestKingA holds the schema master role. An application named Application1 creates additional schema classes. You notice that this application created some classes that have incorrect class names. You need to correct the class names as quickly as possible. What should you do?

A. Deactivate the Application1 classes that have the incorrect class names. Set the default security permission for the Everyone group for those schema classes to Deny.

B. Deactivate the Application1 classes that have the incorrect class names. Create the Application1 classes with the correct class names.

C. Rename the description of the Application1 classes to the correct class name. Instruct the developers of Application1 to change the code of the application so that the renamed schema classes can be used.

D. Instruct the developers of Application1 to change the code of the application so that the application creates the new schema classes with the correct class names. Reinstall Application1 and select Reload the schema in the Active Directory Schema console.

Answer: B


Explanation:
We need to deactivate the Application1 classes that have the incorrect class names. This is because you cannot delete or rename a class. We can only deactivate the incorrect classes and recreate the classes with the correct class names.

Incorrect Answers:
A: It is not necessary to deny access to the classes after deactivating them. We need to recreate the classes with the correct names.
C: Changing the description of a class doesn’t rename the class. It is not possible to rename a class.
D: We need to deactivate the classes that have the incorrect class names.

Extending the schema
When the set of classes and attributes in the base Active Directory schema do not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.

Schema extensions are not reversible
Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated.

Deactivating a class or attribute
Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or attribute is considered defunct. A defunct class or attribute is unavailable for use; however, it is easily reactivated. If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute. The only exception to this is that an attribute used as the rdnAttId of a class continues to own its attributeId, ldapDisplayName, and schemaIdGuid values even after being deactivated (that is, those values cannot be reused).

If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it. For example, the Unicode String syntax of an attribute called SalesManager could be changed to Distinguished Name. Since Active Directory does not permit you to change the syntax of an attribute after it has been defined in the schema, you can deactivate the SalesManager attribute and create a new SalesManager attribute that reuses the same object identifier and LDAP display name as the old attribute, but with the desired attribute syntax. You must rename the deactivated attribute before it can be redefined.


Reference: Server Help

QUESTION NO: 159

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. User accounts are configured as local administrators so that users can install software. A desktop support team supports end users. The desktop support team’s user accounts are all members of a group named Support.

You create a software restriction policy that only prevents users from running registry editing tools by file hash rule. You apply the policy to all user accounts in the domain. The desktop support team reports that when they attempt to run registry editing tools, they receive the following error message: “Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator”.

You need to ensure that only the desktop support team can run registry editing tools. What should you do?

A. Configure the software restriction policies to be enforced for all users except local administrators.
B. Make users members of the Power Users group instead of the Administrators group.
C. Use a logon script to copy the registry editing tools to the root of drive C. Assign the Domain Admins group the Allow – Read permission for the registry editing tools in the new location.
D. Filter the software restriction policy to prevent the Support group from applying the policy.

Answer: D

Explanation:
We can prevent the software restriction policy from applying to the Support group by simply assigning the Support group the Deny – Read and/or the Deny – Apply Group Policy permission.

Incorrect Answers:
A: The users are local administrators. The policy must apply to the local administrators.
B: The policy applies to all users. It will still apply to the Support group. Changing the local users’ group membership will have no effect on the policy.


C: The software restriction policy is using a hash rule to prevent the use of the registry editing tools. It doesn’t matter where the tools are located; they still won’t run.

QUESTION NO: 160

You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each client computer runs either Windows XP Professional or Windows 2000 Professional. The company requires that all users log on by using smart cards. You deploy Certificate Services and smart card readers. You configure auto-enrollment to issue certificates to users. Users report that they cannot log on by using a smart card. You need to ensure that all users can log on by using a smart card. What should you do?

A. In Active Directory Users and Computers, configure all user accounts to require a smart card for interactive logon.

B. Configure the domain security policy to require smart cards for interactive logon.
C. Use the Certificate Services Web site to enroll each user for a smart card certificate.
D. Add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer.

Answer: C

Explanation:
Although the question says “you configure auto-enrollment to issue certificates to users”, it doesn’t say what type of certificates were auto-enrolled. You can use the Certificate Services Web site to enroll each user for a smart card certificate.

Incorrect Answers:
A: This is not necessary. With this setting disabled, the users can log on using any method.
B: This is not necessary. With this setting disabled, the users can log on using any method.
D: In a single domain, the Certificate Authority would be trusted by the client computers in the domain. Therefore, it is not necessary to add a copy of the enterprise root certificate to the trusted root certification authorities store on each client computer.

Enrolling for a smart card certificate


A domain user cannot enroll for a Smart Card Logon certificate (which provides authentication) or a Smart Card User certificate (which provides authentication plus the capability to secure e-mail) unless a system administrator has granted the user access rights to the certificate template stored in Active Directory. Enrollment for a smart card certificate must be a controlled procedure, in the same manner that employee badges are controlled for purposes of identification and physical access.

The recommended method for enrolling users for smart card-based certificates and keys is through the Smart Card Enrollment station that is integrated with Certificate Services in Windows 2000 Server and Windows 2000 Advanced Server. When an enterprise certification authority (CA) is installed, the installation includes the Smart Card Enrollment station. This allows an administrator to act on behalf of a user to request and install a Smart Card Logon certificate or Smart Card User certificate on the user's smart card.

Prior to using the Smart Card Enrollment station, the smart card issuer must have obtained a signing certificate based on the Enrollment Agent certificate template. The signing certificate will be used to sign the certificate request generated on behalf of the smart card recipient. By default, only domain administrators are granted permission to request a certificate based on the Enrollment Agent template. A user other than a domain administrator can be granted permission to enroll for an Enrollment Agent certificate by means of Active Directory Sites and Services. It's very important to note that once someone has an Enrollment Agent certificate, they can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user.

Group Policy
Interactive logon: Require smart card

Description
This security setting requires users to log on to a computer using a smart card. The options are:

• Enabled. Users can only log on to the computer using a smart card.
• Disabled. Users can log on to the computer using any method.

Default: Disabled.

Planning Smart Card Certificate Templates
You can use any of the following types of Windows Server 2003 certificate templates to enable smart card use in the Windows Server 2003 PKI:

• Enrollment Agent. Allows an authorized user to serve as a certificate request agent on behalf of other users.
• Smart Card User. Enables a user to log on and sign e-mail.
• SmartCardLogon. Enables a user to log on by using a smart card.

Establishing Enrollment Agents


If you decide to control smart card issuance from a central location, you need to authorize one or more individuals within the organization to be enrollment agents. The enrollment agent needs to be issued an Enrollment Agent certificate, which makes it possible for the agent to enroll for certificates on behalf of users.

References: Server Help, Certificate Services; Security Policy Configuration settings; MS Windows Server 2003 Smart Card Deploy

QUESTION NO: 161

You are the network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. There is an organizational unit (OU) named DocProcessing. The DocProcessing OU contains user accounts for users in the document processing department. You create a Group Policy object (GPO) and link it to the DocProcessing OU. You configure the GPO to publish a graphics application.

Some of the users in the document processing department report that the application is not available from the Start menu, and other users report that the graphics application was installed successfully after they double-clicked a graphics application document.

You need to ensure that all users in the DocProcessing OU can successfully run the graphics application. What should you do?

A. Instruct users who report a problem to run the gpupdate command on their computers.
B. Instruct users who report a problem to install the application by using Add or Remove Programs in Control Panel.
C. Run the Resultant Set of Policy (RSoP) tool on the domain controllers on the network.
D. Run the gpresult command on each client computer and domain controller on the network.

Answer: B Explanation: You have published the applications to users. This setting makes the application available for users to install. In order to install a published application, users need to use the Add or Remove Programs applet in Control Panel, which includes a list of all published applications that are available for them to install.


Users in the document processing department report that the application is not available from the Start menu. It won't be available in the Start menu because the application was published, not assigned.

Software installation
You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension.

Assigning applications
When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications). When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

Publishing applications
You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double-clicking an .xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers.

Reference: Server Help (Group Policy Management)

Incorrect Answers:
A: This will refresh the group policy. It won't make the application available in the Start menu.
C: This will display the resultant policy. It won't make the application available in the Start menu.
D: This will display the resultant policy. It won't make the application available in the Start menu.
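The advertised-versus-installed distinction the explanation above draws (and which QUESTION NO: 170 later relies on) can be checked directly on a client. The following PowerShell script is an added example, not TestKing or Microsoft sample code; it assumes it runs on the client as the logged-on user and uses the Windows Installer COM automation interface (WindowsInstaller.Installer), whose Products, ProductInfo and ProductState members are real but late-bound.

```powershell
# Added example (not part of the TestKing material). Lists the Windows Installer
# products this client knows about and whether each one is merely advertised
# (assigned by Group Policy: shortcut present, installs on first use) or
# actually installed. Assumed to run on the client as the logged-on user.
$installer = New-Object -ComObject WindowsInstaller.Installer

# The Installer automation object is late-bound; PowerShell cannot read its
# parameterized properties directly, so they are fetched through InvokeMember.
function Get-InstallerProperty($object, $name, $arguments) {
    $object.GetType().InvokeMember($name, 'GetProperty', $null, $object, $arguments)
}

# Translate the INSTALLSTATE value returned by Installer.ProductState.
function Get-InstallStateName($state) {
    switch ($state) {
        1       { 'Advertised (not yet installed)' }
        2       { 'Absent' }
        5       { 'Installed' }
        default { "Unknown ($state)" }
    }
}

function Get-InstallerProducts {
    $products = Get-InstallerProperty $installer 'Products' $null
    foreach ($code in $products) {
        $name  = Get-InstallerProperty $installer 'ProductInfo'  @($code, 'ProductName')
        $state = Get-InstallerProperty $installer 'ProductState' @($code)
        New-Object PSObject -Property @{
            ProductCode = $code
            Name        = $name
            State       = Get-InstallStateName $state
        }
    }
}

# Products that are advertised but not installed are the user-assigned packages
# still waiting for first use. A published package that the user has not yet
# pulled from Add or Remove Programs does not appear in this list at all, which
# is exactly the symptom reported in the question.
Get-InstallerProducts | Sort-Object State, Name | Format-Table -AutoSize
```

Running the script on a computer in the affected OU shows whether a package is absent (published, never pulled), advertised (assigned, awaiting first use) or installed, which separates the "not on the Start menu" report from the "installed after double-clicking a document" report without guessing.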


QUESTION NO: 162
You are the network administrator for TestKing. The network consists of a single Active Directory domain that contains only one domain controller. The domain controller is named TestKingSrvA. The domain contains only one site named Valencia. You are adding a new site named Barcelona. You need to promote an existing Windows Server 2003 member server named TestKingSrvB to be an additional domain controller of the domain. A 56Kbps WAN connection connects the Valencia and Barcelona sites. You need to install TestKingSrvB as a new domain controller on the Barcelona site. You need to minimize the use of the WAN connection during this process. What should you do?

A. Set the site link cost between the Valencia and Barcelona sites to 50. Promote TestKingSrvB to be an additional domain controller in the Barcelona site.

B. Restore the backup files from the system state data on TestKingSrvA to a folder on TestKingSrvB and install Active Directory by running the dcpromo /adv command.

C. Promote TestKingSrvB to be an additional domain controller by running the dcpromo command over the network.

D. Promote TestKingSrvB to be an additional domain controller by using an unattended installation file.

Answer: B

Explanation:
We want to minimize the use of the WAN link. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller. The /adv switch is only necessary when you want to create a domain controller from restored backup files. It is not required when creating an additional domain controller over the network.

For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be present on local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link.
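How the backup that install from media consumes is produced, and the check a practitioner wants before carrying it to the remote site, for this question and for the QUESTION NO: 164 recovery scenario, which uses the same backup. This PowerShell block is an added example, not TestKing's or Microsoft's code; the server name, backup path and the two-machine split are assumptions, and the ntbackup and dcpromo invocations are the standard Windows Server 2003 ones.

```powershell
# Added example (not part of the TestKing material). Backup-SystemStateForIfm
# runs on the existing domain controller (TestKingSrvA); the remaining steps run
# on the member server to be promoted, after the backup has been restored there
# with ntbackup's "Restore to: Alternate location" option. Paths are assumptions.

# 1. Back up System State on the source domain controller. ntbackup's command
#    line can back up but not restore, so the restore on the new server is done
#    in the ntbackup GUI.
function Backup-SystemStateForIfm($path) {
    ntbackup backup systemstate /j "IFM System State" /f $path
}

# 2. dcpromo /adv rejects a backup older than the forest's tombstone lifetime,
#    and restoring such a backup could reintroduce objects that were deleted in
#    the meantime, so check the age before the media leaves the building.
function Get-TombstoneLifetimeDays {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = "$($rootDse.configurationNamingContext)"
    $dsObj   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $value   = $dsObj.psbase.Properties['tombstoneLifetime']
    # The attribute is unset in a forest created with Windows Server 2003 RTM,
    # in which case the default of 60 days applies.
    if ($value.Count -gt 0) { [int]$value[0] } else { 60 }
}

function Test-IfmBackupUsable($path) {
    $ageDays  = ((Get-Date) - (Get-Item $path).LastWriteTime).TotalDays
    $lifetime = Get-TombstoneLifetimeDays
    if ($ageDays -ge $lifetime) {
        Write-Warning ("{0} is {1:N0} days old; tombstone lifetime is {2} days. Take a fresh backup." -f $path, $ageDays, $lifetime)
        return $false
    }
    Write-Host ("{0} is {1:N0} days old (limit {2} days); usable for install from media." -f $path, $ageDays, $lifetime)
    return $true
}

# 3. On the member server, with the restored folder in place, run
#        dcpromo /adv
#    and on the "Copying Domain Information" page choose "From these restored
#    backup files", pointing at the alternate-location folder. Only changes
#    newer than the backup then cross the 56 Kbps link.
$backupFile = 'D:\IFM\TestKingSrvA-systemstate.bkf'   # constructed path
if (Test-IfmBackupUsable $backupFile) {
    Write-Host 'Backup is within the tombstone lifetime; proceed with dcpromo /adv.'
}
```

The tombstone-lifetime check is the part that matters operationally: a backup that has been sitting on a shelf for longer than the lifetime is not merely slow to use, it is unusable, and the promotion fails after the media has already been shipped.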


To use the install from media feature, you first create a backup of System State from the existing domain controller, then restore it to the new domain controller by using the Restore to: Alternate location option. In this scenario, we can restore the system state data to a member server, then use that restored system state data to promote the member server to a domain controller.

Reference: Server Help

QUESTION NO: 163
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains one root domain and multiple child domains. The functional level of all child domains is Windows Server 2003. The functional level of the root domain is Windows 2000 native. You configure a Windows Server 2003 computer named TestKing1 to be a domain controller for an existing child domain. TestKing1 is located at a new branch office, and you connect TestKing1 to a central data center by a persistent VPN connection over a DSL line. TestKing1 has a single replication connection with a bridgehead domain controller in the central data center. You configure DNS on TestKing1 and create secondary forward lookup zones for each domain in the forest. You need to minimize the amount of traffic over the VPN connection caused by logon activities. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Configure the DNS zones to be Active Directory-integrated zones.
B. Configure TestKing1 to be the PDC emulator for the domain.
C. Configure TestKing1 to be a global catalog server.
D. Configure universal group membership caching on TestKing1.

Answer: C, D

QUESTION NO: 164
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The Active Directory database contains 500 MB of information.


TestKing has its main office in Moscow and a branch office in Minsk. The two offices are connected by a 56-Kbps WAN connection that is used only for Active Directory replication. The Moscow office has 450 users, and the Minsk office has 15 users. The Minsk office has a single Windows Server 2003 domain controller and two Windows Server 2003 file and print servers. The hard disk containing the operating system on the domain controller in Minsk fails and cannot be recovered. You need to re-establish a domain controller that contains a current copy of Active Directory in the Minsk office. You need to achieve this goal as quickly as possible. What should you do?

A. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller. Install Active Directory from restored backup files.

B. Install Active Directory on a file and print server. Force replication.

C. Install Active Directory on a file and print server from restored backup files.

D. Replace the hard disk on the domain controller. Install Windows Server 2003 on the domain controller. Force replication.

Answer: C

Explanation:
We need to re-establish a domain controller in the Minsk office as quickly as possible. Therefore, we should install Active Directory from restored backup files. Answer A is the recommended answer, but answer C is quicker. We can use the new dcpromo /adv command to promote the DC from a backup of the system state data of an existing domain controller. The /adv switch is only necessary when you want to create a domain controller from restored backup files. It is not required when creating an additional domain controller over the network.

For additional domain controllers in an existing domain, you have the option of using the install from media feature, which is new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be present on local CD, DVD, or hard disk partition.


Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in large domains or for installing new domain controllers that are connected by a slow network link.

Incorrect Answers:
A: This would work, but answer C is quicker.
B: We don't want to replicate a 500 MB Active Directory database over a 56 Kbps WAN link.
D: We don't want to replicate a 500 MB Active Directory database over a 56 Kbps WAN link.

QUESTION NO: 165
You are the network administrator for your company. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.com and cpand1.com. The functional level of each forest is Windows Server 2003. A two-way forest trust relationship exists between the forests. You need to achieve the following goals:

• Users in the contoso.com forest must be able to access all resources in the cpand1.com forest.
• Users in the cpand1.com forest must be able to access only resources on a server named HRApps.contoso.com.

You need to configure the forest trust relationship and the resources on HRApps.contoso.com to achieve the goals. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.

B. On a domain controller in the contoso.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.

C. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use selective authentication.

D. On a domain controller in the cpand1.com forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.

E. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to allow access to the Other Organization security group.


F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.com to deny access to the This Organization security group.

Answer: A, D, E

Explanation:
Authentication between Windows Server 2003 forests
When all domains in two forests trust each other and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.

Selective authentication between forests
Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective trusts, administrators can make flexible forest-wide access control decisions. If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, users from ForestB would be able to access any resource in ForestA (assuming they have the required permissions). If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set the Allowed to authenticate control access right on an object for that particular user or group from the second forest. When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service.
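The "Allowed to authenticate" grant that answer E describes, written out as an added PowerShell example (not TestKing's or Microsoft's code) together with an audit function that lists who currently holds that right on the server's computer object. The distinguished name of the HRApps computer object is an assumption; the extended-right GUID and the two well-known SIDs are the real values.

```powershell
# Added example (not part of the TestKing material). Grants the Allowed to
# Authenticate control access right on the HRApps computer object to a principal
# from the trusted forest, and lists existing grants. Run in the contoso.com
# forest as an account that can edit the computer object's DACL.
$computerDn = 'CN=HRApps,OU=Servers,DC=contoso,DC=com'   # assumed DN

# rightsGuid of the Allowed-To-Authenticate control access right.
$allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Well-known SIDs that the text describes. With selective authentication in
# force, a cross-forest token carries S-1-5-1000 (Other Organization); once the
# resource server has accepted the user it carries S-1-5-15 (This Organization).
$otherOrganization = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-1000'

function Grant-AllowedToAuthenticate($dn, $sid) {
    $entry = [ADSI]"LDAP://$dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $entry.psbase.ObjectSecurity.AddAccessRule($rule)
    $entry.psbase.CommitChanges()
}

function Get-AllowedToAuthenticateGrants($dn) {
    $entry = [ADSI]"LDAP://$dn"
    $acl = $entry.psbase.ObjectSecurity
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.ObjectType -eq $allowedToAuthenticate -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Answer E: every cpand1.com user who reaches HRApps gets the Other Organization
# SID, so granting the right to S-1-5-1000 admits all of them to this one server
# and nothing else in the forest. Passing a specific group's SID from the
# trusted forest instead narrows it further.
Grant-AllowedToAuthenticate $computerDn $otherOrganization

Write-Host "Principals allowed to authenticate to $computerDn :"
Get-AllowedToAuthenticateGrants $computerDn
```

The audit function is the defender's half of the answer: with selective authentication on, every computer object that carries this right for S-1-5-1000 or for a foreign SID is an entry point from the other forest, so the list should be reviewed whenever the trust is.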
Once the user is authenticated, the server to which he authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.

QUESTION NO: 166
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains five domains and 30 remote sites located in cities throughout the world. There are a total of 40,000 users in the five domains. All remote sites are connected to the company network by unreliable 56-Kbps WAN connections.


Each site contains at least one domain controller and one global catalog server. All domain controllers in the forest run Windows Server 2003. The functional level of all the domains in the forest is Windows 2000 native. You plan to deploy several Active Directory-enabled applications over the next six months. Each of these applications will add attributes to the global catalog or modify existing attributes in the global catalog. You need to make modifications to the Active Directory infrastructure in order to prepare for these deployments. You plan to accomplish this task during off-peak hours. You need to ensure that you can minimize any potential network disruption that would be caused by the deployment of these applications in the future. You also need to ensure that the modifications do not disrupt user access to resources. What should you do?

A. Decrease the tombstone lifetime attribute in the Active Directory Schema NTDS-Service object class.
B. Remove the global catalog role from the global catalog servers in each remote site.
C. Raise the functional level of the forest to Windows Server 2003.
D. Configure universal group membership caching in each remote site.

Answer: C

Explanation:
To prepare for the new applications, the best option is to raise the forest functional level. This enables us to deactivate any wrongly defined schema class or attribute, and to create DNS and Active Directory partitions for the new applications.

Extending the schema
When the set of classes and attributes in the base Active Directory schema do not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.

Schema extensions are not reversible
Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated.

Deactivating a class or attribute
Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or attribute is considered defunct. A defunct class or attribute is unavailable for use; however, it is easily reactivated.
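The deactivation step described above, as an added PowerShell example (not TestKing's or Microsoft's code) using the SalesManager attribute from the explanation's own scenario. It writes the LDIF change that ldifde applies and first checks the one condition the text calls out, that an attribute serving as a class's RDN attribute keeps its identifiers after deactivation. The attribute name is an assumption; the LDIF and ldifde invocation are the standard Windows Server 2003 ones.

```powershell
# Added example (not part of the TestKing material). Deactivates a schema
# attribute by setting isDefunct, after confirming that no class uses it as its
# RDN attribute. Run on the schema master as a member of Schema Admins.
$ldapDisplayName = 'salesManager'   # assumed attribute name

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = "$($rootDse.schemaNamingContext)"

function Find-SchemaObject($filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = $filter
    $searcher.FindAll()
}

function Get-SchemaAttribute($name) {
    $hits = Find-SchemaObject "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
    if ($hits.Count -ne 1) { throw "Attribute $name not found in the schema" }
    $hits[0].GetDirectoryEntry()
}

function Test-UsedAsRdn($attributeId) {
    # rDNAttID holds the OID of the attribute that names instances of a class.
    $hits = Find-SchemaObject "(&(objectClass=classSchema)(rDNAttID=$attributeId))"
    $hits.Count -gt 0
}

function Disable-SchemaAttribute($name) {
    $attr = Get-SchemaAttribute $name
    $oid  = "$($attr.attributeID)"
    if (Test-UsedAsRdn $oid) {
        throw "$name is the RDN attribute of a class; its OID and names cannot be reused after deactivation"
    }
    # isDefunct is the only value that changes; the domain controller also
    # rejects the change while an active class still lists the attribute in
    # its mustContain or mayContain.
    $ldif = @"
dn: $($attr.distinguishedName)
changetype: modify
replace: isDefunct
isDefunct: TRUE
-
"@
    $ldifPath = Join-Path $env:TEMP "deactivate-$name.ldf"
    Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
    ldifde -i -f $ldifPath
    # Reactivation later is the same modification with isDefunct: FALSE.
}

Disable-SchemaAttribute $ldapDisplayName
```

Keeping the change in an LDIF file rather than clicking through the Schema snap-in gives you the artifact to test in the lab first, as the text recommends, and the same file with FALSE is the rollback.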


If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute. The only exception to this is that an attribute used as the rdnAttId of a class continues to own its attributeId, ldapDisplayName, and schemaIdGuid values even after being deactivated (that is, those values cannot be reused). If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it. For example, the Unicode String syntax of an attribute called SalesManager could be changed to Distinguished Name. Since Active Directory does not permit you to change the syntax of an attribute after it has been defined in the schema, you can deactivate the SalesManager attribute and create a new SalesManager attribute that reuses the same object identifier and LDAP display name as the old attribute, but with the desired attribute syntax. You must rename the deactivated attribute before it can be redefined.

Reference: Server Help

QUESTION NO: 167
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. TestKing merges with a company named Acme. You need to create new user accounts for all of the Acme employees. The e-mail address format for all users at Acme is [email protected]. The users need to continue to use their e-mail addresses after the merger. To decrease confusion, these users also need to be able to use their e-mail addresses as their user logon names when logging on to the company network. You need to ensure that new users can log on by using their e-mail addresses as their logon names. You want to achieve this goal by incurring the minimum cost and by using the minimum amount of administrative effort. What should you do?

A. Create a new domain tree named acme.com in the testking.com forest. Create user accounts for all of the users in the acme.com domain.

B. Create a new forest named acme.com. Create user accounts for all of the users in the acme.com domain. Configure a forest trust relationship between the two forests.


C. Create user accounts for all of the new users in the testking.com domain. Configure the e-mail addresses for all of the Acme users as [email protected].

D. Configure acme.com as an additional user principal name (UPN) suffix for the testking.com forest. Configure each user account to use the acme.com UPN suffix.

Answer: D

Explanation:
Enabling UPN logon
You can simplify the logon process for users by enabling UPN logon. When UPN logon is enabled, all users use the same UPN suffix to log on to their domains. This might be the users' e-mail address. For example, a user, Bob, in the Reskit domain enters [email protected] for his UPN logon name. In this way, he does not have to select a domain from a long list. UPN names are comprised of the user's logon name and the DNS name of the domain. When you enable UPN logon, users' logon names remain the same even when their domains change. You might choose to enable UPN logon if your system meets the following criteria:

• Domain names in your enterprise are complex and difficult to remember.
• Users in your organization might change domains as a result of domain consolidation or other organizational changes.
• All domains in the forest are in native mode.
• User logon names are unique within the forest.
• A global catalog server is available to match the UPN to the correct domain account.

You can use one UPN suffix for all users in the forest. For example, [email protected] might be a member of the noam domain, a child domain of the Reskit domain. In this way, when Alice logs on, she does not need to know which domain she is logging on to because a global catalog will find the domain that contains her user account. If Alice moves to another domain, she still logs on with the same UPN suffix. To enable UPN logon for all accounts, use Active Directory Users and Computers to edit the user's account to select a specific UPN suffix, such as the forest root domain.

To enable UPN logon

1. In Active Directory Users and Computers, right-click the user's account.
2. Click Properties, and click the Account tab.
3. Select one of the UPN suffixes from the User logon name drop-down combo box.
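The same change scripted, since the acme.com suffix must first be registered for the forest before it appears in the drop-down box the steps above refer to, and each UPN must be unique forest-wide. This PowerShell block is an added example, not TestKing's or Microsoft's code; the suffix, the user's distinguished name and the e-mail address are constructed values, and the uniqueness check goes through the global catalog for the reason the criteria list gives.

```powershell
# Added example (not part of the TestKing material). Registers acme.com as an
# alternative UPN suffix for the forest (the uPNSuffixes attribute on the
# Partitions container), then sets a user's logon name to their e-mail address
# after confirming no account anywhere in the forest already has that UPN.
$newSuffix = 'acme.com'                                   # constructed value
$rootDse   = [ADSI]'LDAP://RootDSE'

function Add-ForestUpnSuffix($suffix) {
    $cfgNc      = "$($rootDse.configurationNamingContext)"
    $partitions = [ADSI]"LDAP://CN=Partitions,$cfgNc"
    $existing   = $partitions.psbase.Properties['uPNSuffixes']
    if ($existing -contains $suffix) { return }
    $existing.Add($suffix) | Out-Null
    $partitions.psbase.CommitChanges()
}

function Test-UpnUnique($upn) {
    # A UPN is only safe to assign if no account in any domain of the forest
    # uses it, so the search runs against the global catalog, not one domain.
    $forestRoot = "$($rootDse.rootDomainNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$forestRoot"
    $searcher.Filter = "(userPrincipalName=$upn)"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    ($searcher.FindOne() -eq $null)
}

function Set-UserUpn($userDn, $upn) {
    if (-not (Test-UpnUnique $upn)) { throw "UPN $upn is already in use in the forest" }
    $user = [ADSI]"LDAP://$userDn"
    $user.Put('userPrincipalName', $upn)
    $user.SetInfo()
}

Add-ForestUpnSuffix $newSuffix
# Constructed user; in the merger scenario this runs once per Acme account.
Set-UserUpn 'CN=Alice Example,OU=Acme Users,DC=testking,DC=com' "alice@$newSuffix"
```

Adding the suffix is a one-time forest change made by an Enterprise Admin; assigning UPNs is a per-account change, which is why answer D costs nothing beyond the accounts that had to be created anyway.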

Reference: MS White Paper, Designing an Authentication Strategy

QUESTION NO: 168
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. Password resets are performed on user accounts on all servers regularly throughout each day. The Windows Server 2003 computers named TestKingA, TestKingB, and TestKingC are configured as shown in the following table.


One Wednesday morning, another network administrator in Boston connects to TestKingC and deletes an organizational unit (OU) named BostonUsers. The change replicates to all sites in the forest. Users in Boston report that they can no longer log on to the network. You need to provide the users in Boston with the ability to log on to the network as soon as possible. You must also ensure that there is minimal disruption to the users in Toronto and San Francisco. What should you do?

A. Restore the BostonUsers OU on TestKingA from backup. Use the Ntdsutil utility to mark the BostonUsers OU as authoritative. Allow replication to take place.

B. Restore the BostonUsers OU on TestKingB from backup. Allow replication to take place.

C. Use the Ntdsutil utility to connect to TestKingA. Use the metadata cleanup command to remove TestKingC from Active Directory. Force replication.

D. Use the Ntdsutil utility on TestKingC to mark the domain context as authoritative. Force replication.

Answer: A

Explanation:
We need to restore the BostonUsers OU. We should restore it on TestKingA because that domain controller has a more recent backup. We need to mark the BostonUsers OU as authoritative so that it gets replicated to the other domain controllers. If we didn't mark the BostonUsers OU as authoritative, it would be deleted again at the next AD replication.

Incorrect Answers:
B: We need to mark the BostonUsers OU as authoritative so that it gets replicated to the other domain controllers. If we didn't mark the BostonUsers OU as authoritative, it would be deleted again at the next AD replication.
C: We need to restore the BostonUsers OU. This won't restore the OU.
D: We need to restore the BostonUsers OU. This won't restore the OU.
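The commands behind answer A, as an added example that is not part of the TestKing material. The OU's distinguished name is an assumption; the ntdsutil syntax is the standard Windows Server 2003 one, and repadmin comes from the Windows Support Tools.

```powershell
# Added example (not part of the TestKing material). Authoritative restore of
# the BostonUsers OU on TestKingA. Run from Directory Services Restore Mode,
# after System State has been restored with ntbackup and BEFORE the server is
# restarted normally. The OU's distinguished name is an assumption.
$ouDn = 'OU=BostonUsers,DC=testking,DC=com'

# 1. Restart TestKingA in Directory Services Restore Mode (F8 at boot) and
#    restore System State from the most recent backup in the ntbackup GUI.
#    Do not reboot normally yet: on its own that is a non-authoritative
#    restore, and the replicated deletion would overwrite the OU again.

# 2. Mark only the OU subtree authoritative. ntdsutil raises the version
#    numbers on those objects so that, once replication resumes, they win over
#    the tombstones held by every other domain controller. "restore database"
#    (the whole domain, as in answer D) would instead roll back every change
#    made since the backup and disrupt Toronto and San Francisco.
ntdsutil "authoritative restore" "restore subtree $ouDn" quit quit

# 3. Reboot normally. Replication carries the OU to the other sites on the
#    site link schedule; to push it immediately so Boston can log on sooner:
#    repadmin /syncall TestKingA /e
```

Marking the subtree rather than the database is the part of answer A that protects the other two sites: the authoritative version bump applies only to the objects under the OU, so the password resets and other changes made elsewhere that day are kept.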


QUESTION NO: 169
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Accounting. A user named Tess works in the accounting department. A user account for Tess is located in the Accounting OU. You create three Group Policy objects (GPOs) and link them to the Accounting OU. The three policies are shown in the Accounting Properties exhibit.

You run Resultant Set of Policy (RSoP) in logging mode for Tess’s user account. The results for the policies that apply to Tess’s user account are shown in the RSoP Settings exhibit.


You need to ensure that the Desktop tab and the Screen Saver tab are disabled. What should you do?

A. Move the Hide Screen Saver disabled GPO higher in the priority list in the Group Policy Object Links area of the Accounting Properties dialog box.

B. Move the Hide Screen Saver disabled GPO lower in the priority list in the Group Policy Object Links area of the Accounting Properties dialog box.

C. Disable the Block Policy inheritance setting on the Accounting OU.

D. Click the Options button in the Accounting Properties dialog box and enable the No Override setting on the Hide desktop tab GPO.

Answer: B

Explanation:
The Desktop tab is already hidden, so we just need to hide the Screen Saver tab. With the current settings, the Hide Screen Saver Enabled policy is applied first. It is then overwritten by the Hide Screen Saver Disabled policy, with the result that the Screen Saver tab is not hidden. We can rectify this by moving the Hide Screen Saver disabled GPO lower in the priority list in the Group Policy Object Links area of the Accounting Properties dialog box. This means that the Hide Screen Saver Disabled policy is applied first and is then overwritten by the Hide Screen Saver Enabled policy.

Incorrect Answers:
A: The Hide Screen Saver disabled GPO is already higher in the priority list than the Hide Screen Saver Enabled GPO. It needs to be lower.
C: The problem is caused by the OU policies. Unblocking inheritance won't affect the OU policies.
D: This won't affect the policies applied at this OU level. This would only affect child OUs if they existed.


QUESTION NO: 170
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All member servers run Windows Server 2003. All client computers run Windows XP Professional. All client computer accounts in the domain are located in an organizational unit (OU) named Workstations. You need to distribute a new application to all client computers on the network. You create a Group Policy object (GPO) that includes the application package in the software installation settings of the Computer Configuration section of the GPO. You assign the GPO to the Workstations OU. Several days later, users report that the new application is still not installed on their client computers. You need to ensure that the application is installed on all client computers. What should you do?

A. Instruct users to restart their client computers.
B. Instruct users to run Windows Update on their client computers.
C. Instruct users to force a refresh of the computer policy settings on their client computers.
D. Instruct users to force a refresh of the user policy settings on their client computers.

Answer: A

Explanation:
When an application is assigned to a computer, the software is deployed when it is safe to do so (that is, when the operating system files are closed). This generally means that the software will be installed when the computer starts up, which ensures that the applications are deployed prior to any user logging on. For this scenario, we need to tell the users to restart their client computers.

Incorrect Answers:
B: Windows Update is used to update the operating system with the latest security patches and similar fixes.
C: You applied the policy several days ago. The client computers should have the GPO by now.
D: The setting isn't in the user section of the group policy.

When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications). When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation.


With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

Reference: Group Policy Help

QUESTION NO: 171
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows 2000 mixed. The domain includes an organizational unit (OU) named Marketing. Computer accounts for client computers in the marketing department are located in the Marketing OU. Each client computer runs Windows NT Workstation 4.0, Windows 2000 Professional, or Windows XP Professional. You need to automatically deploy a new software package to all Windows 2000 Professional client computers in the Marketing OU. You create a Group Policy object (GPO) and link it to the Marketing OU. What else should you do?

A. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Modify the discretionary access control list (DACL) of the GPO to assign the Authenticated Users group the Allow – Read and the Deny – Apply Group Policy permissions.

B. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Configure a WMI filter to include Windows 2000 Professional.

C. Configure the GPO to assign the software package under the Computer Configuration section, under Software Settings. Disable Computer Configuration settings on the GPO.

D. Configure the GPO to publish the software package under the User Configuration section, under Software Settings. Modify the discretionary access control list (DACL) of the GPO to assign only the Windows 2000 Professional computer accounts the Allow – Read and the Allow – Apply Group Policy permissions.

Answer: B

Explanation: This question is tricky because Windows 2000 clients cannot process WMI filters. They will ignore the filters and install the software. However, the Windows XP clients will process the WMI filter and so will not install the software. The NT clients will not process the group policy at all, and so will not install the software. This fulfils the requirements in the question.

WMI filtering: WMI filters are only available in domains that have the Windows Server 2003 configuration. Although none of the domain controllers need to be running Windows Server 2003, you must have run ADPrep /DomainPrep in this domain. Also note that WMI filters are only evaluated by clients running Windows XP, Windows Server 2003, or later. WMI filters associated with a Group Policy object will be ignored by Windows 2000 clients, and the GPO will always be applied on Windows 2000.

Incorrect Answers:
A: This will deny the group policy, so the policy will not apply to anyone.
C: This will disable the part of the GPO with the required settings. Therefore, the software won't install on any computers.
D: The software needs to be assigned to the computers, not the users. This answer could work if the software was assigned under the Computer Configuration section, but it's an impractical way of doing it.

QUESTION NO: 172

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The network contains 10 file servers running Windows Server 2003. All the file servers are located in an organizational unit (OU) named TK. You discover that a virus is infecting files on the file servers. You locate an antivirus application that will remove the virus and install a patch that prevents the virus from re-infecting the servers. The application and its updates are available as .msi files. The file servers must remain available because users are currently using the file servers for critical processes. You need to ensure that the file servers are protected from viruses. You want to accomplish this task by using the minimum amount of administrative effort. Which action or actions should you take to achieve this goal?

To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes until you list all required actions in the correct order. You might not need to use all numbered boxes.

Answer: First action: Log on interactively and install the .msi file on each server.

Explanation: When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. The question states that the file servers must remain available because users are currently using the file servers for critical processes. For this reason, we cannot use a group policy to assign the software (we cannot reboot the computers). Therefore, we must manually install the software on the computers.

QUESTION NO: 173

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. User accounts for users in the finance department are in an organizational unit (OU) named Finance. You use Group Policy objects (GPOs) to manage these user accounts. Users in the finance department need a new application installed on their computers. Several of these users volunteer to be pilot users to test the application before it is deployed throughout the department. You configure a GPO to install the application. You create a group named PilotUsers in the Finance OU. You make the pilot users' user accounts members of the PilotUsers group. The pilot users' user accounts are also in the Finance OU.

You need to allow only the pilot users to test the application. What should you do?

A. Assign the PilotUsers group the Allow – Read and the Allow – Write permissions for the gPLink property of the Finance OU.

B. Assign the PilotUsers group the Allow – Read and the Allow – Apply Group Policy permissions for the GPO. Remove the Authenticated Users group’s permissions to apply the GPO.

C. Assign the PilotUsers group the Allow – Generate Resultant Set of Policy (Logging) permissions for the Finance OU.

D. Assign the PilotUsers group the Allow – Generate Resultant Set of Policy (Planning) permission for the Finance OU.

Answer: B

Explanation: We need to install the application for the pilot users only. We can do this by assigning the PilotUsers group the Allow – Read and the Allow – Apply Group Policy permissions for the GPO. To prevent the GPO applying to the other finance users, we need to remove the Authenticated Users group's permissions to apply the GPO.

Incorrect Answers:
A: We need to assign permissions to apply the group policy, not link the policy.
C: This will allow the PilotUsers group to run RSoP in logging mode. It won't configure the GPO to apply to just the pilot users.
D: This will allow the PilotUsers group to run RSoP in planning mode. It won't configure the GPO to apply to just the pilot users.

QUESTION NO: 174

You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All computers are members of the domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains desktop client computers and portable client computers. The portable computers include both laptop computers and tablet computers. Client computer accounts are located in various organizational units (OUs) organized by department and division, along with desktop computer accounts.

A written company policy requires that no portable computer is to be left unattended and logged on to the network, unless protected by a password. Users are not allowed to override this requirement. This requirement does not apply to desktop computers because those computers are located in secured offices. You need to configure your network so that portable computers comply with the written requirement. What should you do?

A. Create a Group Policy object (GPO) that specifies a logon script. Link this GPO to the domain. Configure the logon script to read the Oeminfo.ini file for manufacturer and model information, and set the screen saver properties if the manufacturer and model number indicate one of the portable computers.

B. Create a Group Policy object (GPO) that specifies a logon script. Link this GPO to the domain. Configure the logon script to make a WMI query for manufacturer information and update the user's profile information in Active Directory if the user is using a portable computer.

C. Create a Group Policy object (GPO) that specifies a password-protected screen saver. Link this GPO to the domain. Use a WMI filter to query for the hardware chassis type information to ensure that the GPO applies only to the portable computers.

D. Create a Group Policy object (GPO) that specifies a password-protected screen saver. Link this GPO to the domain. Use a WMI filter to query for the specific edition of Windows XP Professional installed on the computer to ensure that the GPO applies only to the portable computers.
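
An added example, not from the original document, of the chassis-type WMI filter this question turns on: the WQL text that goes into the GPO's WMI filter, evaluated locally in PowerShell so you can see which computers it would select before linking the GPO. The chassis codes and the root\CIMv2 namespace are the standard Win32_SystemEnclosure values; the variable names are this example's own.

```powershell
# Added example (not from the original document). Builds the WMI filter query
# that selects portable computers by chassis type and evaluates it on the local
# machine the way the client-side Group Policy engine would.
# Chassis codes are the SMBIOS values reported by Win32_SystemEnclosure.ChassisTypes.
$portableChassis = @{
     8 = 'Portable'; 9 = 'Laptop'; 10 = 'Notebook'; 14 = 'Sub Notebook'
    30 = 'Tablet';   31 = 'Convertible'; 32 = 'Detachable'
}

# Query text to paste into the GPO's WMI filter (namespace root\CIMv2).
$wql = 'SELECT * FROM Win32_SystemEnclosure WHERE ' +
       (($portableChassis.Keys | Sort-Object | ForEach-Object { "ChassisTypes = $_" }) -join ' OR ')

# A filtered GPO applies only when the query returns at least one instance.
$reported = (Get-CimInstance -Namespace 'root\CIMv2' -ClassName Win32_SystemEnclosure).ChassisTypes
$hits     = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $wql)
$gpoWouldApply = $hits.Count -gt 0

$described = $reported | ForEach-Object {
    $name = $portableChassis[[int]$_]
    if ($name) { "$_ ($name)" } else { "$_ (not portable)" }
}

"WMI filter query:   $wql"
"Chassis types here: $($described -join ', ')"
"GPO would apply:    $gpoWouldApply"

# Caveat (see question 171): Windows 2000 clients do not evaluate WMI filters and
# apply a filtered GPO unconditionally, so a GPO scoped this way must also be kept
# away from OUs that still contain Windows 2000 computers.
```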

Answer: C

Explanation: We can use a WMI filter to query for the hardware chassis type information to ensure that the GPO applies only to the portable computers.

Incorrect Answers:
A: This is a very difficult and impractical way of doing it.
B: Updating the user profile would not achieve anything.
D: The desktops would probably have the same version of XP as the laptops.

QUESTION NO: 175

You are the network administrator for Acme. The network consists of a single Active Directory forest root domain named acme.com. The functional level of the forest is Windows Server 2003.

A Windows Server 2003 domain controller named DC1.acme.com is the Active Directory-integrated DNS server for acme.com. All servers and client computers in the acme.com domain use DC1.acme.com as their DNS server for name resolution. Acme acquires a company named TestKing. The TestKing network consists of a single Active Directory forest root domain named testking.com. The functional level of this domain is Windows Server 2003. A Windows Server 2003 domain controller named DC1.testking.com is the Active Directory-integrated DNS server for testking.com. All servers and client computers in the testking.com domain use DC1.testking.com as their DNS server for name resolution. You create a two-way forest trust relationship with forest-wide authentication between acme.com and testking.com. You need to ensure that all users in both companies can log on to both forest root domains. You need to achieve this goal without adversely affecting Internet access. What should you do?

A. Set the Stub Zone as the zone type for the acme.com domain on DC1.acme.com and for the testking.com domain on DC1.testking.com.

B. Select the Do not use recursion for this domain check box on DC1.testking.com and on DC1.acme.com.

C. Add the fully qualified domain name (FQDN) and the IP address of DC1.testking.com to the Root hints list in DC1.acme.com. Add the FQDN and the IP address of DC1.acme.com to the Root hints list on DC1.testking.com.

D. Configure conditional forwarding on DC1.acme.com to forward all requests for resources in the testking.com domain to DC1.testking.com. Configure conditional forwarding on DC1.testking.com to forward all requests for resources in the acme.com domain to DC1.acme.com.

Answer: D

Explanation: To log on to a computer in acme.com with a user account in testking.com, the acme.com DNS server needs to be able to locate a domain controller in testking.com to authenticate the logon. You can use conditional forwarding, which enables a DNS server to forward DNS queries based on the DNS domain name in the query.

Using Conditional Forwarding to Query for Names in Other Namespaces: If your internal network does not have a private root and your users need access to other namespaces, such as a network belonging to a partner company, use conditional forwarding to enable servers to query for names in other namespaces. Conditional forwarding in Windows Server 2003 DNS eliminates the need for secondary zones by configuring DNS servers to forward queries to different servers based on the domain name.

Reference: Server Help

QUESTION NO: 176

Your network contains a Windows Server 2003 computer named TestKingC. TestKingC has a single CPU, 512 MB of RAM, and a single 100MB network adapter. All network users' home folders are stored on TestKingC. Users access their home folders by using a mapped network drive that connects to a shared folder on TestKingC. After several weeks, users report that accessing home folders on TestKingC is extremely slow at certain times during the day. You need to identify the resource bottleneck that is causing the poor performance. What should you do?

A. Capture a counter log by using LogicalDisk, PhysicalDisk, Processor, Memory and Network Interface performance objects and view the log data information that is captured during period of poor performance

B. Configure alerts on TestKingC to log entries in the event logs for the LogicalDisk, PhysicalDisk, Processor, Memory and Network Interface performance objects when the value of any object is more than 90

C. Capture a trace log that captures Page faults, File details, Network TCP/IP, and Process creations/deletions events

D. Implement Auditing on the folder that contains the user’s home folders. Configure Network Monitor on TestKingC

Answer: A

Explanation: The problem is most likely to be caused by a hardware bottleneck. This could be a disk problem or a problem with the processor, RAM or network card. We can monitor these hardware resources by using a System Monitor counter log. The Windows Performance tool is composed of two parts: System Monitor and Performance Logs and Alerts. With System Monitor, you can collect and view real-time data about memory, disk, processor, network, and other activity in graph, histogram, or report form. The output from the counter log will show us which hardware resource is unable to cope with the load and needs to be upgraded or replaced.

Incorrect Answers:
B: We cannot use a generic value of 90 for the different hardware resources because different hardware resources have different acceptable performance counters.
C: We need to monitor the hardware resources listed in answer A, not the software resources listed in this answer.
D: The problem is most likely to be caused by a hardware bottleneck. Auditing and network monitoring won't give us any useful information about the hardware.

QUESTION NO: 177

Your network consists of a single Active Directory domain. TestKing has a main office in Denver and branch offices in Paris and Bogota. Each branch office contains a Windows Server 2003 DC. All client computers run Windows XP Professional. Users in the Bogota office report intermittent problems authenticating to the domain. You suspect that a specific client computer is causing the problem. You need to capture the authentication event details on the domain controller in the Bogota office so that you can find out the IP address of the client computer that is the source of the problem. What should you do?

A. Configure System Monitor to monitor authentication events

B. Configure Performance Logs and Alerts with a counter log to record the authentication events

C. Configure Network Monitor to record the authentication events

D. Configure Performance Logs and Alerts with an alert to trigger on authentication events

Answer: C

Explanation: The question states that you need to find out the IP address of the client computer that is the source of the problem. Using Network Monitor to capture traffic is the only way to do this.

Incorrect Answers:
A: This will not display the IP address of the client computer that is the source of the problem.
B: This will not display the IP address of the client computer that is the source of the problem.
D: This will not display the IP address of the client computer that is the source of the problem.

Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;175062

QUESTION NO: 178

You have just installed two Windows Server 2003 computers. You configure the servers as a two-node server cluster. You install WINS on each node of the cluster. You create a new virtual server to support WINS. You create a new cluster group named WINSgroup. When you attempt to create the Network Name resource, you receive an error message. You need to make the proper changes to the cluster to complete the installation of WINS. What should you do?

A. Create a Generic Service resource in the WINSgroup cluster group

B. Configure the network priorities for the cluster

C. Create an IP address resource in the WINSgroup cluster group

D. Add the proper DNS name for the WINS Server in the DNS database

Answer: C

Explanation: You need to create an IP address resource before you can create the network name resource.

Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;226796

QUESTION NO: 179

TestKing uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used. A user named Tess on a server named TestKing2 reports that when she runs a script to transfer files to a server named TestKing5, she receives the following error message: "Unknown Host TestKing5". You use TestKing2 to troubleshoot the problem. The results of your troubleshooting show that the nslookup utility replies with an address of 192.168.1.8. When you try to ping TestKing5, the reply times out and shows a different IP address. You need to allow Tess on TestKing2 to use the script on TestKing5. What should you do?

A. Re-register TestKing5 with WINS

B. On TestKing5, run the ipconfig /registerdns command

C. On TestKing2, run the ipconfig /flushdns command

D. On TestKing2, purge and reload the remote NetBIOS cache name table

Answer: A

Explanation: The nslookup utility replies with an address of 192.168.1.8. This is probably the correct address. When you ping TestKing5, it times out and shows a different IP address. This is an incorrect address that was resolved using a WINS lookup. As the address in the WINS database is wrong, we need to re-register TestKing5 with WINS.

Incorrect Answers:
B: The address of TestKing5 stored in DNS is likely to be correct, so it doesn't need to be re-registered.
C: Nslookup returns an address of TestKing5 that is likely to be correct. We know this because the ping test fails with a different IP address. Therefore, the locally cached IP address is likely to be correct, so the cache doesn't need to be cleared.
D: We would need to purge the local NetBIOS name cache, not the remote cache.

QUESTION NO: 180

You are the network administrator for TestKing. There is a single Active Directory domain named TestKing.com. All computers on the network are members of the domain. All domain controllers run Windows Server 2003. You are planning a Public Key Infrastructure (PKI). The PKI design documents for TestKing specify that certificates that users request to encrypt files must have a validity period of two years. The validity period of the Basic EFS certificate is one year. In the Certificate Templates console, you attempt to change the validity period for the Basic EFS certificate template. However, the console does not allow you to change the value. You need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files. What should you do?

A. Install an enterprise CA in each domain.

B. Assign the Domain Admins group the Allow Full control permission for the Basic EFS certificate template.

C. Create a duplicate of the Basic EFS certificate template. Enable the new template for issuing certificate authorities.

D. Instruct users to connect to the CA Web Enrolment pages to request a Basic EFS certificate.

Answer: C

Explanation: The question states that the validity period of the Basic EFS certificate is one year. This suggests that we are using a standalone CA (the default validity period for an enterprise CA is two years). We cannot change the validity period of the Basic EFS template. We can, however, make a copy of the Basic EFS template. This would enable us to make changes to the copy of the template.

Incorrect Answers:
A: The default validity period for an enterprise CA is two years. This would satisfy the requirement that the certificates have a validity period of two years. However, it does not satisfy the requirement that "you need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files". Therefore, answer C is a better solution.
B: This is not a permissions issue. We cannot change the values in the template because they are hardcoded into the templates.
D: We need to edit the template before the users receive the certificates.

Reference: http://support.microsoft.com/?id=254632

QUESTION NO: 181

You are a network administrator for TestKing. The company has a main office and one branch office. The network consists of a single Active Directory domain named TestKing.com. All servers run Windows Server 2003. The company needs to connect the main office network and the branch office network by using RRAS servers at each office; the networks will be connected by a VPN connection over the Internet. The company's written security policy includes the following requirements for VPN connections over the Internet:

All data must be encrypted with end-to-end encryption.
VPN connection authentication must be at the computer level.
Credential information must not be transmitted over the Internet as part of the authentication process.

You need to configure security for VPN connections between the main office and the branch office. You need to comply with the written policy.

What should you do?

A. Use a PPTP connection with EAP-TLS authentication

B. Use a PPTP connection with MS-CHAP v2 authentication

C. Use an L2TP connection with EAP-TLS authentication

D. Use an L2TP connection with MS-CHAP v2 authentication

Answer: C

Explanation: Strictly speaking, this answer is incomplete, because it doesn't mention IPSec. For computer-level authentication, we must use L2TP/IPSec connections. To establish an IPSec security association, the VPN client and the VPN server use the Internet Key Exchange (IKE) protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. Computer certificate authentication is highly recommended, as it is a much stronger authentication method. Computer-level authentication is only done for L2TP/IPSec connections.

Incorrect Answers:
A: PPTP uses user-level authentication over PPP. The question states that computer-level authentication is required; therefore we must use L2TP/IPSec.
B: PPTP uses user-level authentication over PPP. The question states that computer-level authentication is required; therefore we must use L2TP/IPSec.
D: For computer certificate authentication, we must use EAP-TLS, not MS-CHAP v2.

QUESTION NO: 182

You are the systems engineer for TestKing. TestKing has 20,000 users in a large campus environment located in London. Each department in the company is located in its own building. Each department has its own IT staff. The company's network is divided into several IP subnets that are connected to one another by using dedicated routers. Each building on the company's main campus contains at least one subnet, and possibly up to five subnets. Each building has at least one router. All routers use RIP v2 broadcasts. A new office in Dortmund has 25 users. Dortmund is connected to the main office with a Frame Relay line. Dortmund installs a server with RRAS and implements RIP v2. Later, the Dortmund admin reports that his router is not receiving routing table updates from the routers at the main office. He must manually add routing entries to the routing table to enable connectivity between the locations. You investigate and discover that the RIPv2 broadcasts are not being received at the Dortmund office. You also discover that no routing table announcements from the Dortmund office are being received at the main office. You need to ensure that the network in the Dortmund office can communicate with the main campus network and can send and receive automatic routing table updates as network conditions change. What should you do to the router in the Dortmund office?

A. Configure the router to use RIPv1 broadcasts

B. Configure the router to use auto-static update mode

C. Add the IP address ranges of the main campus network to the router's accept list and announce list

D. Add the IP addresses of the main campus routers to the router's neighbors list

Answer: D

Explanation: It looks like the Dortmund router is configured to use neighbors. Therefore, we need to add the IP addresses of the main campus routers to the router's neighbors list.

QUESTION NO: 183

You are the network admin for TestKing. All servers run Windows Server 2003. Every week, you run the mbsacli.exe /hf command to ensure that all servers have the latest critical updates installed. You run the mbsacli.exe /hf command from a server named Server1. When you scan a server named TestKingB, you receive the following error message: Error 200, System not found, Scan failed. When you ping TestKingB, you receive a reply. You need to ensure that you can scan TestKingB by using mbsacli.exe /hf. What should you do?

A. Copy the latest version of the Mssecure.xml to the program files\microsoft baseline security analyzer folder on server1

B. Ensure that the Server service is running on TestKingB

C. Install IIS common files on Server1

D. Install the latest version of IE on TestKingB

Answer: B

Explanation: From Microsoft: Error: 200 - System not found. Scan not performed. This error message indicates that mbsacli /hf did not locate the specified computer and did not scan it. To resolve this error, verify that this computer is on the network and that the host name and IP address are correct. We know that the computer is on the network because we can successfully ping it. Therefore, the cause of the problem must be that the Server service isn't running.

Incorrect Answers:
A: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with Server1.
C: We can successfully scan other computers from Server1. Therefore, the problem is unlikely to be with Server1.
D: The version of IE that comes with Windows Server 2003 is sufficient, and therefore does not need to be upgraded.

Reference: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q303/2/15.asp&NoWebContent=1

QUESTION NO: 184

You are the network administrator for TestKing. The network consists of a single Active Directory domain named TestKing.com. All servers run Windows Server 2003. A server named TestKing2 functions as the mail server for the company. All users use Microsoft Outlook Express as their e-mail client. An update to the company's written security policy specifies that users must use encrypted authentication while they are retrieving e-mail messages from TestKing2. You need to comply with the updated policy. What should you do? (Choose three)

A. Configure the POP3 service on TestKing2 to use Active Directory Integrated Authentication

B. Configure the SMTP virtual server on TestKing2 to use Integrated Windows Authentication

C. Configure Outlook Express to use Secure Password Authentication (SPA)

D. Configure the SMTP virtual server on TestKing2 to use Basic Authentication with Transport Layer Security (TLS) encryption

E. Configure the POP3 service on TestKing2 to require Secure Password Authentication (SPA) for all connections

Answers: A, C, E

Explanation: You can use Active Directory Authentication to incorporate the POP3 service into your existing Active Directory domain. Active Directory integrated authentication supports both plaintext and Secure Password Authentication (SPA) e-mail client authentication. Because plaintext transmits the user's credentials in an unsecured, unencrypted format, however, the use of plaintext authentication is not recommended. SPA does require e-mail clients to transmit both the user name and password using secure authentication; it is therefore recommended over plaintext authentication. We need to configure the POP3 service on TestKing2 to require secure password authentication, and we need to configure the e-mail clients to use Secure Password Authentication (SPA).

Incorrect Answers:
B: We need to configure the POP3 service, not the SMTP virtual server.
D: We need to configure the POP3 service, not the SMTP virtual server.

QUESTION NO: 185

You are the network admin for TestKing. Your network contains 50 application servers that run Windows Server 2003. The security configuration of the application servers is not uniform. The application servers were deployed by local administrators who configured the settings for each of the application servers differently based on their knowledge and skill. The application servers are configured with different authentication methods, audit settings and account policy settings. The security team recently completed a new network security design. The design includes a baseline configuration for security settings on all servers. The baseline security settings use the hisecws.inf predefined security template. The design also requires modified settings for servers in an application server role. These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. The security team created a security template named application.inf that contains the required settings. You need to plan the deployment of the new security design. You need to ensure that all security settings for the application servers are standardized, and that after the deployment, the security settings on all application servers meet the design requirements. What should you do?

A. Apply the setup security.inf template first, the hisecws.inf template next, and then the application.inf template

B. Apply the Application.inf template and then the Hisecws.inf template.

C. Apply the Application.inf template first, then the setup.inf template next, and then the hisecws.inf template.

D. Apply the Setup.inf template and then the application.inf template.

Answer: A

Explanation: The servers currently have different security settings. Before applying our modified settings, we should reconfigure the servers with their default settings. This is what the security.inf template does. Now that our servers have the default settings, we can apply our baseline settings specified in the hisecws.inf template. Now we can apply our custom settings using the application.inf template.

Incorrect Answers:
B: The hisecws.inf template would overwrite the custom application.inf template.
C: Same as answer A. Also, the setup.inf security template doesn't exist. To return a system to its default security settings, we use the security.inf template.
D: The setup.inf security template doesn't exist. To return a system to its default security settings, we use the security.inf template.

QUESTION NO: 186

You are the network administrator for TestKing's Active Directory domain. TestKing's written security policy was updated and now requires a minimum of NTLM v2 for LAN Manager authentication. You need to identify which operating systems on your network do not meet the new requirement. Which OS would require an upgrade to the OS or software to meet the requirement?

A. Windows 2000 Professional

B. Windows Server 2003

C. Windows XP Professional

D. Windows NT Workstation with Service Pack 5

E. Windows 95

Answer: E

Explanation: Windows 95 does not natively support NTLM v2 authentication. To enable it, you would need to install the Directory Services Client software.

QUESTION NO: 187

TestKing has a single Active Directory domain named TestKing.com. The company's written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed.

You create a security template named fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action if needed. You audit a file server by using fileserver.inf and receive the results shown in the exhibit. ***MISSING*** You want to make only the changes that are required to meet the requirements. Which two actions should you take?

A. Correct the maximum application log size setting on the file server
B. Correct the maximum security log size setting on the file server
C. Correct the maximum system log size setting on the file server
D. Correct the retention method for application log setting on the file server
E. Correct the retention method for security log setting on the file server
F. Correct the retention method for system log setting on the file server

Answers: B, E

QUESTION NO: 188
You are the network administrator for TestKing. The network contains Windows Server 2003 servers configured in a four-node server cluster. The cluster provides file services to 5,000 users and contains several terabytes of data files. Several thousand shared folders have been created on 16 virtual server groups by using dynamic File Share cluster resources. Many data files are updated, created, or deleted each day. You need to create a backup strategy for both user data and the cluster configuration. You need to ensure that your strategy limits the potential loss of data and the cluster configuration to one week and provides the quickest means of recovery. What should you do?

A. Perform a weekly ASR of the cluster node that owns the quorum resource. Perform a weekly backup of all data files to tape.
B. Perform a weekly ASR of every node in the cluster. Perform a weekly backup of all data files to tape.
C. Perform a weekly ASR on each cluster node that currently owns cluster groups containing data files.
D. Configure daily shadow copies of all volumes on cluster nodes.
E. Configure weekly shadow copies of all volumes on all cluster nodes.

Answer: A


How to Back Up the Cluster Configuration
To back up the cluster configuration, use the Backup tool to back up the System State of a node while the Cluster service is running. When you do so, a backup of the local cluster registry is created in the %SystemRoot%\Cluster\ClusDB folder. The contents of the quorum disk, including the Chkxxx.tmp file and the Quolog.log file, are also backed up.
To back up the cluster configuration:
1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.
2. After the Backup or Restore Wizard starts, click Next.
3. Click Back up files and settings, and then click Next.
4. Click Let me choose what to back up, and then click Next.
5. Under My Computer, click System State.
6. Enter a location to save the backup file to, and then click Next.
7. Verify the backup settings, and then click Finish.

http://support.microsoft.com/default.aspx?scid=kb;en-us;286422&Product=winsvr2003

QUESTION NO: 189
You are the network admin for TestKing. The network consists of a single Active Directory domain named TestKing.com. All computers on the network are members of the domain. You are planning a Public Key Infrastructure (PKI) for the company. You want to deploy smart cards for all users in the domain. You want the members of a new group named Smartcard Agents to be able to issue smart cards for all users. You create a new global group named Smartcard Agents. You install an Enterprise Certificate Authority (CA) on a Windows Server 2003 computer named Server1. You create a duplicate of the Enrollment Agent certificate template and change the validity period of the new certificate template to three years. The name of the new certificate template is Smartcard Enrollment. The configuration of the permissions for the certificate template is shown in the exhibit. ***MISSING*** You want to ensure that members of the Smartcard Agents group can request smartcard enrollment certificates. What should you do?

A. Assign the Smartcard Agents group the Allow Autoenroll permission for the Smartcard Enrollment certificate template
B. Add the Enrollment Agent certificate template to the list of superseded templates on the Smartcard Enrollment certificate template


C. Configure the enterprise CA to enable the Smartcard Enrollment certificate template
D. Configure the enterprise CA to assign the Certificate Managers to the Smartcard Agents group
E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web enrollment pages to request certificates

Answer: B
http://support.microsoft.com/default.aspx?scid=kb;en-us;313490

QUESTION NO: 190
You are the network admin for TestKing. You need to test a new application. The application requires 2 processors and 2 GB of RAM. The application also requires shared folders and installation of software on client computers. You install the application on a Windows Server 2003 Web Edition computer and install the application on 20 test client computers. You then discover that only some of the client computers can connect to and run the application. You turn off some computers and discover that the computers that failed to open the application can now run it. You need to identify the cause of the failure and update your test plan. What should you do?

A. Increase the maximum number of worker processes to 20 for the default application pool
B. Use Add/Remove Programs to add the Application Server Windows component
C. Change the application pool identity to Local Service for the default application pool
D. Change the test server OS to Windows Server 2003 Standard Edition or Enterprise Edition

Answer: D
Explanation: Although Windows Server 2003 Web Edition supports up to 2 GB of RAM, it reserves 1 GB of it for the operating system; only 1 GB of RAM is available for the application. Therefore, we need to install Windows Server 2003 Standard Edition or Enterprise Edition to support enough RAM.

QUESTION NO: 191


You are the network admin for Litware, Inc. The company’s written security policy requires that you maintain a copy of all private keys issued by TestKing’s enterprise root CA. You create a duplicate of the User template named Employee and configure the template as shown in the Employee Properties exhibit:

You configure the CA to archive private keys by using a Key Recovery Agent certificate. You create a test user account named Peter and request a new Employee certificate. You issue the certificate to Peter. You reinstall the OS on your test computer and attempt to recover Peter’s private key. Your attempt fails and generates the following error message:

C:\>certutil -GetKey
CertUtil: -GetKey command failed
CertUtil: Cannot find object or property.

You need to ensure that future attempts to recover private keys associated with Employee certificates succeed. What should you do?

A. Using Group Policy, deploy a copy of the Key Recovery Agent certificate to all client computers


B. In the Employee template, select the Archive subject’s encryption private key check box
C. In the Employee template, select the Allow private key to be exported check box
D. Run the certutil -dspublish command to publish the Key Recovery Agent certificate to Active Directory

Answer: C


QUESTION NO: 192
Exhibit:

You are the network administrator for TestKing. The network contains Windows Server 2003 servers and Windows XP Professional clients. All computers are members of the same Active Directory forest. The company uses a Public Key Infrastructure (PKI) enabled application to manage marketing data. Certificates used with this application are managed by the application administrators. You install Certificate Services to create an offline stand-alone root CA on one Windows Server 2003 server. You configure a second Windows Server 2003 server as a stand-alone subordinate CA. You instruct users in the marketing department to enroll for certificates by using the Web enrollment tool on the stand-alone subordinate CA. Some users report that when they attempt to complete the enrollment process, they receive an error message on their certificate (see exhibit) stating “This certificate cannot be verified up to a trusted certification authority”. Other users in the marketing department do not report the error.


You need to ensure that users in the marketing department do not continue to receive this error. You also need to ensure that users in the marketing department trust certificates issued by this CA. You create a new OU named Marketing. What else should you do?

A. Place all marketing department computer objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. Publish the root CA’s root certificate in the Trusted Root Certification Authorities Section of the GPO

B. Place all marketing department user objects in the Marketing OU. Create a new GPO and link it to the marketing OU. In the user configuration section of the GPO, configure a certificate trust list (CTL) that contains the subordinate CA’s certificate

C. Place all marketing department computer objects in the Marketing OU. Create a new GPO and link it to the Marketing OU. In the computer configuration section of the GPO, configure a certificate trust list (CTL) that contains the subordinate CA’s certificate

D. Place all marketing department user objects in the Marketing OU. Create a new GPO and link it to the marketing OU. In the user configuration section of the GPO, configure a certificate trust list (CTL) that contains the root’s CA certificate

Answer: D
Explanation: We need to configure the marketing department users to trust the root CA. We can do this using a Group Policy object (GPO). We should place the marketing department user objects in the Marketing OU and apply the GPO to the OU.

QUESTION NO: 193
You are the network admin for TestKing. Your network contains three subnets. All servers have manually assigned IP addresses, while all clients are configured to receive an address from a DHCP server. The DHCP server is located in Site 1. The DHCP server has a scope configured for each subnet. Users in Site 2 and Site 3 complain that periodically they cannot connect to resources located on any subnet. You discover that during times of peak usage, users are receiving an IP address in the 169.254.x.x address range. You need to ensure that all client computers receive an address from their subnet even during times of peak usage. What should you do?

A. Install one DHCP server in Site 2 and Site 3. On each DHCP server, configure identical scopes for each subnet


B. Install one DHCP server in Site 2 and Site 3. On each DHCP server, configure a single subnet-specific scope
C. Configure a DHCP Relay Agent in Site 2 and Site 3
D. Configure a GPO on the domain that disables APIPA

Answer: B
Explanation: It appears that during times of peak usage, the DHCP server and/or the subnet containing the DHCP server cannot cope with the load. The clients in Sites 2 and 3 are unable to receive an IP configuration from the DHCP server and so configure themselves with an APIPA address. We can ease the load on the DHCP server and Subnet 1 by installing DHCP servers in Site 2 and Site 3. Each DHCP server must be configured with a single scope specific to its subnet.
Incorrect Answers:
A: We cannot have DHCP servers with identical scopes. This would lead to duplicate IP addresses on the network.
C: The clients can connect to the DHCP server during less busy times. Therefore, a DHCP Relay Agent is either already installed or isn’t required.
D: Disabling APIPA won’t ease the load on the DHCP server.

QUESTION NO: 194
You are the administrator for TestKing. The network consists of a single Active Directory domain named TestKing.com. All servers run Windows Server 2003. When the network was designed, the design team set design specifications. After the network was implemented, the deployment team set baseline specifications. The specifications for broadcast traffic are:

The design specifications require that broadcast traffic must be 5 percent or less of total network traffic.

The baseline specifications showed that broadcast traffic is always 1 percent or less of total network traffic during normal operation.

You need to monitor the network traffic and find out whether the level of broadcast traffic is within the design and baseline specifications. You decide to use Network Monitor. After monitoring for 1 hour, you observe the results shown in the exhibit:


You need to report the results of your observations to management. Which two actions should you take?

A. Report that broadcast traffic is outside of the baseline specifications
B. Report that broadcast traffic is outside of the design specifications
C. Report that broadcast traffic is within the design specifications
D. Report that broadcast traffic is within the baseline specifications

Answers: A, B

QUESTION NO: 195
Your network contains Terminal Servers that host legacy applications that require users to be members of the Power Users group in order to run them.


A new company policy states that the Power Users group must be empty on all servers. You need to maintain the ability to run legacy applications on your servers when the new security requirement is enabled. What should you do?

A. Add the Domain Users global group to the Remote Desktop Users built-in group in the domain
B. Add the Domain Users global group to the Remote Desktop Users local group on each Terminal Server
C. Modify the compatws.inf security template settings to allow members of the local Users group to run the applications. Import the security settings into the default Domain Controllers Group Policy object.
D. Modify the compatws.inf security template settings to allow members of the local Users group to run the applications. Apply the modified template to each Terminal Server.

Answer: D
Explanation: The default Windows 2000 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have security settings that are compatible with Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to run in the standard Windows environment for Users, while still allowing applications that are not certified for Windows 2000 to run successfully under the less secure Power Users configuration. However, if Windows 2000 users are members of the Power Users group in order to run applications not certified for Windows 2000, this may be too insecure for some environments. Some organizations may find it preferable to assign users, by default, only as members of the Users group and then decrease the security privileges for the Users group to the level where applications not certified for Windows 2000 run successfully. The Compatible template (compatws.inf) is designed for such organizations. By lowering the security levels on specific files, folders, and registry keys that are commonly accessed by applications, the Compatible template allows most applications to run successfully under a User context. In addition, since it is assumed that the administrator applying the Compatible template does not want users to be Power Users, all members of the Power Users group are removed.

QUESTION NO: 196
You are the network admin for Contoso. The network consists of a single Active Directory domain named contoso.com. The domain is supported by an Active Directory-integrated zone that allows only secure updates. The contoso.com domain is configured as two Active Directory sites named MainOffice and Branch1. Branch1 contains a single Windows Server 2003 domain controller named Server1 that is not a DNS server. There is a single subnet of 192.168.10.0/24 in Branch1 that contains all client computers and servers in the site.


Branch1 is connected to MainOffice by a single low-bandwidth WAN connection that is often saturated. Users in Branch1 are normally authenticated by Server1. Users in Branch1 report that they are experiencing unusually long logon times. You discover that Branch1 users are being authenticated by domain controllers in MainOffice. You run the nslookup command to query the SRV records for Branch1 and receive the output shown in the following table:

Server hostname: Server1.contoso.com
Server1.contoso.com internet address: 192.168.10.65

You run the ipconfig command on Server1 and receive the following:

IP address: 192.168.10.32
Subnet mask: 255.255.255.0
Default gateway: 192.168.10.1

You want Server1 to resume authenticating all clients in Branch1. What should you do?

A. Run the ipconfig.exe /registerdns command on Server1
B. Run the ipconfig.exe /flushdns command on Server1
C. Stop and restart the Netlogon service on Server1
D. Stop and restart the Netlogon service on clients in Branch1

Answer: C
Explanation: The DNS record shows the wrong IP address for Server1. We need to update DNS with the correct information. Because Server1 is a domain controller, we need to register both the A records and the SRV records. The Net Logon service on a domain controller registers the DNS resource records required for the domain controller to be located in the network every 24 hours. To initiate the registration performed by the Net Logon service manually, you can restart the Net Logon service.
Incorrect Answers:
A: This command will only register the A records. The client computers locate the domain controller by querying SRV records.
B: This will flush the local DNS client cache. This won’t solve the problem.
D: We need to restart the Netlogon service on Server1, not on the clients.

QUESTION NO: 197
You are the network administrator for TestKing. The network consists of a single Active Directory domain named TestKing.com with five sites.


You configure the five Active Directory sites in accordance with the requirements of the company's site configuration design. The network and site configuration is shown in the exhibit.

The site configuration design also requires you to configure site link bridges. The design requires the site links connecting Site1, Site2, and Site3 to be transitive and all other site links to be nontransitive. You need to configure site link bridges to comply with the site configuration design. Which action or actions should you take? (Choose all that apply)

A. Disable automatic site link bridging in the IP object properties.
B. Create new site links between each of the Active Directory sites.
C. Remove each of the sites from the default site link.
D. Create a new site link bridge. Add the site links connecting Site1, Site2, and Site3 to the site link bridge.
E. Create a new site link bridge. Add the site links connecting Site3, Site4, and Site5 to the site link bridge.

Answer: A, C, D.
Explanation:
A: We must disable automatic site link bridging in the IP object properties to prevent all site links from being transitive.
C: The exhibit suggests this has already been done; at least some of the sites have been removed, and site links have been manually added. But we should do this just to be sure.
D: The design requires the site links connecting Site1, Site2, and Site3 to be transitive. Therefore, we should create a new site link bridge and add the site links connecting Site1, Site2, and Site3 to it.
Incorrect Answers:
B: This would mean that every site is connected to each of the other sites.
E: This would make the site links connecting Site3, Site4, and Site5 transitive.


QUESTION NO: 198 You are the network administrator for your company. Your company consists of two subsidiaries named Contoso, Ltd., and TestKing, Inc. The network consists of two Active Directory domains in a single forest with four sites. The network configuration is shown in the exhibit.

All client computers run Windows XP Professional. Users who have accounts in the TestKing.com domain frequently travel to Site3. When these users log on to the network in Site3, the logon process can take up to 10 minutes. You discover that when these users log on to the network in Site3, they are authenticated by DC5.TestKing.com in Site1.


You need to ensure that TestKing, Inc., users can log on more quickly from Site3. What should you do?

A. Increase the site link cost for SiteLink-1-3 to 500.
B. Configure a site link bridge that will bridge SiteLink-3-4 and SiteLink-2-4.
C. Modify the subnet object linked to Site3 so that it is linked to Site1.
D. Move the DC5.TestKing.com domain controller object from Site1 to Site3.

Answer: B

QUESTION NO: 199
You work as a network administrator at TestKing. You administer the Windows Server 2003 domain TestKing.com and a child domain named child1.TestKing.com. The child1.TestKing.com domain contains all of the user accounts for the network. Your company acquires a company named Contoso, Ltd. The Contoso, Ltd., network consists of a single Active Directory forest that contains a forest root domain named contoso.com and a child domain named child1.contoso.com. All domain controllers run Windows 2000 Server. Both domains contain user accounts and resource servers. The domains and existing trust relationships are shown in the exhibit.


You need to create the minimum number of trust relationships required for the users in the child1.TestKing.com domain to access resources in both domains in the contoso.com forest. What should you do?

A. Create a one-way trust relationship in which the TestKing.com domain trusts the contoso.com domain.
B. Create a one-way trust relationship in which the contoso.com domain trusts the TestKing.com domain.
C. Create a one-way trust relationship in which the child1.TestKing.com domain trusts the contoso.com domain. Create a one-way trust relationship in which the child1.TestKing.com domain trusts the child1.contoso.com domain.
D. Create a one-way trust relationship in which the contoso.com domain trusts the child1.TestKing.com domain. Create a one-way trust relationship in which the child1.contoso.com domain trusts the child1.TestKing.com domain.

Answer: D
Explanation: Users in child1.TestKing.com need to access resources in contoso.com and child1.contoso.com. Therefore, the contoso.com and child1.contoso.com domains need to trust the child1.TestKing.com domain. We can achieve this by configuring two one-way trust relationships: one in which the contoso.com domain trusts the child1.TestKing.com domain and one in which the child1.contoso.com domain trusts the child1.TestKing.com domain.
Incorrect Answers:
A: The TestKing user accounts are in the child1.TestKing.com domain, not the TestKing.com domain. Therefore, the contoso.com and child1.contoso.com domains need to trust the child1.TestKing.com domain.
B: The TestKing user accounts are in the child1.TestKing.com domain, not the TestKing.com domain. Therefore, the contoso.com and child1.contoso.com domains need to trust the child1.TestKing.com domain.
C: This answer is close, but the trusts are the wrong way round. The contoso.com and child1.contoso.com domains need to trust the child1.TestKing.com domain.

QUESTION NO: 200
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com that contains two Windows Server 2003 domain controllers named TestKing1 and TestKing2. TestKing1 runs DNS for the domain. Backups of the System State are performed each night on each domain controller. A power surge damages both domain controllers. You replace the domain controllers with two new computers and retrieve the latest backup tapes. You need to restore the Active Directory domain by using the backup tapes. You want to restore name resolution services first. What should you do? To answer, drag the action that should be performed first to the First Action box for each server. Continue dragging actions to the corresponding numbered boxes until you list all three required actions to restore TestKing1 and all three required actions to restore TestKing2.


Answer:

Explanation: Both domain controllers need to be restored. The first thing to do on each new server is to install Windows Server 2003. To restore the System State data on a domain controller, you must first start the computer in a special startup option called Directory Services Restore Mode. This allows you to restore the SYSVOL directory and the Active Directory database. To access Directory Services Restore Mode, press F8 during startup and select it from the list of startup options. On the first domain controller, we can do a primary restore of the System State data, as this will be the first domain controller on the network. On the second domain controller, we can do a non-authoritative restore of the System State data. This way, any changes to Active Directory on the first server will be replicated to the second server.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/ntbackup_restore_sysstate.asp

QUESTION NO: 201
You are the network administrator for TestKing. The network consists of a single Windows Server 2003 Active Directory domain named TestKing.internal. The network includes 20 servers running Windows Server 2003 and 700 client computers running Windows XP Professional.


All servers belong to the default Computers container. All client computers belong to an organizational unit (OU) named Clients. All domain controllers belong to the default Domain Controllers OU. Name resolution and IP addressing are controlled by DNS, WINS, and DHCP. You need to ensure that the DNS suffix in the system properties of each client computer is set to TestKing.com. What should you do?

A. Create a new Group Policy object and link it to Clients. Set the configuration of the primary DNS suffix to TestKing.com.
B. Modify the Default Domain Policy. Set the configuration of the primary DNS suffix to TestKing.com.
C. In the DHCP scope options, define the DNS domain name as TestKing.internal.
D. In the DHCP scope options, define the NIS domain name as TestKing.internal.

Answer: A
Explanation: We need to ensure that the DNS suffix in the system properties of each client computer is set to TestKing.com. The client computers are located in an organizational unit (OU) named Clients. The easiest way to achieve this is to configure a GPO that sets the primary DNS suffix to TestKing.com and link the GPO to the Clients OU.
Incorrect Answers:
B: The setting should apply to the clients only. Linking the GPO to the domain would apply the setting to all computers in the domain (including servers and domain controllers).
C: The question doesn’t say that the servers have static IP addresses. If they are configured to use DHCP, then we can’t use DHCP to apply the DNS suffix setting, because it would apply the setting to all computers in the domain (including servers and domain controllers).
D: An NIS domain is a Unix/Linux domain. We have a Windows domain.

QUESTION NO: 202
You are a member of the Enterprise Admins group in TestKing’s Windows Server 2003 network. The network consists of a single domain named TestKing.com. The Bonn office has its own organizational unit (OU) named Bonn. You hire an employee named Sophie as a LAN administrator for the Bonn office. Sophie needs to create child OUs for the Bonn OU. She also needs to verify the existence of the OUs she creates. You need to grant Sophie the minimum permissions on the Bonn OU so that she can accomplish these tasks. Which permissions should you grant?

A. Read All Properties, Create Organizational Unit Objects, Write All Properties.
B. Read All Properties, List Contents, Create Organizational Unit Objects.
C. List Contents, Create All Child Objects.


D. Write All Properties, All Extended Rights.

Answer: B
Explanation: The minimum permission required to create OUs is the Create Organizational Unit Objects permission. To verify the OUs, she needs the Read and List permissions.
Incorrect Answers:
A: The Write permission would allow a user to create or modify any object in the OU.
C: The Create All Child Objects permission would allow a user to create any object in the OU.
D: The Write permission would allow a user to create or modify any object in the OU.

QUESTION NO: 203
You are the administrator of TestKing Inc. The network consists of a single domain. The company’s main office is located in South Africa, and branch offices are located in Asia and Europe. The offices are connected by dedicated 256-Kbps lines. To minimize logon authentication traffic across the slow links, you create an Active Directory site for each company office and configure site links between the sites. Users in branch offices report that it takes a long time to log on to the domain. You monitor the network and discover that all authentication traffic is still being sent to the domain controllers in South Africa. You need to improve network performance. What should you do?

A. Schedule replication to occur more frequently between the sites.
B. Schedule replication to occur less frequently between the sites.
C. Create a subnet for each physical location, associate the subnets with the South Africa site, and move the domain controller objects to the South Africa site.
D. Create a subnet for each physical location, associate each subnet with its site, and move each domain controller object to its site.

Answer: D
Explanation: You have created the sites and configured site links, but you haven’t configured the sites themselves. To configure a site, you need to create a subnet object for each physical location and associate each subnet with its site. Then move each domain controller object to its site. This configures Active Directory so that authentication requests are sent to the ‘local’ domain controller rather than across the WAN links.
Incorrect Answers:
A: No replication will occur between the sites, because all domain controllers are in the same (default) site. The domain controller objects need to be moved to their respective sites.


B: Changing the replication schedule does not affect where clients authenticate, and no inter-site replication occurs while all domain controllers are in the same (default) site. The domain controller objects need to be moved to their respective sites.
C: We don't want all the subnets in one site. Each subnet should be associated with its own site; otherwise every client is treated as being in South Africa.

QUESTION NO: 204
You are a consultant for several different companies. You design the security policies for the computers running Windows Server 2003 and Windows XP Professional in your customers' networks. You use these security policies to configure a server named Server1. You want to deploy the security configuration on Server1 to computers in your customers' networks by using the least amount of administrative effort. What should you do first?
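The site lookup that question 203 (and question 205) depends on, as an added Python example rather than anything from the original TestKing material: the DC locator maps a client's address to a site by longest-prefix match against the subnet objects, prefers domain controllers in that site, and falls back to the whole domain when the client has no site or its site has no domain controller. The site names, subnets and domain controller addresses below are constructed for the example; the audit function flags domain controller objects that sit in a site other than the one their own address belongs to, which is exactly the misconfiguration in the question.

```python
import ipaddress
from typing import Optional

# Constructed example data for the scenario in question 203 (not from the
# original page): three sites, the subnet objects that belong to each office,
# and the domain controllers with the site object each one currently sits in.
SUBNET_SITES = {
    "10.1.0.0/16": "SouthAfrica",
    "10.2.0.0/16": "Asia",
    "10.3.0.0/16": "Europe",
}

DOMAIN_CONTROLLERS = {
    # name: (IP address, site object the DC currently sits in)
    "ZA-DC1": ("10.1.0.10", "SouthAfrica"),
    "ZA-DC2": ("10.1.0.11", "SouthAfrica"),
    "ASIA-DC1": ("10.2.0.10", "SouthAfrica"),   # never moved out of the first site
    "EU-DC1": ("10.3.0.10", "SouthAfrica"),     # never moved out of the first site
}


def site_for_ip(ip: str, subnet_sites: dict) -> Optional[str]:
    """Map an address to a site the way the DC locator does: the most specific
    (longest-prefix) subnet object containing the address wins. Returns None
    when no subnet object covers the address; such a client has no site and is
    served by whichever domain controller answers the domain-wide lookup."""
    addr = ipaddress.ip_address(ip)
    best_site, best_len = None, -1
    for cidr, site in subnet_sites.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best_site, best_len = site, net.prefixlen
    return best_site


def dcs_in_site(site: str, dcs: dict) -> list:
    """Names of the domain controllers whose object sits in the given site."""
    return sorted(name for name, (_, s) in dcs.items() if s == site)


def candidate_dcs(client_ip: str, subnet_sites: dict, dcs: dict) -> list:
    """Domain controllers the locator prefers for a client: those in the
    client's site; when the client has no site, or its site has no domain
    controller, any domain controller in the domain (simplified fallback)."""
    site = site_for_ip(client_ip, subnet_sites)
    local = dcs_in_site(site, dcs) if site else []
    return local or sorted(dcs)


def audit_dc_placement(subnet_sites: dict, dcs: dict) -> list:
    """Flag domain controllers whose own address belongs to a different site's
    subnet, or to no subnet object at all."""
    findings = []
    for name, (ip, assigned) in sorted(dcs.items()):
        actual = site_for_ip(ip, subnet_sites)
        if actual is None:
            findings.append(f"{name} ({ip}) is covered by no subnet object")
        elif actual != assigned:
            findings.append(f"{name} ({ip}) sits in site {assigned} but its subnet belongs to {actual}")
    return findings


if __name__ == "__main__":
    # Before: sites exist but no subnet objects, so every client is site-less.
    print("no subnets :", candidate_dcs("10.2.0.50", {}, DOMAIN_CONTROLLERS))
    # Subnets defined but DC objects not moved: the Asia site still has no DC.
    print("not moved  :", candidate_dcs("10.2.0.50", SUBNET_SITES, DOMAIN_CONTROLLERS))
    for finding in audit_dc_placement(SUBNET_SITES, DOMAIN_CONTROLLERS):
        print("WARNING:", finding)
    # After moving each DC object into the site its subnet belongs to.
    fixed = {n: (ip, site_for_ip(ip, SUBNET_SITES)) for n, (ip, _) in DOMAIN_CONTROLLERS.items()}
    print("fixed      :", candidate_dcs("10.2.0.50", SUBNET_SITES, fixed))
```

Running it shows the two halves of the exam answer separately: defining subnets alone still leaves the Asia client with no local domain controller, and only after the domain controller objects are moved does the client get ASIA-DC1. The audit is the check to run after any site change, since a domain controller object left in the wrong site advertises itself to the wrong clients.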

A. Create a Group Policy Object (GPO) that configures the security settings for all computers to match the settings on Server 1, and then link the GPO to the domain. Export the console list to a file.

B. In the Security Configuration and Analysis snap-in, analyze Server1 and export the security template to a file.

C. In the System Information snap-in, save the system summary as a system information file. D. In the Security Templates snap-in, export the console list to a file.

Answer: B

Explanation: The Security Configuration and Analysis snap-in can export the security settings currently applied to a computer to a security template (.inf) file. The same template can then be applied to other computers, either with the Security Configuration and Analysis snap-in or the secedit /configure command (for single computers) or by importing the template into a Group Policy Object (for many computers at once). Review the exported template before deploying it: it captures Server1's settings exactly as they are, including anything set by hand that should not be copied to every customer.

Incorrect Answers:
A: You have already configured the settings on Server1. It is quicker to export them to a template than to enter them again by hand in a GPO.
C: The system summary does not contain the security settings.
D: The console list does not contain the security settings.

QUESTION NO: 205
You are the administrator of TestKing's Windows Server 2003 network. The network contains two Active Directory sites: Munich and Singapore. The network also consists of two domains: fabrikam.com and asia.fabrikam.com. The network is configured as shown in the exhibit.


Users from the Singapore office often travel to the Munich office with their portable computers. When these users log on to the network from Munich, their computers display the text “Applying your personal settings” for a long time. You want to ensure that users from Singapore do not experience these delays when they log on to the network from Munich. What should you do?

A. Associate the Munich subnet with the Singapore site. B. Create a trust relationship so that fabrikam.com trusts asia.fabrikam.com. C. Install a domain controller for asia.fabrikam.com in the Munich subnet. D. Use the Active Directory Sites and Services snap-in to move DC3 to the Munich site.

Answer: C

Explanation: The only domain controller for asia.fabrikam.com is in the Singapore site. When a Singapore user logs on in Munich, the DC locator finds no asia.fabrikam.com domain controller in the Munich site, so the client authenticates and downloads its Group Policy settings from a domain controller in Singapore. That traffic across the WAN link is what causes the delay. Installing a domain controller for asia.fabrikam.com in the Munich subnet lets the logon process for Singapore users in Munich complete locally.

Incorrect Answers:
A: The Munich subnet should remain associated with the Munich site. Associating it with the Singapore site would send all authentication traffic from clients in Munich over the WAN link to Singapore.
B: A two-way transitive parent-child trust already exists between fabrikam.com and asia.fabrikam.com.
D: DC3 is physically in Singapore. Moving its site object does not move the server; the logon traffic would still cross the WAN link to DC3.

QUESTION NO: 206


You are the network administrator for TestKing. The network consists of a single Active Directory domain named TestKing.com. You configure a new Windows Server 2003 file server named TestKingSrv1. You restore user files from a tape backup, and you create a logon script that maps drive letters to shared folders on TestKingSrv1. Users report that they cannot access TestKingSrv1 through the drive mappings you created. Users also report that TestKingSrv1 does not appear in My Network Places. You log on to TestKingSrv1 and confirm that the files are present and that the NTFS permissions and share permissions are correct. You cannot access any network resources. You run the ipconfig command and see the following output.

You need to configure the TCP/IP properties on TestKingSrv1 to resolve the problem. What should you do?

A. Add TestKing.com to the DNS suffix for this connection field. B. Configure the default gateway. C. Configure the DNS server address. D. Configure a static IP address.

Answer: D

Explanation: The IP address shown in the exhibit is an APIPA (Automatic Private IP Addressing) address, in the 169.254.0.0/16 range. The server is configured to obtain its IP configuration from DHCP but could not contact a DHCP server (most likely because there is no DHCP server on this network), so it assigned itself an address that is not usable on the company LAN. Configuring a static IP address in the same range as the rest of the network fixes the problem; a server should have a fixed address in any case, so that clients, DNS records and firewall rules can depend on it.

Incorrect Answers:
A: A DNS suffix is not necessary for clients to reach the server.
B: A default gateway is only needed on a routed network, and does not help while the server's own address is wrong.
C: The server not having a DNS server address would not prevent clients from connecting to the server.

QUESTION NO: 207


You are the network administrator for a new branch office of TestKing. The office network is connected to the Internet by a T1 line. TestKing's Internet service provider (ISP) gives you a single public IP address and provides firewall services to protect the office network. The office network includes five Windows XP Professional client computers and a Windows Server 2003 computer named TestKingA. All client computers are configured to use DHCP to obtain their IP configuration settings. TestKingA is configured as a DHCP server and contains two network adapters. You connect one network adapter to the ISP connection, and you connect the other network adapter to the office network. You want to configure TestKingA so that client computers can access the Internet. Which two courses of action should you take? (Each correct answer presents part of the solution. Choose two.)

A. Remove the DHCP Server service.
B. Install the DNS Server service.
C. Run the route command to add a route to the internal network.
D. Assign the public IP address to the external network adapter. Install and configure Routing and Remote Access.

Answer: B, D

Explanation: The ISP provides a single public IP address, which is assigned to the external network adapter so that the server can send and receive traffic on the Internet. The LAN clients keep private IP addresses. Routing and Remote Access is installed on the server and configured for NAT (Network Address Translation), with the external adapter as the public interface, so that it translates between the private LAN addresses and the single public address and routes traffic between the Internet and the LAN. The DNS Server service is installed on the same server so that the clients can resolve external (Internet) host names; the DHCP scope on TestKingA should hand out TestKingA's internal address as the clients' DNS server and default gateway.

Incorrect Answers:
A: It is not necessary to remove the DHCP Server service; the clients rely on it for their configuration.
C: No route into the internal network is needed. The question does not require people on the Internet to connect to the LAN computers, and the server already knows the internal subnet because it is directly connected to it.

QUESTION NO: 208
You are the administrator of TestKing's network, which consists of a single Windows Server 2003 domain named testking.com. The network includes a stand-alone Windows Server 2003 computer named RAS1, which runs Routing and Remote Access. All employees use computers running Windows XP Professional to dial in to the network. Your remote access policies permit members of the Domain Users group to dial in to RAS1 between 7:00 P.M. and 6:00 A.M. every day. To increase dial-up security, your company issues smart cards to all employees.


You need to configure RAS1 and your remote access policies to support the use of the smart cards for dial-up connections. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create a remote access policy that requires users to authenticate by using EAP-TLS.
B. Create a remote access policy that requires users to authenticate by using MS-CHAP v2.
C. Create a remote access policy that requires users to authenticate by using SPAP.
D. Add RAS1 to the Windows 2000 domain.
E. Install the Internet Authentication Service (IAS) on RAS1.
F. Install Certificate Services on RAS1 and configure it to issue encryption certificates upon request.

Answer: A, F

Explanation: Smart cards hold certificates, and certificate-based authentication for remote access uses EAP-TLS, so a remote access policy must require EAP-TLS; when configuring EAP-TLS you select the smart card option. RAS1 is a stand-alone server, so in this answer Certificate Services is configured on it to issue the certificates for the smart cards. A practical caveat: EAP-TLS also requires a certificate on the RRAS server itself, and smart card logon certificates are normally issued by an enterprise CA, so a domain-joined RRAS server with a domain PKI is the usual deployment.

Incorrect Answers:
B: EAP-TLS is required for smart card authentication, not MS-CHAP v2, which is a password-based protocol.
C: EAP-TLS is required for smart card authentication, not SPAP, which sends a reversibly encrypted password.
D: In this answer the RRAS server does not need to be a member of the domain.
E: Internet Authentication Service (IAS) is Microsoft's implementation of RADIUS. It is used when you have multiple RRAS servers and need centralised authentication and policy, which is not the case here.

QUESTION NO: 209
You are the administrator of TestKing's network, which links the main office and 15 branch offices. The network contains 5,000 computers running Windows 2000 Professional and 180 computers running Windows 2000 Server. The main office has two WINS servers, and each branch office has one WINS server. The WINS servers in the branch offices are configured for push/pull replication with one of the WINS servers in the main office. Both WINS servers in the main office are configured for push/pull replication with each other. You enable periodic database consistency checking. You then notice an increase in network traffic during the check periods. You need to reduce or eliminate the additional traffic, while maintaining the integrity of the database records. What should you do?

A. Configure all WINS servers to use the automatic partner configuration. B. Disable periodic database consistency checking and manually perform consistency checking. C. Increase the verification interval on each of the WINS servers.


D. Configure the DHCP client options for WINS so that the primary WINS servers are evenly divided among the DHCP clients.

Answer: B

Explanation: Periodic database consistency checking makes each WINS server pull and compare records from its replication partners, which is what generates the extra traffic during the check periods. Disabling the periodic check and running consistency checking manually, at a time of your choosing (for example during off-peak hours), removes the recurring traffic while still letting you verify the integrity of the database records.

References: Windows Server 2003 Help (WINS Push/Pull Replication).

QUESTION NO: 210
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains two domains named testking.com and na.testking.com. The functional level of the forest is Windows Server 2003. Your company merges with a company named Proseware, Inc. The Proseware, Inc. network also consists of a single Active Directory forest. The forest contains two domains named proseware.com and sa.proseware.com. The functional level of both domains is Windows 2000 native. All domain controllers in that forest run Windows 2000 Server. Users in the na.testking.com domain and the sa.proseware.com domain must be able to easily share information. The data is located on Windows Server 2003 member servers in both domains. You need to configure the trust relationships between the domains so that the users can easily share the information. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Create a two-way forest trust relationship between the testking.com domain and the proseware.com domain.

B. Create a one-way external trust relationship in which the na.testking.com domain trusts the sa.proseware.com domain. Create another one-way external trust relationship in which the sa.proseware.com domain trusts the na.testking.com domain.

C. Create a one-way external trust relationship in which the proseware.com domain trusts the sa.proseware.com domain. Create another one-way external trust relationship in which the sa.proseware.com domain trusts the testking.com domain.

D. Create a one-way external trust relationship in which the proseware.com domain trusts the sa.proseware.com domain. Create another one-way external trust relationship in which the testking.com domain trusts the sa.proseware.com domain.


Answer: B

Explanation: The proseware.com forest is still at the Windows 2000 forest functional level (its domain controllers run Windows 2000 Server), so a forest trust is not available. External trusts are the only option, and they are non-transitive, so they must be created directly between the two domains that hold the users and the resources. Users in na.testking.com need to access resources in sa.proseware.com, which requires a one-way external trust in which sa.proseware.com trusts na.testking.com. Users in sa.proseware.com need to access resources in na.testking.com, which requires a one-way external trust in which na.testking.com trusts sa.proseware.com.

Incorrect Answers:
A: A two-way forest trust between testking.com and proseware.com cannot be created because the proseware.com forest is not at the Windows Server 2003 forest functional level.
C: The domains within each forest already have two-way transitive trusts between them, but an external trust is not transitive, so trusting proseware.com or testking.com gives no access to their child domains. The trusts have to be between na.testking.com and sa.proseware.com.
D: The same problem: the trusts have to be between na.testking.com and sa.proseware.com.

QUESTION NO: 211
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Eric works in the sales department. User objects for sales users are stored in an organizational unit (OU) named Sales. When Eric is transferred to another department, you delete Eric's user account. Several weeks later, Eric is transferred back to the sales department. You create a new user account in the Sales OU and grant the account access to sales resources. When Eric attempts to open any of the 1,000 files that he created before he was transferred, he receives the following error message: "Access Denied". He reports that he receives this error message for all 1,000 files in 150 different locations. You need to provide Eric with access to the files that he created both before his first transfer and after his return to the sales department. You must accomplish this task without affecting other users on the network. What should you do?

A. Move Eric’s existing account to a new OU. Nonauthoritatively restore the OU that contained Eric’s previous account.

B. Nonauthoritatively restore Eric’s old account. Force Active Directory replication to occur. C. Authoritatively restore Eric’s old account. Force Active Directory replication to occur. D. Rename Eric’s existing account. Authoritatively restore Eric’s old account.

Answer: D


Explanation: Although the new account is also named Eric, it does not give Eric access to his files, because NTFS permissions are stored as security identifiers (SIDs), not as names. The new account received a new SID when it was created, so the access control entries on the 1,000 files refer to an account that no longer exists and the new 'Eric' is a stranger to them. Re-permissioning 1,000 files in 150 locations by hand would take a long time and risks disturbing other users' entries, so it is easier to bring back Eric's old account, and with it the old SID and group memberships, from a system state backup taken before the deletion, using an authoritative restore. To avoid having two accounts with the same name, rename the existing account before restoring the previous one; renaming does not change the new account's SID, so the files created since his return stay permissioned to that account. The backup must be no older than the tombstone lifetime, otherwise the domain controller will not accept the restored object.

Incorrect Answers:
A: We don't need to restore an entire OU; we can restore just Eric's previous account.
B: We need an authoritative restore. After a nonauthoritative restore, the restored account would be deleted again by the next Active Directory replication, because the other domain controllers still hold the newer deletion.
C: To avoid having two accounts with the same name, we should rename the existing account before restoring the previous account.

QUESTION NO: 212
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains two domains named testking.com and dev.testking.com. All domain controllers run Windows Server 2003. The functional level of the forest is Windows Server 2003. TestKing acquires a company named Graphic Design Institute. The Graphic Design Institute network consists of a single Active Directory forest that contains a single domain named graphicdesigninstitute.com. All domain controllers run Windows Server 2003. The functional level of the forest is Windows Server 2003. Users in the testking.com domain require access to file and print resources stored on a computer named TestKing1.graphicdesigninstitute.com. Users in the graphicdesigninstitute.com domain require access to all computers in the testking.com forest. You must provide administrators with the ability to grant users access to required resources. What should you do?
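Why the replacement account in question 211 is refused, as an added Python example that is not part of the original page: a simplified Windows access check over a DACL whose entries name SIDs, not account names. The domain SID, RIDs, file DACLs and the toy access mask bits are constructed for the example; the well-known BUILTIN\Administrators SID S-1-5-32-544 is real. The same check also shows why a deny entry on a group (the way universal groups are used against temporary staff in question 217) must come before the allow entries.

```python
from dataclasses import dataclass

# Toy access mask bits (constructed; not the real FILE_* values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
ALL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee: a user or group SID, never a name
    mask: int   # rights granted or denied


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset
    name: str   # display only; plays no part in the check


def access_check(token: Token, dacl, desired: int) -> bool:
    """Simplified Windows access check. ACEs are evaluated in order; a matching
    deny ACE that covers any still-outstanding right fails the check, matching
    allow ACEs retire rights, and the check passes once nothing is outstanding.
    A DACL of None means no protection at all: everyone gets everything."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid != token.user_sid and ace.sid not in token.group_sids:
            continue   # this ACE is not about any SID in the token
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed identifiers: one domain SID, RIDs for the accounts involved.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
OLD_ERIC = DOMAIN + "-1105"   # RID issued when the account was first created
NEW_ERIC = DOMAIN + "-1322"   # fresh RID: a new account, whatever it is called
SALES = DOMAIN + "-1201"      # Sales group
TEMPS = DOMAIN + "-1300"      # universal group for temporary employees
ADMINS = "S-1-5-32-544"       # BUILTIN\Administrators (real well-known SID)

# DACL on one of the 1,000 files Eric created before his transfer.
OLD_FILE_DACL = [Ace("allow", ADMINS, ALL), Ace("allow", OLD_ERIC, ALL)]

# DACL on a shared sales folder: temporary staff may read but never change.
SHARED_DACL = [Ace("deny", TEMPS, WRITE | DELETE), Ace("allow", SALES, READ | WRITE)]

OLD_ERIC_TOKEN = Token(OLD_ERIC, frozenset({SALES}), "eric")        # before deletion
NEW_ERIC_TOKEN = Token(NEW_ERIC, frozenset({SALES}), "eric")        # same name, new SID
RENAMED_TOKEN = Token(NEW_ERIC, frozenset({SALES}), "eric.new")     # rename keeps the SID
RESTORED_TOKEN = Token(OLD_ERIC, frozenset({SALES}), "eric")        # after authoritative restore
TEMP_SALES_TOKEN = Token(DOMAIN + "-1410", frozenset({SALES, TEMPS}), "temp01")


def report(token: Token, dacl, desired: int) -> str:
    verdict = "granted" if access_check(token, dacl, desired) else "DENIED"
    return f"{token.name:9s} {token.user_sid[-5:]:>5s} wants {desired:#x}: {verdict}"


if __name__ == "__main__":
    for tok in (OLD_ERIC_TOKEN, NEW_ERIC_TOKEN, RENAMED_TOKEN, RESTORED_TOKEN):
        print(report(tok, OLD_FILE_DACL, READ | WRITE))
    print(report(TEMP_SALES_TOKEN, SHARED_DACL, READ))
    print(report(TEMP_SALES_TOKEN, SHARED_DACL, WRITE))
```

The output makes the exam reasoning concrete: the new account is refused although its name matches, renaming it changes nothing either way, and the restored account is accepted because its SID is the one in the ACEs. The ordering rule at the end is the reason deny ACEs are placed first in Windows DACLs: an allow for Sales evaluated before the deny for temporary staff would have granted the write.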

A. Create a two-way forest trust relationship between the testking.com domain and the graphicdesigninstitute.com. In the testking.com domain, enable forest-wide authentication for the graphicdesigninstitute.com domain. In the graphicdesigninstitute.com domain, enable selective authentication for the testking.com domain.

B. Create a two-way forest external trust relationship between the testking.com domain and the graphicdesigninstitute.com domain.

C. Create a one-way forest trust relationship in which the graphicdesigninstitute.com. trusts the testking.com domain. In the testking.com domain, enable forest-wide authentication for the graphicdesigninstitute.com domain.


D. Create a one-way forest trust relationship in which the testking.com domain trusts the graphicdesigninstitute.com domain. Create a second incoming external trust relationship on the graphicdesigninstitute.com domain. Specify that the trust relationship is between the testking.com domain and the graphicdesigninstitute.com domain.

Answer: A

Explanation: Both forests are at the Windows Server 2003 forest functional level, so a two-way forest trust can be created between them. The authentication scope is then set separately for each direction of the trust. With forest-wide authentication on an incoming forest trust, users from the other forest have the same level of access to resources in the local forest as local users (subject to the permissions on each resource): if ForestA has an incoming forest trust from ForestB with forest-wide authentication, users from ForestB can authenticate to any computer in ForestA. That is what the graphicdesigninstitute.com users need in the testking.com forest, so testking.com enables forest-wide authentication for graphicdesigninstitute.com. With selective authentication on an incoming forest trust, users from the other forest can authenticate only to the computers on which you grant them the Allowed to Authenticate permission (a control access right set on the computer object). The testking.com users only need TestKing1.graphicdesigninstitute.com, so graphicdesigninstitute.com enables selective authentication for testking.com and its administrators grant Allowed to Authenticate on the TestKing1 computer object, which keeps the cross-forest access to the minimum required.

QUESTION NO: 213
You are a network administrator for TestKing. The network consists of two Active Directory domains. All servers run Windows Server 2003. The company has offices in several cities as shown in the exhibit.

Each office is configured as an Active Directory site. There are global catalog servers in the Toronto and Paris sites. You enable universal group membership caching for all other sites. Users in TestKing use an application that is integrated with Active Directory. The application reads data from the global catalog. Users report that during periods of peak activity, the application responds slowly.


You need to improve the response time of the application. What should you do?

A. Disable universal group membership caching in the Chicago, New York, Bonn, and Rome sites.
B. Decrease the replication interval on the site links that connect the Chicago and New York sites to the Toronto site, and on the site links that connect the Bonn and Rome sites to the Paris site.
C. Configure global catalog servers in the Chicago, New York, Bonn, and Rome sites.
D. Perform an offline defragmentation of the Active Directory database on the domain controllers in the Toronto and Paris sites.

Answer: C

Explanation: The application reads data from the global catalog, which is held only by the global catalog servers in the Toronto and Paris sites. Every query from the other sites therefore crosses a WAN link and competes with other traffic during peak periods. Configuring a global catalog server in each of the other sites lets the application reach a global catalog over the fast local LAN. (Each additional global catalog server holds a partial replica of every domain in the forest, so replication to those sites increases; that is the trade-off accepted here.)

Incorrect Answers:
A: Universal group membership caching only speeds up logons by caching group memberships on the local domain controller; it does not answer the application's global catalog queries, so the application is slow with or without it.
B: The question states that the application runs slowly during periods of peak activity and better at other times, so replication latency is not the cause of the problem.
D: The queries are slow because of the WAN round trip, not because of the database layout. Defragmenting the Active Directory database on the existing global catalog servers would not remove that round trip.

QUESTION NO: 214
You are the network administrator for TestKing. Two of TestKing's customers are Contoso Pharmaceuticals and City Power and Light. Your domain infrastructure is shown in the exhibit.


All users in the testking.com domain need to access resources in the contoso.com domain. Some users in the testking.com domain need to access resources in the sales.cpandl.com domain. No users in the testking.com domain need to access resources in the sales.contoso.com domain. Although a two-way trust relationship exists between the testking.com and cpandl.com domains, you discover that the users in the testking.com domain cannot access resources in the sales.cpandl.com domain. You need to ensure that all users in the testking.com domain can access the appropriate resources in the other forests. What should you do?

A. Enable the routing status of the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com. Disable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com.

B. Disable the routing status of the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com. Enable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com.

C. Enable the routing status of the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com. Enable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com.

D. Disable the routing status of the sales.contoso.com name suffix on the forest trust from testking.com to contoso.com. Disable the routing status of the sales.cpandl.com name suffix on the forest trust from testking.com to cpandl.com.

Answer: B

Explanation: Authentication across a forest trust is governed by name suffix routing: a request is forwarded to the other forest only if the target name falls under a name suffix whose routing status is enabled on the trust. The forest trust with cpandl.com exists, but routing for the sales.cpandl.com suffix is disabled, so requests for that domain are never routed and testking.com users cannot reach its resources; enabling the routing status of sales.cpandl.com on the trust from testking.com to cpandl.com fixes that. No testking.com user needs sales.contoso.com, so disabling the routing status of that suffix on the trust with contoso.com removes a path nobody needs while leaving contoso.com itself routed.

Reference: http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/x_c_forestauthentication.asp

QUESTION NO: 215
You are the network administrator of TestKing. Your network consists of a single Active Directory forest that contains two domains named testking.com and Chicago.testking.com. The functional level of the forest is Windows Server 2003. The network contains two sites named New York and Chicago. A 128 kbps site link connects the New York and Chicago sites. The testking.com domain contains a domain controller named DC1 in the New York site. The Chicago.testking.com domain contains a domain controller named DC2 in the Chicago site. DC1 is an Active Directory-integrated DNS server and global catalog server. There are 1,500 users in the New York site and 80 users in the Chicago site. Users in the Chicago site report that it takes a long time to log on to the network. You need to ensure that the users in the Chicago site can log on faster. What should you do?

A. Decrease the value of the Maximum lifetime for user ticket Kerberos Policy in the Default Domain Policy Object (GPO) of the Chicago.testking.com domain.

B. Enable universal group membership caching for DC2 in Active Directory Sites and Services.
C. Enable the Interactive logon: Number of previous logons to cache security policy in the Default Domain Policy Object (GPO) of the Chicago.testking.com domain.
D. Decrease the value of the replication interval at the site link between the Chicago and New York sites.

Answer: B


Explanation: The forest contains more than one domain, so the domain controller that authenticates a user must obtain that user's universal group memberships, which are held only in the global catalog. DC2 in Chicago is not a global catalog server, so every logon in Chicago makes DC2 query DC1 across the 128 kbps link; that is what takes the time (and logons fail altogether if the link is down). Enabling universal group membership caching for the Chicago site lets DC2 keep the memberships locally after the first logon and refresh them periodically.

Global catalog server: A global catalog server is a domain controller that, in addition to a full, writable replica of its own domain partition and of the schema and configuration partitions, holds a partial, read-only replica of every other domain partition in the forest: every object, but only a subset of their attributes. Applications can therefore search the whole forest without contacting a domain controller in each domain.

Universal group membership caching: Universal group membership caching allows a domain controller to cache the universal group memberships of the users it authenticates. It is enabled per site for domain controllers running Windows Server 2003, through the Active Directory Sites and Services snap-in. It removes the need for a global catalog server in every site, which saves bandwidth because the domain controller does not have to replicate a partial copy of every domain in the forest, and it reduces logon times because the authenticating domain controller does not always need to contact a global catalog to obtain universal group membership information. With only 80 users in Chicago this is the lighter option than making DC2 a global catalog server.

Incorrect Answers:
A: Shortening the Kerberos ticket lifetime changes how often tickets are renewed; it does not speed up the initial logon.
C: Cached logons only apply when no domain controller can be reached. DC2 is available in Chicago, so this setting does not remove the global catalog lookup.
D: The replication interval does not affect the lookup of universal group memberships at logon time.

QUESTION NO: 216
You are the network administrator for your company. The company consists of three subsidiaries named Testking Ltd, Fabricam Inc and Adatum Corporation. The network consists of three Active Directory forests that include external trust relationships, as shown in the exhibit.


The functional level of each forest is Windows 2000. The functional level of each domain is Windows 2000 native. TestKing requires users in each domain to be able to access resources in all domains across all forests by using the minimum number of trust relationships. You need to ensure that users don’t have accounts in one of the other two forests. You need to accomplish this goal by using the minimum amount of administrative effort. You upgrade every domain controller to Windows Server 2003. Which additional action or actions should you take? (Choose all that apply).


A. Raise the functional level of each forest to Windows Server 2003.
B. Create shortcut trust relationships between each pair of child domains.
C. Replace the existing external trust relationships with two-way forest trust relationships.
D. Create a two-way forest trust relationship between testking.com and fabricam.com.

Answer: A, C, D

Explanation: While the forests are at the Windows 2000 forest functional level, the only trusts possible between them are external trusts, which are non-transitive: each one covers exactly one pair of domains, so reaching every domain in every forest needs a trust for every pair. Raising the functional level of each forest to Windows Server 2003 (possible now that every domain controller runs Windows Server 2003) makes forest trusts available; a single two-way forest trust is transitive across all domains of the two forests it joins, which is why replacing the external trusts with forest trusts reduces the number of trusts needed. Forest trusts do not chain through a third forest, however: with testking.com trusting adatum.com and adatum.com trusting fabricam.com, testking.com still does not trust fabricam.com. Each pair of forests therefore needs its own forest trust, so a two-way forest trust between testking.com and fabricam.com is added as well. Every user keeps a single account in the home forest and the trusts handle cross-forest authentication, so no user needs an account in another forest.

Incorrect Answers:
B: Shortcut trusts only speed up authentication between domains that already trust each other transitively within a forest; they add trust relationships rather than reduce them and do nothing for cross-forest access.

QUESTION NO: 217
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a forest root domain named testking.com and a child domain named child1.testking.com. The functional level of the forest is Windows Server 2003. The company uses universal groups to prevent temporary employees from accessing confidential information on computers in the forest. The child1.testking.com domain contains a Windows 2000 Server computer named TestKing1. TestKing1 runs an application that makes frequent LDAP queries to the global catalog. TestKing1 is located on a subnet associated with an Active Directory site named Site2 that has no global catalog servers. Site2 connects to another site by a WAN connection. You need to enable the application on TestKing1 to run at high performance levels and to continue operating if the WAN connection fails. You also need to minimize traffic over the WAN connection.

What should you do?
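The trust rules behind questions 210, 214 and 216 above, as an added Python example that is not part of the original material: which domain's users can authenticate to which domain, given external trusts (non-transitive, one pair of domains each), forest trusts (transitive across the two forests they join, never through a third forest) and, on forest trusts, name suffix routing. The forests and trusts, and the fabrikam.com spelling, are constructed for the example; suffix routing is simplified to "a name is routed unless it is, or lies under, a suffix whose routing is disabled".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str                   # domain (external) or forest root (forest trust) that trusts
    trusted: str                    # domain or forest root whose accounts are accepted
    kind: str                       # "forest" or "external"
    disabled_suffixes: frozenset = frozenset()   # forest trusts: suffixes with routing disabled


def two_way(a: str, b: str, kind: str, disabled=()) -> list:
    """A two-way trust is simply one trust in each direction."""
    d = frozenset(disabled)
    return [Trust(a, b, kind, d), Trust(b, a, kind, d)]


def forest_of(domain: str, forests: dict) -> str:
    for root, members in forests.items():
        if domain in members:
            return root
    raise KeyError(f"unknown domain {domain}")


def routed(name: str, trust: Trust) -> bool:
    """Name suffix routing, simplified: a name crosses the forest trust unless
    it is, or lies under, a suffix whose routing status has been disabled."""
    return not any(name == s or name.endswith("." + s) for s in trust.disabled_suffixes)


def can_authenticate(user_domain: str, resource_domain: str, trusts, forests: dict) -> bool:
    """Can accounts from user_domain authenticate to computers in resource_domain?"""
    uf, rf = forest_of(user_domain, forests), forest_of(resource_domain, forests)
    if uf == rf:
        return True   # parent/child and tree-root trusts are two-way and transitive inside a forest
    for t in trusts:
        if t.kind == "external":
            # Non-transitive: exactly this pair of domains, in this direction.
            if t.trusting == resource_domain and t.trusted == user_domain:
                return True
        elif t.kind == "forest":
            # Transitive across every domain of the two forests it joins, subject
            # to suffix routing, but never chained through a third forest.
            if (t.trusting == rf and t.trusted == uf
                    and routed(user_domain, t) and routed(resource_domain, t)):
                return True
    return False


# Constructed forests (not the page's exhibits) covering questions 210, 214 and 216.
FORESTS = {
    "testking.com": {"testking.com", "na.testking.com"},
    "proseware.com": {"proseware.com", "sa.proseware.com"},
    "cpandl.com": {"cpandl.com", "sales.cpandl.com"},
    "adatum.com": {"adatum.com"},
    "fabrikam.com": {"fabrikam.com"},
}

# Q210: the proseware forest is Windows 2000 level, so only external trusts, between the child domains.
Q210_TRUSTS = two_way("na.testking.com", "sa.proseware.com", "external")

# Q214: forest trust in place, but routing for the sales.cpandl.com suffix switched off.
Q214_BROKEN = two_way("testking.com", "cpandl.com", "forest", disabled={"sales.cpandl.com"})
Q214_FIXED = two_way("testking.com", "cpandl.com", "forest")

# Q216: testking <-> adatum and adatum <-> fabrikam forest trusts, none between testking and fabrikam.
Q216_TRUSTS = (two_way("testking.com", "adatum.com", "forest")
               + two_way("adatum.com", "fabrikam.com", "forest"))


if __name__ == "__main__":
    cases = [
        ("Q210 na -> sa", "na.testking.com", "sa.proseware.com", Q210_TRUSTS),
        ("Q210 root -> sa", "testking.com", "sa.proseware.com", Q210_TRUSTS),
        ("Q214 broken", "testking.com", "sales.cpandl.com", Q214_BROKEN),
        ("Q214 fixed", "testking.com", "sales.cpandl.com", Q214_FIXED),
        ("Q216 via adatum", "testking.com", "fabrikam.com", Q216_TRUSTS),
        ("Q216 direct", "testking.com", "fabrikam.com",
         Q216_TRUSTS + two_way("testking.com", "fabrikam.com", "forest")),
    ]
    for label, user, resource, trusts in cases:
        print(f"{label:16s} {user} -> {resource}: {can_authenticate(user, resource, trusts, FORESTS)}")
```

The three scenarios reproduce the answer keys: external trusts reach only the two domains they name (so the root domains in question 210 gain nothing), a disabled name suffix blocks one child domain while the rest of the forest stays reachable (question 214), and two forest trusts through adatum.com never add up to a path between testking.com and fabrikam.com until a direct forest trust is created (question 216).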

A. Enable universal group membership caching in Site2.
B. Configure at least one global catalog server in Site2.
C. Add the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures value to the registry on all domain controllers in Site2.
D. Remove TestKing1 from the child1.testking.com domain and add it to a workgroup.


Answer: B

Explanation: The application reads from the global catalog, and the nearest global catalog is in the other site, so every LDAP query crosses the WAN link and stops working when that link is down. Placing a global catalog server in Site2 lets the application reach it over the fast local LAN, keeps it running if the WAN fails, and removes the query traffic from the WAN (at the cost of the replication needed to keep the partial replica up to date).

Incorrect Answers:
A: Universal group membership caching only caches group memberships for logons. That is a small part of what the global catalog holds, and the application would still have to contact a global catalog server over the WAN for its queries.
C: IgnoreGCFailures lets a domain controller log users on when no global catalog can be reached, but the users' universal group memberships are then missing from their access tokens. Since the company relies on universal groups to keep temporary employees away from confidential data, that would weaken the control, and it does nothing for the application anyway.
D: The application cannot query the global catalog if the computer is not a member of the domain.

QUESTION NO: 218
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The domain contains 300 user accounts and 325 computer accounts. Different users on the network need different applications, depending on the department in which they work. All of these applications are packaged as .msi files. Many of the applications are updated every year. You receive many support calls from users who need applications reinstalled because of damaged installations. The company decides that the cost of installing and maintaining so many applications is too high. You need to implement a technology that will lower the cost of deploying user applications while minimizing user downtime.

What should you do?

A. Configure Group Policy Objects (GPOs) to assign applications to user accounts.
B. Install servers running Remote Installation Services on the network.
C. Place a server running Software Update Services (SUS) on the network and configure a GPO to enable updates for all client computers.
D. Install Microsoft Operations Manager and enable SNMP on the client computers.


Answer: A

Software installation
You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension.

Assigning Applications
When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications). When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

QUESTION NO: 219
You are the Network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. Windows 2000 domain controllers are located in two sites named Site1 and Site2. The domain contains an Organizational Unit (OU) named Accounting. Users in the accounting department log on to any client computer. You need to deploy an antivirus application to all computers on the network without user intervention. You also need to deploy a special accounting application to user accounts in the Accounting OU without user intervention. The accounting application must be available to users in the accounting department regardless of which computer they are using. You need to minimize the number of GPO links.

Name    Policy                   Setting
GPO 1   Computer Configuration   Assign the antivirus application
GPO 2   User Configuration       Assign the antivirus application
GPO 3   Computer Configuration   Assign the accounting application
GPO 4   User Configuration       Assign the accounting application
GPO 5   User Configuration       Publish the antivirus application
GPO 6   User Configuration       Publish the accounting application

Where should you link the GPOs? To answer, drag the appropriate application GPO or GPOs to the correct domain component or components in the work area.

Answer:


Explanation: We need to assign the antivirus application to computers and link the GPO to the domain level. This will ensure that all computers in the domain receive the antivirus application. We need to assign the accounting application to the accounting users. We can do this by linking the GPO to the OU that contains the user accounts of the accounting users. This will ensure that the accounting users receive the accounting application on any computer they log on to.

QUESTION NO: 220
You are the Network administrator for TestKing. The network consists of a single-domain Active Directory forest and a single Windows NT 4.0 domain. The functional level of the forest is Windows 2000. The Active Directory domain contains computer accounts and two Windows Server 2003 domain controllers. The Active Directory domain also uses Group Policy objects (GPOs). The Windows NT 4.0 domain contains user accounts. The Windows NT 4.0 domain also uses System Policy to configure users’ computers. You no longer want the settings that were configured by using the system policies applied to computers. What should you do?

A. Create a new system policy that contains user configuration settings that reverse the previous system policies. Replace the old system policies with the new system policies.

B. Create a new GPO that contains user configuration settings that reverse the previous system policies. Apply the new GPO to the Active Directory domain.

C. Raise the functional level of the Active Directory domain to Windows Server 2003 interim.
D. Raise the functional level of the forest to Windows Server 2003 interim.

Answer: A

Explanation: Unlike Windows 2000 (or later) GPOs, Windows NT system policy settings stay in place even after the system policy is removed. To remove the system policy settings, we must create another system policy that reverses the settings from the previous system policies.

Incorrect Answers:
B: Group Policy Objects (GPOs) have no effect on Windows NT computers.
C: The functional level of the forest or domain will have no effect on the computers in the Windows NT domain.
D: The functional level of the forest or domain will have no effect on the computers in the Windows NT domain.
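The GPO link reasoning in Question 219 above (computer-assigned antivirus linked at the domain, user-assigned accounting application linked at the Accounting OU) can be made concrete. The following Python model is an added example, not code from the original document: containers are written as slash-separated paths, each GPO link carries a section (Computer Configuration or User Configuration) and a settings dictionary, and the resultant set of policy for a logon is computed by walking from the domain down to the object's own OU with later links overriding earlier ones. It also shows what happens to a user-assigned setting when the user account is moved to another OU. The OU names other than Accounting (Workstations, Labs, Sales), the "GPO Lab" link and the setting keys are constructed for illustration.

```python
"""Added example: resultant Group Policy for a logon, modelling the GPO links
chosen in Question 219. Container names other than the Accounting OU, the
"GPO Lab" link and all setting keys are constructed for illustration."""

from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class GPOLink:
    gpo: str            # display name of the linked GPO
    container: str      # link target as a path: domain, then OUs from top to bottom
    section: str        # "computer" (Computer Configuration) or "user" (User Configuration)
    settings: dict      # setting name -> value carried by that section of the GPO


def container_chain(container: str) -> list[str]:
    """Processing order for an object in `container`: domain first, then each OU top-down."""
    parts = container.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def resolve(links: list[GPOLink], section: str, container: str) -> dict:
    """Resultant settings for one configuration section.

    Links closer to the object (deeper OUs) are applied last and therefore win
    when two GPOs set the same value; links for the other section are ignored.
    """
    result: dict = {}
    for level in container_chain(container):
        for link in links:
            if link.container == level and link.section == section:
                result.update(link.settings)
    return result


def rsop(links: list[GPOLink], user_container: str, computer_container: str) -> dict:
    """What one logon receives: computer settings follow the computer account's
    container, user settings follow the user account's container."""
    return {
        "computer": resolve(links, "computer", computer_container),
        "user": resolve(links, "user", user_container),
    }


def settings_lost_on_move(links: list[GPOLink], section: str,
                          old_container: str, new_container: str) -> set[str]:
    """Settings that stop applying when an account is moved between OUs.

    A user-assigned application in this set has fallen out of the scope of
    management; whether it is removed from the computer depends on the
    package's uninstall-on-fall-out-of-scope option.
    """
    before = resolve(links, section, old_container)
    after = resolve(links, section, new_container)
    return {key for key in before if key not in after}


# Links from the answer to Question 219: GPO 1 (Computer Configuration, assign
# antivirus) at the domain, GPO 4 (User Configuration, assign accounting app)
# at the Accounting OU. "GPO Lab" is constructed to show override behaviour.
LINKS = [
    GPOLink("GPO 1", "testking.com", "computer", {"software:antivirus": "assigned"}),
    GPOLink("GPO 4", "testking.com/Accounting", "user", {"software:accounting": "assigned"}),
    GPOLink("GPO Lab", "testking.com/Workstations/Labs", "computer",
            {"software:antivirus": "assigned (lab build)"}),
]

# The alternative offered in the question's table and rejected by the answer:
# GPO 3 assigns the accounting application in Computer Configuration at the same OU.
WRONG_LINKS = [
    GPOLink("GPO 1", "testking.com", "computer", {"software:antivirus": "assigned"}),
    GPOLink("GPO 3", "testking.com/Accounting", "computer", {"software:accounting": "assigned"}),
]


def demo() -> dict:
    """Scenarios worth comparing; returned rather than printed so they can be checked."""
    return {
        # accounting user on an ordinary workstation: gets both applications
        "acct_on_ws": rsop(LINKS, "testking.com/Accounting", "testking.com/Workstations"),
        # same user on a lab computer: the deeper OU link overrides the domain link
        "acct_on_lab": rsop(LINKS, "testking.com/Accounting", "testking.com/Workstations/Labs"),
        # sales user on the same workstation: antivirus only
        "sales_on_ws": rsop(LINKS, "testking.com/Sales", "testking.com/Workstations"),
        # a Computer Configuration link at the Accounting OU never reaches a
        # computer whose account lives elsewhere
        "wrong_design": rsop(WRONG_LINKS, "testking.com/Accounting", "testking.com/Workstations"),
        # user account moved out of Accounting: the accounting app is out of scope
        "moved_out": settings_lost_on_move(LINKS, "user", "testking.com/Accounting", "testking.com/Sales"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `wrong_design` scenario is the reason the answer links a User Configuration GPO rather than a Computer Configuration one: the computer accounts are not in the Accounting OU, so a computer-side link there applies to nobody, whereas the user-side link follows the account to whichever computer it logs on to.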


QUESTION NO: 221
You are the Network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All domain controllers run Windows Server 2003. The user accounts for the processing department are located in an Organizational Unit (OU) named Processing. You need to deploy an application to all users in the processing department. You create a Group Policy Object (GPO) and link it to the Processing OU. You place the .msi file for the application in a shared folder on the network. You configure the User Configuration section of the GPO to deploy the application. You need to ensure that the application is immediately ready for use when a user logs on to a client computer. You also need to prevent any user from continuing to use the application if the user’s user account is moved to another OU.

What should you do?

Answer:


Select the following check boxes:

1) Assigned.
2) Uninstall this application when it falls out of the scope of management.
3) Install this application at logon.
4) Basic

Explanation: We need to assign the application to the users and select the “Install this application at logon” option to ensure that the application is immediately ready for use when a user logs on to a client computer. To prevent any user from continuing to use the application if the user’s user account is moved to another OU, we need to select the “Uninstall this application when it falls out of the scope of management” option. The “Basic” option ensures that the application installs with minimal (or no) user intervention.

QUESTION NO: 222
You are the network administrator for TestKing. The company has offices in Toronto, New York and Chicago. The network connections are shown in the exhibit.


The network consists of two Active Directory domains. User objects for users in the Toronto office and the New York office are stored in the testking.com domain. User objects for users in the Chicago office are stored in the production.testking.com domain. Active Directory is configured as shown in the following table.

Location   Number of users   Number of domain controllers   Number of global catalog servers
Toronto    650               4                              2
New York   15                1                              0
Chicago    500               3                              2

Users in the New York office frequently report that they cannot log on to the network or that logging on takes a very long time. You notice increased global catalog queries to the servers in the Toronto office during peak logon times due to replication.


What should you do?

A. Configure the domain controller in the New York office as a global catalog server.
B. Configure Active Directory to cache universal group memberships for the Toronto office.
C. Install an additional domain controller in the New York office.
D. Configure Active Directory to cache universal group memberships for the New York office.

Answer: D

Explanation: It takes a long time to log on in the New York site because the New York domain controller needs to contact a global catalog server over a WAN link to the Toronto site to obtain universal group information whenever someone logs on.

Global catalog server
A global catalog server is a domain controller that stores information about all objects in the forest, but not their attributes, so that applications can search Active Directory without referring to specific domain controllers that store the requested data. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting.

Universal group membership caching
Universal group membership caching allows the domain controller to cache universal group membership information for users. You can enable domain controllers that are running Windows Server 2003 to cache universal group memberships by using the Active Directory Sites and Services snap-in. Enabling universal group membership caching eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

QUESTION NO: 223
You are a network administrator for TestKing. The network contains a perimeter network. The perimeter network contains four Windows Server 2003, Web Edition computers that are configured as a Network Load Balancing cluster. The cluster hosts an e-commerce Web site that must be available 24 hours per day. The cluster is located in a physically secure data center and uses an Internet-addressable virtual IP address. All servers in the cluster are configured with the Hisecws.inf template. You need to implement protective measures against the cluster’s most significant security vulnerability.


What should you do?

A. Use Encrypting File System (EFS) for all files that contain confidential data stored on the cluster.
B. Use packet filtering on all inbound traffic to the cluster.
C. Use Security Configuration and Analysis regularly to compare the security settings on all servers in the cluster with the baseline settings.
D. Configure private IP addresses for the servers.
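Packet filtering, one of the options above, decides on nothing more than the header fields of each packet. The following Python model is an added example, not code from the original document: a stateless first-match filter placed in front of the cluster's Internet-addressable virtual IP, allowing only the published web service and dropping everything else. The VIP, the node address, the client addresses (all from documentation ranges), the rules and the sample packets are constructed. The last sample packet carries an IPsec ESP payload; its port numbers sit inside the encrypted part, so the only fields the filter can match are the addresses and the protocol, and a rule that needs a port can never match it.

```python
"""Added example (not from the original document): a stateless IP packet
filter applied to inbound traffic for an NLB cluster's Internet-addressable
virtual IP. All addresses (TEST-NET documentation ranges), rules and sample
packets are constructed."""

from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

VIP = ip_network("203.0.113.10/32")   # the cluster's virtual IP (constructed)


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter can see."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", "esp"
    dst_port: Optional[int] = None  # None when the header carries no port (ICMP, IPsec ESP)


@dataclass(frozen=True)
class Rule:
    """A rule field left as None matches anything."""
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None
    dst: Optional[IPv4Network] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


# Inbound policy for the web cluster: only the published web service on the
# VIP is reachable from the Internet; everything else, including management
# protocols and the nodes' own addresses, is dropped by the final rule.
INBOUND_RULES = [
    Rule("allow", proto="tcp", dst=VIP, dst_port=80),
    Rule("allow", proto="tcp", dst=VIP, dst_port=443),
    Rule("deny"),                               # default deny
]


def filter_packet(p: Packet, rules: list[Rule] = INBOUND_RULES) -> str:
    """First matching rule wins, as in a classic stateless packet filter."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # no rule matched at all: still deny


# Constructed inbound packets; 203.0.113.17 stands for a node's own address.
SAMPLE_INBOUND = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),    # HTTPS to the VIP
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80),     # HTTP to the VIP
    Packet("198.51.100.9", "203.0.113.10", "tcp", 445),    # SMB to the VIP
    Packet("198.51.100.9", "203.0.113.10", "tcp", 3389),   # RDP to the VIP
    Packet("198.51.100.9", "203.0.113.17", "tcp", 80),     # HTTP to a node's own address
    Packet("198.51.100.9", "203.0.113.10", "esp"),         # IPsec ESP: ports are inside the encrypted payload
]


def decisions(packets: list[Packet] = SAMPLE_INBOUND) -> list[tuple[str, str, Optional[int], str]]:
    """(proto, dst, dst_port, verdict) for each packet."""
    return [(p.proto, p.dst, p.dst_port, filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for proto, dst, port, verdict in decisions():
        print(f"{proto:4s} -> {dst}:{port if port is not None else '-':<5} {verdict}")
```

Because the filter keeps no connection state, it cannot tell a reply to a connection the cluster opened from an unsolicited packet; that distinction is what the stateful inspection products mentioned later on this page add on top of the same header checks.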

Answer: B

Explanation: The most sensitive element in this case is the network card that uses an Internet-addressable virtual IP address. The question doesn’t mention a firewall implementation or an intrusion detection system (usually hardware). Therefore, we should set up packet filtering.

REF: Deploying Network Services (Windows Server 2003 Reskit), Using a Perimeter Network

IP packet filtering
You can configure packet filtering, the earliest implementation of firewall technology, to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information. Packet filtering is a limited technology that works best in clear security environments where, for example, everything outside the perimeter network is not trusted and everything inside is. You cannot use IP packet filtering when IP packet payloads are encrypted because the port numbers are encrypted and therefore cannot be examined. In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol inspection.

QUESTION NO: 224
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain. The network includes 30 servers running Windows Server 2003 and 2000 client computers running Windows XP Professional. 20 member servers are located in an organisational unit (OU) named Servers. 10 domain controllers are in the default Domain Controllers container. All 2000 client computers are located in an organisational unit (OU) named Clients. The member servers are configured with the following security settings:

• Logon events must be audited.
• System events must be audited.
• Passwords for local user accounts must meet complexity requirements.
• Passwords must be changed every 30 days.
• Password history must be enforced.
• Connections to the servers must be encrypted.

The written security policy states that you need to be able to verify the custom security settings during audits. You need to deploy and refresh the custom security settings on a routine basis. What should you do?

A. Create a custom security template and apply it by using a Group Policy linked to the Servers OU.
B. Create a custom security template and apply it by using a Group Policy linked to the domain.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using disk imaging software.

Answer: A

Explanation: The easiest way to deploy multiple security settings to a group of Windows Server 2003 computers is to create a security template with all the required settings and import the settings into a GPO. In this case, the security settings apply to local accounts on the servers. This means that we can apply the settings with a GPO linked to an Organisational Unit containing the servers.

Incorrect Answers:
B: The security settings need to apply to the member servers only. Applying the GPO to the domain would affect all computers in the domain.
C: We need a security template, not an administrative template.
D: We cannot use imaging in this way.

QUESTION NO: 225
You are the administrator of the Woodgrove Bank company network. The network consists of a single Active Directory domain. The network includes 10 domain controllers running Windows Server 2003, 30 member servers running Windows Server 2003, 500 client computers running Windows XP Professional and 200 client computers running Windows NT 4.0 Workstation. WINS and DNS are used for name resolution. You log in to a member server named Server15. You attempt to connect to another member server named Server5, but you are unable to connect. You receive the following error message: “System error 67 has occurred. The network name cannot be found”.


To troubleshoot the problem, you try to ping Server5. The results are shown in the exhibit.

You need to be able to connect to Server5 by host name and IP address. What should you do? (Each correct answer presents a complete solution. Choose two)

A. Open compmgmt.msc. Use the “Connect to another computer” option.
B. Open a command prompt on Server5. Run the nbtstat –RR command.
C. Open a command prompt on Server15. Run the ipconfig /flushdns command.
D. Open a command prompt on Server5. Run the ipconfig /renew command.
E. Open a command prompt on Server5. Run the ipconfig /registerdns command.

Answer: B, E

Explanation: The server does not respond to its DNS name or to its IP address, which means that either it is offline or its IP address has changed and it is still registered with the old IP address (192.168.202.8). Running ipconfig /registerdns will register Server5 in DNS. The nbtstat –RR command will re-register Server5 with WINS.

QUESTION NO: 226


You are the administrator of the TestKing company network. The network consists of a single Active Directory domain. The network includes 10 servers running Windows Server 2003 and 500 client computers running Windows XP Professional. You create a Group Policy object (GPO) that redirects the Start menu for users to a shared folder on a file server. Some users report that many of the programs that they normally use are missing from their Start menus. You log on to a client computer named Client1. All of the required programs appear on the Start menu. The users are able to connect to the shared folder. You suspect that changes made to one or more GPOs are causing the problem. You need to find out why some Start menu items are not appearing for some users. What should you do?

A. On the file server that hosts the shared folder, run the gpresult command.
B. On one of the affected client computers, run the gpresult command.
C. On one of the affected client computers, run the gpupdate command.
D. On one of the affected client computers, run the secedit command.

Answer: B

Explanation: Because you can apply overlapping levels of policies to any computer or user, the Group Policy feature generates a resulting set of policies at logon. Gpresult displays the resulting set of policies that were enforced on the computer for the specified user at logon.

Incorrect Answers:
A: We need to run the gpresult command on one of the affected client computers, not on the server that hosts the shared folder.
C: The gpupdate command refreshes the group policies applied to a computer or user. We need to use the gpresult command to determine the result of all the policies that apply to the computer.
D: The secedit command is the command-line version of the Security Configuration and Analysis utility. This has nothing to do with the effects of group policies.

QUESTION NO: 227
You are the administrator of the TestKing company network. The network consists of a single Active Directory domain. The network includes 10 servers running Windows Server 2003 and 500 client computers running Windows XP Professional, Windows 2000 Professional or Windows NT 4.0 Workstation. The legal department requests that you configure all computers in the network to display a legal notice when someone logs on to a computer. You need to configure the computers to display the legal notice. What should you do? (Choose two).

A. Use gpedit.msc to create a Group Policy object (GPO) that includes the appropriate settings in the interactive logon section. Link the GPO to the domain.

B. Create a logon script to display the legal message. Use gpedit.msc to create a Group Policy object (GPO) linked to the Users container to run the script when a user logs in.

C. Use poledit.exe to create a system policy file named Ntconfig.pol that includes the appropriate settings. Place a copy of this file in the appropriate folder on the domain controller.

D. Use a text editor to create a batch file named Autoexec.bat that presents the required warning. Copy the file to the C:\ drive on all computers in the network.

Answer: A, C

Explanation: We need to configure a GPO to display the logon message that will apply to the Windows 2000 and Windows XP clients. We need to configure a system policy to display the logon message that will apply to the Windows NT clients. This policy is created with the System Policy Editor. System policies are used by network administrators to configure and control individual users and their computers. Administrators use POLEDIT.EXE to set Windows NT profiles that are either network- or user-based. Using this application, you can create policies, which are either local or network-driven, that can affect Registry settings for both hardware and users. The file created to apply the policy is named NTConfig.pol.

Interactive logon: Message text for users attempting to log on
Description: This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Default: No message.
Configuring this security setting: You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Reference: Group Policy Help

QUESTION NO: 228
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. TestKing has a main office and four branch offices. Each branch office is connected to the main office by a WAN connection. You configure an Active Directory site for each office. The sites and WAN connections are shown in the exhibit.


You need to create site links to minimize replication traffic over WAN connections. Which site link or site links should you create? To answer, drag the appropriate site link or site links to the correct location or locations in the work area.


Answer:

QUESTION NO: 229
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com with three sites named Site1, Site2, and Site3. Site links are configured between the sites so that Site1 and Site3 are connected by using Site2. The site links are configured as shown in the following table.

Site link                 Replication schedule      Replication interval   Cost
Site1 – Site2 site link   1:00 A.M. – 6:00 A.M.     60 minutes             200
Site2 – Site3 site link   8:00 P.M. – 1:00 A.M.     30 minutes             500

All user and group accounts are managed by network administrators at Site1. Users at Site3 report that it takes more than a day for changes made to Active Directory at Site1 to be visible in the domain at Site3. You must ensure that the changes made to Active Directory at Site1 between 8:00 A.M. and 6:00 P.M. are visible at Site3 when the business opens at 8:00 A.M. the next day. What should you do?

A. Modify the replication interval for the site link between Site1 and Site2 to 30 minutes.
B. Modify the replication schedule for the site link between Site2 and Site3 to replicate between 6:00 P.M. and 1:00 A.M.
C. Modify the site link cost between Site2 and Site3 to be 200.


D. Modify the replication schedule for the site link between Site1 and Site2 to replicate between 9:00 P.M. and 2:30 A.M.
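The timing in this question can be checked rather than guessed. The following Python model is an added example, not part of the original document: it walks a change made at Site1 through each site link's schedule window and replication interval and reports when the change reaches Site3, for the current configuration in the table and for each of the four proposed modifications. It assumes, as a simplification, that a replication attempt occurs at the start of each schedule window and every interval thereafter while the window is open, and that each replication completes as soon as it starts.

```python
"""Added example (not part of the original document): propagate a change
made at Site1 through the site links in Question 229's table and report
when it reaches Site3, for the current configuration and each option."""

from __future__ import annotations
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def hm(hours: int, minutes: int = 0) -> int:
    """Clock time as minutes after midnight."""
    return hours * 60 + minutes


def fmt(t: int) -> str:
    """Absolute minutes (0 = Monday 00:00) rendered as e.g. 'Tue 01:00'."""
    day, rem = divmod(t, MINUTES_PER_DAY)
    return f"{DAYS[day % 7]} {rem // 60:02d}:{rem % 60:02d}"


@dataclass(frozen=True)
class SiteLink:
    name: str
    window_start: int   # schedule window start, minutes after midnight
    window_end: int     # window end; a value before the start wraps past midnight
    interval: int       # replication interval inside the window, minutes
    cost: int           # only influences route selection, not timing on a fixed route

    def next_replication_after(self, t: int) -> int:
        """Earliest replication attempt strictly after absolute time t.

        Assumption (simplification, not from the document): attempts happen at
        the window start and every `interval` minutes while the window is
        open, and each replication completes as soon as it starts.
        """
        duration = (self.window_end - self.window_start) % MINUTES_PER_DAY
        today = t // MINUTES_PER_DAY
        candidates = []
        for day in range(today - 1, today + 3):     # neighbouring days cover wrapped windows
            start = day * MINUTES_PER_DAY + self.window_start
            attempt = start
            while attempt < start + duration:
                if attempt > t:
                    candidates.append(attempt)
                    break
                attempt += self.interval
        return min(candidates)


def arrival_at_site3(change_time: int, route: list[SiteLink]) -> int:
    """Walk the change over each link in turn (Site1 -> Site2 -> Site3)."""
    t = change_time
    for link in route:
        t = link.next_replication_after(t)
    return t


def meets_deadline(change_time: int, route: list[SiteLink], opens_at: int = hm(8)) -> bool:
    """True if the change is at Site3 by opening time on the following day."""
    next_day = (change_time // MINUTES_PER_DAY + 1) * MINUTES_PER_DAY
    return arrival_at_site3(change_time, route) <= next_day + opens_at


# Current configuration, straight from the question's table.
S1_S2 = SiteLink("Site1 - Site2", hm(1), hm(6), 60, 200)
S2_S3 = SiteLink("Site2 - Site3", hm(20), hm(1), 30, 500)

# One route per answer option, each carrying exactly the modification it proposes.
OPTIONS = {
    "current": [S1_S2, S2_S3],
    "A": [SiteLink("Site1 - Site2", hm(1), hm(6), 30, 200), S2_S3],
    "B": [S1_S2, SiteLink("Site2 - Site3", hm(18), hm(1), 30, 500)],
    "C": [S1_S2, SiteLink("Site2 - Site3", hm(20), hm(1), 30, 200)],
    "D": [SiteLink("Site1 - Site2", hm(21), hm(2, 30), 60, 200), S2_S3],
}


def evaluate(change_time: int) -> dict[str, tuple[str, bool]]:
    """For each option: when the change is visible at Site3, and whether that meets the 08:00 deadline."""
    return {
        name: (fmt(arrival_at_site3(change_time, route)), meets_deadline(change_time, route))
        for name, route in OPTIONS.items()
    }


def options_meeting_requirement() -> list[str]:
    """Options that work for both the earliest (08:00) and the latest (18:00) change of a business day."""
    return [
        name for name, route in OPTIONS.items()
        if name != "current" and all(meets_deadline(t, route) for t in (hm(8), hm(18)))
    ]


if __name__ == "__main__":
    for name, (when, ok) in evaluate(hm(18)).items():
        print(f"{name:8s} change at Mon 18:00 reaches Site3 {when}; before Tue 08:00: {ok}")
    print("options meeting the requirement:", options_meeting_requirement())
```

For the latest change of the business day (Monday 6:00 P.M.) the current schedule, and options A, B and C alike, hold the change at Site1 until the Site1–Site2 window opens at 1:00 A.M. Tuesday, after which the next Site2–Site3 window is Tuesday evening. Only the schedule change in option D moves the first hop to Monday evening, so the change is at Site3 before Tuesday 8:00 A.M.; the cost in option C plays no part because there is only one route.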

Answer: D

Explanation: Example: An administrator in Site1 makes a change to Active Directory at 10:00 A.M. on Monday morning. This information is replicated to Site2 between 1:00 A.M. and 6:00 A.M. on Tuesday morning. This information is then replicated to Site3 between 8:00 P.M. and 1:00 A.M. on Tuesday evening. Users in Site3 see the changes when they start work on Wednesday morning.

If we change the replication schedule for the site link between Site1 and Site2 to replicate between 9:00 P.M. and 2:30 A.M., the example would look like this: An administrator in Site1 makes a change to Active Directory at 10:00 A.M. on Monday morning. This information is replicated to Site2 between 9:00 P.M. and 2:30 A.M. on Monday evening. This information is then replicated to Site3 between 8:00 P.M. and 1:00 A.M. on Monday evening. Users in Site3 see the changes when they start work on Tuesday morning.

QUESTION NO: 230
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains one domain. The company has its main office and one branch office in San Francisco. The company has additional branch offices in Chicago, New York, and Toronto. Administrators at the main office are responsible for managing all objects in the domain. Administrators at each branch office are responsible for managing user and computer objects for employees who work in the same branch office as the administrator. Administrators for the San Francisco branch office are also responsible for managing user and computer objects for employees who work in the main office. These users are managed as a single unit. You want administrators to be authorized to make changes only to the objects for which they are responsible. You need to plan an organizational unit (OU) structure that allows the delegation of required permissions. You want to achieve this goal by using the minimum amount of administrative effort. Which OU structure should you use?

A.


B.


C.

D.


Answer: A

Explanation: Administrators at each branch office are responsible for managing user and computer objects for employees who work in the same branch office as the administrator. A separate OU for each office will achieve this. Administrators for the San Francisco branch office are also responsible for managing user and computer objects for employees who work in the main office. We can put the main office user and computer accounts in the San Francisco OU. Administrators at the main office are responsible for managing all objects in the domain. The main office administrators can be granted permissions at the domain level. The permissions will apply to all OUs.

QUESTION NO: 231
You are the network administrator for A. Datum Corporation. The company has a subsidiary named TestKing. The A. Datum Corporation network consists of a single Active Directory forest. The forest contains one domain named adatum.com. The functional level of the domain is Windows Server 2003. The TestKing network consists of a single Windows NT 4.0 domain named TESTKING. A file server named Server1 is a member of the adatum.com domain. All users in both domains need to save files on Server1 every day. You need to allow users in the TestKing domain to access files on Server1. You need to ensure that the domain administrators of the TestKing domain cannot grant users in the adatum.com domain permissions on servers in the TestKing domain. What should you do?

A. Upgrade the TestKing domain to Windows Server 2003 and make this domain the root domain of a second tree in the existing forest.

B. Upgrade the TestKing domain to Windows Server 2003 and make this domain the root domain of a new forest. Create a two-way forest trust relationship.

C. Create a one-way external trust relationship in which the adatum.com domain trusts the TestKing domain.


D. Create a one-way external trust relationship in which the TestKing domain trusts the adatum.com domain.

Answer: C

Explanation: Users in the TESTKING domain need to access resources on Server1 in adatum.com, while TESTKING administrators must not be able to grant adatum.com users permissions on TESTKING servers. Access across a trust flows one way only: the trusting domain's resources become available to the trusted domain's users. So adatum.com must trust TESTKING and not the other way round, which is a one-way external trust in which the adatum.com domain trusts the TESTKING domain. Because TESTKING does not trust adatum.com, adatum.com security principals cannot be resolved or added to ACLs on TESTKING servers. As a practical caveat, Windows Server 2003 enables SID filtering on newly created external trusts by default, which prevents SIDs injected into the trusted NT 4.0 domain's tokens from being honoured in adatum.com.

Incorrect Answers:
A: It is not necessary to upgrade the TESTKING domain. Domains in the same forest are joined by two-way transitive trusts, so TESTKING administrators could grant adatum.com users permissions on TESTKING servers.
B: It is not necessary to upgrade the TESTKING domain, and a two-way forest trust would likewise allow TESTKING administrators to grant permissions to adatum.com users.
D: This trust runs in the wrong direction: TESTKING administrators could grant adatum.com users permissions on TESTKING servers, and users in the TESTKING domain still could not access Server1 in adatum.com.

QUESTION NO: 232
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The company has its main office in Chicago and branch offices in Toronto and New York. The main office contains a sales department and a marketing department. The company's MIS department is responsible for administration of the entire domain. Each office has an IT group that is responsible for the administration of user accounts. In addition, the main office MIS group has one administrator to manage the sales department and one administrator to manage the marketing department. You need to plan the organizational unit (OU) structure for TestKing. You want administrators to be delegated control to only objects for which they are responsible. Your plan must ensure that permissions can be maintained by using the minimum amount of administrative effort. Which OU structure should you use?

*MISSING* (answer options A through D are exhibits)

Answer: A

Explanation: The company's MIS department is responsible for administration of the entire domain, so it can be granted permissions at the domain level; these permissions are inherited by every OU in the domain. Each office has an IT group responsible for administering user accounts, so a separate OU for each office allows the necessary delegation of control. The main office MIS group has one administrator for the sales department and one for the marketing department; child OUs under the main office (Chicago) OU allow control of each department to be delegated separately.

QUESTION NO: 233
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All servers run Windows Server 2003.

You create a Group Policy object (GPO) to publish an .msi file that installs a graphics application. The company approves the use of a new graphics application to replace the old graphics application. The new application is installed by using an .msi file. Current users can continue to use the old application, or they can start using the new application whenever they choose. To prevent support issues, both applications must not be installed at the same time. You need to configure the user accounts so that users can migrate to the new application. What should you do?

A. Create a new GPO to publish the new application. Configure the link for the new GPO to have a higher priority than the GPO that installs the old application.

B. Create a new GPO to assign the new application. Disable the GPO that installed the old application.

C. Create a new GPO to publish the new application. Configure the GPO to upgrade and replace the existing application with the new application, but do not make it a requirement.

D. Copy the .msi file for the new application to the same location as the .msi file for the old application.

Answer: C

Explanation: The new application must be published rather than assigned. An assigned application installs automatically, but users must be able to keep using the old application if they want to; publishing leaves them the choice, and they install the new application from Add or Remove Programs in Control Panel. To prevent the old and new versions from coexisting, the new package is configured (on the Upgrades tab of the package properties) as an upgrade that uninstalls the old package, with the "Required upgrade for existing packages" option left cleared so that the upgrade remains optional.

Incorrect Answers:
A: Link order only decides which GPO wins when settings conflict; it does not make the new application replace the old one when it is installed.
B: An assigned application installs automatically, but users must be able to continue using the old application if they want to.
D: Copying the .msi file neither installs the new application nor replaces the old one.

QUESTION NO: 234
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All users have user accounts in an organizational unit (OU) named CompanyUsers. The CompanyUsers OU is configured as shown in the exhibit. *MISSING* You discover that no Group Policy settings are being applied to most users when they log on to client computers in the domain. When administrators log on, they receive the appropriate Group Policy settings. You examine the event log on one of the client computers. You find the error message shown in the Event Properties exhibit: *MISSING* You need to correct the problem in the network so that Group Policy settings are applied for all users. What should you do?

A. Assign the SYSTEM account the Allow – Full Control permission for child objects in the CompanyUsers OU.

B. Assign the Authenticated Users group the Allow – Read, the Allow – Read All Properties, and the Allow – List Contents permissions for the CompanyUsers OU.

C. Assign the Everyone group the Allow – Read and the Allow – Apply Group Policy permissions for the Default Domain Controllers Policy Group Policy object (GPO).

D. Assign the Domain Users group the Allow – Full Control permission for the Default Domain Policy Group Policy object (GPO).

Answer: B

Explanation: User Group Policy is processed by reading the gPLink attribute of the OU that contains the user account (and of its parent containers). By default the Authenticated Users group has Read, Read All Properties and List Contents permissions on every OU; if those entries have been removed from the CompanyUsers OU, ordinary users can no longer enumerate the GPOs linked to their OU, no user settings are applied, and the Userenv error seen in the event log is recorded on the client. Administrators are unaffected because they hold their own permissions on the OU. Restoring the default Authenticated Users permissions on the CompanyUsers OU corrects the problem without granting anything beyond the defaults.

Incorrect Answers:
A: Permissions for the SYSTEM account on the OU's child objects play no part in user policy processing for logged-on users.
C: The Default Domain Controllers Policy is linked to the Domain Controllers OU and is never applied to users logging on to client computers, so changing its permissions cannot fix the problem.
D: Full Control on the Default Domain Policy is far broader than needed and does not restore the missing permissions on the OU.

QUESTION NO: 235
You are the network administrator for TestKing. You are responsible for planning the deployment and configuration of applications by using Group Policy objects (GPOs). Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All user accounts are located in an organizational unit (OU) named Accounts. All client computers run Windows XP Professional and are located in an OU named Workstations. All managers in the company need to use a management application. This application is sent by a hyperlink contained in an e-mail message to the users who require it. The managers need this application regardless of the computer that they are using at any given time. A software update for the application is now available. You need to update the application on all computers that have the application installed. What should you do?

A. Configure a GPO to install the software update by using a WMI filter. Link the GPO to the Accounts OU.


B. Configure a GPO that requires the installation of the software update. Link the GPO to the Workstations OU.

C. Create a .zap file for the software update, and configure a GPO to install the .zap file. Link the GPO to the Accounts OU.

D. Configure a GPO to enable automatic updates and to install the software update. Link the GPO to the Workstations OU.

Answer: B

Explanation: A computer-based GPO linked to the Workstations OU reaches every client regardless of which manager logs on, which is what is required since the managers use different computers. Configured as a required upgrade of the existing package, the update is applied on the workstations that have the application installed; where the application is not installed, the update is not installed.

Software installation
You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers by using this extension.

Assigning applications
When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications). When assigning applications to users, the default behavior is that the application is advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use it. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer starts. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package.

QUESTION NO: 236
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The company restricts all users so that they can use only authorized applications. All domain users are authorized to use the Microsoft Office suite of applications. Members of a security group named CRM Users are also authorized to use a customer relationship management (CRM) application.

You configure Group Policy objects (GPOs) as shown in the exhibit. *MISSING*

The Office Applications GPO has only the Microsoft Office applications listed as allowed applications. The CRM Application GPO has only the CRM application listed as an allowed application. The CRM Application GPO has security settings so that it applies only to members of the CRM Users security group. Users who are members of the CRM Users security group report that they cannot run the CRM application. You need to reconfigure the domain to meet the following requirements:

All users must be able to run the Microsoft Office applications. Members of the CRM Users security group must be able to run the CRM application. All users must be prevented from running unauthorized software.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure the Default Domain Policy GPO so that the CRM application is published to the members of the CRM Users security group.

B. Disable the No Override setting for the CRM Application GPO. Leave the CRM Application GPO linked to the domain.

C. Reorder the GPOs so that the CRM Application GPO is higher in the list than the Office Application GPO.

D. Create a new OU. Move the user accounts for all members of the CRM Users security group into this OU. Link the CRM Application GPO to this OU. Enable the Block Policy inheritance setting for this OU. Unlink the CRM Application GPO from the domain.

E. Add the Microsoft Office applications to the list of allowed applications in the CRM Application GPO.

Answer: C, E

Explanation: Software restriction policies from different GPOs are not merged: the GPO processed last replaces the whole policy, including the list of allowed applications. Since CRM users cannot run the CRM application, the Office Applications GPO must currently have the higher precedence, so CRM users end up with a policy that allows only Office. Moving the CRM Application GPO higher in the list makes it the GPO processed last for CRM users; because its policy then replaces the Office policy outright, it must itself list the Office applications as well. The CRM Application GPO is still filtered to the CRM Users group, so all other users keep the Office-only policy and unauthorized software stays blocked for everyone.
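As an added diagnostic that is not part of the TestKing material, the PowerShell script below reads the software restriction policy that actually reached a client after Group Policy processing, so the "last GPO wins" behaviour can be seen directly. It assumes the standard Safer registry locations and that PowerShell is available on the client; the rule paths it prints are whatever the GPOs defined.

```powershell
# Added example (not from the TestKing material): show the software restriction
# policy that is in force on a client after Group Policy processing.
# Assumptions: the standard Safer registry keys; run on the client as the user
# who cannot start the CRM application (user policy) or elevated (computer policy).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SaferPolicy {
    param([string]$Hive)   # 'HKLM' = computer configuration, 'HKCU' = user configuration
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { return "$Hive : no software restriction policy applied" }

    # DefaultLevel is what runs when no rule matches; an "allowed applications"
    # design sets it to Disallowed and adds Unrestricted path rules.
    $default = (Get-ItemProperty -Path $base).DefaultLevel
    "$Hive default security level: $($levelNames[[int]$default])"

    # Rules live under a subkey per security level, e.g. ...\262144\Paths\{GUID}
    foreach ($level in $levelNames.Keys) {
        $pathRules = Join-Path $base "$level\Paths"
        if (Test-Path $pathRules) {
            Get-ChildItem -Path $pathRules | ForEach-Object {
                $rule = Get-ItemProperty -Path $_.PSPath
                "  [$($levelNames[$level])] path rule: $($rule.ItemData)"
            }
        }
    }
}

# Because SRP settings are replaced rather than merged, the output for a CRM
# user reflects only the GPO processed last: before the fix just the CRM rule,
# after the fix the CRM rule plus the Office rules.
Get-SaferPolicy -Hive 'HKLM'
Get-SaferPolicy -Hive 'HKCU'
```

If the user-level output shows a Disallowed default with a single Unrestricted rule for the CRM path, the Office Applications GPO was overwritten rather than combined, which is the symptom the question describes.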


QUESTION NO: 237
You are the network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Employees use client computers and also use Remote Desktop to connect to a terminal server named TK1. All users in TestKing have user accounts in an organizational unit (OU) named Company Users. All users receive applications that are assigned to their user accounts by Group Policy objects (GPOs) linked to the Company Users OU. The GPOs use security filtering to control which security groups receive which applications. Users report that when using TK1, their assigned applications are not available. You need to configure your network so that the applications are available to users when they connect to TK1. You need to ensure that users cannot run any application that is not currently assigned to them. What should you do?

A. Reconfigure the GPOs containing software installation packages so that the software installation packages are published to users.

B. Reconfigure the GPOs containing software installation packages so that assigned software installation packages are automatically installed at logon.

C. Install all required software on TK1. Use NTFS permissions to control which security groups can access which applications.

D. Link the GPOs containing software installation packages to the domain, not to an OU.

Answer: C

Explanation: An application assigned to a user is not installed for that user when the user connects to a terminal server through a Remote Desktop connection. The way to make the applications available on a terminal server is to install them on the server itself (in Terminal Services install mode, so that the setup is captured for every session). NTFS permissions on the application folders then ensure that only the appropriate security groups can run each application.

Incorrect Answers:
A: It makes no difference whether the applications are published or assigned; they are not available on a terminal server.
B: The software would be installed on the users' client computers, not on the terminal server.
D: The applications are assigned to users, not computers. The users already receive the GPOs, so linking them to the domain makes no difference.
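The following PowerShell script is an added example and not part of the original question set: it installs an application on TK1 in Terminal Services install mode and then replaces the NTFS ACL on the application folder so that only one security group can run it. The installer path D:\Install\CRM\setup.msi, the folder D:\Apps\CRM and the group TESTKING\CRM Users are assumptions.

```powershell
# Added example (not from the TestKing material): install an application on
# terminal server TK1 and restrict it to one security group with NTFS.
# Assumptions: installer at D:\Install\CRM\setup.msi, target folder
# D:\Apps\CRM, group TESTKING\CRM Users. Run as a local administrator on TK1.
$installer = 'D:\Install\CRM\setup.msi'
$appFolder = 'D:\Apps\CRM'
$appGroup  = 'TESTKING\CRM Users'

# 1. Install mode makes Terminal Services record the per-user registry and
#    INI changes made by setup so every Remote Desktop session receives them;
#    execute mode returns the server to normal operation.
change user /install
$msiArgs = '/i', "`"$installer`"", '/qn', "INSTALLDIR=`"$appFolder`""
$setup = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
change user /execute
if (0, 3010 -notcontains $setup.ExitCode) {   # 3010 = success, reboot required
    throw "setup.msi failed with exit code $($setup.ExitCode)"
}

# 2. Replace the inherited ACL: the Users group (which every Remote Desktop
#    user belongs to) loses access; Administrators, SYSTEM and the
#    application group keep it.
$acl = Get-Acl -Path $appFolder
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
$subtree = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $appGroup;                Rights = 'ReadAndExecute' }
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, $subtree, $noProp, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $appFolder -AclObject $acl

# 3. Verify the resulting ACL: only the three identities above should remain.
(Get-Acl -Path $appFolder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Applications that write to their own folder at run time need an additional Modify entry for the group on that subfolder only; granting it on the whole tree would let users replace the executable.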


QUESTION NO: 238 You are the network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. You are responsible for configuring Active Directory security for the domain. All groups for the domain are in an organizational unit (OU) named Groups. Resource groups will be used to provide permissions to users in accounts groups. The human resources department needs to be able to manage the membership of only the accounts groups. The server support department needs to be able to manage the membership of only the resource groups. The Domain Admins group needs to be able to manage all groups. You need to configure the OU structure to allow the appropriate permissions to be granted. You want to achieve this goal by using the minimum amount of administrative effort. What should you do? To answer, drag the appropriate OU or OUs to the correct location or locations in the work area.


Answer: *MISSING*


Explanation: We should create two top level OUs. This will enable us to delegate control to the necessary departments. Having the OUs at the same level means that each department won’t have control over the other OU. The human resources department needs to be able to manage the membership of only the accounts groups. An OU for the accounts groups will enable us to delegate the necessary permissions to the Human Resources department. The server support department needs to be able to manage the membership of only the resource groups. An OU for the resource groups will enable us to delegate the necessary permissions to the Server Support department.


The Domain Admins group needs to be able to manage all groups. The Domain Admins group already has permission to manage every group in the domain, so no further delegation is required for it.

QUESTION NO: 239
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The company's written domain administration policy requires that help desk employees must have the ability to reset passwords. The help desk employees must be able to reset passwords for all user accounts except for members of the Domain Admins global group and members of the Executives global group. The help desk employees must not have any other administrative rights in the domain. All members of the Domain Admins group are located in an organizational unit (OU) named AdminsOU. All members of the Executives group are located in an OU named ExecutiveOU. All other user accounts are located in an OU named EmployeesOU. The relevant portion of the OU design for the domain is shown in the exhibit. *MISSING* You need to configure the permissions for the help desk employees as defined by the written domain administration policy. What should you do?

A. Assign the Help Desk global group the right to reset passwords in the OU named EmployeesOU.

B. Assign the Help Desk global group the right to manage user accounts in the OU named AllUsersOU. Block the inheritance of permissions at the OU named AdminsOU and the OU named ExecutiveOU.

C. Assign the Help Desk global group the right to reset passwords in the OU named AllUsersOU.

D. Assign the Help Desk global group the right to manage user accounts at the domain level. Deny the help desk employees the right to reset passwords in the OU named AdminsOU and the OU named ExecutiveOU.

Answer: A

Explanation: Every user account whose password the Help Desk group must be able to reset is located in the EmployeesOU, so the Reset Password control access right is simply delegated on the EmployeesOU (the Delegation of Control Wizard's "Reset user passwords and force password change at next logon" task also grants Read and Write on pwdLastSet so that the help desk can force a change at next logon). Nothing is delegated on AdminsOU or ExecutiveOU, and no other right is granted.

Incorrect Answers:
B: The right to manage user accounts lets the Help Desk group do far more than reset passwords.


C: The AllUsersOU contains all user accounts, including those in AdminsOU and ExecutiveOU beneath it, so the Help Desk group could reset the passwords of domain administrators and executives.
D: The right to manage user accounts lets the Help Desk group do more than reset passwords, and the explicit Deny entries add administrative effort that the policy does not require.

QUESTION NO: 240
You are the network administrator for a company that has two locations, New York and Singapore. The company is installing an Active Directory forest that consists of a single domain. The company's departments are divided into two main divisions named Operations and Support. The local IT staff at each location are responsible for user support at their location, regardless of the user's division. The research and development (R&D) department has its own IT support staff. The R&D department maintains its own IT support staff regardless of location. You need to plan a top-level organizational unit (OU) structure that facilitates delegation of administrative control. Which top-level OU or OUs should you create? To answer, drag the appropriate top-level OU or OUs to the correct location or locations in the work area.


Answer: *MISSING*

Explanation: The local IT staff at each location are responsible for user support at their location, regardless of the user's division. An OU for each location enables the local IT staff to manage the resources in that location (except for R&D resources). The research and development (R&D) department has its own IT support staff regardless of location. An OU for R&D resources enables the R&D support staff to manage the R&D resources.

QUESTION NO: 241
You are the network administrator for TestKing. The network structure is shown in the exhibit. *MISSING*


The functional level of both forests is Windows Server 2003. All three domains are Active Directory domains. Domain3 contains a computer named Server1. A shared folder on Server1 is named Share1. Users in an organizational unit (OU) named Accounts in Domain2 need access to Share1. However, whenever the users in the Accounts OU attempt to connect to Share1, they receive an error message stating that access was denied. You need to ensure that users in the Accounts OU can connect to Share1. What should you do?

A. Create a universal distribution group in Domain2 that includes all users in the Accounts OU. Create a domain local security group in Domain3. Grant access to \\Server1\Share1 to the domain local security group. Make the universal distribution group a member of the domain local security group.

B. Create global security group in Domain2 that includes all users in the Accounts OU. Create a domain local security group in Domain3. Grant access to \\Server1\Share1 to the domain local security group. Make the global security group a member of the domain local security group.

C. Create a shared folder in the Accounts OU for \\Server1\Share1.

D. Create a one-way external trust relationship in which Domain2 trusts Domain3.


Answer: B

Explanation: There is already a forest trust between the two forests, so the users in the Accounts OU can be authenticated by Domain3; the "access denied" error is simply a permissions problem on Share1. The recommended way to assign permissions across domains is to create a domain local security group in the resource domain (Domain3), grant that group permissions on \\Server1\Share1, collect the users in a global security group in their own domain (Domain2), and then add the global group to the domain local group. A domain local group in a domain at the Windows Server 2003 functional level can contain global groups from any trusted domain.

Incorrect Answers:
A: Permissions cannot be assigned to a distribution group; a security group is required.
C: Publishing a shared folder object in the Accounts OU only advertises the share in Active Directory; it grants no permissions, and the share is in another domain.
D: A forest trust already exists between the two forests, so there is no need to create another trust relationship.

QUESTION NO: 242
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. All domain controllers run Windows Server 2003. All domain controllers are fully backed up every Friday evening at 5:00 P.M. The Directory Services object is configured to have the properties shown in the following table.

Directory Services object property    Setting
garbageCollPeriod                     15 hours
tombstoneLifetime                     5 days

On Monday morning, a network administrator deletes several domain user accounts. On Wednesday evening at 5:00 P.M., one of the domain controllers fails. You plan to restore the directory database on this domain controller from backup. You need to ensure that Active Directory is not corrupted by the restoration process. What should you do?

A. Increase the garbageCollPeriod setting by 5.

B. Decrease the garbageCollPeriod setting by 5.

C. Increase the tombstoneLifetime setting by 5.

D. Decrease the tombstoneLifetime setting by 5.

Answer: C
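Before the explanation, an added PowerShell check (not part of the original material) that a practitioner would run on a working testking.com domain controller before attempting the restore: it reads tombstoneLifetime and garbageCollPeriod from the Directory Service object and compares them with the age of the backup. The backup and failure timestamps are constructed to match the question (a Friday 5:00 P.M. backup and the following Wednesday 5:00 P.M. failure), and the 60-day and 12-hour defaults are the Windows Server 2003 values used when the attributes are not set.

```powershell
# Added example (not from the TestKing material): is the system state backup
# still young enough to be restored on a domain controller?
# Assumed timestamps matching the question: backup Friday 5:00 P.M.,
# failure the following Wednesday 5:00 P.M. Use -Apply to raise the lifetime.
param([switch]$Apply)

$backupTaken = Get-Date '2004-05-07 17:00'
$failedAt    = Get-Date '2004-05-12 17:00'

# Read the forest-wide values from the Directory Service object.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Both attributes are absent when the forest still uses the defaults
# (Windows Server 2003: 60 days tombstone lifetime, 12 hours garbage collection).
$tslDays = $dsObject.tombstoneLifetime.Value
if (-not $tslDays) { $tslDays = 60 }
$gcHours = $dsObject.garbageCollPeriod.Value
if (-not $gcHours) { $gcHours = 12 }

$ageDays = ($failedAt - $backupTaken).TotalDays
"tombstoneLifetime = $tslDays days, garbageCollPeriod = $gcHours hours"
"backup age        = $ageDays days"

if ($ageDays -ge [int]$tslDays) {
    # Tombstones for the Monday deletions are about to be garbage-collected:
    # restoring now would bring the deleted accounts back as lingering objects,
    # and Windows Server 2003 rejects a restore older than the tombstone lifetime.
    $newTsl = [int]$tslDays + 5
    "Backup is too old: raise tombstoneLifetime to $newTsl days before restoring."
    if ($Apply) {                      # requires Enterprise Admins credentials
        $dsObject.Put('tombstoneLifetime', $newTsl)
        $dsObject.SetInfo()
        "tombstoneLifetime set to $newTsl days; allow it to replicate before the restore."
    }
} else {
    "Backup is within its useful life; restore, then let replication apply the deletions."
}
```

With the question's values the script reports a 5-day-old backup against a 5-day tombstone lifetime and recommends raising the lifetime to 10 days, which is answer C; changing garbageCollPeriod would not alter that verdict.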


Explanation: The last backup was taken on Friday at 5:00 P.M. and the failure occurred on Wednesday at 5:00 P.M., so the backup is five days old, the same as the 5-day tombstoneLifetime. Windows Server 2003 rejects a system state restore from a backup that is older than the tombstone lifetime, and even if it did not, the tombstones for the accounts deleted on Monday would be garbage-collected soon after the restore, so the restored domain controller would reintroduce the deleted accounts as lingering objects. Increasing tombstoneLifetime to 10 days keeps the backup within its useful shelf life and keeps the tombstones alive long enough for the deletions to replicate to the restored domain controller. Use the Active Directory editing tool of your choice (Adsiedit.msc, Ldp.exe or an ADSI script) to set the tombstoneLifetime attribute of the Directory Service object (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=testking,DC=com) to a value longer than the age of the backup used for the restore. http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q216/9/93.ASP&NoWebContent=1

Incorrect Answers:
A, B: garbageCollPeriod only controls how often expired tombstones are physically removed; it does not extend their life or the usable age of the backup.
D: Decreasing tombstoneLifetime makes the backup unusable and causes the tombstones to expire sooner.

QUESTION NO: 243
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain contains three sites named MainOffice, EastCoast, and WestCoast. Each site contains four domain controllers and 100 client computers. One server in the EastCoast site is named TestKing1. All DNS servers contain Active Directory-integrated zones. Other administrators report that they cannot connect to TestKing1 when attempting to perform Active Directory administration. They report that they can perform these tasks locally at TestKing1. You verify that TestKing1 is operational and that file and print resources are accessible by using the host name. You need to ensure that administrators can perform Active Directory administration on TestKing1 without requiring physical access to the server. What should you do?

A. On TestKing1, force registration of DNS host (A) resource records.

B. On TestKing1, restart the Net Logon service.

C. Install DNS on TestKing1.

D. Configure TestKing1 as a local bridgehead server for the EastCoast site.

Answer: B

Explanation: TestKing1 is a domain controller; we know this because administrators are trying to perform Active Directory administration on it. File and print resources on TestKing1 are accessible by host name, so its host (A) record is present in DNS. What the administration tools depend on, however, are the SRV records that locate a domain controller (for example _ldap._tcp.EastCoast._sites.dc._msdcs.testking.com), and those are missing. The Net Logon service on a domain controller registers these records at startup and every 24 hours thereafter; restarting the Net Logon service (or running nltest /dsregdns) triggers the registration immediately. Afterwards, confirm that the records appear in the Active Directory-integrated zone and that the zone still accepts dynamic updates from the domain controller, otherwise the records will disappear again.

Incorrect Answers:


A: File and print resources on TestKing1 are accessible by host name, so the A records are already present in DNS; it is the SRV records that are missing.
C: It is not necessary to install DNS on TestKing1.
D: TestKing1 does not need to be a bridgehead server for administrators to be able to connect to it.

QUESTION NO: 244
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a single domain named testking.com. The network contains four Windows Server 2003 domain controllers. The DNS Server service is running on two Windows Server 2003 member servers in the domain. You decide to create a new child domain named dev.testking.com in the forest. You install Windows Server 2003 on a new server. You join the server to the testking.com domain. The first domain controller installed in the testking.com domain fails because of a hardware failure. You find out that it will take several days to repair the domain controller. You decide to continue creating the new child domain. You attempt to promote the member server to a domain controller in the dev.testking.com domain. The promotion of the domain controller fails. You receive the following message:

The operation failed because: Active Directory could not contact the domain naming master DC1.testking.com. "The specified server cannot perform the requested operation". The server has been disjoined from domain TestKing.

You need to resolve the error to create the new domain. What should you do?

A. Configure the DNS client settings on the new server to use the DNS server that is authoritative for the testking.com domain.

B. Configure the DNS server for the testking.com zone to have a zone named dev.testking.com. Configure the zone for dynamic updates.

C. Configure one of the other testking.com domain controllers to hold all of the operations master roles.

D. Configure one of the existing domain controllers as a global catalog server.


Answer: C

Explanation: The first domain controller installed in the forest holds, by default, the domain naming master operations master role, and the error message names that server, DC1.testking.com, as the domain naming master. Since DC1 has failed, the forest currently has no reachable domain naming master, and a domain naming master is required to add a domain to the forest. The role must therefore be moved to one of the other testking.com domain controllers (at least the domain naming master role, or, as the answer states, all of the operations master roles). Because DC1 is down, the role cannot be transferred; it has to be seized with ntdsutil, and a seized role must never be returned to the original holder: when DC1 is repaired it should be rebuilt rather than brought back online with its old database. If the forest is not yet at the Windows Server 2003 forest functional level, the new domain naming master must also be a global catalog server.

Incorrect Answers:
A: This is not a DNS problem; the error explicitly names the unreachable domain naming master.
B: This is not a DNS problem.
D: A domain naming master is required, not a global catalog server.

QUESTION NO: 245
You are a network administrator for TestKing. The company has offices in Paris and New York. The network consists of a single Active Directory domain named testking.com that contains six domain controllers, as shown in the exhibit. *MISSING* The Paris and New York offices are connected by an IP site link. The six domain controllers are configured as shown in the following table.

Server name   Function
TestKing1     File and print server
TestKing2     Application server
TestKing3     Routing and Remote Access server
TestKing4     Routing and Remote Access server
TestKing5     File and print server
TestKing6     Application server

You notice that at regular intervals the CPU utilization on some of the file and print servers increases to 100 percent for a period of time. During this time, the servers become unresponsive to user requests. You discover that this problem occurs during Active Directory replication. You need to ensure that the file and print servers remain responsive to user requests during Active Directory replication. What should you do?

A. Increase the replication interval of the site link connecting the two offices.


B. Decrease the replication interval of the site link connecting the two offices.

C. Configure TestKing1 and TestKing5 as preferred bridgehead servers.

D. Configure TestKing3 and TestKing4 as preferred bridgehead servers.

Answer: D

Explanation: The poor performance of the file and print servers coincides with Active Directory replication, and the replication across the site link is occurring between the file and print servers (TestKing1 and TestKing5) because they are the preferred bridgehead servers. Designating TestKing3 and TestKing4 (the Routing and Remote Access servers, one in each site) as preferred bridgehead servers instead moves the intersite replication load off the file and print servers.

Incorrect Answers:
A: The problem occurs during replication. Increasing the interval makes the problem less frequent but does not eliminate it.
B: The problem occurs during replication. Decreasing the interval makes the problem more frequent.
C: TestKing1 and TestKing5 are already the preferred bridgehead servers; that is the cause of the problem.

QUESTION NO: 246
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a single domain named testking.com. You have a user account named TestKing\admin that is a member of the Domain Admins global group. You need to create a new child domain named NA.testking.com in the forest. You install a stand-alone Windows Server 2003 computer named TK3. You use the Active Directory Installation Wizard to promote TK3 to a domain controller in the new domain. You choose to create a domain controller for a new child domain in an existing domain tree. You enter the user name and password for TestKing\admin. You choose testking.com as the parent domain, and you type NA as the name of the child domain. You receive the error message shown in the exhibit. *MISSING* You need to be able to create the new child domain. What should you do?

A. Enter the network credentials for a member of the local Administrative group.


B. Add TK3 to the testking.com domain and then run the Active Directory Installation Wizard.
C. Enter the network credentials for a member of the Enterprise Admins group for the testking.com forest.
D. Enter the network credentials for a member of the Schema Admins group for the testking.com forest.

Answer: C
Explanation: We don’t have the exhibit, but from the answers, we can guess that the problem is a permissions problem. To add a domain in a forest, you need to be a member of the Enterprise Admins group. Therefore, to add the domain, you need to enter the network credentials for a member of the Enterprise Admins group for the testking.com forest.
Incorrect Answers:
A: To add a domain in a forest, you need to be a member of the Enterprise Admins group. You do need administrative rights on the local computer, but that alone isn’t enough.
B: This is not necessary.
D: To add a domain in a forest, you need to be a member of the Enterprise Admins group, not the Schema Admins group.

QUESTION NO: 247
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All user accounts for the research and development department are located in an organizational unit (OU) named PBUsers. A Group Policy object (GPO) named UserRights is linked to the domain. The following user settings are enabled in the UserRights GPO:

Prohibit user configuration of offline files.
Remove Add or Remove Programs.
Remove Display in Control Panel.

You need to allow all users in the PBUsers OU to remove programs by using Add or Remove Programs in Control Panel. The other policy settings must continue to apply. What should you do?

A. Enable the Block Policy Inheritance setting on the PBUsers OU.
B. Create a new GPO that disables the Remove Add or Remove Programs setting. Link the GPO to the PBUsers OU.
C. Assign the user accounts in the PBUsers OU the Deny – Apply Group Policy permission for the UserRights GPO.
D. Assign the user accounts in the PBUsers OU the Deny – Write GPlink permission for the PBUsers OU.


Answer: B
Explanation: A GPO linked to an OU will override the settings from a GPO linked to the domain. Therefore, we can create a GPO that disables the Remove Add or Remove Programs setting and link it to the PBUsers OU.
Incorrect Answers:
A: The question states that the other settings from the domain GPO must apply. Therefore, we cannot block policy inheritance.
C: The question states that the other settings from the domain GPO must apply. Denying the users the Apply Group Policy permission will prevent the settings from the domain GPO from being applied.
D: This setting has no effect on the application of the GPOs.

QUESTION NO: 248
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All file servers have computer accounts in an organizational unit (OU) named CompanyServers. All users have user accounts in an OU named CompanyUsers. For all users and administrators, the My Documents folder is redirected to a shared folder on a file server named TestKing1. The company wants to limit the amount of disk space that can be used by each user. Each user must be allowed to use a maximum of 2 GB of storage on TestKing1. You need to limit disk space usage on TestKing1 to 2 GB per user. Administrators must not have these limits. What should you do?

A. Create a Group Policy object (GPO) linked to the CompanyUsers OU. In the GPO, enable disk quotas.
B. Create a Group Policy object (GPO) linked to the CompanyUsers OU. In the GPO, enable a size limit on user profiles.
C. Create a Group Policy object (GPO) linked to the CompanyServers OU. In the GPO, enable disk quotas.
D. Create a Group Policy object (GPO) linked to the CompanyServers OU. In the GPO, enable a default cache size for offline files.

Answer: B


QUESTION NO: 249
You are a network administrator for TestKing, which operates a call center. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers are members of the domain. Computers in the call center are configured by a Group Policy object (GPO) to have a common, restricted desktop. All computers in the call center have accounts in an organizational unit (OU) named Call Center Computers. Non-management users have user accounts in an OU named CallCenterStaff. Managers have user accounts in an OU named ManagementUsers. You link a GPO to the Call Center Computers OU. The current settings of the GPO are shown in the work area. Any user logging on to these computers receives the restricted desktop. Currently, a manager who logs on to a computer in the call center is presented with the restricted desktop. The restricted desktops prevent managers from performing management tasks. You need to ensure that any manager logging on to a computer in the call center receives a normal, unrestricted desktop. Which GPO setting should you change? To answer, select the appropriate setting in the work area.

Work Area:
Allow Cross-Forest User Policy and Roaming User Profiles: Disabled
Group Policy slow link detection: Enabled
Turn off Resultant Set of Policy logging: Disabled
Remove users' ability to invoke machine policy refresh: Enabled
Disallow Interactive Users from generating Resultant Set of Policy…: Enabled
Registry policy processing: Disabled
Internet Explorer Maintenance policy processing: Disabled
Software Installation policy processing: Disabled
Folder Redirection policy processing: Disabled
Scripts policy processing: Disabled
Security policy processing: Disabled
IP Security policy processing: Disabled
Wireless policy processing: Disabled


EFS recovery policy processing: Disabled
Disk Quota policy processing: Disabled
Always use local ADM files for Group Policy Object Editor: Enabled

Answer: Select “Registry policy processing”.

QUESTION NO: 250
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. One of the domain controllers is configured as an enterprise root certification authority (CA). All client computers run Windows XP Professional. TestKing uses IPSec to secure communications between computers in TestKing and computers at other companies. These IPSec connections require computer certificates. Your IPSec policies require every computer to be able to make an IPSec connection when connecting to other computers. You need to configure the network so that all computers can make IPSec connections. What should you do?

A. In the computer settings section of the Default Domain Policy Group Policy object (GPO), configure the domain members to always digitally encrypt or sign secure channel data.

B. Create a new automatic certificate request in the computer settings section of the Default Domain Policy Group Policy object (GPO).

C. Obtain a new computer certificate from a public CA. Import a copy of this certificate into the Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).

D. Issue a new computer certificate from your enterprise CA. Place a copy of this certificate on an internal Web page. Instruct users to install this certificate in their trusted certificate store the first time they need to make an IPSec connection.

Answer: D

QUESTION NO: 251
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003.


The company decides to make five Windows XP Professional computers available in a public area for use by visitors. These computers are to be used only for browsing public Web sites. A Web browser is the only application that will be run on these computers. You make these computers members of the Active Directory domain. You create a new organizational unit (OU) named Restricted Computers and place the five computer accounts in this OU. You configure these computers to automatically log on a user named Restricted User each time the computer is started. The Restricted User account does not have administrative rights on the computer or on the domain. You need to configure the five computers so that they can access public Web sites but cannot run other applications. The restrictions must not affect other users or computers on the network. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Create a Group Policy object (GPO) and link it to the domain. Configure the user settings in the GPO to allow only Internet Explorer to run. Configure the computer settings in the GPO to enable loopback mode.

B. Create a Group Policy object (GPO) and link it to the Restricted Computers OU. Configure the user settings in the GPO to allow only Internet Explorer to run. Configure the GPO to apply only to the Restricted User account.

C. Create a Group Policy object (GPO) and link it to the Restricted Computers OU. Configure the GPO to contain a Restricted Groups policy that places all users in the local Guests group of each of the five Windows XP Professional computers.

D. Create a Group Policy object (GPO) and link it to the domain. Configure the user settings in the GPO to allow only Internet Explorer to run. Configure the GPO to apply only to the Restricted User account.

E. Create a Group Policy object (GPO) and link it to the Restricted Computers OU. Configure the user settings in the GPO to allow only Internet Explorer to run. Configure the computer settings in the GPO to enable loopback mode.

Answer: D, E
Explanation: The computers are configured to automatically log on the Restricted User account each time the computers start. We can configure a GPO to allow only Internet Explorer to run. We can link the GPO to the domain and use security permissions to ensure that the policy applies only to the Restricted User account. This will ensure that the GPO only affects the restricted computers. The restricted computers are in the Restricted Computers OU. Therefore, another solution would be to link the GPO to the Restricted Computers OU, thus ensuring that no other computers are affected by the GPO. Although the Internet Explorer settings are in the user part of a GPO, and this solution applies the GPO to computers (not users), we can apply the user settings to the Restricted User account by using loopback mode.


For loopback processing, you can choose whether to replace or merge user-specific policy. The replace mode replaces all of a user’s normal policy settings with those defined in the user configuration of the GPOs that apply to the computer object (the loopback settings). Merge mode merges the user’s normal policy settings and the loopback settings. In the case where a policy item in the user’s normal policy conflicts with the loopback settings, the loopback settings are applied.

QUESTION NO: 252
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You are planning the implementation of new Group Policy objects (GPOs). The accounting department and the research department each has its own organizational unit (OU). The accounting department includes the accounts payable (AP) department and the accounts receivable (AR) department. The Accounting OU contains an AP OU and an AR OU. User accounts are in the Accounting, AP, AR, and Research OUs. The accounting department has an accounting application that must be installed on the computers that are used by users in the accounting department. You want to avoid installing the accounting application on the computers of any other users. You plan to create a GPO named Software to install the accounting application. The research department user accounts must have passwords that are at least eight characters in length and must be changed every 30 days. There are no specific password requirements for any other users in the testking.com domain. You plan to create a GPO named Password to configure the minimum password length and password age. You need to decide the correct locations for placing the Password GPO and the Software GPO, while minimizing the time it takes for any user to log on to the domain. Where should you link the Password GPO and the Software GPO?
To answer, drag the appropriate GPO or GPOs to the correct location or locations in the work area. If both policies need to be linked to the same location, use the source labelled Both GPOs.


Answer:


Explanation: The accounting department has an accounting application that must be installed on the computers that are used by users in the accounting department. You want to avoid installing the accounting application on the computers of any other users. You plan to create a GPO named Software to install the accounting application. The Software GPO can be applied to the Accounting OU. This GPO will also apply to the AP and AR OUs (which also contain accounting users).
The research department user accounts must have passwords that are at least eight characters in length and must be changed every 30 days. There are no specific password requirements for any other users in the testking.com domain. You plan to create a GPO named Password to configure the minimum password length and password age. Password policies for domain user accounts must be applied at the domain level. The policies will have no effect on domain user accounts if they are applied at any other level.


QUESTION NO: 253
You are the network administrator for TestKing. Your network consists of a single Active Directory domain named testking.com. Three security groups named Accounts, Processors, and Management are located in an organizational unit (OU) named Accounting. All of the user accounts that belong to these three groups are also in the Accounting OU. You create a Group Policy object (GPO) and link it to the Accounting OU. You configure the GPO to disable the display options under the User Configuration section of the GPO. You need to achieve the following goals:

You need to ensure that the GPO applies to all user accounts that are members of the Processors group.

You need to prevent the GPO from applying to any user account that is a member of the Accountants group.

You need to prevent the GPO from applying to any user account that is a member of the Management group, unless the user account is also a member of the Processors group.

What should you do?

A. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants and Management security groups the Deny – Read and the Deny – Apply Group Policy permissions. Modify the DACL of the GPO to assign the users who are in both the Accountants and Management security groups the Allow – Read and the Allow – Apply Group Policy permissions.

B. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants and Management security groups the Deny – Read and the Deny – Apply Group Policy permissions. Create a new security group named Mixed that contains all the user accounts from the Processors group and the specific user accounts from the Management group to which you want the GPO to apply. Modify the DACL of the GPO to assign the Mixed security group the Allow – Read and the Allow – Apply Group Policy permissions.

C. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants security group the Deny – Read and the Deny – Apply Group Policy permissions. Modify the DACL settings of the GPO to remove the Authenticated Users special group. Modify the DACL settings of the GPO to add the Processors group and assign the Allow – Read and the Allow – Apply Group Policy permissions.

D. Modify the discretionary access control list (DACL) settings of the GPO to assign the Accountants security group the Deny – Read and the Allow – Apply Group Policy permissions. Modify the DACL settings of the GPO to assign the Management security group the Deny – Read and the Deny – Apply Group Policy permissions.


Answer: C
Explanation: You need to prevent the GPO from applying to any user account that is a member of the Accountants group. We can achieve this by modifying the discretionary access control list (DACL) settings of the GPO to assign the Accountants security group the Deny – Read and the Deny – Apply Group Policy permissions. We need to remove the Authenticated Users group so that the policy doesn’t apply to anyone who isn’t a member of any of the three groups.
You need to ensure that the GPO applies to all user accounts that are members of the Processors group. We can achieve this by modifying the DACL settings of the GPO to add the Processors group and assign the Allow – Read and the Allow – Apply Group Policy permissions.
You need to prevent the GPO from applying to any user account that is a member of the Management group, unless the user account is also a member of the Processors group. The Management group isn’t listed in the DACL. Therefore, no user in the Management group will receive the GPO. Management users will only receive the GPO if they are also a member of the Processors group, because the Processors group has the Allow – Read and the Allow – Apply Group Policy permissions.

QUESTION NO: 254
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All servers that are not domain controllers are located in an organizational unit (OU) named Servers. All user accounts are located in an OU named Accounts. The health insurance department has servers that store the medical records of customers. These records servers contain information that must be closely monitored. A non-Microsoft auditing tool is installed on the records servers to monitor that information. Access to the auditing information is available only to a small number of local user accounts on each records server.
For legal reasons, the health insurance department needs to change its account lockout and password settings for the local user accounts on records servers. You need to ensure that the records servers adhere to the security requirements. You want to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Create a new domain under the testking.com domain. Make the records servers members of the new domain. Create a Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to the new domain.

B. Create a new domain under the testking.com domain. Make the health insurance user accounts members of the new domain. Create a Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to the new domain.

C. Create a new OU under the Servers OU. Make the records servers members of the new OU. Create a Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to the new OU.

D. Create a new OU under the Accounts OU. Make the health insurance user accounts members of the new OU. Create a Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to the new OU.

Answer: C
Explanation: We need to move the records servers to a new OU so that we can easily apply settings to them by using a GPO. Account lockout and password settings for domain user accounts must be applied at domain level. However, for this question, we need to configure the account lockout and password settings for the local user accounts. We can do this by linking a GPO to an OU containing the records servers.
Incorrect Answers:
A: It is not necessary to create a new domain because we need to configure settings for local user accounts, not domain user accounts.
B: It is not necessary to create a new domain because we need to configure settings for local user accounts, not domain user accounts.
D: We need to configure the account lockout and password settings for the local user accounts. The local user accounts are not objects in Active Directory and so cannot be moved to an OU.

QUESTION NO: 255
You are the network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The domain includes an OU named Accounting. The user accounts for all users in the accounting department are in the Accounting OU. You create a GPO and link it to Accounting. You configure the GPO to display the company logo as the desktop wallpaper for all client computers in the Accounting OU. The users in the accounting department report that they do not see the company logo as the desktop wallpaper. You suspect that a policy that has higher precedence is conflicting with the one you recently created.


You need to find out why the desktop wallpaper is not applying to the client computers. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Use Resultant Set of Policy (RSOP) in planning mode. Expand the Administrative Templates and view the state of the Active Desktop Wallpaper.

B. Use Resultant Set of Policy (RSOP) in logging mode. Expand the Administrative Templates and view the properties of the Active Desktop Wallpaper.

C. Run the gpupdate /Target:User command from your computer.
D. Run the gpresult /Z command on a computer in the accounting department.

Answer: B, D
Explanation: We need to view the effective group policy settings for the users or the computers that the users are using. We can use gpresult or RSoP. Gpresult displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer. RSoP overview: Resultant Set of Policy (RSoP) is an addition to Group Policy. RSoP provides details about all policy settings that are configured by an administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. RSoP consists of two modes: planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing policy settings for a computer and the user that is currently logged on.

QUESTION NO: 256
You are the network administrator for TestKing. The network consists of a single Active Directory domain. The domain includes a Windows Server 2003 computer that runs Terminal Services. The terminal server has a computer account in an organizational unit (OU) named Terminal Servers. A Group Policy object (GPO) named TS Settings is linked to the Terminal Servers OU. This GPO is configured with settings that must apply when users are logged on to the terminal server. The company


wants users to have their normal settings when connected to the terminal server, except settings that conflict with the settings in the TS Settings GPO. You discover that when users are logged on to the terminal server, they receive only the settings from the TS Settings GPO, without any of their own settings. You use the Group Policy Management Console (GPMC) to examine the configuration of the TS Settings GPO. The relevant portion of the configuration is shown in the exhibit. ****MISSING**** You need to ensure that policy settings apply properly to users logging on to the terminal server. What should you do?

A. Enable the Block Policy inheritance setting for the Terminal Servers OU.
B. Disable the No Override setting for the TS Settings GPO.
C. Modify the TS Settings GPO to use loopback processing in Merge mode.
D. Disable the Only allow local profiles setting in the TS Settings GPO.

Answer: C
Explanation: We can use loopback processing in Merge mode to ensure that user settings that don’t conflict with the TS Settings GPO will apply to the users. For loopback processing, you can choose whether to replace or merge user-specific policy. The replace mode replaces all of a user’s normal policy settings with those defined in the user configuration of the GPOs that apply to the computer object (the loopback settings). Merge mode merges the user’s normal policy settings and the loopback settings. In the case where a policy item in the user’s normal policy conflicts with the loopback settings, the loopback settings are applied.

QUESTION NO: 257
You are the network administrator for TestKing. The network consists of a single Active Directory domain. All servers run Windows Server 2003. One of the domain controllers is configured as a subordinate enterprise certification authority (CA). TestKing also has an offline root CA. All client computers run Windows XP Professional. TestKing does business with a distributor named Coho Vineyard. Users at TestKing frequently access secured Web sites at Coho Vineyard. These sites are secured by using certificates issued by an enterprise CA at Coho Vineyard.


Users at TestKing report that they receive security alerts from the Web browser whenever they try to access secured Web sites at Coho Vineyard. Users can access the sites after they acknowledge the warnings, but many choose to cancel the operation in order to be sure that the network is secure. You need to configure the TestKing network to prevent these security alerts from appearing when accessing the secured Web sites at Coho Vineyard. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Obtain a copy of the Coho Vineyard root certificate from Coho Vineyard.
B. Issue a certificate to the Coho Vineyard Web server from the TestKing enterprise CA.
C. Import the certificate into the Trusted Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Place the Coho Vineyard secured Web sites in the list of trusted sites in the Internet Explorer Maintenance section of the Default Domain Policy Group Policy object (GPO).

Answer: A, C
Explanation: When a user tries to access a secure website, the web browser looks in its trusted root certificate store for a copy of the issuing CA’s root certificate. The problem here is that the users’ computers don’t trust the Coho Vineyard certificate because the trusted root certificate store doesn’t contain a copy of the Coho Vineyard root certificate. To fix this we first need to obtain a copy of the Coho Vineyard root certificate from Coho Vineyard. Then we can use the Default Domain Policy Group Policy object (GPO) to distribute the certificate to the trusted root stores on the users’ computers.
Incorrect Answers:
B: TestKing needs to trust the Coho Vineyard CA, not the other way round.
D: The “trust” in the list of trusted sites in Internet Explorer doesn’t apply to the site’s certificate (or the CA’s certificate). It applies to the code (and applications etc.) within the website.

QUESTION NO: 258
You are a network administrator for TestKing. The network consists of a single Active Directory domain. All servers run Windows Server 2003. You configure a certification authority (CA) to issue smart card authentication certificates. Users who have administrative responsibilities are required to have two accounts. One account is for general computer use. The other account is an administrative account that has administrative privileges and is used only when performing administrative tasks.


You decide to deploy smart cards to all users in your company. You issue one smart card to each user for general computer use. You enroll each user for a smart card authentication certificate. You need to plan smart card access for users who have administrative responsibilities. What should you do?

A. Issue an additional smart card to users who have administrative responsibilities. Enroll each user’s administrative account for a smart card authentication certificate. Instruct users to use this card when logging on to perform administrative tasks.

B. Enroll each user’s administrative account for a smart card authentication certificate. When prompted, store the certificate on the existing smart card. Instruct users to use this card when logging on to perform all tasks.

C. Configure Group Policy to autoenroll administrative users for certificates. Instruct these users to log on by using their nonadministrative accounts.

D. Issue a master card to users who have administrative responsibilities. Instruct users to use this card when logging on to perform administrative tasks.

Answer: B
Explanation: It is possible to store multiple certificates on a smart card. The user can select an account when he/she logs on.
Incorrect Answers:
A: It is not necessary to issue additional smart cards. A single smart card can store multiple certificates.
C: This answer won’t work. The users need to log on using their administrative accounts to do administrative work. A certificate needs to be created for the administrative account and stored on a smart card.
D: It is not necessary to issue additional smart cards. A single smart card can store multiple certificates. Furthermore, this answer seems to suggest having multiple smart cards with a single “master” certificate mapped to a single “master” administrative account.

QUESTION NO: 259
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains a single domain named testking.com. Organizational units (OUs) in the domain are configured as shown in the Domain Structure exhibit. The exhibit shows the following OU structure:

IT Users OU
  - Service Desk Staff OU
  - Domain Admins OU


All client computers run Windows XP Professional. All client computer accounts are located in the TestKing Computers OU. Your user account is a member of the Domain Admins security group. All user accounts that are members of the Domain Admins security group are located in the Domain Admins OU. All service desk users have user accounts that are members of the SrvDeskGrp security group. All accounts that are members of this group are located in the Service Desk Staff OU. You use the Group Policy Management Console (GPMC) to create a Group Policy object (GPO) named Install Admin Tools. You configure the GPO as follows:

• In the GPO, create a software installation package that assigns the Windows Server 2003 Administration Tools Pack (adminpak.msi) to users.
• Link the GPO to the IT Users OU.
• Remove the Authenticated Users built-in group from the list of users and groups that were delegated permissions for the GPO.
• Assign the SrvDeskGrp security group the Allow – Read permission for the GPO.

Service desk users report that the administrative tools needed for their job are not installed. You use the GPMC to examine the history of Group Policy application for one of the affected users. The relevant results are shown in the GPMC exhibit. **MISSING** You also discover that when you log on to a computer normally used by a service desk user, the administrative tools are automatically available for you. You need to ensure that administrative tools can also be installed by Group Policy for all users with accounts in the IT Users OU, without increasing the administrative privileges of any users. What should you do?

A. Link the Install Admin Tools GPO to the Service Desk Staff OU. Move the computer accounts for computers used by service desk users to the Service Desk Staff OU.

B. Change the security filtering on the Install Admin Tools GPO to grant the SrvDeskGrp security group the ability to apply the GPO.

C. Move the SrvDeskGrp security group to the Domain Admins OU.
D. Modify the GPO to assign the Administration Tools Pack to computers instead of to users.

Answer: B
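The security-filtering check and repair that answer B calls for, written out as an added PowerShell example (this is not code from the TestKing document). It assumes the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later (or RSAT) and a domain admin session; the GPO name and group name are taken from the question. The point it makes is the least-privilege one: the service desk users need Apply Group Policy on this one GPO, not membership in any privileged group.

```powershell
# Added example, not part of the TestKing document: inspect and repair the
# security filtering on the "Install Admin Tools" GPO so that members of
# SrvDeskGrp receive it. Assumes the GroupPolicy PowerShell module (GPMC on
# Windows Server 2008 R2 and later / RSAT) and a domain admin session; the
# GPO and group names come from the question.
Import-Module GroupPolicy

$GpoName = 'Install Admin Tools'
$Group   = 'SrvDeskGrp'

# 1. List every trustee on the GPO. A user or group only receives the settings
#    when it holds Allow - Read AND Allow - Apply Group Policy (GpoApply here).
Write-Host "Current security filtering on '$GpoName':"
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize

# 2. Check what SrvDeskGrp holds. Get-GPPermission writes an error when the
#    trustee has no entry at all, so treat "no result" the same as read-only.
$perm = Get-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
            -ErrorAction SilentlyContinue

if ($perm -and $perm.Permission -eq 'GpoApply') {
    Write-Host "$Group already has Apply Group Policy; nothing to change."
} else {
    Write-Host "$Group currently has '$($perm.Permission)'; granting GpoApply (answer B)."
    # GpoApply includes Read. This changes only whom the GPO applies to; it does
    # not add the service desk users to any privileged group.
    Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# 3. Verify the result and make sure no unexpected principal can apply the GPO
#    (Authenticated Users was deliberately removed in the question).
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { Write-Host "Apply Group Policy granted to: $($_.Trustee.Name)" }

# 4. On a service desk user's workstation, refresh policy and confirm the
#    software installation package is applied (user-assigned packages install
#    at the next logon):  gpupdate /force   then   gpresult /r
```

Step 3 is the check worth keeping as a habit: after editing filtering, list everyone who holds Apply Group Policy so a GPO that installs administrative tooling cannot quietly reach a broader audience than intended.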

Explanation: To apply a group policy to a user or group, the user or group needs the Allow – Read and the Allow – Apply Group Policy permissions. In this question, the SrvDeskGrp security group that contains the service desk staff user accounts doesn’t have the Allow – Apply Group Policy permission for the GPO. Therefore, to enable the service desk users to receive the settings from the GPO, we need to modify the permissions to give the SrvDeskGrp the Allow – Apply Group Policy permission for the GPO.

Incorrect Answers:
A: The GPO is linked to the IT Users OU. The Service Desk Staff OU is a sub-OU of the IT Users OU. Therefore, the Service Desk Staff OU will receive the GPO. Furthermore, the question states that when you log on to a computer normally used by a service desk user, the administrative tools are automatically available for you. This means that the GPO is being applied to the Service Desk Staff OU. The reason the application installs for you and not the Service Desk users is that you are a member of the Domain Admins group and therefore, you have the necessary permissions on the GPO.
C: This will have no effect on applying the GPO. The GPO is not applying to the SrvDeskGrp group because the group doesn’t have the Allow – Apply Group Policy permission for the GPO.
D: All client computer accounts are located in the TestKing Computers OU. Therefore, assigning the Administration Tools Pack to computers instead of to users and linking the GPO to the IT Users OU will have no effect.

QUESTION NO: 260
You are the network administrator for TestKing. You are implementing a new Windows Server 2003 network environment. You install one Active Directory forest root domain named cpandl.com. You install the first domain controller named DC1. You configure DC1 as a DHCP server and as an Active Directory-integrated DNS server with dynamic updates enabled. Later you install an additional domain controller named DC2.
You cannot raise the functional level of the domain to Windows Server 2003. You discover that the service locator (SRV) resource records of DC1 are not created in the cpandl.com zone on the DNS server. You run the Dcdiag tool on DC1 and receive the output shown in the exhibit.

You need to make it possible to raise the functional level of the domain to Windows Server 2003. What should you do?

A. Upgrade DC2 to a global catalog server.
B. Use the DHCP server locator utility to find out which DHCP servers are available in the cpandl.com zone.
C. Start the Net Logon service on DC1.
D. Restart the DNS Server service on DC1 to enable DNS clients to resolve host names by answering queries and update requests.

Answer: C

Explanation: The attempt to raise the functional level failed because the domain controller could not be located on the network. The question states that the service locator (SRV) resource records of DC1 are not created in the cpandl.com zone on the DNS server. The Net Logon service on a domain controller registers the DNS SRV records required for the domain controller’s services to be located on the network every 24 hours.
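The diagnosis described above (Net Logon state, then the SRV records it should have registered) and the repair from answer C, as an added PowerShell example that is not part of the TestKing document. It assumes a Windows PowerShell 5.1 session on DC1 with the DnsClient and ActiveDirectory modules (Windows Server 2012 and later / RSAT); the names DC1 and cpandl.com come from the question, and nltest and dcdiag are the standard Windows tools. It goes slightly beyond the question by checking the PDC and Kerberos locator records as well as the generic DC record.

```powershell
# Added example, not part of the TestKing document: diagnose the missing SRV
# records from question 260 and re-register them through Net Logon. Assumes a
# Windows PowerShell 5.1 session on DC1 with the DnsClient and ActiveDirectory
# modules (Windows Server 2012 and later / RSAT); the names DC1 and cpandl.com
# come from the question.
$Domain = 'cpandl.com'
$Dc     = 'DC1'

# 1. Net Logon is the service that writes a DC's locator records into DNS, so
#    its state is the first thing to check when SRV records are absent.
$svc = Get-Service -Name Netlogon -ComputerName $Dc
Write-Host "Netlogon on ${Dc}: $($svc.Status), start type $($svc.StartType)"

# 2. Query the locator records that clients and other DCs rely on. If these are
#    missing, nothing can find the DC, and operations that must reach specific
#    DCs (such as raising the domain functional level) fail.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # any DC in the domain
    "_ldap._tcp.pdc._msdcs.$Domain",     # the PDC emulator
    "_kerberos._tcp.dc._msdcs.$Domain"   # KDC on a DC
)
function Test-SrvRecords {
    foreach ($name in $srvNames) {
        $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' }
        if ($rr) { Write-Host "$name -> $($rr.NameTarget -join ', ')" }
        else     { Write-Host "$name -> NOT FOUND" }
    }
}
Test-SrvRecords

# 3. The fix from answer C: start Net Logon (and keep it starting automatically),
#    then force registration now instead of waiting for the periodic 24-hour
#    re-registration. "nltest /dsregdns" asks Net Logon to re-register all of
#    the DC's records immediately.
if ($svc.Status -ne 'Running') {
    Set-Service -Name Netlogon -ComputerName $Dc -StartupType Automatic -Status Running
}
nltest /dsregdns /server:$Dc

# 4. Re-check DNS, confirm that the DC locator can now find the domain, and
#    have dcdiag validate record registration before retrying the raise.
Test-SrvRecords
nltest /dsgetdc:$Domain /force
dcdiag /test:DNS /DnsRecordRegistration /s:$Dc
Get-ADDomain -Identity $Domain | Select-Object DNSRoot, DomainMode, PDCEmulator
```

A stopped Net Logon service on a domain controller is worth alerting on in its own right: besides breaking SRV registration, it removes the DC from the logon path, so a monitoring check on the service state catches this class of problem well before a failed functional-level raise does.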

The exhibit shows that the Net Logon service isn’t running on DC1. Therefore, to initiate the SRV record registration performed by the Net Logon service manually, we can restart the Net Logon service.

Incorrect Answers:
A: DC2 does not need to be a global catalog server in order to raise the functional level of the domain. The domain controller that holds the FSMO roles (DC1) could not be located because the SRV records are not in the DNS zone.
B: This problem has nothing to do with DHCP.
D: The problem isn’t the DNS server. The problem is a lack of SRV records in the DNS zone on the DNS server. Restarting the DNS server won’t fix this.

QUESTION NO: 261
You are the network administrator for TestKing. The network consists of a single Active Directory domain. The network contains three Windows Server 2003 domain controllers named ServerTK1, ServerTK2 and ServerTK3. ServerTK1 holds the schema master role and the domain naming master role. ServerTK2 holds the relative ID (RID) master role. ServerTK3 holds the PDC emulator master role and the infrastructure master role. ServerTK2 fails and cannot be restarted. You log on to ServerTK3 as the administrator and seize the RID master role. Later, ServerTK2 is repaired and can be brought back online. You want ServerTK2 to hold the RID master role again. What should you do?

A. Restart ServerTK2 while it is connected to the network. Use the Ntdsutil utility and seize the RID master role. Reconnect ServerTK2 to the network.

B. Restart ServerTK2 while it is disconnected from the network. Use the Ntdsutil and seize the RID master role. Reconnect ServerTK2 to the network.

C. Reinstall Windows Server 2003 on ServerTK2. Restore the system state from the most recent backup to ServerTK2. Reconnect ServerTK2 to the network.

D. Reinstall Windows Server 2003 on ServerTK2. Promote ServerTK2 to become a domain controller. Transfer the RID master role to ServerTK2.

Answer: D

Explanation: A domain controller whose RID master role has been seized must never be brought back online. You cannot have two RID masters running in one domain. In this scenario, the RID master role has been seized by ServerTK3. To bring ServerTK2 back online, we must bring it back online as a domain controller with no FSMO roles. The only way to do this is to reinstall the operating system and promote the server to a domain controller in the domain. When the domain controller (with no FSMO roles) is back online, we can transfer FSMO roles to it.

Incorrect Answers:
A: You cannot have two RID masters running in one domain. Restarting ServerTK2 while it is connected to the network will result in two RID masters running in one domain. Seizing the RID master role on a machine that is already running the RID master role won’t work.
B: Seizing the RID master role on a machine that is already running the RID master role won’t work. When ServerTK2 is reconnected to the network, you’ll have two RID masters running in one domain.
C: Restoring the system state from the most recent backup to ServerTK2 will restore the RID master role to ServerTK2.

Reference: http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/enterprise/proddocs/en-us/sag_ADrespondFSMOfailures.asp

QUESTION NO: 262
You are a network administrator for TestKing. The network consists of two Active Directory domains. All servers run Windows Server 2003. TestKing has offices in New York and Rome. The two offices are connected by a 128-Kbps WAN connection. Each office is configured as a single domain. Each office is also configured as an Active Directory site. TestKing stores printer location information in Active Directory. Users frequently perform searches of Active Directory to find information on printers by selecting the Entire Directory option.
Users in the New York Office report that response time is unacceptably slow when searching for printers. You need to improve the response time for users in the New York office. What should you do?

A. Place a domain controller for the Rome domain in the New York office.
B. Place a domain controller for the New York domain in the Rome office.
C. Enable universal group membership caching in the New York office.
D. Configure a global catalog server in the New York office.

Answer: D

Explanation: Users in the New York Office report that response time is unacceptably slow when searching for printers. The reason for the slow response time is that the Active Directory at the Rome site is being searched (over a slow WAN link). The global catalog contains a subset of attributes of the Active Directory objects throughout the forest. If we configure a global catalog server in the New York office, we’ll have a local list containing a subset of details of the printers (and other objects) from the Rome office.

Incorrect Answers:
A: This would work but it is unnecessary. Replicating the entire Active Directory from the Rome office to the New York office over the slow WAN link is a waste of resources. A global catalog server in the New York office would suffice.
B: This won’t solve the problem at all.
C: Universal Group caching (as its name implies) caches information about universal groups. This scenario involves searching for printers, which has nothing to do with universal groups.

QUESTION NO: 263
You are the network administrator for TestKing. The network consists of a single Active Directory forest that contains multiple domains. The functional level of the forest is Windows Server 2003. The forest contains several Active Directory sites that represent branch offices and a site named MainOffice that represents the central data center. A site named Branch1 contains one domain controller named Server1 that is not a global catalog server. The MainOffice site contains one domain controller named Server2 that is a global catalog server. You need to use universal group membership caching in the Branch1 site. Which component or components should you configure? To answer, select the appropriate component or components in the work area.

Answer: Select the “NTDS Site Settings” for the Branch1 office in the right hand pane.

QUESTION NO: 264 You are a network administrator for TestKing, which has five regional offices and 3,000 branch offices. Each branch office contains 10 users. Branch offices are connected to the nearest regional office by a 56-Kbps WAN connection. The network consists of a single Active Directory forest that contains one domain for each regional office. All servers run Windows Server 2003. Each branch office contains one domain controller that is configured as an additional domain controller in the regional domain for the branch office. The site link between each branch office and the corresponding regional domain is configured to replicate every 30 minutes.

Users in the branch office report that applications respond slowly when they access resources in the corresponding regional office. You monitor the WAN connection that connects several of the branch offices and discover that utilization increases from 30 percent to more than 90 percent on a regular basis. You need to improve the response time of applications when they access resources in the regional office. You need to ensure that users can log on without using cached credentials if the WAN connection fails. What should you do?

A. Remove Active Directory from the file and print server in each branch office. On the site link between each branch office and the corresponding regional office, increase the replication interval.

B. Enable universal group membership caching in each branch office. Configure the site link between each branch office and the corresponding regional office to be available only during off-peak hours.

C. Configure the domain controller in each branch office as a global catalog server.
D. On the site link between each branch office and the corresponding regional office, decrease the replication interval.

Answer: B

Explanation: Users in the branch office report that applications respond slowly when they access resources in the corresponding regional office. The reason for the slow response time is that the low bandwidth WAN link is heavily utilized due to replication traffic. We can solve this by configuring the site link between each branch office and the corresponding regional office to be available only during off-peak hours. This will prevent any replication occurring during business hours. To ensure that users can log on without using cached credentials if the WAN connection fails, we need to either enable universal group membership caching in each branch office or configure the domain controller in each branch office as a global catalog server. Configuring the domain controller in each branch office as a global catalog server alone will not solve the replication (lack of bandwidth) problem. Therefore, the correct answer is B.

Note: “Cached credentials” is where a user’s profile and other settings are cached on a client computer. If the client computer is unable to authenticate the user with a domain controller, the client will allow the user to log on with cached credentials (assuming the user has logged on recently and the computer has cached the credentials). Cached credentials and Universal Group Caching are two separate things.

Incorrect Answers:
A: We must have a domain controller at each branch office so that users can log on to the domain in the event of a WAN connection failure.
C: Configuring the domain controller in each branch office as a global catalog server alone will not solve the replication (lack of bandwidth) problem. Our solution must involve reducing the low bandwidth WAN connection utilization.

D: Decreasing the replication interval on the site links will increase the frequency of the replication, thus making the problem worse.

QUESTION NO: 265
You are a network administrator for TestKing. The network consists of a single Active Directory domain. All servers run Windows Server 2003. TestKing’s written security policy requires that all administrative passwords be changed every 30 days. You configure the domain security policy to enforce the written security policy. A security audit reveals that the password used to log on to domain controllers in Directory Services Restore mode is 10 months old. You need to ensure that all passwords are changed in accordance with the written security policy. You must accomplish this task without causing disruption to user access. What should you do?

A. Restart each domain controller in Directory Services Restore Mode. Use Computer Management to reset the password for the Administrator account.

B. Use the Ntdsutil utility to reset the password on each domain controller for Directory Services Restore Mode.

C. Configure the Domain Controller Security Policy to enforce the written security policy.
D. Reset the Administrator password by using Active Directory Users and Computers.

Answer: B

In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps:

1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).

2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt:

   ntdsutil: set dsrm password

3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server thanos, enter the following argument at the Reset DSRM Administrator Password prompt:

   Reset DSRM Administrator Password: reset password on server thanos

   To reset the password on the local machine, specify null as the server name:

   Reset DSRM Administrator Password: reset password on server null

4. You'll be prompted twice to enter the new password. You'll see the following messages:

   Please type password for DS Restore Mode Administrator Account:
   Please confirm new password:
   Password has been set successfully.

5. Exit the password-reset utility by typing "quit" at the following prompts:

   Reset DSRM Administrator Password: quit
   ntdsutil: quit

QUESTION NO: 266
Network Diagram

You notice that after the forest trust relationship is deleted, the membership lists for some of the domain local groups are no longer accurate. When you view a membership list, it contains entries without user-friendly names. A sample is shown in the Membership List exhibit. **MISSING**

You need to delete all the unknown groups from the membership list for the domain local groups. You want to achieve this goal by using the minimum amount of administrative effort, and without modifying the access to resources for users in the testking.com forest. What should you do?

A. Create new domain local groups. Add the required global groups from the testking.com forest to the domain local groups. Grant appropriate permissions to the domain local groups. Delete the original domain local groups.

B. Re-create the trust relationship between testking.com forest and the fabrikam.com forest. Delete all fabrikam.com global accounts from the domain local group membership lists. Delete the trust relationship between the two forests.

C. Verify all remaining trust relationships. Then delete the unknown accounts from the domain local groups.

D. Delete all the affected domain local groups. Re-create the groups. Add the appropriate global groups from the testking.com forest to the groups. Grant appropriate permissions to the domain local groups.

Answer: C

Explanation: The first thing we need to do is to verify all remaining trust relationships. The reason for this is that if a trust (that should be working) isn’t working, then the accounts will appear as unknown accounts. This could cause us to delete accounts that should be there, which would affect access to resources. If all existing trusts are working, then all the accounts that should be there will be represented by user-friendly names. Now we can delete all the accounts that don’t have user-friendly names from the domain local groups.

Incorrect Answers:
A: Recreating the groups would require an excessive amount of administrative effort.
B: This would work but it isn’t a recommended way of doing it. As soon as you recreate the trust relationship between the testking.com forest and the fabrikam.com forest, users in the fabrikam.com forest will be able to access the resources in the testking.com forest until you delete the accounts from the domain local groups.
D: Recreating the groups would require an excessive amount of administrative effort.

QUESTION NO: 267
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one forest root domain named testking.com and two child domains named europe.testking.com and usa.testking.com. The functional level of the forest is Windows 2000 native.

The testking.com domain contains a Windows 2000 Server domain controller named TestKing3 that is running Service Pack 4 or later. You take TestKing3 offline. You also remove all references to TestKing3 from the Configuration container in Active Directory. Five days later, you upgrade all remaining domain controllers to Windows Server 2003. You then raise the functional level of the forest to Windows Server 2003. You need to integrate TestKing3 into the new Active Directory infrastructure. You want TestKing3 to be an additional domain controller of the europe.testking.com domain. What should you do?

A. Upgrade TestKing3 to Windows Server 2003. Add the computer account for TestKing3 into the Computers container of the europe.testking.com domain.

B. Demote TestKing3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Upgrade TestKing3 to a Windows Server 2003 member server. Run the dcpromo command to promote TestKing3 to be an additional domain controller of the europe.testking.com domain.

C. Demote TestKing3 to a Windows 2000 member server by running the dcpromo /forceremoval command. Add the computer account for TestKing3 into the Domain Controllers organizational unit (OU) of the europe.testking.com domain.

D. Upgrade TestKing3 to Windows Server 2003. Add the computer account for TestKing3 into the Domain Controllers organizational unit (OU) of the europe.testking.com domain.

Answer: B

QUESTION NO: 268
You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains 30 domains. TestKing has 400 offices. The network contains 150,000 user objects. All servers run Windows Server 2003. You are responsible for administering the marketing department, which has offices in North America and Europe, as shown in the work area. Offices in Toronto, Chicago, and New York are part of the america.testking.com domain. Offices in Paris, Bonn, and Rome are part of the europe.testking.com domain. The number of users in each office is shown in the following table.

Office      Number of users
Toronto     750
Chicago     20
New York    650
Paris       650
Bonn        10
Rome        15

Users in the Bonn, New York, and Toronto offices require access to a directory-enabled application that stores configuration information in the global catalog. You need to plan the placement of domain controllers for the network. You need to ensure that each user can log on without using cached credentials and that users have access to the application if a WAN connection fails. You need to achieve this goal while minimizing the increase in WAN traffic. What should you do? To answer, drag the appropriate domain controller configuration or configurations to the correct location or locations in the work area.

Answer:

QUESTION NO: 269 You are a network administrator for TestKing.com. The network consists of two Active Directory domains with three sites. All servers run Windows Server 2003. TestKing has offices in three cities and each office is configured as a separate site. The network configuration is shown in the exhibit.

The company has 1,750 users in the Paris office, 1,750 users in the Rome office, and 25 users in the Bonn office. Global catalog servers are configured in each site. Automatic site link bridging is disabled. A written company policy requires that no WAN connection exceed 70 percent peak utilization. You examine the WAN connection between the Rome and Paris offices and discover that the utilization reaches 95 percent during Active Directory replication. You need to reduce the WAN traffic associated with the Active Directory replication on the connection between the Rome and Paris offices. You need to ensure that users in the Rome office can log on to the domain if a WAN connection fails. What should you do?

A. Decrease the replication interval on the site link connecting the Paris and Rome sites.
B. Remove the global catalog server from the Rome office and enable universal group membership caching in the Rome site.
C. Enable slow link detection in the Default Domain Policy Group Policy object (GPO) in the rome.testking.com domain.
D. Configure a site link bridge between the site link that connects the Rome and Paris sites and the site link that connects the Paris and Bonn sites.

Answer: B

QUESTION NO: 270
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All production servers are located in an organizational unit (OU) named Servers. You maintain a lab that contains test servers. All test servers are located in an OU named Test Servers. You are planning to deploy critical Windows updates to all servers in the Servers OU by using Software Update Services (SUS), which is hosted on two dedicated SUS servers named Testking1 and Testking2. Testking1 and Testking2 are located in an OU named SUS servers. You synchronize Testking1 to download from the Microsoft Windows Update servers. You approve the relevant updates for your servers on Testking1. You need to minimize the impact of applying the critical updates to the production servers. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Create a Group Policy Object (GPO) to configure computers to download and install critical updates from Testking1, and link it to the Test Servers OU. Create a second GPO to configure computers to download and install critical updates from Testking2, and link it to the Servers OU.

B. Configure Testking2 to automatically download approved and tested updates from Testking1.
C. Configure Testking2 to manually download approved and tested updates from Testking1.
D. Create a Group Policy Object (GPO) to configure computers to download and install critical updates from Testking1, and link it to the Servers OU. Create a second GPO to configure computers to download and install critical updates from Testking2, and link it to the Test Servers OU.

Answer: A, C

QUESTION NO: 271
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. TestKing has an internal network and a perimeter network. The internal network is protected by a firewall. Application servers on the perimeter network are accessible from the Internet.

You are deploying 10 Windows Server 2003 computers in application server roles. The servers will be located in the perimeter network and will not be members of the domain. The servers will host only publicly available Web pages. The network design requires that custom security settings must be applied to the application servers. These custom security settings must be automatically refreshed every day to ensure compliance with the design. You create a custom security template named Baseline1.inf for the application servers. You need to comply with the design requirements. What should you do?

A. Import Baseline1.inf into the Default Domain Policy Group Policy object (GPO).
B. Create a task on each application server that runs Security and Configuration Analysis with Baseline1.inf every day.
C. Create a task on each application server that runs the secedit command with Baseline1.inf every day.
D. Create a startup script in the Default Domain Policy Group Policy object (GPO) that runs the secedit command with Baseline1.inf.

Answer: C

QUESTION NO: 272
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional. TestKing has legacy applications that run on UNIX servers. The legacy applications use the LDAP protocol to query Active Directory for employee information. The domain controllers are currently configured with the default security settings. You need to configure enhanced security for the domain controllers. In particular, you want to configure stronger password settings, audit settings, and lockout settings. You want to minimize interference with the proper functioning of the legacy applications. You decide to use the predefined security templates. You need to choose the appropriate predefined security template to apply to the domain controllers.

What should you do?

A. Apply the Setup security.inf template to the domain controllers.
B. Apply the DC security.inf template to the domain controllers.
C. Apply the Securedc.inf template to the domain controllers.
D. Apply the Rootsec.inf template to the domain controllers.

Answer: C

QUESTION NO: 273
You are the network administrator for TestKing. All Web servers on the network run Windows Server 2003. The network also contains a Windows Server 2003 computer named Testking1. Software Update Services (SUS) is installed on Testking1. You are testing the security configuration of a Web server named Testking2. Testking2 is used on TestKing’s intranet. TestKing’s written security policy prohibits the intranet servers from communicating with Internet resources. You run the Microsoft Baseline Security Analyzer (MBSA) on Testking2 and receive the results shown in the exhibit.

You need to run MBSA successfully. What should you do?

A. Temporarily enable Testking2 to access the Internet, and run MBSA again.

B. Run the mbsacli.exe command, and run MBSA again.
C. Run MBSA again. Configure MBSA to use the SUS server.
D. Ensure that Windows Update is correctly configured on Testking2, and run MBSA again.

Answer: A

QUESTION NO: 274
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows 2003. You support 100 mobile users who have portable computers that run Windows NT Workstation 4.0, Windows 98, Windows 2000 Professional, Windows XP Professional, or Windows ME. TestKing’s written security policy requires that any remote access solution must provide both data integrity and data origin authentication. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)

A. Install certificates on all VPN client computers.
B. Install a certificate on the VPN server computer.
C. Implement L2TP-based connections on the Windows 2000 Professional computers and the Windows XP Professional computers. Implement PPTP-based connections on all other portable computers.
D. Install the L2TP/IPSec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement L2TP-based connections on all portable computers.
E. Install the L2TP/IPSec VPN client on the portable computers that run Windows NT Workstation 4.0 or earlier. Implement PPTP-based connections on all portable computers.

Answer: A, B, D

Explanation: Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98, Windows Millennium Edition (Me), or Windows NT® Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec). The combination of L2TP and IPSec, known as L2TP/IPSec, is a highly secure technology for making remote access virtual private network (VPN) connections across public networks such as the Internet. Microsoft L2TP/IPSec VPN Client also provides support for IPSec Network Address Translator (NAT) traversal.

When used in a network that supports a public key infrastructure (PKI) that issues digital certificates, Microsoft L2TP/IPSec VPN Client will connect without requiring any additional configuration.

QUESTION NO: 275
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All servers are manually configured with static IP addresses. All client computers run Windows XP Professional. All client computers receive their TCP/IP configuration information from a DHCP server. TestKing’s network consists of two subnets: 172.30.22.0/24 and 172.30.23.0/24. The research department uses the 172.30.23.0/24 subnet exclusively. All computers that belong to the other departments are located on the 172.30.22.0/24 subnet. You deploy a server named Testking1 to the research department. Testking1 was formerly used in a test lab environment. You change the TCP/IP configuration of Testking1 to allow it to communicate on the company network. Later, users from other departments report that when they attempt to connect to Testking1, the connection times out. You run the route print command on Testking1 and view the output shown in the exhibit.

You need to ensure that users can connect to Testking1.

Which command should you run on Testking1?

A. route delete 172.30.22.0 mask 255.255.255.0 192.168.17.100
B. route delete 172.30.23.0 mask 255.255.255.0 172.30.23.19
C. route change 172.30.22.0 mask 255.255.255.0 192.168.17.100 2 IF 1
D. route change 172.30.23.0 mask 255.255.255.0 172.30.23.19 E IF 1

Answer: A

QUESTION NO: 276
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. TestKing has a main office and a branch office. Both offices are connected to the Internet by Network Address Translation (NAT) firewalls and T1 connections to the company’s ISP. Each firewall is configured with a perimeter network. TestKing uses a public key infrastructure (PKI) for both internal and external authentication. TestKing needs to connect the main office to the branch office by using the existing Internet connections. TestKing’s written security policy includes the following requirements:

• All Internet communications must use the PKI for all authentication and data encryption.
• All servers that are required to communicate to or by means of the Internet must be located in a firewall perimeter network.

You need to connect the main office to the branch office. You need to comply with the written security policy. You install Routing and Remote Access servers in the perimeter network at each office. What else should you do?

A. Configure persistent, two-way initiated PPTP connections with EAP-TLS user authentication.
B. Configure persistent, two-way initiated PPTP connections with MS-CHAP v2 user authentication.
C. Configure persistent, two-way initiated L2TP/IPSec connections with MS-CHAP v2 user authentication.
D. Configure persistent, two-way initiated L2TP/IPSec connections with EAP-TLS user and computer authentication.

Answer: D

QUESTION NO: 277
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The audit department has servers that contain highly confidential files. The files are accessed over the LAN by the audit department client computers. The audit department client computers have slow processors. The network design requires that the network transmissions between the audit department servers and client computers be confidential and that any changes to the data in transit must be detectable. You create a custom IPSec filter action. You need to select the security method settings. You need to ensure that you minimize the performance impact on the audit department client computers. What should you do?

A. Select MD5 as the integrity algorithm and DES as the encryption algorithm.
B. Select SHA1 as the integrity algorithm and DES as the encryption algorithm.
C. Select SHA1 as the integrity algorithm and 3DES as the encryption algorithm.
D. Select MD5 as the integrity algorithm and 3DES as the encryption algorithm.

Answer: A

QUESTION NO: 278
You are the network administrator for TestKing. The network contains Windows 98, Windows NT Workstation 4.0, and Windows XP Professional client computers. All computers run the latest service pack. The network contains a Windows Server 2003 file server named Testking1. TestKing’s written security policy requires that data communications must be encrypted by using IPSec whenever possible. Other than the default GPOs, there are no additional Group Policy objects (GPOs) within Active Directory or any local GPOs applied to the computers in the domain. You need to configure Testking1 so that it meets the written security policy requirements without disabling access for any client computer. You also want to minimize session key negotiation times. What should you do? To answer, configure the appropriate option or options in the dialog box.

Answer: Select the “Allow unsecured communication with non-IPSec aware computers” checkbox.

QUESTION NO: 279
You are the system engineer for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The servers on the network are all located in a central data center building, which is located on the company campus. All servers have the Recovery Console installed and support firmware-based console redirection by means of installed service processors. All servers are located in a physically secured room. IT department personnel can access this room for the purpose of installing or maintaining hardware. All IT department personnel are members of the Domain Admins security group. TestKing adopts a new remote administration policy, which includes the following requirements:

• All in-bound management of servers on the network must be performed remotely.
• All remote administration connections made to any server must be authenticated by using the Kerberos version 5 protocol and must be logged in the Security event log.
• All remote administration connections must be encrypted.
• The new remote administration configuration must not adversely affect normal network connectivity for users or cause any disruption in network services.

The new remote administration policy applies to all servers, including domain controllers, file and print servers, and application servers. You need to plan a remote administration strategy for all servers on the network that complies with the new policy. What should you do?

A. On each server, enable Emergency Management Services.
B. On each server, enable Remote Desktop connections.
C. On each server, enable the Telnet service with the Automatic startup parameter. Enable the Secure Server (Require Security) IPSec policy in the Default Domain Policy Group Policy object (GPO).
D. Install IIS on each server. Select the Remote Administration (HTML) check box in the properties for the World Wide Web Service. On each server, configure IP packets filters to accept only SSL connections.

Answer: B

QUESTION NO: 280
You are the systems engineer for TestKing. The network consists of three physical networks connected by hardware-based routers. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each physical network contains at least one domain controller and at least one DNS server. One physical network contains a Microsoft Internet Security and Acceleration (ISA) Server array that provides Internet access for the entire company. The network also contains a certificate server. TestKing management wants to ensure that all data is encrypted on the network and that all computers transmitting data on the network are authenticated. You decide to implement IPSec on all computers on the network. You edit the Default Domain Policy Group Policy object (GPO) to apply the Secure Server (Require Security) IPSec policy. Users immediately report that they cannot access resources located in remote networks. You investigate and discover that all packets are being dropped by the routers. You also discover that Active Directory replication is not functioning between domain controllers in different networks. You need to revise your design and implementation to allow computers to communicate across the entire network. You also need to ensure that the authentication keys are stored encrypted. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure the routers to use IPSec and a preshared key for authentication.
B. Configure the routers to use IPSec and a certificate for authentication.
C. Configure the routers to use IPSec and Kerberos for authentication.
D. Reconfigure the GPOs to require a preshared key for IPSec authentication.
E. Reconfigure the GPOs to require a certificate for IPSec authentication.

Answer: B, E

QUESTION NO: 281
You are a network administrator for TestKing.com. The network consists of two Active Directory domains. You are responsible for administering one domain, which contains users who work in the sales department. User objects for the users in the sales department are stored in an organizational unit (OU) named Sales in your domain.

Users in the sales department use a public key infrastructure (PKI) enabled application that requires users to present client authentication certificates before they are granted access. You install Certificate Services on two member servers running Windows Server 2003. You configure one server as an enterprise subordinate certification authority (CA) and the other server as a stand-alone root CA. You need to issue certificates that support client authentication to sales users only. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll users for certificates.

B. Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object (GPO) to autoenroll computers for certificates.

C. Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to autoenroll sales users for certificates.

D. Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to autoenroll sales client computers for certificates.

Answer: C

QUESTION NO: 282
You are the security analyst for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The perimeter network contains an application server, which is accessible to external users. You view the logs on your intrusion-detection system (IDS) on the router and discover that very large numbers of TCP SYN packets are being sent to the application server. The application server is responding with SYN-ACK packets to several different IP addresses, but it is not receiving ACK responses. You note that all incoming SYN packets appear to be originating from IP addresses located within the perimeter network’s subnet address range. No computers in your perimeter network are configured with these IP addresses. The router logs show that these packets are originating from locations on the Internet. You need to prevent this type of attack from occurring until a patch is made available from the application vendor. Because of budget constraints, you cannot add any new hardware or software to the network. Your solution cannot adversely affect legitimate traffic to the application server. What should you do?

A. Relocate the application server to the company intranet. Configure the firewall to allow inbound and outbound traffic on the ports and protocols used by the application.

B. Configure network ingress filters on the router to drop packets that have local addresses but that appear to originate from outside the company network.

C. Create access control lists (ACLs) and packet filters on the router to allow perimeter network access to only authorized users and to drop all other packets originating from the Internet.

D. Configure the IDS on the perimeter network with a response rule that sends a remote shutdown command to the application server in the event of a similar denial-of-service attack.

Answer: B

QUESTION NO: 283
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains three Windows Server 2003 computers: Testking1, Testking2, and Testking3. You intend to use the three servers as certification authorities (CAs) for the following roles:

Server name   Role
Testking1     root CA
Testking2     subordinate CA
Testking3     subordinate CA

Testking2 will be used exclusively to issue enrolment agent certificates. Testking3 will be used to issue all other certificate types needed in the domain. You plan to take Testking1 offline after the CA hierarchy is established. You want to minimize the possibility that unauthorized certificates might get issued. You also want to be able to revoke certificates that are issued by a subordinate CA if that server is compromised, without affecting the certificates that are issued by the other subordinate CA. You need to design a CA hierarchy that meets the requirements. What should you do? To answer, drag the appropriate CAs to the correct locations in the work area.

Answer:

QUESTION NO: 284
You are the security analyst for TestKing. TestKing’s written security policy does not allow direct dial-in connections to the network. During a routine security audit, you discover a Windows Server 2003 server named Testking1 that has a modem installed and is connected to an outside analog phone line. You investigate and discover that Testking1 is also running Routing and Remote Access and is used by the sales department. The modem supports the caller ID service. This remote access connection is used by an application at a partner company to upload product and inventory information to Testking1. Each day at midnight, the partner application connects to Testking1 and uploads the information. The connection never lasts longer than 30 minutes. The application is currently using the sales manager’s domain user account to make the connection. The partner application does not support incoming connections. The partner company has no plans to update this application to support your written security policy, and the sales department requires this updated product and inventory information to be available each morning.

TestKing management directs you to design a solution that provides the highest level of security for this connection until a more secure solution can be developed by the two companies. You need to design and implement a solution that will ensure that only the partner’s application can connect to your network over the dial-up connection. Your solution must prevent the connection from being used by unauthorized users, and it must allow only the minimum amount of access to the network. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Create an account named PartnerDialup in the domain, and add this account to the Domain Guests group. Grant this user account permissions for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.

B. Create a local account named PartnerDialup on Testking1, and add this account to the local Users group. Grant this user account permission for the folder to which the sales information is uploaded. Direct the partner company to use this account for remote access.

C. Configure a remote access policy on Testking1 that allows the connection for only the specified user account between midnight and 1:00 A.M. Configure the policy to require callback authentication to the partner company’s server.

D. Configure a remote access policy on Testking1 that allows the connection for only the specified user account between midnight and 1:00 A.M. Configure the policy to allow only the specific calling station identifier of the partner company’s computer.

Answer: B, D

QUESTION NO: 285
You are a network administrator for TestKing.com. TestKing participates in a joint venture with Alpine Ski House. Each company’s network consists of a single Active Directory forest. The functional level of each forest is Windows 2003. A two-way forest trust relationship exists between both companies. Each company maintains its own certification authority (CA). Users are required to encrypt and digitally sign all e-mail messages relating to the joint venture that are sent between the companies. Users in the testking.com domain report that when they open e-mail messages sent by users in the alpineskihouse.com domain, they receive a security warning. The warning indicates an error in the certificate used to sign the e-mail message. You examine several e-mail messages and discover the error shown in the exhibit.

You need to ensure that users in the testking.com domain receive e-mail messages without receiving any error messages. You need to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Add the computer account for the enterprise root CA in the alpineskihouse.com domain to the Cert Publisher domain local group in the testking.com domain.

B. In the alpineskihouse.com domain, delegate the Allow – Read userCertificate permission for contact objects to the Domain Users global group in the testking.com domain.

C. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the testking.com domain, import the enterprise root certificate from the alpineskihouse.com domain.

D. In the alpineskihouse.com domain, export the enterprise root certificate to a file. On the enterprise root CA in the testking.com domain, run the certutil command to publish the root certificate to Active Directory.

Answer: C

QUESTION NO: 286
You are a network administrator for TestKing. You install Windows Server 2003 on two servers named Testking1 and Testking2. You configure Testking1 and Testking2 as a two-node server cluster. The cluster has three managed drives assigned the letters Q, R, and S. The quorum resource is located on drive Q. You create a WINS group and configure WINS on the cluster. You create a File Server group and configure file sharing on the cluster by using a shared folder that you create on drive R. File sharing and WINS are both running on Testking1. You move the WINS group to Testking2. The file share service fails on Testking1. When you attempt to bring it back online, the file share resource will not start on Testking1. You move the WINS group back to Testking1. The file share service will not come back online. You need to configure the cluster so that each application can be moved or can fail over independently, without affecting the other application. What should you do?

A. Modify the Preferred owners list for the WINS group so that only Testking2 is in the list.
B. Modify the Preferred owners list for the File Server group so that only Testking2 is in the list.
C. Configure both the WINS group and the File Server group to allow failback immediately.
D. Reconfigure the File Server group File Share resource to use a shared folder on drive S.

Answer: B
http://download.microsoft.com/download/7/6/f/76f3db2f-6f43-4624-bfde-ff731e3c1f96/GDClusters.doc

QUESTION NO: 287
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains a Windows Server 2003 two-node server cluster. The security team states that the password for the cluster service account must be changed because one of the administrators has left the company. You fill out the necessary change control paperwork. You need to provide the process for changing the password in the change control form. You need to change the password for the cluster service account by using the minimum amount of administrative effort. What should you do?

A. Change the cluster service account password in Active Directory Users and Computers. Change the cluster service account password on one node, and restart the node. After the first node comes back online, change the cluster service account password on the second node, and restart the node.

B. Change the cluster service account password in Active Directory Users and Computers. Change the cluster service account password on both nodes, and restart the first node. After the first node comes back online, restart the second node.

C. Run Dsmod.exe with the change password option.
D. Run Cluster.exe with the change password option.
E. Run SC.exe with the change password option.

Answer: D
http://support.microsoft.com/default.aspx?scid=kb;en-us;305813

QUESTION NO: 288
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains Windows Server 2003 file servers. The network also contains a Windows Server 2003 computer named Testking1 that runs Routing and Remote Access and Internet Authentication Service (IAS). Testking1 provides VPN access to the network for users’ home computers.

You suspect that an external unauthorized user is attempting to access the network through Testking1. You want to log the details of access attempts by VPN users when they attempt to access the network. You want to compare the IP addresses of users’ home computers with the IP addresses used in the access attempts to verify that the users are authorized. You need to configure Testking1 to log the details of access attempts by VPN users. What should you do?

A. Configure the system event log to Do not overwrite.
B. In IAS, in Remote Access Logging, enable the Authentication requests setting.
C. Configure the Remote Access server to Log all events.
D. Create a custom remote access policy and configure it for Authentication-Type.

Answer: B

QUESTION NO: 289
You are a network administrator for TestKing. The design team provides you with the following list of requirements for server disaster recovery:

• No more than two sets of tapes can be used to restore to the previous day.
• A full backup of each server must be stored off-site.
• A full backup of each server that is no more than one week old must be available on-site.
• Backups must never run during business hours.
• Tapes may be recalled from off-site storage only if the on-site tapes are corrupted or damaged.

A full backup of all servers requires approximately 24 hours. Backing up all files that change during one week requires approximately 4 hours. Business hours for TestKing are Monday through Friday from 6:00 A.M. to 10:00 P.M. You need to provide a backup rotation plan that meets the design team’s requirements. Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Perform a full normal backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.

B. Perform a full normal backup for on-site storage on Friday night after business hours. Perform another full normal backup for off-site storage on Saturday night after the Friday backup is complete.

C. Perform a full copy backup for on-site storage on Friday night after business hours. Perform a full copy backup for off-site storage on Saturday night after the Friday backup is complete.

D. Perform differential backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.

E. Perform incremental backups on Sunday, Monday, Tuesday, Wednesday, and Thursday nights after business hours.

F. Perform incremental backups on Sunday, Tuesday, and Thursday nights after business hours. Perform differential backups on Monday and Wednesday nights after business hours.

Answer: A, D

QUESTION NO: 290
You are the network administrator for TestKing.com. All servers run Windows Server 2003. The network contains two Web servers named Testking1 and Testking2 and three application servers named Testking3, Testking4, and Testking5. All five servers have similar hardware. The servers are configured as Network Load Balancing clusters, as shown in the exhibit.

A Web services application hosted on Testking1 and Testking2 communicates to application components hosted on Testking3, Testking4 and Testking5 by using the IP address 10.1.20.11. The application is designed to be stateless. The Network Load Balancing settings for each server are listed in the following table.

Host        Filtering mode   Host priority   Affinity   Load
Testking1   Multiple         1               Single     Equal
Testking2   Multiple         2               Single     Equal
Testking3   Multiple         1               Single     Equal
Testking4   Multiple         2               Single     Equal
Testking5   Multiple         3               Single     Equal

Users report that response time to the Web services application is slow. You investigate the performance of each server and observe the information listed in the following table.

Host        Average % of CPU in use   Average % of RAM in use
Testking1   75                        80
Testking2   65                        75
Testking3   98                        90
Testking4   2                         20
Testking5   2                         20

You need to improve the response time of the application. What should you do?

A. Modify the Web services application to access the components on the application servers by using the IP address 10.1.10.11.

B. Modify the Network Load Balancing host priorities for Testking3 and Testking5 by 1.
C. Modify the Network Load Balancing host priority for Testking2 to be 1.
D. Modify the Network Load Balancing affinity setting for Testking3, Testking4, and Testking5 to be None.
E. Modify the Network Load Balancing affinity setting for Testking1 and Testking2 to be None.

Answer: D

QUESTION NO: 291
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All computers on the network are members of the domain. You administer a four-node Network Load Balancing cluster. All nodes run Windows Server 2003. The cluster has converged successfully. You use Network Load Balancing Manager on the default host to configure all nodes of the cluster. The nodes have a single network adapter and are connected to the same switching hub device.

Administrators of non-cluster servers that are connected to the same switching hub device report that their servers receive traffic that is destined for the cluster nodes. Receiving this additional network traffic impairs the network performance of the non-cluster servers. You need to ensure that traffic destined for only the cluster nodes is not sent to all ports of the switching hub device. You do not want to move the cluster to another switching hub device. What should you do?

A. On the node, run the nlb.exe reload command.
B. On each node, run the wlbs.exe drainstop command.
C. Use Network Load Balancing Manager to enable Internet Group Management Protocol (IGMP) support on the cluster.
D. Use Network Load Balancing Manager to add a second cluster IP address.

Answer: C

QUESTION NO: 292
You are a network administrator for TestKing. You install Windows Server 2003, Enterprise Edition on two servers named Testking1 and Testking2. You configure Testking1 and Testking2 as a two-node server cluster. Testking1 and Testking2 are connected to a shared fiber-attached array. You configure the server cluster for file sharing. You configure Testking1 as the preferred owner of the file sharing resources. You perform the following backups by using the Backup or Restore Wizard.

Server      Tuesday                                Wednesday
Testking1   Normal backup including system state   Incremental backup and Automated System Recovery (ASR) backup
Testking2   Normal backup including system state   Incremental backup and ASR backup

On Thursday morning, Testking2 experiences a hard disk failure. The failed disk contains only the operating system for Testking2. You evict Testking2 from the server cluster. You need to recover Testking2 and restore it to the cluster. You need to minimize data loss and recovery time.


What should you do?

A. Restore the quorum disk signature and data from the Tuesday backup of Testking1, and add Testking2 to the server cluster.

B. Restore Testking2 by using ASR, and add Testking2 to the server cluster.
C. Restore the Tuesday backup of Testking2, and add Testking2 to the server cluster.
D. Restore the Tuesday normal backup and the Wednesday incremental backup of Testking2, and add Testking2 to the server cluster.

Answer: B

QUESTION NO: 293
You are a network administrator for TestKing. The network contains two Windows Server 2003 database servers configured as a two-node server cluster. Each cluster node has a 100-Mbit network adapter and a 10-Mbit network adapter. The 100-Mbit network adapter on each server is connected to the company network. The 10-Mbit adapters are connected to each other by an Ethernet crossover cable. Cluster communications are configured to use the crossover connection as the primary cluster network. The cluster provides mission-critical data to several hundred users at any given time, 24 hours per day. You need to be able to ascertain if the network performance ever becomes or might become a limiting performance factor. You want to be able to identify trends over time. You need to choose which network adapters and performance counters are the most important for you to monitor, and you need to choose which method of monitoring to use to detect potential saturation of the network adapters. What should you do?


Answer:


QUESTION NO: 294
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com that has two child domains: domain1.testking.com and domain2.testking.com. All domain controllers run Windows Server 2003. All domain controllers are configured as DNS servers. You use a proxy firewall to isolate your network from the Internet. You configure the DNS servers in the testking.com domain as internal DNS root servers. All client computers are configured with the proxy firewall client software. You need to allow users to resolve host names on both the internal network and the Internet. What should you do?

A. Configure the internal DNS root servers to use Active Directory-integrated stub zones to resolve DNS queries for domain1.testking.com and domain2.testking.com.

B. Configure all client computers to use a Web browser automatic configuration script.


C. Configure the DNS servers in the child domains to use the internal DNS root servers as forwarders.
D. Configure the DNS servers in the child domain with root hints that point to the internal DNS root servers in the testking.com domain.

Answer: D

QUESTION NO: 295
You are a network administrator for TestKing. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest and of all three domains is Windows Server 2003. TestKing has a main office and 30 branch offices. Each branch office is connected to the main office by a 56-Kbps WAN connection. You configure the main office and each branch office as a separate Active Directory site. You deploy a Windows Server 2003 domain controller at the main office and at each branch office. Each domain controller is configured as a DNS server. You can log on to the network from client computers in the branch offices at any time. However, users in the branch offices report that they cannot log on to the network during peak hours. You need to allow users to log on to the network from branch office computers. You do not want to affect the performance of the branch office domain controllers. You need to minimize Active Directory replication traffic across the WAN connections. What should you do?

A. Use Active Directory Sites and Services to enable universal group membership caching for each branch office site.

B. Use the DNS console to configure the branch office DNS servers to forward requests to a DNS server in the main office.

C. Use Active Directory Sites and Services to configure each branch office domain controller as a global catalog server.

D. Use the DNS console to configure the branch office DNS servers to use an Active Directory-integrated zone.

Answer: A

QUESTION NO: 296


You are the network administrator for TestKing.com. TestKing has 20,000 users in 20 physical locations worldwide. TestKing is expecting to grow by 50 percent over the next five years. TestKing recently became a subsidiary of Humongous Insurance. Humongous Insurance has five other subsidiaries. Humongous Insurance has 100,000 users in 100 physical locations worldwide. Humongous Insurance uses the 10.0.0.0/8 network and requires that all subsidiaries integrate into this network. The network design team at TestKing provides you with a network design for integrating into the Humongous Insurance network. The design specifies that TestKing will use a single block of IP network numbers to assign IP addresses to its network. You need to plan the IP address space to meet the design specification. You need to request a block of IP addresses from Humongous Insurance that will accommodate all TestKing users. To reduce the difficulty of obtaining the addresses and to conserve the Humongous Insurance address space, you want to request the smallest block of IP addresses that meets the design specification. What should you do?

A. Request a 10.0.0.0 block of IP addresses with an 8-bit subnet mask from Humongous Insurance.
B. Request a 10.0.0.0 block of IP addresses with a 16-bit subnet mask from Humongous Insurance.
C. Request a 10.0.0.0 block of IP addresses with a 24-bit subnet mask from Humongous Insurance.
D. Request a 10.0.0.0 block of IP addresses with a 32-bit subnet mask from Humongous Insurance.

Answer: B

QUESTION NO: 297
You are the administrator of a network at TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 98. All Windows 98 computers have the Active Directory Client Extensions software installed. The network consists of three physical subnets. Each subnet contains a domain controller and a server that runs DHCP. Each subnet also contains a server that runs both the DNS Server service and the WINS service. All client computers receive their TCP/IP configuration from the DHCP server that is located on their local subnet. All of the Windows 98 computers are located on a single subnet. The DHCP scope on this subnet is configured with the options shown in the exhibit.


All DHCP servers are configured with similar options. Users of the Windows 98 computers report that they cannot connect to resources on the Windows Server 2003 computers located on any subnet. When they attempt to connect to a shared resource by using \\servername\sharename in the Run command, they receive the following error message: “Server not found”. The users can successfully connect to Web-based resources located on the same servers. When you attempt to connect to the servers by using the ping command on an affected Windows 98 computer, you can connect successfully. The users of the Windows XP Professional computers do not report the same problems. You need to ensure that the users of the Windows 98 computers can connect to shared resources on the Windows Server 2003 computers. What should you do?

A. On the affected subnet’s DHCP server, configure the scope options to use the Windows 98 vendor class.
B. On the affected subnet’s DHCP server, remove the WINS/NBT Node Type from the scope options.
C. On each DHCP server, remove the Microsoft Disable NetBIOS Option from the scope options.
D. On each DHCP server, add the NetBIOS over TCP/IP NBDD DHCP scope option to the scope options.

Answer: C


QUESTION NO: 298
You are the system engineer for TestKing. The internal network consists of a Windows NT 4.0 domain. The company maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named testking.com. The testking.com zone is hosted by a UNIX-based DNS server running BIND 4.8.1. TestKing is planning to migrate to a Windows Server 2003 Active Directory domain-based network. The migration plan states that all client computers will be upgraded to Windows XP Professional and that all servers will be replaced with new computers running Windows Server 2003. The migration plan specifies the following requirements for DNS in the new environment:

• Active Directory data must not be accessible from the Internet.
• The DNS namespace must be contiguous to minimize confusion for users and administrators.
• Users must be able to connect to resources in the testking.com domain.
• Users must be able to connect to resources located on the Internet.
• The existing UNIX-based DNS server will continue to host the testking.com domain.
• The existing UNIX-based DNS server cannot be upgraded or replaced.

You plan to install a Windows Server 2003 DNS server on the internal network. You need to configure this Windows-based DNS server to meet the requirements specified in the migration plan. What should you do?

A. Create a primary zone named ad.testking.com on your Windows-based DNS server. Create a delegation record for the new zone on the UNIX-based DNS server. Configure forwarders on your Windows-based DNS server.

B. Create a primary zone named ad.testking.com on the UNIX-based DNS server. Create a secondary zone on your Windows-based DNS server for the ad.testking.com domain.

C. Create a primary zone named testking-ad.com on your Windows-based DNS server. Create a secondary zone on the UNIX-based DNS server for the testking-ad.com domain.

D. Create a primary zone named testking-ad.com on the UNIX-based DNS server. Create a stub zone on the Windows-based DNS server for the testking-ad.com domain. Configure conditional forwarders on your Windows-based DNS server for the testking-ad.com and testking.com domain.

Answer: A


QUESTION NO: 299
You are the network administrator for TestKing.com. The relevant portion of the network is shown in the exhibit.

All servers run Windows Server 2003. Each subnet of the network contains 100 Windows XP Professional computers. Each subnet also contains a DHCP server, which provides TCP/IP configuration information to all computers on its local subnet. You create and configure Subnet3 for a new department at your company. Users in Subnet3 report that they cannot connect to resources located on servers in Subnet1 and Subnet2. When they attempt to connect to these resources, they receive the following message: “Server not found”. The users can successfully connect to resources located on servers in Subnet3. Users in Subnet1 and Subnet2 report that they cannot connect to resources located on servers in Subnet3. When they attempt to connect to these resources, they receive the following error message: “Server did not respond in a timely manner”. The users can successfully connect to resources in both Subnet1 and Subnet2. You need to ensure that all client computers can connect to server-based resources on all subnets. What should you do?

A. Configure the DHCP server in Subnet3 to provide a subnet mask of 255.255.255.0.
B. Configure the DHCP servers in Subnet1 and Subnet2 to provide a subnet mask of 255.255.0.0.
C. Configure the Testking2 Interface E1 to use a subnet mask of 255.255.0.0.
D. Configure the IP address of the Testking2 Interface E0 as the default gateway for Subnet3.
E. Configure the IP address of the Testking2 Interface E1 as the default gateway for Subnet2.


Answer: A

QUESTION NO: 300
You are a network administrator for TestKing. TestKing has one main office and 30 branch offices. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. TestKing needs to connect the main office network and all branch office networks by using Routing and Remote Access servers at each office. The networks will be connected by VPN connections over the Internet. You install three Routing and Remote Access servers at the main office. You are configuring security for the Routing and Remote Access servers. You need to provide centralized authentication for the branch office Routing and Remote Access servers. You need to centrally configure the remote access policies for the main office Routing and Remote Access servers. You need to centrally maintain remote access authentication and connection logs for the main office Routing and Remote Access servers. You install Internet Authentication Service (IAS) on a server in the main office and register it in Active Directory. What else should you do?

A. Configure the remote access policies on the IAS server. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use RADIUS authentication and accounting.

B. Configure the remote access policies on the IAS server. On the IAS server, configure the branch office RADIUS clients. Configure the branch office Routing and Remote Access servers to use RADIUS authentication and accounting.

C. Configure the remote access policies on the IAS server. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use Windows authentication and accounting.

D. Run the netsh command to configure the remote access policies on the main office Routing and Remote Access servers. On the IAS server, configure the main office RADIUS clients. Configure the main office Routing and Remote Access servers to use RADIUS authentication and accounting.

Answer: A

QUESTION NO: 301
You are the systems engineer for TestKing. The network consists of a single Active Directory domain testking.com. TestKing has a main office and two branch offices. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. Each branch office maintains a dedicated 256-Kbps connection to the main office. Each office also maintains a T1 connection to the Internet. Each office has a Microsoft Internet Security and Acceleration (ISA) Server 2003 computer, which provides firewall and proxy services on the Internet connection. Each branch office contains one domain controller and five servers that are not domain controllers. There is a minimal administrative staff at the branch offices. A new company policy states that all servers must now be remotely administered by administrators in the main office. The policy states that all remote administrators’ connections must be authenticated by the domain and that all traffic must be encrypted. The policy also states that the remote administration traffic must never be carried in clear text across the Internet. You choose to implement remote administration by enabling Remote Desktop connections on all servers on the network. You decide to use the Internet-connected T1 lines for remote administration connectivity between offices. Because administrative tasks might require simultaneous connections to multiple servers across the network, you need to ensure that administrators do not lose connections to servers in one office when they attempt to connect to servers in another office. What should you do?

A. Configure Routing and Remote Access on one server in each branch office. Create L2TP/IPsec VPN ports on these servers. Create new VPN connections to the administrator’s computers to connect to the VPN servers in the branch offices.

B. Configure a VPN server in each branch office. Create connections that use IPSec Authentication Header (AH) in tunnel mode from the main office to connect to VPN servers in the branch offices.

C. Configure a local L2TP/IPSec VPN connection on the ISA Server 2000 firewall computer in the main office. Configure the ISA Server 2000 firewall computers at the branch offices as remote L2TP/IPSec VPN servers.

D. Configure a local PPTP VPN connection on the ISA Server 2000 firewall computers in each branch office. Configure the ISA Server 2000 firewall computer at the main office as a remote PPTP VPN server.

Answer: C

QUESTION NO: 302
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The functional level of the domain is Windows 2000 mixed. The network contains domain controllers that run Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0. The network also contains application servers that run Windows Server 2003, Windows 2000 Advanced Server, or Windows NT Server 4.0. All client computers run Windows XP Professional. TestKing has a main office and branch offices. Each office has a local administrator. Local administrators manage the client computers that are in their offices, including the Group Policy settings. You want to reduce the possibility of passwords being compromised through man-in-the-middle attacks during the authentication process between client computers and servers. You want to ensure that the authentication protocols used by the client computers are as secure as possible. You are planning the guideline that the local administrators will use when they configure the Network Security policy setting for client computers. You want to be as flexible as possible, while still meeting your goals. You need to select the appropriate authentication type or types for the client computers. What should you do?

A. Allow LM, NTLM, NTLMv2, and Kerberos.
B. Allow only NTLM, NTLMv2, and Kerberos.
C. Allow only NTLMv2 and Kerberos.
D. Allow only Kerberos.

Answer: C

QUESTION NO: 303


You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 10 application servers running Windows Server 2003. There are 500 client computers on the LAN. The LAN-based client computers are members of the domain. There are 50 client computers on the Internet. The Internet-based client computers are not members of the domain. All client computers run Windows XP Professional. All client computers need to access the application servers. TestKing purchases certificates from a commercial certification authority (CA) when needed. The network design requires that all access to the application servers must be encrypted by using IPSec. The application servers are configured to refuse any connection that is not encrypted. You need to ensure that the client computers are authorized to access the application servers. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Configure both the LAN-based client computers and the Internet-based client computers to use the Kerberos version 5 authentication protocol.

B. Configure both the LAN-based client computers and the Internet-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA.

C. Configure the LAN-based client computers to use the Kerberos version 5 authentication protocol and the Internet-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA.

D. Configure the LAN-based client computers to use the certificate-based authentication method with certificates generated by a commercial CA and the Internet-based client computers to use the Kerberos version 5 authentication protocol.

Answer: C

QUESTION NO: 304
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 50 Windows Server 2003 computers and 200 Windows XP Professional computers. TestKing does not use wireless networking. The network at TestKing is shown in the exhibit.


TestKing enters into a strategic partnership with Adventure Works. Under the strategic partnership, Adventure Works will regularly send employees to TestKing. Your design team interviews the Adventure Works administrator and discovers the following:

• Adventure Works employees require access to the Internet to retrieve e-mail messages and to browse the Internet.
• Adventure Works employees do not need access to the internal network at TestKing.
• Adventure Works employees all have portable computers that run Windows XP Professional, and they use a wireless network in their home office.
• The wireless network client computers of Adventure Works employees must be protected from Internet-based attacks.

Adventure Works sends you a wireless access point that its employees will use to access the Internet through your network. You are not allowed to change the configuration of the wireless access point because any change will require changes to all of the wireless client computers. You need to develop a plan that will meet the requirements of Adventure Works employees and the security requirements of TestKing. Your solution must be secure and must minimize administrative effort. What should you do?

A. Install the wireless access point on a separate subnet inside the TestKing network. Configure a router to allow only HTTP, IMAP4, and SMTP traffic out of the wireless network.

B. Install the wireless access point on a separate subnet inside the TestKing network. Configure a VPN from the wireless network to the Adventure Works office network.

C. Install the wireless access point on the TestKing perimeter network. Configure Firewall1 to allow wireless network traffic to and from the Internet. Configure Firewall2 to not allow wireless traffic into the TestKing network.

D. Install the wireless access point outside Firewall1 at TestKing. Obtain IP addresses from your ISP to support all wireless users.


Answer: C

QUESTION NO: 305
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The domain contains a Windows Server 2003 computer named Testking1 that is located in an organizational unit (OU) named Servers. Testking1 contains confidential data, and all network communications with Testking1 must be encrypted by using IPSec. The default Client (Respond Only) IPSec policy is enabled in the Default Domain Policy Group Policy object (GPO). You create a new GPO and link it to the Servers OU. You configure the new GPO by creating and enabling a custom IPSec policy. You monitor and discover that network communications with Testking1 are not being encrypted. You need to view all IPSec policies that are being applied to Testking1. What should you do?

A. Use Local Security Policy to view the IP Security Policies on Local Computer for Testking1.
B. Use Local Security Policy to view the Security Options for Testking1.
C. Use Resultant Set of Policy (RSoP) to run an RSoP logging mode query to view the IP Security Policies on Local Computer for Testking1.
D. Use Resultant Set of Policy (RSoP) to run an RSoP planning mode query to view the Security Options for Testking1.
E. Use IP Security Monitor to view the Active Policy for Testking1.
F. Use IP Security Monitor to view the IKE Policies for Testking1.

Answer: C

QUESTION NO: 306
You are the security analyst for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. The network currently does not have a connection to the Internet.


You are in the process of designing an Internet connection solution for TestKing. TestKing’s Internet security policy includes the following requirements:

• Traffic that originates from outside the TestKing network must never be passed to the TestKing intranet.
• Internal TestKing resources must not be directly accessible from the Internet.
• TestKing’s public Web site must not contain any confidential TestKing information.
• TestKing’s public Web site must be accessible from the Internet, even in the event of the failure of any TestKing-owned network component.

You design a network solution that provides strict access control to the TestKing intranet by means of a firewall. Your new design includes a perimeter network, which contains resources that external users or computers might need to access. Your design also includes three computers running intrusion-detection software: IDS1, IDS2, and IDS3. You now need to plan the placement of five servers on the network in accordance with TestKing’s Internet security policy. How should you place the servers to comply with the security policy? To answer, drag the appropriate server role to the correct network location in the Network Diagram.


Answer:


QUESTION NO: 307
You are the security analyst for TestKing. TestKing’s network consists of a single Active Directory domain testking.com. TestKing’s network consists of an intranet and a perimeter network separated by a firewall. The perimeter network is connected to the Internet by a second firewall. The perimeter network contains three Windows Server 2003 computers. The servers on the perimeter network host a custom application that provides product inventory information to customers. The application is managed by SNMP. Each server has the SNMP service installed. Two Windows XP Professional computers running SNMP management software are located on the TestKing intranet.


The internal firewall is configured to allow outbound SNMP traffic from the intranet to the perimeter network. The firewall does not allow inbound SNMP traffic to the intranet. The current read-only SNMP community name is Public. The current read-write SNMP community name is AppCommRW. TestKing management wants to ensure that the SNMP traffic on the perimeter network cannot be intercepted by outside parties and used to compromise application integrity. You need to design a method to secure the SNMP traffic as it passes from the intranet to the perimeter network. Because of budget constraints, you cannot add any new hardware or software. Your solution must not affect customer access to the application. You need to ensure that all SNMP management traffic for the application is secure and cannot be used to compromise network security. What should you do?

A. Change the read-only SNMP community name to AppCommRO. On each application server, configure the SNMP service to send only application-specific SNMP information to the management client computers, to send authentication traps for both community names, and to accept only SNMP packets from the IP addresses of the management client computers.

B. Create an IPSec filter named SNMP Messages for the default SNMP ports in the local security policy on the management client computers and on the application server. Create and assign a new IPSec policy that requires security by using the SNMP Messages filter in the local security policy on the management client computers and on the application servers. Configure the internal firewall to allow outbound IPSec traffic from the intranet.

C. Change the community rights for the Public community to Notify. Change the community rights for the AppCommRW community to Read-Create. On each application server, configure the SNMP service to log on by using a domain user account instead of the local system account and to send authentication traps for the AppCommRW community name. Configure the internal firewall to allow inbound SNMP traffic from the perimeter network.

D. Create an organizational unit (OU) named SNMP Computers. Add the management client computers and the application servers to the SNMP Computers OU. Assign the Secure Server (Require Security) IPSec policy to the SNMP Computers OU. Configure the internal firewall to allow outbound IPSec traffic from the intranet.

Answer: B
Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;324261&Product=winsvr2003

QUESTION NO: 308


You are the network administrator for TestKing.com. The network contains 20 Windows Server 2003 database servers. The written security policy for TestKing requires that the following services must be disabled on all database server computers:

• Computer Browser
• File Replication
• Indexing Service
• Remote Registry
• Server
• Task Scheduler

The written security policy also requires that the database servers must be prohibited from having access to the Internet. You use a Windows XP Professional client computer named Testking1 that has access to the Internet. You need to perform a weekly analysis of the hotfix level of the database servers compared with the latest available updates. You need to minimize the amount of administrative effort. What should you do?

A. Schedule the mbsacli.exe command to run weekly on Testking1. Configure the mbsacli.exe parameters to use a file that contains the names of all database servers.

B. Each week, copy the Mssecure.cab file from the Microsoft Web site to Testking1 and initiate a Remote Desktop connection to each database server. Run the mbsacli.exe command on each database server. Configure the mbsacli.exe parameters to reference Testking1 as a data source for the hotfix information.

C. Each week, initiate a Remote Desktop connection to each database server. Run the wmic.exe qfe command on each database server.

D. Each week, initiate a Remote Desktop connection to each database server. Run the hotfix.exe command on each database server.

Answer: B

Explanation:
A remote MBSA scan from Testking1 (option A) depends on the Remote Registry service and on the Server service (administrative shares) of each target, and both are disabled by the written policy, so the scan has to run locally on each database server. Because the database servers have no Internet access, the hotfix catalog (Mssecure.cab) is downloaded once on Testking1 and referenced as the data source.

QUESTION NO: 309
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All computers on the network are members of the domain.


You are planning a public key infrastructure (PKI) for TestKing. You want to deploy smart cards for all users in the domain. You want the members of a new group named Smartcard Agents to be able to issue smart cards for all users. You create a new global group named Smartcard Agents. You install an enterprise certification authority (CA) on a Windows Server 2003 computer named Testking1. You create a duplicate of the Enrollment Agent certificate template and change the validity period of the new certificate template to three years. The name of the new certificate template is Smartcard Enrollment. The permissions configured on the Smartcard Enrollment certificate template are shown in the exhibit.

However, members of the Smartcard Agents group report that when they start the Certificate Request Wizard, they do not see Smartcard Enrollment in the list of certificate types that they can request. You want to ensure that members of the Smartcard Agents group can request Smartcard Enrollment certificates. What should you do?


A. Assign the Smartcard Agents group the Allow – Autoenroll permission for the Smartcard Enrollment certificate template.
B. Add the Enrollment Agent certificate template to the list of superseded templates on the Smartcard Enrollment certificate template.
C. Configure the enterprise CA to enable the Smartcard Enrollment certificate template.
D. Configure the enterprise CA to assign the Certificate Managers role to the Smartcard Agents group.
E. Instruct the members of the Smartcard Agents group to connect to the enterprise CA Web enrollment pages to request certificates.

Answer: A

QUESTION NO: 310
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains three Windows Server 2003 domain controllers. You are creating the recovery plan for TestKing. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller. Your recovery plan must incorporate the following organizational requirements:

• Active Directory objects that are accidentally or maliciously deleted must be recoverable.
• Active Directory must be restored to its most recent state as quickly as possible.
• Active Directory database replication must be minimized.

You need to create a plan to restore a deleted organizational unit (OU). Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Restart a domain controller in Directory Services Restore Mode.
B. Restart a domain controller in Safe Mode.
C. Use the Ntdsutil utility in Safe Mode.
D. Restore the system state by using the Always replace the file on my computer option.
E. Use Ntdsutil to perform an authoritative restore operation of the appropriate subtree.

Answer: A, E
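As an added example (not part of the original question set), these are the commands that carry out the plan from question 310: a system state restore in Directory Services Restore Mode followed by an authoritative restore of only the deleted subtree, so that just that subtree is re-replicated to the other domain controllers. The OU distinguished name OU=Sales,DC=testking,DC=com is an assumption; substitute the OU that was deleted.

```powershell
# Added example, not from the original page. Assumed name: the deleted OU is
# OU=Sales,DC=testking,DC=com. Run these on one domain controller only.

# Step 1 - restart the domain controller in Directory Services Restore Mode
# (press F8 during startup and choose "Directory Services Restore Mode"),
# then log on with the DSRM administrator password, not a domain account.

# Step 2 - restore the most recent system state backup with Backup (ntbackup).
# When ntbackup offers to restart, answer No. At this point the restored
# database is still non-authoritative: every object in it carries lower
# version numbers than the copies held by the other DCs, including the
# tombstone for the deleted OU, so rebooting now would let normal replication
# delete the OU again.

# Step 3 - mark only the deleted subtree authoritative. ntdsutil raises the
# version numbers of the objects in that subtree (by default 100,000 for each
# day since the backup), so the restored OU wins replication while the rest
# of the directory stays non-authoritative. Only the subtree is re-replicated,
# which satisfies the "replication must be minimized" requirement; marking the
# whole database authoritative would push every object out again.
ntdsutil "authoritative restore" "restore subtree OU=Sales,DC=testking,DC=com" quit quit

# Step 4 - restart normally, then confirm the OU is back with raised version
# numbers and push the change to the replication partners.
repadmin /showobjmeta . "OU=Sales,DC=testking,DC=com"
repadmin /syncall /e
```

Two caveats for a recovery plan of this kind: the DSRM password is a separate local credential that has to be kept in the plan, and on Windows Server 2003 SP1 and later ntdsutil writes an LDIF file listing the group memberships (back-links) of the restored users, which may have to be re-imported with ldifde on the other domain controllers after the restore.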


QUESTION NO: 311
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All computers on the network are members of the domain. You administer a Network Load Balancing cluster that consists of three nodes. Each node runs Windows Server 2003 and contains a single network adapter. The Network Load Balancing cluster can run only in unicast mode. The Network Load Balancing cluster has converged successfully. To increase the utilization of the cluster, you decide to move a particular application to each node of the cluster. For this application to run, you must add a Network Load Balancing port rule to the nodes of the cluster. You start Network Load Balancing Manager on the second node of the cluster. However, Network Load Balancing Manager displays a message that it cannot communicate with the other two nodes of the cluster. You want to add the port rule to the nodes of the cluster. What should you do?

A. Use Network Load Balancing Manager on the Network Load Balancing default host to add the port rule.
B. Change the host priority of the second node to be the highest in the cluster, and then use Network Load Balancing Manager to add the port rule.
C. Run the nlb.exe drain command on each node, and then use Network Load Balancing Manager to add the port rule.
D. Add the port rule through Network Connections Properties on each node.

Answer: D

Explanation:
With a single network adapter in unicast mode, all cluster hosts share one MAC address and cannot communicate with each other over that adapter, so Network Load Balancing Manager running on one node cannot reach the other nodes. The port rule therefore has to be added locally on every node. You can also open the Network Load Balancing Properties dialog box through the Network Connections tool. However, Network Load Balancing Manager is the preferred method. If you use the Network Connections tool, you must make the same configuration changes on every cluster host. Using both Network Load Balancing Manager and the Network Connections tool together to change Network Load Balancing properties may create unpredictable results. The parameters that are set in the Network Load Balancing Properties dialog box are recorded in the registry on each host. Changes to Network Load Balancing parameters are applied when you click OK in the Network Load Balancing Properties dialog box. Clicking OK stops Network Load Balancing (if it is running), reloads the parameters, and then restarts cluster operations.

To create port rules:


1. Click Start, click Control Panel, and then double-click Network Connections.
2. Right-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Network Load Balancing, and then click Properties.
4. Click the Port Rules tab, and then click Add.
5. Type values for the Port range, Protocols, Filtering mode, Affinity, Load weight, and Handling priority boxes by using information from the installation checklist.
6. Click OK.

To edit port rules:

1. Click Start, click Control Panel, and then double-click Network Connections.
2. Right-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Network Load Balancing, and then click Properties.
4. Click the Port Rules tab. In the list of rules, double-click the rule to display the rule's parameters in the Configuration area above the list of rules.
5. Modify the Port range, Protocols, and Filtering mode parameters as necessary.
6. Click OK.

To remove port rules:

1. Click Start, click Control Panel, and then double-click Network Connections.
2. Right-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Network Load Balancing, and then click Properties.
4. Click the Port Rules tab, click the rule that you want to remove, and then click Remove.

Changes to Network Load Balancing parameters are applied when you click OK in the Network Load Balancing Properties dialog box. Clicking OK stops Network Load Balancing (if it is running), reloads the parameters, and then restarts cluster operations.
http://support.microsoft.com/default.aspx?scid=kb;en-us;323437&Product=winsvr2003

QUESTION NO: 312
You are a network administrator for TestKing. You install an intranet application on three Windows Server 2003 computers. You configure the servers as a Network Load Balancing cluster. You configure each server with two network adapters. One network adapter provides client computers access to the


servers. The second network adapter is for cluster communications. Cluster communications are on a separate network segment. The network team wants to reduce the cluster’s vulnerability to attack. These servers need to be highly available. The network team decides that the Network Load Balancing cluster needs to filter IP ports. The team wants the cluster to allow only the ports that are required for the intranet application. You need to implement filtering so that only the intranet application ports are available on the cluster. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Use Network Load Balancing Manager to configure port rules. Allow only the intranet application ports on the cluster IP address.

B. Use TCP/IP filtering on each server. Configure only the intranet application ports on the network adapter that provides client computers access to the servers.

C. Use TCP/IP filtering on each server. Configure only the intranet application ports on both of the network adapters.

D. Configure Routing and Remote Access on each server. Use Routing and Remote Access input filters to allow only the intranet application ports on the network adapter that provides client computers access to the servers.

Answer: A

QUESTION NO: 313
You are a network administrator for TestKing. The network contains four Windows Server 2003 computers configured as a four-node server cluster. Each cluster node is the preferred owner of a clustered instance of Microsoft SQL Server 2000, and each cluster node is configured as a possible owner of all other instances of SQL Server. All nodes have identically configured hardware. All four nodes operate at a sustained 70 percent CPU average. You add a server that has identically configured hardware to the cluster as a fifth node. You want each SQL Server instance to continue operating at the same level of performance in the event of a single node failure. What should you do?


A. Clear the Affect group check box in the cluster resource properties for each SQL Server instance.
B. Configure the fifth node as the only possible owner, other than the existing preferred owner, of the cluster resources that are associated with each SQL Server instance.
C. Configure the fifth node as the preferred owner of each cluster group that contains a SQL Server instance.
D. Enable failback on each group that contains a SQL Server instance.

Answer: B
http://support.microsoft.com/default.aspx?scid=kb;en-us;296799&Product=winsvr2003

QUESTION NO: 314
You are a network administrator for TestKing. The network contains a Windows Server 2003 computer named Testking1. You install a custom mission-critical application on Testking1 for the shipping department. You install the application on drive D of Testking1. You configure the application database on drive D, and you configure the application database log files on drive E of Testking1. After running successfully for six days, the custom application fails. You investigate and find out that drive E is almost completely filled with the application's log files. The application's backup program is not properly deleting log files. Security requirements do not allow log files to be deleted unless the database on Testking1 has been backed up. You can keep the application running by manually backing up the application database and then deleting the log files. You need an automated process to keep the application running until a long-term solution can be provided. Because of the size of the database, you need to minimize the number of backups performed. What should you do?

A. Create a script that backs up the database and then deletes the log files. Configure an alert on Testking1 to run the script when there is less than 20 percent of free space on drive E.

B. Create a script that backs up the database and deletes the log files. Configure an event trigger on Testking1 to run the script when drive D has 20 percent free space.

C. Create a script that backs up the log files and then deletes the log files. Configure a scheduled task to run the script on Testking1 each night.

D. Create a script that backs up the database and then deletes the log files. Configure a scheduled task to run the script on Testking1 each night.

Answer: A

QUESTION NO: 315
You are the network administrator for TestKing. TestKing has a main office in San Francisco and branch offices in London and Vancouver. The network consists of a single Active Directory domain testking.com. The network contains four Windows Server 2003 domain controllers. There are two domain controllers in the main office and one in each branch office. The domain controllers are DNS servers. Network services are monitored centrally from the main office. You review the DNS server event logs remotely from the main office during the monthly maintenance routine. During the monthly maintenance, you find out that some of the DNS event history is missing. You need to ensure that all DNS event history is retained until you manually clear it. How should you modify each domain controller?

A. Use DNS Manager to select the All Events option on the Event Logging tab in the DNS Server properties.
B. Use DNS Manager to select the Do not overwrite events option on the General tab in the DNS Events properties.
C. Use Event Viewer to set the Maximum log size to 512 KB in the DNS Server properties.
D. Use Event Viewer to select the Do not overwrite events option in the Application properties.

Answer: D

QUESTION NO: 316
You are the network administrator for TestKing. The network consists of a single Active Directory domain testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network consists of three physical subnets, which correspond to the three buildings on TestKing's campus, as shown in the Network Diagram exhibit.


All servers have manually configured IP addresses. All client computers receive their TCP/IP configuration information from a DHCP server located on the Building1 subnet. The DHCP server has one scope configured for each subnet. Users on the Building2 subnet and the Building3 subnet report that they periodically cannot connect to network resources located on any subnet. You discover that during times of high network usage, client computers in Building2 and Building3 are configured as shown in the Network Connection Details exhibit.


You need to ensure that all client computers receive valid IP addresses for their subnet even during times of high network usage. What should you do?

A. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each DHCP server, configure identical scopes for each subnet.

B. Install one DHCP server on the Building2 subnet and one on the Building3 subnet. On each DHCP server, configure a single subnet-specific scope.

C. Configure one DHCP relay agent on the Building2 subnet and one on the Building3 subnet to forward DHCP requests to the Building1 subnet DHCP server.

D. Configure an administrative template in the Default Domain Policy Group Policy object (GPO) to disable Automatic Private IP Addressing (APIPA) on the client computers.

Answer: B

QUESTION NO: 317
You are the network administrator for TestKing. TestKing has an internal network and a perimeter network, as shown in the work area.


The internal network consists of a single Active Directory domain testking.com. The internal network contains a Windows Server 2003 domain controller named DC1, which runs the DNS Server service. The internal network also contains a Windows Server 2003 file server named Testking1, which runs the DHCP Server service. The network contains 500 Windows XP Professional computers. The perimeter network contains a public Web server named Web1. The internal network is connected to the perimeter network by a firewall. The perimeter network is connected to the Internet. You need to plan an IP address strategy. The IP address strategy must provide TCP/IP connectivity from the internal network to Web1. TestKing wants to reduce administrative overhead by automatically assigning IP addresses whenever possible. You need to choose the appropriate IP addressing distribution method for the computers on the networks. To answer, drag the appropriate IP addressing distribution method or methods to the correct computer or computers in the work area.


Answer:


QUESTION NO: 318
You are a network administrator for TestKing. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a single DHCP server that services two subnets named SubnetTK1 and SubnetTK2, as shown in the work area. All servers and the administrator client computer have manually assigned IP addresses. All other client computers are DHCP clients. The router on your network fails and is replaced by another router. After the router is replaced, client computers on SubnetTK2 cannot receive IP addresses from the DHCP server. You need to configure an appropriate host to be a DHCP relay agent. Which component should you use? To answer, select the appropriate component in the work area.

Answer: Select the Print Server.
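As an added example (not part of the original question set), these are the netsh commands that make the print server from question 318 a DHCP relay agent. A DHCP client's DISCOVER is a broadcast; the replacement router does not forward it, so a host on SubnetTK2 with a static address has to pick it up and unicast it to the DHCP server on SubnetTK1. The DHCP server address 10.0.1.10 and the interface name "Local Area Connection" are assumptions.

```powershell
# Added example, not from the original page. Assumed values: the DHCP server on
# SubnetTK1 is 10.0.1.10, and the print server's adapter on SubnetTK2 is named
# "Local Area Connection". Routing and Remote Access must already be enabled
# on the print server (Routing and Remote Access console, custom configuration,
# LAN routing), because the relay agent is an RRAS routing protocol.

# Install the DHCP Relay Agent protocol into RRAS on this host.
netsh routing ip relay install

# Tell the relay agent where to unicast the clients' broadcast DHCP traffic.
# Only the real DHCP server is listed; the agent relays to nothing else.
netsh routing ip relay add dhcpserver 10.0.1.10

# Bind the agent to the client-facing interface only (the one on SubnetTK2).
# maxhop caps how many relays a request may pass through; minsecs makes the
# agent wait until the client's "secs" field reaches the threshold before
# relaying, so a local DHCP server, if one is ever added, answers first.
netsh routing ip relay add interface "Local Area Connection"
netsh routing ip relay set interface "Local Area Connection" relaymode=enable maxhop=4 minsecs=4

# Verify the configuration and that requests are actually being relayed.
netsh routing ip relay show global
netsh routing ip relay show interface
netsh routing ip relay show ifstats
```

The relay agent stamps the forwarded request with its own SubnetTK2 address in the giaddr field, which is how the DHCP server picks the SubnetTK2 scope; the scope for that subnet must therefore already exist on the server. On a client, ipconfig /release followed by ipconfig /renew confirms that it now receives a SubnetTK2 address instead of an APIPA one.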


QUESTION NO: 319 You are the network administrator for TestKing. The network contains Windows Server 2003 computers and Windows XP Professional computers. TestKing deploys two DNS servers. Both DNS servers run Windows Server 2003. One DNS server is inside of the corporate firewall, and the other DNS server is outside of the firewall. The external DNS server provides name resolution for the external Internet name of TestKing on the Internet, and it is configured with root hints. The internal DNS server hosts the DNS zones related to the internal network configuration, and it is not configured with root hints. You want to limit the exposure of the client computers to DNS-related attacks from the Internet, without limiting their access to Internet-based sites. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Configure the client computers to use only the internal DNS server.
B. Configure the client computers to use both DNS servers. List the internal DNS server first.
C. Configure the firewall to allow only network traffic on the DNS ports.
D. On the internal DNS server, disable recursion.
E. On the internal DNS server, configure the external DNS server as a forwarder.
F. On the internal DNS server, add the external DNS server as the only root hint.

Answer: A, E

Explanation:
Clients talk only to the internal DNS server, which has no root hints and therefore never queries Internet servers directly; it forwards Internet names to the external DNS server, so the only host exposed to Internet DNS traffic is the one already outside the firewall. Disabling recursion (D) would stop the internal server from resolving Internet names at all.

QUESTION NO: 320
You are the network administrator for TestKing.com. The network contains 10 Web servers that run Windows Server 2003, Web Edition. The Web servers are located in an organizational unit (OU) named Web_Servers. A security analysis of the Web servers reveals that they all contain several security settings that are critical vulnerabilities. You need to modify the security settings on the Web servers as quickly as possible while minimizing the performance impact on the servers. You want the new settings to be periodically enforced without administrative intervention. What should you do?


A. Create a Group Policy object (GPO) and link it to the Web_Servers OU. Configure the appropriate security settings in the GPO. On each server, run the secedit /refreshpolicy machine_policy command.

B. Create a Group Policy object (GPO) and link it to the Web_Servers OU. Configure the appropriate security settings in the GPO. On each server, run the gpupdate /target:computer command.

C. Configure a security template that contains the appropriate security settings and name it Websec.inf. On each server, run the secedit /configure /db secedit.sdb /cfg websec.inf command.

D. Configure a security template that contains the appropriate security settings and name it Websec.inf. On each server, run the secedit /import /db secedit.sdb /cfg websec.inf command.

Answer: B

Explanation:
A GPO linked to the OU is reapplied at every Group Policy refresh, which meets the "periodically enforced" requirement; gpupdate /target:computer is the Windows Server 2003 command that forces the first refresh immediately (secedit /refreshpolicy is the Windows 2000 command). Applying a template with secedit /configure (C, D) is a one-time change that nothing re-enforces.

QUESTION NO: 321
You are the network administrator for TestKing. All servers run Windows Server 2003. You configure a baseline security template Baseline.inf. Several operations groups are responsible for creating templates containing settings that satisfy operational requirements. You receive the templates shown in the following table.

Operations group   Template name      Applies to
File and Print     TestKingFile.inf   File servers
Database           TestKingDB.inf     Database servers
Security           TestKingSec.inf    All resource servers

The operations groups agree that in the case of conflicting settings, the priority order listed in the following table establishes the resultant setting.

Template                       Priority
TestKingSec.inf                1
Baseline.inf                   2
Specific server role template  3

You need to create one or more Group Policy objects (GPOs) to implement the security settings. You want to minimize the amount of administrative effort required when changes are requested by the various operations groups. What should you do?


A. Create a GPO and import the following templates in the following order: Baseline.inf, TestKingSec.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.

B. Create a GPO and import the following templates in the following order: TestKingSec.inf, Baseline.inf. Create a GPO for each server role and import only the specific template for that role into each respective GPO.

C. Create a GPO for each server role and import the following templates in the following order: Baseline.inf, specific server role template, TestKingSec.inf.

D. Create a GPO and import the following templates in the following order: TestKingSec.inf, TestKingDB.inf, TestKingFile.inf, Baseline.inf.

Answer: A

QUESTION NO: 322
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains Web servers that run Windows Server 2003. You use Sysprep to create a baseline image for Web servers. You instruct a technician to install Windows Server 2003 on 20 new Web servers by using the baseline image. A new service pack is subsequently released. You need to install the new service pack on all Web servers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Copy the service pack installation files to a shared folder. Install the service pack on each Web server from the shared folder.

B. Create an organizational unit (OU) named Web servers. Create a Group Policy object (GPO) to assign the service pack package to users. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.

C. Create an organizational unit (OU) named Web Servers. Create a Group Policy object (GPO) to assign the service pack package to computers. Link the GPO to the Web Servers OU. Move the Web servers into the Web Servers OU.

D. Create a Cmdlines.txt file for use with the baseline Sysprep image in order to run the service pack package.


Answer: C

QUESTION NO: 323
You are a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 80 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed. TestKing is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers. You are planning a baseline security configuration for the Web servers. TestKing's written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled:

• SMTP
• Telnet

Your plan for the baseline security configuration for Web servers must comply with the written security policy. You need to ensure that unnecessary services are always disabled on the Web servers. What should you do?

A. Create a Group Policy Object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU.

B. Create a Group Policy Object (GPO) and import Hisecws.inf security template. Link the GPO to the Web Servers OU.

C. Create a Group Policy Object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU.

D. Create a Group Policy Object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU.

Answer: C

Explanation:
Setting the startup type to Disabled through the System Services policy of the GPO is reapplied at every Group Policy refresh, so the services stay disabled even if someone starts them again. A startup script only stops the services once per boot without changing the startup type, and a logon script runs only when a user logs on to the server.

QUESTION NO: 324


You are the network administrator for TestKing.com. The network consists of a single Active Directory domain testking.com. The network contains two Windows Server 2003 domain controllers, two Windows 2000 Server domain controllers, and two Windows NT Server 4.0 domain controllers. All file servers for the finance department are located in an organizational unit (OU) named Finance Servers. All file servers for the payroll department are located in an OU named Payroll Servers. The Payroll Servers OU is a child OU of the Finance Servers OU. TestKing’s written security policy for the finance department states that departmental servers must have security settings that are enhanced from the default settings. The written security policy for the payroll department states that departmental servers must have enhanced security settings from the default settings, and auditing must be enabled for file or folder deletion. You need to plan the security policy settings for the finance and payroll departments. What should you do?

A. Create a Group Policy object (GPO) to apply the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.

B. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.

C. Create a Group Policy object (GPO) to apply the Compatws.inf security template to computer objects, and link it to the Finance Servers OU. Create a second GPO to apply the Hisecws.inf security template to computer objects, and link it to the Payroll Servers OU.

D. Create a Group Policy object (GPO) to apply the Securews.inf security template to computer objects, and link it to the Finance Servers and to the Payroll Servers OUs. Create a second GPO to enable the Audit object access audit policy on computer objects, and link it to the Payroll Servers OU.

Answer: B

QUESTION NO: 325
Tess King is a network administrator for TestKing. The network consists of a single Active Directory domain testking.com. The network contains 12 domain controllers and 50 servers in the application server roles. All servers run Windows Server 2003.


The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. Tess needs to deploy and refresh the custom security settings on a routine basis. She also needs to be able to verify the custom security settings during audits. What actions should Tess King take?

A. She should create a custom security template and apply it by using Group Policy.
B. She should create a custom IPSec policy and assign it by using Group Policy.
C. She should create and apply a custom Administrative Template.
D. She should create a custom application server image and deploy it by using RIS.

Answer: A

QUESTION NO: 326
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains 2,250 user accounts. Each user account has the appropriate permissions for resource access. All user accounts are in the Users container. TestKing has five departments. To support TestKing's structure, you must place the existing user accounts in organizational units (OUs) arranged by department. You create five OUs in the domain, with one OU for each department. The human resources manager sends you a file in the comma-separated value (CSV) file format. The CSV file lists each user's full name, account logon name, and department. You expect to receive CSV files containing new and updated information every two weeks. You need to place the user accounts in the correct OUs. You must not make changes that require the permissions on resources to be changed. You must deploy the changes in the minimum amount of time and with the minimum amount of administrative effort. What should you do?

A. Create a script that reads the CSV file and uses ADSI to move user accounts to the correct OUs.


B. Create a script that reads the CSV file and updates the Department attribute of each user account to the name of the correct OU.

C. Create a security group for each department. Move the security group objects to the correct OUs. Make each user account a member of the security group for the user’s department.

D. In Active Directory Users and Computers, create a new user account for each user in the correct OU, then delete the corresponding user object in the Users container.

E. In Active Directory Users and Computers, select all of the user accounts from one department and move them to the correct OU. Repeat this process for each of the other departments.

Answer: A

Explanation:
A script that reads the CSV file and moves the existing user objects is the least effort on an ongoing basis, because the same script is simply rerun on each new CSV file. Moving an object keeps its objectSID, so the permissions already granted on resources do not have to change; creating new accounts (option D) would produce new SIDs and break every existing ACL entry. CSVDE can create objects from a CSV file but cannot move existing ones, so the move itself has to be done through ADSI: the IADsContainer interface of the destination OU exposes the MoveHere method, which takes the ADsPath of the user object to move.

QUESTION NO: 327
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The following table shows the types and quantities of Windows Server 2003 Web and database servers in the domain.

Server type                          Quantity
Nonproduction test Web server        2
Nonproduction test database server   2
Production Web server                10
Production database server           10

The computer accounts for the Web and database servers are located in the default Computers container. The domain also includes many organizational units (OUs) that contain other computer accounts. TestKing plans to use Group Policy objects (GPOs) to centrally apply security settings to the Web and database server computers. The settings need to be applied as follows:

• Some security settings need to apply to all Web and database servers.
• Some security settings need to apply to the nonproduction servers only.
• Some security settings need to apply to the production servers only and must not be overridden.
• Other security settings need to apply to specific server types only.

You need to create an organizational unit (OU) structure to support the GPO requirements. You want to create as few GPOs and links as possible while using only the default security permissions for GPO links. You also want to limit the number ***missing*** What should you do?

A. Create two top-level OUs named Web and Database under the domain. Create two child OUs named Nonproduction and Production under both the Web OU and the Database OU.

B. Create two top-level OUs named Nonproduction and Production under the domain. Create two child OUs named Web and Database under both the Nonproduction OU and the Production OU.

C. Create a top-level OU named Servers under the domain. Create two child OUs named Web and Database under the Servers OU. Create two child OUs named Nonproduction and Production under both the Web OU and the Database OU.

D. Create a top-level OU named Servers under the domain. Create two child OUs named Nonproduction and Production under the Servers OU. Create two child OUs named Web and Database under both the Nonproduction OU and Production OU.

Answer: D

QUESTION NO: 328

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one domain named testking.com. You need to deploy a new domain named NA.testking.com as a child domain of testking.com. You install a new stand-alone Windows Server 2003 computer named TK1. You plan to make TK1 the first domain controller in the NA.testking.com domain. You configure TK1 with a static IP configuration. You run the Active Directory Installation Wizard on TK1. The wizard prompts you for the network credentials to use to join the NA.testking.com domain to testking.com. You receive an error message stating that a domain controller in the testking.com domain cannot be located. You need to be able to promote TK1 to a domain controller as the first domain controller of the child domain in the existing forest.

What should you do?

A. Configure the client WINS settings on TK1 to use a WINS server that contains entries for the testking.com domain controllers.

B. Configure the client DNS settings on TK1 to use a DNS server that is authoritative for the testking.com domain.

C. Configure the DNS Server service on TK1 to have a zone for NA.testking.com.

D. Configure TK1 to be a member server in the testking.com domain.

Answer: B

Explanation: This is typically the result of a DNS problem: the client (in this case a member server) cannot locate the SRV records for the domain. The process needs to contact the DNS server that is authoritative for the parent domain in which you want to create the child domain. First, in the Active Directory Installation Wizard, you specify the DNS name of the Active Directory domain for which you are promoting the server to become a domain controller. Later in the installation process, the wizard tests the following. Based on its TCP/IP client configuration, it checks whether a preferred DNS server is configured. If a preferred DNS server is available, it queries that server to find the primary authoritative server for the DNS domain you specified earlier in the wizard. It then tests whether the authoritative primary server can support and accept dynamic updates as described in the DNS dynamic update protocol. If, at this point in the process, a supporting DNS server cannot be located to accept updates for the DNS domain name you are using with Active Directory, you are offered the option to install the DNS Server service.

QUESTION NO: 329

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains three Windows Server 2003 domain controllers. A domain controller named DC2.testking.com fails because of a hardware failure. You decide not to rebuild the domain controller. However, because several applications refer to DC2.testking.com by its NetBIOS name, you need to provide a new domain controller that has the same name.

You install a new Windows Server 2003 computer and name it DC2. You attempt to promote the server to a domain controller in the testking.com domain. The promotion fails and you receive the following error message.

You need to install a new domain controller named DC2 in the testking.com domain. What should you do?

A. Use the WINS administrative console to remove all WINS records for DC2.testking.com.

B. Use the Ntdsutil utility to remove the metadata associated with the DC2.testking.com domain controller object from Active Directory.

C. Use Active Directory Users and Computers to remove the DC2.testking.com domain controller computer account from the testking.com domain.

D. Use the DNS administrative console to remove all DNS records that refer to DC2.testking.com.

Answer: B

Explanation: Use the Ntdsutil metadata cleanup command. To clean up metadata left behind by decommissioned or failed domain controllers, use the cleanup command. It removes the defunct domain controller's identification and information from the directory.

QUESTION NO: 330

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain is shown in the exhibit.

Replication is scheduled to take place once per day. Each server is fully backed up daily. You connect to Testking1 and create seven logon scripts in the Default Domain Policy Group Policy object (GPO). Three days later, an administrator in Tel Aviv inadvertently corrupts the scripts on Testking3. Ten minutes later, you successfully make changes to one of the logon scripts on Testking1. You need to make the latest version of the logon scripts available to users in Tel Aviv as soon as possible. What should you do? To answer, drag the action that you should perform first to the First Action box. Continue dragging actions to the corresponding numbered boxes until you list all required actions in the correct order. You might not need to use all numbered boxes.

Answer:

Explanation: You want to get Testking3 back up to the most current script versions that are stored in Active Directory. Restoring SYSVOL restores the scripts to the good versions that were saved in the previous backup. After rebooting, changes made in Active Directory since the last backup will be replicated to this server's copy of Active Directory.

Page 498: TestKing 70-296 v38

70 - 296

Leading the way in IT testing and certification tools, www.testking.com

- 498 -

QUESTION NO: 331

You are the network administrator for TestKing, which is located in New York. TestKing owns a company named Lucerne Publishing, which is located in London. The TestKing network consists of a single Active Directory forest that contains two domains. TestKing opens a new office in Cairo. The structure of the Active Directory network after the addition of the Cairo office is shown in the exhibit.

Both site links are configured to be transitive. The site links are configured as shown in the following table.

            NYLondon                     LondonCairo
Cost        200                          100
Interval    30 minutes                   45 minutes
Schedule    11:00 P.M. – 1:00 A.M. UTC   7:00 P.M. – 9:00 P.M. UTC

Users in all three sites report that response times are unacceptably slow when crossing WAN connections to access information in other offices. You discover that replication between servers in NYSite and CairoSite is happening throughout the day. You need to ensure that users’ access to remote offices is not slowed as a result of replication traffic.

What should you do?

A. Replace the current site links with SMTP-based site links.

B. Create a site link bridge and include both site links.

C. Configure the cost on both site links to be 500.

D. Configure the schedule times to overlap.

Answer: D

QUESTION NO: 332

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with three sites named Testking1, Testking2, and Testking3. The sites and site links are configured to use Testking2 to connect Testking1 and Testking3. Each site contains three Windows Server 2003 domain controllers. A domain controller in each site is configured as a preferred bridgehead server. All user and group accounts are created in Testking1. Several new users start work in Testking2. When they attempt to log on to the network, the logon fails. You confirm that the user accounts are created and are visible in Testking1 and Testking2. You discover that the preferred IP bridgehead server in Testking2 failed. You repair the server and confirm that replication is successful to Testking2. You need to ensure that the failure of a single domain controller in any site will not interfere with Active Directory replication between sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Configure an IP site link between Testking1 and Testking3.

B. Configure two domain controllers in each site as preferred IP bridgehead servers.

C. Configure two domain controllers in each site as preferred SMTP bridgehead servers.

D. Configure each site to have no preferred bridgehead servers.

E. Configure an SMTP site link between each of the sites. Assign a cost of 200 to the SMTP site link.

Answer: B, D

QUESTION NO: 333

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains three Active Directory sites named Testking1, Testking2, and Testking3. The sites are connected by site links as shown in the work area. SiteLink1 and SiteLink2 include redundant, high-speed WAN connections. Each site has one subnet associated with it. The number of computers in each site and the operating system that the computers are running are indicated in the following table.

Operating system             Testking1   Testking2   Testking3
Windows 98                   50          30          550
Windows NT Workstation 4.0   50          20          550
Windows 2000 Professional    0           500         100
Windows XP Professional      100         0           0
Windows Server 2003          10          20          15

Testking1 contains a Windows Server 2003 domain controller named Server1 that is the relative ID (RID) master for the domain. Testking2 contains two Windows Server 2003 domain controllers named Server2 and Server3. Server2 is the infrastructure master for the domain. Testking3 contains a Windows Server 2003 domain controller named Server4. You need to decide where to place the PDC emulator role holder. You want to optimize the overall response time for users in all sites. Where should you place the PDC emulator role? To answer, select the appropriate domain controller or domain controllers in the work area.

Answer:

Explanation: Place the PDC emulator in Testking3. This site has the most Windows 98 and Windows NT 4.0 workstations, which need to contact the PDC emulator to log on, while Windows XP and Windows 2000 clients can log on at any domain controller.

QUESTION NO: 334 You are the network administrator for TestKing.com. TestKing has offices in Toronto, New York, and Chicago. The network connections are shown in the exhibit.

The network consists of two Active Directory domains. User objects for users in the Toronto office and the New York office are stored in the testking.com domain. User objects for users in the Chicago office are stored in the production.testking.com domain. Active Directory is configured as shown in the following table.

Location   Number of users   Number of domain controllers   Number of global catalog servers
Toronto    650               4                              2
New York   15                1                              0
Chicago    500               3                              2

Users in the New York office frequently report that they cannot log on to the network, or that logging on takes a very long time. You notice increased global catalog queries to servers in the Toronto office during peak logon times. You need to improve logon performance for users in the New York office without increasing WAN traffic that is due to replication. What should you do?

A. Configure the domain controller in the New York office as a global catalog server.

B. Configure Active Directory to cache universal group membership for the Toronto office.

C. Install an additional domain controller in the New York office.

D. Configure Active Directory to cache universal group memberships for the New York office.

Answer: D

Explanation: Logons for New York must contact a global catalog server across the WAN to check universal group membership in the global catalog in Toronto. Configuring universal group membership caching at the New York site would speed up logons and would not generate additional WAN traffic.

Incorrect Answers:
A: Wrong because it would only make sense if there were applications that need a global catalog.
B: Wrong because the Toronto office does not have the logon problems.
C: Wrong because the number of domain controllers is sufficient for the number of users in New York.

QUESTION NO: 335

You are the network administrator for TestKing.com. You plan to create an Active Directory domain named testking.com that will have a functional level of Windows Server 2003. TestKing has one main office and four branch offices, which are all located in one country. A central security department in the main office is responsible for creating and administering all user accounts in all offices. Each office has a local help desk department that is responsible for resetting passwords within the individual department’s office only. All user accounts are located in the default Users container. You need to create an organizational unit (OU) structure to support the delegation of authority requirements. You want to minimize the amount of administrative effort required to maintain the environment. What should you do?

A. Create a top-level OU named Testking_Users under the testking.com domain. Create a separate child OU for each office under Testking_Users. Move the user accounts of all employees in each office to the child OU for that office.

B. Create a top-level OU named Main_Office under the testking.com domain. Move the user accounts of all users in the main office to the Main_Office OU. Create a separate child OU for each branch office under the Main_Office OU. Move the user accounts of all users in each branch office to the child OU for that office.

C. Create a top-level OU named Testking_Users under the testking.com domain. Create a child OU named Central_Security under Testking_Users. Move the user accounts of the central security department users to the Central_Security OU. Create a child OU named Help_Desk under Testking_Users. Move the user accounts of the help desk users to the Help_Desk OU.

D. Create a top-level OU named TestKing_Users under the testking.com domain. Create a child OU named Central_Security under TestKing_Users. Move the user accounts of the central security department users to the Central_Security OU.

Answer: A

Explanation: Two levels of OUs fit the requirement. You can delegate control for the central security department on the "Testking_Users" OU, and each office's child OU can be administered by the local help desk team.

QUESTION NO: 336

You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains one root domain and multiple child domains. The functional level of all child domains is Windows Server 2003. The functional level of the root domain is Windows 2000 native. You configure a Windows Server 2003 computer named Testking1 to be a domain controller for an existing child domain. Testking1 is located at a new branch office, and you connect Testking1 to a central data center by a persistent VPN connection over a DSL line. Testking1 has a single replication connection with a bridgehead domain controller in the central data center. You configure DNS on Testking1 and create secondary forward lookup zones for each domain in the forest. You need to minimize the amount of traffic over the VPN connection caused by logon activities. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)

A. Configure the DNS zones to be Active Directory-integrated zones.

B. Configure Testking1 to be the PDC emulator for the domain.

C. Configure Testking1 to be a global catalog server.

D. Configure universal group membership caching on Testking1.

Answer: C, D

Explanation: Logon traffic over the VPN is caused by the local domain controller retrieving universal group information from a global catalog server. We can reduce this traffic either by configuring Testking1 to be a global catalog server or by enabling universal group membership caching on Testking1.

QUESTION NO: 337

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The relevant portion of the organizational unit (OU) structure is shown in the exhibit.

TestKing’s sales division consists of an inside sales department, a mobile sales department, and a telemarketing department. User objects for users in these departments are stored in the Inside, Mobile, and Telemarket OUs respectively. User objects for all junior managers and senior managers are stored in the Managers OU. TestKing decides to train junior managers to perform basic administrative tasks. Junior managers are responsible for enabling and disabling accounts for all sales users except junior managers and senior managers. You need to enable junior managers to perform the assigned administrative tasks. You must not affect any existing permissions. What should you do?

A. On the Managers OU, block the inheritance of permissions. Copy all existing permissions. On the Sales OU, grant junior managers the permission to enable and disable accounts.

B. On the Inside, Mobile, and Telemarket OUs, block the inheritance of permissions. Copy all existing permissions. On the Sales OU, grant junior managers the permission to enable and disable accounts.

C. On the Managers OU, block the inheritance of permissions. Remove all existing permissions. On the Sales OU, grant junior managers the permission to enable and disable accounts.

D. On the Sales OU, block the inheritance of permissions. Copy all existing permissions. On the Sales OU, grant junior managers the permission to enable and disable accounts.

Answer: A

Explanation: You want to set the permission on a higher (parent) OU than the three target child OUs where the junior managers need to administer accounts. For junior managers to be able to perform this task on only the three target OUs and not on the Managers OU, you block the inheritance of permissions at the Managers OU, which prevents junior managers from performing the task on accounts in the Managers OU. You also want to preserve the permissions that were inherited before setting the block, so copying all existing permissions satisfies that requirement.

QUESTION NO: 338

You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers are Windows XP Professional computers that are members of the domain. TestKing wants to install a new application on only the computers where it is required. However, once installed on a particular computer, the application can be used by any user logged on to that computer. The application is installed by using a Windows Installer package. You copy the .msi file to a shared folder on a file server. The shared folder is configured so that members of the Domain Admins group have the Allow – Full Control permission, and no other permissions are granted. TestKing wants to automate installation as much as possible. Users must not be able to install unauthorized copies of the application. You need to ensure that the application will be deployed in accordance with TestKing’s requirements. You create a security group and assign this group the Allow – Read permission for the shared folder that contains the .msi file. Which two additional courses of action should you take? (Each correct answer presents part of the solution. Choose two)

A. Make all users of the application members of the security group.

B. Make all unauthorized computers members of the security group.

C. Create a Group Policy object (GPO) that assigns the application to users. Link the GPO to the domain. Set permissions on the GPO so that it applies only to the security group you created.

D. Create a Group Policy object (GPO) that publishes the application to users. Link the GPO to the domain. Set permissions on the GPO so that it applies only to the security group you created.

E. Create a Group Policy object (GPO) that assigns the application to computers. Link the GPO to the domain. Set permissions on the GPO so that it applies only to the security group you created.

Answer: A, C

QUESTION NO: 339

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each client computer runs either Windows 2000 Professional or Windows XP Professional. All desktop computers have computer accounts in an organizational unit (OU) named TestkingDesktops, and all portable computers have computer accounts in an OU named TestkingPortables. All employees have user accounts in an OU named TestkingUsers. A written TestKing policy requires that different Encrypting File System (EFS) policies be applied to portable computers and to desktop computers. In addition, policy settings in the Default Domain Policy Group Policy object (GPO) must apply to all computers. You create two new GPOs named DesktopEFSPolicy and PortableEFSPolicy to be applied to desktop computers and portable computers, respectively. You configure each GPO to contain the policy settings required by the written TestKing policy. You need to ensure that the written TestKing policy is enforced. Which two courses of action should you take? (Each correct answer presents part of the solution. Choose two)

A. Link the DesktopEFSPolicy GPO to the TestkingDesktops OU. Link the PortableEFSPolicy GPO to the TestkingPortables OU.

B. In the Default Domain Policy GPO, assign the Domain Users security group the Deny – Full Control permission. Assign the Domain Admins security group the Allow – Full Control permission.

C. Link the DesktopEFSPolicy GPO and the PortableEFSPolicy GPO to the domain. Configure the TestkingDesktops OU and the TestkingPortables OU to block Group Policy inheritance.

D. Enable the No Override setting for the Default Domain Policy GPO, the DesktopEFSPolicy GPO, and the PortableEFSPolicy GPO.

Answer: A, D

Explanation: You want the Default Domain Policy settings to apply to all computers, so you must configure No Override; otherwise a lower-level GPO combined with Block Policy Inheritance will negate the policy from above. The same is true for the OU-level GPOs that are configured: any lower GPO on a child OU with Block Policy Inheritance will negate policy set by a higher-level GPO.

QUESTION NO: 340

You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. TestKing operates a call center in which 200 users use Windows XP Professional computers to access e-mail, TestKing’s intranet, and a database application. All client computers are configured identically. The call center users do not use computers outside of the call center. A written TestKing policy states that call center users are not allowed to install or run additional applications or to change the desktop settings on their computers. You need to prevent call center users from changing the configuration of the call center computers. Your solution must not restrict users in other parts of TestKing from making changes to computers outside the call center. What should you do?

A. Place all of the computer accounts for call center computers in an organizational unit (OU) named Call Center Computers. Create a Group Policy object (GPO) that includes the appropriate restrictions in the User Configuration section. Link the GPO to the Call Center Computers OU.

B. Place all of the user accounts for call center users in an organizational unit (OU) named Call Center Users. Create a Group Policy object (GPO) that includes the appropriate restrictions in the User Configuration section. Link the GPO to the Call Center Users OU.

C. Place all of the user accounts for call center users in a security group named Call Center Users. Change the default user rights assignment on the call center computers so that the Call Center Users group has only the Allow log on locally right.

D. Place all of the user accounts for call center users in a security group named Call Center Users. Configure these accounts so that all users use a common roaming profile stored on a file server. Assign the Call Center Users group the Allow – Full Control permission for the roaming profile folder.

Answer: B

QUESTION NO: 341

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with two sites. The two sites are named Testking1 and Testking2. All servers run Windows Server 2003. TestKing has two offices, and each office is configured as one of the sites. A 256-Kbps leased line connects the two offices. In addition, a site link connects the two sites. The site link is configured to replicate during off-peak hours. There are domain controllers in both sites. Testking1 contains all of the operations master role holders. You plan to create Group Policy objects (GPOs) for each site. Some GPOs will be used to resolve potential support issues for a specific site, and you need to minimize any delay in the propagation of GPOs. You need to ensure that GPOs are applied to users in the appropriate site with minimal delay. What should you do?

A. Configure the Group Policy Object Editor and Active Directory Users and Computers snap-ins to connect to the infrastructure master.

B. Configure the Group Policy and Active Directory snap-ins to connect to a domain controller in the site where the GPO must be applied.

C. Create a remote procedure call (RPC) connection object between the two sites.

D. Create a GPO that disables Group Policy slow link detection. Link the GPO to both sites.

Answer: B

Explanation: Creating the GPO on a domain controller in a particular site will apply the GPO much more quickly than if the GPO were created on a domain controller in a different site across a site link, because no replication needs to occur for the settings to take effect.

QUESTION NO: 342

You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with two sites. The two sites are named Testking1 and Testking2. TestKing has two offices, and each office is configured as one of the sites. All servers run Windows Server 2003.

The two offices are connected by a 256-Kbps leased line. In addition, Testking1 and Testking2 are connected by a site link. Testking1 has 1,000 users and Testking2 has 15 users. There are no domain controllers in Testking2. You create a Group Policy object (GPO) to redirect the My Documents folder. You link the GPO to the domain. Users in Testking1 have their folders redirected successfully, but users in Testking2 do not. You need to ensure that users in Testking2 have their folders redirected. What should you do?

A. Combine Testking1 and Testking2 into a single site.

B. Enable loopback processing in Merge mode in the GPO.

C. Remove the link for the GPO from the domain. Link the GPO to Testking1 and to Testking2.

D. Create a new GPO that disables Group Policy slow link detection. Link the new GPO to Testking2.

Answer: D

Explanation: The users in Testking2 receive their GPOs from domain controllers in Testking1. The bandwidth of the link between the two sites is less than 500 Kbps, which is the ‘slow link’ threshold. Therefore, if slow link detection is enabled, the policy will not apply. To apply the policy to users in Testking2, we need to disable slow link detection.

QUESTION NO: 343

You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains an empty root domain named testking.com and a child domain named research.testking.com. You need to implement secure password protection for the accounts located in the research.testking.com domain. What should you do?

A. Configure the Default Domain Policy Group Policy object (GPO) of the research.testking.com domain to enable the Password must meet complexity requirements policy.

B. Configure the Default Domain Controllers Policy Group Policy object (GPO) of the research.testking.com domain to enable the Password must meet complexity requirements policy.

C. Configure the Default Domain Policy Group Policy object (GPO) of the testking.com domain to enable the Password must meet complexity requirements policy. Enable the No Override setting on the GPO.

D. Configure the Default Domain Controllers Policy Group Policy object (GPO) of the testking.com domain to enable the Password must meet complexity requirements policy. Enable the No Override setting on the GPO.

Answer: A

Explanation: Password policy must be configured at domain level for domain enforcement.

QUESTION NO: 344
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. All user accounts for the sales department users are located in an organizational unit (OU) named Sales. The client computers are located in the default Computers container. All users in the sales department require that a sales application be installed on their client computers. You create a new Group Policy object (GPO). You create a software installation package and use the GPO to assign the package to computers. You link the GPO to the Sales OU. Users in the sales department report that the application is not installed on any client computers. You need to install the application on all client computers in the sales department. You need to ensure that the application is installed only on the client computers used by users in the sales department. What should you do?

A. Modify the GPO to specify that Windows Installer packages will be installed by using elevated permissions.

B. Modify the GPO so that the application is assigned to user accounts.
C. Enable loopback processing for the GPO.
D. Link the GPO to the Computers container.

Answer: B

QUESTION NO: 345


You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. You use a Group Policy object (GPO) to distribute an application to users. The application is contained in an .msi file that is stored in a shared folder. Users report that they do not have the application installed. You verify that the GPO successfully installed the application on your computer. On the client computers, you see the error message shown in the exhibit.

You need to ensure that users can install the application. What should you do?

A. Configure the default package location in the GPO to be the network path to the application.


B. Configure the Windows Installer service on each client computer to start as a member of the Domain Admins group.

C. Create a GPO to enable the Always install with elevated privileges setting.
D. Assign the users the Allow – Read permission for the .msi file.

Answer: D

Explanation: To assign the application to users, the users need at least Allow – Read permission to the .msi file.

QUESTION NO: 346
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain that contains four domain controllers. All servers run Windows Server 2003. All user accounts are located in an organizational unit (OU) named TestKingUsers. A written TestKing policy requires all users to use strong passwords. User passwords must contain a mixture of letters, numbers, or special characters. Passwords must be at least 10 characters long. Passwords must be changed at least every 60 days, and the new password cannot be the same as the old one. To enforce this requirement, you create a Group Policy object (GPO) named Password Policies and link the GPO to the TestKingUsers OU. The settings in the Password Policy section of the Password Policies GPO are shown in the exhibit.

You discover that users are creating simple passwords that do not meet the complexity requirements. You need to ensure that TestKing’s password requirements are enforced. What should you do?

A. Link the Password Policies GPO to the Domain Controllers OU. Make it the first GPO in the list.


B. Configure the properties of the Password Policies GPO so that it cannot be overridden.
C. Delete the Password Policies GPO. Edit the Default Domain Policy GPO to include the settings from the Password Policy section of the Password Policies GPO.

D. Delete the Password Policies GPO. Edit the Default Domain Controllers Policy GPO to include the settings from the Password Policy section of the Password Policies GPO.

Answer: C

Explanation: Changes in security policies such as a password policy can only affect the user if applied at the domain level using the Default Domain Policy. Security policies that affect computers can be applied at the OU level as well as at the domain level.

Incorrect Answers:
A: This would affect the policies set on a DC.
B: This wouldn't do anything, because password policies in this case are set on a users OU and not a computers OU.
C: This answer is nearly the same as A, except that you delete and recreate the GPO.

QUESTION NO: 347
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Research. All users who have user accounts in the Research OU use portable computers that run Windows XP Professional. You create a Group Policy object (GPO) named PowerManagement and link it to the Research OU. You configure the PowerManagement GPO to enable the Prompt for password on resume from hibernate/suspend policy. A user named Tess has a user account in the Research OU. Tess reports that she is not prompted for a password when her computer resumes from hibernation. You need to ensure that Tess immediately has password protection for her portable computer when resuming from hibernation mode. What should you do?

A. Instruct Tess to run the gpupdate command from her computer.
B. Instruct Tess to run the gpresult command from her computer.
C. Instruct Tess to send a Remote Assistance invitation to you. Take control of Tess’s computer and run the secedit /analyze command.
D. Instruct Tess to send a Remote Assistance invitation to you. Take control of Tess’s computer and run the gpresult command.

Answer: A

Explanation: Although the GPO has been configured, some laptops may not have been online to be updated with the GPO policy, or there could have been network connectivity problems that prevented some laptops from getting the policy. All problems aside, Tess's laptop should get the update at the next GPO refresh interval, or Tess can refresh immediately by running the gpupdate command from her computer.

QUESTION NO: 348
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain. The domain includes an organizational unit (OU) named TerminalServers and a global group named Accounting. The TerminalServers OU contains all of the Windows Server 2003 computer accounts running Terminal Services. Members of the Accounting group connect to terminal servers to access their software applications. You create a Group Policy object (GPO) and link it to the TerminalServers OU. You configure the GPO to publish a software installation package that installs the most recent tax application. Users in the Accounting group report that the new tax application is not installed on any of the terminal servers. You log on to one of the servers running Terminal Services and attempt to use Add or Remove Programs in Control Panel. When you select Add New Program, you receive the following message: “Applications are not available to install from the network in this mode.” You need to ensure that the new tax application is installed on the computers running Terminal Services. What should you do?

A. Modify the GPO and configure the software installation package to be assigned under the Computer Configuration section of the GPO under Software Settings.

B. Modify the GPO and configure the software installation package to be assigned under the User Configuration section of the GPO under Software Settings.

C. Modify the discretionary access control list (DACL) settings of the GPO to assign the Authenticated Users group the Deny – Read and the Allow – Apply Group Policy permissions.

D. Modify the discretionary access control list (DACL) settings of the GPO to assign the computer accounts in the TerminalServers OU the Allow – Read and the Allow – Apply Group Policy permissions.


Answer: A

Explanation: In order for the software application to be available through a Terminal Services session, the application must be installed on the server itself. If the GPO assigns the software installation package under User Configuration, the software will not get installed onto the terminal server.

QUESTION NO: 349
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The organizational unit (OU) structure is shown in the exhibit.

The File Servers OU subtree contains 20 file and print servers. All of TestKing’s user accounts are in the User Accounts OU subtree. TestKing uses Group Policy objects (GPOs) linked to the OUs within the User Accounts OU subtree to configure the users’ environment. These GPOs are configured to install desktop utilities for all user accounts. The desktop utilities are for use on only client computers. You are responsible for planning and implementing the Group Policy infrastructure for TestKing.com. TestKing wants to apply a new GPO named ServerSecurity to the 20 file and print servers. The ServerSecurity GPO includes computer configuration settings and user configuration settings. These settings will be used to secure the file and print servers.


You plan to apply the ServerSecurity GPO to the File Servers OU. You need to ensure that the desktop utilities are not installed on the servers when users log on to the network. What should you do?

A. Grant the file and print servers permissions to link GPOs at the File Servers OU.
B. Configure the ServerSecurity GPO to enable the Loopback policy.
C. Configure a shutdown script that refreshes the computer configuration settings for the file and print servers.
D. Apply the ServerSecurity GPO at the site level rather than at the OU level.

Answer: B

Explanation: You do not want the user settings applying the desktop utilities, so you must also configure Replace mode. You do not want the user settings applied at all in this case; if user settings were allowed to apply, then the desktop utilities would get installed. In some cases, the normal processing order may not be appropriate (for example, when you do not want applications that have been assigned or published to the users in their OU to be installed while they are logged on to the computers in some specific OU).

QUESTION NO: 350
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows 2000 native. All servers run Windows Server 2003. TestKing is adding 15 new servers to run a new application. TestKing is also adding an organizational unit (OU) named Application to hold the servers and other resources for the application. The server access team needs to be able to grant various types of access to the servers. The server access team does not need to be able to perform any other tasks on the servers. You need to allow the server access team to grant permissions for application servers without granting the team unnecessary permissions. What should you do?

A. Create a Restricted Groups Group Policy object (GPO) to make the server access team a member of the Power Users group on each application server. Link the GPO to the Application OU.

B. Grant the server access team permission to modify computer objects in the Application OU.
C. Make the server access team a member of the Server Operators group.


D. Create Domain Local security groups that grant the appropriate access to the servers. Grant the server access team permission to modify the membership of the Domain Local security groups.

Answer: D

QUESTION NO: 351
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com with six sites. The Active Directory site configuration is shown in the exhibit.

The network connection connecting SiteTestking3 and SiteTestking4 has more than 80 percent utilization during TestKing’s business hours. The network bandwidth is required for a critical business application, and so you must ensure that Active Directory replication does not interfere with the application. The other network connections have adequate bandwidth to support Active Directory replication. You must ensure that Active Directory replication traffic does not cross the network connection connecting SiteTestking3 and SiteTestking4 during TestKing’s business hours. Replication connecting all other Active Directory sites must occur at least every three hours throughout the day. What should you do?

A. Configure the replication schedule for the site link connecting SiteTestking3 and SiteTestking4 to replicate only during nonbusiness hours.

B. Disable automatic site link bridging. Create one site link bridge that bridges the site links connecting SiteTestking1, SiteTestking2, and SiteTestking3. Create another site link bridge that bridges the site links connecting SiteTestking4, SiteTestking5, and SiteTestking6.

C. Configure one domain controller in SiteTestking3 and one domain controller in SiteTestking4 as preferred bridgehead servers.

D. Configure the site link cost between SiteTestking3 and SiteTestking4 to be 1,000. Configure the other site link costs to be 100.


Answer: A

QUESTION NO: 352
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. TestKing has offices in 25 cities. Each office is configured as a single site. You are responsible for one site that is configured as shown in the exhibit.

An IP site link connects your site and the site at TestKing’s main office. TestKing replaces your router with a firewall device. The firewall is configured to allow HTTP, SMTP, FTP, NNTP, global catalog queries, and VPN packets to pass. You discover that replication with other sites is not occurring. You need to ensure that you can replicate with other sites. You need to achieve this goal without removing or reconfiguring the firewall. What should you do?

A. Create a new SMTP site link between your site and each of the other sites.
B. Configure one domain controller in your site as a global catalog server.
C. Configure both domain controllers in your site to use a fixed port when replicating.
D. Create a VPN between your site and the site at the main office.

Answer: D


QUESTION NO: 353
You are the network administrator for a company that consists of two subsidiaries named TestKing and Contoso, Ltd. The network consists of a single Active Directory forest that contains two domain trees, as shown in the exhibit.

Some users are temporarily relocated from Hong Kong to New York. Their user accounts remain in the asia.contoso.com domain, and they use their user principal names (UPNs) to log on from the namerica.testking.com domain. The relocated users report that their authentication time is extremely slow. You need to improve their authentication time. What should you do?

A. Create a universal security group in the asia.contoso.com domain and add the relocated users into the group. Add the universal group to the domain local groups in the asia.contoso.com domain that have permission for the object to which the users need access.

B. Create a universal security group in the namerica.testking.com domain and add the relocated users into the group.


Add the universal group to the domain local groups in the asia.contoso.com domain that have permission for the objects to which the users need access.

C. Create a shortcut trust relationship in which the asia.contoso.com domain trusts the namerica.testking.com domain.

D. Create a shortcut trust relationship in which the namerica.testking.com domain trusts the asia.contoso.com domain.

Answer: D

QUESTION NO: 354
You are a network administrator for TestKing.com. The network consists of a single Active Directory domain and two Active Directory sites. The sites are named Testking1 and Testking2. Each site contains two Windows Server 2003 domain controllers. All client computers on the network run Windows XP Professional. Administrators in Testking1 manage all user and group administration on the network. One of the executives located in the office at Testking2 requires access to a network shared folder named ExecutiveData. This folder is located on a Windows Server 2003 member server at Testking2. An administrator in Testking1 adds the executive to an Active Directory global group that has access to the ExecutiveData shared folder. The executive restarts her computer and logs back on to the domain. One hour later, the executive still cannot access the shared folder. Other users in the same group can access the shared folder. You need to ensure that the executive has immediate access to the ExecutiveData shared folder. What should you do?

A. Modify the NTFS permissions on the ExecutiveData shared folder on the Windows Server 2003 member server.

B. Configure one of the domain controllers in Testking2 as a global catalog server.
C. Use Replication Monitor to force replication between domain controllers in the two sites.
D. Modify the share permissions on the ExecutiveData shared folder to give the user account explicit permissions.

Answer: C

QUESTION NO: 355


You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with four sites. The sites are connected by site links, as shown in the work area.

WAN connection        Type of connection   Available bandwidth
Site TK1 – Site TK2   56 Kbps              30 percent
Site TK2 – Site TK3   T3                   70 percent
Site TK3 – Site TK4   T1                   40 percent
Site TK4 – Site TK1   T3                   70 percent

You need to ensure that the Knowledge Consistency Checker (KCC) uses the faster connection links when possible. What should you do? To answer, drag the appropriate site link cost or costs to the correct location or locations in the work area.

Answer:
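The drag-and-drop answer to QUESTION NO: 355 is an exhibit that is not reproduced in this document, but the mechanism it tests can be shown. The Python below is an added example, not part of the TestKing material: it assigns constructed costs to the four site links in the table (cheapest to the fastest links), then computes the least-cost route the KCC's inter-site topology generator prefers, assuming the default where all site links are bridged so costs add up across intermediate sites. The site names, the cost values, and the default cost of 100 for a new site link are the assumptions here; the function `default_route` shows why leaving every cost at 100 would make the KCC pick the slow direct link.

```python
"""Least-cost replication route between Active Directory sites.

Added example, not from the TestKing document. The KCC adds site link costs
along a route and prefers the cheapest total, so a three-hop route over
low-cost (fast) links can beat a one-hop route over a high-cost (slow) link.
Site names and costs below are constructed for the four-site layout above.
"""
import heapq
from typing import Dict, List, Tuple

Graph = Dict[str, Dict[str, int]]

# Constructed costs: lower numbers for faster links. The 56 Kbps link gets the
# highest cost so the KCC only uses it when nothing cheaper reaches a site.
SITE_LINKS = [
    ("TK1", "TK2", 1000),  # 56 Kbps, 30 percent available
    ("TK2", "TK3", 100),   # T3, 70 percent available
    ("TK3", "TK4", 200),   # T1, 40 percent available
    ("TK4", "TK1", 100),   # T3, 70 percent available
]

DEFAULT_COST = 100  # assumption: every newly created site link has cost 100


def build_graph(links: List[Tuple[str, str, int]]) -> Graph:
    """Site links are bidirectional, so each link is entered in both directions."""
    graph: Graph = {}
    for site_a, site_b, cost in links:
        graph.setdefault(site_a, {})[site_b] = cost
        graph.setdefault(site_b, {})[site_a] = cost
    return graph


def cheapest_path(graph: Graph, src: str, dst: str) -> Tuple[int, List[str]]:
    """Dijkstra over site links. Assumes 'Bridge all site links' is on, so the
    cost of a route is the sum of its link costs. Returns (cost, route), or
    (-1, []) when dst cannot be reached from src."""
    dist: Dict[str, int] = {src: 0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[int, str]] = [(0, src)]
    done = set()
    while heap:
        d, site = heapq.heappop(heap)
        if site in done:
            continue
        done.add(site)
        if site == dst:
            break
        for nxt, cost in graph.get(site, {}).items():
            cand = d + cost
            if cand < dist.get(nxt, float("inf")):
                dist[nxt] = cand
                prev[nxt] = site
                heapq.heappush(heap, (cand, nxt))
    if dst not in dist:
        return -1, []
    route = [dst]
    while route[-1] != src:
        route.append(prev[route[-1]])
    return dist[dst], route[::-1]


def tuned_route(src: str, dst: str) -> Tuple[int, List[str]]:
    """Route with the tuned costs above: the slow TK1-TK2 link is avoided."""
    return cheapest_path(build_graph(SITE_LINKS), src, dst)


def default_route(src: str, dst: str) -> Tuple[int, List[str]]:
    """Route if every link were left at the default cost: the KCC then has no
    reason to avoid the 56 Kbps link and replicates straight across it."""
    uniform = [(a, b, DEFAULT_COST) for a, b, _ in SITE_LINKS]
    return cheapest_path(build_graph(uniform), src, dst)


if __name__ == "__main__":
    print("tuned costs:  ", tuned_route("TK1", "TK2"))
    print("default costs:", default_route("TK1", "TK2"))
```

With the tuned costs, TK1 reaches TK2 over TK4 and TK3 for a total of 400, while the direct 56 Kbps link would cost 1000; with every link at 100 the direct slow link wins. The real KCC builds a spanning tree over all sites rather than a single pairwise route, but the ordering it applies is this additive least-cost comparison.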


QUESTION NO: 356
You are a network administrator for TestKing.com. The network consists of a single Active Directory forest that contains two domains named testking.com and dev.testking.com. All domain controllers run Windows Server 2003. The functional level of the forest is Windows Server 2003. TestKing acquires a company named Graphic Design Institute. The Graphic Design Institute network consists of a single Active Directory forest that contains a single domain named graphicdesigninstitute.com. All domain controllers run Windows Server 2003. The functional level of the forest is Windows Server 2003. Users in the testking.com domain require access to file and print resources stored on a computer named server1.graphicdesigninstitute.com. Users in the graphicdesigninstitute.com domain require access to all computers in the testking.com forest. You must provide administrators with the ability to grant users access to the required resources. What should you do?


A. Create a two-way forest trust relationship between the testking.com domain and the graphicdesigninstitute.com domain. In the testking.com domain, enable forest-wide authentication for the graphicdesigninstitute.com domain. In the graphicdesigninstitute.com domain, enable selective authentication for the testking.com domain.

B. Create a two-way external trust relationship between the testking.com domain and the graphicdesigninstitute.com domain.

C. Create a one-way forest trust relationship in which the graphicdesigninstitute.com domain trusts the testking.com domain. In the testking.com domain, enable forest-wide authentication for the graphicdesigninstitute.com domain.

D. Create a one-way external trust relationship in which the testking.com domain trusts the graphicdesigninstitute.com domain. Create a second incoming external trust relationship on the graphicdesigninstitute.com domain. Specify that the trust relationship is between the dev.testking.com domain and the graphicdesigninstitute.com domain.

Answer: A

QUESTION NO: 357
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The company contains several departments. One of these departments is sales. A group named Sales Admin is responsible for administering the sales department. In addition, the sales department has two teams that are responsible for daily support. One of these teams supports the sales department’s user accounts. The other team supports the sales department’s computers. Each department in TestKing has a specific set of Group Policy objects (GPOs). The sales department has two additional sets of GPOs. One set of GPOs is for user accounts. The other set of GPOs is for computers. You need to configure the organizational unit (OU) structure to support the implementation of GPOs and delegation of security for the sales department. You want to accomplish this task by using the minimum amount of administrative effort. How should you configure the OU structure? To answer, drag the appropriate OU or OUs to the correct location or locations in the work area.


Answer:

QUESTION NO: 358
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains named testking.com, child1.testking.com, and child2.testking.com. The functional level of the forest is Windows Server 2003.


Both the child1.testking.com domain and the child2.testking.com domain contain user accounts of users in the accounting department. All accounting users need to access resources in both child domains. You need to ensure that all accounting users can access the appropriate resources. You want to restrict administrators in the child domains to managing the access requirements for user accounts in their domain. You also want to minimize global catalog replication. What should you do?

A. Create a global group named All_Accounting in each child domain. Add all user accounts for accounting users in a domain to the All_Accounting group for that domain. Create a universal group in the testking.com domain. Add both All_Accounting groups to the universal group.

B. Create a global group named All_Accounting in each child domain. Add all user accounts for accounting users in a domain to the All_Accounting group for that domain. Create a domain local group in the testking.com domain. Add both All_Accounting groups to the domain local group.

C. Create a universal group in the testking.com domain. Add all user accounts for accounting users in both child domains to the universal group.

D. Create a domain local group in the testking.com domain. Add the user accounts for accounting users in both child domains to the domain local group.

Answer: A

QUESTION NO: 359
You are the network administrator for TestKing.com. TestKing has one main office and 11 branch offices. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named BranchOffices. The BranchOffices OU contains an OU for each of the 11 branch offices. The network administrators who administer the branch offices are members of the BranchOffice Admins global group. You delegate full control of all child objects in the BranchOffices OU to the BranchOffice Admins group. TestKing’s written security policy states the following requirements:

• Members of the BranchOffice Admins group must have the right to modify the assignment of Group Policy objects (GPOs) for the individual branch office OUs.

• Members of the BranchOffice Admins group must not be able to block the inheritance of GPOs at the individual branch office OUs.


• Members of the BranchOffice Admins group must not be able to modify any GPO settings at the BranchOffices OU level.

You need to configure the delegation of the administration of GPOs as defined by the written security policy. You must also ensure that you do not remove more permissions than is necessary from the BranchOffice Admins group. What should you do?

A. Modify the permissions granted to the BranchOffice Admins group so that the group is denied permission to write the gPOptions attribute at the BranchOffices OU level. Configure the permission to apply to the BranchOffices OU and all child objects.

B. Modify the permissions granted to the BranchOffice Admins group so that the group is granted permission to read and write the gPOptions attribute at the BranchOffices OU level. Configure the permission to apply to child objects of the BranchOffices OU only.

C. In the Group Policy Management Console (GPMC), remove the BranchOffice Admins group from the Permissions tab for the BranchOffices OU. Add the BranchOffice Admins group to the LinkGPOs permission in the Delegation tab for the BranchOffices OU. Configure the permissions to apply to the BranchOffice Admins container only.

D. In the Group Policy Management Console (GPMC), remove the BranchOffice Admins group from the Permissions tab for the BranchOffices OU. Add the BranchOffice Admins group to the LinkGPOs permission in the Delegation tab for the BranchOffices OU. Configure the permissions to apply the BranchOffice Admins container and all child containers.

Answer: A

QUESTION NO: 360
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All the user accounts, groups, and application servers of the human resources (HR) department are located in an organizational unit (OU) named HR. The managers in the HR department need access to the application servers to perform administrative tasks. A local group named HRManagers exists on each application server. The HRManagers local groups supply the permissions that the HR managers require. For security reasons, the company wants user accounts for managers in the HR department to be the only members of the HRManagers groups. You need to ensure that membership of the HRManagers group in each application server is as secure as possible.


What should you do?

A. Create a Group Policy object (GPO) that configures restricted groups for each HRManagers group. Link the GPO to the HR OU.

B. Create a new OU for application servers under the HR OU, and move the servers to the new OU. Block permissions inheritance at the new OU.

C. Create a universal group named HRManagers and make the user accounts for HR managers members of that group. Make the HRManagers universal group a member of the HRManagers local group on each application server.

D. Create a script that adds the user accounts for managers in the HR department to the HRManagers local groups. Configure the script to act as the startup and shutdown script for the application servers.

Answer: A

QUESTION NO: 361
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. You are testing Group Policy objects (GPOs) on an organizational unit (OU) named Test. The Test OU contains a Windows XP Professional client computer that you use as a test computer. The domain contains a group named Security. You create a new GPO and configure the Computer Configuration section to grant the Security group the Change the system time user right. You log on to the test computer and discover that the setting you set through the GPO is not in effect. You need to apply the GPO settings immediately. What should you do?

A. Log off the test computer and log on again.
B. Log off the test computer. Create a test user account in the Test OU and then log on as the test user account.
C. On the test computer, run the gpresult command.
D. On the test computer, run the gpupdate /force command.

Answer: D
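Both QUESTION NO: 360 (Restricted Groups for HRManagers) and QUESTION NO: 361 (a user right granted through Computer Configuration, applied with gpupdate /force) end with a setting the administrator should verify on the machine itself rather than trust from the GPO editor. The Python below is an added example, not part of the TestKing document: it parses the INF-style template that `secedit /export /cfg <file>` writes from a computer's effective security settings and checks that the HRManagers Restricted Groups list contains only approved principals and that the Security group holds the Change the system time right, whose internal name is SeSystemtimePrivilege. The template text, the SIDs and the account names in it are constructed placeholders, as is the assumption that the export is a UTF-16 file.

```python
"""Audit an exported security template for a Restricted Groups list and a user right.

Added example, not from the TestKing document. `secedit /export /cfg <file>`
writes the machine's effective security settings as an INF-style template;
the [Group Membership] section carries Restricted Groups entries and the
[Privilege Rights] section carries user rights assignments. Everything in
SAMPLE_TEMPLATE is constructed: the SIDs and account names are placeholders.
"""
import configparser
from typing import List, Set

SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-21-1000-2000-3000-1200
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Group Membership]
HRManagers__Memberof =
HRManagers__Members = *S-1-5-21-1000-2000-3000-1105,TESTKING\\svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Placeholder SIDs for the two domain groups in the scenarios (constructed).
HR_MANAGERS_SID = "S-1-5-21-1000-2000-3000-1105"     # HR managers' global group
SECURITY_GROUP_SID = "S-1-5-21-1000-2000-3000-1200"  # the "Security" group


def parse_template(text: str) -> configparser.ConfigParser:
    """Parse the INF text. Keys keep their case and no %-interpolation is done,
    so values such as *S-1-5-... and "$CHICAGO$" come back untouched."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def load_export(path: str) -> configparser.ConfigParser:
    """Load a real secedit export (assumed UTF-16, as 'Unicode=yes' indicates)."""
    with open(path, encoding="utf-16") as fh:
        return parse_template(fh.read())


def _principals(value: str) -> List[str]:
    """Values are comma-separated; SIDs carry a leading '*', names do not."""
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]


def privilege_holders(cfg: configparser.ConfigParser, privilege: str) -> List[str]:
    """Principals granted a user right, e.g. SeSystemtimePrivilege."""
    if not cfg.has_option("Privilege Rights", privilege):
        return []
    return _principals(cfg.get("Privilege Rights", privilege))


def restricted_members(cfg: configparser.ConfigParser, group: str) -> List[str]:
    """The <group>__Members list is authoritative: at each policy refresh
    anyone not listed is removed from the local group and anyone listed is added."""
    key = f"{group}__Members"
    if not cfg.has_option("Group Membership", key):
        return []
    return _principals(cfg.get("Group Membership", key))


def audit(cfg: configparser.ConfigParser, group: str, approved: Set[str],
          privilege: str, required: str) -> List[str]:
    """Return findings: a missing Restricted Groups entry, policy members
    outside the approved set, and a missing user right. Empty means all good."""
    findings: List[str] = []
    members = restricted_members(cfg, group)
    if not members:
        findings.append(f"{group}: no Restricted Groups entry in effect")
    for member in members:
        if member not in approved:
            findings.append(f"{group}: unexpected member {member}")
    if required not in privilege_holders(cfg, privilege):
        findings.append(f"{privilege}: {required} not granted")
    return findings


if __name__ == "__main__":
    cfg = parse_template(SAMPLE_TEMPLATE)
    for line in audit(cfg, "HRManagers", {HR_MANAGERS_SID},
                      "SeSystemtimePrivilege", SECURITY_GROUP_SID):
        print(line)
```

Run against the constructed sample, the audit reports one finding: the policy's HRManagers list carries an extra account (TESTKING\svc_backup) that is not an HR manager, while the Security group's system-time right is present. On a real server, run `gpupdate /force`, export with `secedit /export /cfg`, and pass the file to `load_export`; a finding on the privilege right after a forced refresh points at policy scope or linking rather than at refresh timing.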


QUESTION NO: 362
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Accounting. A user named Marie works in the accounting department. A user account for Marie is located in the Accounting OU. You create a Group Policy object (GPO) and link it to the Accounting OU. You configure the GPO to require complex passwords. Marie reports that the policy is not in effect. You run Resultant Set of Policy (RSoP) in logging mode for Marie’s user account. The results for the password policies are shown in the exhibit.

You need to ensure that the complex password policy is applied to the Accounting OU. What should you do?

A. Enable the Block Policy inheritance setting on the Accounting OU.
B. Modify the Default Domain Policy GPO to enforce complex passwords.
C. Run the gpupdate command on Marie’s client computer.
D. Disable the User Configuration section of the GPO linked to the Accounting OU.


Answer: B

QUESTION NO: 363
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with a single site. All client computers in the domain run Windows XP Professional. The relevant portion of the organizational unit (OU) structure is shown in the OU structure exhibit.

The user accounts for all managers are located in the Managers OU. You need to deploy a new application. You create a new Group Policy object (GPO) that assigns the .msi application package to user accounts. You link the GPO to the domain. You configure the permissions on the GPO as shown in the Security Settings exhibit.


You then remove the Authenticated Users built-in group from the permissions on the GPO. The application package is installed on the client computers of all users who are not managers. Managers indicate that they want to have the application installed as well. You need to configure the GPO so that the application is installed on the managers’ computers. What should you do?

A. Modify the permissions on the GPO by selecting the Allow – Apply Group Policy permission check box for the Managers global group.

B. Modify the permissions on the GPO by clearing the Deny – Apply Group Policy permission check box for the Managers global group.

C. Remove the link between the GPO and the domain. Link the GPO to Managers OU.

D. Remove the link between the GPO and the domain. Link the GPO to the site that contains the domain controller.


Answer: A

QUESTION NO: 364 You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All user accounts in your domain are located in an organizational unit (OU) named User Accounts. User accounts are separated in two types: accounts for users who use portable computers and accounts for users who use desktop computers. The accounts for the users who use portable computers are in an OU named Portable, and the accounts for the users who use desktop computers are in an OU named Desktop. The OU structure is shown in the work area. Users who use portable computers often travel with them, but they do not connect to the network when they are out of the office. You need to install an application on all client computers. Users must be able to run the application even if the client computer is not connected to the network. You need to perform the installation in a way that reduces network load on the installation source. All software installed by using a Group Policy object (GPO) must require as little support as possible. You need to configure Group Policy to install the application. You also need to link any GPO to the appropriate OU. What should you do? To answer, drag the appropriate action or actions for a GPO to perform to the correct OU or OUs in the work area.


Answer:


QUESTION NO: 365 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains one domain controller. All servers run Windows Server 2003. All client computers run Windows XP Professional. TestKing uses Group Policy objects (GPOs) to configure user and computer settings. The Active Directory database and the SYSVOL shared folder are stored on separate hard disks. The hard disk containing the SYSVOL folder fails. Some Group Policy settings are still applied, but new users do not receive the Group Policy settings. You replace the failed disk. You discover that there are no valid backups of the SYSVOL folder. You have a list of GUIDs and friendly names for each GPO. On the new disk, you create a new shared folder named SYSVOL in the same location as the previous SYSVOL folder. You need to configure the network so that the user and computer settings will be applied to all users. Which three courses of action should you take? (Each correct answer presents part of the solution. Choose three.)


A. In the SYSVOL folder, create a folder named testking.com. In the testking.com folder, create a folder named Policies.

B. In the SYSVOL folder, create a folder named System State. In the System State folder, create a folder named Policies.

C. In the Policies folder, create a folder for each GPO. Name the folders by using the friendly name of each GPO. In the folder for each GPO, create a folder named MACHINE and a folder named USER.

D. In the Policies folder, create a folder for each GPO. Name the folders by using the GUID of each GPO. In the folder for each GPO, create a folder named MACHINE and a folder named USER.

E. Use Active Directory Users and Computers to open each GPO. Close each GPO without changing any settings.

F. Use Active Directory Users and Computers to open each GPO. Change at least one setting in each GPO before closing it.

Answer: A, D, F

QUESTION NO: 366 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You deploy an application by using a Group Policy object (GPO) that publishes an .msi file. Users report some instabilities in the application that cause data loss. The software vendor releases a patch that fixes the problem. The patch is released as an .msp file. You need to ensure that users do not lose data when running the application. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Copy the .msp file to the folder where the application source files exist.

B. Create a .zap file for the patch and deploy the .zap file.

C. Rename the .msp file to an .mst file.

D. Apply the patch to the application source files.

E. Redeploy the GPO that installs the application.

Answer: D, E


QUESTION NO: 367 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. Each department in TestKing has an organizational unit (OU) for all its resources and accounts. TestKing has a desktop support team that provides support to all departments. A separate team creates Group Policy objects (GPOs) for the desktop support staff to use. The GPO creation team is now allowed to link the GPO to any departmental OUs. The desktop support staff is allowed to use the GPOs created by the GPO creation team with departmental OUs. If members of the desktop support staff need a GPO that does not exist, they can request it, but they are not allowed to create any GPOs. You need to ensure that the appropriate teams are granted the appropriate permissions. What should you do? To answer, drag the appropriate action or actions to the correct location or locations in the work area.


Answer:


QUESTION NO: 368 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional with the most recent service pack. All client computers have computer accounts in an organizational unit (OU) named TestkingComputers. TestKing requires all computers to be kept up-to-date with service packs and hotfixes from Microsoft. Administrators will manually update servers as required. You need to configure the network so that client computers are automatically updated as new critical updates are issued. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)


A. Create a Group Policy object (GPO) linked to the domain. Configure the GPO so that client computers automatically download and install updates from Microsoft update servers from the Internet.

B. Create a Group Policy object (GPO) linked to the TestkingComputers OU. Configure the GPO so that client computers automatically download and install updates from Microsoft update servers from the Internet.

C. Create a Group Policy object (GPO) linked to the domain. Configure the GPO so that client computers automatically download and install updates from an internal server on which you install and configure Software Update Services.

D. Create a Group Policy object (GPO) linked to the TestkingComputers OU. Configure the GPO so that client computers automatically download and install updates from an internal server on which you install and configure Software Update Services.

Answer: B, D

QUESTION NO: 369 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional and are members of the domain. Only designated IT support staff have administrative rights on client computers. TestKing requires all client computers to run antivirus software. TestKing licenses an antivirus application that is installed on a file server named Testking1. An unattended installation can be performed on each client computer by running the setup command from a shared folder on Testking1. Several users report that when they attempt to install the antivirus application, they receive the following error message: “You do not have sufficient privileges on this computer to perform this action.” You verify that the antivirus application is not installed on any client computers. You need to ensure that all client computers have the antivirus application installed. You want to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Create a Group Policy object (GPO) linked to the domain. Use the GPO to launch a login script that runs the setup command to install the antivirus application if it is not currently installed. Instruct all users to restart their client computers.

B. Create a Group Policy object (GPO) linked to the domain. Use the GPO to launch a startup script that runs the setup command to install the antivirus application if it is not currently installed. Instruct all users to restart their client computers.

C. Create a batch file that runs the setup command. Send this batch file in an e-mail message to all users. Instruct all users to run this batch file.

D. Use Remote Assistance to run the setup command on each client computer.

Answer: B

QUESTION NO: 370 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain controllers are located in three Active Directory sites. The domain contains an organizational unit (OU) named Marketing. The Marketing OU contains two child OUs named Sales and Research. You need to disable the Windows Update service on all computers in the domain, with the exception of computers in the Sales OU. You want to use the minimum number of Group Policy objects (GPOs). What should you do?

A. Create a GPO and link it to the domain. Configure the GPO to disable Windows Update under the User Configuration section of the GPO. On the Sales OU, enable the Block Policy inheritance setting.

B. Create a GPO and link it to the domain. Configure the GPO to disable Windows Update under the User Configuration section of the GPO. Enable the No Override setting on the GPO.

C. Create a GPO and link it to all three Active Directory sites. Configure the GPO to disable Windows Update under the User Configuration section of the GPO. On the Sales OU, enable the Block Policy inheritance setting.

D. Create a GPO and link it to all three Active Directory sites. Configure the GPO to disable Windows Update under the User Configuration section of the GPO. Enable the No Override setting on the GPO.

Answer: A

QUESTION NO: 371 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers that are not domain controllers are located in an organizational unit (OU) named Servers. The security department is responsible for defining security requirements for servers. You are responsible for configuring TestKing’s servers. The security department provides you with security settings that you must apply to new and existing servers that are not domain controllers. You configure a Windows Server 2003 computer named Testking1 with these settings. You need to apply the security settings in compliance with the security department’s requirements. What should you do?

A. Export the security settings for Testking1. Import the settings to a Group Policy object (GPO) linked to the Servers OU.

B. Create a script by running the netsh dump command on Testking1. Create a Group Policy object (GPO), link the GPO to the Servers OU, and configure the GPO to apply the script as a startup script.

C. Configure Synchronization Manager on Testking1 to perform a synchronization task daily.

D. Export the security settings for Testking1. Configure File Replication service (FRS) to copy the .ini file to the systemroot on each server.

Answer: A

QUESTION NO: 372 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All client computers run Windows XP Professional. A written TestKing policy requires all documents created by the legal department to be saved to a shared folder named MyDocs on a file server named FileS1. The written policy also states that each user in the legal department must have a unique folder in which to store the user’s documents. The user accounts for all users in the legal department are in an organizational unit (OU) named Legal. The users belong to various Active Directory groups. You create a new Group Policy object (GPO) and link it to the Legal OU. In the GPO, you open the properties of the Folder Redirection setting for the My Documents folder. The dialog box is shown in the work area. You need to configure folder redirection by using the minimum amount of administrative effort.


How should you configure the folder redirection settings? To answer, configure the appropriate option or options in the dialog box.

Answer: Select “Basic – Redirect everyone’s folder to the same location”. Select “Create a folder for each user under the root path”.

QUESTION NO: 373 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. All computer accounts for the client computers are located in an organizational unit (OU) named Workstations. TestKing’s written security policy states the following requirements:

• Users must be members of the local Power Users group on all client computers.

• Users must be members of the local Administrators group on any client computers.

• Users must not have any administrative rights to member servers or domain controllers in the domain.

• The Power Users group membership cannot be modified by members of the local Administrators group on any client computer.

You need to provide automatic assignments of required group memberships for the users on the client computers. What should you do?

A. Create a logon script that adds the Domain Users group to the local Power Users group when the user logs on. Link the logon script to the Workstations OU.

B. Create a startup script that adds the Domain Users group to the local Power Users group when the client computer starts. Link the startup script to the Workstation OU.

C. Create a new Group Policy object (GPO) named GPO1. Configure the Restricted Groups option in GPO1 to add the Domain Users group to the Power Users group. Link GPO1 to the Workstation OU.

D. Create a new Group Policy object (GPO) named GPO1. Configure the Restricted Groups option in GPO1 to add the Domain Users group to the Power Users group. Link GPO1 to the domain.

Answer: C

QUESTION NO: 374 You are the network administrator for TestKing, which has a main office and many small branch offices. TestKing’s network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The domain has an organizational unit (OU) for each branch office. Group Policy objects (GPOs) linked to these OUs are used to configure TestKing resources.


Under each branch office’s OU, there is an OU named UserAccounts that contains user accounts and an OU named Workstations that contains client computer accounts. A single administrative user at each branch office provides desktop support and administration for the branch office. The number of support calls for the branch office administrators recently increased because users are making configuration changes to their computers. You need to restrict desktop features and administrative tools for all users except the administrative user in each branch office. You create a GPO that applies the desktop restrictions. What else should you do?

A. Link the GPO to each branch office’s Workstations OU. Create an OU underneath each branch office’s Workstations OU and move the administrative user’s computer accounts into the new OU. Block GPOs from applying to the new OU.

B. Link the GPO to each branch office’s UserAccounts OU. Create an OU underneath each branch office’s UserAccounts OU and move the administrative user’s account into the new OU. Block GPOs from applying to the new OU.

C. Link the GPO to each branch office’s Workstations OU. Filter the GPO on the administrative user’s computer for each branch office, so that the computer does not apply the new GPO.

D. Link the GPO to each branch office’s UserAccounts OU. Filter the GPO on the administrative user’s account for each branch office, so that the user account does not apply the new GPO.

Answer: D

QUESTION NO: 375 You are the network administrator for TestKing.com. Your network consists of a single Active Directory forest that contains a forest root domain named testking.com and one child domain named miami.testking.com. All domain controllers run Windows 2000 Server. The miami.testking.com domain contains one Windows Server 2003 member server named Testking2. You attempt to promote Testking2 to be an additional domain controller of the miami.testking.com domain. The promotion fails and you receive the error message shown in the exhibit.


You need to resolve the error in order to promote Testking2 to be an additional domain controller of the miami.testking.com domain. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Force replication between the schema master and the PDC emulator of only the testking.com domain.

B. Force replication between the schema master and the PDC emulator of the testking.com and the miami.testking.com domain.

C. Run the adprep /forestprep command on the schema master of the testking.com domain.

D. Run the adprep /domainprep command on the infrastructure master of only the testking.com domain.

E. Run the adprep /domainprep command on the infrastructure masters of the testking.com domain and the miami.testking.com domain.

Answer: C, E

QUESTION NO: 376 You are the network administrator for TestKing.com. The network consists of a single Active Directory forest, as shown in the exhibit.


A domain controller named dc1.corp.testking.com runs Windows 2000 Server. All other domain controllers run Windows Server 2003. TestKing is engaged in a joint venture with Litware, Inc. The network of Litware, Inc., consists of a single Active Directory forest named litwareinc.com that contains one domain. The functional level of the litwareinc.com forest is Windows Server 2003.


You need to ensure that the users of TestKing can log on to the litwareinc.com forest. You upgrade dc1.corp.testking.com to Windows Server 2003. Which two additional courses of action should you take? (Each correct answer presents part of the solution. Choose two)

A. Raise the functional level of the corp.testking.com domain and the east.corp.testking.com domain to Windows 2000 native. Raise the functional level of the testking.com forest to Windows Server 2003.

B. Raise the functional level of the corp.testking.com domain to Windows 2000 native. Raise the functional level of the east.corp.testking.com domain to Windows Server 2003. Raise the functional level of the west.testking.com domain to Windows Server 2003.

C. Create a one-way forest trust relationship in which the testking.com forest trusts the litwareinc.com forest.

D. Create a one-way forest trust relationship in which the litwareinc.com forest trusts the testking.com forest.

Answer: A, D

QUESTION NO: 377 You are a network administrator for TestKing.com. The relevant portion of your network configuration is shown in the work area. TestKing has offices in Toronto and New York. The Toronto office has 500 employees, and the New York office has 150 employees. Employees in both offices use an application that frequently reads configuration data in the global catalog. You install Windows Server 2003 on all domain controllers. You create a single Windows Server 2003 Active Directory domain. The functional level of the forest is Windows Server 2003. You configure servers as shown in the following table.

Server name   Configuration
Testking1     Domain controller, domain naming master, schema master
Testking2     Domain controller, PDC emulator master, relative ID (RID)
Testking3     Member server, file and print server
Testking4     Member server, Web server
Testking5     Domain controller
Testking6     Member server, file and print server


You need to plan the placement of global catalog servers for TestKing.com. You need to ensure that the application performs well during times of peak activity. You need to ensure that the application continues to function in the event of multiple global catalog failures. Where should you place the global catalog server or servers? To answer, select the appropriate computer or computers in the work area.

Answer: Select Testking1, Testking2 and Testking5.

QUESTION NO: 378 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain with six sites. These sites are located in six different cities. The site configuration is shown in the exhibit.

The site links are configured as shown in the following table.


Site link name   Replication schedule      Replication frequency
SiteLink-1-2     24 hours per day          1 hour
SiteLink-1-3-4   6:00 P.M. to 6:00 A.M.    1 hour
SiteLink-2-5-6   10:00 P.M. to 6:00 A.M.   2 hours

All user accounts for the entire company are created by network administrators in Testking1. The number of employees in the office at Testking3 is growing rapidly. Several accounts for new employees are created for users in Testking3 every day. The new employees report that they cannot log on to the domain on the same day that their accounts are created. They can log on to the domain successfully the next day. You need to ensure that the employees can log on to the domain on the same day that their accounts are created. You also need to ensure that the replication traffic between Testking1 and Testking3 is compressed. What should you do?

A. Move the Active Directory domain controller objects from Testking3 to Testking1.

B. Add the Active Directory subnet object for Testking3 to Testking1.

C. Reconfigure SiteLink-1-2 to include Testking1, Testking2, and Testking3. Remove Testking3 from SiteLink-1-3-4.

D. Remove Testking1 from SiteLink-1-3-4.

Answer: C

QUESTION NO: 379 You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain consists of four sites as shown in the work area. Pedro is another administrator for TestKing.com. Pedro is responsible for managing the frequency of Active Directory replication among the four sites. You need to allow Pedro to manage the frequency of intersite replication. You must ensure that Pedro cannot modify any other objects. Where should you grant Pedro the permission that he needs? To answer, select the appropriate node in the dialog box.


Answer: Select “Inter-Site Transports”.

QUESTION NO: 380 You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains three domains named testking.com, child1.testking.com and child2.testking.com. The functional level of the forest is Windows Server 2003. Each domain contains Windows Server 2003 file and print servers. All of the file and print server computer accounts are located in the default Computers container in each domain. There is a central operations department that is responsible for administering the file server computer accounts in all domains. There is a separate operations department for each domain that is responsible for administering the print server computer accounts in that domain. You need to delegate authority to create an environment to support your file and print server administration requirements. You need to create an organizational unit (OU) structure to support the delegation of authority requirements. What should you do?

A. Create a top-level OU for file server computer accounts under the testking.com domain. Create a top-level OU for print server computer accounts under the testking.com domain.

B. Create a top-level OU for file server computer accounts under the testking.com domain. Create a top-level OU for print server computer accounts under each domain.

C. Create a top-level OU for file server computer accounts under each domain. Create a top-level OU for print server computer accounts under each domain.

D. Create a top-level OU for file server computer accounts under each domain. Create a child OU for print server computer accounts under each file server OU.

Answer: D

QUESTION NO: 381 You are the network administrator for TestKing.com. The network consists of a single Active Directory forest that contains two domains with three sites. Domain1 is used as an empty root domain for security purposes. Domain1 has a domain controller only in Testking1. Domain2 has domain controllers in all three sites. The domain controllers in Testking1 and Testking2 are global catalog servers. Each client computer on the network runs Windows NT Workstation 4.0, Windows 2000 Professional, or Windows XP Professional. You and your administration staff are located at Testking1, where you perform administrative tasks. You want to minimize network traffic as much as possible. The number of user accounts per site for each domain is shown in the following table.

                  Testking1   Testking2   Testking3
Users – Domain1   5           0           0
Users – Domain2   5           100         25,000

You are planning the placement of the operations master role holders. You need to place your operations master roles in the appropriate sites. How many operations master roles should you place in each site? To answer, drag the appropriate number of roles to the correct locations in the work area.


Answer:

QUESTION NO: 382 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named TerminalServers. You create two Group Policy objects (GPOs) named TestkingSettings and SecuritySettings and link them to the domain. You then create another GPO named TS_Settings and link it to the TerminalServers OU. Users report that when they run Internet Explorer on a terminal server, they cannot access approved Web sites. Users did not encounter any problems with running Internet Explorer on the terminal servers before the GPOs were created and linked. You need to find out which GPO is the cause of the problem. What should you do?

A. Log on to a terminal server and run the secedit /analyze command.

B. Log on to a domain controller and run the query termserver command.

C. Log on to a domain controller and run Resultant Set of Policy (RSoP) in planning mode against the client computers.

D. Log on to a domain controller and run Resultant Set of Policy (RSoP) in logging mode against a terminal server.

Answer: D

QUESTION NO: 383 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains an organizational unit (OU) named Accounting. The Accounting OU contains both user accounts and computer accounts. You create a Group Policy object (GPO) named Custom ADM Template and link it to the Accounting OU. You need to apply specific security-related registry entries to all of the computer accounts in the Accounting OU. You create an ADM template named CustomSecuritySettings that includes the security-related registry entries. You need to import the CustomSecuritySettings template into the Custom ADM Template GPO so that you can enable the new policy settings in the CustomSecuritySettings template. Where should you import the CustomSecuritySettings template? To answer, select the appropriate section of the GPO in the dialog box.

Answer: Select “Administrative Templates” under Computer Configuration.


QUESTION NO: 384 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain. All user accounts for users in the engineering department are located in an organizational unit (OU) named Engineering. These users’ client computers are all located in an OU named EngineeringWorkstations, which is a child OU of the Engineering OU. All users in the engineering department are members of a global group named Engineers. You create a Group Policy object (GPO) that assigns a software installation package to users in the Engineering OU. To comply with the licensing requirements for the application, the application must be uninstalled from a user’s computer when that user is moved out of the Engineering OU. A user named Lisa is transferred out of the engineering department. The user account for Lisa is moved into an OU named Research. Lisa reports that the application is still installed on her computer. You must ensure that the application is automatically uninstalled from Lisa’s computer. The application must remain on the computers of all users who are still in the Engineering OU. What should you do?

A. Move Lisa’s user account back into the Engineering OU. Configure the software installation package so that the software is uninstalled when Lisa’s user account falls out of the scope of management. Ensure that Lisa logs on to the network. Move Lisa’s user account back into the Research OU.

B. Move Lisa’s user account back into the Engineering OU. Modify the GPO so that the software installation package is removed. Ensure that Lisa logs on to the network. Move Lisa’s user account back to the Research OU.

C. Move the client computer object for Lisa’s computer out of the EngineeringWorkstations OU. D. Remove Lisa from the Engineers global group.

Answer: A QUESTION NO: 385 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003.

Page 556: TestKing 70-296 v38

70 - 296

Leading the way in IT testing and certification tools, www.testking.com

- 556 -

You configure two Active Directory sites named Testking1 and Testking2. Testking1 contains all of the operations masters and two global catalog servers. Testking2 contains a domain controller named Server1. You create a site link named SiteLink1 that includes Testking1 and Testking2. You need to provide global catalog services locally in Testking2. Which Active Directory component should you configure? To answer, select the appropriate component in the work area.

Answer: Select “NTDS Settings” under SERVER1.

QUESTION NO: 386
You are the network administrator for TestKing.com. The network consists of an Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. TestKing has a main office and four branch offices, which are located in one country. Each office has a data center that contains domain controllers and servers with a corresponding Active Directory site. There is a central operations department in the main office that is responsible for administering all resource servers and domain controllers in all locations. Each office has a local operations department that is responsible for administering all client computers within the individual department’s office only. The local operations departments are also responsible for running backups on the servers in their data centers. The computer accounts for all domain controllers are located in the default Domain Controllers organizational unit (OU). The computer accounts for all other computers are located in the default Computers container. You decide to use delegation of authority to meet the requirements for administration of computer accounts. You need to create an OU structure for computer accounts to support the delegation of authority requirements. You want to minimize the amount of administrative effort required to maintain the environment. What should you do?

A. Create a top-level OU under the testking.com domain for each office. Move the computer accounts of all computers in each office to the appropriate OU for that office.

B. Create a top-level OU named Corp_Computers under the testking.com domain. Create a separate child OU for each office and place the child OUs under Corp_Computers. Move all of the client and resource server computer accounts located in each office to the appropriate child OU for that office.

C. Create a top-level OU named Servers under the testking.com domain. Move the computer accounts of resource servers and domain controllers in all offices to the Servers OU. Create an OU named Desktops under the testking.com domain. Move the computer accounts of the client computers in all offices to the Desktops OU.

D. Create a top-level OU named Servers under the testking.com domain. Create a separate child OU for each office under Servers. Move the computer accounts of all resource servers in each office to the appropriate child OU for that office. Create an OU named Desktops under the testking.com domain. Create a separate child OU for each office under Desktops. Move the computer accounts of all client computers in each office to the appropriate child OU for that office.

E. Create a top-level OU named Servers under the testking.com domain. Create a separate child OU for each office under Servers. Move the computer accounts of all resource servers and domain controllers in each office to the appropriate child OU for that office. Create a top-level OU named Desktops under the testking.com domain. Create a separate child OU for each office under Desktops. Move the computer accounts of all client computers in each office to the appropriate child OU for that office.

Answer: E

QUESTION NO: 387
You are a network administrator for TestKing. The network consists of two Active Directory domains. All servers run Windows Server 2003. TestKing has offices in several cities as shown in the exhibit.

Each office is configured as an Active Directory site. There are global catalog servers in the Toronto and Paris sites. You enable universal group membership caching for all other sites. Users in your company use an application that is integrated with Active Directory. The application reads data from the global catalog. Users report that during periods of peak activity, the application responds slowly. You need to improve the response time of the application. What should you do?

A. Disable universal group membership caching in the Chicago, New York, Bonn, and Rome sites.

B. Decrease the replication interval on the site links that connect the Chicago and New York sites to the Toronto site, and on the site links that connect the Bonn and Rome sites to the Paris site.

C. Configure global catalog servers in the Chicago, New York, Bonn, and Rome sites.

D. Perform an offline defragmentation of the Active Directory database on the domain controllers in the Toronto and Paris sites.

Answer: C

QUESTION NO: 388
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. User and group objects for the sales department are located in an organizational unit (OU) named Sales. Peter and Mary are administrators for TestKing. Peter is responsible for managing Sales user objects. Mary is responsible for managing Sales group objects.

You need to delegate Peter and Mary control over only the objects for which they are responsible. What should you do?

A. In the Sales OU, create two new OUs. Name one OU SalesUsers and place all user objects for the sales department in this OU. Name the other OU SalesGroups and place all group objects for the sales department in this OU. Grant Peter and Mary full control over the Sales OU.

B. On the Sales OU, grant Peter the right to manage user objects. On the Sales OU, grant Mary the right to manage group objects.

C. In the Sales OU, create a new OU. Name this OU SalesGroups. Place all Sales groups in the SalesGroups OU. Grant Peter the right to manage all objects in the Sales OU. Grant Mary the right to manage all objects in the SalesGroups OU.

D. On the Sales OU, deny Peter the right to manage group objects. On the Sales OU, deny Mary the right to manage user objects.

Answer: B

QUESTION NO: 389
You are the network administrator for your company. The company consists of two subsidiaries named TestKing and Fabrikam, Inc. The network consists of two Active Directory domains with two sites. The sites are named Site1 and Site2. The domains are named testking.com and fabrikam.com. The network includes one Active Directory application partition named AppPartition1. This application partition is replicated to domain controllers in Site1 and Site2. The network contains six domain controllers. The domain controller locations and the roles of the domain controllers are identified in the work area below. You need to configure preferred bridgehead servers in each site. You need to configure the minimum number of domain controllers as preferred bridgehead servers such that no bridgehead servers will be automatically selected. Which domain controller or domain controllers should you configure as preferred bridgehead servers? To answer, select the appropriate domain controller or domain controllers in the work area.

Domain controller name   Location   Role(s)
DC1.testking.com         Site1      Domain controller; AppPartition1 application partition
DC2.testking.com         Site1      Domain controller; Global catalog server
DC3.fabrikam.com         Site1      Domain controller
DC4.testking.com         Site2      Domain controller
DC5.testking.com         Site2      Domain controller; Global catalog server
DC6.fabrikam.com         Site2      Domain controller; AppPartition1 application partition

Answer: DC1, DC2, DC3, DC5 and DC6.

A preferred bridgehead must be present in each site for every directory partition that replicates across SiteLink1: the testking.com and fabrikam.com domain partitions, the global catalog partial replicas, and AppPartition1 (the schema and configuration partitions are on every domain controller). Where none of the preferred bridgeheads in a site hosts a partition, the Windows Server 2003 KCC selects a bridgehead for that partition automatically, which the question rules out. In Site1 that requires DC2 (testking.com and global catalog), DC1 (AppPartition1) and DC3 (fabrikam.com); in Site2, DC5 (testking.com and global catalog) and DC6 (fabrikam.com and AppPartition1). DC4 adds nothing that DC5 does not already cover. Use repadmin /bridgeheads to confirm which servers the KCC is actually using.

QUESTION NO: 390
You are the network administrator for TestKing.com. TestKing has offices in Chicago, New York and Toronto. Each office employs 500 people. The network consists of a single Active Directory forest with one domain in each office. Each domain contains two domain controllers named Testking1 and Testking2. All domain controllers run Windows Server 2003. Each office is configured as an Active Directory site. The domain structure is shown in the exhibit.

(Exhibit: domain structure diagram, not reproduced; only the labels New York and Toronto survive in the extracted text.)

The Windows Server 2003 computer named Testking1.testking.com holds all operations master roles for its domain, and it holds both forest-level operations master roles. The Windows Server 2003 computers named Testking1.sales.testking.com and Testking1.prod.testking.com hold all operations master roles for their respective domains. WAN connectivity between the offices is unreliable. You need to plan the placement of global catalog servers for the network. You need to ensure that each user can log on in the event of the failure of a single domain controller and WAN connection. You need to ensure that the consistency of universal group membership information remains intact. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. Configure both domain controllers in testking.com as global catalog servers.

B. Configure only Testking1 in each domain as a global catalog server.

C. Configure only Testking2 in each domain as a global catalog server.

D. Enable universal group membership caching for each site.

E. Enable universal group membership caching for the Chicago office.

F. Enable universal group membership caching for the Toronto office and the New York office.

Answer: A, F

QUESTION NO: 391
You are the network administrator for TestKing.com. The network consists of a single Active Directory forest. The forest functional level is Windows 2000. The forest consists of a forest root domain named testking.com and two child domains named child1.testking.com and child2.testking.com. The functional level of all three domains is Windows 2000 native. All domain controllers in the forest run Windows 2000 Server. Your user account has administrative privileges in the child1.testking.com domain and is a member of the following groups: Schema Admins, Domain Admins, and Domain Users. You need to successfully run the adprep.exe /forestprep command. What should you do?

A. Run the adprep.exe /forestprep command on the PDC emulator for the testking.com domain.

B. Restart the schema master in Directory Services Restore Mode and run the adprep.exe /forestprep command.

C. Add your user account that has administrative privileges to the Enterprise Admins group. Run the adprep.exe /forestprep command on the schema master.

D. Run the adprep.exe /domainprep command on the PDC emulator for the testking.com domain. Then run the adprep.exe /forestprep command on the schema master.

E. Run the adprep.exe /domainprep command on the infrastructure master in each domain. Then run the adprep.exe /forestprep command on the schema master.

Answer: C

QUESTION NO: 392
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain contains Windows Server 2003 print servers and printer objects. A group named PrinterSupport needs to be able to manage the printers and print queues in the domain. The PrinterSupport group also needs to manage the printer objects in Active Directory. The PrinterSupport group does not need to perform any other tasks. You need to grant the PrinterSupport group only the permissions that it needs. Which action or actions should you take? (Choose all that apply.)

A. Make the PrinterSupport group a member of the Print Operators group on each print server.

B. Make the PrinterSupport group a member of the HelpServicesGroup on each print server.

C. Make the PrinterSupport group a member of the Power Users group on each print server.

D. Make the PrinterSupport group a member of the Server Operators group in the Built-in container.

E. Make the PrinterSupport group a member of the Print Operators group in the Built-in container.

Answer: A, E

Managing print queues on the member print servers requires membership in each server’s local Print Operators group (A), while the Print Operators group in the domain’s Built-in container (E) covers printers on the domain controllers and carries the right to create and delete printer objects in Active Directory. HelpServicesGroup, Power Users and Server Operators all grant rights beyond printer management.

QUESTION NO: 393
You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. You work in the corporate IT department. TestKing consists of 12 business divisions. Each business division has its own top-level organizational unit (OU) in the domain. Each business division is responsible for managing its own OU structure. The OU of each division includes an administrative group for that division. Members of each administrative group have the Allow – Read permission for their division’s OU object and the Allow – Full Control permission for all child objects of the OU structure of only their own division. The administrators of each division must be approved by the members of the Domain Admins group. You need to prevent administrators of individual divisions from adding additional administrators in their administrative group. You need to ensure that members of the Domain Admins group are able to manage those groups. What should you do?

A. Create a new OU under the OU of each division. Move the appropriate administrative groups into the new OUs. Block the inheritance of permissions. When prompted, remove permissions applied from the parent.

B. Assign the Domain Admins group the Allow – Full Control permission for the administrative groups in the OU of each division.

C. Create a new OU at the same level in the OU structure as the OUs of the individual divisions. Move all the administrative groups of the divisions into the new OU.

D. Create a Restricted Groups Group Policy object (GPO) and link the GPO to the OU of each division.

Answer: C

QUESTION NO: 394
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The domain includes an organizational unit (OU) named Processing. There are 100 computer accounts in the Processing OU. You create a Group Policy object (GPO) named NetworkSecurity and link it to the domain. You configure NetworkSecurity to enable security settings through the Computer Configuration section of the Group Policy settings. You need to ensure that NetworkSecurity will apply only to the computers in the Processing OU. You need to minimize the number of GPO links. What should you do?

A. Link NetworkSecurity to the Processing OU. Disable the User Configuration section of NetworkSecurity.

B. Link NetworkSecurity to the Processing OU. Remove the link from NetworkSecurity to the domain.

C. Modify the discretionary access control list (DACL) for NetworkSecurity to assign all computer accounts in the Processing OU the Allow – Read and the Allow – Apply Group Policy permissions.

D. Modify the discretionary access control list (DACL) for NetworkSecurity to assign the Authenticated Users group the Deny – Apply Group Policy permission and to assign all of the computer accounts in the Processing OU the Allow – Read and the Allow – Apply Group Policy permissions.

Answer: B
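As an added example (not from the exam page), the following PowerShell performs the scoping in the answer and shows the check to run afterwards, with the security filtering of option D included for contrast. It uses the GroupPolicy module (Get-GPInheritance, New-GPLink, Remove-GPLink, Set-GPPermission), which ships with Windows Server 2008 R2 and later and with RSAT, not with Windows Server 2003, where the same steps are performed in the Group Policy Management Console; the GPO, OU and domain names are those in the question, and the group name used for filtering is an assumption.

```powershell
# Added example, not from the exam page. Scopes the NetworkSecurity GPO to the
# Processing OU only. Requires the GroupPolicy module (Windows Server 2008 R2+ / RSAT);
# on Windows Server 2003 the equivalent steps are done in GPMC.
Import-Module GroupPolicy

$domainDN     = 'DC=testking,DC=com'
$processingOU = "OU=Processing,$domainDN"
$gpoName      = 'NetworkSecurity'

# Option B: link the GPO to the OU, then remove the domain link.
# Link first so there is never a moment with zero links to the GPO.
New-GPLink    -Name $gpoName -Target $processingOU -LinkEnabled Yes | Out-Null
Remove-GPLink -Name $gpoName -Target $domainDN

# Check: the OU lists the GPO among its linked GPOs and the domain no longer does.
function Test-GpoScopedToOu {
    param([string]$Name, [string]$OuDN, [string]$DomainDN)
    $onOu     = (Get-GPInheritance -Target $OuDN).GpoLinks     | Where-Object { $_.DisplayName -eq $Name }
    $onDomain = (Get-GPInheritance -Target $DomainDN).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    ($onOu -ne $null) -and ($onDomain -eq $null)
}
Test-GpoScopedToOu -Name $gpoName -OuDN $processingOU -DomainDN $domainDN   # expect True

# Option D (security filtering) keeps the domain link and narrows the GPO's DACL instead.
# The question rejects it because each of the 100 computer accounts would have to be
# added to the ACL and maintained as accounts come and go. If filtering is ever needed,
# keep Read for Authenticated Users (drop only Apply) and filter on a group, never on
# individual accounts. 'Processing Computers' is an assumed group name.
# Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users'   -TargetType Group -PermissionLevel GpoRead  -Replace
# Set-GPPermission -Name $gpoName -TargetName 'Processing Computers'  -TargetType Group -PermissionLevel GpoApply
```

Dropping Authenticated Users to Read rather than removing it matters: a computer must still be able to read a GPO to evaluate it, and a GPO whose DACL grants nothing to Authenticated Users is skipped silently, which is easy to mistake for a replication problem.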

QUESTION NO: 395 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. The user accounts for support staff users are located in an organizational unit (OU) named Support. All other user accounts are located in an OU named UserAccounts. As TestKing expands, user accounts for users other than support staff might be created in OUs other than the UserAccounts OU. A written TestKing policy states that all users, including support staff, must comply with the following rules:

• Users are not allowed to use offline files.
• Only support staff employees are allowed to edit the registry.

The written policy also states that any changes to these rules must be applied to the entire company as quickly as possible. You need to enforce the written TestKing policy by using the minimum amount of administrative effort. Which action or actions should you take, and where should you take the action or actions? To answer, drag the appropriate action or actions to the correct location or locations in the work area.

Answer: (The original gives the answer as a drag-and-drop image, which is not reproduced here.)

QUESTION NO: 396 You are the network administrator for TestKing.com. Your network consists of a single Active Directory domain named testking.com. An organizational unit (OU) named Sales contains two child OUs named Accounts Payable and Accounts Receivable. You need to deploy an accounting application to all user accounts in the Sales and Accounts Receivable OUs. You do not want to deploy the application to the user accounts in the Accounts Payable OU. In addition, you have a graphics application that you need to deploy to all user accounts in the Accounts Payable OU only. You need to configure your Group Policy object (GPO) structure to achieve these goals. What should you do?

A. Create a GPO named Software Distribution and link it to the Sales OU. Configure the GPO to deploy both the accounting and the graphics applications. Enable the No Override setting on the GPO. On the Accounts Payable OU, enable the Block Policy inheritance setting.

B. Create a GPO named Software Distribution and link it to the Sales OU. Configure the GPO to deploy both the accounting and the graphics applications. Modify the discretionary access control list (DACL) settings of the GPO to assign the Authenticated Users group the Deny – Read and the Deny – Apply Group Policy permissions.

C. Create a GPO named Graphics and link it to the Sales OU. Configure the GPO to deploy the graphics application. Create a GPO named Accounting Software and link it to the Accounts Payable OU. Configure the GPO to deploy the accounting application. On the Accounts Payable OU, enable the Block Policy inheritance setting.

D. Create a GPO named Accounting Software and link it to the Sales OU. Configure the GPO to deploy the accounting application. Create a GPO named Graphics and link it to the Accounts Payable OU. Configure the GPO to deploy the graphics application. On the Accounts Payable OU, enable the Block Policy inheritance setting.

Answer: D

QUESTION NO: 397
You are the network administrator for TestKing.com. The network consists of two Active Directory forests. Each forest contains a single domain. All servers run Windows Server 2003. One forest is used for testing and the other forest is used for production. The test forest contains a single domain controller. The test forest is used to test Group Policy objects (GPOs). You are testing 60 GPOs in the test environment that will be deployed in the production environment. You assign the Testuser account in the test forest the Deny – Apply Group Policy permission. Logging on to the test forest takes longer than would be acceptable in the production forest. You must reduce logon times in the test forest. What should you do?

A. Assign the Testuser account the Deny – Read permission for unused GPOs.

B. Assign the Testuser account the Deny – Write gpoLink permission for the domain.

C. Create a GPO to enable the Negative DC Discovery Cache Setting, specify the setting to be 60 seconds, and apply it to the client computers.

D. Create a GPO to enable the Group Policy refresh interval for computers setting, specify the update rate to be 120 minutes, and apply it to the client computers.

Answer: A

QUESTION NO: 398
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You use a Group Policy object (GPO) to change the default storage location of the My Documents folder for all user accounts. The GPO redirects the My Documents folder to \\SERVER1\USERFILES\%USERNAME%. The Redirect the folder back to the local user profile location when policy is removed option is selected. The network does not use roaming user profiles. The My Documents folders of several users are very large and consume too much disk space on Server1. As a result, users report slow response times for shared files. You need to ensure that the My Documents folder for each user is stored and maintained on the user’s client computer. You must not affect any other policies. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Change the redirection setting in the GPO to Not configured. Run the gpupdate command on Server1.

B. Change the redirection setting in the GPO to Not Configured. Include an xcopy command in each user’s logon script to move the files.

C. Copy all settings in the GPO except the redirection setting to a new GPO. Delete the existing GPO.

D. In the GPO, change the specified path to %USERPROFILE%\My Documents.

E. Configure all shared folders on Server1 to automatically make all files available offline. After the files are cached on the client computer, delete the files from the server.

Answer: A, D

QUESTION NO: 399
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. Windows Server 2003 domain controllers are located in two sites named Testking1 and Testking2. The domain contains an organizational unit (OU) named Accounting. The user accounts for users in the accounting department are located in the Accounting OU. Users in the accounting department can log on to any client computer.

You need to deploy an antivirus application to all computers on the network without user intervention. You also need to deploy a special accounting application to user accounts in the Accounting OU without user intervention. The accounting application must be available to users in the accounting department regardless of which computer they are using. You need to minimize the number of GPO links. You create the Group Policy objects (GPOs) listed in the following table.

Name   GPO section              Policy setting
GPO1   Computer Configuration   Assign the antivirus application
GPO2   User Configuration       Assign the antivirus application
GPO3   Computer Configuration   Assign the accounting application
GPO4   User Configuration       Assign the accounting application
GPO5   User Configuration       Publish the antivirus application
GPO6   User Configuration       Publish the accounting application

Where should you link the GPOs? To answer, drag the appropriate GPO or GPOs to the correct domain component or components in the work area.

Answer: (The original gives the answer as a drag-and-drop image, which is not reproduced here.)

QUESTION NO: 400
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The network also consists of two sites named Testking1 and Testking2. Each site contains domain controllers. An organizational unit (OU) named Accounting contains two child OUs named Accounts Payable and Accounts Receivable. All user accounts for users in the accounting department are located in these three OUs. User accounts in the Accounting OU need to have password lengths of at least eight characters. You need to ensure that users in the Accounting OU, the Accounts Receivable OU, and the Accounts Payable OU cannot modify their screen savers. In addition, you need to ensure that users in the Accounts Payable OU cannot change their desktop wallpaper. Another administrator creates the four Group Policy objects (GPOs) listed in the following table.

Name   GPO section              Policy                                        Setting
GPO1   User Configuration       Prevent changing wallpaper                    Disabled
GPO2   Computer Configuration   Minimum password length equals 8 characters   Enabled
GPO3   User Configuration       Screen Saver                                  Disabled
GPO4   User Configuration       Prevent changing wallpaper                    Enabled

You need to decide where to link the appropriate GPOs to each OU. Where should you link the GPOs? To answer, drag each appropriate GPO to the correct location or locations in the work area.

Answer: (The original gives the answer as a drag-and-drop image, which is not reproduced here.) Note that account policies such as minimum password length apply to domain accounts only from GPOs linked at the domain level; GPO2 linked to any of the three OUs does not change the password policy for the accounting users.

QUESTION NO: 401
You are the network administrator for TestKing.com. TestKing has offices in New York, Copenhagen and Ankara. The network consists of a single Active Directory domain and three sites. The sites are named NYsite, CopSite, and AnkSite. TestKing is adding a new division at the New York office for publishing fiction books. You create a new organizational unit (OU) named Fiction for the fiction division. You add a new network segment and subnet for the fiction division. You plan to place new Windows XP Professional computers for the fiction division in the new subnet. You also plan to add a new domain controller to NYSite.

You need to ensure that users in the fiction division use the domain controllers in the New York office when logging on to the network. What should you do?

A. Decrease the metric for the default gateway on the new Windows XP Professional computers.

B. Create a new subnet object for the new subnet. Add the new subnet object to NYSite.

C. Configure the location attribute for the new Windows XP Professional computers to be NYSite.

D. Move the domain controller objects for the domain controllers in the New York office to the Fiction OU.
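As an added example (not from the exam page) of what option B does, the following PowerShell creates the subnet object and attaches it to NYsite through the ADSI interfaces that Windows Server 2003 exposes, then resolves an address to a site the same way the domain controller locator does, by longest matching subnet prefix. The prefix 10.10.20.0/24, the configuration naming context and the sample address are assumptions; the site name comes from the question. On Windows Server 2012 and later the same object is created with New-ADReplicationSubnet from the ActiveDirectory module.

```powershell
# Added example, not from the exam page. Creates a subnet object and attaches it to
# NYsite via ADSI (works with PowerShell on Windows Server 2003; no AD module needed).
# Assumed values: the subnet prefix, the configuration naming context, the sample address.
$configNC = 'CN=Configuration,DC=testking,DC=com'
$siteName = 'NYsite'
$prefix   = '10.10.20.0/24'

$subnets = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNC"
$subnet  = $subnets.Create('subnet', "CN=$prefix")
$subnet.Put('siteObject', "CN=$siteName,CN=Sites,$configNC")
$subnet.Put('description', 'Fiction division segment, New York')
$subnet.SetInfo()

# Resolve an IPv4 address to a site by longest-prefix match over all subnet objects.
# Returns the site name, or $null when no subnet matches: that is precisely the state in
# which a client has no site and may log on through a domain controller in another office.
function Get-SiteForAddress {
    param([string]$Address, [string]$ConfigNC)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$ConfigNC"
    $searcher.Filter = '(objectClass=subnet)'

    $ipBytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [array]::Reverse($ipBytes)                             # network order -> host order
    $ip = [int64][BitConverter]::ToUInt32($ipBytes, 0)

    $best = $null; $bestLen = -1
    foreach ($r in $searcher.FindAll()) {
        $cn = [string]$r.Properties['cn'][0]               # e.g. 10.10.20.0/24
        $net, $len = $cn.Split('/')
        if ($net -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # skip IPv6 entries
        if ($r.Properties['siteobject'].Count -eq 0)   { continue }   # subnet not tied to a site
        $len = [int]$len
        $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len))
        $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
        [array]::Reverse($netBytes)
        $nw = [int64][BitConverter]::ToUInt32($netBytes, 0)
        if ((($ip -band $mask) -eq ($nw -band $mask)) -and ($len -gt $bestLen)) {
            $bestLen = $len
            $best = ([string]$r.Properties['siteobject'][0]) -replace '^CN=([^,]+),.*$', '$1'
        }
    }
    $best
}
Get-SiteForAddress -Address '10.10.20.57' -ConfigNC $configNC   # NYsite once the object has replicated
```

Creating subnet objects requires Enterprise Admins rights because they live in the configuration partition. After replication, nltest /dsgetsite on a client in the new segment should print NYsite and nltest /dsaddresstosite:10.10.20.57 should agree. A client whose address matches no subnet object is given no site and takes whichever domain controller answers the generic _ldap._tcp.dc._msdcs DNS query, which may be in Copenhagen or Ankara; the locator never consults OU membership, which is why moving domain controller objects into the Fiction OU (option D) changes nothing.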

Answer: B

QUESTION NO: 402
You are a network administrator for TestKing. TestKing has 25 offices in major cities throughout the world. The network consists of a single Active Directory forest that contains five domains. All domain controllers run Windows 2000 Server. Each domain contains user objects for five offices. The offices in Paris and Toronto provide help desk services to 20,000 users in all domains. The help desk frequently processes group membership changes requested by department managers. Help desk administrators report that changes made to group memberships are often lost and have to be re-created. You discover that this problem is caused by replication conflicts that occur when a large number of help desk requests are being processed in a short period of time. You upgrade all domain controllers to Windows Server 2003. Help desk administrators continue to report that work is often lost during times of peak activity. You need to reduce the amount of work lost by help desk administrators. You want to accomplish this task by using the minimum amount of administrative effort. What should you do?

A. Ensure that all help desk administrators are connecting to the PDC emulator in their domain when they perform updates to group memberships.

B. Raise the functional level of the domain and of the forest to Windows Server 2003.

C. Enable universal group membership caching on domain controllers used by the help desk administrators.

D. Disable site link bridging for all site links in the forest.

Answer: B

Group membership is stored in the single multivalued member attribute. Until the forest functional level is raised to Windows Server 2003, every membership change replicates the whole attribute, so two help desk administrators who update the same group on different domain controllers within one replication interval produce a conflict and one update is lost. Raising the forest functional level switches on linked-value replication, which replicates individual membership values instead; upgrading the domain controllers alone does not enable it, which is why the problem persists after the upgrade.

QUESTION NO: 403
You are the network administrator for TestKing. The network consists of a single Active Directory domain with two sites named Testking1 and Testking2. Testking1 contains two domain controllers. Testking2 contains one domain controller. Each site contains two member servers. All domain controllers are backed up every night. Each of the domain controllers is installed with a similar hardware configuration, which includes a single processor and a single hard disk. You create several user accounts on the domain controller in Testking2. The hard disk on that domain controller fails. You install a new hard disk on the domain controller and restore the domain controller from the most recent backup tape. You notice that the new user accounts you created on the domain controller do not appear. The only way that you can restore the user accounts is to re-create them. You need to configure the domain controllers so that the loss of data in Active Directory is minimized during a similar hard disk failure. What should you do?

A. Configure an existing member server as an additional domain controller in Testking2.

B. Install an additional hard disk in each domain controller. Move the Active Directory log files to the new hard disk.

C. Install an additional hard disk in each domain controller. Move the Active Directory database file to the new hard disk.

D. Configure a new site link between Testking1 and Testking2.

Answer: A

QUESTION NO: 404
You are a network administrator for TestKing. The network consists of a single Active Directory domain named testking.com. The Active Directory database is contained on a Windows Server 2003 domain controller named Testking1. The hard disk that contains the Active Directory database fails.

You restart Testking1 in Directory Services Restore Mode. When prompted to log on, you type administrator@testking.com as your user name and enter your domain password. Your logon attempt fails. You need to log on to Testking1 to complete the restore operation. What should you do?

A. Type sales\administrator as your user name and enter your domain password.

B. Type administrator as your user name and enter the password that was associated with the local administrator account before you installed Active Directory.

C. Type administrator as your user name and enter your domain password.

D. Type administrator as your user name and enter the password that you supplied during the installation of Active Directory.

Answer: D

QUESTION NO: 405
You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. The functional level of the domain is Windows Server 2003. The domain contains an organizational unit (OU) named Servers that contains all of TestKing’s Windows Server 2003 resource servers. The domain also contains an OU named Workstations that contains all of TestKing’s Windows XP Professional client computers. You configure a baseline security template for resource servers named Server.inf and a baseline security template for client computers named Workstation.inf. The Server.inf template contains hundreds of settings, including file and registry permission settings that have inheritance propagation enabled. The Workstation.inf template contains 20 security settings, none of which contain file or registry permissions settings. The resource servers operate at near capacity during business hours. You need to apply the baseline security templates so that the settings will be periodically enforced. You need to accomplish this task by using the minimum amount of administrative effort and while minimizing the performance impact on the resource servers. What should you do?

A. Create a Group Policy object (GPO) and link it to the domain. Import both the Server.inf and the Workstation.inf templates into the GPO.


B. Import both the Server.inf and the Workstation.inf templates into the Default Domain Policy Group Policy object (GPO).

C. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Create a Group Policy object (GPO) and link it to the Workstations OU. Import the Workstation.inf template into the GPO.

D. On each resource server, create a weekly scheduled task to apply the Server.inf settings during off-peak hours by using the secedit command. Import the Workstation.inf template into the Default Domain Policy Group Policy object (GPO).

Answer: C

QUESTION NO: 406 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The human resources department has servers that contain confidential information stored in files. The client computers in the human resources department access the confidential information over the LAN. The network design requires that any access to the human resources department servers must be encrypted to protect the confidentiality of the data transmissions. You need to automatically enforce the network design requirement at regular intervals. What should you do?

A. Assign the Secure Server (Require Security) IPSec policy to the human resources department servers by using Group Policy.

B. Assign the Secure Server (Require Security) IPSec policy to the human resources department servers by using local policy.

C. Apply the Hisecws.inf security template to the human resources department servers by using Group Policy.

D. Apply the Hisecws.inf security template to the human resources department servers by using the secedit command.

Answer: A


QUESTION NO: 407 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. TestKing has a main office and five branch offices. The branch offices are connected to the main office by a WAN connection. All servers run Windows Server 2003. All client computers run Windows XP Professional. The audit department has users in the main office and in all branch offices. The audit department users share files on an audit department secured server at the main office. The files must be kept confidential. The audit department is concerned that files will be captured while they are transmitted between the audit department server and the client computers. The audit department server is configured to protect the confidentiality of network transmissions. You need to configure the audit department client computers to further ensure the confidentiality of network transmissions. You need to ensure that the configuration of the client computers is periodically enforced. What should you do?

A. Use a Group Policy object (GPO) to assign the Client (Respond Only) IPSec policy to the client computers.

B. Run the secedit command with the Hisecws.inf predefined security template on the client computers.

C. Use a Group Policy object (GPO) to configure Server Message Block (SMB) signing on the client computers.

D. Run the secedit command with the Rootsec.inf predefined security template on the client computers.

Answer: C

QUESTION NO: 408 You are the security analyst for TestKing.com. The network consists of TestKing’s intranet and a perimeter network. The networks are separated by a firewall. TestKing’s intranet consists of a single Active Directory domain named corp.testking.com. The perimeter network consists of a DNS domain named testking.com. The perimeter network contains publicly accessible Web servers. The intranet contains a Windows Server 2003 DNS server named Testking1. Testking1 hosts an Active Directory-integrated primary zone for the corp.testking.com domain. Testking1 also hosts a secondary zone that is not integrated with Active Directory for the testking.com domain. The perimeter network contains a Windows Server 2003 DNS server named Testking2. Testking2 is authoritative for the testking.com DNS domain, which contains the resource records for the publicly accessible servers. Testking1 is configured to forward requests to Testking2. Testking2 is configured with root hints.


TestKing’s written DNS security policy includes the following requirements:

• The internal DNS namespace must never be accessible by external users or computers.
• External users must not be able to retrieve zone information from either DNS server.

You need to plan a DNS security solution that meets the DNS security policy requirements. Your solution must not adversely affect required or allowed name resolution functions in the network. What should you do?

A. On Testking2, allow zone transfers to only servers listed in the Name Servers list. Disable recursion on Testking1.

B. On Testking2, allow zone transfers to only servers listed by IP address. On Testking1, do not allow zone transfers.

C. On Testking1, allow zone transfers to only servers listed in the Name Servers list. Disable recursion on Testking2.

D. On Testking1, allow zone transfer to only servers listed by IP address. On Testking2, do not allow zone transfers.

Answer: A

QUESTION NO: 409 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network contains a Windows Server 2003 computer named Testking1 that is not a member of the domain and a Windows Server 2003 member server named Testking2. You need to implement a public key infrastructure (PKI) for the network. You configure Testking1 as a root certification authority (CA). You intend to disconnect Testking1 from the network. You configure Testking2 as a subordinate CA, and you leave Testking2 connected to the network. You need to configure Testking1 to support updates to the certificate revocation list (CRL) and to support certificate chain verification on the network while it is offline. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. On Testking1, use the Certification Authority snap-in to configure the CRL Distribution Point (CDP) setting to point to a shared folder. Regularly copy the CRL from Testking1 to the shared folder.


B. On Testking1, use the Certification Authority snap-in to configure the CRL Distribution Point (CDP) setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.

C. On Testking1, use the Certification Authority snap-in to configure the Authority Information Access (AIA) setting to point to a shared folder. Regularly copy the AIA from Testking1 to the shared folder.

D. On Testking1, use the Certification Authority snap-in to configure the Authority Information Access (AIA) setting to point to the C:\Windows\System32\CertSrv\CertEnroll folder.

E. Configure the Default Domain Policy Group Policy object (GPO) to enable the Enroll certificates automatically setting and then select the Remove expired certificates, update pending certificates and remove revoked certificates option.

F. Configure all certificate templates on Testking2 to be published in Active Directory.

Answer: B, D

QUESTION NO: 410 You are a network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. You install Certificate Services and configure an offline root certification authority (CA). You also configure an enterprise subordinate CA in the domain. Employees in the marketing department use a public key infrastructure (PKI) enabled application to store secure marketing data. Employees require a certificate that supports client authentication to gain access to this application. User objects for employees in the marketing department are stored in an organizational unit (OU) named Marketing. You create a Group Policy object (GPO) that configures users for autoenrollment, and you link the GPO to the Marketing OU. You create a duplicate of the User certificate template named Employee and assign permission to allow autoenrollment for users in the marketing department. You configure the Employee template to prompt the user during enrolment. An employee in the marketing department named David Lindberg reports that when he attempts to use the marketing application, he receives a message stating that he does not have a client authentication certificate. David is unable to use the marketing application. You examine David Lindberg’s user object, shown in the exhibit. **MISSING** You need to ensure that David can use the marketing application. What should you do?


A. Edit David Lindberg’s user object to include an e-mail address.

B. Add David Lindberg’s user object to the Cert Publishers domain local group.

C. On David Lindberg’s computer, use the Web enrolment tool to connect to the subordinate CA and download a copy of the subordinate CA’s certificate.

D. On David Lindberg’s computer, use the Web enrolment tool to connect to the subordinate CA and download the most recent certificate revocation list (CRL).

Answer: D

QUESTION NO: 411 You are a network administrator for a consulting company. You need to create a wireless network that will be used by consultants from your company at a customer location. The wireless network will consist of nine portable computers, three servers, and four wireless digital cameras. All computers and cameras can use either static or dynamic IP addressing. The cameras do not support data encryption. Both the portable computers and the servers must be able to initiate communication over the Internet to VPN servers in your company’s main data center. Only the wireless point is connected to the customer’s corporate network. You need to plan the wireless IP network so that it minimizes the risk of unauthorized use of the wireless network and prevents unsolicited communication from the Internet to the hosts on the network. What should you do?


Answer:


QUESTION NO: 412 You are the network administrator for TestKing.com. The network contains an application server running Windows Server 2003.


Users report that the application server intermittently responds slowly. When the application server is responding slowly, requests that normally take 1 second to complete take more than 30 seconds to complete. You suspect that the slow server response is because of high broadcast traffic on the network. You need to plan how to monitor the application server and to have a message generated when broadcast traffic is high. You also want to minimize the creation of false alarms when nonbroadcast traffic is high. What should you do?

A. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert trigger when the Datagrams/sec counter in the UDPv4 object is high.

B. Use System Monitor and configure it to monitor the Segments/sec counter in the TCPv4 object.

C. Use System Monitor and configure it to monitor the Datagrams/sec counter in the UDPv4 object.

D. Use the Alerts option in the Performance Logs and Alerts snap-in to configure an alert to trigger when the Datagrams/sec counter in the TCPv4 object is high.

Answer: A

QUESTION NO: 413 You are the network administrator for TestKing.com. The network consists of a single Active Directory domain named testking.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. The network also contains 10 network printers. All servers have manually configured IP addresses. The client computers and network printers receive their TCP/IP configuration information from a DHCP server. TestKing IP policy states that each of the network printers will always be configured with the same IP address. You configure a DHCP server and create a DHCP scope as shown in the exhibit.


Users report that they cannot submit print jobs to any of the network printers. You investigate and discover that none of the network printers are receiving their IP addresses from the DHCP server. You need to ensure that the network printers receive their IP addresses from DHCP. What should you do?

A. Remove the IP address reservations for the network printers from the DHCP scope.

B. Delete the IP address exclusion range for the network printers from the DHCP scope.

C. Add the 009 LPR Servers option to the DHCP server options.

D. Enable address conflict detection on the DHCP server.

Answer: B

QUESTION NO: 414


You are a network administrator for TestKing.com. The network consists of a Windows NT 4.0 domain. All servers run Windows NT Server 4.0 and all client computers run Windows NT Workstation 4.0. TestKing has two offices that are connected by a 56-Kbps WAN connection. All computers are configured to use WINS for name resolution and network browsing capability between the two offices. TestKing is planning to upgrade the domain controllers to Windows Server 2003 and to deploy Windows Server 2003 and Windows XP Professional computers. You need to maintain name resolution and network browsing support during and after the upgrade process. You need to allow users of Windows NT Workstation 4.0 and Windows XP Professional computers to browse and connect to both Windows NT Server 4.0 and Windows Server 2003 computers. You need to minimize name resolution traffic across the WAN connection. What should you do?

A. Install a Windows Server 2003 DNS server at each office. Configure all Windows NT Workstation 4.0 and Windows NT Server 4.0 computers to use both WINS and DNS for name resolution. Configure all Windows Server 2003 computers to use WINS.

B. Install a Windows Server 2003 DNS server at only one office. Configure all Windows NT Workstation 4.0 and Windows NT Server 4.0 computers to use both WINS and DNS for name resolution. Configure all Windows Server 2003 computers to use WINS.

C. Upgrade the WINS servers at each office to Windows Server 2003. Install a Windows Server 2003 DNS server at only one office and configure it to use WINS lookup. Configure all Windows Server 2003 computers to use WINS.

D. Upgrade the WINS servers at each office to Windows Server 2003. Install a Windows Server 2003 DNS server at each office. Configure each DNS server to use WINS lookup. Configure all Windows Server 2003 computers to use WINS.

Answer: A


QUESTION NO: 415 Exhibit

You are a network administrator for TestKing.com. The user accounts for all service desk users are members of a global group named Service Desk and are located in the ServiceDesk OU. A GPO named Admin Tools assigns the Windows Server 2003 Administration Tools Pack to users. You link the GPO to the Administrators OU. The administrative tools are not installed on the client computers used by the service desk users. These users require the administrative tools. You use the Group Policy Management Console (GPMC) to examine how the Group Policy is applied to the ServiceDesk OU. You discover that the inheritance of GPOs is blocked for the ServiceDesk OU. You need to ensure that the administrative tools are installed on the client computers used by the service desk users. You also need to ensure that the client computers used by the service desk users are not modified in any other way. What should you do?


A. Link the Admin Tools GPO to the ServiceDesk OU.

B. Link the Admin Tools GPO to the domain.

C. Configure the Admin Tools GPO to apply to the Service Desk global group.

D. Create a new GPO that assigns the Windows Server 2003 Administration Tools Pack to computers. Link the new GPO to the ServiceDesk OU.

Answer: A

QUESTION NO: 416 Exhibit, Active Directory

Exhibit, GPMC

Sandra reports that the Run command does not appear on her Start menu, even though she is in the OU named Administration.


You discover that the Default Domain Policy GPO is removing the Run command from Sandra’s Start menu. There is also a GPO named AdministrativeSettings linked to the Administration OU that has the “Remove Menu from Start Menu” setting disabled. To investigate the problem, you use the Group Policy Management Console (GPMC). The relevant information is shown in the exhibit. You need to correct the application of policy settings so that the accounts in the Administrative OU receive the settings from the GPO linked to that OU. You need to accomplish this task without affecting any other policies. What should you do?

A. Disable the No Override setting in the Default Domain Policy GPO.

B. Disable the user configuration setting in the Default Domain Policy GPO.

C. Enable the Block Policy inheritance setting for the Administrative OU.

D. Enable the No Override setting for the AdministrativeSettings GPO.

E. Link the AdministrativeSettings GPO to the domain instead of the Administration OU. Modify the security settings so that the GPO applies to accounts contained in the Administrative OU.

Answer: A