Exam Name: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Exam Type: Microsoft
Exam Code: 70-293
Doc Type: Q & A with Explanations
Total Questions: 432

Contents
A. Planning and Implementing Server Roles and Server Security
B. Planning, Implementing, and Maintaining a Network Infrastructure
C. Planning, Implementing, and Maintaining Routing and Remote Access
D. Planning, Implementing, and Maintaining Server Availability
E. Planning and Maintaining Network Security
F. Planning, Implementing, and Maintaining Security Infrastructure
Relevant objective of each question is mentioned with question number.
Question: 1 (A)
You are a network administrator for Company. The network consists of an intranet and a perimeter network, as shown in the work area. The perimeter network contains:
• One Windows Server 2003, Web Edition computer named Server 1.
• One Windows Server 2003, Standard Edition computer named Server 2.
• One Windows Server 2003, Enterprise Edition computer named Server 3.
• One Web server farm that consists of two Windows Server 2003, Web Edition computers.
All servers on the perimeter network are members of the same workgroup. The design team plans to create a new Active Directory domain that uses the existing servers on the perimeter network. The new domain will support Web applications on the perimeter network. The design team states that the perimeter network domain must be fault tolerant. You need to select which server or servers on the perimeter network need to be configured as domain controllers. Which server or servers should you promote?
To answer, select the appropriate server or servers in the work area.
Answer:

Explanation:
We know that Web Edition computers cannot be domain controllers, and we want fault tolerance, which means two domain controllers. The answer is to promote the two servers that are not running Web Edition to domain controllers (Company2 and Company3).
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294), Que Publishing, Indianapolis, 2004, Chapter 1
Question: 2 (A)
You are a network administrator for Company. The network consists of a single Active Directory domain and contains Windows Server 2003 computers. You install a new service on a server named Company3. The new service requires that you restart Company3. When you attempt to restart Company3, the logon screen does not appear. You turn off and then turn on the power for Company3. The logon screen does not appear. You attempt to recover the failed server by using the Last Known Good Configuration startup option. It is unsuccessful. You attempt to recover Company3 by using the Safe Mode startup options. All Safe Mode options are unsuccessful. You restore Company3. Company3 restarts successfully. You discover that Company3 failed because the new service is not compatible with a security patch. You want to configure all servers so that you can recover from this type of failure by using the minimum amount of time and by minimizing data loss. You need to ensure that in the future, other services that fail do not result in the same type of failure. What should you do?
A. Use Add or Remove Programs.
B. Install and use the Recovery Console.
C. Use Automated System Recovery (ASR).
D. Use Device Driver Roll Back.
Answer: B
Explanation:
• We know that this service causes the failure.
• We want the minimum of time and the minimum of data loss.
• We want a solution for all servers.
• We want to make sure that other services that fail do not result in the same type of failure.
The Recovery Console is a text-mode command interpreter that can be used without starting Windows Server 2003. It allows you to access the hard disk and use commands to troubleshoot and manage problems that prevent the operating system from starting properly.
Incorrect Answers:
A: This option is used to manage software, not uninstall it.
C: Automated System Recovery returns a system to operation by reinstalling the operating system and restoring System State from an ASR backup set; it does not affect services.
D: This option deals with drivers and devices, not services.
Reference: Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, p. 120

Question: 3 (A)
You are a network administrator for Company. The network consists of a single Active Directory domain named Company.com. The network contains 80 Web servers that run Windows 2000 Server. The IIS Lockdown Wizard is run on all Web servers as they are deployed. Company is planning to upgrade its Web servers to Windows Server 2003. You move all Web servers into an organizational unit (OU) named Web Servers. You are planning a baseline security configuration for the Web servers. The company’s written security policy states that all unnecessary services must be disabled on servers. Testing shows that the server upgrade process leaves the following unnecessary services enabled:
• SMTP
• Telnet
Your plan for the baseline security configuration for Web servers must comply with the written security policy. You need to ensure that unnecessary services are always disabled on the Web servers. What should you do?
A. Create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Web Servers OU.
B. Create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Web Servers OU.
C. Create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Web Servers OU.
D. Create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Web Servers OU.
Answer: C
Explanation:
The Web servers have been moved to an OU. This makes it easy for us to configure the Web servers by using a Group Policy. We can simply assign a Group Policy to the Web Servers OU to disable the services.
Incorrect Answers:
A: The logon script would only run when someone logs on to the Web servers. It is likely that the Web servers will be running with no one logged on.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A Group Policy is refreshed at regular intervals.

Question: 4 (A)
You are the network administrator for Company. The network consists of a single Active Directory domain named contoso.com. The functional level of the domain is Windows Server 2003. The domain contains Windows Server 2003 computers and Windows XP Professional computers. The domain consists of the containers shown in the exhibit.
All production server computer accounts are located in an organizational unit (OU) named Servers. All production client computer accounts are located in an OU named Desktops. There are Group Policy objects (GPOs) linked to the domain, to the Servers OU, and to the Desktops OU. The company recently added new requirements to its written security policy. Some of the new requirements apply to all of the computers in the domain, some requirements apply to only servers, and some requirements apply to only client computers. You intend to implement the new requirements by making modifications to the existing GPOs. You configure 10 new Windows XP Professional computers and 5 new Windows Server 2003 computers in order to test the deployment of settings that comply with the new security requirements by using GPOs. You use the Group Policy Management Console (GPMC) to duplicate the existing GPOs for use in testing. You need to decide where to place the test computer accounts in the domain. You want to minimize the amount of administrative effort required to conduct the test while minimizing the impact of the test on production computers. You also want to avoid linking GPOs to multiple containers. What should you do?
A. Place all test computer accounts in the Company.com container.
B. Place all test computer accounts in the Computers container.
C. Place the test client computer accounts in the Desktops OU and the test server computer accounts in the Servers OU.
D. Create a child OU under the Desktops OU for the test client computer accounts. Create a child OU under the Servers OU for the test server computer accounts.
E. Create a new OU named Test under the Company.com container. Create a child OU under the Test OU for the test client computer accounts. Create a second child OU under the Test OU for the test server computer accounts.
Answer: E
Explanation:
To minimize the impact of the test on production computers, we can create a Test OU with child OUs for the server and client computer accounts. Settings that should apply to both the servers and the client computers can be applied to the Test OU, and settings that should apply to only the servers or only the client computers can be applied to the appropriate child OU.
Incorrect Answers:
A: You cannot place computer accounts directly under the domain container. They must be in an OU or in a built-in container such as the Computers container.
B: We need to separate the servers and the client computers into different OUs.
C: This solution would apply the new settings to existing production computers.
D: This could work, but you would have more Group Policy links. For example, the GPO settings that need to apply to both the servers and the client computers would need to be linked to both OUs. It would be easier to link the GPO to a single parent OU.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 29-30
Question: 5 (A)
You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. The network contains a Windows Server 2003 member server named CompanySrvA. The network also contains a Windows XP Professional computer named Client1. You use Client1 as an administrative computer. You plan to use Microsoft Baseline Security Analyzer (MBSA) on Client1 to analyze CompanySrvA. However, the recent application of a custom security template disabled several services on CompanySrvA. You need to ensure that you can use MBSA to analyze CompanySrvA. Which two services should you enable?
To answer, select the appropriate services to enable in the dialog box.
Answer:

Explanation:
The Remote Registry and Server services should be enabled.
The following are the requirements for a computer running the tool that is scanning one or more remote machines:
• Windows Server 2003, Windows 2000, or Windows XP
• Internet Explorer 5.01 or greater
• An XML parser (MSXML version 3.0 SP2 or later) is required in order for the tool to function correctly. Systems not running Internet Explorer 5.01 or greater will need to download and install an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you opt not to install the XML parser that is bundled with the tool, see the notes below on obtaining an XML parser separately.
• The IIS Common Files are required on the computer on which the tool is installed if performing remote scans of IIS computers.
The following services must be enabled: Workstation service and Client for Microsoft Networks.
The following are the requirements for a computer to be scanned remotely by the tool:
• Windows NT 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows XP computers that use simple file sharing), or Windows Server 2003
• IIS 4.0, 5.0, 6.0 (required for IIS vulnerability checks)
• SQL 7.0, 2000 (required for SQL vulnerability checks)
• Microsoft Office 2000, XP (required for Office vulnerability checks)
The following services must be installed/enabled: Server service, Remote Registry service, File & Print Sharing.
Reference: From the readme file for MBSA; Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12:50-51

Question: 6 (A)
You are the senior systems engineer for Company. The network consists of a single Active Directory domain named Company.com. All servers run Windows Server 2003. Client computers in the sales department run Windows NT Workstation 4.0 with the Active Directory Client Extension software installed. All other client computers run Windows XP Professional. All servers are located in an organizational unit (OU) named Servers. All client computers are located in an OU named Desktops. Four servers contain confidential company information that is used by users in either the finance department or the research department. Users in the sales department also store files and applications on these servers. The company’s written security policy states that for auditing purposes, all network connections to these resources must require authentication at the protocol level. The written security policy also states that all network connections to these resources must be encrypted. The Company budget does not allow for the purchase of any new hardware or software.
The applications and data located on these servers may not be moved to any other server in the network. You define and assign the appropriate permissions to ensure that only authorized users can access the resources on the servers. You now need to ensure that all connections made to these servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy. You also need to ensure that all users in the sales department can continue to access their resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Secure Server (Require Security) IPSec policy in the GPO.
B. Create a new Group Policy object (GPO) and link it to the Servers OU. Enable the Server (Request Security) IPSec policy in the GPO.
C. Create a new Group Policy object (GPO) and link it to the Desktops OU. Enable the Client (Respond only) IPSec policy in the GPO.
D. Create a new Group Policy object (GPO). Edit the GPO to enable the Registry Policy Processing option and the IP Security Policy Processing option. Copy the GPO files to the Netlogon shared folder.
E. Use the System Policy Editor to open the System.adm file and enable the Registry Policy Processing option and the IP Security Policy Processing option. Save the system policy as NTConfig.pol.
Answer: B, C
Explanation:
We need to ensure that the connections made to the servers by the users in the finance department and in the research department meet the security guidelines stated by the written security policy. The computers in these departments use Windows XP Professional. We can therefore enable IPSec communication between the servers and the clients in the finance and
research departments. However, the sales users use Windows NT, which cannot use IPSec. Therefore, to ensure that the NT clients can still communicate with the servers, we should enable the Server (Request Security) IPSec policy on the servers and the Client (Respond only) IPSec policy for the client computers.
Incorrect Answers:
A: This policy is intended for computers working with sensitive data that must be secured at all times.
D: Registry Policy Processing specifies how Registry policies are processed, such as whether Registry policies can be applied during periodic background processing. IP Security Policy Processing specifies how IP security policies are updated. Copying the GPO files to the Netlogon shared folder enables all authenticated users to access them.
E: In Windows Server 2003 operating systems, the Group Policy Object Editor replaces the System Policy Editor.
Reference: Dan Holme and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, Chapters 5 and 11.

Question: 7 (A)
You are the systems engineer for Company. The company has a main office in Las Palmas and two branch offices, one in Barcelona and one in Madrid. The offices are connected to one another by dedicated T1 lines. Each office has its own local IT department and administrative staff. The company network consists of a single Active Directory domain named Company.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. All servers support firmware-based console redirection by means of the serial port. The server hardware does not support any other method of console redirection and cannot be upgraded to do so. The company is currently being reorganized.
The IT department from each branch office is being relocated to a new central data center in the Las Palmas office. Several servers from each branch office are also being relocated to the Las Palmas data center. Each branch office will retain 10 servers. A new written security policy includes the following requirements:
• All servers must be remotely administered for all administrative tasks.
• All servers must be administered from the Las Palmas office.
• All remote administration connections must be authenticated and encrypted.
Your current network configuration already adheres to the new written security policy for day-to-day server administration tasks performed on the servers. You need to plan a configuration for out-of-band management tasks for each office that meets the new security requirements. Which three actions should you take? (Each correct answer presents part of the solution. Choose three.)
A. Connect each server’s serial port to a terminal concentrator. Connect the terminal concentrator to the network.
B. Connect a second network adapter to each server. Connect the second network adapter in each server to a separate network switch. Connect the management port on the switch to a WAN port on the office router. Enable IPSec on the router.
C. Enable Routing and Remote Access on a server in each branch office, and configure it as an L2TP/IPSec VPN server. Configure a remote access policy to allow only authorized administrative staff to make a VPN connection.
D. On each server, enable the Telnet service with a startup parameter of Automatic. Configure Telnet on each server to use only NTLM authentication. Apply the Server (Request Security) IPSec policy to all servers.
E. On each server, enable Emergency Management Services console redirection and the Emergency Management Services Special Administration Console (SAC).
Answer: A, C, E
Explanation:
The Special Administration Console Helper system service can be used to perform remote management tasks if the Windows Server 2003 family operating system stops functioning due to a Stop error message. Its main functions are to:
• Redirect Stop error message explanatory text
• Restart the system
• Obtain computer identification information
The SAC is an auxiliary Emergency Management Services command-line environment that is hosted by Windows Server 2003 family operating systems. It also accepts input, and sends output, through the out-of-band port. !SAC is a separate entity from both SAC and the Windows Server 2003 family command-line environments. After a specific failure point is reached, Emergency Management Services components determine when the shift should be made from SAC to !SAC. !SAC becomes available automatically if SAC fails to load or is not functioning. If the Special Administration Console Helper service is stopped, SAC services will no longer be available. If this service is disabled, any services that explicitly depend on it will not start.
Incorrect Answers:
B: There is no need to connect a second network adapter to each server and have that adapter connected to a separate network switch.
D: Making use of NTLM authentication and applying the Server (Request Security) IPSec policy on all servers is not the solution.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
12: 27

Question: 8 (A)
You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication. You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits. What should you do?
A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A
Explanation:
The easiest way to deploy multiple security settings to a Windows Server 2003 computer is to create a security template with all the required settings and import the settings into a Group Policy. We can also use secedit to analyze the current security settings to verify that the required security settings are in place.
Incorrect Answers:
B: An IPSec policy will not configure the required auditing policy.
C: We need a security template, not an Administrative Template.
D: This will create multiple identical machines. We cannot use RIS images in this scenario.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57

Question: 9 (A)
You are a network administrator for Company. The network consists of a single Active Directory forest. All domain controllers run Windows Server 2003. The bank decides to provide access to its mortgage application services from a real estate agency that has offices throughout the country. You install a Company domain controller in each real estate agency office. You need to further protect the domain controllers’ user account databases from unauthorized access. You want to achieve this goal by using the minimum amount of administrative effort. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Use the system key utility (syskey) with the most secure security level on the domain controllers.
B. Create a Group Policy object (GPO), import the Securedc.inf security template, and apply the GPO to the domain controllers.
C. Create a Group Policy object (GPO), configure the Network security: LAN Manager authentication level security option to the Send NTLMv2 response only\refuse LM setting, and apply the GPO to the domain controllers.
D.
Create a Group Policy object (GPO), import the DC security.inf security template, and apply the GPO to the domain controllers.
Answer: A, C

Question: 10 (A)
You are a network administrator for Company. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers, 300 Windows 2000 Professional computers, and 150 Windows XP Professional computers. According to the network design specification, the Kerberos version 5 authentication protocol must be used for all client computers on the internal network. You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network. What should you do?
A. On each domain controller, disable Server Message Block (SMB) signing and encryption of the secure channel traffic.
B. Replace all Windows 98 computers with new Windows XP Professional computers.
C. Install the Active Directory Client Extension software on the Windows 98 computers.
D. Upgrade all Windows 98 computers to Windows NT Workstation 4.0.
Answer: B
Explanation:
By default, in a Windows Server 2003 domain, Windows 2000 and Windows XP clients use Kerberos as their authentication protocol. Windows 98 does not support Kerberos authentication; therefore, we need to upgrade the Windows 98 computers.
Incorrect Answers:
A: This will not enable the Windows 98 clients to use Kerberos authentication.
C: The Active Directory Client Extension software does not enable Windows 98 clients to use Kerberos authentication.
D: Windows NT 4.0 does not support Kerberos authentication.
Reference: J. C. Mackin & Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11: 39-42

Question: 11 (A)
You are the network administrator for Company. The company has a main office and 20 branch offices. You recently completed the design of the company network. The network design consists of a single Active Directory domain named Company.com. All domain controllers will run Windows Server 2003. The main office will contain four domain controllers, and each branch office will contain one domain controller. The branch office domain controllers will be administered from the main office. You need to ensure that the domain controllers are kept up-to-date with software updates for Windows Server 2003 after their initial deployment. You want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention. You also want to configure the settings by using the minimum amount of administrative effort. What should you do?
A. In System Properties, on the Automatic Updates tab, enable Keep my computer up to date, and then select Download the updates automatically and notify me when they are ready to be installed.
B. In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 3 – Auto download and notify for install.
C.
In the Default Domain Controllers Policy Group Policy object (GPO), enable Configure Automatic Updates with option 4 – Auto download and schedule the install.
D. In System Properties, on the Automatic Updates tab, enable Keep my computer up to date, and then select Automatically download the updates, and install them on the schedule that I specify.
Answer: C
Explanation:
The question states that you want to ensure that the domain controllers automatically install the updates by using the minimum amount of administrative intervention. The way to do this is to configure Automatic Updates with the option to Auto download and schedule the install. The easiest way to configure the domain controllers with this setting is to configure a Group Policy object for the domain controllers. The drawback of this solution is that the domain controllers may automatically restart after the updates are installed. Scheduling the updates to install outside business hours will minimize any disruption.
Incorrect Answers:
A: It is easier to configure the domain controllers by using Group Policy.
B: This solution will download the updates, but it will not install them until an administrator manually clicks the install button in the notification dialog box. Answer C automates the procedure more
by scheduling the installation to occur at a set time without any further administrative intervention.
D: It is easier to configure the domain controllers by using Group Policy.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13: 8

Question: 12 (A)
You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. The company plans to deploy 120 Windows Server 2003 member servers as file servers in the domain. The new file servers will be located in a single organizational unit (OU) named File Servers. The security department provides you with a security template that must be applied to the new file servers. You need to apply and maintain the security settings contained in the security template on the new file servers. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. On a reference computer, use the Local Security Settings console to import the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer.
B. On a reference computer, run the secedit command to apply the security template. Use imaging technology to install and configure the new file servers based on the configuration of the reference computer.
C. Create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU.
D. On the PDC emulator master in the domain, run the secedit command to apply the security template.
Answer: C
Explanation:
We have a security template with the required security settings. We can simply import the template into a Group Policy object and apply the settings to the File Servers OU.
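As an added illustration (not part of the original question set, and not a Microsoft-supplied template), this is the kind of security template (.inf) that Questions 3, 8 and 12 rely on: it disables the SMTP and Telnet services, sets the audit and password settings named in Question 8, and sets the LAN Manager authentication level named in Question 9, and it can be imported into a GPO or checked with secedit. The file path, the service security descriptor and the particular values chosen are assumptions for this example.

```ini
; Added example, not from the original question set: a Windows Server 2003
; security template (.inf) of the kind Questions 3, 8 and 12 rely on.
; Assumptions: the path C:\Templates\baseline.inf, the service security
; descriptor and the particular values are ours, not Microsoft defaults.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Question 8: complexity, history and aging (history counts passwords, ages are in days)
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 1
MinimumPasswordLength = 8

[Event Audit]
; Question 8: account logon, object access and system events.
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditObjectAccess = 3
AuditSystemEvents = 3

[Registry Values]
; Network security: LAN Manager authentication level (Question 9, option C).
; Line format is path=type,value; type 4 is REG_DWORD and value 4 is
; "Send NTLMv2 response only\refuse LM".
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4

[Service General Setting]
; Question 3: startup type 4 = Disabled (2 = Automatic, 3 = Manual).
; The third field is the service security descriptor in SDDL; this one is an
; example (full control for Administrators, start/stop for SYSTEM, query for
; Interactive users), not a default.
SMTPSVC,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
TlntSvr,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)"

; Deployment (the answer to Questions 3, 8 and 12): import this file into the
; Security Settings of a GPO linked to the target OU, so that the settings are
; refreshed periodically. For a one-off apply on a reference computer, or to
; verify the current settings against the template during an audit (the secedit
; use mentioned in the Question 8 explanation):
;   secedit /configure /db %TEMP%\baseline.sdb /cfg C:\Templates\baseline.inf /log %TEMP%\baseline.log
;   secedit /analyze /db %TEMP%\baseline.sdb /cfg C:\Templates\baseline.inf /log %TEMP%\analyze.log
```

The /analyze log lists each template setting as matching or mismatching the computer's current configuration, which is the evidence an auditor can check.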
Incorrect Answers:
A: This would work initially, but there is a catch in the question: you need to apply and maintain the security settings contained in the security template on the new file servers. Settings applied through a GPO are periodically refreshed, which is what keeps them maintained; an imaged configuration is applied only once.
B: Applying the template with secedit on the reference computer has the same limitation: the settings are applied once at imaging time, whereas GPO settings are periodically refreshed and therefore maintained.
D: This would have no effect on the file servers.
Reference: Jill Spealman, Kurt Hudson, and Melissa Craft; MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Question: 13(A) You are a network administrator for Company. The company consists of a single Active Directory domain named Company.com. All client computers run Windows XP Professional.
The company’s main office is located in Dallas. You are a network administrator at the company’s branch office in Boston. You create a Group Policy object (GPO) that redirects the Start menu for users in the Boston branch office to a shared folder on a file server. Several users in Boston report that many of the programs that they normally use are missing from their Start menus. The programs were available on the Start menu the previous day, but did not appear when the users logged on today. You log on to one of the client computers. All of the required programs appear on the Start menu. You verify that users can access the shared folder on the server. You need to find out why the Start menu changed for these users. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. In the Group Policy Management Console (GPMC), select the file server that hosts the shared folder and a user account that is in the Domain Admins global group and run Resultant Set of Policy (RSoP) in planning mode.
B. In the Group Policy Management Console (GPMC), select one of the affected user accounts and run Resultant Set of Policy (RSoP) in logging mode.
C. On one of the affected client computers, run the gpresult command.
D. On one of the affected client computers, run the gpupdate command.
E. On one of the affected client computers, run the secedit command.
Answer: B, C
Explanation: We need to view the effective Group Policy settings for the users or for the computers that the users are using. We can use gpresult or RSoP. Gpresult displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer.
RSoP overview: Resultant Set of Policy (RSoP) is an addition to Group Policy. RSoP provides details about all policy settings that are configured by an administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation.
RSoP consists of two modes: planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing policy settings for a computer and the user that is currently logged on.
Incorrect Answers:
A: We need to test the effective policy from a user’s computer, not from the file server.
D: Gpupdate is the tool used to refresh the policy settings in Windows XP and Windows Server 2003.
E: Secedit is the tool used to refresh the policy in Windows 2000 Professional and Server editions.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 35

Question: 14(A) You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. Company’s perimeter network contains 50 Web servers that host the company’s public Internet site. The Web servers are not members of the domain. The network design team completed a new design specification for the security of servers in specific roles. The
network design requires that security settings must be applied to Web servers. These settings include password restrictions, audit settings, and automatic update settings. You need to comply with the design requirements for securing the Web servers. You also want to be able to verify the security settings and generate a report during routine maintenance. You want to achieve these goals by using the minimum amount of administrative effort. What should you do?
A. Create a custom security template named Web.inf that contains the required security settings. Create a new organizational unit (OU) named WebServers and move the Web servers into the new OU. Apply Web.inf to the WebServers OU.
B. Create a custom security template named Web.inf that contains the required security settings, and deploy Web.inf to each Web server by using Security Configuration and Analysis.
C. Create an image of a Web server that has the required security settings, and replicate the image to each Web server.
D. Manually configure the required security settings on each Web server.
Answer: B
Explanation: The easiest way to deploy multiple security settings to a Windows Server 2003 computer that is not a domain member is to create a security template with all the required settings and import the settings using the Security Configuration and Analysis tool. The same tool can later analyze each server against the template, which covers the requirement to verify the settings and generate a report.
Incorrect Answers:
A: The Web servers aren’t members of the domain. Therefore they cannot be moved to an OU in Active Directory.
C: We cannot use imaging in this way.
D: This is a long way of doing it. A security template would simplify the task.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57

Question: 15(A) You are a network administrator for Company Inc. The network consists of a single Active Directory forest as shown in the exhibit.
Company’s written security policy requires that all domain controllers in the child1.Company.com domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the ability to start a domain controller to the Domain Admins group. You need to configure the domain controllers in the child1.Company.com domain to meet the new security requirements. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.Company.com domain.
B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.Company.com domain.
C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy object (GPO) in the child1.Company.com domain.
D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in the child1.Company.com domain.
E. Run the system key utility (syskey) on each domain controller in the child1.Company.com domain. In the Account Database Key dialog box, select the Password Startup option.
F. Run the system key utility (syskey) on each domain controller in the child1.Company.com domain. In the Account Database Key dialog box, select the Store Startup Key Locally option.
Answer: C, E
Explanation: Secure (Secure*.inf) templates: The Secure templates define enhanced security settings that are least likely to impact application compatibility. For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses.
• In order to apply Securews.inf to a member computer, all of the domain controllers that contain the accounts of all users that log on to the client must run Windows NT 4.0 Service Pack 4 or higher.
The system key utility (syskey): A security measure used to restrict logon names to user accounts and access to computer systems and resources. By running the syskey utility with the Password Startup option, the account information in the directory service is encrypted and a password must be entered during system start. Starting the domain controllers is therefore restricted to those who know this password.
Incorrect Answers:
A, B: The Rootsec.inf security template defines permissions for the root of the system drive. This template can be used to reapply the root directory permissions to other volumes. It does not configure LAN Manager authentication.
D: We need to apply the policy to the Domain Controllers container, not to the entire domain.
F: The System Key Utility (syskey) is used to encrypt the account password information that is stored in the SAM database or in the directory service. By selecting "Store Startup Key Locally" the computer stores an encrypted version of the key on the local computer, so nothing needs to be entered at startup. This doesn’t help in controlling the start of the domain controllers.
Reference: http://www.microsoft.net/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/syskey_concept.asp
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8

Question: 16(A) You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. All member servers run Windows Server 2003. All client computers run Windows XP Professional. All client computer accounts in the domain are located in an organizational unit (OU) named Workstations. You need to distribute a new application to all client computers on the network. You create a Group Policy object (GPO) that includes the application package in the software installation settings of the Computer Configuration section of the GPO. You assign the GPO to the Workstations OU. Several days later, users report that the new application is still not installed on their client computers. You need to ensure that the application is installed on all client computers. What should you do?
A. Instruct users to restart their client computers.
B. Instruct users to run Windows Update on their client computers.
C. Instruct users to force a refresh of the computer policy settings on their client computers.
D. Instruct users to force a refresh of the user policy settings on their client computers.
Answer: A
Explanation: When an application is assigned to a computer, the software is deployed when it is safe to do so (that is, when the operating system files are closed).
This generally means that the software will be installed when the computer starts up, which ensures that the application is deployed before any user logs on. For this scenario, we need to tell the users to restart their client computers.
Incorrect Answers:
B: Windows Update is used to update the operating system with the latest security patches and similar updates.
C: You applied the policy several days ago. The client computers should have the GPO by now.
D: The setting isn’t in the user section of the Group Policy.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1: 29-30

Question: 17(A) You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. Company merges with a company named Acme. You need to create new user accounts for all of the Acme employees. The e-mail address format for all users at Acme is alias@acme.net. The users need to continue to use their e-mail addresses after the merger. To decrease confusion, these users also need to be able to use their e-mail addresses as their user logon names when logging on to the company network. You need to ensure that new users can log on by using their e-mail addresses as their logon names. You want to achieve this goal by incurring the minimum cost and by using the minimum amount of administrative effort. What should you do?
A. Create a new domain tree named acme.net in the Company.com forest. Create user accounts for all of the users in the acme.net domain.
B. Create a new forest named acme.net. Create user accounts for all of the users in the acme.net domain. Configure a forest trust relationship between the two forests.
C. Create user accounts for all of the new users in the Company.com domain. Configure the e-mail addresses for all of the Acme users as alias@acme.net.
D. Configure acme.net as an additional user principal name (UPN) suffix for the Company.com forest. Configure each user account to use the acme.net UPN suffix.
Answer: D
Explanation: You can simplify the logon process for users by enabling UPN logon. When UPN logon is enabled, all users use the same UPN suffix to log on to their domains. A UPN consists of the user's logon name and the DNS name of the domain. When you enable UPN logon, users' logon names remain the same even when their domains change. You might choose to enable UPN logon if:
• Domain names in your enterprise are complex and difficult to remember.
• Users in your organization might change domains as a result of domain consolidation or other organizational changes.
• All domains in the forest are in native mode.
• User logon names are unique within the forest.
• A global catalog server is available to match the UPN to the correct domain account.
You can use one UPN suffix for all users in the forest.
Incorrect Answers:
A, B: Creating a new domain tree or forest and creating the user accounts for all of the users in the acme.net domain would require excessive administrative effort.
C: Creating new user accounts for all of the Acme users in this way would require excessive administrative effort. Using the UPN logon feature would require less administrative effort.
Reference: Thomas W.
Shinder and Debra Littlejohn Shinder, MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, Syngress, 2003, p. 956.

Question: 18(A) You are the network administrator for Company. The company consists of two subsidiaries named Contoso, Ltd, and City Power & Light. The network contains two Active Directory forests named contoso.net and cpand1.net. The functional level of each forest is Windows Server 2003. A two-way forest trust relationship exists between the forests. You need to achieve the following goals:
• Users in the contoso.net forest must be able to access all resources in the cpand1.net forest.
• Users in the cpand1.net forest must be able to access only resources on a server named HRApps.contoso.net.
You need to configure the forest trust relationship and the resources on HRApps.contoso.net to achieve the goals. Which three actions should you take? (Each correct answer presents part of the solution. Choose three)
A. On a domain controller in the contoso.net forest, configure the properties of the incoming forest trust relationship to use selective authentication.
B. On a domain controller in the contoso.net forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
C. On a domain controller in the cpand1.net forest, configure the properties of the incoming forest trust relationship to use selective authentication.
D. On a domain controller in the cpand1.net forest, configure the properties of the incoming forest trust relationship to use forest-wide authentication.
E. Modify the discretionary access control lists (DACLs) on HRApps.contoso.net to allow access to the Other Organization security group.
F. Modify the discretionary access control lists (DACLs) on HRApps.contoso.net to deny access to the This Organization security group.
Answer: A, D, E
Explanation: When all domains in two forests trust each other and need to authenticate users, establish a forest trust between the forests. When only some of the domains in two Windows Server 2003 forests trust each other, establish one-way or two-way external trusts between the domains that require interforest authentication.
Selective authentication between forests: Using Active Directory Domains and Trusts, you can determine the scope of authentication between two forests that are joined by a forest trust. You can set selective authentication differently for outgoing and incoming forest trusts. With selective authentication, administrators can make flexible forest-wide access control decisions. If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. For example, if ForestA has an incoming forest trust from ForestB and forest-wide authentication is used, users from ForestB would be able to access any resource in ForestA (assuming they have the required permissions).
If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each domain and resource to which you want users in the second forest to have access. To do this, set the control access right Allowed to authenticate on an object for that particular user or group from the second forest. When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is authenticated, the server to which he authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.
Taking the above into account: option D (forest-wide authentication on the incoming trust in cpand1.net) gives users in the contoso.net forest forest-wide access to cpand1.net; option A (selective authentication on the incoming trust in contoso.net) limits cpand1.net users to the resources on which they are explicitly allowed to authenticate; and option E grants those users access on HRApps.contoso.net through the Other Organization group.
Incorrect Answers:
B: If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest. However, users in the cpand1.net forest must be able to access only resources on the server named HRApps.contoso.net. We should therefore use selective authentication on the incoming trust in contoso.net for access from the cpand1.net forest.
C: Users in the contoso.net forest must be able to access all resources in the cpand1.net forest; in other words, they need forest-wide access.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 4-48 to 4-49.
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training System, Syngress Publishing Inc., Rockland, 2003, p. 254.

Question: 19(A) You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. User accounts are configured as local administrators so that users can install software. A desktop support team supports end users. The desktop support team’s user accounts are all members of a group named Support. You create a software restriction policy that only prevents users from running registry editing tools by file hash rule. You apply the policy to all user accounts in the domain. The desktop support team reports that when they attempt to run registry editing tools, they receive the following error message: “Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator”. You need to ensure that only the desktop support team can run registry editing tools. What should you do?
A. Configure the software restriction policies to be enforced for all users except local administrators.
B. Make users members of the Power Users group instead of the Administrators group.
C. Use a logon script to copy the registry editing tools to the root of drive C. Assign the Domain Admins group the Allow – Read permission for the registry editing tools in the new location.
D. Filter the software restriction policy to prevent the Support group from applying the policy.
Answer: D
Explanation: We can prevent the software restriction policy from applying to the Support group by simply assigning the Support group the Deny – Read and/or the Deny – Apply Group Policy permission on the GPO.
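As an added illustration (not from the exam guide), the following Python model shows the two mechanisms this question turns on: a file-hash disallow rule matches the tool's contents wherever it is copied, and security filtering (Deny – Apply Group Policy for the Support group) takes the whole GPO out of scope for that group. A path rule is included only for contrast. Group names, paths and the file bytes are constructed, and SHA-1 stands in for the hash the policy engine computes.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the bytes of a registry editing tool.
REGEDIT_IMAGE = b"MZ\x90\x00 constructed regedit image, build 1"


@dataclass(frozen=True)
class HashRule:
    """Disallow rule keyed on the file's SHA-1 digest; the path is irrelevant."""
    sha1: str
    description: str

    def matches(self, path, data):
        return hashlib.sha1(data).hexdigest() == self.sha1


@dataclass(frozen=True)
class PathRule:
    """Disallow rule keyed on a path prefix (here only to contrast with the hash rule)."""
    prefix: str
    description: str

    def matches(self, path, data):
        return path.lower().startswith(self.prefix.lower())


@dataclass
class SrpGpo:
    """A GPO carrying disallow rules plus its security filtering."""
    rules: list
    # Groups given Deny 'Apply Group Policy' on the GPO (answer D in the question).
    denied_groups: set = field(default_factory=set)

    def applies_to(self, user_groups):
        return not (self.denied_groups & set(user_groups))

    def first_match(self, path, data):
        for rule in self.rules:
            if rule.matches(path, data):
                return rule
        return None


def hash_rule_for(data, description):
    return HashRule(hashlib.sha1(data).hexdigest(), description)


def can_run(gpo, user_groups, path, data):
    """Return (allowed, reason) for a user launching the file at path."""
    if not gpo.applies_to(user_groups):
        return True, "GPO filtered out for this user"
    rule = gpo.first_match(path, data)
    if rule is None:
        return True, "no matching rule"
    return False, f"blocked by {type(rule).__name__}: {rule.description}"


def demo():
    """Evaluate the Question 19 scenario under a hash rule and, for contrast, a path rule."""
    hash_gpo = SrpGpo(rules=[hash_rule_for(REGEDIT_IMAGE, "regedit.exe")],
                      denied_groups={"Support"})
    path_gpo = SrpGpo(rules=[PathRule(r"C:\Windows\regedit.exe", "regedit.exe")],
                      denied_groups={"Support"})
    user = ["Domain Users", "Administrators"]                 # local admin, still in scope
    support = ["Domain Users", "Administrators", "Support"]   # filtered out by answer D
    original = r"C:\Windows\regedit.exe"
    copy = r"C:\regedit.exe"                                  # the copy made by answer C
    return {
        "hash_original": can_run(hash_gpo, user, original, REGEDIT_IMAGE)[0],
        "hash_copy": can_run(hash_gpo, user, copy, REGEDIT_IMAGE)[0],
        "hash_support": can_run(hash_gpo, support, original, REGEDIT_IMAGE)[0],
        "path_original": can_run(path_gpo, user, original, REGEDIT_IMAGE)[0],
        "path_copy": can_run(path_gpo, user, copy, REGEDIT_IMAGE)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:14s} -> {'runs' if allowed else 'blocked'}")
```

The hash rule blocks the tool at both locations for ordinary users and is skipped entirely for Support members; only the path rule would stop covering the copied file.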
Incorrect Answers:
A: The users are local administrators. The policy must still apply to the local administrators.
B: The policy applies to all users. It will still apply to the Support group. Changing the local group membership of the users will have no effect on the policy.
C: The software restriction policy uses a hash rule to prevent the use of the registry editing tools. It doesn’t matter where the tools are located; they still won’t run.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 9: 16

Question: 20(A) You are the network administrator for Company. Your user account is a member of the Schema Admins group. The network consists of a single Active Directory forest that contains three domains. The functional level of the forest is Windows Server 2003. A Windows Server 2003 domain controller named CompanyA holds the schema master role. An application named Application1 creates additional schema classes. You notice that this application created some classes that have incorrect class names. You need to correct the class names as quickly as possible.
What should you do?
A. Deactivate the Application1 classes that have the incorrect class names. Set the default security permission for the Everyone group for those schema classes to Deny.
B. Deactivate the Application1 classes that have the incorrect class names. Create the Application1 classes with the correct class names.
C. Rename the description of the Application1 classes to the correct class name. Instruct the developers of Application1 to change the code of the application so that the renamed schema classes can be used.
D. Instruct the developers of Application1 to change the code of the application so that the application creates the new schema classes with the correct class names. Reinstall Application1 and select Reload the schema in the Active Directory Schema console.
Answer: B
Explanation: We need to deactivate the Application1 classes that have the incorrect class names, because you cannot delete or rename a class. We can only deactivate the incorrect classes and recreate the classes with the correct class names.
Extending the schema: When the set of classes and attributes in the base Active Directory schema does not meet your needs, you can extend the schema by modifying or adding classes and attributes. You should only extend the schema when absolutely necessary. The easiest way to extend the schema is through the Active Directory Schema Microsoft Management Console (MMC) snap-in. You should always develop and test your schema extensions in a test lab before moving them to your production network.
Schema extensions are not reversible: Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated.
Deactivating a class or attribute: Domain controllers running Windows Server 2003 do not permit the deletion of classes or attributes, but they can be deactivated if they are no longer needed or if there was an error in the original definition. A deactivated class or attribute is considered defunct.
A defunct class or attribute is unavailable for use; however, it is easily reactivated. If your forest has been raised to the Windows Server 2003 functional level, you can reuse the object identifier (governsId and attributeId values), the ldapDisplayName, and the schemaIdGUID that were associated with the defunct class or attribute. This allows you to change the object identifier associated with a particular class or attribute. The only exception is that an attribute used as the rdnAttId of a class continues to own its attributeId, ldapDisplayName, and schemaIdGuid values even after being deactivated (that is, those values cannot be reused). If your forest has been raised to the Windows Server 2003 functional level, you can deactivate a class or attribute and then redefine it.
Incorrect Answers:
A: It is not necessary to deny access to the classes after deactivating them. We need to recreate the classes with the correct names.
C: Changing the description of a class doesn’t rename the class. It is not possible to rename a class.
D: We need to deactivate the classes that have the incorrect class names.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 11
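As an added example (not from the exam guide), this Python model encodes the schema rules the explanation relies on: deletion and renaming are refused, deactivation makes an object defunct, a defunct object's ldapDisplayName and OID can be reused only at the Windows Server 2003 forest functional level, and an attribute used as a class's rdnAttId keeps its identifiers even when defunct. Class and attribute names and the OIDs are constructed placeholders.

```python
from dataclasses import dataclass

FOREST_2000 = "Windows 2000"
FOREST_2003 = "Windows Server 2003"
APP1_OID = "1.2.840.113556.1.8000.999.1"       # constructed placeholder OIDs
ATTR_OID = "1.2.840.113556.1.8000.999.2"
FRESH_OID = "1.2.840.113556.1.8000.999.9"


@dataclass
class SchemaObject:
    ldap_display_name: str
    oid: str              # governsId for a class, attributeId for an attribute
    kind: str             # "class" or "attribute"
    defunct: bool = False


class Schema:
    """Minimal model of one forest's schema naming context."""

    def __init__(self, forest_level):
        self.forest_level = forest_level
        self.objects = []        # every object ever created, active or defunct
        self.rdn_attrs = set()   # names of attributes used as rdnAttId of a class

    def _owner(self, name, oid):
        """Return the object that still owns this name or OID, or None."""
        for obj in self.objects:
            if obj.ldap_display_name != name and obj.oid != oid:
                continue
            if not obj.defunct:
                return obj    # an active object always owns its identifiers
            if obj.kind == "attribute" and obj.ldap_display_name in self.rdn_attrs:
                return obj    # rdnAttId exception: identifiers stay owned when defunct
            if self.forest_level != FOREST_2003:
                return obj    # below 2003 forest level a defunct object keeps them too
        return None

    def add(self, name, oid, kind="class", rdn_att=None):
        owner = self._owner(name, oid)
        if owner is not None:
            raise ValueError(f"{name} / {oid} still owned by {owner.ldap_display_name}")
        if rdn_att is not None:
            self.rdn_attrs.add(rdn_att)
        obj = SchemaObject(name, oid, kind)
        self.objects.append(obj)
        return obj

    def delete(self, name):
        raise PermissionError("schema objects cannot be deleted; deactivate instead")

    def rename(self, name, new_name):
        raise PermissionError("a class cannot be renamed; deactivate and recreate it")

    def deactivate(self, name):
        for obj in self.objects:
            if obj.ldap_display_name == name and not obj.defunct:
                obj.defunct = True
                return obj
        raise KeyError(name)

    def active_names(self):
        return sorted(o.ldap_display_name for o in self.objects if not o.defunct)


def fix_misnamed_class(forest_level):
    """Answer B: deactivate the misnamed class, then create it under the right name.
    Returns (whether the original OID could be reused, active class names)."""
    schema = Schema(forest_level)
    schema.add("app1-Widgt", APP1_OID)           # what Application1 created by mistake
    for forbidden in (lambda: schema.delete("app1-Widgt"),
                      lambda: schema.rename("app1-Widgt", "app1-Widget")):
        try:
            forbidden()                          # answers C/D style shortcuts: refused
        except PermissionError:
            pass
    schema.deactivate("app1-Widgt")
    try:
        schema.add("app1-Widget", APP1_OID)      # reuse allowed only at 2003 forest level
        reused = True
    except ValueError:
        schema.add("app1-Widget", FRESH_OID)     # below that, a fresh OID is needed
        reused = False
    return reused, schema.active_names()


def rdn_attribute_keeps_identifiers():
    """The exception in the text: a defunct rdnAttId attribute still owns its name."""
    schema = Schema(FOREST_2003)
    schema.add("app1-WidgetName", ATTR_OID, kind="attribute")
    schema.add("app1-Widget", APP1_OID, rdn_att="app1-WidgetName")
    schema.deactivate("app1-WidgetName")
    try:
        schema.add("app1-WidgetName", FRESH_OID, kind="attribute")
        return False
    except ValueError:
        return True
```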
Question: 21(A) You are the administrator for Company. The network consists of a single Active Directory domain named Company.com. All servers run Windows Server 2003. When the network was designed, the design team set design specifications. After the network was implemented, the deployment team set baseline specifications. The specifications for broadcast traffic are:
• The design specifications require that broadcast traffic must be 5 percent or less of total network traffic.
• The baseline specifications showed that the broadcast traffic is always 1 percent or less of the total network traffic during normal operation.
You need to monitor the network traffic and find out if the level of broadcast traffic is within the design and baseline specs. You decide to use Network Monitor. After monitoring for 1 hour, you observe the results shown in the exhibit:
You need to report the results of your observations to management. Which two actions should you take?
A. Report that the broadcast traffic is outside of the baseline specs.
B. Report that the broadcast traffic is outside of the design specs.
C. Report that the broadcast traffic is within the design specs.
D. Report that the broadcast traffic is within the baseline specs.
Answers: A, B
Explanation: A baseline is a measurement derived from the collection of data over an extended period during varying workloads and user connections, representing acceptable performance under typical operating conditions. The baseline indicates how system resources are used during periods of normal activity and makes it easier to spot problems when they occur. A baseline provides a mechanism for identifying what normal operating conditions are for a server. The baseline acts as a reference for troubleshooting performance issues. If the design specifications require that broadcast traffic must be 5 percent or less of total network traffic, then the graphic indicates that it is outside of the specifications as monitored over a period of one hour. Further, if the baseline specifications showed that the broadcast traffic is always 1 percent or less of the total network traffic during normal operation, then you can report that the broadcast traffic is outside of the baseline specs as monitored over the period of one hour.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 14:42
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 2, pp. 94-112

Question: 22(A) You are the network administrator for Contoso, Ltd. The network contains a single Active Directory domain named Contoso.net.
All computers on the network are members of the domain. Contoso, Ltd. has a main office and 20 branch offices. Each branch office has a connection to the main office. Only the main office has a connection to the Internet. You are planning a security update infrastructure for your network. You deploy a central Software Update Services (SUS) server at the main office and an SUS server at each branch office. The SUS server at the main office uses Windows Update to obtain security patches. You want to minimize the amount of bandwidth used on the connection to the Internet and on the connections between the offices to download security patches. Which two actions should you take?
A. Configure the SUS servers at the branch offices to use Windows Update to obtain security patches.
B. Configure the SUS servers at the branch offices to use the central SUS server for updates.
C. Configure Automatic Updates on the SUS servers at the branch offices to use the central SUS server for updates.
D. Configure Automatic Updates on all computers to use the SUS server on the local network.
E. Configure Automatic Updates on all computers to use the default update service location.
Answer: B, D
Explanation: We must set up the branch office SUS servers to pick up the updates from the server in the main office. By configuring a SUS server in the main office you save network bandwidth, because the
branch office servers will not need to use the Internet connection. With this solution, the main office SUS server downloads the updates from Microsoft, the branch office SUS servers download the updates from the main office SUS server, and the client computers download the updates from the local SUS server.
Incorrect Answers:
A: This is an unnecessary use of the Internet connection.
C: You need to configure the SUS server software to download the updates, not Automatic Updates.
E: The default update service location is Microsoft. This is an unnecessary use of the Internet connection.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:8
Question: 23(A) You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. All servers run Windows Server 2003. A server named Company2 functions as the mail server for the company. All users use Microsoft Outlook Express as their email client. An update to the company’s written security policy specifies that users must use encrypted authentication while they are retrieving email messages from Company2. You need to comply with the updated policy. What should you do? (Choose three)
A. Configure the POP3 service on Company2 to use Active Directory Integrated Authentication
B. Configure the SMTP virtual server on Company2 to use Integrated Windows Authentication
C. Configure Outlook Express to use Secure Password Authentication (SPA)
D. Configure the SMTP virtual server on Company2 to use Basic Authentication with Transport Layer Security (TLS) encryption
E. Configure the POP3 service on Company2 to require Secure Password Authentication (SPA) for all connections
Answers: A, C, E
Explanation: You can use Active Directory Authentication to incorporate the POP3 service into your existing Active Directory domain.
Active Directory integrated authentication supports both plaintext and Secure Password Authentication (SPA) e-mail client authentication. Because plaintext transmits the user's credentials in an unsecured, unencrypted format, the use of plaintext authentication is not recommended. SPA requires e-mail clients to transmit both the user name and password using secure authentication; it is therefore recommended over plaintext authentication. We need to configure the POP3 service on Company2 to require Secure Password Authentication, and we need to configure the email clients to use Secure Password Authentication (SPA).
Incorrect Answers:
B: We need to configure the POP3 service, not the SMTP virtual server.
D: We need to configure the POP3 service, not the SMTP virtual server.
Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.
Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan, and Lisa Justice; Mastering Windows Server 2003.
Question: 24(A) You are the network admin for Company. Your network contains 50 application servers that run Windows Server 2003. The security configuration of the application servers is not uniform. The application servers were deployed by local administrators who configured the settings for each of the application servers differently based on their knowledge and skill. The application servers are configured with different authentication methods, audit settings and account policy settings. The security team recently completed a new network security design. The design includes a baseline configuration for security settings on all servers. The baseline security settings use the hisecws.inf predefined security template. The design also requires modified settings for servers in an application role. These settings include system service startup requirements, renaming the administrator account, and more stringent account lockout policies. The security team created a security template named application.inf that contains the required settings. You need to plan the deployment of the new security design. You need to ensure that all security settings for the application servers are standardized, and that after the deployment, the security settings on all application servers meet the design requirements. What should you do?
A. Apply the setup security.inf template first, the hisecws.inf template next, and then the application.inf template
B. Apply the Application.inf template and then the Hisecws.inf template.
C. Apply the Application.inf template first, then the setup.inf template next, and then the hisecws.inf template
D. Apply the Setup.inf template and then the application.inf template
Answer: A
Explanation: The servers currently have different security settings. Before applying our modified settings, we should reconfigure the servers with their default settings.
This is what the security.inf template does. Now that our servers have the default settings, we can apply our baseline settings specified in the hisecws.inf template. Then we can apply our custom settings using the application.inf template.
Incorrect Answers:
B: The hisecws.inf template would overwrite the custom application.inf template.
C: Same as answer A. Also, the setup.inf security template doesn’t exist. To return a system to its default security settings, we use the security.inf template.
D: The setup.inf security template doesn’t exist. To return a system to its default security settings, we use the security.inf template.
Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.
Question: 25(A) You are the network admin for an Active Directory domain. Company’s written security policy was updated and now requires a minimum of NTLM v2 for LAN Manager authentication. You need to identify which operating systems on your network do not meet the new requirement. Which OS requires an upgrade to the OS or software to meet the requirement?
A. Windows 2000 Professional
B. Windows Server 2003
C. Windows XP Professional
D. Windows NT Workstation with Service Pack 5
E. Windows 95
Answer: E
Explanation: Windows 95 does not natively support NTLM v2 authentication. To enable it, you would need to install the Directory Services Client software.
Incorrect Answers:
A, B, C, D: Windows 2000 Professional, Windows Server 2003, Windows XP Professional, and Windows NT Workstation with Service Pack 5 natively support NTLM v2 authentication.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 1:24-26
Question: 26(A) Company has a single Active Directory domain named Company.com. The company’s written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed. You create a security template named fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action if needed. You audit a file server by using fileserver.inf and receive the results shown in the exhibit.
You want to make only the changes that are required to meet the requirements. Which two actions should you take?
A. Correct the maximum application log size setting on the file server
B. Correct the maximum security log size setting on the file server
C. Correct the maximum system log size setting on the file server
D. Correct the retention method for the application log setting on the file server
E. Correct the retention method for the security log setting on the file server
F. Correct the retention method for the system log setting on the file server
Answers: B, E
Explanation: The Event Log security area defines attributes related to the application, security, and system logs in the Event Viewer console for computers in a site, domain, or OU. The attributes are: maximum log size, access rights for each log, and retention settings and methods. Event log size and log wrapping should be defined to match your business and security requirements. In this particular case you should correct the maximum security log size setting and the retention method for the security log setting on the file server so as to comply with the stated requirements.
Incorrect Answers:
A, C, D, F: The question states that the company’s written security policy requires that computers in a file server role must have a minimum file size for event log settings. Given the company’s past experience regarding the size and retention of the security event log, you should correct the maximum log size and retention method of the security log and not those of the application log or the system log.
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 10
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:6
Question: 27(A) You are the administrator of the Company company network. The network consists of a single Active Directory domain.
The network includes 50 servers running Windows Server 2003 and 1000 client computers running Windows XP Professional. All client computers are in an organisational unit (OU) named Clients. All server computers are in an organisational unit (OU) named Servers. You discover that most of the servers are running the SMTP service and the Telnet service. These services are not required and should be disabled. What is the easiest way to ensure that the services are always disabled on the servers?
A. Use gpedit.msc to create a Group Policy object (GPO) to apply a logon script that disables the unnecessary services. Link the GPO to the Servers OU.
B. Use gpedit.msc to create a Group Policy object (GPO) and import the Hisecws.inf security template. Link the GPO to the Servers OU.
C. Use gpedit.msc to create a Group Policy object (GPO) to set the startup type of the unnecessary services to Disabled. Link the GPO to the Servers OU.
D. Use gpedit.msc to create a Group Policy object (GPO) to apply a startup script to stop the unnecessary services. Link the GPO to the Servers OU.
Answer: C
Explanation: The servers have been moved to an OU. This makes it easy for us to configure the servers using a group policy. We can simply assign a group policy to the Servers OU to disable the services.
Incorrect Answers:
A: The logon script would only run when someone logs on to the servers. It’s likely that the servers will be running with no one logged in.
B: The Hisecws.inf security template is designed for workstations, not servers.
D: The startup script would only run when the servers are restarted. A group policy would be refreshed at regular intervals.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 11:55
Question: 28(A) You are the administrator of the Company company network. The network consists of a single Active Directory domain. The network includes 30 servers running Windows Server 2003 and 2000 client computers running Windows XP Professional. 20 member servers are located in an organisational unit (OU) named Servers. 10 domain controllers are in the default Domain Controllers container. All 2000 client computers are located in an organisational unit (OU) named Clients. The member servers are configured with the following security settings:
• Logon events must be audited.
• System events must be audited.
• Passwords for local user accounts must meet complexity requirements.
• Passwords must be changed every 30 days.
• Password history must be enforced.
• Connections to the servers must be encrypted.
The written security policy states that you need to be able to verify the custom security settings during audits. You need to deploy and refresh the custom security settings on a routine basis. What should you do?
A. Create a custom security template and apply it by using a Group Policy linked to the Servers OU.
B. Create a custom security template and apply it by using a Group Policy linked to the domain.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.
Answer: A
Explanation: The easiest way to deploy multiple security settings to a group of Windows Server 2003 computers is to create a security template with all the required settings and import the settings into a GPO. In this case, the security settings apply to local accounts on the servers. This means that we can apply the settings with a GPO linked to an organisational unit containing the servers.
Incorrect Answers:
B: The security settings need to apply to the member servers only. Applying the GPO to the domain would affect all computers in the domain.
C: We need a security template, not an administrative template.
D: We cannot use imaging in this way.
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8
Question: 29(A) You are the administrator of the Company company network. The network consists of a single Active Directory domain named Company.com. The network includes 20 servers running Windows Server 2003 and 200 client computers running Windows XP Professional. The company purchases 10 new servers to function as file servers for the domain. You install Windows Server 2003 on the new servers. The computer accounts for the file servers are located in an OU named File Servers. A security expert configures one of the servers, named ESFile1, with various security settings. You need to apply and maintain the same security settings on the remaining 9 servers. You need to do this by using the minimum amount of administrative effort. What should you do? (Choose two)
A. Use disk imaging software to take an image of ESFile1. Apply the disk image to the remaining 9 servers.
B. Use gpedit.msc to create a new Group Policy object (GPO). Manually configure the GPO with the same security settings as ESFile1. Link the GPO to the File Servers OU.
C. Use gpedit.msc to create a new Group Policy object (GPO). Import the security template into the Security Settings of the Computer Configuration section of the GPO. Link the GPO to the File Servers OU.
D. On the PDC Emulator, use Security Configuration and Analysis to export the security settings to a security template.
E. On ESFile1, use Security Configuration and Analysis to export the security settings to a security template.
Answer: C, E
Explanation: The easiest way to configure multiple computers with multiple security settings is to use a GPO. In this question, we have a computer configured with the required settings. We can use Security Configuration and Analysis to export the security settings to a security template. We can then import the template into a Group Policy Object and apply the settings to the File Servers OU.
Incorrect Answers:
A: This could work (if we changed the computer names and SIDs), but there is a catch in the question. The question states that you need to apply and maintain the security settings contained in the security template on the new file servers. Using a GPO, the settings will be periodically refreshed, ensuring that the security settings are ‘maintained’.
B: This is a long way of doing it. Exporting the settings to a security template would be easier.
D: This would have no effect on the file servers.
Reference: David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 8
Question: 30(B) You are a network administrator for Company. The network consists of multiple physical segments. The network contains two Windows Server 2003 computers named CompanySrvA and CompanySrvB, and several Windows 2000 Server computers. CompanySrvA is configured with a single DHCP scope for the 10.250.100.0/24 network with an IP address range of 10.250.100.10 to 10.250.100.100. Several users on the network report that they cannot connect to file and print servers, but they can connect to each other’s client computers. All other users on the network are able to connect to all network resources. You run the ipconfig.exe /all command on one of the affected client computers and observe the information in the following table:
IP Address       Subnet Mask     Default Gateway   DHCP Server    DNS Server   Primary WINS Server
10.250.100.150   255.255.255.0   (blank)           CompanySrvB    (blank)      (blank)
You need to configure all affected client computers so that they can communicate with all other hosts on the network. Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Disable the DHCP service on CompanySrvB.
B. Increase the IP address range for the 10.250.100.0/24 scope on CompanySrvA.
C. Add global DHCP scope options to CompanySrvA for default gateway, DNS servers, and WINS servers.
D. Delete all IP address reservations in the scope on CompanySrvA.
E. Run the ipconfig.exe /renew command on all affected client computers.
F. Run the ipconfig.exe /registerdns command on all affected client computers.
Answer: A, E
Explanation: We can see from the exhibit that the affected computer received its IP configuration from CompanySrvB. We can also see that the IP configuration has no default gateway, WINS or DNS addresses. Obviously, CompanySrvB is misconfigured. Other client computers have no problems; it is likely that they get their IP configuration from CompanySrvA. We can either correctly configure the DHCP service on CompanySrvB or we can disable it and just use CompanySrvA as the DHCP server. The only option given is to disable the DHCP service on CompanySrvB, so answer A is correct. We need to run the ipconfig /renew command on all affected client computers so that they can update their IP configurations using CompanySrvA as their DHCP server.
Incorrect Answers:
B: The client computer received its IP configuration from CompanySrvB. Therefore, the problem is likely to be with CompanySrvB, not CompanySrvA.
C: Some client computers have no problems; it is likely that they get their IP configuration from CompanySrvA. Therefore, CompanySrvA is correctly configured.
D: The client computer received its IP configuration from CompanySrvB. Therefore, the problem is likely to be with CompanySrvB, not CompanySrvA.
F: The affected client computers have no DNS configuration; therefore this command will have no effect.
Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2:44
Question: 31(B) You are the network administrator for Company. You need to provide Internet name resolution services for the company. You set up a Windows Server 2003 computer running the DNS Server service to provide this network service. During testing, you notice the following intermittent problems:
• Name resolution queries sometimes take longer than one minute to resolve.
• Some valid name resolution queries receive the following error message in the Nslookup command-line tool: “Non-existent domain”.
You suspect that there is a problem with name resolution. You need to review the individual queries that the server handles. You want to configure monitoring on the DNS server to troubleshoot the problem. What should you do?
A. In the DNS server properties, on the Debug Logging tab, select the Log packets for debugging option.
B. In the DNS server properties, on the Event Logging tab, select the Errors and warnings option.
C. In System Monitor, monitor the Recursive Query Failure counter in the DNS object.
D. In the DNS server properties, on the Monitoring tab, select the monitoring options.
Answer: A
Explanation: If you need to analyze and monitor the DNS server performance in greater detail, you can use the optional debug tool. You can choose to log packets based on the following:
• Their direction, either outbound or inbound
• The transport protocol, either TCP or UDP
• Their contents: queries/transfers, updates, or notifications
• Their type, either requests or responses
• Their IP address
Finally, you can choose to include detailed information. Note: That’s the only option that lets you see details about individual packets.
Incorrect Answers:
B: The Event Logging tab allows you to restrict the events written to the DNS Events log file to only errors or to only errors and warnings; it also allows you to disable DNS logging.
C: This option only allows you to view the total number of recursive query failures.
D: The Monitoring tab of the DNS server properties dialog box allows you to check basic DNS functionality with two simple tests: a simple query against the local DNS server and a recursive query to the root DNS servers.
Reference: J. C.
Mackin, Ian McLean, MCSA/MCSE Self-Paced Training Kit (Exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, Chapter 5, Troubleshooting DNS servers
Using server debug logging options
The following DNS debug logging options are available:
• Direction of packets
  Send: Packets sent by the DNS server are logged in the DNS server log file.
  Receive: Packets received by the DNS server are logged in the log file.
• Content of packets
  Standard queries: Specifies that packets containing standard queries (per RFC 1034) are logged in the DNS server log file.
  Updates: Specifies that packets containing dynamic updates (per RFC 2136) are logged in the DNS server log file.
  Notifies: Specifies that packets containing notifications (per RFC 1996) are logged in the DNS server log file.
• Transport protocol
  UDP: Specifies that packets sent and received over UDP are logged in the DNS server log file.
  TCP: Specifies that packets sent and received over TCP are logged in the DNS server log file.
• Type of packet
  Request: Specifies that request packets are logged in the DNS server log file (a request packet is characterized by a QR bit set to 0 in the DNS message header).
  Response: Specifies that response packets are logged in the DNS server log file (a response packet is characterized by a QR bit set to 1 in the DNS message header).
• Enable filtering based on IP address: Provides additional filtering of packets logged in the DNS server log file. This option allows logging of packets sent from specific IP addresses to a DNS server, or from a DNS server to specific IP addresses.
• File name: Lets you specify the name and location of the DNS server log file. For example, dns.log specifies that the DNS server log file should be saved as dns.log in the systemroot.
Question: 32(B) You are a network administrator for Company. Company has a main office and two branch offices. The branch offices are connected to the main office by T1 lines. The network consists of three Active Directory sites, one for each office. All client computers run either Windows 2000 Professional or Windows XP Professional. Each office has a small data center that contains domain controllers, WINS, DNS, and DHCP servers, all running Windows Server 2003.
Users in all offices connect to a file server in the main office to retrieve critical files. The network team reports that the WAN connections are severely congested during peak business hours. Users report poor file server performance during peak business hours. The design team is concerned that the file server is a single point of failure. The design team requests a plan to alleviate the WAN congestion during business hours and to provide high availability for the file server. You need to provide a solution that improves file server performance during peak hours and that provides high availability for file services. You need to minimize bandwidth utilization. What should you do?
A. Purchase two high-end servers and a shared fiber-attached disk array. Implement a file server cluster in the main office by using both new servers and the shared fiber-attached disk array.
B. Implement Offline Files on the client computers in the branch offices by using Synchronization Manager. Schedule synchronization to occur during off-peak hours.
C. Implement a stand-alone Distributed File System (DFS) root in the main office. Implement copies of shared folders for the branch offices. Schedule replication of shared folders to occur during off-peak hours by using scheduled tasks.
D. Implement a domain Distributed File System (DFS) root in the main office. Implement DFS replicas for the branch offices. Schedule replication to occur during off-peak hours.
Answer: D
Explanation: A DFS root is effectively a folder containing links to shared files. A domain DFS root is stored in Active Directory. This means that the users don’t need to know which physical server is hosting the shared files; they just open a folder in Active Directory and view a list of shared folders. A DFS replica is another server hosting the same shared files. We can configure replication between the file servers to replicate the shared files out of business hours. The users in each office will access the files from a DFS replica in the user’s office, rather than accessing the files over a WAN link.
Incorrect Answers:
A: This won’t minimize bandwidth utilization because the users in the branch offices will still access the files over the WAN.
B: This doesn’t provide any redundancy for the server hosting the shared files.
C: You need DFS replicas to use the replicas of the shared folders.
Reference: Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12:15
Question: 33(B) You are a network administrator for Woodgrove Bank. All servers run Windows Server 2003. The company uses WINS and DNS for name resolution. The LMHosts and Hosts files are not used. A user on a server named Server2 reports that when she attempts to map a network drive to a shared folder on a server named Server5 by name, she receives the following error message: “System error 67 has occurred. The network name cannot be found”. The user was previously able to map network drives by name to shared folders on Server5 from Server2. You run the ping command on Server2 to troubleshoot the problem.
The results of your troubleshooting are shown in the exhibit.
You need to allow the user on Server2 to connect to resources on Server5 both by name and by address. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two)
A. On Server2, purge and reload the remote NetBIOS cache name table.
B. Re-register Server5 with WINS.
C. On Server2, run the ipconfig command with the /flushdns option.
D. On Server5, run the ipconfig command with the /renew option.
E. On Server5, run the ipconfig command with the /registerdns option.
Answer: A, D
Question: 34(B) You are the network administrator for Company. The company has a main office and two branch offices. The network in the main office contains 10 servers and 100 client computers. Each branch office contains 5 servers and 50 client computers. Each branch office is connected to the main office by a direct T1 line. The network design requires that company IP addresses must be assigned from a single classful private IP address range. The network is assigned a class C private IP address range to allocate IP addresses for servers and client computers. Company acquires a company named Acme. The acquisition will increase the number of servers to 20 and the number of client computers to 200 in the main office. The acquisition is expected to increase the number of servers to 20 and the number of client computers to 200 in the branch offices. The acquisition will also add 10 more branch offices. After the acquisition, all branch
offices will be the same size. Each branch office will be connected to the main office by a direct T1 line. The new company will follow the Company network design requirements. You need to plan the IP addressing for the new company. You need to comply with the network design requirement. What should you do?
A. Assign the main office and each branch office a new class A private IP address range.
B. Assign the main office and each branch office a new class B private IP address range.
C. Assign the main office and each branch office a subnet from a new class B private IP address range.
D. Assign the main office and each branch office a subnet from the current class C private IP address range.
Answer: C
Explanation: After the expansion the situation will be:
• Main office
  o Needs 220 IP addresses: 20 for servers and 200 for clients
• Branch offices
  o Each needs 220 IP addresses: 20 for servers and 200 for clients
  o We will have 12 branch offices
  o 12 x 220 = 2640
Total for all offices is 2640 + 220 = 2860. The network design requires that company IP addresses must be assigned from a single classful private IP address range. We can subnet a private class B address range into enough subnets to accommodate each office. There are various ways of doing this, but one way would be to subnet the class B address into subnets using a 24-bit subnet mask. This would allow up to 254 IP addresses per subnet and up to 254 subnets.
Incorrect Answers:
A: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
B: The network design requires that company IP addresses must be assigned from a single classful private IP address range.
D: The class C network doesn’t have enough IP addresses to accommodate all the computers in all the offices.
Reference: J. C.
Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 2: 23-26 Question: 35(B) You are a network administrator for Company. The internal network has an Active Directoryintegrated zone for the Company.com domain. Computers on the internal network use the Active Directory integrated DNS service for all host name resolution. The Company Web site and DNS server are hosted at a local ISP. The public Web site for Company is accessed at www.Company.com. The DNS server at the ISP hosts the Company.com domain.
To improve support for the Web site, Company wants to move the Web site and DNS service from the ISP to the company’s perimeter network. The DNS server on the perimeter network must contain only the host (A) resource records for computers on the perimeter network. You install a Windows Server 2003 computer on the perimeter network to host the DNS service for the Company.com domain. You need to ensure that the computers on the internal network can properly resolve host names for all internal resources, all perimeter resources, and all Internet resources. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. On the DNS server that is on the perimeter network, install a primary zone for Company.com.
B. On the DNS server that is on the perimeter network, install a stub zone for Company.com.
C. Configure the DNS server that is on the internal network to conditionally forward lookup requests to the DNS server that is on the perimeter network.
D. Configure the computers on the internal network to use one of the internal DNS servers as the preferred DNS server. Configure the TCP/IP settings on the computers on the internal network to use the DNS server on the perimeter network as an alternate DNS server.
E. On the DNS server that is on the perimeter network, configure a root zone.

Answer: A, C

Explanation: By configuring a primary zone for company.com on a DNS server in the perimeter network, we have a DNS server that can resolve requests for the www.company.com Web site. To enable users on the LAN to quickly resolve company.com resources, we can configure conditional forwarding on the internal company.org server so that requests for company.com resources are forwarded straight to the perimeter network DNS server.

Incorrect Answers:
B: A stub zone is no good to us here. The perimeter DNS server must be authoritative for the company.com domain. Therefore, we need a primary zone on the perimeter DNS server.
D: As long as the internal DNS servers are working, the external DNS server will never be used. Internal clients will not be able to resolve www.company.com.
E: There is no need to configure a root zone on the perimeter network DNS server.

Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question: 36 (B)
You are the systems engineer for Company. The network consists of a single Active Directory domain named contoso-ad.com. All servers run Windows Server 2003. A Windows Server 2003 computer named DNSSRV1 functions as the internal DNS server and has a zone configured as shown in the exhibit.
The network is not currently connected to the Internet. Company maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named Company.com. The Company.com zone is hosted by a UNIX-based DNS server named UNIXDNS, which is running the latest version of BIND. The company plans to allow users of the internal network to access Internet-based resources. The company’s written security policy states that resources located on the internal network must never be exposed to the Internet. The written security policy states that the internal network’s DNS namespace must never be exposed to the Internet. To meet these requirements, the design specifies that all name resolution requests for Internet-based resources from computers on the internal network must be sent from DNSSRV1. The current design also specifies that UNIXDNS must attempt to resolve any name resolution requests before sending them to name servers on the Internet. You need to plan a name resolution strategy for Internet access. You need to configure DNSSRV1 so that it complies with company requirements and restrictions. What should you do?

A. Delete the root zone from DNSSRV1. Configure DNSSRV1 to forward requests to UNIXDNS.
B. Copy the Cache.dns file from the Windows Server 2003 installation CD-ROM to the C:\Windows\System32\Dns folder on DNSSRV1.
C. Add a name server (NS) resource record for UNIXDNS to your zone. Configure UNIXDNS with current root hints.
D. On DNSSRV1, configure a secondary zone named Company.com that uses UNIXDNS as the master server. Configure UNIXDNS to forward requests to your ISP’s DNS servers.

Answer: A

Explanation: We need to delete the root zone from the internal DNS server. This will enable us to configure the server to forward Internet name resolution requests to the external DNS server (UNIXDNS).

A DNS server configured to use a forwarder behaves differently from one that is not. When the DNS server receives a query, it first attempts to resolve it using the primary and secondary zones that it hosts and its cache. If the query cannot be resolved using this local data, it forwards the query to the DNS server designated as a forwarder. The DNS server waits briefly for an answer from the forwarder before attempting to contact the DNS servers specified in its root hints.
Incorrect Answers:
B: The Cache.dns file contains the IP addresses of the Internet root DNS servers. We don’t want the internal DNS server to query the root DNS servers, so we don’t need the Cache.dns file.
C: UNIXDNS already has root hints. An NS record on the internal DNS server won’t fulfill the requirements of the question.
D: We don’t need a secondary zone on the internal DNS server. All external resolution requests must be forwarded to the external DNS server.

Reference: Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question: 37 (B)
You are the network administrator for Company. The network consists of a single Active Directory domain named Company.com. The network contains two IP subnets connected by a Windows Server 2003 computer running Routing and Remote Access. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each subnet contains a domain controller. Each subnet contains a DHCP server, which provides TCP/IP configuration information to the computers on only its subnet. The relevant portion of the network is shown in the exhibit.

You recently implemented a Microsoft Internet Security and Acceleration (ISA) Server 2000 array on the network to provide Internet connectivity. The ISA Server array uses Network Load Balancing on the internal adapters. The array’s Network Load Balancing cluster address is 172.30.32.1. You configure the DHCP server on Subnet1 to provide the array’s Network Load Balancing cluster address as the default gateway. You configure the DHCP server on Subnet2 to provide the IP address 172.30.64.1 as the default gateway for Subnet2. Users on Subnet2 report that they cannot connect to Internet-based resources. They can successfully connect to resources located on Subnet1. Users on Subnet1 can successfully connect to Internet-based resources. You investigate and discover that no Internet requests from computers on Subnet2 are being received by the ISA Server array. You need to provide Internet connectivity to users on Subnet2. What should you do?
A. Configure the DHCP server on Subnet2 to provide the address 172.30.32.1 as the default gateway.
B. Configure the DHCP server on Subnet2 to provide the address 172.30.32.2 as the default gateway.
C. On the Routing and Remote Access server, add a default route to 172.30.32.1.
D. On the Routing and Remote Access server, add a default route to 131.107.72.17.

Answer: C

Explanation: The Routing and Remote Access server knows how to route traffic between Subnet1 and Subnet2. However, it doesn’t know how to route traffic to the Internet. We can fix this by adding a default route on the Routing and Remote Access server. The default route tells the Routing and Remote Access server that any traffic that isn’t destined for Subnet1 or Subnet2 (i.e. any external destination) should be forwarded to the internal interface of the ISA server (172.30.32.1).

Incorrect Answers:
A: 172.30.32.1 isn’t on the same subnet as Subnet2. Therefore, the clients on Subnet2 cannot use this address as their default gateway.
B: 172.30.32.2 isn’t on the same subnet as Subnet2. Therefore, the clients on Subnet2 cannot use this address as their default gateway. Furthermore, this address isn’t the internal address of the ISA server.
D: The default route needs to forward traffic to the internal interface of the ISA server.

Reference: Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 15:30

Question: 38 (B)
You are the systems engineer for Company GmbH. The network consists of three Windows NT 4.0 domains in a master domain model configuration. The servers on the network run either Windows NT Server 4.0 or Windows 2000 Server. All domain controllers run Windows NT Server 4.0. The network also contains 10 UNIX-based application servers.

All host name resolution services are provided by a UNIX-based server running the latest version of BIND, which currently hosts the zone for the Company.com domain. All NetBIOS name resolution services are provided by two Windows 2000 Server WINS servers. The company is in the process of migrating to a single Windows Server 2003 Active Directory domain-based network. The new domain is named Company-ad.net, and it will be hosted in an Active Directory-integrated zone that is stored on the domain controllers. Servers that are not domain controllers will not be updated at this time. The migration plan requires that all computers must use DNS to resolve host names and computer redundancy for the Windows-based DNS servers. You upgrade the domain controllers in the master domain to Windows Server 2003. You also migrate all user and computer accounts to the new Active Directory domain. The DNS zone on the Windows Server 2003 computers is configured as shown in the exhibit.
You now need to configure the required redundancy between the Windows-based DNS servers and the UNIX-based DNS server. You need to ensure that there will be no service interruption on any of the DNS server computers. Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

A. On a Windows Server 2003 DNS server, create a secondary zone that uses the UNIX-based DNS server as the master server.
B. On the UNIX-based DNS server, create a secondary zone that uses a Windows-based DNS server as the master server.
C. On a Windows Server 2003 DNS server, create a stub zone that uses the UNIX-based DNS server as the master server.
D. Add a delegation in the Company.com zone that delegates authority of the Company-ad.net zone to a Windows Server 2003 DNS server.
E. Configure the Company-ad.net zone to not replicate WINS-specific resource records during zone transfers.

Answer: B, E

Explanation: This is a trick question because it is asking for redundancy for the Windows Server 2003 DNS servers. We can provide this by configuring the UNIX DNS server to resolve names in the Company-ad.net domain. With a secondary zone on the UNIX DNS server, the UNIX DNS server will be able to resolve host name resolution requests in the Company-ad.net domain. The Company-ad.net zone is configured to query WINS if required. When configuring a UNIX DNS server with a secondary zone, we should configure the zone to not replicate WINS-specific resource records during zone transfers.

Incorrect Answers:
A: This would provide redundancy for the UNIX server; the question isn’t asking for that.
C: This won’t provide any redundancy.
D: Company-ad.net isn’t a subdomain of Company.com, so no delegation is required.

Reference: Mark Minasi, Christa Anderson, Michele Beveridge, C.A. Callahan & Lisa Justice, Mastering Windows Server 2003, Sybex Inc., Alameda, 2003, pp. 436-437
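Questions 34 and 37 above both come down to IP address arithmetic: how many /24 subnets a single class B range yields against 13 offices of 220 hosts each, and why a DHCP-supplied default gateway must sit on the client's own subnet while the Routing and Remote Access server needs a default route of its own. The Python script below is an added worked example, not part of the original exam material; the class B range 172.16.0.0/16 and the /24 masks for Subnet1 and Subnet2 are assumptions, since the page gives neither.

```python
import ipaddress

# Question 34: carve per-office subnets out of a single classful private range.
# 172.16.0.0/16 is an assumed example range; the page only says "class B".
# 13 offices (main + 12 branches) each need 20 + 200 = 220 host addresses.
def plan_subnets(base="172.16.0.0/16", offices=13, hosts_per_office=220, prefix=24):
    """Return one subnet per office, or raise ValueError if the range cannot hold them."""
    net = ipaddress.ip_network(base)
    subnets = list(net.subnets(new_prefix=prefix))
    usable = subnets[0].num_addresses - 2          # network + broadcast are reserved
    if usable < hosts_per_office:
        raise ValueError(f"/{prefix} gives {usable} hosts, need {hosts_per_office}")
    if len(subnets) < offices:
        raise ValueError(f"{net} yields {len(subnets)} subnets, need {offices}")
    return subnets[:offices]

# Question 37: a default gateway must be on-link for the client, and a router
# with no default route drops traffic for prefixes it does not know.
# The exhibit's masks are unknown; /24 for both subnets is an assumption.
SUBNET1 = ipaddress.ip_network("172.30.32.0/24")
SUBNET2 = ipaddress.ip_network("172.30.64.0/24")

def gateway_on_link(client_subnet, gateway):
    """Options A/B fail because 172.30.32.x is not inside Subnet2."""
    return ipaddress.ip_address(gateway) in client_subnet

def next_hop(routes, destination):
    """Longest-prefix-match over (prefix, next_hop) pairs; None means no route."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

# RRAS table as described: it knows both LAN subnets and nothing else.
RRAS_BEFORE = [(str(SUBNET1), "direct"), (str(SUBNET2), "direct")]
# Option C: add a default route toward the ISA array's NLB cluster address.
RRAS_AFTER = RRAS_BEFORE + [("0.0.0.0/0", "172.30.32.1")]

if __name__ == "__main__":
    for office, subnet in enumerate(plan_subnets()):
        print(f"office {office:2d}: {subnet}")
    print("172.30.32.1 on-link for Subnet2?", gateway_on_link(SUBNET2, "172.30.32.1"))
    # 131.107.72.17 is the external address from option D, used as a sample target.
    print("before default route:", next_hop(RRAS_BEFORE, "131.107.72.17"))
    print("after default route: ", next_hop(RRAS_AFTER, "131.107.72.17"))
```

Running plan_subnets("192.168.1.0/24") raises ValueError, which is the arithmetic behind incorrect answer D: one class C network cannot hold 13 offices.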