name = Cesar007

exam = 70-216

1. You are the administrator for your company's Windows 2000 network. Your company has three offices: one in Dallas, TX, one in Houston, TX, and one in Galveston, TX. Houston and Galveston are connected to Dallas by a T1 line. Each site has its own Windows Internet Name Service (WINS) server.

You have implemented WINS replication between the WINS servers. You view the WINS database on the WINS server in Houston. It contains records in the active state, records in the released state, and records in the tombstoned state.

Which records will be replicated to the WINS server in Dallas?

a. All the records, regardless of their state

b. Only records in the active state

c. Both the records in the active state and the records in the released state

d. Both the records in the active state and the records in the tombstoned state

e. Both the records in the released state and the records in the tombstoned state

How Records Change and Update:

A WINS server always enters name registrations in its database in an active state and time stamped with the sum of the current time and the renewal interval. The version ID is taken from the version ID counter, and the counter is then incremented.

If a name is explicitly released or not refreshed during the renewal interval, the name enters the released state. The WINS server gives the database entry a time stamp using the sum of the current time and the extinction interval, and leaves the version ID unchanged. Thus, released records are not replicated. If a record remains released past the extinction interval, the WINS server changes the state of the record to tombstone, gives the record a time stamp using the sum of the current time and the extinction timeout, and increments the version ID of the record so that the record will be replicated. If a record remains in the tombstone state for a period longer than the extinction timeout, it is deleted from the database.

WINS replicates only records in the active and tombstone states. In the WINS database, WINS enters these replica records with the fields received from the owner database, with the exception of owner ID and time stamp. (The owner ID comes from the local IP address-to-owner ID mapping table because the value used locally to represent a particular WINS server differs from server to server. For example, WINS-D might be represented by a 2 on WINS-B and by a 3 on WINS-A.) WINS gives an active record a time stamp that is the sum of the local current time and the verification interval. WINS gives a tombstone record a time stamp that is the sum of the local current time and the extinction timeout.
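
The record lifecycle described above, as an added Python example (not part of the original notes or of any Microsoft code). The interval values, host names and addresses are constructed, and two points are assumptions: a tombstoned record takes its new version ID from the server's counter, and a pull partner asks for records with a version ID higher than the highest one it already holds.

```python
from dataclasses import dataclass, field

ACTIVE, RELEASED, TOMBSTONE = "active", "released", "tombstone"

# Constructed interval values in seconds, chosen only to keep the demo short.
RENEWAL_INTERVAL = 60
EXTINCTION_INTERVAL = 40
EXTINCTION_TIMEOUT = 100


@dataclass
class Record:
    name: str
    ip: str
    state: str
    time_stamp: int   # moment after which the next state change is due
    version_id: int


@dataclass
class WinsServer:
    """Models the records owned by one WINS server."""
    version_counter: int = 1
    db: dict = field(default_factory=dict)

    def _take_version(self):
        vid = self.version_counter
        self.version_counter += 1
        return vid

    def register(self, name, ip, now):
        # Registrations start active, stamped now + renewal interval,
        # and take the current value of the version ID counter.
        self.db[name] = Record(name, ip, ACTIVE,
                               now + RENEWAL_INTERVAL, self._take_version())

    def release(self, name, now):
        # Release moves the time stamp but leaves the version ID unchanged.
        rec = self.db[name]
        rec.state, rec.time_stamp = RELEASED, now + EXTINCTION_INTERVAL

    def scavenge(self, now):
        # Apply the time-driven transitions; each record moves one state per pass.
        for name, rec in list(self.db.items()):
            if now <= rec.time_stamp:
                continue
            if rec.state == ACTIVE:          # not refreshed in time
                self.release(name, now)
            elif rec.state == RELEASED:      # past the extinction interval
                rec.state = TOMBSTONE
                rec.time_stamp = now + EXTINCTION_TIMEOUT
                rec.version_id = self._take_version()   # assumption: from counter
            else:                            # tombstone past extinction timeout
                del self.db[name]

    def records_for_partner(self, highest_seen):
        # Only active and tombstone records with a newer version ID are sent.
        recs = [r for r in self.db.values()
                if r.state in (ACTIVE, TOMBSTONE) and r.version_id > highest_seen]
        return sorted(recs, key=lambda r: r.version_id)


def summary(records):
    return [(r.name, r.state, r.version_id) for r in records]


def demo():
    """Constructed scenario: three registrations, one release, two scavenges."""
    houston = WinsServer()
    for i, name in enumerate(("PC1", "PC2", "PC3")):
        houston.register(name, f"10.1.0.{11 + i}", now=0)
    out = {"initial": summary(houston.records_for_partner(0))}

    houston.release("PC2", now=10)           # version ID stays 2
    out["after_release"] = summary(houston.records_for_partner(3))

    houston.scavenge(now=51)                 # PC2 released -> tombstone
    out["after_extinction"] = summary(houston.records_for_partner(3))

    houston.scavenge(now=152)                # PC2 deleted; PC1/PC3 lapse to released
    out["left_after_timeout"] = {n: r.state for n, r in houston.db.items()}
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, value)
```

The partner that already holds versions 1 to 3 receives nothing while PC2 is merely released, and receives PC2 again only once it is tombstoned under a new version ID.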

Released records are not replicated (W2K-TCP/IP pages 500, 533, 534).

Active records and tombstoned records will be replicated (W2K-TCP/IP page 505).

Tombstoned or extinct is the same.

 

 

 

2. You are the administrator for a Windows 2000 Server network. You have a Dynamic Host Configuration Protocol (DHCP) Server which is configured to give DHCP clients all appropriate TCP/IP settings. You have a Domain Name System (DNS) / (WINS) server. You set up a Windows 2000 Server computer to be the dial-up connection server and want to configure the security for the dial-up connections. You want to accomplish the following goals:

Require the entry of a password upon connection.

Use the Windows logon and password for authentication.

Require the use of data encryption.

Automatically run a script named logon.scp upon connection.

You perform the following actions:

From the dial-up connection properties on the Security tab in the Security options section, select Typical (recommended settings) radio button.

For the Validate my identity as follows box, select Allow unsecured password.

Check the Automatically use my Windows logon name and password (and domain if any) box.

Check the Require data encryption (disconnect if none) box.

In the Interactive logon scripting section, check the Run script box and type in filename logon.scp.

Which goal or goals are accomplished from these actions? (Choose all that apply.)

a. Require the entry of a password upon connection

b. Use the Windows logon and password for authentication

c. Require the use of data encryption

d. Automatically run a script named logon.scp upon connection

 

 

3. You are the administrator for your company's Windows 2000 Server network. Your company has a main office in Dallas, TX. There are three branch offices: one in Atlanta, GA, one in Chicago, IL, and one in Sacramento, CA. All branches are connected to Dallas by a T1 line. A diagram of the network is shown below:

The routers between the offices support the forwarding of BOOTP messages. At each branch office, you have a local user who is responsible for all administrative duties. Currently the local administrator is responsible for configuring the TCP/IP settings for all the Windows 2000 Professional computers at his/her local branch.

You have been experiencing network communication problems which were the direct result of configuration errors. You want to prevent this from happening again.

What should you do? (Choose two.)

a. Install and configure a Dynamic Host Configuration Protocol (DHCP) Server in Dallas.

b. Install and configure a Windows Internet Name Service (WINS) Server in Dallas.

c. Install and configure a Domain Name System (DNS) Server in Dallas.

d. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain an IP address automatically.

e. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain an IP address automatically.

f. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain DNS server address automatically.

Sorry, no drawing to confirm the answer.

4. You are the administrator for your company's Windows 2000 domain. You have a Windows 2000 Server computer that is your Domain Name System (DNS) server. The DNS server contains the following types of resource records:

Start of Authority (SOA)

Name Server (NS)

Address (A)

Pointer (PTR)

Mail Exchange (MX)

Service (SRV).

You update a host resource record.

Which type of record may be associated with this record and need to be updated also?

a. The associated SOA resource record

b. The associated NS resource record

c. The associated A resource record

d. The associated PTR resource record

 

 

5. You work for a local state agency that does not use Windows Internet Name Service (WINS) for NetBIOS name resolution. Instead, each client on the network copies a master LMHOSTS file from a central server during the logon process.

After experiencing a number of problems with the current Primary Domain Controller (PDC) named MIS4 of the HR domain, you decide to promote one of the Backup Domain Controllers (BDCs) named Payroll2 to PDC status and take the former PDC offline.

In the master LMHOSTS file, you take off the listing for the former PDC.

What is the other change you must make?

a. 128.131.24.122 Payroll2 #DOM:HR

b. 128.131.24.122 Payroll2 #DOMAIN:HR

c. 128.131.24.122 #PRE Payroll2 #DOM:HR

d. 128.131.24.122 Payroll2 #PRE #DOM:HR

Explanation

Adding Remote System Names by Using #PRE

Using #PRE entries improves access to the identified computers because their names and IP addresses are contained in the computer's cache memory. However, by default, Windows 2000 limits the preloaded name cache to 100 entries. (This limit affects only entries marked with the #PRE keyword.) For example:

102.54.94.91 accounting #accounting server

102.54.94.94 payroll #payroll server

102.54.94.97 stockquote #PRE #stock quote server

102.54.94.102 printqueue #print server in Bldg 7

Adding Domain Controllers by Using #DOM

The #DOM keyword can be used in LMHOSTS files to distinguish a Windows 2000 domain controller from other computers on the network. To use the #DOM tag, follow the NetBIOS name and IP address of the domain controller in the LMHOSTS file with the #DOM keyword, a colon, and the domain in which the domain controller participates. For example:

102.54.94.97 primary #PRE #DOM:domain #domain PDC

#DOM entries should be preloaded in the cache by using the #PRE keyword. Note that the #PRE keyword must precede the #DOM keyword in the LMHOSTS file.
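
A small checker for the #PRE and #DOM rules explained above, as an added Python example (not from the original notes or from Microsoft). The sample file is constructed from the address style used in the examples above, and treating a token that starts with #DOM but is not #DOM:<domain> as a probable typo is this example's own heuristic.

```python
import ipaddress

PRELOAD_LIMIT = 100   # default size of the preloaded name cache, per the text above


def lint_lmhosts(text):
    """Return (findings, preload_count); findings is a list of (line_no, message).

    A finding with line number 0 applies to the file as a whole.
    """
    findings, preload_count = [], 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line, remark or block directive
        tokens = line.split()
        try:
            ipaddress.IPv4Address(tokens[0])
        except ValueError:
            findings.append((line_no, "first field is not an IPv4 address"))
            continue
        if len(tokens) < 2 or tokens[1].startswith("#"):
            findings.append((line_no, "NetBIOS name must follow the IP address"))
            continue

        pre_pos = dom_pos = None
        for pos, tok in enumerate(tokens[2:], 2):
            if tok == "#PRE":
                pre_pos = pos if pre_pos is None else pre_pos
            elif tok.startswith("#DOM:") and len(tok) > len("#DOM:"):
                dom_pos = pos if dom_pos is None else dom_pos
            elif tok.startswith("#DOM"):
                findings.append((line_no, f"malformed #DOM keyword: {tok}"))
            elif tok.startswith("#"):
                break                     # anything else begins a free-text remark

        if pre_pos is not None:
            preload_count += 1
        if dom_pos is not None and pre_pos is None:
            findings.append((line_no, "#DOM entry is not preloaded with #PRE"))
        elif dom_pos is not None and pre_pos > dom_pos:
            findings.append((line_no, "#PRE must precede #DOM"))

    if preload_count > PRELOAD_LIMIT:
        findings.append((0, f"{preload_count} #PRE entries exceed the default "
                            f"limit of {PRELOAD_LIMIT}"))
    return findings, preload_count


# Constructed sample: the first three lines follow the examples above,
# the last four each break one rule.
SAMPLE = """\
102.54.94.91   accounting               #accounting server
102.54.94.97   stockquote  #PRE         #stock quote server
102.54.94.97   primary     #PRE #DOM:domain   #domain PDC
102.54.94.98   backup1     #DOM:domain
102.54.94.99   backup2     #DOM:domain #PRE
102.54.94.100  backup3     #PRE #DOMAIN:domain
102.54.94.101  #PRE backup4 #DOM:domain
"""

if __name__ == "__main__":
    problems, preloaded = lint_lmhosts(SAMPLE)
    for line_no, message in problems:
        print(f"line {line_no}: {message}")
    print(f"{preloaded} entries marked #PRE")
```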

 

 

 

6. Your home office network contains 2 Windows 2000 Server computers, 1 Windows 2000 Professional client computer, and 1 Windows 98 second edition client computer.

You want to accomplish the following goals:

Provide one Internet connection for the entire network.

Provide network address translation.

Provide name resolution.

Provide IP address configurations for the entire network.

You perform the following tasks:

You enable Internet Connection Sharing.

You create a connection between the network and the Internet.

You install and configure LAN adapters connecting the client computers to the network.

Which goal is accomplished from these tasks?

 

a. Provide one Internet connection for the entire network

b. Provide network address translation

c. Provide name resolution

d. Provide IP address configurations for the entire network

Configure Internet Connection Sharing

Internet Connection Sharing (ICS) allows multiple computers in a small office or home office to access an Internet connection using a single public IP address. For example, you may have a computer in an intranet that connects to the Internet by using a dial-up connection. By enabling ICS on the computer that uses the dial-up connection, you can provide Internet access to all computers in the network. ICS provides network address translation, address allocation, and name resolution services for all computers on your network. ICS can also be enabled for high-speed networks, such as Integrated Services Digital Network (ISDN), Digital Subscriber Line (DSL), and cable-based Internet connections.

ICS is a version of a network address translator (NAT). A network address translator is an IP router defined in RFC 1631 that can translate IP addresses and TCP/UDP port numbers of packets as they are being forwarded. Consider a small business network with multiple computers connecting to the Internet. A small business normally has to obtain an Internet Service Provider (ISP)–allocated public IP address for each computer on its network. With a NAT, however, the small business can use private addressing (as described in RFC 1918) and have the NAT map its private addresses to a single or to multiple public IP addresses as allocated by its ISP. ICS uses the private network 192.168.0.0 with a subnet mask of 255.255.255.0 for all computers in an ICS-enabled network, permitting a maximum of 254 hosts.

Internet Connection Sharing Settings

Item: Configuration

IP address: 192.168.0.1, configured with a subnet mask of 255.255.255.0 on the network adapter that is connected to the small office or branch office network.

Autodial feature: Enabled.

Static default IP route: Created when the dial-up connection is established.

Internet Connection Sharing service: Started automatically.

DHCP allocator: Enabled with the default range of 192.168.0.2 to 192.168.0.254 and a subnet mask of 255.255.255.0.

DNS proxy: Enabled.

7. You are the administrator for your company's network. Your network has three Windows 2000 Server computers, named Srvr1, Srvr2, and Srvr3. Each employee has his own Windows 2000 Professional computer. Also there is one Windows 2000 Professional computer, named Prof1, that is used by the general public.

Recently several files have been written to Srvr1 and Srvr2 that could have possibly caused great harm to your company's network. You suspect that the files came from Prof1. You want to monitor the traffic between these three computers.

Srvr3 is located in your office so you decide to capture the data there. You want to accomplish these goals with the least amount of administrative overhead.

What should you do?

a. On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1, Srvr1, and Srvr2.

b. On Prof1, install the Network Monitor driver.

On Srvr1 and Srvr2, install the Network Monitor driver.

On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1, Srvr1, and Srvr2.

c. On Prof1, install the Network Monitor Tools. Then start Network Monitor and configure capture data for Prof1.

On Srvr1 and Srvr2, install the Network Monitor driver.

On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Srvr1 and Srvr2.

d. On Prof1, install the Network Monitor driver

On Srvr1 and Srvr2, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Srvr1 and Srvr2, respectively.

On Srvr3, install Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1.

 

 

8. You administer your company's network. You have 20 Windows 2000 Professional computers operating in a switched network environment running TCP/IP. Ten of the Windows 2000 Professional computers are on subnet A. The other ten Windows 2000 Professional computers are on subnet B.

The company uses a Windows 2000 Server computer running Internet Authentication Service (IAS) to connect to the Internet. The IAS server is on subnet B.

You decide to set up Network Monitor to monitor all traffic on your network.

You install Network Monitor on the IAS server. You configure Network Monitor properly to monitor all TCP/IP traffic.

Which packets will you be able to monitor?

a. All packets

b. Only packets sent from the IAS server

c. Only packets addressed to the IAS server

d. All packets addressed to and sent from the IAS computer

 

 

 

 

9. You administer your company's Windows 2000 network.

Your company employs a sales force that needs access to the latest company data when traveling.

You want to ensure that the company will establish a network connection for your salespeople regardless of where the call originates.

Your company also allows customers access to the network using Routing and Remote Access to view and track orders. To ensure network and data security, your company wants to specify the location from which customers can connect to your network.

You want to configure your company's Routing and Remote Access server (RRAS) to facilitate access for salespeople and for customers. You want both the salespeople and the customers to use mutual authentication to provide protection against remote server impersonation.

Which settings should you configure? (Choose three.)

a. Set Callback option to Always Callback To for salespeople

b. Set Callback option to Set by Caller for salespeople

c. Set Callback option to No Callback for customers

d. Set Callback option to Always Callback To for customers

e. Enable Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

 

 

 

 

10. You are the administrator for your company's network. You have several NetWare servers running on your network and want to synchronize the user accounts between your Windows 2000 Server domain and your NetWare Servers.

You select all the NetWare servers and use the Directory Service Manager for NetWare (DSMN) to synchronize the user accounts.

You receive the following error message: "NWC is a NetWare 4.x server. It cannot be added to the domain."

What should you do?

a. Remove the bindery emulation mode option from NWC. Reboot NWC. Rerun DSMN, selecting only NWC for synchronization

b. Do nothing. NetWare 4.x servers running in bindery emulation mode cannot be added to Windows 2000 Server domains under any circumstances.

c. Using REGEDT32.exe on the Windows 2000 Server domain controller, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters key.

Choose the Add Value option from the Edit menu.

In Value Name, type Allow4X.

In Type, enter REG_DWORD.

In Data, enter 1.

Close the Registry.

Restart the Windows 2000 Server.

d. Using REGEDT32.exe on the Windows 2000 Server domain controller, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters key.

Choose the Add Value option from the Edit menu.

In Value Name, type Allow4X.

In Type, enter REG_DWORD.

In Data, enter 0.

Close the Registry.

Restart the Windows 2000 Server

Error Message:

computer name is a NetWare 4.X server. It cannot be added to the domain.

Explanation:

This error occurs when you select a NetWare 4.x server running in bindery emulation mode. By default, DSMN allows you to synchronize user accounts between Windows 2000 Server domains and NetWare 2.x and 3.x servers.

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows 2000 to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

1. Run Registry Editor (REGEDT32.EXE).

2. From the HKEY_LOCAL_MACHINE subtree, go to the following key: \SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters

3. From the Edit menu, choose Add Value.

4. Type the following in the appropriate text boxes: Value Name: Allow4X; Data Type: REG_DWORD; Data: 1

5. Choose OK and close the Registry Editor.

6. Shut down and restart Windows 2000 Server.

 

 

11. You are the administrator for a Windows 2000 Server network. The network contains three Windows 2000 Server computers and 35 Windows 2000 Professional client computers.

You want to accomplish the following goals:

Install and enable Network Address Translation (NAT) on the network.

Allow Internet users to access resources from the network.

Install and enable Internet Connection Sharing.

Configure dynamic IP addresses on the network.

You perform the following actions:

You configure a static IP address configuration on the resource server.

You exclude the IP address used by the resource computer from the range of IP addresses allocated by the NAT computer.

Configure a special port with a dynamic mapping of a public address and port number to a private address and port number.

Which goal or goals are accomplished from these actions? (Choose all that apply.)

a. Configure dynamic IP addresses on the network

b. Install and enable Internet Connection Sharing

c. Allow Internet users to access resources from the network

d. Install and enable Network Address Translation (NAT) on the network

 

 

 

12. You are the administrator for your company's Windows 2000 domain. On this domain, you have a Windows 2000 Server computer acting as your company's Internet interface.

This morning when you came to work, you noticed that you had an unusually long wait time to access resources on your network. You run several tests but cannot seem to find any problems although the access times are incredibly long.

When the users come in for work, they immediately start complaining about network performance. You then decide to start checking packets on the network.

After investigating the problem, you notice that a denial of service attack has flooded your Internet server with "Destination Unreachable" packets.

You want to prevent this from happening again with the least amount of administrative overhead possible. You do not want to prevent legitimate packets from being forwarded.

What should you do?

a. Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0 and IP Address 192.168.0.0 with Subnet Mask 255.255.0.0.

b. Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0 and IP Address 172.16.0.0 with Subnet Mask 255.240.0.0.

c. Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0, IP Address 172.16.0.0 with Subnet Mask 255.240.0.0, and IP Address 192.168.0.0 with Subnet Mask 255.255.0.0.

d. Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0, IP Address 127.0.0.1 with Subnet Mask 255.0.0.0, IP Address 172.16.0.0 with Subnet Mask 255.240.0.0, and IP Address 192.168.0.0 with Subnet Mask 255.255.0.0.

Explanation RFC 1918

The 127.0.0.0 network is not useful because it is defined for test purposes.

The 10.0.0.0/8 private network is a class A network ID that allows the following range of valid IP addresses: 10.0.0.1 to 10.255.255.254. The 10.0.0.0/8 private network has 24 host bits that can be used for any subnetting scheme within the private organization.

The 172.16.0.0/12 private network can be interpreted either as a block of 16 class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for any subnetting scheme within the private organization. The 172.16.0.0/12 private network allows the following range of valid IP addresses: 172.16.0.1 to 172.31.255.254.

The 192.168.0.0/16 private network can be interpreted either as a block of 256 class C network IDs or as a 16-bit assignable address space (16 host bits) that can be used for any subnetting scheme within the private organization. The 192.168.0.0/16 private network allows the following range of valid IP addresses: 192.168.0.1 to 192.168.255.254.
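
A check that a set of address-and-mask input filters covers all three RFC 1918 blocks described above, as an added Python example (not from the original notes). The filter sets and test addresses are constructed, and treating each filter as a drop rule matched on the packet's source address is an assumption of this example.

```python
import ipaddress

# The three private blocks from RFC 1918, as listed in the explanation above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_filter(address, mask):
    """Turn an 'IP Address' + 'Subnet Mask' pair into a network object."""
    # strict=False tolerates host bits set in the address field.
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def uncovered_private_space(filters):
    """Return the parts of RFC 1918 space that no drop filter matches."""
    gaps = []
    for block in RFC1918:
        remaining = [block]
        for flt in filters:
            next_remaining = []
            for net in remaining:
                if net.subnet_of(flt):
                    continue                              # fully covered
                if flt.subnet_of(net):
                    next_remaining.extend(net.address_exclude(flt))
                else:
                    next_remaining.append(net)            # no overlap
            remaining = next_remaining
        gaps.extend(remaining)
    return list(ipaddress.collapse_addresses(gaps))


def decide(source_ip, filters):
    """Accept every packet except those whose source matches a drop filter."""
    ip = ipaddress.ip_address(source_ip)
    return "drop" if any(ip in flt for flt in filters) else "accept"


# Constructed filter sets in the address/mask notation used by the question.
FULL = [parse_filter("10.0.0.0", "255.0.0.0"),
        parse_filter("172.16.0.0", "255.240.0.0"),
        parse_filter("192.168.0.0", "255.255.0.0")]
PARTIAL = [parse_filter("10.0.0.0", "255.0.0.0"),
           parse_filter("192.168.0.0", "255.255.0.0")]

if __name__ == "__main__":
    for label, filters in (("full", FULL), ("partial", PARTIAL)):
        gaps = uncovered_private_space(filters)
        print(label, "uncovered:", [str(g) for g in gaps] or "none")
        for src in ("10.9.8.7", "172.20.1.5", "172.32.0.1", "131.107.2.200"):
            print("  ", src, "->", decide(src, filters))
```

Note that 172.32.0.1 is accepted by both sets: the 255.240.0.0 mask ends the private block at 172.31.255.255.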

13. You have just taken a job with a company that would like to convert its current network operating system to Windows 2000. The company has four subnets on its TCP/IP network, each of which will have its own Backup Domain Controller (BDC), except for the subnet on which the Primary Domain Controller (PDC) will reside.

The company would like to allow browsing across the entire network without needing to implement Windows Internet Name Service (WINS) on a Windows 2000 Server computer.

What should you do?

a. Create an LMHOSTS file. Create entries in the LMHOSTS file for the PDC and all BDCs using the #DOM keyword. Place this file on the PDC.

b. Create an LMHOSTS file. Create entries in the LMHOSTS file for the PDC and all BDCs using the #DOM keyword. Place this file on the PDC and all BDCs.

c. Create an LMHOSTS file. Create an entry in the LMHOSTS file for the PDC and all BDCs using the #MH keyword. Place this file on the PDC.

d. Create an LMHOSTS file. Create an entry in the LMHOSTS file for the PDC and all BDCs using the #MH keyword. Place this file on the PDC and all BDCs.

Explanation

Because we are not using a distributed LMHOSTS, we must put the file on the PDC and all BDCs. The question does not refer to using the special characters 0x1C for PDC identification as domain master browser, nor 0x1B for master browser.

14. You are the administrator of your company's network. Your company owns the Class B subnet 172.41.48.0/24 that consists of 12 servers and 200 client computers, all configured as DHCP clients. The hard disk on your company's DHCP server fails, and your server responds with a fatal error. Your company does not have a backup of the server, and you do not remember which IP addresses have been distributed throughout the network. You need to install a new DHCP server to prevent any connectivity problems that might occur.

What should you do? (Choose two)

A Increase Conflict Detection Attempts on the DHCP server

B Decrease Conflict Detection Attempts on the DHCP server

C Add an exclusion for the 12 servers

D Create a scope that has a range of 172.41.48.1 to 172.41.48.200

E Create a scope that has a range of 172.41.48.1 to 172.41.48.254

Explanation

We have 24 bits for the subnet mask, which leaves 8 bits for the host ID. Minus two for the network identification and broadcast addresses: 2^8 = 256, and 256 - 2 = 254, so we can have 254 hosts on that subnet.

They don't tell us that the servers will be configured with a static IP, so we must suppose that the range for the 12 servers is coming from DHCP.

If your network includes legacy DHCP clients, enable conflict detection on the DHCP server. By default, the DHCP service does not perform any conflict detection. In general, conflict detection should be used only as a troubleshooting aid when you suspect there are duplicate IP addresses in use on your network. The reason for this is that, for each additional conflict detection attempt that the DHCP service performs, additional seconds are added to time needed to negotiate leases for DHCP clients.

Conflict Check Queue Length: The current length of the conflict check queue for the DHCP server. This queue holds messages not responded to while the DHCP server performs address conflict detection. A large value here may indicate heavy lease traffic at the server or that Conflict Detection Attempts has been set too high.

Preventing Address Conflicts

DHCP components in Windows 2000 have both server-side and client-side IP address conflict detection to prevent duplicate IP addresses on your network. This adds to the reliability of the address allocation process

Server Conflict Detection

The DHCP server detects conflicts (if enabled through the DHCP console via the DHCP server property sheet) by pinging an IP address before offering that address to clients. If the ping is successful (a response is received from a computer, meaning a conflict exists), a conflict is registered and that address is not offered to clients requesting a lease from the server. The address is marked with a BAD_Address value in the active leases. The address remains as a BAD_Address, and can be deleted from the active leases after the conflict is resolved, or remains for the lease duration of the scope and is then returned to the available pool. The DHCP server pings only addresses that have not been previously leased.

The number of times the server tests an address for conflicts defaults to 0 (disabled). To change the value of this entry, use the DHCP console. Right-click the name of the server, click Properties, and then click the Advanced tab. For Conflict detection attempts, type a number greater than 0 (zero), and then click OK.

Client Conflict Detection

Windows 2000 or Windows NT client computers also check to determine if an address is already in use before completing the address configuration with the DHCP server, or when they have been configured with a static IP address. This is accomplished through the use of a gratuitous Address Resolution Protocol (ARP) request. When a Windows 2000 or Windows NT computer starts, a packet is broadcast on the network containing the computer's TCP/IP address to prevent the use of duplicate addresses on the same network.

If the client detects a conflict, it declines the DHCP offer from the DHCP server (by sending a DHCP decline message), begins the lease process again, and is offered the next available address in the scope. If the client was configured with a static IP address, then the interface is disabled, and an event (event ID 26) is generated in the event log. For additional details refer to the Microsoft Knowledge Base article Q199773 (http://support.microsoft.com/support/kb/articles/Q199/7/73.ASP), “Behavior of Gratuitous ARP in Windows NT 4.0”; also, Knowledge Base article Q219374 (http://support.microsoft.com/support/kb/articles/Q219/3/74.ASP), “How to Disable the Gratuitous ARP

 

 

15. Your company has a SNMP-enabled network router installed on its network. Your company wants to monitor all SNMP traffic generated by the router. You install Network Monitor on a Windows 2000 server computer on your network. Your router is configured to trap to an SNMP manager installed on another server. You want to receive a notification whenever the network router raises an SNMP trap.

What should you do? (Choose two)

A Create a Network Monitor filter that has a pattern match for SNMP traffic.

B Install SNMP on the server.

C Create a network monitor trigger to run the Net Send command

D Create a TCP/IP filter on the server.

E Start the Windows 2000 Alerter Service on the server.

F Configure the network router to trap to the IP address of the server.

 

16. You have an IPSec policy. You want to prevent the re-use of previous-session keys.

What should you do?

A On the generate a new key every property sheet, modify the time allocations

B Master key Perfect Forward Secrecy check box

C Session key Perfect Forward Secrecy check box

D ??

If we can choose two, B and C are correct; if not, only C.

Session Key Refresh Limit

Repeated re-keying off a session key can compromise the Diffie-Hellman shared secret. Thus, a session key refresh limit is implemented to avoid a security compromise.

For example, Alice on Computer A sends a message to Bob on Computer B, and then sends another message to Bob a few minutes later. The same session key material might be reused because an SA was recently established with that computer. If you want to limit the number of times this occurs, set the session key refresh limit to a low number.

If you have enabled Perfect Forward Secrecy (PFS) for the master key, the session key refresh limit is ignored because PFS forces key regeneration. Setting a session key refresh limit to 1 is identical to enabling master key PFS. If both a master key lifetime and a session key refresh limit is specified, whichever limit is hit first causes the subsequent re-key. By default, IPSec policy does not specify a session key refresh limit.

 

 

 

17. You are the administrator of your company's network. The network consists of a single Windows 2000 domain. The network has Windows 2000 Server computers, Windows 2000 Professional computers, and Windows NT Workstation 4.0 computers distributed across two IP subnets as shown in the exhibit. (Click the Exhibit button.)

Two Windows 2000 domain controllers are located on Subnet1. Each domain controller is also a DNS server hosting an Active Directory integrated zone. You implement WINS for NetBIOS name resolution on your network.

WINS is installed on a server on Subnet2.

Users of the Windows NT Workstation 4.0 computers on Subnet2 report that they are receiving the following error message: 'Domain Controller cannot be located'. Subsequently, these users cannot be validated on the network. Windows NT Workstation 4.0 users on Subnet1 are not experiencing this problem. However, they do report that response times for logon requests are extremely slow. None of the Windows 2000 Professional users on either subnet report these problems.

You want to ensure that Windows NT Workstation 4.0 users on Subnet2 can be validated. You also want to improve logon request response time for users on Subnet1.

What should you do?

A. Configure the router to forward NetBIOS broadcast packets

B. Configure the Windows NT Workstation 4.0 computers as DNS clients in the existing zone

C. Configure the Windows NT Workstation 4.0 computers as WINS clients

D. Configure the Windows 2000 Server domain controller computers as WINS clients

I don't know without the exhibit.

 

18. You are the administrator of a Windows 2000 network. The network has seven Windows 2000-based WINS servers, and each is in a separate location. Because network users frequently log on at different locations, you want to configure the seven WINS servers to have a convergence time of less than one hour. How should you configure the seven WINS servers to accomplish this goal?

A. Create a display of the seven WINS servers in a circular arrangement. Configure each WINS server as a push/pull partner with the two WINS servers beside it in the circle. Use a replication interval of 25 minutes

B. Designate one of the WINS servers as the central WINS server. Configure the other six WINS servers as push/pull partners with the central WINS server. Configure the central WINS server as a push/pull partner with the other six WINS servers. Use a replication interval of 25 minutes

C. Configure each WINS server to automatically configure the other WINS servers as its replication partners. Use the default interval time for automatic partners configuration. Configure each WINS server to use a renew interval of 50 minutes. Use the default value for the verification interval

19.You are the administrator of a Windows 2000 domain. The domain has four Windows 2000-based WINS servers. You want to delegate the ability to create the four WINS servers' performance logs to a domain user named Kim. You do not want Kim to be able to change the configuration of the four WINS servers. The performance logs for the WINS servers are created by using the Performance console.

How should you configure the network to accomplish this goal?

A. Add the user Kim to the Domain Local group named Wins Users.

B. Create a new Domain Local group named Performance Administrators. Add the user Kim to the Performance Administrators group

C. On the four WINS servers, change the NTFS permissions on the System32\Wins folder to include Read permission for user Kim

D. On the four WINS servers, change the Registry permissions on the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wins key to include Read permission for user Kim.

By default, authenticated users have read access, so C is not valid; the same is true for the registry key.

 

 

 

20. You are the administrator of your company's network. The network consists of 10 Windows 2000 Server computers, 200 Windows 2000 Professional computers, 250 Windows 98 computers, and 25 UNIX workstation computers running SMB server software. The network runs only TCP/IP as its transport protocol. You implement WINS in the network for NetBIOS name resolution.

Users of the Windows-based client computers report that they cannot access resources based on the UNIX computers by NetBIOS name. There is no problem accessing Windows-based resources by NetBIOS name

What should you do to resolve this problem?

A. Install a WINS proxy agent on one of the UNIX computers

B. Install a WINS proxy agent on one of the Windows-based computers

C. On the WINS server, create static mappings for the UNIX computers

D. On the WINS server, create static mappings for the Windows-based computers

 

21. You are the administrator of a Windows 2000 network. The network has four Windows 2000-based WINS servers named NY1, NY2, Bos1, and Bos2. The network has computers in two locations: Boston and New York. The Bos1 and Bos2 WINS servers are at the Boston location. The NY1 and NY2 WINS servers are at the New York location. You want to configure the replication between the WINS servers to accomplish the following goals.

The NY1 and NY2 WINS servers must replicate changes in the local database to each other immediately following each new registration or IP address change registration. The Bos1 and Bos2 WINS servers must replicate changes in the local database to each other every 30 minutes. The changes in the WINS database in either location should be replicated to the other location every three hours.

How should you configure the WINS servers to accomplish these goals? (Choose three)

A. Configure the WINS servers to enable burst handling. Set the number of requests for burst handling to 1

B. Configure the NY1 and NY2 WINS servers as push/pull partners of each other. Configure both WINS servers to use persistent connections for push replication partners. Set the number of changes before replication to 1

C. Configure the Bos1 and Bos2 WINS servers as push/pull partners of each other. Specify a replication interval of 30 minutes

D. Configure the Bos1 and Bos2 WINS servers as push/pull partners of each other. Configure both WINS servers to enable periodic database consistency checking every 30 minutes

E. Configure the NY1 and the Bos1 WINS servers as push partners of each other. Configure both WINS servers to update statistics every three hours.

F. Configure the NY1 and the Bos1 WINS servers as push/pull partners of each other. Specify a replication interval of three hours.

 

 

22. You are the administrator of a Windows 2000 network. The network has three Windows 2000-based WINS servers named Srv1, Srv2, and Srv3. You want to periodically compact the WINS database to reclaim unused space.

How should you perform a manual compaction of the WINS database on the Srv1 WINS server?

A. Configure the Srv1 WINS server to block replication of WINS records from the Srv2 and Srv3 WINS servers. Initiate database consistency checking. Allow replication of records from the Srv2 and Srv3 WINS servers.

B. Stop the Srv1 WINS server. Use the jetpack command-line tool to compact the WINS database. Start the Srv1 WINS server again.

C. Stop the Srv1 WINS server. Use the Backup Database command to create a backup of the Srv1 WINS database. Compact the backup of the database by using the compact command-line tool. Use the Restore Database command to restore the backup of the database. Start the Srv1 WINS server again

D. In the WINS console, use the Scavenge Database command

 

23. You are the administrator of a Windows 2000 network. The network has six Windows 2000-based WINS servers and two Windows 2000-based DHCP servers. To anticipate the migration of the network from WINS to DNS, you decide to remove one WINS server named Wins6 from the network by performing the following actions.

On Wins6, stop the WINS Service and uninstall WINS. On the DHCP servers in the network, reconfigure the scope options to no longer specify Wins6 as a WINS server. Configure the DHCP options to instead use the other five WINS servers equally. On WINS client computers that are manually configured to use TCP/IP, re-configure the network properties to no longer use Wins6 as a WINS server. Configure these client computers to instead use any of the other five WINS servers. On one of the remaining WINS servers, delete the static mappings originally made on Wins6.

After two weeks, you notice that static mappings originally made on Wins6 are still present on all the remaining WINS servers.

What should you do to permanently remove these unwanted static mappings from the remaining WINS servers?

A. On the remaining WINS servers, use the Scavenge Database command in the WINS console.

B. On the remaining WINS servers, perform an offline compaction of the WINS database

C. Configure the remaining WINS servers to use Migrate On handling of static entries

D. On one of the remaining WINS servers manually tombstone the Wins6 owner from the database.

 

Deleting and tombstoning records

WINS now provides improved database management through support for the following deletion operations:

Simple deletion, for deleting WINS database records stored on a single server database.

Tombstoned deletion, for deleting WINS database records replicated to databases on other WINS servers.

Multiple-group selection of displayed database records, for either simple or tombstoned deletion.

The WINS console also provides a simple and convenient utility for administratively removing records of any type, regardless of whether they are statically or dynamically added. In previous releases of Windows NT Server, other available WINS management tools could only administratively delete entries (such as static mappings) that were added in the same way.

How simple deletion works

Simple deletion removes the records that are selected in the WINS console only from the local WINS server you are currently managing. If the WINS records deleted in this way exist in WINS data replicated to other WINS servers on your network, these additional records are not fully removed. Also, records that are simply deleted on only one server can reappear after replication between the WINS server where simple deletion was used and any of its replication partners.

How tombstoning works

Tombstoning marks the selected records as tombstoned, that is, marked locally as extinct and immediately released from active use by the local WINS server. This method allows the tombstoned records to remain present in the server database for purposes of subsequent replication of these records to other servers.

When the tombstoned records are replicated, the tombstone status is updated and applied by other WINS servers that store replicated copies of these records. Each replicating WINS server then updates and tombstones these records. When all WINS servers complete replication of these records and a specified length of time (determined by the Verification Interval for each WINS server) elapses, then the records are automatically removed from WINS.

In most cases, WINS records should be tombstoned at the WINS server that originally owned them, to prevent deleted records from reappearing in WINS after subsequent replication with other servers.

The owner of a given WINS server record is typically the first server contacted by the WINS client during the registration process and the server first actually used to register the local names of the client in WINS. In most cases, the WINS server that owns a client name record in WINS corresponds to the primary WINS server configured on the WINS client computer. If the configured primary WINS server is not available during client registration, a configured secondary WINS server can perform the actual registration of the client name and become the owner.

Example: Tombstoned deletion in replicated WINS

Where tombstoned deletion is used at an owner WINS server in a replicated WINS network, the following sequence of events occurs to effect full removal of the selected records from all WINS servers that replicate the selected records.

The owner WINS server marks and changes the status of the selected WINS records in its local WINS server database from Active to Tombstoned.

WINS then treats the records as inactive and released from use. When these records are tombstoned locally, the owner WINS server does not respond to or resolve NetBIOS name queries for these names unless the records are registered again by the WINS client.

The owner WINS server replicates the selected records as tombstoned at subsequent replication cycles.

The records are not forcibly and immediately removed from WINS, but are flagged or marked for eventual deletion. The exact replication cycle interval is configured by the server Intervals properties, which you set in the WINS console. Records are not removed from WINS data until the time specified in the Extinction Interval has elapsed. This allows other WINS servers to be notified that these records are no longer in use, update their replicated mappings for these records, and further replicate this updated WINS data to other servers.

Records become extinct on all replicated WINS servers and are eventually removed physically from all WINS servers.

After all WINS servers that participate in replication complete a full replication cycle and arrive at a consistent state, the tombstoned records expire and are removed from the WINS database of each server at the next database scavenging operation. After scavenging occurs on all servers, the records no longer appear in the WINS console and are no longer physically stored in the WINS database.

 

24. You are the administrator of a Windows 2000 network. The network has three segments connected by a router. Each segment contains a Windows 2000-based WINS server and two other Windows 2000 Server computers. The network also has 300 Windows NT Workstation 4.0 WINS client computers distributed evenly over the three segments.

Users in each network segment inform you that they cannot browse any network resources on the other network segments. They do not have problems browsing their own segment.

How should you configure the network to enable users to browse for network resources on all three networks segments?

A. Configure all WINS client computers to be NetBIOS node type Mixed (m-node)

B. Configure all WINS client computers to use all three WINS servers.

C. On each WINS server, configure the Lmhosts file to contain entries that include #PRE and #DOM for the other two WINS servers

D. Configure the three WINS servers as replication partners of one another

 

 

 

 

25. You are the administrator of your company's network. The network consists of a single IP subnet that uses DHCP to automate client computer configuration. You install a WINS server on the network to reduce broadcast traffic for name resolution.

After several days, users report that the network response time is still unacceptably slow. You investigate and discover that the levels of broadcast traffic have not been reduced. When you view the WINS database, you also find that the only entry is for the WINS server itself.

What should you do to resolve this problem?

A. Configure the WINS server as a DHCP client computer

B. Configure the DHCP server as a WINS client computer

C. Configure a DHCP scope option to include the address of the WINS server.

D. Configure static mappings on the WINS server for each client computer

26. You are the administrator of your company's network. You have a portable computer that uses Microsoft Internet Explorer to access your company's Internet Information Services (IIS) computer. This application works successfully when your portable computer is docked at the office, but it fails when your portable computer is connected by Routing and Remote Access.

You want to configure your portable computer to connect to your company's network by Routing and Remote Access. You want to install only what is necessary while maximizing performance and minimizing administrative overhead.

What should you do?

To answer, click in the appropriate box or boxes in the Networking tab of the dialog box.

Internet Protocol (TCP/IP)

File and Printer Sharing for Microsoft Networks

Network Load Balancing

Client for Microsoft Networks

 

 

 

27. You are the administrator of a Windows 2000 domain. The domain has two Windows 2000 member server computers named Istanbul and Rome. Routing and Remote Access is enabled for remote access on Rome.

Internet Authentication Service (IAS) is installed on Istanbul

Rome uses Istanbul to authenticate remote access credentials. The remote access policies on Istanbul specify that domain members are allowed remote access to the network. However, users report that they are not allowed to dial in to Rome. When you investigate the problem, you discover that the configuration of Istanbul supports only local user accounts. What should you do?

 

 

A. Add Istanbul to the RAS and IAS Servers group in Active Directory

B. Configure Routing and Remote Access on Istanbul to use RADIUS Authentication

C. On Istanbul, add a realm replacement rule for the Windows 2000 domain.

D. On Istanbul, add a remote access policy that uses MS-CHAP

Windows 2000

The new model uses three servers running Windows 2000. When the user dials in and provides her credentials, the Windows 2000–based server is pointed to an Internet Authentication Server using RADIUS. Through the IAS server, the Windows 2000–based server asks RADIUS whether that user can get in.

The IAS server then queries the domain controller for the user’s credentials, and it applies any policies that the RADIUS server has been configured to verify. The IAS checks the credentials and policies, then passes a response back to the Windows 2000–based server. And Windows 2000 goes ahead and provides or denies access based on this reply.

This method enables centralized logging. Even if you have several remote access servers, you still only have to go to one RADIUS server to get the logs.

 

 

 

28. You are the administrator of a Windows 2000 network that consists of a single domain. Because no employee in your company should have the ability to encrypt files by using Encrypting File System (EFS), you need to remove this ability from all users in the domain

What should you do to accomplish this goal? (Choose all that apply)

A. From the Run command, start Secpol.msc

B. Go to the Encrypted Data Recovery Agents container and delete the certificate you find. From the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain policy.

C. Go to the Public Key Policies container and delete the Encrypted Data Recovery Agents policy. From the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain policy.

D. Go to the Encrypted Data Recovery Agents container and delete the certificate you find

E. Go to the Encrypted Data Recovery Agents container and initialize the empty policy. From the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain policy

F. Go to the Public Key Policies container and initialize the empty policy.

Disabling EFS for a Specific Set of Computers

A particular computer must have at least one valid recovery agent certificate to enable EFS. EFS does not allow encryption of data if no recovery agent certificate is specified by recovery agent policy. Therefore, you can disable EFS by setting either no recovery policy (where the policy is removed from the computer) or an empty recovery policy (where the policy remains, but the recovery agent certificates are deleted). These are applied as follows:

· Both no policy and empty policy disable EFS on a stand-alone computer.

· Both no policy and empty policy are ineffective in disabling EFS on the local computer in a domain if there is a policy at a higher level, such as a domain or organizational unit.

· Applying no policy at a higher level disables EFS at that level only. The lower-level computers use their own local policies.

· Applying empty policy at a higher level disables EFS at that level and all lower levels.

To set no recovery policy

1. On a stand-alone computer, open the MMC and add the Group Policy snap-in for the local computer.

2. In the Group Policy console, right-click Encrypted Data Recovery Agents, and then click Delete Policy.

3. Answer Yes when the system prompts you with the question Are you sure . . . ? The details pane of the window displays the message “There is no policy defined.”

If a domain administrator wants to disable EFS for all the computers in a domain or an organizational unit, the best way is to set an empty recovery policy. This is because the effective policy is an accumulation of Group Policy objects that are defined at various levels in the directory tree. The absence of a recovery policy at the domain or organizational unit level allows policies at a lower level to take effect. However, an empty recovery policy at these higher levels disables EFS by providing no effective recovery certificates and blocking the individual computers from using lower-level policies.

To set an empty policy at the domain or organizational unit level

1. Log on as Administrator of the initial domain controller created in the domain and display the certificate listings in the details pane of the window.

2. Right-click Administrator and any other certificate that might be listed in the details pane, and then click Delete.

3. Answer Yes to the question Permanently delete the selected certificate?

To re-enable EFS on the local computer

1. Restore recovery policy by right-clicking Encrypted Data Recovery Agents and then clicking Initialize Empty Policy.

2. After you have an empty policy, to re-enable EFS, you must add a policy by right-clicking Encrypted Data Recovery Agents and clicking Add. This starts the Add Recovery Agent wizard. The Add Recovery Agent wizard accepts a recovery agent certificate file only if it has a .cer extension.

To re-enable EFS on the domain or organizational unit

· Add one or more valid recovery agent certificates to EFS recovery policy by following the procedure in “Designate Assigning Recovery Agent Accounts” earlier in this chapter.

29. You are the administrator of your company's network. Your company has branch offices in New York and Paris. Because each branch office will support its own Routing and Remote Access server, you implement a Remote Authentication Dial-In User Service (RADIUS) server to centralize administration.

You remove the default remote access policy. You need to implement one company policy that requires all dial-up communications to use 40-bit encryption. You want to configure your network to require secure communications by using the least amount of administrative effort.

What should you do? (Choose two)

A. Create one remote access policy on each Routing and Remote Access server

B. Create one remote access policy on the RADIUS server

C. Set encryption to Basic in the remote access policy or policies

D. Set encryption to Strong in the remote access policy or policies

E. Enable the Secure Server IPSec policy on the RADIUS server

F. Enable the Server IPSec policy on the RADIUS server

 

 

 

 

30. You are the administrator of your company's network. You need to implement a remote access solution that is highly available and highly secure. Your company consists of a single location and has a T3 connection to the Internet. Your company has 1,000 salespeople who need reliable connectivity to the company network from any remote location. All servers are running Windows 2000 Advanced Server, and all client computers are running Windows 2000 Professional.

You want to accomplish the following goals:

No single point of failure, aside from total loss of the T3, will result in total loss of remote access connectivity.

No authentication traffic will be carried as clear text.

No data traffic will be carried as clear text.

Support for at least 200 simultaneous remote users accessing the network will be available at all times.

You take the following actions:

Install three virtual private network (VPN) servers at the main office.

Configure each VPN server to support 150 PPTP connections.

Configure the client computers to use Password Authentication Protocol (PAP) as the authentication protocol.

Create DNS Round Robin entries with a Time to Live (TTL) of zero for each VPN server

Which result or results do these actions produce? (Choose all that apply)

A. No single point of failure, aside from total loss of the T3, results in total loss of remote access connectivity

B. No authentication traffic is carried as clear text

C. No data traffic is carried as clear text

D. Support for at least 200 simultaneous remote users accessing the network is available at all times

Option D is not valid because if we lose two points, we are configured to support only 150 users, not 200.

 

 

 

 

31. You are the administrator of your company's network. You are configuring your users' portable computers to allow users to connect to the company network by using Routing and Remote Access. You test the portable computers on the LAN and verify that they can successfully connect to resources on the company network by name. When you test the connection through Remote Access, all of the portable computers can successfully connect, but they cannot access files on computers on different segments by using the computer name.

What should you do to resolve this problem?

A. Set the authentication method to Allow remote systems to connect without authentication

B. Enable the computer account for each portable computer

C. Change the computer name on each portable computer

D. Install the DHCP Relay Agent on the Remote Access server

B is not valid because all the computers already have an account; they can connect to the company's resources. We must assume that the parameters provided by the DHCP server are not passing all the options correctly, except the IP address.

 

 

32. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named DeskA. Routing and Remote Access is enabled for remote access on DeskA.

Your company is organizing an industry trade show in a conference center. You have set up 15 desks and telephones in the conference area. During the conference, attendees will be allowed to dial in to your network by using any of the 15 telephones. Each telephone line has its own telephone number. The conference attendees can use their own portable computers to dial in.

When attendees dial in to DeskA, they do not need to specify a user name or password. However, you do not want to allow dial-in access from any telephone other than the 15 telephones in the conference area.

You enable unauthenticated access on the DeskA remote access server. You also create a remote access policy named Conference that allows unauthenticated access as the authentication method.

Attendees report that they are not able to dial in unless they specify a user name and password

You want to ensure that attendees can dial in without specifying a user name and password. What should you do?

A. Create a user account named Conference Guest. Configure Routing and Remote Access to use the Conference Guest account as the default user identity.

B. Configure the Conference Guest account to use the 15 phone numbers as Caller ID. Create 15 user accounts named Conf-1, Conf-2, Conf-3, and so on through Conf-15. Specify a separate Caller ID phone number for each of the 15 users.

Caller ID does not exist; the correct term is Called Station ID, and the condition is the phone number dialed by the user.

C. Create 15 user accounts that use each phone number as the user name. Configure Routing and Remote Access to use the calling number as the authentication identity.

D. Configure the Conference remote access policy so that it has a Calling-Station ID condition. Use the 15 phone numbers as the condition.

Calling Station ID is the condition that matches the phone from which the call originated. Because we do not need to have any users, the condition must be based on the Calling Station ID.

 

 

 

 

33. You are the administrator of your company's network. To facilitate connections for remote administration, you install Routing and Remote Access on a Windows 2000 domain controller.

You want to accomplish the following goals

Only administrators will have dial-up access.

Dial-up connections will be accepted only from 4:00 PM to 7:00 AM.

Connections will be forcibly disconnected after 20 minutes of inactivity

All connections will encrypt all communications

Connections will be limited to one hour

You take the following actions

Set the level or levels of encryption to No Encryption and Basic.

Add Domain Admins to the Windows Group Policy condition.

Configure the rest of the remote access policy as shown in the exhibit (Click the Exhibit button)

Idle time 60

Max session time 20

Allow dial times Sun 07:00-16:00

Mon 07:00-16:00 etc.

Which result or results do these actions produce? (Choose all that apply)

A. Only administrators have dial-up access

B. Dial-up connections are accepted only between 4:00 PM and 7:00 AM

C. Connections are forcibly disconnected after 20 minutes of inactivity

D. All connections encrypt all communications

E. Connections are limited to one hour

The idle time and the max session times were backwards so neither of those was accomplished.

The Allow Dial-In times should have been 12:00-07:00 and 16:00-12:00 for every day of the week.

No match: the idle time must be 20 to lose the connection by inactivity. They get disconnected by time, not by idle.

 

 

 

 

 

 

 

34. You are the administrator of your company's Routing and Remote Access servers. Your company's administrators are able to dial in to the company's network to perform remote monitoring and administration. This remote monitoring and administration requires an excessive amount of network bandwidth. You want to allow only administrators to use multiple phone lines, and you want to limit all other users to a single phone line.

You want to configure multiple phone-line network connections to adapt to changing bandwidth conditions. When the phone lines fall below 50 percent capacity, you want to reduce the number of phone lines utilized. You also want to allow all users the ability to connect to the network by Routing and Remote Access. No default remote access policies currently exist

What should you do? (Choose three)

A. Create one remote access policy on the Routing and Remote Access server

B. Create two remote access policies on the Routing and Remote Access server

C. Allow Multilink

D. Decrease the maximum number of ports used by the Routing and Remote Access server

E. Select the Require Bandwidth Allocation Protocol (BAP) for the Dynamic Multilink Requests check box.

F. Increase the maximum number of dial-up sessions

With one policy and editing the profile we match the conditions (Multilink, BAP), and with D we decrease the ports available to connect users.

 

 

 

 

35. You are the administrator of a Web server hosted on the Internet that is running on a Windows 2000 Server computer. Your company's Web developers have developed applications that download ActiveX controls automatically to your customers' browsers. You discover that the default security settings on your customers' browsers are preventing the ActiveX controls from being downloaded automatically. You want to facilitate the downloading of ActiveX controls from your Web server to the Internet clients. What should you do?

A. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for code signing

B. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web developers to request a certificate for trust list signing.

C. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for trust list signing

D. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web developers to request a certificate for code signing

The trick to the question is that it must be automatic; the users do not need to know anything.

Enterprise Root CA

An enterprise root CA is the root of an organization's CA hierarchy. An organization should set up an enterprise root CA if the CA will be issuing certificates to users and computers within the organization. In large organizations, the enterprise root CA is used only to issue certificates to subordinate CAs. The subordinate CAs issue certificates to users and computers. The enterprise root CA requires the following:

Windows 2000 DNS Service, Windows 2000 Active Directory Service

Administrative privileges on all servers

 

 

 

35-1. Your organization is using CA to provide identification to users. You would like to ensure customers of your identity while providing employees access to secure areas on your web server. What type of CA would you install?

A. Install an enterprise CA on your server.

B. Install a subordinate enterprise CA on your server from a known commercial CA.

C. Install a stand-alone CA on your server.

D. Install a stand-alone subordinate CA on your server from a known commercial CA.

Enterprise Subordinate CA

An enterprise subordinate CA is a CA that issues certificates within an organization but is not the most trusted CA in that organization; it is subordinate to another CA in the hierarchy.

The enterprise subordinate CA has the following requirements:

It must be associated with a CA that will process the subordinate CA's certificate requests. This could be an external commercial CA or a stand-alone CA.

Windows 2000 DNS Service.

Windows 2000 Directory Service.

Administrative privileges on all servers.

 

 

 

 

36. You are the administrator of a Windows 2000 network. Your company wants you to provide a high level of security for its Public Key Infrastructure. You decide to create an offline root Certificate Authority (CA). You want the offline root CA to be capable of processing certificate requests from files, and you want the offline root CA to be recognized as a trusted root authority for Windows 2000 client computers.

How should you create the offline root CA?

A. On a member Windows 2000 Server computer that is connected to the network, create an Enterprise CA. After you install the CA, remove the server to a secure and separate location

B. On a member Windows 2000 Server computer, create a subordinate Enterprise CA that uses a Commercial CA as the certifying authority. After you install the CA, remove the server to a secure and separate location

C. On a stand-alone Windows 2000 Server computer that is isolated from the network, create a Stand-Alone CA. Export the certificate for the CA to a floppy disk

D. In the Default Domain Group Policy object (GPO), import the certificate to the Enterprise Trust Certificate Store

E. On a stand-alone Windows 2000 Server computer that is isolated from the network, create a Stand-Alone CA. Export the certificate for the CA to a floppy disk. In the Default Domain Group Policy object (GPO), import the certificate to the Trusted Root Certification Authority Store

Stand-Alone Subordinate CA

A stand-alone subordinate CA is a CA that operates as a solitary certificate server or exists in a CA trust hierarchy. An organization should set up a stand-alone subordinate CA when it will be issuing certificates to entities outside the organization.

The stand-alone subordinate CA has the following requirements:

It must be associated with a CA that will process the subordinate CA's certificate requests. This could be an external commercial CA.

Administrative privileges on the local server.

Certificate enrollment is the process of obtaining a digital certificate.

Protecting a CA

CAs are high-value resources, and it is often desirable to provide them with a high degree of protection. Specific actions that should be considered include:

Physical protection. Because CAs represent highly trusted entities within an enterprise, they should be protected from tampering. This requirement is dependent on the inherent value of the certification made by the CA. Physical isolation of the CA server in a facility accessible only to security administrators can dramatically reduce the possibility of such physical attacks.

Key management. The CA's private key provides the basis for trust in the certification process and should be secured from tampering. Cryptographic hardware modules (accessible to Certificate Services through a CryptoAPI CSP) can provide tamper-resistant key storage and isolate the cryptographic operations from other software running on the server. This significantly reduces the likelihood of a CA key being compromised.

Restoration. Loss of a CA—due to hardware failure, for example—can create a number of administrative and operational problems and prevent revocation of existing certificates. Certificate Services supports backup of a CA instance so it can be restored at a later time. This is an important part of the overall CA management process.

37. You are the administrator of a Windows 2000 network. Some of the members of your company's graphics department use Macintosh computers and are not using Internet Explorer as their browser. These users inform you that they cannot request valid user certificates from your Enterprise Certificate Authority (CA). You want to make it possible for these users to request certificates by using Web-based enrollment.

What should you do?

A. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to Basic Authentication

B. In the Policy Settings container in the CA console for your CA, add a new Enrollment Agent certificate

C. Edit the ACL on the user certificate template to grant the graphics department users enroll access

D. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to Integrated Windows Authentication

A, B and C can be, but if we can choose only one, the high level is C; they must have access to enroll

 

38. You are the administrator of a Windows 2000 network. The network consists of one Windows 2000 domain that has Windows 2000 Professional client computers and Windows NT Workstation 4.0 client computers. To create a digital certificate, you use a stand-alone certificate server configured as a root Certificate Authority (CA). You use the digital certificate to secure a virtual directory on your Internet Web server

Users report that when they connect to the virtual directory by means of a new URL, a Security Alert dialog box appears with the following warning message 'The security certificate was issued by a company you have not chosen to trust'

You want to prevent this warning message from appearing. You also want to avoid any unnecessary reconfiguration of either the certificate server or the Web server.

What should you do?

A. Inform your users of the new URL that points to the host name used in the digital certificate

B. Configure a Group Policy that automatically installs as a trusted authority in the client computers the digital certificate for the certificate server

C. Inform your users that they need to install a client certificate from the certificate server

D. Inform your users that they need to install as a trusted authority in the client computers the digital certificate for the certificate server

39. You are the administrator of your company's network. The network consists of Windows 2000 Server computers, Windows NT Workstation client computers, and Windows for Workgroups 3.11 client computers distributed across three subnets. All client computers are configured as DHCP client computers to automate TCP/IP configuration.

You install a WINS server on one subnet on your network. You also define a DHCP scope option to include the WINS server's address.

Users report that they can access resources on servers on their own subnet, but they cannot access resources on other subnets.

What should you do to resolve this problem?

A. Use the ipconfig /renew command to refresh the client computers' configuration

B. Use the ipconfig /release command to refresh the client computers' configuration

C. Install a WINS proxy agent on the subnet that hosts the WINS server

D. Install a WINS proxy agent on the subnets that do not host the WINS server

 

40. You are the administrator of a Windows 2000 network. The network has 18,000 Windows 2000 Professional WINS client computers and six Windows 2000-based WINS servers. The WINS client computers are portable client computers, and they frequently connect to the network at different locations. The WINS client computers access NetBIOS-based resources. The TCP/IP configuration of the WINS client computers is provided by DHCP servers on the network.

Some of the WAN links in your network are unreliable. You want to ensure that all Windows 2000 Professional computers are able to resolve NetBIOS names, even if some of the WINS servers are not available

How should you configure the network to accomplish this goal?

A. On each segment, configure a computer as a WINS proxy

B. Configure the DHCP servers to provide each client computer with a list of WINS servers.

C. Configure the WINS servers to enable burst handling. Set the number of requests for burst handling to High

D. Configure the DHCP server to set the NetBIOS over TCP/IP node type for each client computer to Mixed node

 

 

 

 

41. You are not running in native mode.

Your company is a sales organization and has 150 salespeople. When these salespeople are out of the office, they require file and print services, e-mail, and access to the company's product and inventory database. These salespeople belong to a group named SalesMobile.

Your company has dedicated T1 access to the Internet. Your company also uses a virtual private network (VPN) to reduce the costs and hardware required to support the salespeople.

You want to accomplish the following goals:

Required network resources will be accessible to all salespeople

Connections to the network will be made only by salespeople

Sensitive company data will be kept confidential over the VPN connections

Access to the network will only take place during business hours

All salespeople will be able to connect to the network simultaneously

You take the following actions:

On a Windows 2000 Server computer, install Routing and Remote Access and configure virtual private networking.

Increase the WAN Miniport (PPTP) maximum port limit to 150.

Create a new remote access policy that has the condition to allow access to the users in the SalesMobile group

Set the new remote access policy's order of precedence higher than the default policy.

Edit the default remote access profile to require strong encryption of data.

Which result or results do these actions produce? (Choose all that apply)

A. Required network resources are accessible to all salespeople

B. Connections to the network are made only by salespeople

C. Sensitive company data is kept confidential over the VPN connections

D. Access to the network only takes place during business hours

E. All salespeople are able to connect to the network simultaneously

 

 

 

 

 

42. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Delta. Routing and Remote Access is enabled for remote access on Delta. The domain is in native mode. For all user accounts, the dial-in permission is set to control access through remote access policies.

You want to allow all users in the domain to dial in during the workday.

You also want to allow only members of the global security group named Support Staff to be able to dial in between 6:00 PM and 8:00 AM.

However, you do not want to allow the Support Staff members to be able to dial in when the log files are made each day between 7:00 AM and 8:00 AM.

You create four remote access policies on Delta as shown in the following table:

Name | Condition | Permission | Profile

Domain users all policy | Windows-group=Domain users | Access | (default)

Support staff all policy | Windows-group=Support staff | Access | (default)

Domain users 6-8 policy | Day-and-Time=6PM-8AM, Windows-group=Domain users | Deny | (default)

Support staff 7-8 policy | Day-and-Time=7AM-8AM, Windows-group=Support staff | Deny | (default)

To specify the appropriate access control for Delta, click the Select and Place button, and then drag the remote access policies and place them in the correct order.

 

The question is similar to this drawing and is drag and drop over the question

 

43. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Vegas. Routing and Remote Access is enabled for remote access on Vegas. Some of the remote access client computers require the use of CHAP.

You enable CHAP on Vegas. You also configure the appropriate remote access policy to use CHAP. However, users who require CHAP report that they are not able to dial in to Vegas

What should you do?

A. Configure Vegas to prohibit the use of LAN Manager authentication

B. Configure Vegas to disable the use of Internet Control Protocol (LCP) extensions

C. Configure the user accounts by selecting Store passwords using reversible encryption. Set the user passwords to change the next time each user logs on

D. Configure the user accounts to use a static IP address when they dial in to the network

 

 

44. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Ras5. Routing and Remote Access is enabled for remote access on Ras5. The domain also has a Windows NT 4.0 member server computer named Ras4. Ras4 is running Remote Access Service (RAS).

The domain is in mixed mode.

Users in the domain use Windows 2000 Professional computers to dial in to the network through Ras4 or Ras5. However, Ras4 is not able to validate remote access credentials of domain accounts.

How should you configure the network to enable the Windows NT 4.0 Ras4 member server computer to validate remote access domain users?

A. Change the domain from mixed mode to native mode

B. Add the Ras4 computer account to the RAS and IAS Servers group

C. Add the Everyone group to the Pre-Windows 2000 Compatible Access group

D. Create a remote access policy that has the Ras4 computer account as a condition Grant remote access permission if the condition matches the properties of the dial-in attempt

 

 

 

 

45. You are the administrator of a Windows 2000 network. Your network has one primary internal DNS server and one primary external DNS server.

Your network has three secondary DNS servers that transfer zone information from the primary external DNS server. The secondary DNS servers are installed on two Windows 2000 Server computers and one Windows NT Server 4.0 computer.

The primary external DNS server is used to host records for your company's Web and mail servers. It has only a limited number of resource records in its zone file. The Web server and the mail server have static IP addresses.

When you monitor the secondary DNS servers by using System Monitor, you notice a high number of hits when monitoring the counter Zone Transfer SOA Requests Sent. You want to minimize the bandwidth that is required for this traffic

What should you do? (Choose two)

A. Upgrade the Windows NT Server 4.0 computer that is hosting the secondary DNS server to a Windows 2000 Server computer

B. Configure the notify list on the primary external DNS server to notify the secondary DNS servers when there are changes to be replicated.

C. Reconfigure the primary external DNS server so that it does not allow dynamic updates

D. Increase the value of the Refresh interval in the SOA (start of authority) record

E. Decrease the value of the Refresh interval in the SOA (start of authority) record

D will be valid too because we have a limited number of records; by increasing the value, the traffic will be delayed. The default refresh interval is 15 minutes

 

 

46-0. You are the administrator of your company's network. Your Windows 2000 Server computer named Srv2 cannot communicate with your UNIX server named Srv1. Srv2 can communicate with other computers on your network. You try to ping Srv1, but you receive the following error message: "Unknown host Srv1."

You create an A (host) record that has the correct name and IP address. However, when you try to ping Srv1 again, you receive the same error message. What should you do to resolve this problem?

A. Restart the DNS server

B. Clear the DNS Server Cache

C. Run the ipconfig /registerdns command on Srv2

D. Run the ipconfig /flushdns command on Srv2

To open a command prompt, click Start, point to Programs, point to Accessories, and then click Command Prompt.

The ipconfig /flushdns command provides you with a means to flush and reset the contents of the DNS client resolver cache. During DNS troubleshooting, if necessary, you can use this procedure to discard negative cache entries from the cache, as well as any other dynamically added entries.

Resetting the cache does not eliminate entries that are preloaded from the local Hosts file. To eliminate those entries from the cache, remove them from this file. For more information, see Related Topics.

Although the ipconfig command is provided for earlier versions of Windows, the /flushdns option is only available for use at computers running Windows 2000. The DNS Client service must also be started.

 

 

 

46-1. From a client running Windows 2000 Professional, you attempt to ping a UNIX host on your network. You receive the following error message:

"Unknown host computer4.company.com"

You are not having connectivity problems with any other computers on your network. Eventually, you realize this message is due to the fact that you haven't registered the UNIX host with your DNS server. After adding the UNIX host to your DNS server, you still get the same error message.

What step should you take next?

A. Enter the command "ipconfig /registerdns" on the Windows 2000 Professional client to make sure that it is also registered in DNS.

B. Check to make sure that the subnet mask is configured properly on your machine. Incorrect subnet mask configuration can often cause connectivity problems.

C. Configure a default gateway for your Windows 2000 Professional client.

D. Enter the command "ipconfig /flushdns" on the Windows 2000 Professional client to clear the DNS resolver cache.

 

 

 

 

47. You are the network administrator for Woodgrove Bank. Your network is configured as shown in the exhibit (Click the Exhibit button)

Srv2 and Srv3 are configured as caching-only servers. Both servers forward requests to Srv1. Srv1 is configured as the primary server for the woodgrovebank.com domain.

Users on networks 10 10720 and 10 10730 frequently use an Internet application that gathers stock quotes from various servers on the woodgrovebank.com domain

You want to reduce DNS network traffic. What should you do?

A. Increase the Time to live (TTL) for the SOA (start of authority) record on Srv1

B. Increase the Time to live (TTL) for the SOA (start of authority) record on Srv2 and Srv3

C. Set the Server Optimization option on Srv2 and Srv3 to Maximize data throughput for network applications

D. Increase the forward time-out (seconds) on Srv2 and Srv3

Time-To-Live (TTL)

For most resource records, this field is optional. It indicates a length of time used by other DNS servers to determine how long to cache information for a record before expiring and discarding it.

For example, most resource records created by the DNS Server service inherit the minimum (default) TTL of 1 hour from the start of authority (SOA) record which prevents overlong caching by other DNS servers.

For an individual resource record, you can specify a record-specific TTL that overrides the minimum (default) TTL inherited from the SOA RR. TTL values of zero (0) can also be used for resource records that contain volatile data not to be cached for later use after the current DNS query in progress is completed.

Using forwarders exclusively (no recursion)

When a DNS server is configured to use forwarders, they are used before any other means of resolving a name is tried. If the list of forwarders fails to provide a positive answer, a DNS server can attempt to resolve the query itself using iterative queries and standard recursion.

A server can also be configured to not perform recursion after forwarders fail. In this configuration, the server does not attempt any further recursive queries itself to resolve the name. Instead, it fails the query if it does not get a successful query response from any of the forwarders.

This forces a DNS server to use its configured forwarders exclusively to perform final resolution when resolving a name query. In this mode of operation, a server configured to use forwarders can still check in its configured zones first to attempt to resolve a queried name. If it finds a match in its authoritative data there, it can answer the query based on that information.

To use this option, select the Do not use recursion option on the Forwarders tab when a server is configured to use forwarders.

Note

When using forwarders, queries are sent to each forwarder in the list, which is given a time-out value, in seconds, within which it must respond before the next forwarder is tried.

 

48. You are the administrator of a Windows 2000 network. Your company's primary DNS server, named ns1.contoso.com, is heavily used, and the CPU utilization on this server is consistently high.

Because of the large number of records that are stored on the DNS server, you suspect that some DNS queries result in answers that exceed the limit for a single UDP packet

You want to know if answers to DNS queries are exceeding the limit for a single UDP packet

What should you do?

A. Start System Monitor. On the DNS server, monitor the counters for DNS TCP Responses Sent and DNS TCP Responses Sent/Sec.

B. Start System Monitor. On the DNS server, monitor the counters for DNS UDP Message Memory.

C. Use Network Monitor to analyze network traffic. Use nslookup on a separate computer to query for NS records on the primary DNS server. Compare the number of UDP packets returned from the DNS server in response to your queries with the number of queries you issued

D. Use Network Monitor to analyze network traffic. From a client computer on your network, ping host records that are stored on your DNS server. Compare the number of UDP packets returned from the DNS server in response to your queries with the number of queries you issued

 

49. You are the administrator of your company's network. The network consists of a single Windows 2000 domain that spans multiple locations. The locations are connected over the Internet by using Routing and Remote Access

Resources are located on TCP/IP hosts on your network. To facilitate name resolution for client access to these resources, you implement Windows 2000 DNS servers on your network.

You want to ensure that when the zone transfer traffic between your DNS servers crosses the Internet links between the locations, it cannot be compromised by outside parties. What should you do?

A. Select the option to allow zone transfers only to servers listed on the Name Servers tab

B. Set up an Active Directory integrated zone

C. Set the Allow Dynamic Updates setting for your zone to No

D. Set the Allow Dynamic Updates setting for your zone to Only Secure Updates

Secure dynamic update

For Windows 2000, DNS update security is available only for zones that are integrated into Active Directory. Once you directory-integrate a zone, access control list (ACL) editing features are available in the DNS console so you can add or remove users or groups from the ACL for a specified zone or resource record.

 

50. You are the administrator of your company's network. Your company has a main office, two large branch offices, and two small branch offices. The company's network consists of one Windows 2000 domain. The main office and the two large branch offices are connected by dedicated T1 lines, as shown in the exhibit (Click the Exhibit button)

The two small branch offices use 128-Kbps ISDN lines and Routing and Remote Access over the Internet to connect to the company's internal network

You are designing your DNS name resolution environment. You want to accomplish the following goals.

DNS name resolution traffic across the WAN links will be minimized.

DNS replication traffic across the WAN links will be minimized

DNS replication traffic across the public WAN links will be secured

Name resolution performance for client computers will be optimized

You take the following actions:

Install the DNS Server service on one domain controller at each office

Create an Active Directory integrated zone on each DNS server at each office.

Configure client computers to query their local DNS server

Configure the zones to allow dynamic updates

Which result or results do these actions produce? (Choose all that apply)

A. DNS name resolution traffic across the WAN links is minimized

B. DNS replication traffic across the WAN links is minimized

C. DNS replication traffic across the public WAN links is secured.

D. Name resolution performance for client computers is optimized

 

51. You are the administrator of your company's network. To allow fault tolerance for your external DNS server, your Internet service provider (ISP) hosts a DNS server on its UNIX server. The UNIX server is used as the secondary DNS server for your primary external DNS server

Users inform you that they are not able to connect to the URL of the company's Web server. You investigate and discover that this inability to connect occurs during times when your primary external DNS server is unavailable.

What should you do to resolve this problem?

To answer, click the appropriate check box in the Advanced tab of the London Properties dialog box

In the Server options list, select the ‘Bind Secondaries’ check box, and then click OK.

DNS servers running versions of the Berkeley Internet Name Domain (BIND) server implementation prior to version 4.9.4 do not support the fast transfer format. You should enable this option only if you are transferring zones to BIND servers running version 4.9.4 or later.

52. You are the administrator of your company's network. The network consists of one Windows 2000 domain. All servers and client computers are running Windows 2000. To facilitate name resolution and client access to resources on the servers, you have configured your DNS standard primary zone to include the addresses of all of your servers. You later add three new member servers to your network. Users report that they can find these servers in the directory but cannot access these servers

You want to resolve this problem.

What should you do?

A. Convert the DNS standard primary zone to an Active Directory integrated zone

B. Create SRV (service) records for each new server in the DNS zone.

C. Set the Allow Dynamic Updates setting for the DNS standard primary zone to Yes

D. Set the Allow Dynamic Updates setting for the DNS standard primary zone to Only Secure Updates

DNS and Active Directory configuration,

Integrated storage,

Merged replication of Active Directory and DNS data,

Secure authentication when allowing dynamic updates

 

 

 

53. You are the administrator of the contoso.com domain. Your network environment consists of a main office and two branch offices. The branch offices are connected to the main office by 256-Kbps leased lines. You have a single DNS zone, and all DNS servers are located at the main office. All servers on your network are running Windows 2000 Server. Your network is not connected to the Internet.

Users report that response times are extremely slow when they attempt to access intranet resources. When you monitor the network, you discover that DNS name resolution queries are generating heavy traffic across the WAN links.

You want to accomplish the following goals:

Name resolution traffic across the WAN links will be reduced

Response times for name resolution queries will be reduced

Administrative overhead for DNS maintenance will be minimized

Current DNS namespace design will be maintained.

You take the following actions:

Increase the refresh interval for zone transfers.

For each branch office, create a new Windows 2000 domain in the same tree as the first domain.

Install a DNS server and create a new standard primary DNS zone for each new Windows 2000 domain

Configure each DNS server to forward requests to the other DNS servers on the network

Add resource records for each office's local intranet resources to the local zone files

Configure client computers in the branch offices to query their local DNS servers only.

Which result or results do these actions produce? (Choose all that apply)

A. Name resolution traffic across the WAN links is reduced

B. Response times for name resolution queries are reduced

C. Administrative overhead for DNS maintenance is minimized

D. Current DNS namespace design is maintained

Because we have the same structure, without adding and delegating zones to additional DNS servers in each location the load will not decrease

 

 

 

54. You are the administrator of your company's network. You configure a Windows 2000 Server computer as the DNS server for your network. You create both standard primary forward lookup and reverse lookup zones.

You discover that when you use the nslookup utility, you cannot resolve host names from IP addresses on your network. You also discover that when you run the Tracert.exe utility, you receive the following error message.

"Unable to resolve target system name"

What should you do?

A. Create A (host) records in the forward lookup zone

B. Create A (host) records in the reverse lookup zone

C. Create PTR (pointer) records in the forward lookup zone

D. Create PTR (pointer) records in the reverse lookup zone

Pointer (PTR) resource records

Pointer (PTR) RRs are used to support the reverse lookup process, based on zones created and rooted in the in-addr.arpa domain. These records are used to locate a computer by its IP address and resolve this information to the DNS domain name for that computer.

PTR RRs can be added to a zone in several ways:

You can manually create a PTR RR for a static TCP/IP client computer using the DNS snap-in, either as a separate procedure or as part of the procedure for creating an A RR.

Computers running Windows 2000 can use the DHCP Client service to dynamically register and update their PTR RR in DNS when an IP configuration change occurs.

All other DHCP-enabled client computers can have their PTR RRs registered and updated by the DHCP server if they obtain their IP lease from a qualified server. The DHCP service provided with Windows 2000 Server provides this capability.

The pointer (PTR) resource record is used only in reverse lookup zones to support reverse lookup. For

 

 

 

55. You are the administrator of the contoso.com domain. Your network environment consists of a main office and two branch offices. The branch offices are connected to the main office by 256-Kbps leased lines. You have a single DNS zone, and all DNS servers are located at the main office. All servers on your network are running Windows 2000 Server. Your network is not connected to the Internet.

Users report that response times are extremely slow when they attempt to access intranet resources. When you monitor the network, you discover that DNS name resolution queries are generating heavy traffic across the WAN links.

You want to accomplish the following goals

Name resolution traffic across the WAN links will be reduced.

Response times for name resolution queries will be reduced

Administrative overhead for DNS maintenance will be minimized

Current DNS namespace design will be maintained

You take the following actions

Create a new secondary DNS zone at each branch office. Use the primary zone at the main office as the master zone.

Increase the refresh interval for zone transfers.

Configure the client computers to query their local DNS servers.

Which result or results do these actions produce? (Choose all that apply)

A. Name resolution traffic across the WAN links is reduced.

B. Response times for name resolution queries are reduced

C. Administrative overhead for DNS maintenance is minimized

D. Current DNS namespace design is maintained

 

 

 

 

56. You are the administrator of a Windows 2000 network that consists of three subnets. For load-balancing purposes, each Web server on your network is configured to maintain exactly the same content as all the other Web servers.

You want to configure your DNS server to allow users to type a host name in their browsers to connect to the Web server that is on the same subnet. The host name that all users type will be identical regardless of the subnet they are on.

How should you configure your DNS server?

A. On the primary DNS server, create three A (host) records that map the same host name to the IP address of the Web server on each subnet

B. On the primary DNS server, create one A (host) record that is located on the same subnet as the DNS server. On the secondary DNS servers on the two remaining subnets, edit the zone file for the domain on each DNS server to include an A (host) record for the Web server on each subnet

C. On the primary DNS server, create three A (host) records that map a different host name to the IP address of the Web server on each subnet.

D. On the primary DNS server, create one A (host) record for one Web server and two CNAME (canonical name) records for the remaining two Web servers.

Alias (CNAME) resource records

Alias (CNAME) resource records are also sometimes called canonical names. These records allow you to use more than one name to point to a single host, making it easy to do such things as host both an FTP server and a Web server on the same computer.

For example

The well-known server names (ftp, www) are registered using CNAME RRs that map to the DNS host name, such as "server-1", for the server computer that hosts these services.

CNAME RRs are recommended for use in the following scenarios:

When a host specified in an A RR in the same zone needs to be renamed.

When a generic name for a well-known server such as www needs to resolve to a group of individual computers (each with individual A RRs) that provide the same service. For example, a group of redundant Web servers.

 

 

 

57. You are the administrator of your company's network. Your primary internal DNS server is installed on a UNIX computer named ns1.contoso.com.

The ns1.contoso.com server is configured to send zone transfers to a secondary DNS server installed on a Windows 2000 Server computer named ns2.contoso.com.

The ns1.contoso.com server is also configured to send zone transfers to a DNS server installed on a Windows NT Server 4.0 computer named ns3.contoso.com.

When you examine the records in the zone file on the ns2.contoso.com server, you notice that they do not match the records found on either the ns1.contoso.com server or the ns3.contoso.com server.

What should you do to correct this problem? (Choose all that apply)

A. Install the DNS Server service on a separate Windows 2000 Server computer on your network

B. Create sub zones on the UNIX DNS server.

C. Delegate the sub zones that contain the SRV (service) records to a separate DNS server

D. Configure the primary DNS server so that only the root zone is transferred to the Windows 2000 DNS server.

E. Configure the WINS resource records so that they are not replicated to secondary name servers

F. Clear the Fail on load if bad zone data check box in the properties of the primary DNS server

G. Change the zone on the primary DNS server from an Active Directory integrated zone to a standard primary zone.

 

 

 

 

58. You are the administrator of a Windows 2000 network. The network consists of 30 Windows 2000 Professional computers and two Windows 2000 Server computers named Athens and Boston. Athens has a permanent cable modem connection to the Internet.

All Windows 2000 Professional computers on the network are configured to use Automatic Private IP Addressing (APIPA). The network does not contain a DHCP server.

To allow all Windows 2000 Professional computers on the network to access the Internet through the cable modem connection of Athens, you install and configure the Network Address Translation (NAT) routing protocol on Athens

You decide to use IP addresses in the range of 192.168.40.1 through 192.168.40.50 for the network. Athens is configured to use an IP address of 192.168.40.1.

Boston is a Web server configured with an IP address of 192.168.40.2 and a default gateway of 192.168.40.1.

Your Internet service provider (ISP) has allocated two IP addresses, 207.46.179.16 and 207.46.179.17 to your network.

The network is shown in the exhibit (Click the Exhibit button)

You want to allow Internet users from outside your internal network to use an IP address of 207.46.179.17 to access the resources on Boston through the NAT service on Athens

How should you configure the network to accomplish this goal?

A. Configure Athens with a static route on the private interface of the NAT routing protocol. Use a destination address of 207.46.179.17, a network mask of 255.255.255.255, and a gateway of 192.168.40.2.

B. Configure Boston with a static route on the LAN interface. Use a destination address of 192.168.40.1, a network mask of 255.255.255.255, and a gateway of 207.46.179.17

C. Configure the LAN interface of Boston to use multiple IP addresses. Assign the additional IP address of 207.46.179.17 to the interface.

D. Configure the public interface of the NAT routing protocol to use an address pool with a starting address of 207.46.179.16 and a mask of 255.255.255.254. Reserve a public IP address of 207.46.179.17 for the private IP address of 192.168.40.2

 

 

 

 

59. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named SrvA and 30 Windows 2000 Professional computers. SrvA has a dial-up connection that connects to the Internet

All Windows 2000 Professional computers on the network are configured to use Automatic Private IP Addressing (APIPA). There is no DHCP server on the network.

SrvA is configured to use an IP address of 192.168.0.1. Routing and Remote Access and all the ports on SrvA are enabled for demand-dial routing. The Network Address Translation (NAT) routing protocol is added.

You want to allow all Windows 2000 Professional computers on the network to access the Internet through a translated demand-dial connection on SrvA.

How should you configure the network? (Choose four)

A. Create a new demand-dial interface for the local area connection

B. Create a new demand-dial interface for the dial-up connection

C. Add a public and a private interface to the NAT routing protocol

D. Configure the IP address of the Internet service provider (ISP) as the default gateway on the private interface

E. Add a default static route that uses the public interface.

F. Configure the NAT routing protocol to enable network address translation assignment and name resolution

G. Configure the public NAT interface with an address pool of 192.168.0.1

 

 

 

 

60. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named Srv1 and 12 Windows 2000 Professional computers. Srv1 has a dial-up connection that connects to the Internet.

Srv1 is configured to use Internet Connection Sharing to allow Internet access through the dial-up connection of Srv1.

The 12 Windows 2000 Professional computers are configured for static TCP/IP addressing. The IP addresses are 192.168.0.1 through 192.168.0.12, and the subnet mask is 255.255.255.0. The 12 Windows 2000 Professional computers have no default gateway configured.

You discover that the Windows 2000 Professional computers are not able to access the Internet through the dial-up connection of Srv1. You confirm that the preferred DNS server on the Windows 2000 Professional computers is configured correctly.

What should you do to allow all 12 computers to access the Internet through the dial-up connection of Srv1? (Choose all that apply)

A. On the Windows 2000 Professional computer with IP address 192.168.0.1, change the IP address to 192.168.0.13

B. Change the IP address on all 12 Windows 2000 Professional computers to 169.254.0.2 through 169.254.0.13

C. Change the subnet mask on all 12 Windows 2000 Professional computers to 255.255.0.0.

D. Change the default gateway on all 12 Windows 2000 Professional computers to 192.168.0.1

E. Change the default gateway on all 12 Windows 2000 Professional computers to 169.254.0.1

We need 13 addresses because one of them will be used for the default gateway address.

 

 

61. You are the administrator of a Windows 2000 network. The network consists of two Windows 2000 Server computers named ServerA and ServerB and 180 Windows 2000 Professional computers on one segment.

ServerA has an IP address of 192.168.2.1. ServerA is a DHCP server. The TCP/IP configuration of all the Windows 2000 Professional computers is provided by the DHCP server. The range of IP addresses used at ServerA is 192.168.20/24. The lease time used is 15 days.

You want to change the IP addresses on the network from 192.168.20/24 to 10.178.0/24.

ServerB has an IP address of 10.178.1. You install another DHCP server on ServerB. The range of IP addresses used at ServerB is 10.178.0/24 The lease time used is 15 days.

The network is shown in the exhibit (Click the Exhibit button )

To ensure compatibility, the two address ranges will be used concurrently on the same segment for three months. Routing between the two address ranges is provided by a router on the network

After you activate the DHCP scope on ServerB, users report that they are unable to obtain a valid IP address.

When you investigate the problem, you discover that each of the two DHCP servers responds with DHCP negative acknowledge (DHCPNAK) messages to leases requested by the client computers.

What should you do?

A. On the Windows 2000 Professional computers, disable Automatic Private IP Addressing (APIPA)

B. On the Windows 2000 Professional computers, configure the DHCP client computers to release the DHCP lease at shutdown.

C. On both DHCP servers, set the number of times the DHCP server should attempt conflict detection to 0

D. On both DHCP servers, configure a superscope so that it has both address ranges. Define an exclusion range for the entire address range of 10.178.0/24 on ServerA and of 192.168.20/24 on ServerB

E. On both DHCP servers, set scope option 031 Perform Router Discovery to 1 to enable the option on the Windows 2000 Professional computers

 

 

 

 

62. You are the administrator of your company's network. The network consists of 10 Windows 2000 Server computers, 100 Windows 2000 Professional computers, and 150 Windows NT Workstation computers. For workgroup collaboration and document sharing, all client computers have file and print sharing services enabled.

You are using DHCP to automate the TCP/IP configuration of all client computers

You want to accomplish the following goals

All client computers will be able to be located on the network by the network's fully qualified domain name.

A (host) records for all client computers will be automatically added to the DNS zone files.

PTR (pointer) records for reverse name lookup for all client computers will be automatically added to the DNS zone files

A records and PTR records will be automatically removed from the DNS zone files when the DHCP lease expires

You take the following actions

Configure the DHCP server to always update client computer information in DNS

Configure the DHCP server to discard forward lookups when the lease expires

Configure the DHCP server to update DNS for client computers that do not support dynamic updates

Configure the DHCP scope to configure the domain name for all DHCP client computers.

Which result or results do these actions produce? (Choose all that apply)

A. All client computers are able to be located on the network by the network's fully qualified domain name

B. A records for all client computers are automatically added to the DNS zone files

C. PTR records for reverse name lookup for all client computers are automatically added to the DNS zone files

D. A records and PTR records are automatically removed from the DNS zone files when the DHCP lease expires

 

 

 

 

63. You are the administrator of your company's network.

The network consists of five subnets that are connected by a BOOTP relay-enabled router.

There are 50 Windows 2000 Server computers and 1,000 Windows 2000 Professional client computers distributed approximately evenly across the five subnets.

There are also 25 UNIX servers and 100 DHCP-enabled network printers on the network

You want to accomplish the following goals

The correct assignment of IP addresses to each client computer on each subnet will be automated

Address conflicts between client computers and servers will be prevented

Correct scope options will be applied to each client computer on each subnet

Client computers that are not in use will be prevented from keeping an IP address for more than three days.

Each network printer will always receive the same IP address

You take the following actions:

Install the DHCP Server service on a Windows 2000 Server computer.

Create five scopes, each containing the address range for a specific subnet

In the DHCP console, set optional client configurations for each scope in the Scope Options container

Exclude the range of addresses in use by the servers

Exclude the range of addresses in use by the network printers.

Which result or results do these actions produce? (Choose all that apply)

A. The correct assignment of IP addresses to each client computer on each subnet is automated

B. Address conflicts between client computers and servers are prevented

C. Correct scope options are applied to each client computer on each subnet

D. Client computers that are not in use are prevented from keeping an IP address for more than three days

E. Each network printer always receives the same IP address

 

 

 

 

64. You are the administrator of your company's network. The network consists of 10 Windows 2000 Server computers, 100 Windows 2000 Professional computers, and 150 Windows NT Workstation computers. For workgroup collaboration and document sharing, all client computers have file and print sharing services enabled.

You are using DHCP to automate the TCP/IP configuration of all client computers

You want to accomplish the following goals

All client computers will be able to be located on the network by the network's fully qualified domain name.

A (host) records for all client computers will be automatically added to the DNS zone files.

PTR (pointer) records for reverse name lookup for all client computers will be automatically added to the DNS zone files

A records and PTR records will be automatically removed from the DNS zone files when the DHCP lease expires

You take the following actions

Configure the DHCP server to never update client information in DNS

Configure the DHCP server to discard forward lookups when the lease expires

Configure the DHCP scope to configure the domain name for all DHCP client computers

Which result or results do these actions produce? (Choose all that apply)

A. All client computers are able to be located on the network by the network's fully qualified domain name

B. A records for all client computers are automatically added to the DNS zone files

C. PTR records for reverse name lookup for all client computers are automatically added to the DNS zone files

D. A records and PTR records are automatically removed from the DNS zone files when the DHCP lease expires

 

 

 

 

65. You are the administrator of your company's network. The network consists of one Windows 2000 domain that has 10 Windows 2000 Server computers and 500 Windows 2000 Professional client computers.

You want all client computers to receive their TCP/IP configuration from DHCP. You install the DHCP Server service on one of your Windows 2000 Server computers and create and activate a scope of addresses.

Users report that they cannot connect to the network. You discover that none of the client computers are receiving TCP/IP configurations from DHCP.

What should you do to resolve this problem?

A. Stop and restart the DHCP Server service on the DHCP server

B. Restart all client computers

C. Authorize the DHCP server in Active Directory

D. Add a DNS host record for the DHCP server

 

 

 

 

66. You are the administrator of a Windows 2000 domain named contoso.com. The domain has a Windows 2000 member server computer named Ras1 and a Windows 2000-based DHCP Server computer named Dora.

Routing and Remote Access is enabled for remote access on Ras1. The network has two DNS servers that use IP addresses of 10.1.5.2 and 10.1.5.3

Ras1 is configured to use DHCP to assign IP addresses to the remote access client computers

The configuration of the scope options on the DHCP server is shown in the following window

[Exhibit: DHCP console showing server dora.contoso.com [10.1.5.1] with Scope [10.1.5.0] Net5 (Address Pool, Address Leases, Reservations) and Server Options; option 006 DNS Servers, vendor Standard, value 10.1.5.3, class None]

The DHCP scope does not have any client computer reservations

When remote access client computers dial in to Ras1, they receive an IP address from the DHCP scope range, but they do not receive the DNS address configured in the DHCP scope. Instead, the remote access client computers receive a DNS server address of 10.1.5.2

You want the remote access client computers to receive the DNS option from the DHCP server

How should you configure the network to accomplish this goal?

A. Configure the remote access client computers to enable DHCP on the dial-up connection

B. Configure Ras1 to use Windows Authentication.

C. Install and configure the DHCP Relay Agent routing protocol on the Internal interface of Ras1

D. On the DHCP server, configure the DNS scope option of 10.1.5.3 for the Default Routing and Remote Access user class

 

 

 

 

67. You want to implement four RRAS-policies. Click and place the four RRAS-policies in order of execution:

Domain Users - permit access between 07:00 and 17:00

Support Staff - permit access between 18:00 and 20:00

Domain Users - deny access between 17:00 and 07:00

Support Staff - deny access between 20:00 and 18:00.

D, C, B, & A

 

68. You are the administrator of a large network. At the moment you are using IP 207.200.16.0/24 for multicasting purposes. Your CEO wants to add 2.000 PC's to your network, and make sure the current subnet can deal with an extra 2.000 workstations. Should you:

 

A) add another subnet ranging from 207.200.17.0- 207.200.24.0,

B) add another subnet ranging from 207.200.33.0 - 207.200.48.0.

C) change the advertisement branch IP to 207.200.16.0/20

D) add another subnet ranging from 207.200.16.0/22 - 207.200.16.0/23

 

 

69. Your company has four branch offices Atlanta, Boston, New York and Dallas.

There is a multicast address used for videoconferences and the like to deliver content to all four sites. Atlanta and Boston are right beside each other connected by a router. There is a Sales videoconference held every Monday between Atlanta and Boston. How should you configure the router so that the Sales multicast videoconferencing does not get broadcasted to all four branches?

 

A) Configure TCP-filters on the router to block all multicast traffic.

B) Create a static route for the Sales multicast broadcast on the router.

 

 

70. You are the admin of a large network with a web server. Internal users complain that when they try to view a secure page, they get an error like

"The requested page cannot be displayed". You have to troubleshoot the problem.

A) Permit port 20 in your TCP-filter,

B) Permit port 21 in your TCP-filter,

C) Permit port 443 in your TCP-filter,

D) Change the file permissions for the HTTPS-page.

 

 

 

 

 

71. You are the admin of a large network consisting of four subnets: A, B, C and D. There are three workstations on every subnet. One workstation on Subnet B frequently uses resources from a machine on Subnet A; the other two workstations on subnet B use resources located in subnet C.

Should you:

A) Configure a DHCP-scope for the two machines on subnet B to use the router to connect to Subnet C.

B) Create a reservation for the one machine and specify a DHCP scope option to use the router to connect to Subnet A

C) Configure a static route on the router for the machine in Subnet B that gets its resources from Subnet A and add that under DHCP-scope options for that DHCP-address reservation

D) Configure a static route on the router for the machines in Subnet B that get their resources from Subnet C, and add that under DHCP-scope options for that DHCP-scope

72. You have a Windows 2000 Server with RRAS and the fax service. Your other remote office also has a Windows 2000 Server with RRAS. When you start to replicate some accounting files to the remote office, the replication fails.

How do you resolve this problem?

A. stop the FAX service.

B. enable Multilink

C. enable Internet Connecting Sharing

D. enable server as a Router.

Q192614

RRAS is not TAPI aware. To avoid interference with the functionality of other applications that use TAPI (such as the Fax service and the Modem Sharing service), any modems and devices configured for RRAS cannot be available for other services and vice versa.

While configuring RRAS in Control Panel/ Network/ Services, add only the devices explicitly installed for use with RRAS.

Any communication devices such as ISDN adapters, PPTP (VPNs), and any modems that need to be used with RRAS, should be on the Windows NT Hardware Compatibility List at a minimum, and ideally also on the SBS HCL.

If you are using modems for RRAS, set them to use the COM ports with the lowest numbers, in consecutive order.

The modems to be used for modem sharing and fax service should be on the SBS HCL for the two services to be able to use them. Select only the designated modems when you configure these services. Leave unchecked any that are designated for use with RRAS.

It is necessary to stop and restart the Fax and Modem Sharing services after you change the list of available modems for those services.

73. You want to use Network Monitor to analyze ISO and TP4 communication to MS Exchange Server. How? (Choose two)

A. change the Temporary Capture Directory.

B. Copy ISO.dll and TP4.dll to Netmon Subdirectory.

C. Copy ISO.dll and TP4.dll to Netmon\Parsers Subdirectory.

D. Modify the parser.ini.

E. Modify the Netmon.ini.

Q168862

Copy the Iso.dll, Iso.ini, Tp4.dll files to your NetMon\Parsers subdirectory. These files are located in the BackOffice Resource Kit.

Make following additions to your Parser.ini file. The Parser.ini file is located in the NetMon directory.

 

74. You are the admin of a large network consisting of four subnets: A, B, C and D. There are three workstations on every subnet. One workstation on Subnet B frequently uses resources from a machine on Subnet A; the other two workstations on subnet B use resources located in subnet C. Should you:

A) Configure a DHCP-scope for the two machines on subnet B to use the router to connect to Subnet C.

B) Create a reservation for the one machine and specify a DHCP scope option to use the router to connect to Subnet A

C) Configure a static route on the router for the machine in Subnet B that gets its resources from Subnet A and add that under DHCP-scope options for that DHCP-address reservation

D) Configure a static route on the router for the machines in Subnet B that get their resources from Subnet C, and add that under DHCP-scope options for that DHCP-scope

 

75. Your organization is using a CA to provide identification to users. You would like to assure customers of your identity while providing employees access to secure areas on your web server. What type of CA would you install?

a. install an enterprise CA on your server

b. install a subordinate enterprise CA on your server from a known commercial CA.

c. install a stand-alone CA on your server

d. install a stand-alone subordinate CA on your server from a known commercial CA.