Midterm 70-216

1. You are the administrator of a Windows 2000 network. The network consists of 30 Windows 2000 Professional computers and two Windows 2000 Server computers named Athens and Boston. Athens has a permanent cable modem connection to the Internet. All Windows 2000 Professional computers on the network are configured to use Automatic Private IP Addressing (APIPA). The network does not contain a DHCP server. To allow all Windows 2000 Professional computers on the network to access the Internet through the cable modem connection of Athens, you install and configure the network address translation (NAT) routing protocol on Athens. You decide to use IP addresses in the range of 192.168.40.1 through 192.168.40.50 for the network. Athens is configured to use an IP address of 192.168.40.1. Boston is a web server configured with an IP address of 192.168.40.2 and a default gateway of 192.168.40.1. Your Internet service provider has allocated two IP addresses, 207.46.179.16 and 207.46.179.17, to your network. The network is shown in the exhibit. You want to allow Internet users from outside your internal network to use an IP address of 207.46.179.17 to access the resources on Boston through the NAT service on Athens. How should you configure the network to accomplish this goal?

A. Configure Athens with a static route on the private interface of the NAT routing protocol. Use a destination address of 207.46.179.17, a network mask of 255.255.255.255, and a gateway of 192.168.40.2.
B. Configure Boston with a static route on the LAN interface. Use a destination address of 192.168.40.1, a network mask of 255.255.255.255, and a gateway of 207.46.179.17.
C. Configure the LAN interface of Boston to use multiple IP addresses. Assign the additional IP address of 207.46.179.17 to the interface.
D. Configure the public interface of the NAT routing protocol to use an address pool with a starting address of 207.46.179.16 and a mask of 255.255.255.254.
Reserve a public IP address of 207.46.179.17 for the private IP address of 192.168.40.2.

Answer: D

Explanation: Normal network address translation (NAT) allows outbound connections from a private network to the public network. Web browsers that run from a private network create connections to Internet resources. The return traffic from the Internet can cross the NAT because the connection was initiated from the private network. To allow Internet users to access resources on our private network, we must configure a static IP address configuration on the resource server, including an IP address from the range of IP addresses allocated by the NAT computer, a subnet mask also from the range of IP addresses allocated by the NAT computer, a default gateway (which is the private IP address of the NAT computer), and a DNS server. We must exclude the IP address being used by the resource computer from the range of IP addresses being allocated by the NAT computer. We must also configure a special port, which is a static mapping of a public address and port number to a private address and port number. A special port maps an inbound connection from an Internet user to a specific address on your private network. By using a special port, we can create a web server on our private network that is accessible from the Internet.

Incorrect Answers:
A: NAT does not use a static route to allow inbound connections; instead a special port is used to create a static mapping between a public address and the private address.
B: A special port, not a static route, is used to create a static mapping. The mapping must be made on the NAT computer, not on the computer with the local web server (not on Boston).
C: The local web server only requires one IP address, not two. An additional public IP address is needed to create the special port.

2. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named SrvA and 30 Windows 2000 Professional computers.
SrvA has a dial-up connection that connects to the Internet. All Windows 2000 Professional computers on the network are configured to use Automatic Private IP Addressing (APIPA). There is no DHCP server on the network. SrvA is configured to use an IP address of 192.16.80.1. Routing and Remote Access and all the ports on SrvA are enabled for demand-dial routing. The Network Address Translation (NAT) routing protocol is added. You want to allow all Windows 2000 Professional computers on the network to access the Internet through a translated demand-dial connection on SrvA. How should you configure the network? (Choose four)

A. Create a new demand-dial interface for the local area connection.
B. Create a new demand-dial interface for the dial-up connection.
C. Add a public and a private interface to the NAT routing protocol.
D. Configure the IP address of the Internet service provider (ISP) as the default gateway on the private interface.
E. Add a default static route that uses the public interface.
F. Configure the NAT routing protocol to enable network address translation assignment and name resolution.
G. Configure the public NAT interface with an address pool of 192.16.80.1.

Answer: B, C, E, F

Explanation: To configure the NAT server we must:
1. Install and enable the Routing and Remote Access service.
2. Configure the IP address of the home network interface. (The IP address of the LAN adapter that connects to the home network should be configured with an IP address of 192.168.0.1, a subnet mask of 255.255.255.0, and no default gateway.)
3. Enable routing on our dial-up port.
4. Create a demand-dial interface to connect to our ISP (B).
5. Create a default static route that uses the public Internet interface (E).
6. Add the NAT routing protocol.
7. Add the public Internet and the private home interface to the NAT routing protocol (C).
8. Enable network address translation addressing and name resolution (F).
Incorrect Answers:
A: The demand-dial interface must be put on the dial-up connection, not the local area connection.
D: On the private interface the default gateway (from the clients' point of view) is the NAT computer.
G: The address pool consists of public addresses. The ISP provides one or more public IP addresses. These addresses are added to the address pool. 192.16.80.1 is a private IP address, not a public one.

3. You are the administrator of your company’s network. You configure a Windows 2000 Server computer as the DNS server for your network. You create both standard primary forward lookup and reverse lookup zones. You discover that when you use the nslookup utility, you cannot resolve host names from IP addresses on your network. You also discover that when you run the Tracert.exe utility, you receive the following error message: “Unable to resolve target system name.” What should you do?

A. Configure the DNS server to forward requests to an external DNS server.
B. Install a WINS server and configure DHCP to issue the IP address of the WINS server to all DHCP clients.
C. Create PTR (pointer) records in your reverse lookup zone.
D. Copy systemroot\system32\dns\cache\samples\cache.dns to systemroot\system32\dns\cache\cache.dns.

Answer: C

Explanation: Tracert is a utility that checks the route to a remote system. Tracert needs to resolve host names to IP addresses and IP addresses to host names to function. If tracert does not work, a very likely cause is that the reverse lookup mechanism does not work. The nslookup command-line utility uses reverse lookup queries to report host names. A reverse lookup zone has been created, but either the reverse lookup zone is not activated or PTR records are missing from the reverse lookup zone.

Incorrect Answers:
A: WINS resolves NetBIOS names to IP addresses. WINS cannot solve the problem with the reverse lookup zone.
B: WINS resolves NetBIOS names to IP addresses. WINS cannot solve the problem with the reverse lookup zone.
D: Copying systemroot\system32\dns\cache\samples\cache.dns to systemroot\system32\dns\cache\cache.dns would replace the root hints, but it would not fix the problem with the reverse lookups.

5. You are the administrator of your company’s network. Your Windows 2000 Server computer named Srv2 cannot communicate with your UNIX server named Srv1. Srv2 can communicate with other computers on your network. You try to ping Srv1, but you receive the following error message: “Unknown host Srv1”. You create an A (host) record that has the correct name and IP address. However, when you try to ping Srv1 again, you receive the same error message. What should you do to resolve this problem?

A. Restart the DNS server.
B. Clear the DNS server cache.
C. Run the ipconfig /registerdns command on Srv2.
D. Run the ipconfig /flushdns command on Srv2.

Answer: D

Explanation: In this scenario there is a negative-cache entry in the DNS client resolver cache, which prevents communication with Srv1. The command ipconfig /flushdns can be used to remove all entries in the DNS client resolver cache and reset the DNS name cache. This will resolve the problem.

Incorrect Answers:
A: Restarting the DNS server will not reset the DNS client name cache.
B: The problem is at the client, not at the server. The DNS client cache, not the DNS server cache, needs to be cleared.
C: The ipconfig /registerdns command refreshes all DHCP address leases and registers all related DNS names configured and used by the client computer. It will not remove the negative cache entry in the DNS client cache.

6. You are the administrator of your company’s network. The network consists of one Windows 2000 domain. All servers and client computers are running Windows 2000. To facilitate name resolution and client access to resources on the servers, you have configured your DNS standard primary zone to include the addresses of all of your servers. You later add three new member servers to your network.
Users report that they can find these servers in the directory but cannot access these servers. You want to resolve this problem. What should you do?

A. Convert the DNS standard primary zone to an Active Directory-integrated zone.
B. Create SRV (service) records for each new server in the DNS zone.
C. Set the Allow Dynamic Updates setting for the DNS standard primary zone to Yes.
D. Set the Allow Dynamic Updates setting for the DNS standard primary zone to Only Secure Updates.

Answer: C

Explanation: The problem in this scenario is that the new servers are not allowed to dynamically register their own names in the DNS zone. The Windows 2000 DNS server supports dynamic updates, but the zone has to be configured to accept them. This can be configured from Administrative Tools by opening the DNS console, right-clicking the zone, selecting Properties, selecting the General tab, and enabling Allow dynamic updates.

Incorrect Answers:
A: It is not necessary to convert the standard primary zone to an Active Directory-integrated zone. Dynamic updates will allow the member servers to register in a standard primary zone.
B: The new servers are member servers and there is no mention of them providing any special services in the domain. It is not necessary to add SRV (service) records for them.
D: The DNS zone is a standard primary zone. The Only Secure Updates option only appears if the zone type is Active Directory-integrated.

7. You are the administrator of a Windows 2000 network that consists of three subnets. For load-balancing purposes, each web server on the network is configured to maintain exactly the same content as all the other web servers. You want to configure your DNS server to allow users to type a host name in their browser to connect to the web server that is on the same subnet. The host name that all users type will be identical regardless of the subnet they are on. How should you configure your DNS server?

A.
On the primary DNS server, create three A (host) records that map the same host name to the IP address of the web server on each subnet.
B. On the primary DNS server, create one A (host) record for the web server that is located on the same subnet as the DNS server. On the secondary DNS servers on the two remaining subnets, edit the zone file for the domain on each DNS server to include an A (host) record for the web server on each subnet.
C. On the primary DNS server, create three A (host) records that map a different host name to the IP address of the web server on each subnet.
D. On the primary DNS server, create one A (host) record for one web server and two CNAME (canonical name) records for the remaining two web servers.

Answer: A

Explanation: This is subnet prioritization: the same host name (A record) is mapped to three different IP addresses. If the resolver receives multiple A resource records from a DNS server, and some have IP addresses from networks to which the computer is directly connected, the resolver orders those resource records first. This reduces network traffic across subnets by forcing computers to connect to network resources that are closer to them.

Incorrect Answers:
B: The secondary DNS zone contains a read-only replica of the primary DNS zone. Therefore we should not make changes to the zone at the secondary DNS servers.
C: We want the users to use only one host name, not a different one on each subnet.
D: A canonical name (CNAME) record enables us to associate more than one host name with an IP address. This is sometimes referred to as aliasing. But we want the users to use the same host name, not different aliases of it.

8. You are the network administrator of Woodgrove Bank. Your network is configured as shown in the exhibit. Srv2 and Srv3 are configured as caching-only servers. Both servers forward requests to Srv1. Srv1 is configured as the primary server for the woodgrovebank.com domain.
Users on networks 10.107.2.0 and 10.107.3.0 frequently use an Internet application that gathers stock quotes from various servers in the woodgrovebank.com domain. You want to reduce DNS network traffic. What should you do?

A. Increase the Time to Live (TTL) for the SOA (start of authority) record on Srv1.
B. Decrease the Time to Live (TTL) for the SOA (start of authority) record on Srv2 and Srv3.
C. Set the Server Optimization option on Srv2 and Srv3 to Maximize data throughput for network applications.
D. Increase the forward time-out seconds on Srv2 and Srv3.

Answer: A

Explanation: The name server caches the query result for a specified amount of time; this is referred to as Time to Live (TTL). A longer TTL value will increase the time that records can be cached in the DNS caching-only servers, thus decreasing DNS network traffic. The drawback is the risk of DNS name inconsistencies. The SOA (start of authority) record indicates the starting point or original point of authority for information stored in a zone. The SOA record is stored at the primary DNS server, Srv1, not at Srv2 and Srv3.

Incorrect Answers:
B: The SOA record is stored at the primary DNS server, Srv1, not at Srv2 and Srv3.
C: The server optimization option “Maximize Throughput for Network Applications” is selected instead of the default “Maximize Throughput for File Sharing” to avoid excessive paging (due to a large file server cache) on servers that are used for network programs and services such as SQL Server. In this scenario we want to reduce DNS network traffic, not reduce paging.
D: The “Forward Time out” setting decides how long the DNS server, in this case Srv2 and Srv3, will repeatedly query the forwarder, in this case Srv1, until the “Forward Time Out” time is reached or it gets an answer. This setting will not decrease any DNS traffic.

9. You are the administrator of a Windows 2000 network. Your network has one primary internal DNS server and one primary external DNS server.
Your network has three secondary DNS servers that transfer zone information from the primary external DNS server. The secondary DNS servers are installed on two Windows 2000 Server computers and one Windows NT 4.0 computer. The primary external DNS server is used to host records for your company’s web and mail servers. It has only a limited number of resource records in its zone file. The web server and the mail server have static IP addresses. When you monitor the secondary DNS servers by using System Monitor, you notice a high number of hits when monitoring the counter DNS: Zone Transfer SOA Requests Sent. You want to minimize the bandwidth that is required for the traffic. What should you do? (Choose two)

A. Upgrade the Windows NT Server 4.0 computer that is hosting the secondary DNS server to a Windows 2000 Server computer.
B. Configure the notify list on the primary external DNS server to notify the secondary DNS servers when there are changes to be replicated.
C. Reconfigure the primary external DNS server so that it does not allow dynamic updates.
D. Increase the value of the refresh interval in the SOA (start of authority) record.
E. Decrease the value of the refresh interval in the SOA (start of authority) record.

Answer: B, D

Explanation: The value of the refresh interval in the SOA (start of authority) record, which has a default value of 15 minutes, decides how often the destination server should request to renew the zone. By increasing this value, fewer zone transfers would occur. However, the danger of increasing the refresh interval of the SOA is DNS inconsistencies in the network. Configuring the notify list on the external DNS server to notify the secondary servers will force changes to be transferred, thus avoiding inconsistencies.

Incorrect Answers:
A: Upgrading the Windows NT 4.0 secondary DNS server to Windows 2000 will not decrease network bandwidth requirements; they use the same kind of zone transfers.
By upgrading to Windows 2000 and changing the zone type to Active Directory-integrated, the bandwidth would decrease thanks to incremental zone transfers.
C: By disallowing dynamic updates on the external server we will prevent clients from registering themselves in DNS. This will, however, not decrease bandwidth.
E: By decreasing the refresh interval in the SOA, zone transfers would occur more frequently. It should be increased instead.

10. You are the network administrator for the branch office of a large company. Your network is connected to the company network by means of a Windows 2000 routing and remote access two-way demand-dial connection over ISDN. To reduce costs, the ISDN link should only be used once each day to transfer sales information to or from the main office. This transfer should occur during nonbusiness hours. You discover that several times a day an ISDN link is initiated between the networks. You analyze the traffic and discover that it is composed of router announcement broadcasts. Which actions should you take to prevent the link from being used during business hours? (Choose two)

A. Schedule the demand-dial interface to dial only during specific hours.
B. Schedule the demand-dial interface to accept only inbound connections during specified hours.
C. Create a demand-dial filter on the demand-dial interface.
D. Enable dynamic routing on the demand-dial interface.
E. Create a remote access policy to access the port used by router broadcasts.
F. Create a remote access policy to restrict access to only the specific users who transfer information across the link.

Answer: A, C

Explanation: Demand-dial filters control what traffic will initiate the demand-dial link. Filters can be set to permit or deny specific source or destination IP addresses, ports, or protocols. Further control is offered through the use of time-of-day restrictions.
Even though the demand-dial filter requirements are met, if the time of day is restricted by the configuration of dial-out hours, the router will not dial.

Reference: Windows 2000 Server documentation, Demand-dial routing design considerations

Incorrect Answers:
B: The demand-dial interface is only used for outbound traffic and cannot be configured to accept only inbound connections during specified hours.
D: We cannot use dynamic routing on demand-dial interfaces.
E: Remote access policies are used to determine whether to accept or reject connection attempts, not to specify ports.
F: In this scenario there is no requirement to restrict access to specific users. Instead use demand-dial filters and dial-out hours to restrict access.

11. You are the desktop administrator of your company. You are responsible for ensuring that your company’s Windows 2000 Professional client computers have connectivity to the network and the Internet. All client computers use DHCP for their TCP/IP configuration. The network administrators install a new T1 line and router for Internet access. This router must only be used by administrative staff. You want to configure the administrative staff’s client computers to use this new router. You want to ensure that nonadministrative staff users cannot gain access to the Internet through this router. You want to ensure that each targeted client computer will only need to be configured once. What should you do to achieve these goals?

A. At each administrative client computer, use the route add -f command to enter the new router information.
B. At each administrative client computer, use the route add -p command to enter the new router information.
C. Enable the Perform Router Discovery option in the scope options for DHCP.
D. Enter the new router’s address in the Router Solicitation Address option in the scope options for DHCP.

Answer: B

Explanation: By default, routes are not preserved when the computer is restarted.
However, by using the route add -p command to add the appropriate route at the administrative client computers, the route is made persistent, even across system reboots. Furthermore, by changing the default gateway, that is, entering the router information, the new router would be used by the client. These steps, which need to be done only once, will enable the client computers to gain Internet access through the new router.

Incorrect Answers:
A: The -f switch clears all routes, which is not desirable. We should instead make the routes persistent.
C: The Router Discovery option of DHCP is used to configure a default gateway (router). This setting would be applied to all computers, even the nonadministrative computers, which would allow ordinary users to access the Internet.
D: This setting would apply to all computers, which makes it impossible to give some users (administrators) Internet access while preventing other users from gaining access to the Internet.

12. You are the network administrator for a branch office of a large company. Your network is connected to the company network by means of a Windows 2000 routing and remote access two-way demand-dial connection over ISDN. In addition to e-mail and application traffic, sensitive company data is transferred across this connection. You want to accomplish the following goals:
• All data transmitted over the connection will be secured.
• Rogue routers will be prevented from exchanging router information with either router.
• Both routers in the connection will be able to validate each other.
• Both routers in the connection will maintain up-to-date routing tables.
• Traffic over the demand-dial link during peak business hours will be minimized.

You take the following actions:
• Install a certificate services server at the main office.
• Enable EAP-TLS as the authentication protocol on both routing and remote access servers.
• Enable RIP version 2 on the demand-dial interfaces.

Which result or results do these actions produce?
(Choose all that apply)

A. All data transmitted over the connection is secure.
B. Rogue routers are prevented from exchanging router information with either router.
C. Both routers in the connection are able to validate each other.
D. Both routers in the connection are maintaining up-to-date routing tables.
E. Traffic over the demand-dial link during peak business hours is minimized.

Answer: A, C, D

Explanation: We have enabled EAP-TLS as the authentication protocol on both routing and remote access servers. EAP (Extensible Authentication Protocol) supplies secure mutual authentication; therefore the routers would be able to validate each other in a secure way. EAP-Transport Level Security (EAP-TLS) supplies data encryption as well, which makes the transmitted data secure. We have enabled RIP version 2, which is used to keep the routing tables up to date by frequent broadcasts.

Incorrect Answers:
B: RIP version 2 is able to detect rogue routers, but we must enable this detection.
E: In order to minimize traffic during peak business hours we would have to configure a remote access policy.

13. You are the administrator of your company’s network. The network consists of two locations named East and West. Each location contains a Windows 2000 Server computer and 45 Windows 2000 Professional computers. The two servers are Windows 2000-based routers. The two routers are connected to each other, but both are connected to a third router named Central. The Central router is administered by a different company. Users in both locations want to provide multicast-based datacasting of information to the other location. You add the Internet Group Management Protocol (IGMP) to both servers. However, the Central router does not support multicast forwarding or routing. How should you configure the network to allow IP multicast traffic to pass between the East and West locations?

A. On both servers, create a static route. Use the IP address of the other server as the gateway.
B.
On both servers, assign the interface for the Central router to the IGMP routing protocol. Run these interfaces in IGMP proxy mode.
C. Create an IP-in-IP interface between the two servers. Assign the IP-in-IP interface to the IGMP routing protocol. Run the interface in IGMP proxy mode.
D. Add the RIP for IP routing protocol to both servers. Assign the interface for the Central router to the RIP routing protocol. Configure the servers to be unicast neighbors of each other.

Answer: C

Explanation: By creating an IP-in-IP interface between the two routers, assigning the IGMP routing protocol to the interface, and running the interface in IGMP proxy mode, the routers will have a multicast tunnel that works even though the Central router supports neither multicast routing nor forwarding.

Incorrect Answers:
A: The Central router does not support multicast forwarding; therefore IGMP proxy mode has to be used.
B: The Central router does not support multicast routing; therefore an IP-in-IP tunnel must be created.
D: The Central router does not support multicast routing; therefore an IP-in-IP tunnel must be created.

14. You are the administrator of a Windows 2000 network. The network contains a Windows 2000 Server computer named Dublin. Dublin has two network interfaces named SideA and SideB. Routing and Remote Access is enabled as a router on Dublin. Only the network segment connected to the SideA interface has a DHCP server. The DHCP server is a Windows 2000 Server named ServerA. You want to allow computers on the segment connected to the SideB interface to receive IP addresses from ServerA. How should you configure Dublin to accomplish this goal? (Choose all that apply)

A. Create an IP tunnel to connect the SideA interface to the SideB interface.
B. Create a static route to the IP address of the SideB interface.
C. Configure the DHCP Relay Agent routing protocol to run on the SideA interface.
D. Configure the DHCP Relay Agent routing protocol to run on the SideB interface.
E.
Configure the DHCP Relay Agent routing protocol to use the IP address of the DHCP server as the server address.
F. Configure the DHCP Relay Agent routing protocol to use the port number of the DHCP server.

Answer: D, E

Explanation: In this scenario the clients on SideB are not able to receive DHCP information from the DHCP server on SideA. In order to enable this, a DHCP relay agent must be configured on the SideB LAN interface on the router Dublin. This is done by adding the SideB interface to the DHCP Relay Agent IP routing protocol. The DHCP Relay Agent protocol must also be configured with the IP address of a DHCP server, in this case the IP address of ServerA.

Incorrect Answers:
A: IP tunnels are used between different computers, not between different LAN interfaces on a router.
B: A static route between the SideA and SideB interfaces will not enable communication between the clients on segment B and the DHCP server.
C: The DHCP Relay Agent routing protocol must be configured on the interface to the segment which has no DHCP server. It must thus be configured on the SideB interface, not the SideA interface.
F: The DHCP Relay Agent protocol must be configured with the IP address of a DHCP server, not the port number of the DHCP server.

16. You are the administrator of a Windows 2000 network for your company. The company has a main office in Atlanta and branch office locations in Boston, Chicago, and Dallas. The three branch office locations are connected to the Atlanta location by means of Windows 2000-based routers. All four locations have a Windows 2000-based DHCP server. Each Friday, the Atlanta location hosts a multicast video presentation that is broadcast to all four locations. The Atlanta location also frequently hosts multicast video presentations intended for the sales staff in the Atlanta and Boston locations only. You want to ensure that these sales staff multicast video presentations are not sent to the Chicago and Dallas locations.
You assign specific IP multicast addresses for use with the sales staff multicast video presentations. How should you configure the network to prevent the forwarding of the sales staff multicast video presentations to the Chicago and Dallas locations?

A. Configure a multicast scope boundary for the sales IP multicast addresses on the Chicago and Dallas interfaces of the Atlanta router.
B. Configure the DHCP servers to provide a multicast scope for the sales IP multicast addresses. At the Chicago and Dallas locations, configure the scope to use a Time to Live (TTL) of 0. At the Atlanta and Boston locations, use the default multicast TTL.
C. Configure the network connections to the Chicago and Dallas locations to use TCP/IP filtering. Do not permit network traffic that has IP multicast addresses.
D. On the central router, configure a static route for the sales IP multicast addresses. Use the router IP address at the Boston location as the gateway for this static route.

Answer: A

Explanation: Multicast boundaries are administrative barriers to the forwarding of IP multicast traffic. Without boundaries, an IP multicast router would forward all appropriate IP multicast traffic. In this scenario we want to prevent multicasting on the Chicago and Dallas interfaces of the Atlanta router. This can be accomplished by adding the sales multicast IP addresses as boundaries on these interfaces.

Incorrect Answers:
B: Multicast boundaries are configured in the RRAS console, not by configuring scopes in the DHCP console.
C: TCP/IP filtering cannot be used to prevent multicasting on particular interfaces. Multicast boundaries must be configured and used on those interfaces.
D: Multicast boundaries, not static routes, are used to prevent multicasting on specific router interfaces.

16. You are the administrator of a Windows 2000 network. Some of the members of your company’s graphics department use Macintosh computers and are not using Internet Explorer as their browser.
These users inform you that they cannot request a valid user certificate from your enterprise certificate authority. You want to make it possible for these users to request certificates by using web-based enrollment. What should you do?

A. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to Basic Authentication.
B. In the policy settings container in the CA console for your CA, add a new enrollment agent certificate.
C. Edit the ACL on the user certificate template to grant the graphics department users Enroll access.
D. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to Integrated Windows Authentication.

Answer: A

Explanation: IIS has four levels of authentication: anonymous access, which grants anyone access; basic authentication, which sends passwords over the connection in clear text; integrated Windows authentication, which uses Kerberos V5 and can only be used by Windows clients; and digest authentication, which is the best choice for publishing information on a server over the Internet and through firewalls. In this scenario there is a need to relax security so that the Macintosh users will be able to request certificates by using web-based enrollment. By setting the authentication type to Basic Authentication, most browsers will be able to connect to the IIS server.

Incorrect Answers:
B: A new enrollment agent certificate is not needed. The Windows users are able to use the current one, and so will the Macintosh users when the authentication type is changed to Basic Authentication.
C: It is not necessary to change the ACL on the user certificate template for the users in the graphics department. The Windows users in the graphics department have no problem with IIS.
D: Integrated Windows authentication uses Kerberos V5 or NTLM and is only supported by Internet Explorer running on Windows, so it would not help the Macintosh users.

17. You are the administrator of a Web server hosted on the Internet that is running on a Windows 2000 Server computer. Your company’s Web developers have developed applications that download ActiveX controls automatically to your customers’ browsers. You discover that the default security settings on your customers’ browsers are preventing the ActiveX controls from being downloaded automatically. You want to facilitate the downloading of ActiveX controls from your Web server to the Internet clients. What should you do? A. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for code signing. B. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web developers to request a certificate for trust list signing. C. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for trust list signing. D. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web developers to request a certificate for code signing. Answer: A Explanation: The ActiveX controls are downloaded by customers on the Internet, and their browsers only accept signed code whose certificate chains to a root that is already in the browser’s trust store. A subordinate CA whose parent is a commercial CA provides such a chain, and the Web developers then sign their ActiveX controls with code signing certificates issued by it. Incorrect Answers: B: An Enterprise Certificate Authority is trusted within the Windows domain, where Active Directory distributes its root certificate, but not by the customers’ browsers on the Internet, so controls signed under it would still be blocked. A chain to a commercial Certificate Authority is needed. C: Trust list signing is a mechanism for allowing an administrator to sign a certificate trust list (CTL), a collection of CAs to be trusted.
Trust list signing cannot be used to sign code, so it does not enable downloading of ActiveX controls. D: An Enterprise Certificate Authority is trusted within the Windows domain, not by the customers’ browsers on the Internet. A chain to a commercial Certificate Authority is needed.

18. You are the administrator of your company’s network. You are configuring your users’ portable computers to allow users to connect to the company network by using Routing and Remote Access. You test the portable computers on the LAN and verify that they can successfully connect to resources on the company network by name. When you test the connection through remote access, all the portable computers can successfully connect, but they cannot access files on the computers on different segments by using the computer name. What should you do to resolve the problem? A. Set the authentication method to Allow remote systems to connect without authentication. B. Enable the computer account for each portable computer. C. Change the computer name on each portable computer. D. Install the DHCP relay agent on the remote access server. Answer: D Explanation: The remote access clients receive an IP address from the remote access server, but the DHCP options in the scope (WINS and DNS server addresses, domain name) are only delivered when the clients’ DHCPINFORM messages reach the DHCP server. Installing the DHCP relay agent on the Routing and Remote Access server, bound to the interface that serves the remote access clients, forwards those messages. Without WINS or DNS server addresses the clients resolve names only by broadcast, which reaches the segment they dial into but not computers on other segments, which is exactly the symptom. Incorrect Answers: A: The clients already connect successfully, so authentication is not the problem; the missing name resolution options are. Allowing unauthenticated connections would also open the remote access server to anyone who dials it. B: It is not necessary to enable the computer accounts. The remote users already have access to the network. C: It is not necessary to rename the computers. The remote users already have access to the network.

19. You are the administrator of your company’s Routing and Remote Access servers.
Your company’s administrators are able to dial in to the company’s network to perform remote monitoring and administration. This remote monitoring and administration requires an excessive amount of network bandwidth. You want to allow only administrators to use multiple phone lines, and you want to limit all other users to a single phone line. You want to configure multiple phone-line network connections to adapt to changing bandwidth conditions. When the phone lines fall below 50 percent capacity, you want to reduce the number of phone lines utilized. You also want to allow all users the ability to connect to the network by Routing and Remote Access. No default remote access policies currently exist. What should you do? (Choose three) A. Create one remote access policy on the Routing and Remote Access server. B. Create two remote access policies on the Routing and Remote Access server. C. Allow Multilink. D. Decrease the maximum number of ports used by the Routing and Remote Access server. E. Select the Require Bandwidth Allocation Protocol (BAP) for the Dynamic Multilink Requests check box. F. Increase the maximum number of dial-up sessions Answer: B, C, E Explanation: In this scenario no remote access policy exists, and a Routing and Remote Access server with no policies rejects every connection attempt, so policies must be created. We need two remote access policies (RAPs): one whose conditions match the administrators and one that matches everyone else, with the administrators’ policy first in the evaluation order, since the first policy whose conditions match is the one applied. In the profile of the administrators’ policy, Multilink is allowed with more than one port, BAP is set to reduce the connection by one line when the lines fall below 50 percent for the configured period, and Require BAP for dynamic Multilink requests is selected; the profile of the users’ policy leaves Multilink at a single port. Multilink and BAP must also be enabled on the PPP tab of the server’s properties in the Routing and Remote Access console. Incorrect Answers: A: Two RAPs have to be created, not one: one for the administrators and another for the users. D: Decreasing the number of ports used on the Routing and Remote Access server would decrease the number of simultaneous connections. This is not in keeping with the requirements set out in this scenario. F: Multilink has to be enabled; the number of dial-up sessions does not have to be increased.
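The policy evaluation and Multilink/BAP behaviour from question 19, as an added example in Python (this is a model written for this page, not code from Windows 2000 or the exam). It shows why policy order matters when administrators are also ordinary users, why an empty policy list rejects everyone, what Require BAP does to a client that cannot negotiate it, and how the 50 percent line-drop rule plays out over utilisation samples. Group names, policy names, port counts and the utilisation figures are constructed for the example.

```python
"""Remote access policy evaluation with Multilink and BAP settings.

Added example, not from the exam page: a small model of how Windows 2000
Routing and Remote Access selects a policy for a dial-in attempt (first
match in policy order wins, no match means reject) and what the matched
profile then allows. Group and policy names and figures are made up.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Profile:
    allow_multilink: bool = False
    max_ports: int = 1
    require_bap: bool = False       # "Require BAP for dynamic Multilink requests"
    drop_below_percent: int = 50    # reduce by one line if usage falls below this ...
    drop_after_seconds: int = 120   # ... for at least this long


@dataclass(frozen=True)
class Policy:
    name: str
    windows_groups: FrozenSet[str]  # condition: caller is a member of any of these
    grant_access: bool
    profile: Profile


def match_policy(policies: List[Policy], user_groups, dialin: str = "policy") -> Optional[Profile]:
    """Order of checks: first policy whose conditions match, then the account's
    dial-in permission (allow / deny / control access through policy), then the
    policy's own grant or deny. With no policies at all every attempt is rejected."""
    for policy in policies:
        if not (policy.windows_groups & set(user_groups)):
            continue                # conditions not met, try the next policy
        if dialin == "deny":
            return None
        if dialin == "allow" or policy.grant_access:
            return policy.profile
        return None                 # access controlled through policy, and it denies
    return None                     # no policy matched (or none exists)


def negotiate_lines(profile: Profile, requested_lines: int, client_offers_bap: bool) -> int:
    """How many lines the server lets the caller bundle."""
    if not profile.allow_multilink:
        return 1
    if profile.require_bap and not client_offers_bap:
        return 1                    # Multilink refused without BAP; the call stays up on one line
    return max(1, min(requested_lines, profile.max_ports))


def bap_lines_after(profile: Profile, active_lines: int,
                    usage_percent: List[int], sample_seconds: int) -> int:
    """Apply the BAP line-drop rule to a series of utilisation samples."""
    low_for = 0
    for usage in usage_percent:
        low_for = low_for + sample_seconds if usage < profile.drop_below_percent else 0
        if active_lines > 1 and low_for >= profile.drop_after_seconds:
            active_lines -= 1       # BAP drops one line, then starts measuring again
            low_for = 0
    return active_lines


# Policy order matters: administrators are also Domain Users.
ADMIN_POLICY = Policy("Administrators multilink", frozenset({"Domain Admins"}), True,
                      Profile(allow_multilink=True, max_ports=2, require_bap=True))
USER_POLICY = Policy("All users single line", frozenset({"Domain Users"}), True, Profile())
POLICIES = [ADMIN_POLICY, USER_POLICY]
```

Swapping the two entries in POLICIES would give administrators the single-line profile, which is the mistake the evaluation order is meant to avoid.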
20. You are the administrator of your company’s network. Your company has branch offices in New York and Paris. Because each branch office will support its own Routing and Remote Access server, you implement a Remote Authentication Dial-In User Service (RADIUS) server to centralize administration. You remove the default remote access policy. You need to implement one company policy that requires all dial-up communications to use 40-bit encryption. You want to configure your network to require secure communications by using the least amount of administrative effort. What should you do? (Choose two) A. Create one remote access policy on each Routing and Remote Access server. B. Create one remote access policy on the RADIUS server. C. Set encryption to Basic in the remote access policy or policies. D. Set encryption to Strong in the remote access policy or policies. E. Enable the Secure Server IPSec policy on the RADIUS server. F. Enable the Server IPSec policy on the RADIUS server. Answer: B, C Explanation: Internet Authentication Service (IAS), Microsoft’s implementation of a RADIUS server, centralizes authentication, authorization and accounting for remote access. When the Routing and Remote Access servers are configured as RADIUS clients of the IAS server, remote access policies are stored and evaluated on the IAS server, so a single policy there covers both branch offices. The encryption levels in a remote access policy profile correspond to Microsoft Point-to-Point Encryption (MPPE, RC4-based) key sizes: Basic is 40-bit, Strong is 56-bit and Strongest is 128-bit. Strongest required the Windows 2000 High Encryption Pack, which for a time could not be exported outside North America. By current standards all three are weak and 40-bit in particular offers little real protection; it is chosen here only because the scenario requires it, typically for compatibility with older clients. Incorrect Answers: A: Only one remote access policy, on the RADIUS server, has to be created, not one on each Routing and Remote Access server. D: If encryption were set to Strong, 56-bit encryption would be required, which older Windows clients do not support. In this scenario 40-bit encryption is required.
E: By enabling the Secure Server (Require security) IPSec policy on the RADIUS server, every client that connects to it, including the Routing and Remote Access servers, would have to be IPSec-aware, which they are not in this scenario. IPSec between the RADIUS clients and server would in any case protect the RADIUS traffic, not the dial-up links the policy is about. F: Enabling the Server (Request security) IPSec policy on the RADIUS server would still allow unencrypted communication from clients that are not IPSec-aware, and again concerns the RADIUS traffic rather than dial-up encryption.

20. You are the administrator of your company’s network. You are configuring remote access services in your Windows 2000 domain to allow mobile users to access network resources. You want the inbound client connections to receive an IP address and the DHCP option configuration for the client computers. Users report that they cannot access network resources by using the server name or by searching Active Directory. You investigate and find that when you connect to the remote access server, your client computer is receiving its IP address configuration but none of the DHCP options. Internal client computers are not experiencing this problem. What should you do to resolve this problem? A. Enable IP routing in the remote access server’s Properties dialog box. B. Disable IP routing in the remote access server’s Properties dialog box. C. Configure a static address pool on the remote access server. D. Configure the remote access server to act as a DHCP Relay Agent. Answer: D Explanation: In this scenario the mobile users receive their IP configurations from the remote access server, but they do not receive any DHCP options. The remote access server obtains addresses from the DHCP server (in blocks of ten) on behalf of its clients but does not pass the scope options on to them; the clients request options themselves with DHCPINFORM messages, which only reach the DHCP server if a DHCP relay agent is configured on the remote access server. With the relay agent in place the DHCPINFORM messages are forwarded, the clients receive the Windows Internet Name Service (WINS) and Domain Name System (DNS) addresses, the domain name and the other DHCP options, and they can resolve server names and locate Active Directory again. Incorrect Answers: A: The mobile clients are able to connect to the remote access server.
Therefore this is not a communication problem, and enabling IP routing will not solve it. B: The mobile clients are able to connect to the remote access server. Therefore this is not a communication problem, and disabling IP routing will not solve it. C: The mobile clients receive the correct IP configurations from the remote access server. Therefore it is not necessary to create a static address pool on the remote access server; a static pool would not deliver DHCP options either.

21. You are the administrator of a Windows 2000 domain named contoso.com. The domain has a Windows 2000 member server computer named Ras1 and a Windows 2000-based DHCP server computer named Dora. Routing and Remote Access is enabled for remote access on Ras1. The network has two DNS servers that use IP addresses of 10.1.5.2 and 10.1.5.3. Ras1 is configured to use DHCP to assign IP addresses to the remote access client computers. The configuration of the scope options on the DHCP server is shown in the exhibit. The DHCP scope does not have any client computer reservations. When remote access client computers dial in to Ras1, they receive an IP address from the DHCP scope range, but they do not receive the DNS address configured in the DHCP scope. Instead, the remote access client computers receive a DNS server address of 10.1.5.2. You want the remote access client computers to receive the DNS option from the DHCP server. How should you configure the network to accomplish this goal? A. Configure the remote access client computers to enable DHCP on the dial-up connection. B. Configure Ras1 to use Windows authentication. C. Install and configure the DHCP relay agent routing protocol on the Internal interface of Ras1. D. On the DHCP server, configure the DNS scope option of 10.1.5.3 for the default routing and remote access user class. Answer: C Explanation: In this scenario the remote access clients receive an address from Dora’s scope, but for DNS they are handed 10.1.5.2, evidently the DNS server configured on Ras1’s own connection, instead of the 10.1.5.3 configured as the scope’s DNS option in the exhibit. A Windows 2000 remote access server passes its own DNS and WINS settings to its clients; scope options only reach the clients when their DHCPINFORM messages get through to the DHCP server, Dora. To enable this, the DHCP Relay Agent routing protocol must be installed on Ras1 and bound to the Internal interface (the interface that Routing and Remote Access creates for its remote access clients), and the relay agent must be configured with Dora’s IP address as the DHCP server. Incorrect Answers: A: Dial-up clients obtain their address through PPP (IPCP) negotiation with the remote access server, not by running a DHCP client over the link, so the client-side setting does not change which DNS server the remote access server hands out. B: This is a DHCP problem, not an authentication problem. The remote access clients can dial in, but they are configured with the wrong DNS server. D: The exhibit indicates that the DNS scope option of 10.1.5.3 has already been defined. Assigning it to the Default Routing and Remote Access Class as well would make no difference until the clients’ DHCPINFORM messages are relayed to Dora.

22. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Ras5. Routing and Remote Access is enabled for remote access on Ras5. The domain also has a Windows NT 4.0 member server computer named Ras4. Ras4 is running Remote Access Service (RAS). The domain is in mixed mode. Users in the domain use Windows 2000 Professional computers to dial in to the network through Ras4 or Ras5. However, Ras4 is not able to validate remote access credentials of domain accounts. How should you configure the network to enable the Windows NT 4.0 Ras4 member server computer to validate remote access domain users? A. Change the domain from mixed mode to native mode. B. Add the Ras4 computer account to the RAS and IAS Servers group. C. Add the Everyone group to the Pre-Windows 2000 Compatible Access group. D. Create a remote access policy that has the Ras4 computer account as a condition. Grant remote access permission if the condition matches the properties of the dial-in attempt.
Answer: C Explanation: Pre-Windows 2000 Compatible Access is a backward compatibility group whose members have read access to all users and groups in the domain. In this scenario the Windows NT 4.0 RAS server Ras4 needs to read the dial-in properties of the domain user accounts, which it does over an unauthenticated (null session) connection to a domain controller. This is allowed by adding the Everyone group to the Pre-Windows 2000 Compatible Access group. We can verify that the Everyone group is a member with the net localgroup "Pre-Windows 2000 Compatible Access" command on a domain controller. If it is not, we can issue the net localgroup "Pre-Windows 2000 Compatible Access" everyone /add command on a domain controller and then restart the domain controller. Note that because Everyone includes anonymous (null session) callers on Windows 2000, this setting lets anyone who can reach a domain controller enumerate users and groups and read their attributes; keep it only as long as pre-Windows 2000 servers such as Ras4 depend on it, and remove Everyone from the group once they are upgraded. Incorrect Answers: A: Changing to native mode is not required and would not address the problem. B: The RAS and IAS Servers group grants Windows 2000 remote access and IAS servers access to the dial-in properties of user accounts; a Windows NT 4.0 RAS server does not use this mechanism, so adding Ras4 to any group will not let it read the account properties. The Everyone group has to be added to the Pre-Windows 2000 Compatible Access group. D: Creating a new remote access policy will not enable the NT 4.0 RAS server to access the properties of the user accounts of the domain.

24. You are the administrator of your company’s network, which consists of a single subnet. It includes 50 Windows 2000 Professional computers and four Windows 2000 Server computers. One of these servers runs DNS. The DNS server is configured to allow dynamic updates. All client computers and servers are configured with static IP addresses and with the address of the DNS server. You add two UNIX database servers named DB1 and DB2 to the network. From your client computer, you can ping both servers by using their IP addresses. However, when you try to ping either server by name, you receive the following error message: "Unknown host". You need to ensure that you can ping DB1 and DB2 by name. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two) A. Add A (host) records to the DNS server for DB1 and DB2 B.
Add SRV (service) records to the DNS server for DB1 and DB2 C. Disable dynamic updates on the DNS server D. Run the ipconfig /flushdns command on your client computer E. Clear the DNS server cache Answer: A, D Explanation: To be able to ping a resource by name, a forward lookup must succeed. Forward lookups use host (A) records. The UNIX servers do not register themselves in the zone, so host records for the two database servers have to be added manually on the DNS server. Then the DNS client resolver cache has to be cleared, because the failed lookups have left negative cache entries that the client keeps returning until they expire. The command ipconfig /flushdns removes all entries and resets the DNS client resolver cache. Incorrect Answers: B: SRV (service) records advertise services such as LDAP and Kerberos for the domain; the new servers are database servers and do not need SRV records to be resolved by name. C: Disabling dynamic updates on the DNS server would prevent Windows 2000 computers from registering themselves in the DNS zone and would not help in registering the two UNIX servers, which do not register dynamically in any case. E: The DNS client resolver cache, not the DNS server cache, has to be cleared; the server is authoritative for the zone and simply answered that the names did not exist.

25. You are the administrator of your company’s network, which consists of a single Windows 2000 domain. The network includes two subnets. Each one has its own domain controller. Subnet1 includes a Windows 2000 server named DNS1, which is configured with a standard primary zone. Subnet2 includes a UNIX server named DNS2, which is configured with a secondary DNS zone. DNS2 successfully accepts zone transfers from DNS1. All client computers on your network are DHCP clients. The DHCP server is configured to issue the IP addresses of DNS1 and DNS2 to client computers for name resolution. Users report that they sometimes cannot log on to the domain or perform LDAP searches of the directory. You discover that this problem occurs only when DNS1 is taken offline for maintenance. Users report no other problems accessing resources on the network.
You need to ensure that users can log on to the domain and search the directory even when DNS1 is unavailable. What should you do? A. Configure DNS1 to allow BIND secondary servers B. Configure DNS1 to allow zone transfers to any DNS server C. Install Kerberos V5 client software on DNS2 D. Upgrade the DNS server software on DNS2 with a BIND 8.2 compatible implementation Answer: D Explanation: In this scenario the users cannot log on or perform LDAP searches when only the UNIX DNS server is online. This is because the UNIX DNS server runs an older BIND version that does not support service (SRV) resource records. To support SRV records and dynamic update, Berkeley Internet Name Domain (BIND) 8.2 or later should be used on UNIX DNS servers in a Windows 2000 domain. Clients in a Windows 2000 network look up SRV records in DNS to locate Active Directory and its services, in particular the logon service: when a Windows 2000 client logs on, it queries DNS for the SRV records (_ldap._tcp.dc._msdcs.<domain>) that name the domain controllers of the logon domain, and then uses one of the returned domain controllers to log on to the Active Directory domain. Ordinary host name lookups work against DNS2, which is why no other problems are reported. Incorrect Answers: A: BIND secondaries determines whether the fast (several records per message) zone transfer format is used when transferring a zone to DNS servers running legacy BIND implementations. But the problem at hand is not with zone transfers; it concerns logon and LDAP searches. B: This is not a zone transfer problem. Users are able to use DNS2 for name resolution when DNS1 is offline. The problem is that they cannot log on to the domain or perform LDAP searches of the directory when DNS1 is offline. C: Installing Kerberos V5 client software on DNS2 would let that UNIX host use Kerberos itself; it does not make its DNS server answer SRV queries. The UNIX DNS server has to be upgraded to BIND 8.2 or later.
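The domain controller lookup from question 25 above, as an added example in Python (written for this page; it is not Windows 2000’s locator code). A client asks DNS for the _ldap._tcp.dc._msdcs.<domain> SRV records, orders them by priority and weight as RFC 2782 prescribes, and resolves the chosen target’s A record; the same query against a view of the zone with the SRV records stripped, which is what an old BIND secondary effectively serves, finds no domain controller even though plain host lookups still work. The zone, contoso.com and the host names and addresses in it are constructed for the example.

```python
"""Locating a domain controller through SRV records (RFC 2782 selection).

Added example, not from the exam page. The in-memory zone below stands in
for DNS; contoso.com, the host names and the addresses are placeholders.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# name -> list of (record type, rdata). The SRV records are what a legacy
# secondary that only understands A/PTR/NS/SOA/CNAME/MX records cannot serve.
ZONE: Dict[str, List[Tuple[str, object]]] = {
    "_ldap._tcp.dc._msdcs.contoso.com": [
        ("SRV", SRV(0, 100, 389, "dc1.contoso.com")),
        ("SRV", SRV(10, 100, 389, "dc2.contoso.com")),  # backup: higher priority value
    ],
    "dc1.contoso.com": [("A", "10.1.5.10")],
    "dc2.contoso.com": [("A", "10.2.5.10")],
    "dns1.contoso.com": [("A", "10.1.5.2")],
}


def query(zone: dict, name: str, rtype: str) -> list:
    """Answer for one name and record type (empty list = no such records)."""
    return [rdata for t, rdata in zone.get(name, []) if t == rtype]


def rfc2782_order(records: List[SRV], rng: random.Random) -> List[SRV]:
    """Lowest priority first; within a priority, weighted random selection,
    with weight-0 entries placed first so they are picked least often."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == priority),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(i))
                    break
    return ordered


def locate_dc(zone: dict, domain: str, rng: Optional[random.Random] = None):
    """Return (host, ip, port) of the chosen DC, or None when DNS gives no
    usable SRV answer, which is what a client sees with only DNS2 reachable."""
    rng = rng or random.Random()
    srvs = query(zone, f"_ldap._tcp.dc._msdcs.{domain}", "SRV")
    for rec in rfc2782_order(srvs, rng):
        addrs = query(zone, rec.target, "A")
        if addrs:                           # skip targets that cannot be resolved
            return rec.target, addrs[0], rec.port
    return None


def legacy_secondary_view(zone: dict, supported=("A", "PTR", "NS", "SOA", "CNAME", "MX")) -> dict:
    """The zone as served by a secondary that does not understand SRV records."""
    return {name: [(t, r) for t, r in rrs if t in supported] for name, rrs in zone.items()}
```

The weighted selection is what makes SRV more than a host list: operators can steer clients to the nearer or larger domain controller by weight while keeping a backup at a higher priority value, and a server that drops the record type silently removes that whole mechanism.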
26. You are the administrator of your company’s network, which consists of a single site. The network contains 200 computers running Windows 2000 Server and 9,000 computers running Windows 2000 Professional. Every morning, an additional 5,000 manufacturing computers are brought online by using Wake-On-LAN, 15 minutes before the production day begins. All client computers use DHCP for automatic IP addressing. All servers use static IP addressing. One server runs WINS. You install a second WINS server on one of your existing domain controllers. You configure DHCP so that one-half of the client computers use the new WINS server as their primary WINS server. The other half use the original WINS server as their primary WINS server. You configure both WINS servers to use the automatic partner configuration. After the installation, you notice a large number of rejected name registrations in the event log and an increase in network traffic; you also notice a decrease in system performance on the new WINS server. You want to improve the performance of the new WINS server. What should you do? A. Configure the WINS servers as push partners with each other B. Configure the WINS servers as pull partners with each other C. Change the burst handling setting on the new WINS server to High D. Disable burst handling on the new WINS server Answer: C Explanation: Windows 2000 WINS servers can handle high-impact periods, such as the 5,000 manufacturing computers coming online every morning in this scenario, with burst handling. Burst handling is enabled by default at the Medium setting; the other settings are Low, High and Custom, which set the number of registration requests the server queues before it switches to burst mode (300, 500 and 1,000 for Low, Medium and High). In burst mode the server answers further registration requests immediately with a positive response and a short Time to Live (TTL) without writing them to the database, so the client re-registers when the TTL expires, by which time the load has normally fallen. Setting burst handling to High raises the burst queue size, allowing the new server to cope with the larger registration load instead of rejecting registrations. Incorrect Answers: A: This is not a WINS replication problem; it is a WINS registration problem during periods of high-impact registration load.
B: With automatic partner configuration the WINS servers already replicate with each other as push and pull partners; replication is not the problem. D: By disabling burst handling the new WINS server would have to process every registration in full during high-impact periods, and its performance would suffer further.

27. You are the administrator of your company’s network, which consists of a single Windows 2000 domain. The network includes 10 Windows 2000 Server computers and two NetWare 4.1 servers. The Windows 2000 Server computers have static IP addresses and use TCP/IP as their only transport protocol. All client computers run Windows 2000 Professional and use both TCP/IP and IPX/SPX as transport protocols. All client computers are DHCP clients. You add 50 new client computers to your network. All run Windows 2000 Professional. Many users now report that they experience intermittent connection failures. Connectivity to the NetWare servers remains unaffected, and workgroup resources remain accessible. You inspect the TCP/IP configuration of a client computer that is currently experiencing a connection failure. You discover that this computer uses the IP address 0.0.0.0. How should you correct the connectivity problem? A. Decrease the lease duration on the DHCP scope to three days B. Add a sufficient number of new addresses to the DHCP scope to accommodate the new client computers C. Create a new scope on the DHCP server to include the new client computers D. Add reservations in the DHCP scope for all client computers Answer: B Explanation: The IP address 0.0.0.0 on the client indicates that the DHCP server was not able to give it an IP address. The most likely cause is that the DHCP server has simply run out of free IP addresses: 50 clients were added to the network, so the DHCP scope must be increased accordingly. NetWare connectivity survives because it runs over IPX/SPX, which does not depend on DHCP. Incorrect Answers: A: The default lease duration is 8 days.
By decreasing the lease duration to 3 days there might be some improvement in IP address availability, since addresses of computers that have left the network are returned sooner, but it would not solve the problem in general, and specifically not when the client computers are used concurrently. C: It is not necessary to create a new scope. The current scope can be extended. D: Adding reservations for all client computers would not increase the number of available IP addresses.

28. You are the administrator of your company’s network, which consists of a single Windows 2000 domain. The network includes three Windows 2000 domain controllers. All three have the DNS Server service installed. Each DNS server hosts an Active Directory integrated zone and requires secure dynamic updates. The network contains 200 client computers running Windows NT Workstation 4.0. All 200 have static IP addresses and static A (host) records in the DNS zone file. You upgrade the client computers to Windows 2000 Professional and configure them as DHCP clients. Your DHCP server is configured to always update client records in DNS. After the upgrade, users report that they cannot access certain workgroup resources on the network. When you examine the DNS zone, you discover that the A records of your client computers are not being updated. You need to ensure that the DHCP server updates the A records in the DNS zone. You must accomplish this goal with the least possible disruption to client computers. What should you do? A. On the DNS zone file, run DnsCmd.exe with the /AgeAllRecords option B. On the DNS zone file, run DnsCmd.exe with the /StartScavenging option C. Delete the A records of your client computers from the DNS zone file. Run the ipconfig /registerdns command on the client computers D. Delete the A records of your client computers from the DNS zone file. Run the Reconcile Scope command in the DHCP console to refresh the records in the DNS zone.
Answer: A Explanation: Previous versions of Microsoft operating systems that do not support dynamic Domain Name System (DNS) needed a static DNS entry, so the Windows NT workstations were given static A records. When such a computer is upgraded to Windows 2000 and the DNS server is Windows 2000, the IP address may stay the same, but the A record remains a static record, while the PTR record is converted to a dynamic entry and becomes subject to the aging process. The Windows 2000 dynamic DNS client does not overwrite an existing A record, and a static record is never aged out, so the records are never updated. To convert the static entries to dynamic, aged entries that the DHCP server can then update, we use the /AgeAllRecords option of Dnscmd.exe on the zone. Reference: Windows 2000 documentation, Understanding aging and scavenging. Incorrect Answers: B: The scavenging process removes stale dynamic records from the DNS zone. It will not remove the old A (host) records in this scenario since they are static; these records must first be converted to dynamic entries. C: Manually deleting all A (host) records for the client computers and then running a command on every client is a daunting administrative task and disrupts the clients. It is better to use the /AgeAllRecords option of Dnscmd.exe. D: Deleting all A (host) records for the client computers requires administrative effort, and reconciling the scope only repairs the DHCP database by recreating entries for existing leases; it does not register DNS records.

29. You are the administrator of your company’s network. The network consists of 10 Windows 2000 Server computers, 100 Windows 2000 Professional computers, and 150 Windows NT Workstation computers. For workgroup collaboration and document sharing, all client computers have file and print sharing services enabled. You are using DHCP to automate the TCP/IP configuration of all client computers. You want to accomplish the following goals: • All client computers will be able to be located on the network by the network’s fully qualified domain name.
• A (host) records for all client computers will be automatically added to the DNS zone files. • PTR (pointer) records for reverse name lookup for all client computers will be automatically added to the DNS zone files. • A records and PTR records will be automatically removed from the DNS zone files when the DHCP lease expires. You take the following actions: • Configure the DHCP server to always update client computer information in DNS. • Configure the DHCP server to discard forward lookups when the lease expires. • Configure the DHCP server to update DNS for client computers that do not support dynamic updates. • Configure the DHCP scope to configure the domain name for all DHCP client computers. Which result or results do these actions produce? (Choose all that apply) A. All client computers are able to be located on the network by the network’s fully qualified domain name. B. A records for all client computers are automatically added to the DNS zone files. C. PTR records for reverse name lookup for all client computers are automatically added to the DNS zone files. D. A records and PTR records are automatically removed from the DNS zone files when the DHCP lease expires. Answer: A, B, C, D Explanation: If the DHCP server is configured to always update forward and reverse lookups, it registers both A and PTR resource records itself regardless of what the DHCP client requests, and with updates enabled for clients that do not support dynamic update it also does so for the Windows NT Workstation computers, which cannot register themselves. Because the scope supplies the domain name, every client’s full name is in the zone, so all clients, the Windows NT ones included, can be located by their fully qualified domain name. In a dynamic DNS (DDNS) and DHCP environment like this one, where the DHCP server owns the records it registered, the DHCP service removes both the A and PTR records from the zone when the lease expires, as the discard forward lookups setting directs.

32. You are the administrator of your company’s network. The network consists of 10 Windows 2000 Server computers, 100 Windows 2000 Professional computers, and 150 Windows NT Workstation computers.
For workgroup collaboration and document sharing, all client computers have file and print sharing services enabled. You are using DHCP to automate the TCP/IP configuration of all client computers. You want to accomplish the following goals: • All client computers will be able to be located on the network by the network’s fully qualified domain name. • A (host) records for all client computers will be automatically added to the DNS zone files. • PTR (pointer) records for reverse name lookup for all client computers will be automatically added to the DNS zone files. • A records and PTR records will be automatically removed from the DNS zone files when the DHCP lease expires. You take the following actions: • Configure the DHCP server to never update client information in DNS. • Configure the DHCP server to discard forward lookups when the lease expires. • Configure the DHCP scope to configure the domain name for all DHCP client computers. Which result or results do these actions produce? (Choose all that apply) A. All client computers are able to be located on the network by the network’s fully qualified domain name. B. A records for all client computers are automatically added to the DNS zone files. C. PTR records for reverse name lookup for all client computers are automatically added to the DNS zone files. D. A records and PTR records are automatically removed from the DNS zone files when the DHCP lease expires. Answer: D Explanation: In a dynamic DNS (DDNS) and DHCP environment like this one, the DHCP service cleans up both the A records and PTR records in the zone when the lease expires, as the discard forward lookups setting directs. Incorrect Answers: A: Windows NT 4.0 does not support dynamic DNS, so Windows NT clients cannot register themselves, and the DHCP server is configured never to update client information in DNS. Therefore no A (host) or PTR (pointer) records are added for the 150 Windows NT clients, and they cannot be located by their domain names; the goal, which covers all client computers, is not met.
B: The DHCP server is configured never to update client information in DNS, and the Windows NT clients cannot register themselves, so A (host) records are not added for all client computers. C: For the same reason PTR (pointer) records are not added for the Windows NT clients.

33. You are the administrator of your company’s network. The network consists of five subnets that are connected by a BOOTP relay-enabled router. There are 50 Windows 2000 Server computers and 1,000 Windows 2000 Professional client computers distributed approximately evenly across the five subnets. There are also 25 UNIX servers and 100 DHCP-enabled network printers on the network. You want to accomplish the following goals: • The correct assignment of IP addresses to each client computer on each subnet will be automated. • Address conflicts between client computers and servers will be prevented. • Correct scope options will be applied to each client computer on each subnet. • Client computers that are not in use will be prevented from keeping an IP address for more than three days. • Each network printer will always receive the same IP address. You take the following actions: • Install the DHCP Server service on a Windows 2000 Server computer. • Create five scopes, each containing the address range for a specific subnet. • In the DHCP console, set optional client configurations for each scope in the Scope Options container. • Exclude the range of addresses in use by the servers. • Exclude the range of addresses in use by the network printers. Which result or results do these actions produce? (Choose all that apply) A. The correct assignment of IP addresses to each client computer on each subnet is automated. B. Address conflicts between client computers and servers are prevented. C. Correct scope options are applied to each client computer on each subnet. D. Client computers that are not in use are prevented from keeping an IP address for more than three days. E.
Each network printer always receives the same IP address Answer: A, B, C Explanation: The DHCP Server service is installed. Five scopes have been created, each containing the address range for a specific subnet’. This ensures an automated assignment of IP addresses and scope options to every client computer on the five subnets. By excluding the range of addresses used by the servers no address conflicts between client computers and servers will occur. Incorrect Answers: D: The DHCP lease duration has not been configured. Furthermore, the default DHCP lease duration is 8 days, not 3 days. E: The printers have been excluded from the Scope range. This will not, by itself, configure the IP address for the printers. Reservations for the printers should be added. 33. You are the administrator of a Windows 2000 network. The network consists of two Windows 2000 Server computers named Atlanta and Orlando and 350 Windows 2000 Professional computers. Orlando is a DHCP Server. The DHCP Server provides the TCP/IP configuration of all the Windows 2000 Professional computers. Atlanta and Orlando have IP Addresses that are manually configured. Atlanta frequently hosts multicast-based video and audio conferences. You want to dynamically allocate multicast addresses. How should you configure the network? A. On the DHCP Server, create and activate a scope that it has range of Class D addresses. B. On Atlanta, configure Routing and Remote Access to enable the IGMP routing protocol in Proxy mode on the LAN interface. C. On the Windows 2000 Professional computers, enable router discovery. D. On the Windows 2000 Professional computers, add a route for network destination 224.0.0.0 and mask 224.0.0.0. Answer: A Explanation: To dynamically allocate multicast addresses we require a DHCP server with a scope for the multicast addresses. The class D addresses range from 224.0.0.0 to 239.255.255.255. 
These addresses are used for multicasting, in which datagrams flow to a group of recipients instead of to a single recipient (unicasting). Multicasting has applications in streaming audio and video transmission. Incorrect Answers: B: The IGMP routing protocol in Proxy mode is only used when there is router not supporting multicast routing. In this scenario the two routers communicate directly with each other and there are no routers in between. C: Windows 2000 supports router discovery as a host and router. This is not configured at clients. To dynamically allocate multicast addresses the DHCP server is used. D: To dynamically allocate multicast IP addresses you configure a scope at the DHCP server, not by configuring a route on the client computers. 34. You are the administrator of your company’s network. The network consists of one Windows 2000 domain that has 10 Windows 2000 Server computers and 500 Windows 2000 Professional client computers. You want all client computers to receive their TCP/IP configuration from DHCP. You install the DHCP Server service on one of your Windows 2000 Server computers and create and activate a scope of addresses. Users report that they cannot connect to the network. You discover that none of the client computers are receiving TCP/IP configurations from DHCP. What should you do to resolve this problem? A. Stop and restart the DHCP Server service on the DHCP server B. Restart all client computers C. Authorize the DHCP server in Active Directory D. Add a DNS host record for the DHCP server Answer: C Explanation: Before DHCP servers are allowed to run in a Windows 2000 domain they need to be authorized in the Active Directory of the domain. This is done by opening the DHCP Server Console, right-click DHCP, select Manage authorized servers, select Authorize, and type name or IP address of the DHCP server to be authorized. Incorrect Answers: A: The DHCP Server service cannot be started until it is authorized in the Active Directory. 
B: No user can connect to the network, so restarting the clients will not help. The DHCP Server must be authorized. D: The client computers broadcast to initiate communication with the DHCP server. Then they are able to communicate by the IP address of the DHCP server. The name of the DHCP server is not needed. Q.37 You are the enterprise administrator of a Windows 2000 domain. The domain has three Windows 2000 Server computers named Athens, Barcelona and Cairo, and 90 Windows 2000 Professional computers. Your network consists of three segments connected by a router. Each segment contains one of the servers. The 90 Windows 2000 Professional computers are evenly distributed over the three subnets. Athens is a DHCP server. The TCP/IP configuration of all the Windows 2000 Professional computers on the three segments is provided by the Athens DHCP server. The DHCP server has three scopes, one for each segment. The lease time for all these scopes is eight days. For performance reasons you want to move the DHCP server service from Athens to Barcelona. You take the following actions: • On Athens, stop and disable the DHCP server service. • On Barcelona, install, authorize, and stop the DHCP server service. • Copy the entire system root\system32\dhcp folder from Athens to Barcelona. You want to configure Barcelona to use the scope information and the leased addresses currently in use by the Windows 2000 Professional computers. What should you do next on Barcelona? (Choose Two) A. Enable DHCP relay agent. Use a boot threshold of 0 seconds. B. Use the jet pack utility to manually repair the DHCP database. C. Use the Regedt32.exe registry editor to restore the DHCP registry configuration from the systemroot\system32 \Dhcp \backup location. D. Copy the system root\system32\DHCP\jSO.chk file to the Dhcp.mdb file. E. Start the DHCP server and reconcile all scopes. F. Start the DHCP server and create a new superscope that contains the three original scope ranges. 
Answer: C, E Explanation: To move the DHCP Database we must first stop the DHCP service on the old server, back up the Registry key HKLM\SOFTWARE\Microsoft\DhcpServer\Configuration, and install DCHP on the new server. We must then stop the DHCP service on the new server and restore the Registry key from the old server onto the new server. Then we must delete the contents of C:\WINNT\System32\DHCP on the new server, copy the database file DHCP.MDB from the old server onto the new server but not the transaction logging (*.LOG) and checkpoint (*.CHK) files and start the DHCP Service on the new server. Finally we must reconcile all scopes on the new server to synchronize the database with the Registry. Incorrect Answers: A: A DHCP relay agent is not needed to install and configure the new DHCP Server. B: It is not necessary to repair the DHCP database when it is moved. D: The DHCP.MDB file should simply be copied from the old to the new server. Copying the system root\system32\DHCP\jSO.chk file to the Dhcp.mdb file is incorrect. F: It is not necessary to create a superscope, instead all scopes should be reconciled on the new server. 34. You are configuring a Windows 2000 Professional computer as a client computer in your company’s network. The servers in the network consist of a mix of Windows 2000 Server computers, Windows NT 4.0 computers, and NetWare 3.11 and 4.1 servers. You install and configure both TCP/IP and NWLink IPXISPX on the Windows 2000 Professional computer. You also install the client software for both Microsoft and NetWare networks. When you attach the computer to the network, you can communicate with all of the Windows-based servers and the NetWare 4.1 servers, but you cannot see the NetWare 3.11 servers in My Network Places. You also cannot map drives by using either Microsoft-specific or NetWare-specific commands. What should you do to correct this problem? A. 
Edit the NetworkNumber value in the registry to specify the network number for the NetWare 3.11 servers. B. Edit the NetworkNumber value in the registry to specify the network number for the NetWare 4.1 servers. C. Edit the NetworkNumber value in the registry to specify the network number for both the NetWare 3.11 and 4.1 servers. D. Edit the PktType value in the registry to include the hexadecimal value for the 802.2 frame type. E. Edit the PktType value in the registry to include the hexadecimal value for the 802.3 frame type. F. Edit the PktType value in the registry to include the hexadecimal value for both the 802.2 and 802.3 frame types. Answer: F Explanation: NetWare 3.11 uses the 802.3 frame type. Netware 3.12 and above uses the 802.2 frame type. This network has both NetWare 3.11 and NetWare 3.1 servers, so both Frame Types must be installed. Installation of multiple frame types on a Windows 2000 Professional requires editing of the Registry, specifically add both types to the multi-string value PktType in HKLM\SYSTEM\CurrentControlSet\Services\NwlnkIPX\Parameters\Adapters\, where is the network adapter identifier. Incorrect Answers: A: Network numbers values denote a network segment. There is no specific network segment for NetWare 3.11 servers. B: Network numbers values denote a network segment. There is no specific network segment for NetWare 4.1 servers. C: Network numbers values denote a network segment. There is no specific network segment for NetWare 3.11 orNetWare4.1 servers. D: The 802.3 frame type must be added as well since there are Netware 3.11 servers on the network. E: The 802.2 frame type must be added as well since there are Netware 4.1 servers on the network. 39. You are the administrator of your company’s network. Your web server is configured to run a third- party Web application for users on your network. Another network administrator in your company has recently made some configuration changes to secure the server. 
Users report that each time they try to connect to a secure web server, they receive the following error message, “Web page requested is not available”. Users have no problem connecting to FTP, and you have verified that the web service has started. You want to discover why users are receiving the error message. What should you do to diagnose the problem? A. Verify that port 21 and port 20 are permitted in your TCP/IP filter. B. Verify that port 443 is permitted in your TCP/IP filter. C. Verify that the connect NTFS file permissions are on the Web pages. D. Verify that the port 80 is permitted in your TCP/IP filter. Answer: B Explanation: Port 443 is used for secure web traffic (HTTPS). Therefore TCP/IP should permit this port. Incorrect Answers: A: Port 20 and port 21 are used for FTP traffic. C: This is not a permission problem, the web page that was requested was not available. D: Port 80 is the HTTP protocol. HTTPS, secure web server, is port 443. 40. You are the administrator of a Windows 2000 network. You need to assign network ID numbers and host addresses to the computers in one of your company’s branch offices. A single route to the branch office is advertised as 192.168.16.0/21. The branch office has 150 computers on a single subnet of 192.168.16.0/24. However, the company wants to be able to add up to another 2,000 computers to the branch office. You want to be able to accommodate all computers in the branch office, while also taking advantage of route summarization. Which steps should you take to achieve this goal? (Choose all that apply) A. In the branch office, add another route advertised as 192.168.32.0/22. B. In the branch office, add additional network numbers ID numbers 192.168.33.0/24 — 192. 168.39.0/24. C. In the branch office, add additional network ID numbers 192.168.17.0/24 — 192.168.23.0/24. D. In the branch office, add additional network ID numbers 192.168.24.0/24 — 192.168.31.0/24. E. 
Change the advertisement to the branch office to 192.168.16.0/20 Answer: D, E Explanation: In this scenario there are 150 computers at the branch office now, but up to 2000 computers could be added in the future. To accommodate for all clients 12 bits will be needed for the clients (2**12=4096). A network mask of 20 bits (32 minus the 12 hosts bits) or less is acceptable. The 192.168.16.0/20 TCP/IP configuration could be used. This range could be used to add 8 additional network ID numbers 192.168.24.0/24 - 192.168.31.0/24. This range is subnetted within 192.168.16.0/20 - or 192.168.16.0/20 is a supernet of the 192.168.24.0/24 - 192.168.31.0/24 networks. This would supply more than 2000 hosts: 8 networks with 254 hosts each equals 2032 hosts. Note: The networks are 192.168.24.0/24 (first) 192.168.25.0/24 (we add 1 in the network partition - that is we add 0.0.1.0) 192. 168.26.0/24 192. 168.27.0/24 192. 168.28.0/24 192. 168.29.0/24 192. 168.30.0/24 192.168.31.0/24 (last) Incorrect Answers: A: With a 22 bit subnet mask (192.168.32.0/22) only 1022 (2**10~2) hosts could be used. Here we need to supply more than 2000 hosts. B: The 192.168.33.0/24 — 192.168.39.0/24 range is not contiguous and it supplies only 7 network IDs with 254 hosts each which is less than the required 2000 hosts. C: 192.168.17.0/24 — 192.168.23.0/24 only gives 7 new network ID numbers. Each network has 254 hosts (2**(32~24)~2 hosts). 7 network IDs would only supply 1774 clients. 8 Network ID numbers are needed. 41. You are the administrator of your company’s network. You investigate a report that administrators in the Dallas office have installed and are using Network Monitor. Your company allows only administrators in the Atlanta office to install and use Network Monitor. You install Network Monitor on Profi. You need to monitor how many copies of Network Monitor are currently running. What should you do? (Choose Two) A. On the Tools menu in Network Monitor, select identify Network Monitor Users. 
B. On the Options menu in Network Monitor, select Show Address Names. C. On the Tools menu in Network Monitor, select Find Routers. D. On the Display menu in Network Monitor, select Find all names. E. Install Network Monitor on a computer on SegmentB. F. Permit all ports in the TCP/IP filter on the router. Answer: A, E Explanation: In Network Monitor, the “Identify Network Monitor users” option is available in the Tools menu. This option sends a series of multicast packets to all NetBIOS- enabled systems that have the Network Monitor agent installed. After detecting all the Network Monitor agents, a list of the agents is displayed. It will show other computer’s names that are running network monitor along with the user name, MAC address, network monitor state (running, capturing, or transmitting), and network monitor version. In order to detect installations of Network Monitor on segment B the Network monitor has to be installed on a computer on SegmentB. Incorrect Answers: B: The Show Address Names command in the Options menu toggles whether or not friendly names are used. It is enabled by default. It is not required to monitor how many copies of Network Monitor are currently running. C: The Find Routers command finds routers, it does not find computer running Network monitor. D: There is no Display menu in Network Monitor. F: It is not necessary to permit all ports in the TCP/IP filter on the router. 42. You are the administrator of a Windows 2000 network that has a main office and one branch office. You use PPTP to connect the main office to the branch office. You want to verify that the strongest possible level of data encryption is supported for the connection. What should you do? A. In the Routing and Remote access consoles, verify that the dial-in profile used to establish the connection between the two offices allows only MS-CHAP. B. 
In the properties of the Routing and Remote Access Server objects in the Routing and Remote access consoles, verify that the Extensible Authentication Protocol is using MDS-CHAP. C. In the properties of the PPTP interfaces in the Routing and Remote Access consoles, verify that MS- CHAP v2 is being used as the authentication method. D. In the properties of the PPTP interfaces in the Routing and Remote Access consoles, verify that Password Authentication Protocol (PAP) is being used as the authentication method. Answer: B Explanation: We can use EAP to support authentication schemes such as Generic Token Card, MDS-Challenge (MDS-CHAP), Transport Level Security (TLS) for smart card support, and S/Key as well as any future authentication technologies. Extensible Authentication Protocol using MDS-CHAP is more secure than MS- CHAP V2, MS-CHAP and PAP. Note: The Message Digest S Challenge Handshake Authentication Protocol. This protocol encrypts user names and passwords with an MDS algorithm. Incorrect Answers: A: CHAP uses encrypted authentication but is vulnerable. C: MS-CHAP V2 is an improvement on CHAP. In MS-CHAP the challenge response is calculated with a Message Digest 4 (MD4)-hashed version of the password D: PAP uses plaintext and is not a secure authentication protocol. 43, You are the administrator of your company. To monitor the traffic on your network, you install Network Monitor. You need to monitor the source IP address, and destination IP address, and destination port number of every TCP/IP frame on the network. You want to log this information for a period of three hours. What should you do? (Choose Two) A. On the Capture Buffer Settings menu, increase the buffer size. B. On the Capture Buffer Settings menu, decrease the buffer size. C. On the Capture Buffer Settings menu, increase the frame size. D. On the Capture Buffer Settings menu, decrease the frame size. E. Change the Temporary Capture Directory. 
Answer: A, D Explanation: In this scenario the buffer size must be increased from the default setting of 1.0 MB to prevent to buffer from being overwritten. By decreasing the frame size from the default value of 65,535 bytes, the buffer will last longer before it is overwritten. Incorrect Answers: B: In this scenario the buffer size must be increased not decreased. C: The frame size must be decreased not increased. E: To only reason for moving the Temporary Capture Directory is that the hard drive is becoming full. It is no indication in this scenario that this is the case. 44, You are the administrator of a mixed Windows NT 4.0 and Windows 2000 network. All of the Windows 2000 Server computers in your network are member servers of a single Windows NT 4.0 domain. You want to use two of these servers to test configurations of IPSec that are using the Kerberos authentication protocol. What should you do? A. On both servers, create a new IPSec policy. Configure a rule so that it will not use a tunnel. Specify shared secret key authentication. Assign the new policy. B. On one of your servers, install a stand-alone root Certificate Authority (CA). Create a digital certificate for both servers. On both servers create a new IPSec policy and specify the issued certificate for authentication. Assign the policy. C. On both servers, create a new IPSec policy. Specify the tunnel end point as the IP address of the partner Server and specify a shared secret key to use for authentication. Assign a new policy. D. Promote one of the servers to a domain controller. Assign the domain controller as the default Secure Server IPSec policy. Assign the other Server the default Client IPSec policy. Answer: D Explanation: Active Directory is needed for Kerberos Authentication. Kerberos is not supported in Windows NT 4.0. 
Therefore we must promote one of the Windows 2000 member servers to a domain controller, use Secure Server (Require encryption) on this domain controller and configure the other server with the Client IPSec Policy. To promote a Windows 2000 member server to a domain controller we must install Windows NT 4.0 as a backup domain controller (BDC), promote the BDC to a primary domain controller (PDC), and then promote to Windows 2000 mixed-mode domain controller. Incorrect Answers: A: A Windows 2000 domain controller is required for Kerberos authentication. B: A Windows 2000 domain controller is required for Kerberos authentication. C: A Windows 2000 domain controller is required for Kerberos authentication. 45. You are the administrator of your company’s network. You are configuring your Windows 2000 server computer that runs Internet Information Server (IIS). Your Server uses the IP address of 131.107.2.2 to support Internet users. Your server uses the IP address of 10.1.1.2 to support an intranet application. You want to configure your server to permit only web communications from the Internet. You also want to configure your server to allow access to shared folders and other resources for users on the intranet. What should you do? (Choose two) A. Enable a TCP filter. Permit only port 80 on the network adapter that uses the IP address of 131. 107.2.2. B. Enable a TCP filter. Permit only port 21 and port 20 on the network adapter that uses the IP address of 13 1.107.2.2. C. Permit all ports on the network adapter that uses the IP address of 13 1.107.2.2. D. Enable a TCP filter. Permit only port 80 on the network adapter that uses the IP address of 10.1.1.2. E. Enable a TCP filter. Permit only port 21 and port 20 on the network adapter that uses the IP address of 10.1.1.2. F. Permit all ports on the network adapter that uses the IP address of 10.1.1.2. 
Answer: A, F Explanation: In this scenario External Internet users will use the 131.107.2.2 IP address to use the Web server. Therefore it should only be enabled for web traffic (HTTP), which uses the TCP port 80. Internal users will use the 10.1.1.2 IP address to access the Web server. Furthermore, all traffic should be permitted. Incorrect Answers: B: Port 20 and port 21 which are used for FTP traffic, port 80 is used for http traffic. We should therefore permit port 80 on Internet interface of the Web server. C: Only port 80 should be permitted on the Internet interface of the Web server. D: All ports should be permitted on the internal interface of the Web server, not only web traffic. E: All ports should be permitted on the internal interface of the Web server, not only FTP traffic. 47. You are the administrator of your company’s network. The network consists of 10 Windows 2000 Server computers, 200 Windows 2000 Professional computers, 250 Windows 98 computers, and 25 UNIX workstation computers running SMB server software. The network runs only TCP/IP as its transport protocol. You implement WINS in the network for NetBIOS name resolution. Users of the Windows-based client computers report that they cannot access resources based on the UNIX computers by NetBIOS name. There is no problem accessing Windows-based resources by NetBIOS name. What should you do to resolve this problem? A. Install a WINS proxy agent on one of the UNIX computers. B. Install a WINS proxy agent on one of the Windows-based computers. C. On the WINS server, create static mappings for the UNIX computer. D. On the WINS server, create static mappings for the Windows-based computers. Answer: C Explanation: In this scenario Windows computers cannot access resources on the UNIX computers. This is because UNIX computers do not register themselves in WINS thus There are no records for the UNIX computers in the WINS server. 
We can overcome this problem by adding static mappings of the UNIX computers in the WINS server. Incorrect Answers: A: The WINS Proxy agent is used to enable non-WINS clients want to communicate with WINS-clients. But in this scenario the non-WINS clients, the UNIX computers, are able to connect to resources on the Windows computers already, Static entries of the UNIX computers have to be added. B: The WINS Proxy agent is used to enable non-WINS clients want to communicate with WINS-clients. But in this scenario the non-WINS clients, the UNIX computers, are able to connect to resources on the Windows computers already, Static entries of the UNIX computers have to be added. D: Resources on the Windows computers can already be used. Windows computers have already registered themselves in WINS. 48. You are the administrator of your company’s network. The network consists of a single Windows 2000 domain. The network has Windows 2000 Server computers, Windows 2000 Professional computers, and Windows NT Workstation 4.0 computers distributed across two IP subnets. Two Windows 2000 domain controllers are located on Subnet1. Each domain controller is also a DNS server hosting an Active Directory integrated zone. You implement WINS for NetBIOS name resolution on your network. WINS is installed on a server on Subnet2. Users of the Windows NT Workstation 4.0 computers on Subnet2 report that they are receiving the following error message, “Domain Controller cannot be located”. Subsequently, these users cannot be validated on the network. Windows NT Workstation 4.0 users on Subneti are not experiencing this problem. However, they do report that response times for logon requests are extremely slow. None of the Windows 2000 Professional users on either subnet report these problems. You want to ensure that Windows NT Workstation 4.0 users on Subnet2 can be validated. You also want to improve logon request response time for users on Subneti. What should you do? A. 
Configure the router to forward NetBIOS broadcast packets B. Configure the Windows NT Workstation 4.0 computers as DNS clients in the existing zone C. Configure the Windows NT Workstation 4. 0 computers as WINS clients D. Configure the Windows 2000 Server domain controller computers as WINS clients Answer: D Explanation: The Windows 2000 computers use DNS for name resolution. Windows 2000 computers do not register themselves in WINS; specifically the Windows 2000 Domain controllers are not registered in WINS. The NT 4.0 clients use WINS for name resolution but they will be unable to find the Domain Controllers by using WINS. The Windows 2000 domain controllers need to be registered in WINS. That is they have to be configured as WINS clients. Incorrect Answers: A: The WINS server is on the same segment as the NT 4.0 machines. The NT 4.0 clients will be able to communicate with the WINS server. The Windows 2000 computers on the other segment do not use WINS WINS. B: The Domain Controllers, not the NT Workstations, must be configured as WINS clients. C: The Domain Controllers, not the NT Workstations, must be configured as WINS clients. 49. You are the administrator of your company’s network. The network consists of Windows 2000 Server computers, Windows NT Workstation client computers, and Windows for Workgroups 3.11 client computers distributed across three subnets. All client computers are configured as DHCP client computers to automate TCP/IP configuration. You install a WINS server on one subnet on your network. You also define a DHCP scope option to include the WINS server’s address. Users report that they can access resources on servers on their own subnet, but they cannot access resources on other subnets. What should you do to resolve this problem? A. Use the ipconfig/renew command to refresh the client computers’ configuration B. Use the ipconfig/release command to refresh the client computers’ configuration. C. 
Install a WINS proxy agent on the subnet that hosts the WINS server. D. Install a WINS proxy agent on the subnets that do not host the WINS server. Answer: A Explanation: In this scenario the IP configuration has been updated on the DHCP server. This new information must reach the client computers. To accomplish this we should use the IPConfig /renew command on every DHCP client computer. Windows 3.11 client computers are also able to use the ipconfig/renew command. Incorrect Answers: B: Ipconfig/renew not ipconfig/release is used to get new TCP/IP configuration information from the DHCP Server. Ipconfig/release only resets the client’s IP configuration. C: All clients in the network are able to use WINS, therefore it is not necessary for any WINS Proxy agent. D: All clients in the network are able to use WINS, therefore it is not necessary for any WINS Proxy agent. 50. You are the administrator of a Windows 2000 network. The network has three segments connected by a router. Each segment contains a Windows 2000-based WINS server and two other Windows 2000 Server computers. The network also has 300 Windows NT Workstation 4. 0 WINS client computers distributed evenly over the three segments. Users in each network segment inform you that they cannot browse any network resources on the other network segments. They do not have problems browsing their own segment. How should you configure the network to enable users to browse for network resources on all three- network segments? A. Configure all WINS client computers to be NetBIOS node type Mixed (m-node) B. Configure all WINS client computers to use all three WINS servers. C. On each WINS server, configure the Lmhosts file to contain entries that include #PRE and #DOM For the other two WINS servers D. Configure the three WINS servers as replication partners of one another. Answer: D Explanation: In this scenario the WINS servers are working in isolation on each segment with no replication of information. 
They need to exchange their records by setting them up as replication partners. The NetBIOS broadcasts will not pass the routers, but the WINS replication will.
Incorrect Answers:
A: WINS clients are h-node (hybrid) by default, that is, they use WINS followed by broadcast. Changing to m-node (mixed), which is broadcast followed by WINS, will not help since the routers do not pass broadcasts and the WINS servers do not replicate information.
B: The routers will not allow the WINS traffic through.
C: The lmhosts file must be copied to every WINS client computer, not only to the WINS server computer.

51. You are the administrator of a Windows 2000 network. The network has four Windows 2000 servers named NY1, NY2, Bos1 and Bos2. The network has computers in two locations: Boston and New York. The Bos1 and Bos2 WINS servers are at the Boston location. The NY1 and NY2 WINS servers are at the New York location. You want to configure the replication between the WINS servers to accomplish the following goals:
• The NY1 and NY2 WINS servers must replicate changes in the local database to each other immediately following each new registration or IP address change registration.
• The Bos1 and Bos2 WINS servers must replicate changes in the local database to each other every 30 minutes.
• The changes in the WINS database in either location should be replicated to the other location every three hours.
How should you configure the WINS servers to accomplish these goals? (Choose three)
A. Configure the WINS servers to enable burst handling. Set the number of requests for burst handling to 1.
B. Configure the NY1 and NY2 WINS servers as push/pull partners of each other. Configure both WINS servers to use persistent connections for push replication partners. Set the number of changes before replication to 1.
C. Configure the Bos1 and Bos2 WINS servers as push/pull partners of each other. Specify a replication interval of 30 minutes.
D. Configure the Bos1 and Bos2 WINS servers as push/pull partners of each other. Configure both WINS servers to enable periodic database consistency checking every 30 minutes.
E. Configure the NY1 and Bos1 WINS servers as push partners of each other. Configure both WINS servers to update statistics every three hours.
F. Configure the NY1 and Bos1 WINS servers as push/pull partners of each other. Specify a replication interval of three hours.
Answer: B, C, F
Explanation: By configuring the NY1 and NY2 WINS servers as push/pull partners, using persistent connections and setting the number of changes before replication to 1, the WINS servers will be able to replicate any changes to each other immediately. The default setting requires at least 20 changes before replication. Bos1 and Bos2 are configured as push/pull partners with a replication interval of 30 minutes, which forces them to replicate their local databases to each other every 30 minutes. NY1 and Bos1 are configured as push/pull partners with a replication interval of 3 hours, which forces them to replicate their local databases to each other every 3 hours.
Incorrect Answers:
A: Burst handling is only useful for high-impact WINS registration periods; it is not used for WINS replication configuration.
D: The replication interval, not periodic database consistency checking, should be configured to 30 minutes.
E: There is no requirement to update the statistics of the WINS servers.

52. You are the administrator of a Windows 2000 network. The network has 18,000 Windows 2000 Professional WINS client computers and six Windows 2000-based WINS servers. The WINS client computers are portable client computers, and they frequently connect to the network at different locations. The WINS client computers access NetBIOS-based resources. The TCP/IP configuration of the WINS client computers is provided by DHCP servers on the network. Some of the WAN links in your network are unreliable. You want to ensure that all Windows 2000 Professional computers are able to resolve NetBIOS names, even if some of the WINS servers are not available. How should you configure the network to accomplish this goal?
A. On each segment, configure a computer as a WINS proxy.
B. Configure the DHCP servers to provide each client computer with a list of WINS servers.
C. Configure the WINS servers to enable burst handling. Set the number of requests for burst handling to High.
D. Configure the DHCP server to set the NetBIOS over TCP/IP node type for each client computer to Mixed (m-node).
Answer: B
Explanation: Windows 2000 clients can be configured to use up to 12 WINS servers. This redundancy would be beneficial in a large network, as it will ensure that all Windows 2000 Professional computers are able to resolve NetBIOS names even if some of the WINS servers are not available.
Incorrect Answers:
A: Since all clients are Windows 2000 computers, which are WINS-enabled, a WINS proxy is not required.
C: Burst handling could improve performance during high-impact WINS registration periods, but it is not used to configure redundancy in case of WINS server failure.
D: Mixed mode, instead of the default hybrid mode, only switches the order of the WINS communication methods. In hybrid mode WINS is followed by broadcast, and in mixed mode broadcast is followed by WINS. Therefore mixed mode would not offer any redundancy.

53. You are the administrator of a Windows 2000 network. The network has seven Windows 2000-based WINS servers, and each is in a separate location. Because network users frequently log on at different locations, you want to configure the seven WINS servers to have a convergence time of less than one hour. How should you configure the seven WINS servers to accomplish this goal?
A. Create a display of the seven WINS servers in a circular arrangement. Configure each WINS server as a push/pull partner with the two WINS servers beside it in the circle. Use a replication interval of 25 minutes.
B. Designate one of the WINS servers as the central WINS server. Configure the other six WINS servers as push/pull partners with the central WINS server. Configure the central WINS server as the push/pull partner of the other six WINS servers. Use a replication interval of 25 minutes.
C. Configure each WINS server to automatically configure the other WINS servers as its replication partners. Use the default interval time for automatic partner configuration.
D. Configure each WINS server to use a renew interval of 50 minutes. Use the default value for the verification interval.
Answer: B
Explanation: The default WINS pull replication interval is 30 minutes. This model, with a centralized WINS server communicating with the other WINS servers, is called the hub-and-spoke model. It is the only proposed solution in which replicated information from one WINS server reaches all the others within 2 replications, which would be less than 60 minutes. In this model replication passes through the central WINS server from the one WINS server to all the other WINS servers.
Incorrect Answers:
A: With the WINS servers in a circular arrangement it would take at least four replications for the WINS information to reach the WINS server farthest away in the circle. This would make the replication time around 2 hours.
C: A WINS server cannot be configured to automatically configure the other WINS servers as push/pull partners. The replication must be manually configured on the WINS servers.
D: The WINS servers need to be configured as replication partners.

54. You are the administrator of your company’s network. The network consists of a single IP subnet that uses DHCP to automate client computer configuration. You install a WINS server on the network to reduce broadcast traffic for name resolution. After several days, users report that the network response time is still unacceptably slow.
You investigate and discover that the levels of broadcast traffic have not been reduced. When you view the WINS database, you also find that the only entry is for the WINS server itself. What should you do to resolve this problem?
A. Configure the WINS server as a DHCP client computer.
B. Configure the DHCP server as a WINS client computer.
C. Configure a DHCP scope option to include the address of the WINS server.
D. Configure static mappings on the WINS server for each client computer.
E. Configure a reservation in the DHCP scope for the WINS server.
Answer: C
Explanation: In addition to an IP address, DHCP servers can be configured to provide optional data to fully configure TCP/IP for clients. In this scenario we configure the DHCP scope option to include the IP address of the WINS server. The next time the clients contact the DHCP server they will be configured to use the WINS server. To accomplish this we must select the DHCP console in the Administrative Tools, open the scope, right-click Scope Options, select Configure Scope, and enable 044 WINS/NBNS Servers and 046 WINS/NBT Node Type.
Incorrect Answers:
A: The WINS server should have a static IP address; it should not be a DHCP client.
B: The DHCP server does not need to be configured as a WINS client; it must be configured with the address of the WINS server in the scope option.
D: Static mappings on the WINS server are not necessary. The DHCP server must be configured to include the WINS server address in the scope option.
E: A reservation in the DHCP scope for the WINS server would only ensure that the WINS server uses the same IP address. It would not enable the clients to use the WINS server.

55. You are the administrator of a Windows 2000 network. The network has three Windows 2000-based WINS servers named Srv1, Srv2, and Srv3. You want to periodically compact the WINS database to reclaim unused space. How should you perform a manual compaction of the WINS database on the Srv1 WINS server?
A. Configure the Srv1 WINS server to block replication of WINS records from the Srv2 and Srv3 WINS servers. Initiate database consistency checking. Allow replication of records from the Srv2 and Srv3 WINS servers.
B. Stop the Srv1 WINS server. Use the jetpack command-line tool to compact the WINS database. Start the Srv1 WINS server again.
C. Stop the Srv1 WINS server. Use the Backup Database command to create a backup of the Srv1 WINS database. Compact the backup of the database by using the compact command-line tool. Use the Restore Database command to restore the backup of the database. Start the Srv1 WINS server again.
D. In the WINS console, use the Scavenge Database command.
Answer: B
Explanation: To compact a WINS database we must stop the WINS server service. Then at the command prompt we must issue the command jetpack wins.mdb tmp.mdb, and then restart the WINS server service.
Incorrect Answers:
A: WINS replication configuration and database consistency checking are not used when the WINS database should be compacted.
C: The compact command is used to compress files in general, not to compact the WINS database.
D: The Scavenge Database command is used to remove stale records from the WINS database. It is not used to compact the WINS database.

56. You are the administrator of a Windows 2000 network. The network has six Windows 2000-based WINS servers and two Windows 2000-based DHCP servers. To anticipate the migration of the network from WINS to DNS, you decide to remove one WINS server named Wins6 from the network by performing the following actions.
• On Wins6, stop the WINS service and uninstall WINS.
• On the DHCP servers in the network, reconfigure the options to no longer specify Wins6 as a WINS server. Configure the DHCP options to instead use the other five WINS servers equally.
• On WINS client computers that are manually configured to use TCP/IP, reconfigure the network properties to no longer use Wins6 as a WINS server. Configure these client computers to instead use any of the other five WINS servers.
• On one of the remaining WINS servers, delete the static mappings originally made on Wins6.
After two weeks, you notice that the static mappings originally made on Wins6 are still present on all the remaining WINS servers. What should you do to permanently remove these unwanted static mappings from the remaining WINS servers?
A. On the remaining WINS servers, use the Scavenge Database command in the WINS console.
B. On the remaining WINS servers, perform an offline compaction of the WINS database.
C. Configure the remaining WINS servers to use Migrate On handling of static entries.
D. On one of the remaining WINS servers, manually tombstone the Wins6 owner from the database.
Answer: D
Explanation: By manually tombstoning the records which belonged to the Wins6 WINS server, the tombstone information will replicate to the other WINS servers and the corresponding records will be tombstoned on the other WINS servers as well. The tombstoned records will eventually be deleted.
Incorrect Answers:
A: Scavenging the database would only remove stale records, not the static mappings.
B: Offline compaction of the WINS database would not remove any WINS records.
C: The Migrate On setting would enable static entries in the WINS database to be challenged and dynamically updated by clients. This would not remove any static mappings, which will not be challenged though.

57. You are the administrator of a Windows 2000 network. The network has two Windows 2000-based WINS servers. You want periodic backups of the WINS database of both WINS servers to occur automatically. How should you configure the network to accomplish this goal?
A. In the WINS console on both WINS servers, right-click the server name, and then select the Back Up Database command.
B. In the WINS console on both WINS servers, configure the general properties of the WINS server to specify a default backup path.
C. On both WINS servers, use Windows Backup to schedule a regular backup of the system32\Wins folder.
D. On both WINS servers, configure the File Replication Service to copy the System32\Wins folder to another location on the disk.
Answer: B
Explanation: Once a backup folder for the database has been specified, WINS performs a complete WINS database backup every three hours.
Incorrect Answers:
A: Manually backing up the WINS database will not schedule any periodic WINS backups for the future.
C: Windows Backup cannot be used to back up the WINS database. The WINS console must be used to specify the default backup directory.
D: The WINS database cannot be backed up by the File Replication Service. WINS database backups must be configured from the WINS console.

58. You are the administrator of your company’s network. The network consists of four IP subnets connected by a router. The network contains 12 Windows 2000 Server computers and 100 Windows 2000 Professional computers, evenly distributed across the four subnets. All of the servers are used to serve file and print resources to the client computers. You install the WINS server service on one server on one subnet. You configure the WINS option in a DHCP scope to configure all of the other computers on the network to register with and query the WINS server for NetBIOS name resolution. Within four hours of the installation and configuration, users on the remote subnets report that they cannot access resources located on the WINS server by NetBIOS name. Other TCP/IP connectivity is not affected. Users located on the same subnet as the WINS server are experiencing no problem accessing these same resources.
What should you do to resolve this problem?
A. Install a WINS proxy agent on each remote subnet.
B. Install a WINS proxy agent on the same subnet as the WINS server.
C. Configure the WINS server to include the IP addresses of each gateway on the router.
D. Configure the WINS server to include its own IP address as a WINS client computer.
Answer: D
Explanation: The clients receive their WINS server address, along with other IP configuration information, from the DHCP server. But they cannot use the NetBIOS name of the WINS server to access resources on the WINS server, as the WINS server must also be configured as a WINS client.
Incorrect Answers:
A: A WINS proxy agent is only useful for non-WINS clients.
B: A WINS proxy agent is only useful for non-WINS clients.
C: The DHCP server scope option is configured to include a default gateway address. WINS is only used for NetBIOS name to IP address resolution.

59. You are the administrator of your company’s network. Your network has 1,900 hosts. Your network requires Internet connectivity. Aside from the connection to the Internet, your network is not routed. Your Internet service provider (ISP) assigns you the following eight network addresses:
192.24.32.0/24
192.24.33.0/24
192.24.34.0/24
192.30.35.0/24
192.30.36.0/24
192.30.37.0/24
192.30.38.0/24
192.30.39.0/24
You want to minimize the complexity of routing tables on the network while maintaining Internet connectivity for all hosts. Which subnet mask should you configure to meet these goals?
A. 255.255.240.0
B. 255.255.248.0
C. 255.255.252.0
D. 255.255.254.0
E. 255.255.255.0
Answer: B
Explanation: There must be 1,900 clients on the subnet. At least eleven bits must be used for these 1,900 hosts, since 2^11 = 2048, and not 10 bits, since 2^10 = 1024. This leaves 21 (32 - 11) bits for the subnet mask.
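Carrying this arithmetic through in code, as an added example that is not part of the exam material: the functions below derive the mask from a required host count (this question) and, as the general form of the same calculation, from a required number of subnets and hosts per subnet inside an assigned block (the situation in question 62). Only the Python standard library is used, and the 2^n - 2 convention for both host bits and subnet bits follows the page's own explanations.

```python
"""Subnet mask arithmetic behind the host-count and subnet-count questions.

Added example, not exam material. Counts follow the page's convention:
a field of n bits yields 2^n - 2 usable values, for host bits (network and
broadcast address reserved) and, classful style, for subnet bits alike.
"""
import ipaddress


def usable(bits):
    """Usable values in a field of `bits` bits; all-zeros and all-ones are reserved."""
    return 2 ** bits - 2


def bits_needed(count):
    """Smallest field width whose usable count covers `count` (e.g. 1900 -> 11)."""
    bits = 1
    while usable(bits) < count:
        bits += 1
    return bits


def dotted_mask(prefix):
    """Dotted-decimal mask for a prefix length, e.g. 21 -> '255.255.248.0'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def binary_mask(prefix):
    """The mask written octet by octet in binary, as the explanation shows it."""
    return ".".join(f"{int(octet):08b}" for octet in dotted_mask(prefix).split("."))


def mask_for_hosts(hosts):
    """One flat network that must hold `hosts` usable addresses.

    Returns (prefix length, dotted mask); 1,900 hosts -> (21, '255.255.248.0').
    """
    prefix = 32 - bits_needed(hosts)
    return prefix, dotted_mask(prefix)


def mask_for_subnets(block_prefix, subnets, hosts_per_subnet):
    """Split a /block_prefix block into at least `subnets` subnets of at least
    `hosts_per_subnet` usable hosts each, borrowing as few bits as possible.

    Returns (prefix length, dotted mask), or None when the block is too small.
    For 192.168.16.0/24 with 10 subnets of 10 hosts: (28, '255.255.255.240').
    """
    free_bits = 32 - block_prefix
    for subnet_bits in range(1, free_bits):
        host_bits = free_bits - subnet_bits
        if usable(subnet_bits) >= subnets and usable(host_bits) >= hosts_per_subnet:
            prefix = block_prefix + subnet_bits
            return prefix, dotted_mask(prefix)
    return None


if __name__ == "__main__":
    prefix, mask = mask_for_hosts(1900)
    print(f"1,900 hosts -> /{prefix} = {mask} = {binary_mask(prefix)}")
    prefix, mask = mask_for_subnets(24, 10, 10)
    print(f"10 subnets x 10 hosts in a /24 -> /{prefix} = {mask} = {binary_mask(prefix)}")
    print(f"100 subnets x 10 hosts in a /24 -> {mask_for_subnets(24, 100, 10)}")
```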
Subnet mask in binary: 11111111.11111111.11111000.00000000
Subnet mask in decimal: 255.255.248.0
Incorrect Answers:
A: The subnet mask 255.255.240.0 is not appropriate for the 8 subnets provided by the ISP.
C: The subnet mask 255.255.252.0, or in binary 11111111.11111111.11111100.00000000, leaves 10 bits for the hosts, which translates to 1024 hosts, which is not enough.
D: The subnet mask 255.255.254.0, or in binary 11111111.11111111.11111110.00000000, only leaves 9 bits for the hosts, which translates to only 512 hosts, but 1,900 hosts are required.
E: The subnet mask 255.255.255.0, or in binary 11111111.11111111.11111111.00000000, only leaves 8 bits for the hosts, which translates to only 256 hosts, but 1,900 hosts are required.

60. Your company has a Simple Network Management Protocol (SNMP)-enabled network router installed on its network. Your company wants to monitor all SNMP traffic generated by the router. You install Network Monitor on a Windows 2000 Server computer on your network. Your router is configured to trap to an SNMP manager installed on another server. You want to receive a notification whenever the router raises an SNMP trap. What should you do? (Choose two)
A. Create a Network Monitor filter that has a pattern match for SNMP traffic.
B. Install SNMP on the server.
C. Create a Network Monitor trigger to run the Net Send command.
D. Create a TCP/IP filter on the server.
E. Start the Windows 2000 Alerter service on the server.
F. Configure the network router to trap to the IP address of the server.
Answer: A, C
Explanation: First a Network Monitor filter selects only the frames that have a pattern match for SNMP traffic. Then a Network Monitor trigger has to be configured to trigger on the pattern match for SNMP traffic and to run a net send command, which will notify you of the SNMP trap.
Incorrect Answers:
B: SNMP is already installed on a Windows 2000 Server. Only one SNMP server is needed.
D: A Network Monitor filter, not a TCP/IP filter on the server, will catch the SNMP trap message.
E: The Alerter service must be running, and it is enabled by default, so that the net send command will be allowed to reach you.
F: The router is, by default, already configured to trap SNMP events. These traps are broadcasts, so the IP address of the SNMP server does not have to be configured.

61. You are the administrator of a Windows 2000 network that has a main office and one branch office. The company leases a 128-Kbps ISDN line to connect the main office to the branch office. You configure Routing and Remote Access on a stand-alone Windows 2000 Server computer in each office to provide a demand-dial connection. You want to encrypt traffic over the ISDN connection, and you want to prevent unnecessary connections over the ISDN line. What should you do?
A. Configure a PPTP demand-dial connection to connect the two offices over the ISDN connection and ensure that data encryption is enabled. Set the demand-dial filters to exclude NetBIOS broadcast traffic.
B. Configure a PPTP demand-dial connection to connect the two offices over the ISDN connection and ensure that data encryption is enabled. Set the IP demand-dial filters to exclude Remote Procedure Call traffic.
C. Configure an L2TP demand-dial connection to connect the two offices over the ISDN connection. Configure inbound and outbound filters to exclude all NetBIOS broadcast traffic.
D. Configure an L2TP demand-dial connection to connect the two offices over the ISDN connection. In the demand-dial filter list, configure filters to exclude Remote Procedure Call traffic.
Answer: A
Explanation: A PPTP demand-dial connection that is configured to enable data encryption will encrypt all traffic. Furthermore, configuring the demand-dial filters to exclude NetBIOS broadcasts would prevent some unnecessary name resolution traffic over the ISDN line.
Incorrect Answers:
B: The demand-dial filters should be configured to exclude NetBIOS broadcasts, not Remote Procedure Call traffic.
C: L2TP must be used with IPSec to encrypt data.
D: L2TP must be used with IPSec to encrypt data.

62. You are the administrator of your company’s network. Your network consists of 100 computers that use the IPX/SPX protocol. You plan to migrate the network to use TCP/IP and establish connectivity within the network. Your Internet service provider (ISP) assigns the address 192.168.16.0/24 to your network. Your network requires 10 subnets with at least 10 hosts per subnet. Which subnet mask should you configure to meet this requirement?
A. 255.255.255.0
B. 255.255.255.192
C. 255.255.255.224
D. 255.255.255.240
E. 255.255.255.248
Answer: D
Explanation: 10 hosts in each subnet require four bits for the hosts, which would supply 14 hosts (2^4 - 2). The remaining 28 bits (32 - 4) could be used for the network mask.
Network mask, in binary: 11111111.11111111.11111111.11110000
Network mask, in decimal: 255.255.255.240
Subnetting is given 4 bits (32 - 24 - 4), which gives 14 subnets (2^4 - 2), more than the required 10.
Note: To calculate the number of available hosts we use the formula 2^(number of host bits) - 2. We must subtract the lowest address, since it is the network address, and the highest address, since it is the network broadcast address.
Incorrect Answers:
A: A network mask of 255.255.255.0 gives 254 hosts, but no bits for subnets. 10 subnets are required.
B: A network mask of 255.255.255.192 gives 64 hosts, but only 2 subnets (10 required).
C: A network mask of 255.255.255.224 gives 32 hosts, but only 6 subnets (10 required).
E: A network mask of 255.255.255.248 gives 6 hosts, but 10 are required.

63. You are the administrator of your company’s network. Your network consists of Windows 2000 Server computers and Windows 2000 Professional computers.
You create an IPSec policy named accountingsec for use by employees in your accounting department. Your company is concerned that the keys used for encryption could be compromised and used to decrypt future communications. You want to prevent the re-use of previous-session keys. You also want to limit performance degradation. What should you do?
A. Decrease the frequency of policy checks for updates.
B. On the Generate a new key every property, modify the time allocations.
C. Select the Master key perfect forward secrecy check box.
D. Select the Session key perfect forward secrecy check box.
Answer: D
Explanation: Session key perfect forward secrecy creates a new master key during every session rekey operation and is the most secure setting.
Incorrect Answers:
A: Decreasing the frequency of policy checks would not prevent the use of previous session keys.
B: If the time allocations of the Generate a new key every property are configured, re-authentication and new key generation at that interval would be configured. But there is no guarantee that a new session will not use a previous session key.
C: Master key PFS should be used with caution, as it requires re-authentication. This may cause additional overhead for any domain controllers in your network.

65. You are the administrator of your company’s network. Your network consists of 15 Windows 2000 Server computers, 100 Windows 2000 Professional computers, and one NetWare server. Your users need to access the Sys: volume on the NetWare server. You want your company’s administrators to have complete access to the Sys: volume. You want all other users to have read-only access. You configure Gateway Service for NetWare on a Windows 2000 Server computer. You want to configure the appropriate access to the NetWare server. What should you do? (Choose two)
A. To the NTGateway group on the NetWare server, add the user accounts that need access to the NetWare server.
B. To the NTGateway group on the Windows 2000 Server computer, add the user accounts that need access to the NetWare server.
C. To the NTGateway group on the NetWare server, add the NTGateway user account.
D. To the NTGateway group on the Windows 2000 Server computer, add the NTGateway user account.
E. On the Windows 2000 Server computer, grant Full Control permission to administrators and Read permission to the users.
Answer: C, E
Explanation: The NTGateway group should be created on the NetWare server, not on the Windows 2000 Server. A NetWare user account, with the necessary rights for the resources that you want to access, must be a member of the NTGateway group on the NetWare server. On the computer running Windows 2000 Server and acting as a gateway, you can set share-level permissions for each resource made available through the gateway. In our case: Full Control to administrators and Read permission to users.
Incorrect Answers:
A: Only one single NetWare user account must be added to the NTGateway group on the NetWare server.
B: The NTGateway group should be created on the NetWare server, not on the Windows 2000 Server computer.
D: The NTGateway group is created on the NetWare server, not on the Windows 2000 Server computer.

66. You are the administrator of your company’s network. On your Windows 2000 Server computer named Srv1, you install Client Service for NetWare and NWLink with default settings. You perform these installations to access files stored on your company’s NetWare servers. From Srv1 you can connect to Srv2. You can also connect to NetWare1 and NetWare3, but you cannot connect to NetWare2 and NetWare4. NetWare2 and NetWare4 run different versions of NetWare than NetWare1 and NetWare3. You want to configure Srv1 to connect to all the NetWare servers. What should you do?
A. Set the adapter to Manual frame type detection and add the frame type of each NetWare server.
B. Manually configure the internal network number to 00000000.
C. Enable direct hosting of Internetwork Packet Exchange (IPX).
D. Install File and Print Services for NetWare.
Answer: A
Explanation: On this network two different NWLink frame types are used. On Windows 2000 computers NWLink automatically detects the frame type used by the network adapter. If multiple frame types are detected, NWLink sets the frame type to 802.2. If more than one frame type must be supported, the additional frame types must be added manually. This is done by the following steps on a Windows 2000 Server computer: open Network and Dial-up Connections, right-click the appropriate interface, select Properties, select NWLink, select Properties, select Manual frame type detection, choose Add and select the appropriate frame type.
Note: this setting could also be accomplished by editing the registry: add both types to the multi-string value PktType in HKLM\SYSTEM\CurrentControlSet\Services\NwlnkIPX\Parameters\Adapters\<adapter ID>, where <adapter ID> is the network adapter identifier.
Incorrect Answers:
B: The internal network number must be used to run FPNW or IPX routing. It is not used to support different NWLink frame types.
C: Direct hosting is a feature that allows computers to communicate over IPX, bypassing the NetBIOS layer. It is not used to support multiple frame types.
D: File and Print Services for NetWare (FPNW) is used to provide NetWare client access to file and print resources on a computer running Windows 2000 Server; it is not used to support different NWLink frame types.

67. You are the administrator of the blueskyairlines.com domain. You maintain a local DNS server to provide name resolution within your Internet domain. Your DNS server runs on Windows 2000 Server. You have five web servers, which contain company and flight information in addition to the online flight reservation system. For load-balancing purposes, each web server is configured to maintain exactly the same contents as all the other web servers.
All the web servers respond to the host name www.blueskyairlines.com. Customer feedback indicates that web server response times are unacceptably slow. You monitor your web servers and discover that only one of the five servers is servicing customer requests, while the others are sitting idle. You want to ensure load balancing and improve response time for customer web request. What could you do in the DNS management console? (Choose two) A. Enable round robin in the DNS server’s properties. B. Disable round robin in the DNS server’s properties. C. Enable forwarders and configure them to point to each web server. D. Verify that A (host) records have been created for each web server. E. Verify that CNAME (canonical name) records have been created for each web server. Answer: A, D Explanation: Round robin is an approach for performing load balancing. It’s used to share and distribute the network resource load. With round robin, the host name contained in a query, for which multiple RRs exist, are rotated each time the query is answered. In this scenario five host (A) records for www.blueskyairlines.com (pointing to the different web servers) must be created. Incorrect Answers: B: To ensure load balancing and to improve performance Round robin must be enabled, not disabled. C: Forwarders is used to forward DNS name queries to other DNS servers. It can not be used to load balance the web servers. E: CNAME records define aliases for resources. It can not be used to increase performance of the Web servers. Instead host (A) records with identical names but different IP addresses must be created for the Web servers. 68. You are the administrator of a Windows 2000 network. Your internal DNS server is located behind a firewall. When you test your DNS server by using the Monitoring tab on the server’s properties page, the DNS server passes the simple test but fails the recursive test. What could you do to resolve the problem? A. Run the ipconfig/ registerdns command. B. 
Delete the Systemroot\system32\dns\cache.dns file. C. Copy the systemroot\system32\dns\samples\cache. dns file to the systemroot\system32\dns\cache.dns file. D. Create a forward lookup zone for the root zone. Name the forward lookup zone “.“. E. Create a reverse lookup zone for the subnet on which the resource records for the primary name server are located. Answer: C Explanation: The recursive test fails. No forwarders are used. The internal DNS server must be configured with forwarders to be able to resolve external addresses. One likely cause is a root hints problem. By replacing the cache.dns file the root hints will be replaced and the internal DNS server will be able to use external DNS server as forwarders. Reference: Replacing Root Hints with the Cache.dns File (Q249868) HOW TO: Configure DNS for Internet Access in Windows 2000 (Q300202) Incorrect Answers: A: ipconfig/registerdns would register the computer, the DNS server, in DNS. This does not apply to the problem at hand. B: Cache.dns contains the addresses of DNS’s root servers. Deleting it would cause damage to the DNS Server. D: Creating a new empty root zone would make the internal DNS server a root server. It would never use any forwarders. Only local name resolution would be possible. Deleting an empty root zone, not creating one, could be helpful in this scenario. E: Create a new reverse lookup zone, would enable IP to name resolving, but would not fix the current DNS problem. 69. You are the administrator of one standard primary DNS server and two standard secondary DNS servers in a Windows 2000 domain. There are no other DNS servers on the network. The domain includes Windows 2000 Professional computers and a Windows 98 computer. The DNS zone for the Windows 2000 domain is configured to allow dynamic updates. All three DNS servers are located on domain controllers. You want client computers to be able to register with any DNS server. What should you do? A. 
Change the zone type of the DNS zone for the Windows 2000 domain on all three DNS servers to active directory integrated. B. Change the settings on the standard primary DNS server to notify the two standard secondary DNS servers when the zone is updated. C. Change the settings on the standard primary DNS server to allow zone transfers to only the two standard secondary DNS servers. D. Change the dynamic update option on the standard primary DNS server to allow only secure updates. Answer: A Explanation: With primary and secondary servers, the clients can only be registered at the primary server. With three Active Directory DNS Servers the clients could register themselves dynamically on any of them. Incorrect Answers: B: Configuration of notification concerns zone transfers and does not change the way clients register themselves. C: Zone transfers will not make the clients able to register themselves dynamically at any server. D: Only secure updates can only be configured in Active Directory Integrated zones. 70. You are the administrator of Windows 2000 network. You have three Windows 2000 domain controllers in a single domain. Your primary DNS server is installed on a domain controller named dci.contoso.com. You have two secondary DNS server installed on member servers named srvi.contoso.com and srv2.contoso.com. You want to increase fault tolerance for your DNS infrastructure. You also want to optimize and simplify the management of replication and zone transfers on your network. How should you accomplish these goals? A. Promote the member servers that are hosting the DNS server to domain controllers. B. Add srvl .contoso.com and srv2.contoso.com to the notify list on the primary DNS server. C. Remove the DNS server service from the member servers. Install the DNS server service on the domain controller. Convert the zone hosted by dcl .contoso.com to an Active Directory Integrated zone. D. 
Set the Time to Live (TTL) value in the SOA (start of authority) record on the primary DNS server to a low value. Answer: C Explanation: By removing the secondary DNS servers, installing DNS on a Domain controller, and converting the zone to Active Directory-integrated zone we would increase fault tolerance, since every DNS server has a full updateable replica of the DNS zone, optimize zone replication since incremental zone transfers instead of full zone transfers could be performed, simplify replication management: replication is integrated in the Active Directory replication process and does not have to be configured. Incorrect Answers: A: Only promoting the member servers to domain controllers would not increase fault tolerance, optimize zone replication or simply replication management since the zones still would be secondary zones. B: Adding srvl .contoso.com and srv2.contoso.com to the notify list will make the records on the secondary servers more up to date, but it would not increase fault tolerance, optimize zone replication or simply replication management since the zones still would be secondary zones. D: By setting the TTL value on the SOA record on the primary server to a low value would keep DNS records more current at the secondary servers, but would not increase fault tolerance, optimize zone replication or simply replication management since the zones still would be secondary zones. 71. You are the administrator of your company’s network. Your company has an intranet web application named appz Information Services (IIS). For performance reasons, your company mirrors the content of appz on three web servers: IIS1, 11S2 and 11S3. You want to configure your network to allow access to the other web servers in the event of failures. You want to configure DNS by using the fewest possible resources. What should you do? A. Configure one DNS server so that it has one DNS zone. Enable Round Robin. 
Create an A (host) record for appz for each web server's IP address.
B. Configure one DNS server so that it has one DNS zone. Disable Round Robin. Create an A (host) record for appz for each web server's IP address.
C. Configure three DNS servers so that each has one DNS zone. Enable Round Robin. Add an A (host) record for appz for each web server on each DNS server.
D. Configure three DNS servers so that each has one DNS zone. Disable Round Robin. Add an A (host) record for appz for each web server on each DNS server.

Answer: A

Explanation: Round robin is a simple form of load balancing used to share and distribute the load on a network resource. When a queried name has multiple resource records, round robin rotates the order of the records each time the query is answered, so successive clients are directed to different servers. Round robin also gives some redundancy, because a client that cannot reach the first address it receives can try the next one. In this scenario three A (host) records for appz (pointing to IIS1, IIS2 and IIS3 respectively) must be created in the same DNS zone on one DNS server; that provides load balancing and redundancy with the fewest resources.

Incorrect Answers:
B: Round robin must be enabled, not disabled, to balance the load and improve performance.
C: With the three A (host) records split across zones on different servers, name resolution would not rotate between IIS1, IIS2 and IIS3, so there would be no load balancing or redundancy; three DNS servers are also more resources than needed.
D: Round robin must be enabled, not disabled, to balance the load and improve performance.

72. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named Atlanta and 120 Windows 2000 Professional computers. Atlanta has a dial-up connection that connects to the Internet. All Windows 2000 Professional computers on the network are configured to use a dynamically assigned IP address. The network has one DHCP server.
To allow all Windows 2000 Professional computers on the network to access the Internet through the dial-up connection of Atlanta, you install and configure the Network Address Translation (NAT) routing protocol on Atlanta. Your Internet service provider (ISP) has allocated four IP addresses, 207.46.179.4 through 207.46.179.7, to your network. You want Atlanta to use the four IP addresses for the translated connection to the ISP. How should you configure Atlanta?
A. Configure the NAT routing protocol to use the IP addresses in the range starting with 207.46.179.4 with a mask of 255.255.255.252 for the DHCP allocator.
B. Configure the public interface of the NAT routing protocol to use an address pool with a starting address of 207.46.179.4 and a mask of 255.255.255.252.
C. Configure the LAN interface of the NAT routing protocol to use an address pool with a starting address of 207.46.179.4 and a mask of 255.255.255.252.
D. Configure the NAT routing protocol to use special ports on the public interface. Use private addresses 207.46.179.4 through 207.46.179.7.

Answer: B

Explanation: Configuring the public interface of the NAT protocol with the public IP addresses provided by the ISP sets NAT up correctly. The mask of 255.255.255.252 (/30) is also correct: together with the starting address 207.46.179.4 it describes exactly the four addresses 207.46.179.4 through 207.46.179.7, so the pool contains all of the allocated addresses and nothing else.

Incorrect Answers:
A: The DHCP allocator functionality in NAT lets the DHCP clients on the network obtain an IP address, subnet mask, default gateway and DNS server address automatically from the NAT computer. The DHCP allocator hands out private addresses on the internal LAN interface, not public addresses such as 207.46.179.4.
C: Public addresses such as 207.46.179.4 cannot be exposed on the internal LAN interface.
D: Special ports are used to make private resources on the LAN available to Internet users, by mapping a public address and port to a private address and port.
The public addresses 207.46.179.4 through 207.46.179.7 cannot be used as private addresses.

73. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named ServerA and 45 Windows 2000 Professional computers. ServerA has a dial-up connection that connects to the Internet. To allow all Windows 2000 Professional computers on the network to access the Internet through the dial-up connection of ServerA, you install and configure the Network Address Translation (NAT) routing protocol on ServerA. All Windows 2000 Professional computers in the network are configured to use Automatic Private IP Addressing (APIPA). There is no DHCP server on the network. You want to configure the network to use IP addresses in the range of 172.16.65.1 through 172.16.65.250 for ServerA and the 45 Windows 2000 Professional computers. What should you configure on ServerA to accomplish this goal? (Choose all that apply)
A. Assign the IP address 172.16.65.1 to the LAN interface of ServerA.
B. Enable Internet Connection Sharing on the dial-up connection of ServerA.
C. Configure Routing and Remote Access on ServerA to automatically assign IP addresses in the range of 172.16.65.2 through 172.16.65.250 to dial-in client computers.
D. Configure the NAT routing protocol on ServerA to automatically assign IP addresses in the range of 172.16.65.2 through 172.16.65.250 to computers on the private interface.
E. Configure the public NAT interface to use an IP address pool in the range of 172.16.65.2 through 172.16.65.250.

Answer: A, D

Explanation: The LAN interface of the server should be assigned the first address in the range 172.16.65.1 through 172.16.65.250, namely 172.16.65.1. The NAT computer (its DHCP allocator) must then be set up to assign addresses in the range 172.16.65.2 through 172.16.65.250 to the local computers automatically.

Incorrect Answers:
B: Internet Connection Sharing (ICS) is not needed here, since NAT has already been installed; ICS and the NAT routing protocol are also not used together on the same computer.
C: This is a dial-up connection to the Internet that uses NAT, not dial-in access through RRAS, so there is no point in configuring the server to assign IP addresses to dial-in clients. The scenario mentions no dial-in clients at all.
E: The public NAT interface cannot use private IP addresses in the range of 172.16.65.2 through 172.16.65.250.

74. You are the administrator of a Windows 2000 network. The administrator of your company's Human Resources organizational unit (OU) wants to be able to manage Encrypting File System (EFS) for the users in their department. The administrators of the human resources department belong to a group named HRAdmins, which has full administrative privileges to the OU. To make it possible for the members of HRAdmins to manage EFS for the users in their department, you install an Enterprise Certificate Authority (CA) for use by the entire company. However, the administrators of the human resources department notify you that they are unable to create a Group Policy that allows them to manage EFS for their department. What should you do to enable the administrators of the Human Resources OU to create a Group Policy to manage EFS for the users in their department? (Choose two)
A. Install a subordinate Enterprise CA for use by the human resources department.
B. In the Certification Authority console for the CA, add a new policy setting for an EFS Recovery Agent certificate.
C. In the Certification Authority console for the CA, add a new policy setting for a Basic EFS certificate.
D. In Active Directory Sites and Services, grant the Enroll permission to HRAdmins for the Enrollment Agent certificate template.
E. In Active Directory Sites and Services, grant the Enroll permission to HRAdmins for the EFS Recovery certificate template.
F. In Active Directory Sites and Services, grant the Enroll permission to HRAdmins for the EFS certificate template.
Answer: B, E

Explanation: The administrators of the human resources department must be set up as EFS recovery agents before they can define an EFS recovery policy for their department. That requires two things: adding a policy setting for the EFS Recovery Agent certificate to the enterprise CA, so that the CA will issue that certificate type, and granting HRAdmins the Enroll permission on the EFS Recovery certificate template in Active Directory Sites and Services, so that the members of the group are allowed to request it.

Incorrect Answers:
A: It is not necessary to install a subordinate enterprise CA; the existing enterprise CA can be used.
C: A policy setting for the EFS Recovery Agent certificate, not a Basic EFS certificate, should be added.
D: HRAdmins should be granted the Enroll permission on the EFS Recovery certificate template, not the Enrollment Agent certificate template.
F: HRAdmins should be granted the Enroll permission on the EFS Recovery certificate template, not the EFS certificate template.

75. You are the administrator of a Windows 2000 network. Your public key infrastructure consists of an offline root Certificate Authority (CA) and a number of subordinate CAs. Your company is selling one of its divisions. This division has a subordinate CA that it uses to issue certificates. You want to ensure that once the division is sold, applications and other CAs on your network will not accept the former division's certificates. You also want to ensure that you can implement your solution with a minimum amount of administrative effort. What should you do?
A. On the division's subordinate CA, revoke all the certificates it has issued. Publish the Certificate Revocation List (CRL) to a server on your network. Uninstall the Certificate Services software and remove the Certificate Services files.
B. On the company's root CA, revoke the certificate of the division's subordinate CA. Publish the Certificate Revocation List (CRL).
C. On the division's subordinate CA, revoke the certificates it has issued. Publish the Certificate Revocation List.
Copy the EDB.LOG file from the subordinate CA to the Certificate Distribution Point on your network.
D. On the company's root CA, revoke the certificate of the division's subordinate CA. Publish the Certificate Revocation List (CRL). Copy the CRL file to the Certificate Distribution Point on your network.
E. On the division's subordinate CA, revoke the certificates it has issued. Publish the Certificate Revocation List. Copy the CRL file to the Certificate Distribution Point on your network. Disconnect the CA from the network.

Answer: D

Explanation: Revoking the subordinate CA's own certificate, instead of every certificate it has issued, achieves the goal with the least administrative effort: once the CA certificate is revoked, every certificate that chains to it fails validation. Revocation is a two-step process: first the certificate is revoked, then the Certificate Revocation List (CRL) is generated (this happens automatically) and published. Finally, the CRL must be reachable by everyone who validates certificates, so it is copied to the CRL distribution point, for example a network share on which users have Read permission. Because the root CA is offline, its CRL does not appear there by itself; copying it is a separate step.

Incorrect Answers:
A: Revoking every certificate the CA has issued is a daunting administrative task; it is better to revoke the certificate of the CA itself.
B: The CRL must be accessible to all users. It should be put on a network share to which users have the appropriate (Read) permission; this answer leaves out the copy to the distribution point.
C: Revoking every certificate the CA has issued is a daunting administrative task; it is better to revoke the certificate of the CA itself. The EDB.LOG file is a transaction log of the CA database and plays no part in revocation.
E: Revoking every certificate the CA has issued is a daunting administrative task; it is better to revoke the certificate of the CA itself.

76. You are the administrator of your company's network. The network consists of two Windows 2000 Server computers and 50 Windows 2000 Professional computers.
You are using DHCP to automate the assignment of the TCP/IP configurations of the client computers. You configure the DHCP server to automatically update your DNS server's forward and reverse lookup zone files with the DHCP client information. You discover that 15 of the client computers are referenced by PTR (pointer) records in the reverse lookup zone. There are no PTR records for the remaining 35 client computers. How should you resolve this problem?
A. Configure the client computers so that they register their A (host) records with the DNS server.
B. Configure the client computers so that they do not register their domain name with the DNS server.
C. Configure the DHCP server to enable updates for client computers that do not support dynamic update.
D. Configure the DHCP server to always update DNS, even if a client computer does not request it.

Answer: C

Explanation: In this scenario 35 of the 50 computers have no PTR (pointer) record in DNS, although all of them have their A (host) records registered. The DHCP server has been configured to register both the A (host) record in the forward zone and the PTR (pointer) record in the reverse zone for every client ("always update DNS, even if the client does not request it"). This is not the default setting. By default a Windows 2000 DHCP client registers its own A (host) record directly with the DNS server and asks the DHCP service to register only the PTR (pointer) record; the DHCP service adds the PTR record and removes both the PTR and the A record when the lease expires. With the "always update" setting, both the DHCP server and the Windows 2000 client try to register the same A (host) record, and that conflict can leave the PTR (pointer) record unregistered. The fix is to change the DHCP server's setting from "always update DNS, even if a client computer does not request it" to "enable updates for client computers that do not support dynamic update".
The DHCP service then also registers both the A (host) and PTR (pointer) records for legacy clients that cannot register themselves, and performs the necessary cleanup for them.

Incorrect Answers:
A: The problem is the registration of PTR (pointer) records, not A (host) records. By default, Windows 2000 clients already register their A (host) records directly with the DNS server.
B: The problem is the registration of PTR (pointer) records, not A (host) records. Stopping the Windows 2000 clients from registering their names with the DNS server would not help get the PTR (pointer) records registered.
D: The DHCP server is already configured to always update DNS even if a client computer does not request it; that setting is the cause of the problem, since it makes the server update both the forward and the reverse lookup zones for every client.

77. You are the administrator of your company's network. The network consists of a single Windows 2000 domain and uses TCP/IP exclusively as its transport protocol. You use DHCP to assign addresses to your Windows 2000 Professional client computers. You add 20 new Windows 2000 Professional client computers to your network. Users report that occasionally they cannot access network resources located on servers. However, workgroup resources are sometimes available. The inconsistency in server access does not appear to follow any pattern. You inspect the TCP/IP configuration of a computer that is experiencing this problem and find that it is using the address 169.254.0.16, which is not a valid address in your network. What should you do to resolve this problem?
A. Configure the client computers to use only DHCP-assigned addresses.
B. Configure the client computers to only accept addresses from authorized DHCP servers.
C. Add enough new addresses to the existing DHCP scope to include the new client computers.
D. Create a new scope on the DHCP server to include the new client computers.

Answer: C

Explanation: In this scenario 20 new computers have been added, and clients sometimes cannot reach network resources.
One client with this problem has the APIPA address 169.254.0.16. A Windows 2000 client assigns itself an address from 169.254.0.0/16 when no DHCP server answers its request, in this case because the DHCP scope occasionally runs out of addresses now that 20 more computers share it. A client on an APIPA address can still reach other computers on the same segment that are also on APIPA addresses (which is why workgroup resources are sometimes available), but not the servers on the real network. The problem is solved by extending the existing DHCP scope with enough new IP addresses.

Incorrect Answers:
A: The clients are already DHCP clients; the problem is that the DHCP server cannot always provide a lease, and this setting would not change that.
B: No DHCP server, authorized or not, leases addresses in 169.254.0.0/16; the client assigns those itself when no server answers. The more likely cause is that the DHCP server occasionally runs out of addresses.
D: It is not necessary to create a new scope; extending the existing scope is the better solution.

78. You are the administrator of a Windows 2000 network. The network consists of two Windows 2000 Server computers named Server1 and Server2, and 75 Windows 2000 Professional computers. Server1 is a DHCP server. The TCP/IP configuration of all the Windows 2000 Professional computers is provided by the Server1 DHCP server. Your company's technical-support personnel belong to the Helpdesk global group. To allow the technical-support personnel to respond to support calls more effectively, you want them to have only Read access to the DHCP console and the DHCP lease information. What should you do?
A. Place the Helpdesk global group in the DHCP Users group.
B. Add the members of the Helpdesk global group to the built-in group named Pre-Windows 2000 Compatible Access.
C. In the DHCP console on the Server1 DHCP server, select Manage authorized servers and add the Helpdesk global group to the list.
D.
On the Server1 DHCP server, grant the Helpdesk global group Read permission on the %systemroot%\system32\dhcp folder.

Answer: A

Explanation: The DHCP Users local group is the way to grant read-only console access to a DHCP server. Users or groups added to it can view, but not modify, the data for that server in the DHCP console, including the active leases.

Incorrect Answers:
B: Adding the members of the Helpdesk group to Pre-Windows 2000 Compatible Access would give them read access to parts of Active Directory; it would not give them access to the DHCP console or the DHCP lease information.
C: Manage authorized servers lists the DHCP servers that are authorized in Active Directory. The Helpdesk global group cannot be added to this list.
D: Read access to the DHCP console and to the DHCP lease information cannot be granted with NTFS permissions on the DHCP folder. Use the DHCP Users group instead.

79. You are the enterprise administrator for a Windows 2000 domain that contains Windows 2000 Professional computers. You install the Windows 2000 DHCP server on a member server in the domain. The DHCP server is located on the same network segment as the Windows 2000 Professional computers. You create and activate a DHCP scope for the network segment. The Windows 2000 Professional computers are configured as DHCP client computers, but they do not receive IP addresses. What should you do so that each DHCP client computer receives an IP address?
A. In the Device Manager console, start the DHCP service.
B. Move the DHCP server to the same site as the Windows 2000 Professional computers.
C. In Active Directory, authorize the DHCP server.
D. Define a DHCP option class for the Windows 2000 Professional computers.

Answer: C

Explanation: In an Active Directory environment (a Windows 2000 domain) a Windows 2000 DHCP server must be authorized in Active Directory before it will serve clients; an unauthorized server detects this and shuts its DHCP service down. This is a precaution against rogue DHCP servers handing out bogus configurations. Authorization is enforced only by Windows 2000 DHCP servers themselves, so a rogue DHCP server on any other platform is not stopped by it and the network still has to be watched for unexpected DHCP offers.
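The two DHCP failure modes above, an exhausted scope that leaves clients on APIPA addresses (question 77) and a server that is not authorized (question 79), can be checked offline from data collected on the clients and on the wire. The following is an added example written for this page; it is not code from the exam or from Windows, and the client list, the captured DHCPOFFERs, the authorized-server list and the scope bounds are constructed sample data.

```python
"""Added example, not from the exam: an offline audit of one DHCP segment.

Checks demonstrated:
  * clients on an APIPA (169.254.0.0/16) address, meaning no DHCP server
    answered them (question 77);
  * a scope that is too small for the clients that depend on it;
  * DHCPOFFERs from servers not authorized in Active Directory, i.e. rogue
    servers (question 79). Authorization only stops Windows 2000 DHCP
    servers, so offers still have to be watched for.
All data below is constructed; nothing is read from a network.
"""
import ipaddress

APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")

# Constructed: addresses reported by ipconfig on each client (hostname -> IP).
SAMPLE_CLIENTS = {
    "ws01": "10.65.1.50",
    "ws02": "169.254.0.16",   # the symptom from question 77
    "ws03": "10.65.1.51",
    "ws04": "169.254.122.9",
}

# Constructed: DHCPOFFER messages seen by a sniffer on the segment.
SAMPLE_OFFERS = [
    {"server": "10.65.1.2", "yiaddr": "10.65.1.50", "client_mac": "00-50-56-aa-bb-01"},
    {"server": "10.65.1.2", "yiaddr": "10.65.1.51", "client_mac": "00-50-56-aa-bb-02"},
    {"server": "10.65.1.77", "yiaddr": "192.168.0.10", "client_mac": "00-50-56-aa-bb-03"},
]

# Constructed: the servers authorized in Active Directory.
AUTHORIZED_SERVERS = ["10.65.1.2"]


def is_apipa(address: str) -> bool:
    """True when the address is one a client assigned itself (no DHCP lease)."""
    return ipaddress.ip_address(address) in APIPA_RANGE


def apipa_clients(clients: dict) -> list:
    """Hostnames whose current address is APIPA, sorted."""
    return sorted(host for host, addr in clients.items() if is_apipa(addr))


def scope_capacity(start: str, end: str, exclusions=()) -> int:
    """Leasable addresses in the inclusive range start..end, minus excluded ones."""
    first = int(ipaddress.ip_address(start))
    last = int(ipaddress.ip_address(end))
    if last < first:
        raise ValueError("scope end precedes scope start")
    excluded = sum(1 for e in exclusions if first <= int(ipaddress.ip_address(e)) <= last)
    return last - first + 1 - excluded


def scope_shortfall(start: str, end: str, client_count: int, exclusions=()) -> int:
    """Clients left without a lease when all are on at once (0 means the scope fits)."""
    return max(0, client_count - scope_capacity(start, end, exclusions))


def rogue_offers(offers: list, authorized: list) -> list:
    """DHCPOFFERs whose source is not an authorized DHCP server."""
    allowed = {ipaddress.ip_address(a) for a in authorized}
    return [o for o in offers if ipaddress.ip_address(o["server"]) not in allowed]


def audit(clients, offers, authorized, scope_start, scope_end, exclusions=()):
    """Combine the three checks into one report dictionary."""
    return {
        "apipa_clients": apipa_clients(clients),
        "scope_shortfall": scope_shortfall(scope_start, scope_end, len(clients), exclusions),
        "rogue_servers": sorted({o["server"] for o in rogue_offers(offers, authorized)}),
    }


if __name__ == "__main__":
    # A 3-address scope with one exclusion for 4 clients: 2 clients end up on APIPA.
    print(audit(SAMPLE_CLIENTS, SAMPLE_OFFERS, AUTHORIZED_SERVERS,
                "10.65.1.10", "10.65.1.12", exclusions=["10.65.1.11"]))
```

The report lists the clients that fell back to APIPA, how many clients the scope cannot serve, and the addresses of any server answering DHCPDISCOVERs that is not on the authorized list; in a real audit the offers would come from a capture on the segment and the authorized list from the DHCP console's Manage authorized servers view.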
Incorrect Answers:
A: Device Manager is used to configure hardware devices, not to start services.
B: The DHCP server is on the same network segment as the clients, so they already belong to the same site.
D: A DHCP option class is used to give different groups of computers in one scope different DHCP options. Defining an option class would not make the DHCP server start serving clients.

80. You are the administrator of your company's network. You install the DHCP server service on a Windows 2000 Server computer to automate the configuration of client computers on your network. You create scopes for each subnet's range of addresses and activate each scope. Users from Subnet 2 and Subnet 3 report that they cannot connect to the network. Users from Subnet 1 report no connectivity problems. You discover that computers on Subnets 2 and 3 are not receiving a TCP/IP configuration from the DHCP server. What should you do?
A. Install the DHCP Relay Agent service on the DHCP server.
B. Install the DHCP Relay Agent service on a computer on each remote subnet.
C. Install the WINS server service on a Windows 2000 Server computer and configure the client computers to use WINS to find the DHCP server.
D. Install the WINS proxy agent service on a computer on each remote subnet.
E. Install the DNS server service on a Windows 2000 Server computer and configure the client computers to use DNS to find the DHCP server.
F. Install a DNS caching-only server on a computer on each remote subnet.

Answer: B

Explanation: A DHCP server can serve clients on other subnets only if the router between them forwards DHCP broadcasts, that is, if the router is BOOTP-enabled (RFC 1542-compliant) or a DHCP relay agent is present on the clients' subnet. Apparently the router here does not forward the broadcasts, so the remote clients cannot reach the DHCP server. Configure a BOOTP/DHCP relay agent on each remote client subnet.
The relay agent can be located on the router itself or on a Windows 2000 Server computer running the DHCP Relay Agent routing protocol component; in either case it is configured with the IP address of the DHCP server.

Incorrect Answers:
A: The DHCP Relay Agent must be installed on the remote client subnets, not on the DHCP server itself.
C: Client computers contact the DHCP server with broadcasts, which the DHCP relay agent passes on to the DHCP server. A WINS server is not needed for that.
D: WINS proxy agents serve non-WINS clients such as UNIX or OS/2 computers. Windows 2000 computers are WINS clients.
E: The clients cannot use a DNS server before they have received a TCP/IP configuration from the DHCP server. DHCP is what tells clients where the DNS server is, not the other way around.
F: The clients cannot use a DNS server before they have received a TCP/IP configuration from the DHCP server.

81. You are the network administrator for Trey Research. Trey Research's network consists of 90 client computers and 50 portable computers, all running Windows 2000 Professional. Only 20 of the users of the portable computers will ever be in the office at the same time. To accommodate the number of users on the network, Trey Research purchases a subnetted Class B subnet with a 25-bit mask. All users need access to the Internet while in the office. How should you configure DHCP?
A. Create two scopes that have different lease durations.
B. Create manual reservations for all portable computer users.
C. Create one scope that has two user classes, each with a different lease duration.
D. Create one scope that has two vendor classes, each with a different lease duration.

Answer: C

Explanation: The problem in this scenario is that a 25-bit mask leaves only 7 host bits (32 - 25), which gives 126 usable host addresses, but there are 140 computers in total. Because at most 20 of the 50 portable computers are in the office at once, only 110 addresses are needed at any one time; for that to work, addresses leased to portable computers must be returned quickly, so the lease duration for the portable computers should be lowered.
In this scenario we must create one scope with one user class for the portable computers and one for the stationary office computers, each with a different lease duration. User classes let us differentiate between DHCP clients by means of the User Class option: a client that supports the option sends a user-defined class ID, which groups clients with similar configuration needs within a single scope.

Reference: Microsoft DHCP Vendor and User Classes (Q266675); How to Create a New DHCP User or Vendor Class (Q240247).

Incorrect Answers:
A: A scope cannot be restricted to particular computers without using the user class option.
B: A manual reservation for every portable computer would be counterproductive, since the reserved addresses could not be used by other computers while the portables are out of the office. Lowering the lease time of the portable computers is the correct solution.
D: Vendor classes are intended for vendors to manage DHCP option assignments for their own devices without disturbing other DHCP clients. Vendor classes cannot be used to distinguish the portable computers from the office computers; user classes must be used instead.

83. You are the enterprise administrator of a Windows 2000 domain. All client computers in the domain are either Windows 98 computers or Windows 2000 computers. Your Windows 2000 users run an Internet application that must access files from a Windows NT computer named WNT_101. None of your Windows 2000 computers can connect to WNT_101, but WNT_101 can connect to every Windows 2000 computer. What should you do?
A. Release and renew the IP address of WNT_101.
B. Select the Enable updates for DNS clients that do not support dynamic update check box.
C. Clear the Discard forward (name-to-address) lookups when lease expires check box.
D. Set the DNS zone for the Windows 2000 domain to Active Directory-integrated primary.

Answer: B

Explanation: A Windows 2000 domain uses Active Directory, and Active Directory relies on DNS for name resolution.
Windows 2000 clients can communicate with each other because they use dynamic DNS update to register themselves in the domain's DNS zone. A Windows NT 4.0 computer cannot register itself in DNS, so there is no record for WNT_101 and nobody can resolve its name; WNT_101 itself has no such problem, because the Windows 2000 computers it connects to are registered. By configuring the DHCP server to enable updates for DNS clients that do not support dynamic update, the DHCP server registers the A (host) and PTR (pointer) records for WNT_101 on its behalf, and the computer becomes reachable by name.

Incorrect Answers:
A: WNT_101 can connect to the Windows 2000 computers, so there is nothing wrong with its IP configuration.
C: Clearing Discard forward (name-to-address) lookups when lease expires on the DHCP server stops it from removing A (host) records when leases expire. That does not solve the problem at hand.
D: Changing the zone to an Active Directory-integrated zone does not enable WNT_101 to be registered in it.

84. You are the administrator of a Windows 2000 network. The network consists of 10 segments. These segments are connected by four Windows 2000 Server-based routers named Router1, Router2, Router3 and Router4. Routing and Remote Access is enabled as a router on these four servers. To exchange routing information, the four servers use RIP version 2 for IP. There are two other routers on the network that use RIP version 2 to exchange routing information. These other routers might have been configured erroneously and, consequently, contain incorrect routing information. You want to ensure that Router1, Router2, Router3 and Router4 do not process routes received from any router other than Router1, Router2, Router3 and Router4. How can you configure the four routers to accomplish this goal? (Choose all that apply)
A. Configure the RIP routing protocol on the four routers to use RIP peer filters. List the other three routers as RIP peers.
B.
Configure each RIP interface on the four routers to unicast announcements to RIP neighbors. List the other three routers as RIP neighbors.
C. Configure each RIP interface on the four routers to use password authentication. Use the same password on all four routers.
D. On each RIP interface on the four routers, configure route filters for outgoing routes. Announce only routes in the ranges of the network IDs that are connected to the four routers.

Answer: A, B, C, D

Explanation:
A: Each RIP router can be configured with a list of routers (by IP address) from which RIP announcements are accepted. By default, announcements from all sources are accepted; with a list of RIP peers, announcements from the unauthorized routers are discarded.
B: By default, RIP either broadcasts (RIP version 1 or RIP version 2) or multicasts (RIP version 2 only) its announcements. To keep RIP traffic from reaching any node other than the neighbouring RIP routers, a Windows 2000 router can unicast its announcements to the listed neighbours instead.
C: To prevent the corruption of RIP routes by an unauthorized RIP router in a RIP version 2 environment, RIP v2 interfaces can be configured to use simple password authentication. Received announcements whose password does not match the configured one are discarded. Note that the RIP v2 simple password travels in clear text in every announcement, so this protects against misconfigured routers rather than against an attacker who can capture the traffic.
D: Route filters on each RIP interface restrict the routes that are announced, and the received routes that are considered for the routing table, to the network IDs that actually exist in the internetwork, so bogus routes from the other routers are not added.

85. You are the administrator of your company's WAN. The network consists of 10 internal subnets in two physical sites connected by routers. You have an additional subnet that is configured for access to the Internet. The routers on the network will be multihomed Windows 2000 Server computers running Routing and Remote Access. You want to accomplish the following goals:
• Administrative overhead for configuration of routing tables on each router will be minimized.
• Broadcast traffic for configuration of routing tables on each router will be minimized.
• In the event of a router failure, link redundancy within 10 minutes will be ensured.
• Convergence time of less than one minute for all known routes on all routers will be ensured.
• Internal routing information will never be exposed to external routers.

You take the following actions:
• Install RIP version 1.
• Configure RIP to use all interfaces on all multihomed computers.
• Enable RIP authentication by specifying a password on each interface.

Which result or results do these actions produce? (Choose all that apply)
A. Administrative overhead for configuration of routing tables on each router is minimized.
B. Broadcast traffic for configuration of routing tables on each router is minimized.
C. In the event of a router failure, link redundancy within 10 minutes is ensured.
D. Convergence time of less than one minute for all known routes on all routers is ensured.
E. Internal routing information is never exposed to external routers.

Answer: A

Explanation: RIP version 1 exchanges routing information automatically, so the routing tables do not have to be maintained by hand.

Incorrect Answers:
B: Broadcast traffic for routing table configuration is not minimized: RIP v1 announcements are sent to the IP subnet broadcast address and the MAC-level broadcast address, so even non-RIP hosts receive them, and they are repeated every 30 seconds. On a large network this broadcast traffic can become significant.
C: By default each route learned through RIP times out 3 minutes after the last announcement in which a neighbouring RIP router advertised it. The routers in the exhibit are at least four hops apart, so convergence after a failure takes longer than 10 minutes.
D: Since a neighbouring router can need up to 3 minutes just to time out a route, a convergence time of less than 1 minute is impossible.
E: RIP authentication by password has been specified on each interface, but RIP v1 does not support password authentication; only RIP v2 does. RIP is also enabled on every interface, including the one on the Internet subnet, so internal routes are announced towards the external router.
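The three receive-side checks from question 84 (peer filter, simple-password authentication, route filter) and the RIP v1/v2 authentication point from question 85 are modelled below as an added example. This is not code from the exam or from Windows Routing and Remote Access; announcements and configuration are plain Python data rather than RIP packet encoding, and the peer addresses, password and accepted range are constructed.

```python
"""Added example, not from the exam: the checks a RIP v2 router applies to an
incoming announcement before any of its routes reach the routing table.

An announcement passes only if (1) its source is a configured RIP peer,
(2) its simple-password entry matches the interface password and (3) each
route lies inside the accepted ranges of the route filter and is not
RIP-unreachable (metric 16). Constructed data throughout.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RIP_INFINITY = 16  # RFC 2453: metric 16 means unreachable


@dataclass
class RipInterfaceConfig:
    peers: Set[str] = field(default_factory=set)            # peer filter; empty = accept anyone
    password: Optional[str] = None                          # RIP v2 simple password; None = no auth
    accept_ranges: List[str] = field(default_factory=list)  # route filter; empty = accept any range


@dataclass
class RipAnnouncement:
    source: str                      # IP address of the announcing router
    routes: List[Tuple[str, int]]    # (network/prefix, metric) entries
    password: Optional[str] = None   # simple-password entry carried in the packet, if any


def filter_announcement(cfg: RipInterfaceConfig, ann: RipAnnouncement):
    """Return (accepted_routes, rejection_reason).

    rejection_reason is None when the announcement itself was accepted; single
    routes may still be dropped by the route filter or for an infinite metric.
    """
    if cfg.peers and ann.source not in cfg.peers:
        return [], "source %s is not a configured RIP peer" % ann.source
    if cfg.password is not None and ann.password != cfg.password:
        # The simple password is carried in clear text (RFC 2453 section 4.1):
        # it stops misconfigured routers, not an attacker who sniffs the wire.
        return [], "authentication mismatch from %s" % ann.source
    ranges = [ipaddress.ip_network(r) for r in cfg.accept_ranges]
    accepted = []
    for network, metric in ann.routes:
        net = ipaddress.ip_network(network)
        if metric >= RIP_INFINITY:
            continue  # unreachable route; never installed
        if ranges and not any(net.subnet_of(r) for r in ranges):
            continue  # outside the internetwork's known network IDs
        accepted.append((str(net), metric))
    return accepted, None


# Constructed configuration of Router1's interface towards the other three routers.
ROUTER1_CFG = RipInterfaceConfig(
    peers={"10.0.12.2", "10.0.13.2", "10.0.14.2"},
    password="rip-shared-secret",
    accept_ranges=["10.0.0.0/16"],
)


def demo():
    """Run three constructed announcements through Router1's filters."""
    rogue = RipAnnouncement("10.0.99.9", [("0.0.0.0/0", 1)], password="rip-shared-secret")
    wrong_pw = RipAnnouncement("10.0.12.2", [("10.0.5.0/24", 2)], password="guess")
    good = RipAnnouncement("10.0.12.2",
                           [("10.0.5.0/24", 2), ("192.168.7.0/24", 1), ("10.0.6.0/24", 16)],
                           password="rip-shared-secret")
    return [filter_announcement(ROUTER1_CFG, a) for a in (rogue, wrong_pw, good)]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted:", accepted, "| rejected:", reason)
```

The rogue router is dropped by the peer filter even though it knows the password; the legitimate peer with a wrong password is dropped by authentication; and from the good announcement only the route inside 10.0.0.0/16 with a finite metric survives the route filter.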
86. You are the administrator of a Windows 2000 network. The network consists of two segments connected by a router. Each segment contains two Windows 2000 Server computers and 50 Windows 2000 Professional computers. The network has one DHCP server, which has an active scope for each segment. The IP address ranges configured in the two scopes are 10.65.1.0/24 for one segment and 10.65.2.0/24 for the other. The IP address of the DHCP server is 10.65.1.2. Users in the segment that does not have the DHCP server report that their Windows 2000 Professional computers are using IP addresses in the range 169.254.0.0/16. Windows 2000 Professional computers in the other segment use IP addresses in the range 10.65.1.0/24. You want the Windows 2000 Professional computers in the segment without the DHCP server to automatically use IP addresses in the range 10.65.2.0/24. How should you configure the network to accomplish the goal?
A. Enable and configure the DHCP Relay Agent service on the DHCP server.
B. Enable and configure the DHCP Relay Agent service on a server in the segment that does not have the DHCP server.
C. On the DHCP server, configure a packet filter to receive IP packets that use the BOOTP port.
D. On the server in the segment that does not have a DHCP server, configure a packet filter to receive IP packets that use the BOOTP port.

Answer: B

Explanation: The users in the remote segment have addresses in 169.254.0.0/16, the APIPA range that a Windows 2000 client assigns itself when it cannot reach a DHCP server. A DHCP server can serve clients on another subnet only if the router between them forwards DHCP broadcasts, that is, if the router is BOOTP-enabled (RFC 1542-compliant) or a DHCP relay agent is present on the clients' subnet. Apparently the router here does not forward the broadcasts, so the remote clients cannot reach the DHCP server. Configure the BOOTP/DHCP relay agent on the remote client segment.
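The exchange that the relay agent makes possible, for the scenarios of questions 80 and 86, modelled as an added example. This is not code from the exam or from the Windows DHCP Relay Agent; messages are plain dictionaries rather than real DHCP packets, the relay address 10.65.2.1 and the first leased host (.10) are assumptions, and the server address and scopes are those of question 86.

```python
"""Added example, not from the exam: DHCPDISCOVER across a router, with and
without a relay agent.

A DHCPDISCOVER is a limited broadcast (255.255.255.255); a router that is not
RFC 1542-compliant drops it. A relay agent on the client segment turns it into
a unicast to the DHCP server and stamps its own address into giaddr; the server
picks the scope from giaddr and sends the offer back to the relay, which
delivers it on the client segment. Addresses and messages are constructed.
"""
import ipaddress

LIMITED_BROADCAST = "255.255.255.255"
NO_RELAY = "0.0.0.0"


class DhcpServer:
    """One server with a scope per segment; leases the next free host in the matching scope."""

    def __init__(self, address, scopes):
        self.address = ipaddress.ip_address(address)
        self.scopes = [ipaddress.ip_network(s) for s in scopes]
        self.next_host = {s: 10 for s in self.scopes}  # start leasing at .10 (assumption)

    def handle(self, msg):
        if msg is None or msg["op"] != "DISCOVER":
            return None
        # Scope selection: giaddr if the request was relayed, otherwise the
        # address of the interface the broadcast arrived on (the server's own).
        relayed = msg["giaddr"] != NO_RELAY
        anchor = ipaddress.ip_address(msg["giaddr"]) if relayed else self.address
        for scope in self.scopes:
            if anchor in scope:
                offered = scope.network_address + self.next_host[scope]
                self.next_host[scope] += 1
                reply_to = msg["giaddr"] if relayed else LIMITED_BROADCAST
                return {"op": "OFFER", "yiaddr": str(offered), "dst": reply_to, "xid": msg["xid"]}
        return None  # no scope matches this segment: the server stays silent


class Router:
    """Forwards unicast between segments, drops limited broadcasts (not RFC 1542-compliant)."""

    @staticmethod
    def forward(msg):
        if msg is None or msg["dst"] == LIMITED_BROADCAST:
            return None
        return msg


class RelayAgent:
    """Sits on the client segment; rewrites DHCP broadcasts as unicasts to the server."""

    def __init__(self, own_address, server_address):
        self.own_address = own_address
        self.server_address = server_address

    def relay(self, msg):
        if msg is None or msg["dst"] != LIMITED_BROADCAST or msg["giaddr"] != NO_RELAY:
            return None
        relayed = dict(msg)
        relayed["giaddr"] = self.own_address   # tells the server which segment asked
        relayed["dst"] = self.server_address   # unicast, so the router will forward it
        relayed["hops"] = msg.get("hops", 0) + 1
        return relayed


def discover(xid):
    """What an addressless client sends: a limited broadcast with giaddr cleared."""
    return {"op": "DISCOVER", "src": "0.0.0.0", "dst": LIMITED_BROADCAST, "giaddr": NO_RELAY, "xid": xid}


def lease_local(server, client_msg):
    """Client on the server's own segment: the broadcast reaches the server directly."""
    offer = server.handle(client_msg)
    return offer["yiaddr"] if offer else None


def lease_via_router(server, client_msg):
    """Remote segment without a relay: the router drops the broadcast, no offer comes back."""
    offer = server.handle(Router.forward(client_msg))
    return offer["yiaddr"] if offer else None


def lease_via_relay(server, relay, client_msg):
    """Remote segment with a relay agent: relay -> router -> server -> relay -> client."""
    offer = server.handle(Router.forward(relay.relay(client_msg)))
    if offer is None or offer["dst"] != relay.own_address:
        return None
    return offer["yiaddr"]


if __name__ == "__main__":
    srv = DhcpServer("10.65.1.2", ["10.65.1.0/24", "10.65.2.0/24"])
    agent = RelayAgent("10.65.2.1", "10.65.1.2")
    print("local segment      :", lease_local(srv, discover(1)))
    print("remote, no relay   :", lease_via_router(srv, discover(2)))
    print("remote, with relay :", lease_via_relay(srv, agent, discover(3)))
```

Without the relay the remote client's request never leaves its segment and the client falls back to APIPA; with the relay the server sees giaddr 10.65.2.1, selects the 10.65.2.0/24 scope and the client gets an address from it.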
The relay agent can be located on the router itself or on a Windows 2000 Server computer running the DHCP Relay Agent service component. The relay agent should be configured with the IP address of the DHCP server.

Incorrect Answers:
A: The DHCP Relay Agent should be configured on the remote segment, not on the DHCP server.
C: It is the router that blocks the DHCPINFORM messages. Changing packet filters on the DHCP server will not help.
D: It is the router that blocks the DHCPINFORM messages. A packet filter on the remote segment would not enable communication with the remote clients.

87. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Houston. Routing and Remote Access is enabled for remote access on Houston. The domain also has a DHCP server. The domain is in native mode. Users in the domain dial in to the network by using Windows 2000 Professional portable computers. The configuration of the dial-up connection on the Windows 2000 Professional computers is set to obtain an IP address automatically. You do not want to change this configuration. For administrative purposes, you want to designate a fixed IP address for each of the users. All users should receive a different fixed IP address when a dial-up connection is made. How should you configure the network to accomplish this goal?
A. On the Houston Remote Access service, create a static address pool so that it has only the IP address of the remote access dial-in interface. Use a mask of 0.0.0.0.
B. On the Houston Remote Access service, create a static address pool for IP address assignment. Use a mask of 255.255.255.255.
C. On the DHCP server, create a reservation that uses a specific IP address for each user.
D. In the Active Directory Users and Computers console, assign a static IP address for each user.
Answer: D

Explanation: A static IP address for each individual user is set in the Active Directory Users and Computers console by selecting Users, right-clicking the appropriate user, selecting Properties, choosing the Dial-in tab, and then enabling Assign a Static IP Address and providing the address.

Incorrect Answers:
A: A static address pool is used to dynamically give remote users IP configuration information. The remote users will not receive a designated fixed IP address.
B: A static address pool will not provide designated fixed IP address assignments.
C: Creating a reservation for each individual user is possible, but would be an administrative nightmare.

88. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Vegas. Routing and Remote Access is enabled for remote access on Vegas. Some of the remote access client computers require the use of CHAP. You enable CHAP on Vegas. You also configure the appropriate remote access policy to use CHAP. However, users who require CHAP report that they are not able to dial in to Vegas. What should you do?
A. Configure Vegas to prohibit the use of LAN Manager authentication.
B. Configure Vegas to disable the use of Link Control Protocol (LCP) extensions.
C. Configure the user accounts by selecting Store passwords using reversible encryption. Set the user passwords to change the next time each user logs on.
D. Configure the user accounts to use a static IP address when they dial in to the network.

Answer: C

Explanation: To enable CHAP-based authentication, we must enable CHAP as an authentication protocol on the remote access server, enable CHAP on the appropriate remote access policy, enable storage of a reversibly encrypted form of the user's password, force a reset of the user's password so that the new password is in a reversibly encrypted form, and enable CHAP on the remote access client running Windows 2000.
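Why the reversible-encryption step and the forced password change are both required, as an added example that is not part of the original exam material: CHAP (RFC 1994) has the client return MD5(Identifier || Secret || Challenge), so the server must be able to reconstruct the same value, which needs the cleartext secret and not a one-way hash of it. The `AccountStore` below is this editor's toy stand-in for the domain's password storage (Windows keeps an encrypted copy; here the recoverable copy is simply stored as-is), `verify_chap` and `dialin_scenario` are hypothetical helper names, and the users `alice` and `bob` with their passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994, section 4.1): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AccountStore:
    """Toy model of account password storage. By default only a one-way digest is
    kept. Turning on 'Store passwords using reversible encryption' keeps a
    recoverable copy, but only for passwords set AFTER the option was enabled:
    the store never had the cleartext of the older passwords, so it cannot convert them."""

    def __init__(self) -> None:
        self.reversible_enabled = False
        self.accounts: Dict[str, dict] = {}

    def set_password(self, user: str, password: str) -> None:
        pw = password.encode()
        salt = os.urandom(16)
        self.accounts[user] = {
            "salt": salt,
            "digest": hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000),  # one-way form (stand-in)
            "recoverable": pw if self.reversible_enabled else None,    # stand-in for the encrypted copy
        }

    def enable_reversible(self) -> None:
        self.reversible_enabled = True   # existing records are left unchanged

    def cleartext(self, user: str) -> Optional[bytes]:
        return self.accounts[user]["recoverable"]


def verify_chap(store: AccountStore, user: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Server side of CHAP: recompute the response from the stored secret and compare."""
    secret = store.cleartext(user)
    if secret is None:
        return False   # no cleartext to feed into MD5(id||secret||challenge): CHAP cannot succeed
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def dialin_scenario() -> Dict[str, bool]:
    """Reproduces the question: alice's password predates the option, bob's does not,
    and alice succeeds only after her password is changed."""
    store = AccountStore()
    store.set_password("alice", "Winter2001!")      # set before the option is enabled
    store.enable_reversible()
    store.set_password("bob", "Spring2001!")        # set afterwards: recoverable copy kept
    challenge, ident = os.urandom(16), 7
    results = {}
    for user, password in (("alice", "Winter2001!"), ("bob", "Spring2001!")):
        # The client knows its own password and answers the server's challenge.
        response = chap_response(ident, password.encode(), challenge)
        results[user] = verify_chap(store, user, ident, challenge, response)
    # "Change password at next logon": the new password is stored in recoverable form.
    store.set_password("alice", "Summer2001!")
    response = chap_response(ident, b"Summer2001!", challenge)
    results["alice_after_reset"] = verify_chap(store, "alice", ident, challenge, response)
    return results
```

The same dependency on the cleartext secret is why the option is off by default: a store that can recover passwords is a higher-value target than one holding only one-way digests, so it should be enabled only for the accounts that genuinely need CHAP.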
When we enable passwords to be stored in a reversibly encrypted form, the current passwords are not in a reversibly encrypted form and are not automatically changed. We must therefore either reset user passwords or set user passwords to be changed the next time each user logs on.

Incorrect Answers:
A: LAN Manager authentication is used for legacy clients, for example DOS, but is of no use here.
B: Disabling LCP extensions would help in troubleshooting certain Internet Service Provider login problems. It would not help with this RRAS dial-in problem.
D: This is an authentication problem, not an IP configuration problem.

89. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Helsinki. Routing and Remote Access is enabled for remote access on Helsinki. Users in the domain are able to dial in to the network by using their Windows 2000 Professional computers. Your company has a group named Sales. You want to allow members of the Sales group to use a smart card for remote authentication. The dial-in permission for all users in the Sales group is set to Control access through Remote Access Policy. You create a new remote access policy named Sales Access. This remote access policy grants remote access to members of the Sales group at any time of the day. This remote access policy is the first policy on the list of remote access policies on Helsinki. Members of the Sales group are able to dial in to the network, but they report that they are unable to use a smart card for remote authentication. You want to ensure that members of the Sales group are able to use the smart card authentication method. What should you do?
A. In Active Directory, add Helsinki to the Pre-Windows 2000 Compatible Access group.
B. Enable EAP as an authentication method on the Helsinki remote access server and on the Windows 2000 remote access client computers. Enable EAP in the profile of the Sales Access remote access policy.
C.
For all the members of the Sales group, select Store passwords using reversible encryption.
D. For all the members of the Sales group, configure the user account to be trusted for delegation.

Answer: B

Explanation: Smart card authentication requires the use of the Extensible Authentication Protocol (EAP). EAP has to be configured at the RAS server, at the RAS clients, and in the profile of the remote access policy.

Incorrect Answers:
A: The Pre-Windows 2000 Compatible Access group is a backward compatibility group which allows read access on all users and groups in the domain. Adding Helsinki to it would not enable smart card authentication.
C: The Store passwords using reversible encryption setting is used when the CHAP protocol is enabled. It is not used to enable smart card authentication.
D: The Trusted for delegation privilege enables the user (or computer) to access resources on another computer. It is not used to enable smart card authentication.

90. You are the administrator of your company's network. The network consists of one Windows 2000 domain running in native mode. You are not running Certificate Services in the domain. Your company is a sales organization and has 150 salespeople. When these salespeople are out of the office, they require file and print services, e-mail, and access to the company's product and inventory database. These salespeople belong to a group named SalesMobile. Your company has dedicated T1 access to the Internet. Your company also uses a virtual private network (VPN) to reduce the costs and hardware required to support the salespeople. You want to accomplish the following goals:
• Required network resources will be accessible to all salespeople.
• Connections to the network will be made only by salespeople.
• Sensitive company data will be kept confidential over the VPN connections.
• Access to the network will only take place during business hours.
• All salespeople will be able to connect to the network simultaneously.
You take the following actions:
• Install Routing and Remote Access on a Windows 2000 Server computer and configure virtual private networking.
• Grant the salespeople the Allow Access dial-in permission.
• Edit the default remote access policy to grant remote access permission.
• Edit the default remote access profile to require strong encryption of data.

Which result or results do these actions produce?
A. Required network resources are accessible to all salespeople.
B. Connections to the network are made only by salespeople.
C. Sensitive company data is kept confidential over the VPN connections.
D. Access to the network only takes place during business hours.
E. All salespeople are able to connect to the network simultaneously.

Answer: A, C

Explanation:
A: Salespeople have access to the network resources, since they have the Allow Access dial-in permission. The default remote access profile will also allow access, since it has no conditions.
C: The default remote access profile (RAP) is set to require strong data encryption. There is no other way to get access, so all company data is kept confidential.

Incorrect Answers:
B: The default dial-in permission in native mode is Control access through Remote Access Policy. This applies to all user accounts in the domain, except the salespeople, who have Allow Access. The default remote access policy has no restrictions, so every user would be able to get remote access.
D: No time restriction has been selected in the default RAP. The default setting is to allow dial-in at all times. Access will not be restricted to business hours.
E: Only 10 PPTP ports are configured by default. The 150 salespeople would not be able to connect simultaneously with only 10 ports. The PPTP ports setting must be increased to at least 150.

91. You are the administrator of your company's network. You are configuring a Windows 2000 network for dial-up access. Your users need to access their computers from home.
To increase security, your company issues smart cards to all users who have dial-up access. You need to configure your Routing and Remote Access server. What should you do? (Choose two)
A. Select the Extensible Authentication Protocol (EAP) check box.
B. Select the Microsoft encrypted authentication version 2 (MS-CHAP v2) check box.
C. Install a computer certificate on the Routing and Remote Access server.
D. Install a smart card logon certificate on the Routing and Remote Access server.
E. Install a computer certificate on the dial-up access client computer.

Answer: A, D

Explanation: The Extensible Authentication Protocol (EAP) is required for authentication using smart cards. A smart card logon certificate must be installed on the Routing and Remote Access server.

Incorrect Answers:
B: EAP, not MS-CHAP v2, must be used for smart card user authentication.
C: A smart card logon certificate, not a computer certificate, must be installed.
E: A smart card logon certificate, not a computer certificate, must be installed.

92. You are the administrator of your company's network. Your company employs account executives who need access to the latest company data when they are traveling. You want to ensure that your company will establish the network connection for your account executives regardless of where the call originates. Your company also allows vendors access to the network by Routing and Remote Access to submit purchase orders. To ensure network security, your company wants to specify the location from which vendors can connect. You want to configure your company's Routing and Remote Access server to facilitate access for account executives and vendors. Which three actions should you take to ensure this configuration? (Choose three)
A. Set the Callback option to Always Callback to for the account executives.
B. Set the Callback option to Set by Caller for the account executives.
C. Set the Callback option to No Callback for the vendors.
D.
Set the Callback option to Always Callback to for the vendors.
E. Set the Callback option to Set by Caller for the vendors.
F. Enable Link Control Protocol (LCP) extensions.
G. Enable EAP.

Answer: B, D, F

Explanation: By configuring the Callback option to Set by Caller for the account executives, the executives will be able to dial in regardless of where the call originates. By configuring the Callback option to Always Callback to for the vendors, the company can specify from where the vendors are allowed to dial in. Enabling Link Control Protocol (LCP) extensions will enable callback to be negotiated during the LCP phase of the connection, and callback is used by the Callback options in this scenario.

Incorrect Answers:
A: The account executives must be able to call in regardless of location. The Callback option must be set to Set by Caller, not Always Callback to.
C: The No Callback option would allow the vendors to call in regardless of location, which should not be allowed.
E: The vendors must not be able to call in regardless of location. The Callback option must be set to Always Callback to, not Set by Caller.
G: EAP would require further configuration to work.

93. You are the administrator of your company's network, which consists of a single Windows 2000 domain. RISS will be used to deploy Windows 2000 Professional to new client computers. You add RISS to the domain and install RIS on it. You configure RISS to obtain IP addressing information from Winsvr5. You try to use RIS to deploy Windows 2000 Professional to a PXE-compliant client computer. However, this computer cannot connect to RISS. When you examine the event log on RISS, you discover the following error message: "BINL will not respond to client requests." How should you correct this problem?
A. Use the Active Directory Sites and Services console to authorize RISS as a DHCP server in the domain.
B. Use the Active Directory Sites and Services console to authorize Winsvr5 as a DHCP server in the domain.
C.
Create a DHCP reservation for RISS on Winsvr5.
D. Create DHCP reservations for new client computers on Winsvr5.

Answer: B

Explanation: In this scenario the Boot Information Negotiation Layer (BINL) service must be authorized even though DHCP may not be running on the server and non-Windows 2000 DHCP servers are being used. If our network environment includes other non-Windows 2000 DHCP servers, they must be authorized. Authorizing a server sets an attribute in Active Directory that allows it to function. In our scenario the DHCP server on the Windows NT machine Winsvr5 has to be authorized in Active Directory.

Incorrect Answers:
A: RISS is not a DHCP server. Winsvr5, not RISS, has to be authorized in Active Directory.
C: Creating a reservation for the RIS server will not solve the problem. The DHCP server is not allowed to start. It has to be authorized.
D: Creating reservations will not solve the problem. The DHCP server is not allowed to start. It has to be authorized.

95. Your department hires 20 new salespeople and issues portable computers to them. The new salespeople will work on-site for several months, and then begin working remotely. However, none of these new users can connect to the network. They receive an error message indicating that their computers cannot obtain IP addresses. You need to enable the new salespeople to connect to the network. Your solution must prevent the connection problem from happening again. Your solution must also avoid disrupting network communications for existing network users and minimize network traffic associated with DHCP. What should you do?
A. Delete the existing IP address leases from the DHCP server. Increase the setting for conflict detection attempts to 3. Decrease the lease duration to eight hours.
B. Decrease the lease duration to one day. Increase the setting for conflict detection attempts to 2.
C. On the new salespeople's computers, run the ipconfig /release command and then the ipconfig /renew command.
D.
Disable dynamic update of DNS records. Decrease the lease duration to eight hours. Run the ipconfig /renew command on the new salespeople's computers.

Answer: B

Explanation: There are too few IP addresses in this scenario. Either more IP addresses must be added to the scope or the IP lease time must be decreased. Decreasing the lease time to one day would release IP addresses when workers take their laptops and work in the field. By increasing the conflict detection attempts from the default of 0 to 2, the DHCP server will determine whether an IP address is already in use on the network before leasing or using the address.

Incorrect Answers:
A: If DHCP server-side conflict detection is used, you should set the number of conflict detection attempts made by the server to one or two pings at most, not 3. It is unnecessary to delete the IP leases when server-side conflict detection is used.
C: ipconfig /release followed by ipconfig /renew might solve the short-term problem, but the problem would reappear later. This is no long-term solution.
D: Decreasing the lease time to 1 day would be better than decreasing it to 8 hours. During one work day the lease might have to be renewed, which increases DHCP traffic. Increasing conflict detection attempts would be a better long-term solution than running the ipconfig /renew command once.

96. You administer the Tailspin Toys network, which consists of a single Windows 2000 domain. To reduce broadcast traffic in your network, you disable NetBIOS over TCP/IP support on all computers. The network contains a Windows 2000 Server computer named tswebsrv.tailspintoys.com, which hosts your internal Web site. For this server, you create a CNAME (canonical name) record named IWEB in your DNS zone. Using your own Windows 2000 Professional computer, you try to access a file share named dropbox on tswebsrv.tailspintoys.com by mapping a drive to \\iweb.tailspintoys.com\dropbox. However, you receive the following error message.
The mapped network drive could not be created because the following error has occurred: A duplicate name exists on the network.

You establish that no other computer on the network is named IWEB. However, the error persists, and you still require access to dropbox. What should you do?
A. Create a Hosts file on your computer and add an entry for IWEB.
B. Enable NetBIOS over TCP/IP support on your computer.
C. Enable NetBIOS over TCP/IP support on tswebsrv.tailspintoys.com.
D. Use the primary computer name \\tswebsrv to connect to tswebsrv.tailspintoys.com.
E. Use only the alias \\iweb to connect to tswebsrv.tailspintoys.com.

Answer: D

Explanation: The problem in this scenario can occur when we try to connect to the server by using a CNAME alias created in the DNS zone. The server is not "listening" on the alias, and because of this, it is not accepting connections to that name. The solution is to use the primary computer name to connect instead of the alias. In this scenario the primary computer name is \\tswebsrv.

Incorrect Answers:
A: A record for IWEB already exists in the DNS zone. Preloading another entry for IWEB using a Hosts file would make no difference.
B: This is not a NetBIOS name problem; this is a DNS problem.
C: This is not a NetBIOS name problem; this is a DNS problem.
E: The primary name, not the alias name, must be used.

97. You are the network administrator for Lucerne Publishing. Your network consists of a single Windows 2000 domain. Lucerne Publishing employs a full-time staff. It also contracts authors for short-term projects. All full-time employees use portable computers that run Windows 2000 Professional. These users require remote access to network resources, such as applications and printers. Contracted authors use their personal computers, which run a variety of operating systems, including Windows 98, Windows NT 4.0, and Windows 2000 Professional.
The authors require remote access to the network so they can upload drafts and revisions to a file share located on a Windows 2000 Server named Srv1. To ensure connection security, you allow access to the network only by means of a virtual private network (VPN) connection through the Internet. You use PPTP as the VPN protocol, and you configure four VPN servers as a Network Load Balancing (NLB) cluster. Several authors now report that they experience rejected connections when they log on and try to access Srv1. Full-time employees report no problems. How should you correct this problem?
A. Remove the cluster IP address from the server interfaces that receive the PPTP connections.
B. Remove the dedicated IP address from the server interfaces that receive the PPTP connections.
C. Edit the default remote access profile to grant access only to VPN connections and to increase the Disconnect if idle setting to 10 minutes.
D. Edit the default remote access policy to grant access only to NAS Port Type VPN and to increase the Disconnect if idle setting to 10 minutes.

Answer: B

Explanation: If we are using Network Load Balancing to load balance Point-to-Point Tunneling Protocol (PPTP), clients running Windows 95, Windows 98, or Windows NT 4.0 may, under certain circumstances, be unable to connect to a Network Load Balancing cluster. This problem can occur if the Network Load Balancing hosts use a dedicated IP address on the network adapter to which Network Load Balancing is bound. To avoid the problem, we must remove the dedicated IP address from all Network Load Balancing cluster hosts. This problem does not occur with Windows 2000 clients.

Incorrect Answers:
A: The dedicated IP address, not the cluster IP address, should be removed from the server interfaces that receive the PPTP connections.
C: The connections for the downlevel clients are immediately rejected. They are not disconnected because of the Disconnect if idle setting. Disconnect if idle is disabled by default.
D: Disconnect if idle is disabled by default. The problem cannot be fixed by restricting access only to NAS Port Type VPN.

98. You are the administrator for Miller Textiles. The network consists of one Windows 2000 domain named millertextiles.local. For security reasons, you want to ensure that internal name resolution traffic never passes outside the network. You also want to ensure that external name requests are handled by an external DNS server. What should you do to accomplish these goals?
A. Create a new standard primary zone for your local namespace and enter only internal addresses into the host table.
B. Create a new Active Directory integrated zone for your logical namespace and enter only internal addresses into the host table.
C. Delete the root zone for your local namespace and configure all internal DNS servers to forward name resolution requests to the external DNS server.
D. Create a new root zone for the Internet and configure all internal DNS servers to forward all requests to this zone.

Answer: C

Explanation: By deleting the root zone and configuring all internal DNS servers to forward name resolution requests to the external DNS server, all external name requests are handled by the external DNS server. The default root zone might contain records for Internet root servers, but that zone is deleted. Internal name resolution would never be passed to the external DNS server, since the internal servers are authoritative for the internal zone and answer those queries themselves.

Incorrect Answers:
A: An external DNS server must be used for external name resolution.
B: An external DNS server must be used for external name resolution.
D: It takes less administrative effort to directly use an external DNS server than to create a new root zone for the Internet.

99. You are the administrator of a Windows 2000 network. The network has 300 Windows 2000 Professional computers, one Windows 2000-based WINS server, four Windows 2000 DHCP servers, and eight other Windows 2000 Server computers.
The 300 Windows 2000 Professional computers and the servers are divided over four different locations named North Building, East Building, South Building, and West Building. The WINS server is in the East Building location. The TCP/IP configuration of the WINS client computers is provided by the four DHCP servers on the network. The Windows 2000 Professional computers use NetBIOS-based resources in the network. Because of a malfunction of the WINS server's hard disk, you replace it and restore the WINS database from a backup that is one week old. After the new WINS server is in place, users report that they cannot browse any of the resources in the other locations. What should you do to enable users to browse resources in other locations again?
A. On the WINS server, use the Jetpack.exe utility on the WINS database.
B. On the WINS server, use the Verify Database Consistency command.
C. On the Windows 2000 Server computers, use nbtstat -RR to release and refresh the WINS registrations.
D. On the WINS client computers, use the ipconfig /registerdns command to register names and IP addresses.

Answer: C

Explanation: The command nbtstat -RR releases names registered with a WINS server and then renews their registrations. This will release obsolete records, and all WINS clients will get registered properly again.

Incorrect Answers:
A: Jetpack.exe is used for DHCP databases, not for the WINS database.
B: Consistency checking helps maintain database integrity among WINS servers that are configured as replication partners. It is not used to fix the records of a single WINS database.
D: ipconfig /registerdns registers a host record in a DNS zone, not a NetBIOS record in the WINS database.

100. You are the administrator of your company's network. The network consists of 10 Windows 2000 Server computers, 200 Windows 2000 Professional computers, and 20 UNIX servers. You are using Windows 2000 as your DNS server. Your DNS zone is configured as an Active Directory integrated zone.
Your DNS zone is also configured to allow dynamic updates. Users report that although they can access the Windows 2000 computers by host name, they cannot access the UNIX servers by host name. What should you do to correct this problem?
A. Manually enter A (host) records for the UNIX servers in the zone database.
B. Manually add the UNIX servers to the Windows 2000 domain.
C. On the DNS server, manually create a Hosts file that contains the records for the UNIX servers.
D. Configure a UNIX computer to be a DNS server in a secondary zone.

Answer: A

Explanation: By default, Windows 2000 clients can register both A and PTR records dynamically. The UNIX servers are unable to do so. A (host) records must be added manually to the DNS zone for these UNIX servers.

Incorrect Answers:
B: The UNIX servers do not have to join the domain; users just want to access them.
C: A Hosts file that contains the records for the UNIX servers would have to be copied to all client computers; it cannot just be saved on the DNS server.
D: The UNIX computers must be registered in the DNS zone. A UNIX server in a secondary zone will not help.

101. You are the administrator of the contoso.com domain. Your network consists of 7,000 client computers distributed evenly across five sites. Each site has its own Windows 2000 domain, and each site has been delegated authority from your root DNS server to manage its own namespace. In the site named boston.contoso.com, the local administrator has recently upgraded the two DNS servers that service the subdomain. You suspect that the upgrade to the DNS servers has resulted in an incorrect configuration of your zone delegation. What should you do to verify that your zone delegations are properly configured?
A. Start System Monitor. Confirm that the counters for DNS: Recursive Query Failures are zero.
B. Start System Monitor. Confirm that the counters for DNS: Zone Transfer Failures are zero.
C. Run the nslookup -querytype=ns boston.contoso.com.
command with the server option set to query the boston.contoso.com server. Ping the records displayed in the output of the nslookup command.
D. Run the nslookup -ls -d boston.contoso.com. command with the server option set to query the boston.contoso.com server. Ping the records displayed in the output of the nslookup command.

Answer: C

Explanation: The nslookup utility is used to verify zone delegation. We can use it to find the NS (name server) records. You do this with the command nslookup -querytype=ns address. Then ping the addresses of these records.

Reference: Windows 2000 Server documentation, To verify a zone delegation using the nslookup command

Incorrect Answers:
A: System Monitor monitors system performance; it cannot be used to verify a zone delegation.
B: System Monitor monitors system performance; it cannot be used to verify a zone delegation.
D: The nslookup command ls -d boston.contoso.com would give a full listing of the records in that domain.

102. You are the administrator of your company's network. Your company has a main office, two large branch offices, and two small branch offices. The company's network consists of one Windows 2000 domain. The main office and the two large branch offices are connected by dedicated T1 lines. The two small branch offices use 128-Kbps ISDN lines and Routing and Remote Access over the Internet to connect to the company's internal network. You are designing your DNS name resolution environment. You want to accomplish the following goals:
• DNS name resolution traffic across the WAN links will be minimized.
• DNS replication traffic across the WAN links will be minimized.
• DNS replication traffic across the public WAN links will be secured.
• Name resolution performance for the client computers will be optimized.

You take the following actions:
• Install the DNS Server service on one server at each office.
• Create the standard primary zone at the main office.
• Create a standard secondary zone at the four other offices.
• Configure client computers to query their local DNS server.

Which result or results do these actions produce? (Choose all that apply)
A. DNS name resolution traffic across the WAN links is minimized.
B. DNS replication traffic across the WAN links is minimized.
C. DNS replication traffic across the public WAN links is secured.
D. Name resolution performance for client computers is optimized.

Answer: A, D

Explanation: The clients in each office are configured to use their local DNS server for name resolution, so DNS name resolution traffic across the WAN links is minimized and name resolution performance for the clients is optimized.

Incorrect Answers:
B: DNS replication on the WAN links is not minimized, since incremental zone transfers can only be used in Active Directory integrated zones, not in replication between primary and secondary DNS zones.
C: DNS replication on the public WAN links is not secured. Active Directory integrated zones would enable secure replication, but replication between primary and secondary DNS zones is not secure.

103. You are the administrator of your company's network. The network consists of a single Windows 2000 domain that spans multiple locations. The locations are connected over the Internet by using Routing and Remote Access. Resources are located on TCP/IP hosts on your network. To facilitate name resolution for client access to these resources, you implement Windows 2000 DNS servers on your network. You want to ensure that when the zone transfer traffic between your DNS servers crosses the Internet links between the locations, it cannot be compromised by outside parties. What should you do?
A. Select the option to allow zone transfers only to servers listed on the Name Servers tab.
B. Set up an Active Directory integrated zone.
C. Set the Allow Dynamic Updates setting for your zone to No.
D.
Set the Allow Dynamic Updates setting for your zone to Only Secure Updates.

Answer: B

Explanation: Only Active Directory integrated zone transfers will provide secure DNS replication traffic. Active Directory integrated zone transfers are included in Active Directory replication. Active Directory replication uses a secure channel to keep the replication traffic safe from outside parties.

Incorrect Answers:
A: The servers listed on the Name Servers tab are the destinations of the zone transfers. This setting does not concern the security of the zone transfers.
C: Configuring the Allow Dynamic Updates setting to No disables Dynamic DNS, but the zone transfers would still be insecure.
D: Configuring the Allow Dynamic Updates setting to Only Secure Updates would make the updates of the DNS zone secure, but the zone transfers would still be insecure.

104. You are the administrator of your company's network, which consists of a LAN with 5,000 computers on 15 subnets. Each subnet is a separate network segment. You anticipate that the number of hosts on your network will increase by 10 percent each year for the next three years. The network includes three Windows 2000 Server computers configured as routers. You need to configure the routers so that existing hosts on all subnets can communicate with existing hosts on all other subnets. Your solution must minimize network protocol traffic, and it must allow the subnets to be reconfigured to accommodate the anticipated growth. What should you do?
A. Create two additional subnets for each router. Enable Routing and Remote Access on each router and add the OSPF protocol in a default configuration. Add each network interface on each router to the OSPF protocol.
B. Reconfigure the routers and network segments in a backbone configuration. Add two additional subnets for each router. Enable Routing and Remote Access on each router and add the OSPF protocol in a default configuration. Add each network interface on each router to the OSPF protocol.
C.
Enable routing and remote access on each router and add RIP in a default configuration. Add each network interface on each router to RIP. D. Enable routing and remote access on each router and add RIP, configured to use RIP neighbors instead of broadcast or multicast routing. Add each network interface on each router to RIP. Answer: B Explanation: For larger network, like in this scenario, performance of RIP would suffer, mostly because it is based on broadcasts. OSPF on the other hand is designed for large scale networks. OSPF divides the internetwork into different areas — every area is a contiguous network. The areas are connected with each other through a backbone area. The routers connected to the backbone area are called backbone routers. Incorrect Answers: A: Areas connecting to each other through backbones, not new subnets on every router, is the way OSPF is set up. C: OSPF, not RIP, is the preferred routing protocol in larger networks. D: OSPF, not RIP, is the preferred routing protocol in larger networks. 105. You are the administrator of your company’s network, which includes a Windows 2000 Server computer named AXi that runs Routing and Remote Access. You configure remote access policies on AXi as shown in the following table. Policy Order Weekday 7:00 AM — 6:00 PM: Allow 1 Administrators: Allow 2 Weekday6:OOP:M—7:OOA.M: Deny 3 Support Managers: Allow 4 Weekend: Deny 5 Your management revises its access policies. Members of the Support Managers group are now allowed to dial in 24 hours a day, seven days a week. Members of the Administrators group are no longer allowed to dial in on weekends. To implement these changes, you need to reconfigure the remote access policies on AXi. What should you do? A. Move the Weekend: Deny policy directly above your current policy 2. B. Move the Support Managers: Allow policy directly above your current policy 3. C. Move the Administrators: Allow policy above your current policy 1. Move the Weekday 6:00 P.M. 
— 7:00 A.M: Deny Policy directly below your current policy 3. D. Move the Support Managers: Allow policy above your current policy 2. Move the Weekend: Deny policy directly above your current policy 3. Answer: D Explanation: We must fix two problems in this scenario: 1. The Administrators should no longer be allowed to log in on weekends. 2. The Support Managers must be allowed to login all hours, all days. They are now only allowed to log in Weekdays 7 AM to 6 PM. We must take into consideration that the Policys are processed in order and the first matching Policy is applied. Moving the Support Managers: Allow policy above the current policy 2 would ensure that the Support Managers have access all hours, all days. Moving the Weekend: Deny policy directly above the current policy 3 (at this moment the 3rd policy is the Administrators: Allow policy) would ensure that only the Support Managers would get Weekend access. The rest of the users, including the Administrators would be denied access during the weekend. Incorrect Answers: A: If we move the Weekend: Deny policy above the policy 2, everyone would be denied access during the weekends. B: If we only move the Support Managers: Allow Policy, the Administrators would still be able to log on during weekends. C: Moving the Administrators: Allow policy to the first spot, would ensure that the Administrators are log on all days, all hours. But they should not have access during the weekends. 106. You are the network administrator for Luceme Publishing. Your company employs a full-time staff. It also contracts authors for short-term projects. All full-time employees use portable computers running Windows 2000 Professional. These users require remote access to network resources, such as applications and printers. Contracted authors use personal computers that run a variety of operating systems, including Windows 98, Windows NT 4.0, and Windows 2000 Professional. 
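Before question 106 continues, here is an added illustration of the first-match rule that the explanation of question 105 relies on. It is a constructed Python model written for this page, not Windows 2000 or RRAS code: the policy table from the question is encoded as ordered predicates, evaluate() returns the decision of the first policy whose conditions match, and apply_answer_d() performs the two moves from answer D so the decisions before and after can be compared. The group names, days and hours in the sample attempts are constructed.

```python
"""First-match evaluation of remote access policies (added model for question 105).

Constructed Python illustration, not Windows 2000 or RRAS code: the policy
table from the question is encoded as ordered predicates, evaluate() returns the
decision of the first policy whose conditions match, and apply_answer_d()
performs the two moves from answer D so that decisions before and after can be
compared. Group names, days and hours in the sample attempts are constructed.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Attempt:
    """One dial-in attempt: the caller's group memberships and when it happens."""
    groups: FrozenSet[str]
    weekday: int  # 0 = Monday ... 6 = Sunday
    hour: int     # 0-23, the hour in which the call arrives


@dataclass(frozen=True)
class Policy:
    name: str
    matches: Callable[[Attempt], bool]  # the policy's conditions
    allow: bool                         # Allow (True) or Deny (False)


def is_weekday(a: Attempt) -> bool:
    return a.weekday < 5


def is_business_hours(a: Attempt) -> bool:
    return 7 <= a.hour < 18  # 7:00 A.M. up to 6:00 P.M.


# The policy table from the question; list order is the processing order.
WEEKDAY_DAY = Policy("Weekday 7:00 A.M. - 6:00 P.M.: Allow",
                     lambda a: is_weekday(a) and is_business_hours(a), True)
ADMINS = Policy("Administrators: Allow",
                lambda a: "Administrators" in a.groups, True)
WEEKDAY_NIGHT = Policy("Weekday 6:00 P.M. - 7:00 A.M.: Deny",
                       lambda a: is_weekday(a) and not is_business_hours(a), False)
SUPPORT = Policy("Support Managers: Allow",
                 lambda a: "Support Managers" in a.groups, True)
WEEKEND = Policy("Weekend: Deny", lambda a: not is_weekday(a), False)

ORIGINAL = [WEEKDAY_DAY, ADMINS, WEEKDAY_NIGHT, SUPPORT, WEEKEND]


def evaluate(policies: List[Policy], attempt: Attempt) -> Optional[bool]:
    """Decision of the first policy whose conditions match; None when no policy
    matches (RRAS rejects such an attempt)."""
    for policy in policies:
        if policy.matches(attempt):
            return policy.allow
    return None


def apply_answer_d(policies: List[Policy]) -> List[Policy]:
    """Answer D: move Support Managers: Allow above the current policy 2, then
    move Weekend: Deny directly above the (new) current policy 3."""
    order = list(policies)
    order.remove(SUPPORT)
    order.insert(1, SUPPORT)   # above policy 2, so it becomes policy 2
    order.remove(WEEKEND)
    order.insert(2, WEEKEND)   # above current policy 3 (now Administrators: Allow)
    return order


REVISED = apply_answer_d(ORIGINAL)


def decision(policies: List[Policy], group: str, weekday: int, hour: int) -> Optional[bool]:
    """Convenience wrapper for a caller who belongs to a single group."""
    return evaluate(policies, Attempt(frozenset({group}), weekday, hour))


if __name__ == "__main__":
    cases = [("Support Managers", 1, 22), ("Administrators", 5, 10),
             ("Administrators", 2, 22), ("Domain Users", 6, 12)]
    for group, day, hour in cases:
        print(f"{group:16} day={day} hour={hour:2}: "
              f"before={decision(ORIGINAL, group, day, hour)} "
              f"after={decision(REVISED, group, day, hour)}")
```

Running the comparison shows the two effects the explanation describes: a Support Manager calling on a weekday evening is denied under the original order (the Weekday 6:00 P.M. - 7:00 A.M.: Deny policy matches first) and allowed after the move, while an Administrator calling on Saturday is allowed under the original order and denied once Weekend: Deny sits above Administrators: Allow. Administrators keep their weeknight access because their policy still precedes the weekday night deny.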
The authors require remote access to the network so they can upload revised documents to file servers. You allow remote access to the network only by means of a virtual private network connection through the Internet. You configure 40 PPTP ports on a single VPN server. To ensure high availability of the VPN service, you configure three additional VPN servers. You configure 40 L2TP ports on each new server. You configure round robin DNS entries for all four VPN servers. Several authors now report that they experience rejected connections when they dial the VPN servers. After repeated attempts they are eventually able to connect. Full-time employees report no problems. You need to correct this problem while ensuring the highest possible level of security for each connection. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Configure 40 PPTP ports on each new VPN server.
B. Configure 40 L2TP ports on the original VPN server.
C. Remove the 40 PPTP ports from the original VPN server.
D. Remove the 40 L2TP ports from each new VPN server.
E. Remove the dedicated IP address from the server interfaces that receive the VPN connections.
F. Remove the round robin DNS entries for the VPN servers and assign users to specific VPN servers.
Answer: A, D
Explanation: In this scenario one VPN server is configured for PPTP and the other three are configured for L2TP. L2TP is supported by Windows 2000, but it is not supported by downlevel clients such as Windows 98 and Windows NT 4.0. When a remote downlevel client connects, the connection is only successful when it reaches the VPN server configured for PPTP, that is, there is a 25% chance of getting a connection. The Windows 2000 remote clients get access either by PPTP or by L2TP.
A: By configuring all VPN servers with 40 PPTP ports there would be no problem getting a connection for any author, including the ones using downlevel clients.
D: L2TP is not encrypted unless it is used in connection with IPSec. By removing all L2TP ports only secure PPTP connections would be allowed.
Incorrect Answers:
B: L2TP is not secure. Windows 2000 clients that get L2TP connections would have unencrypted connections.
C: The L2TP ports, not the PPTP ports, should be removed. The downlevel clients, Windows 95 or Windows NT 4.0, would not be able to be granted remote access if the PPTP ports were removed.
E: The IP address configuration of the server interfaces is correct. The problem at hand concerns the L2TP protocol.
F: Round robin is working correctly. It is not necessary to change the round robin configuration.

107. You are the administrator of your company's network, which consists of a single Windows 2000 domain. Company employees need to access network resources when they are working remotely. Some remote users work at home, using personal desktop computers that run either Windows 98 or Windows 2000 Professional. The home computers do not have computer accounts in the company's domain. Other remote users have company-issued portable computers that run Windows 2000 Professional. The portable computers have computer accounts in the company's domain. The portable computers also contain a smart card reader, which is the only means of authentication for the employees who use them. To provide secure access for all remote users, you enable Routing and Remote Access on a Windows 2000 Server computer that is connected to the Internet. You also create ports for 25 PPTP virtual private network connections. You verify that all VPN client computers are configured correctly. To ensure security, you create a single Routing and Remote Access policy for all users and configure authentication as shown in the exhibit. All remote users with desktop computers running Windows 2000 Professional can now successfully connect to the VPN server. However, no other remote users can establish a connection. You need to enable all remote users to connect to the VPN server. You also need to ensure the highest possible level of authentication security. Which two actions should you perform in the remote access profile? (Each correct answer presents part of the solution. Choose two)
A. Create computer accounts for all the home computers.
B. Select the Extensible Authentication Protocol check box and select Smart Card or other certificate in the list box.
C. Select the Extensible Authentication Protocol check box and select MD5 Challenge in the list box.
D. Select the Microsoft Encrypted Authentication check box.
E. Select the Unencrypted Authentication check box.
F. Clear the Microsoft Encrypted Authentication Version 2 check box.
Answer: A, B
Explanation: The Extensible Authentication Protocol (EAP) check box with the Smart Card or other certificate option must be selected, since the portable computers have smart card readers as the only means of authentication. Smart card authentication requires computer accounts for all the home computers.
Reference: Microsoft Server Documentation, EAP
Incorrect Answers:
C: MD5 Challenge cannot be used, since the portable computers have smart card readers as the only means of authentication.
D: Microsoft CHAP would not provide the highest possible level of authentication security.
E: Unencrypted Authentication would not provide the highest possible level of authentication security.
F: It is not necessary to clear the MS-CHAP v2 check box. It is cleared automatically when Extensible Authentication Protocol is selected.

108. You are the administrator of your company's network. Your network consists of a single segment, which you divide into four segments by installing routers. The new configuration includes a DHCP server running Windows 2000 on segment B. Each new segment also includes one client computer running Windows 2000 Professional. These computers are named Client1 through Client4. Segment C and segment D each include one file server running Windows 2000 Server. The file servers are named File1 and File2. You configure the client computers as DHCP clients. You assign static IP addresses to the Windows 2000 Server computers. You create four scopes on the DHCP server with the correct IP addresses. When you test your configuration, you discover that Client1, Client2, and Client4 cannot communicate with any other computers on the network. Client3 can communicate with File1 and File2, but not with the other client computers. You need to ensure that all client computers can communicate with both file servers and with each other. Which action or actions should you perform? (Choose all that apply)
A. Configure Client1 as a DHCP Relay Agent.
B. Configure Client2 as a DHCP Relay Agent.
C. Configure Client4 as a DHCP Relay Agent.
D. Configure File1 as a DHCP Relay Agent.
E. Configure File2 as a DHCP Relay Agent.
F. Configure Router A to forward BOOTP packets.
G. Configure Router B to forward BOOTP packets.
Answer: D, E, F
Explanation: In this scenario the DHCP configuration information apparently cannot reach the remote subnets. The most likely cause is that the routers are not BOOTP-enabled and block this traffic.
D, E: We must ensure that Client1, Client2, and Client4 can communicate with other computers on the network. We already know that File1 and File2 are able to communicate with other computers, in particular with Client3. We can therefore use them as DHCP Relay Agents. This ensures that Client2 and Client4 receive a proper IP configuration.
F: We must also ensure that Client1 can work as a DHCP client. We ensure this by configuring RouterA to forward BOOTP packets.
Note: Only Windows 2000 Server computers, not Windows 2000 Professional computers, can be configured as DHCP Relay Agents.
Incorrect Answers:
A: Client1 is not able to function as a DHCP Relay Agent, since it is a Windows 2000 Professional computer.
B: Client2 is not able to function as a DHCP Relay Agent, since it is a Windows 2000 Professional computer.
C: Client4 is not able to function as a DHCP Relay Agent, since it is a Windows 2000 Professional computer.
G: By examining the exhibit, we see that in order for Client1 to receive an IP configuration from the DHCP server, RouterA, not RouterB, must be BOOTP-enabled.

109. You are the network administrator for a branch office of a large company. Your network is connected to the company network by means of a Windows 2000 Routing and Remote Access two-way demand-dial connection over ISDN. In addition to e-mail and application traffic, sensitive company data is transferred across this connection. You want to accomplish the following goals:
• All data transmitted over the connection will be secure.
• Rogue routers will be prevented from exchanging router information with either router.
• Both routers in the connection will be able to validate each other.
• Both routers in the connection will maintain up-to-date routing tables.
• Traffic over the demand-dial link during peak business hours will be minimized.
You take the following actions:
• Enable MS-CHAP as the authentication protocol on both Routing and Remote Access servers.
• Enable Open Shortest Path First (OSPF) on the demand-dial interfaces.
• Set the Require Encryption option in the Advanced Security settings on both Routing and Remote Access servers.
Which result or results do these actions produce? (Choose all that apply)
A. All data transmitted over the connection is secure.
B. Rogue routers are prevented from exchanging router information with either router.
C. Both routers in the connection are able to validate each other.
D. Both routers in the connection maintain up-to-date routing tables.
E. Traffic over the demand-dial link during peak business hours is minimized.
Answer: A, D
Explanation: MS-CHAP has been enabled as the authentication protocol, and it supports data encryption, so all data transmitted over the connection is secure. OSPF has been enabled on the demand-dial interfaces, so both routers are able to keep up-to-date routing tables.
Incorrect Answers:
B: OSPF could be configured to prevent rogue routers from communicating with the real routers, but this has not been done here.
C: MS-CHAP v2 and EAP-TLS support two-way authentication. MS-CHAP only provides one-way authentication, so the routers will not be able to validate each other.
E: Nothing has been done to minimize traffic on the demand-dial link during peak business hours.

110. You are the administrator of your Windows 2000 network. The network contains a Windows 2000 Server computer named RouterA. Routing and Remote Access is enabled as a router on RouterA. RouterA has a LAN interface named Net1. The Net1 interface uses an IP address of 192.168.1.2. You want to specify which type of network traffic will be allowed into the router through the Net1 interface. The only traffic that should be allowed into the Net1 interface is HTTP traffic that uses TCP port 80 or TCP port 443. The other interfaces of the router have no restriction on the types of network traffic allowed. When you monitor the network, you notice that other network traffic is still allowed into the Net1 interface. What should you do?
A. Configure the network connection to use TCP/IP filtering. Permit only TCP port 80 and TCP port 443.
B. Configure the input packet filters to drop all packets except packets allowed by the filters. You configure two input packet filters on the Net1 interface as shown in the following dialog box.
(Dialog box residue; the legible filter fields are: Source Any, Any; Destination 192.168.1.2, 255.255.255...; Protocol TCP; Source port Any; Destination port 443)
C. Configure two output packet filters to filter on both TCP port 80 and TCP port 443.
D. Configure the Net1 interface to drop all UDP packets.
Answer: B
Explanation: By configuring the input packet filters to drop all packets except the packets allowed by the filters, only TCP port 80 and TCP port 443 traffic is allowed in.
Incorrect Answers:
A: To configure the router, the Routing and Remote Access console should be used, not TCP/IP filtering on the LAN interface.
C: Input filters, not output filters, should be used to decide which traffic is allowed into the router.
D: The Net1 interface should allow only TCP port 80 and TCP port 443. Dropping all UDP packets is not enough.

111. You are the administrator of a Windows 2000 network. The network consists of 85 Windows 2000 Professional computers and two Windows 2000 Server computers named Amsterdam and Utrecht. Amsterdam has a permanent cable modem connection to the Internet. All Windows 2000 Professional computers on the network are configured to use Automatic Private IP Addressing (APIPA). The network does not contain a DHCP server. To allow all Windows 2000 Professional computers on the network to access the Internet through the cable modem connection of Amsterdam, you install and configure the network address translation (NAT) routing protocol on Amsterdam. You decide to use IP addresses in the range of 172.20.20.1 through 172.20.20.150 for the network. Amsterdam is configured to use an IP address of 172.20.20.1. Utrecht is a web server configured with an IP address of 172.20.20.2 and a default gateway of 172.20.20.1. You want to allow Internet users from outside your internal network to access the resources on Utrecht through the NAT on Amsterdam. How should you configure the network to accomplish this goal?
A. Configure the NAT routing protocol to enable the use of a network application. Specify web server as the name of the application. Use the web port number as the remote server port number.
B. Configure the public interface of the NAT routing protocol to use an address pool with an address of 172.20.20.2.
C. Configure the public interface of the NAT routing protocol to use a special port that maps to the web server port and an IP address of 172.20.20.2.
D. Configure Amsterdam so that it has a static route on the private network. Use a destination address of 172.20.20.2, a network mask of 255.255.255.255, and a gateway of 172.20.20.1.
Answer: C
Explanation: When using the NAT routing protocol, we have to use port mappings to give external Internet users access to local resources. If multiple private addresses are mapped to a single public address, as seems to be the case in this scenario, NAT uses dynamically chosen TCP and UDP ports to distinguish one intranet location from another.
Incorrect Answers:
A: A network application is not used to give external users access to local resources.
B: The public interface cannot use private addresses.
D: We do not configure static routes on the private network to enable external access to internal resources.

112. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named ServerA and 50 Windows 2000 Professional computers. ServerA has a dial-up connection that connects to the Internet. All Windows 2000 Professional computers in the network are configured to use Automatic Private IP Addressing (APIPA). There is no DHCP server on the network. To allow all Windows 2000 Professional computers on the network to access the Internet through the dial-up connection of ServerA, you decide to install the network address translation (NAT) routing protocol. You configure ServerA as follows:
• The LAN interface on ServerA has an IP address of 10.65.3.1 and a subnet mask of 255.255.255.0.
• NAT automatically assigns IP addresses in the range of 10.65.3.2 through 10.65.3.60 to computers on the private interface.
• NAT uses a demand-dial interface named Dial ISP to connect to the Internet service provider.
• The Dial ISP interface uses an address pool in the range of 207.46.179.44 through 207.46.179.36.
• The routing table has a default static route for the public interface.
Which configuration should you use for the static route for the public interface?
A. Interface: Local Area Connection; Destination: 207.46.179.33; Network Mask: 255.255.255.255; Gateway: 0.0.0.0
B. Interface: Local Area Connection; Destination: 10.65.3.0; Network Mask: 255.255.255.0; Gateway: 10.65.3.1
C. Interface: Dial ISP; Destination: 0.0.0.0; Network Mask: 0.0.0.0; Gateway: None
D. Interface: Dial ISP; Destination: 207.46.179.32; Network Mask: 255.255.255.240; Gateway: 207.46.179.32
Answer: C
Explanation: For a default static route, we need to select the demand-dial interface (for dial-up connections) or the LAN interface (for permanent or intermediate router connections) that is used to connect to the Internet. The destination is 0.0.0.0 and the network mask is 0.0.0.0. For a demand-dial interface, the gateway IP address is not configurable.
Incorrect Answers:
A: Destination and network mask have to be 0.0.0.0.
B: Destination and network mask have to be 0.0.0.0.
D: Destination and network mask have to be 0.0.0.0.

113. You are the administrator of your company's network. To allow users to access network resources when they are not in the office, you configure remote access services in your native-mode Windows 2000 domain. Because your company operates 24 hours a day and seven days a week, and because your users are not running Windows 98 or Windows NT Workstation, you do not want to apply any time or authentication restrictions. To accomplish this, you delete the default remote access policy. However, you want to restrict access by unauthorized users. You set the dial-in permission of all users in the domain to Allow access, but you begin to receive reports that users are not able to connect. What should you do to resolve the problem?
A. Create a new remote access policy that has the condition to grant all members of the Domain Users group dial-in access.
B. Create a new group policy that grants dial-in permissions to the Domain Users group.
C. Edit the remote access profile to allow the use of encrypted authentication (CHAP) as the only authentication method.
D. Edit the remote access profile to allow the use of unencrypted authentication (PAP, SPAP) as the only authentication method.
Answer: A
Explanation: Access to a RRAS server is controlled through the combination of the user's dial-in permission; the remote access policy, which specifies various conditions for permitting a connection; and the remote access profile, which determines what kind of access RRAS grants if a connection is permitted. In this scenario the dial-in permission is set to Allow for all users in the native-mode domain. Still, a remote access policy must allow the users to get access. The default remote access policy has been deleted, so a new one has to be created. By setting the condition to grant all members of the Domain Users group access, only authorized domain users are granted remote access.
Incorrect Answers:
B: Group policies cannot be used to grant remote access.
C: Remote access profiles cannot grant remote access; they can only be used to decide which kind of access a user gets after access has been granted.
D: Remote access profiles cannot grant remote access; they can only be used to decide which kind of access a user gets after access has been granted.

114. You are the network administrator of Woodgrove Bank. Woodgrove Bank needs records of everyone who accesses the company's network by means of Routing and Remote Access. You are configuring the Routing and Remote Access server for remote access. You need to log all logon activity on the Routing and Remote Access server. What should you do?
A. In the Audit Policy for the domain, enable Directory Service Access.
B. In the Audit Policy for the domain, enable Audit Logon Events.
C. In the Audit Policy for the domain, enable Audit Account Logon Events.
D. On the Routing and Remote Access server, enable Log authentication requests in the Remote Access Logging properties.
E. On the Routing and Remote Access server, enable Log accounting requests in the Remote Access Logging properties.
Answer: D
Explanation: The Log authentication requests option can help by alerting us to problems with transaction volume and to unauthorized attempts to access resources. To enable Log authentication requests, we open the Routing and Remote Access console and click Remote Access Logging in the console tree. In the details pane, right-click Local File, and then click Properties. On the Settings tab, select one or more check boxes for recording authentication, and select the Log authentication requests check box.
Incorrect Answers:
A: This setting is configured in the Routing and Remote Access console, not in the audit policy for the domain.
B: This setting is configured in the Routing and Remote Access console, not in the audit policy for the domain.
C: This setting is configured in the Routing and Remote Access console, not in the audit policy for the domain.
E: Log authentication requests, not Log accounting requests, should be selected.

115. You are the administrator of your company's network. You need to implement a remote access solution that is highly available and highly secure. Your company consists of a single location and has a T3 connection to the Internet. Your company has 1,000 salespeople who need reliable connectivity to the company network from any remote location. All servers are running Windows 2000 Advanced Server, and all client computers are running Windows 2000 Professional. You want to accomplish the following goals:
• No single point of failure, aside from total loss of the T3, will result in total loss of remote access connectivity.
• No authentication traffic will be carried as clear text.
• No data traffic will be carried as clear text.
• Support for at least 200 simultaneous remote users accessing the network will be available at all times.
You take the following actions:
• Install three virtual private network (VPN) servers at the main office.
• Configure each VPN server to support 150 PPTP connections.
• Configure the client computers to use Password Authentication Protocol (PAP) as the authentication protocol.
Which result or results do these actions produce? (Choose all that apply)
A. No single point of failure, aside from total loss of the T3, results in total loss of remote access connectivity.
B. No authentication traffic is carried as clear text.
C. No data traffic is carried as clear text.
D. Support for at least 200 simultaneous remote users accessing the network is available at all times.
Answer: A, D
Explanation: Three VPN servers have been installed at the main office. This provides redundancy. The three VPN servers provide 150 connections each, so 450 simultaneous connections are supported. Even if one VPN server is stopped, 300 simultaneous connections are still provided.
Incorrect Answers:
B: PAP uses no encryption for authentication. The authentication traffic is sent in clear text.
C: PPP encryption requires either EAP-TLS, MS-CHAP or MS-CHAP v2 in combination with Microsoft Point-to-Point Encryption (MPPE) to encrypt data. PPP does not provide data encryption.

116. You are the administrator of your company's network. The company's Internet web server runs on a Windows 2000 Server computer. The web server is not a member of a domain, and you want to keep the web server separate from the rest of your network. Your company wants its customers to be able to connect to the web server to make online transactions. You want to ensure that these transactions are secured through encryption. You also want to assure customers of the identity of your web server when they make online transactions.
What should you do? A. Install an enterprise certificate authority. B. Install a subordinate enterprise certificate authority that uses a commercial CA as the parent. C. Install a stand-alone certificate authority. D. Install a subordinate stand-alone certificate authority that uses a commercial CA as the parent. Answer: D Explanation: The web server is not a member of the domain and it is kept separate from the rest of the network. The Certificate Authority (CA) should therefore not be a part of the domain; it should not be an Enterprise CA or a subordinate Enterprise CA. The CA must be a subordinate CA to commercial CA so that the external customers can connect to the commercial and get certificates that verify the authenticity of your web server. Incorrect Answers: A: The CA of the web server should not be a part of the domain. It should not be an enterprise certificate authority. B: The CA of the web server should not be a part of the domain. It should not be a subordinate enterprise certificate authority. C: The external customers must be able to connect to the CA. The CA cannot be a stand-alone CA; it must use a commercial CA as its parent. 118. You are the administrator of a Windows 2000 network. The network consists of a single domain that has three Windows 2000 domain controllers, 1000 Windows and 2000 Professional workstations. Your company wants to make use of digital certificates by installing its own certificate authority (CA). You want to protect the root CA and the private key. You also want to ensure that you are able to effectively manage your company’s public key infrastructure. You want to accomplish the following goals: • The server that is hosting the root CA will have a maximum amount of protection from any security breaches that could occur on the network. • The server that is hosting the root CA will be able to certify other CAs and revoke certificates. 
• All the servers in your domain will be able to access the revocation status of all certificates in your public key infrastructure. • Certificate requests by users or computers in the domain will immediately be processed and either granted or denied. You take the following actions. • On a member Windows 2000 Server computer connected to the network, install a stand-alone root CA. • Disconnect the server on which you install the stand-alone root CA from the network and place it in a secure and separate location. Which result or results do these actions produce? (Choose all that apply) A. The server that is hosting the root CA has maximum amount of protection from any security breeches that can occur on the network. B. The server that is hosting the root CA is able to certify other CAs and revoke certificates. C. All the servers in your domain are able to access the revocation status of all certificates in your public key infrastructure. D. Certificate requests made by users or computers in the domain are immediately processed and either granted or denied. Answer: A Explanation: In this scenario the CA is very well protected since it is disconnected. Reference: HOW TO: Install a Windows 2000 Certificate Services Offline Root Certificate Authority (Q271386) Incorrect Answers: B: The root CA is disconnected and will not be able to certify other CAs or revoke certificates. C: The root CA periodically publishes a certificate revocation list (CRL). Programs check the CRLs for all the CAs in the chain of certificates from the end entity to the root of the hierarchy to decide whether or not to trust a particular certificate. The location of the CRL is always included in the certificate in a field called the CRL Distribution Point (CDP). In this case, the root CA in the hierarchy is offline, so the root certificate must be modified to include a CDP that is accessible by users on the network. 
However, in this scenario no CDP has been created and no revocation status can be accessed. D: The root CA is disconnected and certificates requests will not be made immediately. In fact the will not processed at all since no CRL Distribution Point (CDP) has been defined (see C.) 119. You are configuring a Windows 2000 server computer on your company’s network. The network consists of Windows 2000 server computers and NetWare 4.1 servers on two separate subnetworks. On the subnetwork1, you want Windows 2000 server computers to provide file and print services to Windows-based client computers that use TCP/IP. On subnetwork2, you want the Windows 2000 server computer to provide application services to NetWare client computers that use strictly IPXISPX. The Windows 2000 server computer has two network adapter cards installed. The Windows 2000 server computer will not function as a router for either subnetwork. You want to configure the Windows 2000 server computer to provide services on both subnetworks. You also want to optimize network performance for the Windows 2000 server computer and ensure that the response time for both server and client services is minimized. What should you do? (Choose Two) A. Configure the network bindings on the Windows 2000 server computer to unbind TCP/IP to the adapter connected to the subnetworkl. B. Configure the network bindings on the Windows 2000 server computer to unbind NWlink to the adapter connected to the subnetwork 1. C. Configure the network bindings on the Windows 2000 server computer to unbind TCP/IP to the adapter connected to the subnetwork2. D. Configure the network bindings on the Windows 2000 server computer to unbind NWlink to the adapter connected to the subnetwork2. E. Configure a unique internal network number for each subnetwork on the Windows 2000 server computer. Answer: B, C Explanation: In this scenario network performance should be optimized. 
A good practice is to remove unused protocols from the network adapters, since every installed network protocol brings some overhead. On subnetwork1 the only network protocol used is TCP/IP. Therefore the NWLink protocol should be unbound from the adapter connected to subnetwork1 on the Windows 2000 router computer. On subnetwork2 the only network protocol used is NWLink. Therefore the TCP/IP protocol should be unbound from the adapter connected to subnetwork2 on the Windows 2000 router computer.
Incorrect Answers:
A: TCP/IP is used by the clients on subnetwork1. On the router the TCP/IP protocol must not be removed from the adapter connected to subnetwork1.
D: NWLink is used by the clients on subnetwork1. On the router the NWLink protocol must not be removed from the adapter connected to subnetwork1.
E: Internal network numbers are needed on networks with two or more NWLink subnets where either FPNW or IPX routing is running. This is not the case here.
120. You are the network administrator for your company. Your company has three networks connected by a router. The router is configured as follows:
Interface0 - subnet0 - IP address 172.30.4.1, subnet mask 255.255.255.0
Interface1 - subnet1 - IP address 172.30.5.1, subnet mask 255.255.255.0
Interface2 - subnet2 - IP address 172.30.6.1, subnet mask 255.255.255.0
Only subnet 1 and subnet 2 contain client computers. Subnet 1 and subnet 2 each contain a Windows 2000 DHCP server, which is responsible for assigning addresses to client computers on the local subnet. The scopes are configured as shown in the subnet 1 scope properties and subnet 2 scope properties. Subnet 0 contains a web server and provides connectivity to the Internet. Users are experiencing connectivity problems. Computers on subnet 1 can communicate with any host on their own subnet, but cannot communicate with hosts on subnet 0 or subnet 2.
Computers on subnet 2 cannot communicate with hosts on subnet 1, but they are not experiencing any problems with connectivity to subnet 0. What should you do to correct this problem?
A. Modify the routing tables on the router to enable routing from subnet 1 to subnet 0 and subnet 2.
B. Modify the routing tables on each host on subnet 1 to enable direct connectivity to hosts on subnet 0 and subnet 2.
C. Delete and re-create the scope on the DHCP server on subnet 1 to reflect the correct subnet mask.
D. Delete and re-create the scope on the DHCP server on subnet 2 to reflect the correct subnet mask.
E. Delete and re-create the scopes on both DHCP servers to reflect the same configuration information for each subnet.
Answer: C
Explanation: In this scenario there is a network communication problem. Clients on subnet 1 are able to communicate with each other, but they cannot connect to resources on the other subnets. Clients on subnet 2 can connect to all computers except the ones on subnet 1. The conclusion is that all the clients on subnet 1 have an incorrect IP configuration. They are all DHCP clients, so the DHCP server has been configured incorrectly. By looking at the exhibit we see that the subnet mask of scope 1 is 255.255.0.0, but according to the configuration of the router it should have the subnet mask 255.255.255.0.
Incorrect Answers:
A: The routing table should not be changed. It has the correct information. Every client, except the ones on subnet 1, has proper network access.
B: The routing tables on the hosts should not be changed. They have the correct information. Every client, except the ones on subnet 1, has proper network access.
D: The clients on subnet 2 work correctly. There is no point in changing the scope of the DHCP server on subnet 2.
E: Only scope 1, not both scopes, has to be changed.
121. You are the administrator of your company's network.
You are configuring your Windows 2000 network to support a Simple Network Management Protocol (SNMP) management application. Your SNMP management application is installed on Server8. The application can successfully manage all computers except the servers in the west.com domain. The servers in the west.com domain have identical SNMP settings. You need to successfully manage all computers from your SNMP management application. What should you do?
A. Join Server1, Server2, Server3, and Server4 to the east.com domain.
B. Establish a trust relationship that allows the west.com domain to trust the east.com domain.
C. Configure all servers so that they have the same community name.
D. Set the send authentication trap property to 172.16.96.1 on all servers in the west.com domain.
Answer: C
Explanation: In this scenario the servers have different community names. To be able to communicate with SNMP they must have the same community name. Therefore we must configure all servers so that they have the same community name. We can assign groups of hosts to SNMP communities for limited security checking of agents and management systems, or for administration. Communities are identified by community names that we assign. A host can belong to multiple communities at the same time, but an agent does not accept a request
Incorrect Answers:
A: Joining the servers to the same domain will not solve the problem. The community names must be the same.
B: Explicit trust relationships were used in Windows NT 4.0. It is not necessary to apply them here between two Windows 2000 domains.
D: When an SNMP agent receives a request that does not contain a valid community name, or the host sending the message is not on the list of acceptable hosts, the agent can send an authentication trap message to one or more trap destinations. Authentication traps cannot be configured to send traps to particular servers based on either IP address or domain. The traps are only sent to servers with a valid community name.
122.
You are the administrator of a Windows 2000 network. You want to create a DHCP scope for the 192.168.1.32/28 subnet. The computers on this subnet are running Windows 95, Windows 98 and Windows 2000. You also have two UNIX computers on this subnet that will use static IP addresses. These UNIX computers will be assigned the two highest available IP addresses on the subnet. The subnet's default gateway will be assigned the lowest available IP address on the subnet. The scope should only include the available addresses. Which scope should you create on your DHCP server for this subnet?
A. 192.168.1.34-192.168.1.46
B. 192.168.1.34-192.168.1.44
C. 192.168.1.33-192.168.1.45
D. 192.168.1.34-192.168.1.61
E. 192.168.1.33-192.168.1.60
Answer: B
Explanation: From 192.168.1.32/28 we see that the subnet mask has 28 bits.
Subnet mask in binary: 11111111.11111111.11111111.11110000
The first IP address of the subnet is 192.168.1.32. The last IP address of the subnet is 192.168.1.32 + 0.0.0.15 = 192.168.1.47. If we analyze the subnet in more detail we get:
192.168.1.32 (subnet address, always reserved, cannot be used; all 0s in the host range)
192.168.1.33 (lowest available IP, reserved for the gateway)
192.168.1.34-44 (available host IP addresses, which can be used in the scope)
192.168.1.45-46 (highest 2 IP addresses, reserved for the UNIX machines)
192.168.1.47 (broadcast address, always reserved, cannot be used; all 1s in the host range)
And we see that the range 192.168.1.34-44 can be used for hosts. The DHCP scope must be defined for this range.
Incorrect Answers:
A: This scope includes 192.168.1.45 and 192.168.1.46, which should be reserved for the UNIX machines.
C: This scope includes 192.168.1.45, which should be reserved for one of the UNIX machines. The scope also includes 192.168.1.33, which should be reserved for the default gateway.
D: The highest available IP address of this subnet is 192.168.1.47, not 192.168.1.61.
E: The highest available IP address of this subnet is 192.168.1.47, not 192.168.1.61. The scope also includes 192.168.1.33, which should be reserved for the default gateway.
124. You are the administrator of your company's network. The network uses TCP/IP exclusively as its transport protocol. The network does not require connectivity to the Internet. You are using the address 172.30.0.0/16 for the network. To improve performance and accommodate recent company growth, you need to develop a strategy to segregate portions of the network. Your initial plan calls for 25 subnets with a maximum of 1,000 hosts per subnet. However, projected growth for the company over the next year indicates a need for at least 55 subnets with a maximum of 1,000 hosts per subnet. Which subnet mask should you configure to meet both the current and future needs of your network?
A. 255.255.240.0
B. 255.255.248.0
C. 255.255.252.0
D. 255.255.254.0
E. 255.255.255.0
Answer: C
Explanation: The subnet mask must support a minimum of 1000 hosts per subnet and at least 55 subnets. 1000 hosts per subnet requires at least 10 bits for the hosts (2^9 = 512 < 1000 < 1024 = 2^10). This leaves 22 (32 - 10) bits for the subnet mask.
Subnet mask, binary: 11111111.11111111.11111100.00000000
Subnet mask, decimal: 255.255.252.0
We should also check that this subnet mask accommodates at least 55 subnets. 172.30.0.0/16 is used for the network and the hosts require 10 bits, which leaves 6 (32 - 16 - 10) bits for the subnets. This allows 62 (2^6 - 2) subnets, which works fine.
Incorrect Answers:
A: The subnet mask 255.255.240.0 would allow 4094 (2^12 - 2) hosts and 14 (2^4 - 2) subnets. At least 55 subnets was the requirement.
B: The subnet mask 255.255.248.0 would allow 2046 (2^11 - 2) hosts and 30 (2^5 - 2) subnets. At least 55 subnets was the requirement.
D: The subnet mask 255.255.255.0 would allow 254 (2^8 - 2) hosts and 254 (2^8 - 2) subnets. At least 1000 hosts was the requirement.
125.
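The subnet arithmetic behind the 192.168.1.32/28 scope question and question 124 above, carried out in code. This is an added example, not part of the exam or its answer key; it uses only the standard-library ipaddress module, takes all inputs from the questions, and follows the exam's convention of subtracting the all-zeros and all-ones values for both subnets and hosts.

```python
"""Subnet arithmetic for the DHCP scope and subnet mask questions.

Added example, not part of the exam or its answer key. Every input
below comes from the questions themselves.
"""
import ipaddress


def dhcp_scope(subnet, reserve_low=1, reserve_high=2):
    """Return (first, last) of the usable DHCP scope for `subnet`.

    The network and broadcast addresses are never leased. `reserve_low`
    addresses at the bottom of the host range are held back (the default
    gateway in the question) and `reserve_high` at the top (the two UNIX
    hosts with static addresses).
    """
    net = ipaddress.ip_network(subnet, strict=True)
    hosts = list(net.hosts())  # hosts() already drops network and broadcast
    usable = hosts[reserve_low:len(hosts) - reserve_high]
    if not usable:
        raise ValueError(f"{subnet} has no addresses left for a scope")
    return str(usable[0]), str(usable[-1])


def mask_capacity(network, mask):
    """Return (subnets, hosts_per_subnet) when `network` is split with `mask`.

    Uses the exam's 2**n - 2 convention for both subnets and hosts.
    """
    net = ipaddress.ip_network(network, strict=True)
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    if prefix <= net.prefixlen:
        raise ValueError(f"{mask} does not subdivide {network}")
    subnet_bits = prefix - net.prefixlen
    host_bits = 32 - prefix
    return 2 ** subnet_bits - 2, 2 ** host_bits - 2


def choose_subnet_mask(network, min_subnets, min_hosts):
    """Pick the mask that leaves just enough host bits for `min_hosts`,
    then check that it still yields `min_subnets` subnets.

    Returns (dotted mask, subnet count, hosts per subnet).
    """
    host_bits = 2
    while 2 ** host_bits - 2 < min_hosts:
        host_bits += 1
    prefix = 32 - host_bits
    mask = str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)
    subnets, hosts = mask_capacity(network, mask)
    if subnets < min_subnets:
        raise ValueError(
            f"{mask} gives only {subnets} subnets of {network}; "
            f"{min_subnets} are needed")
    return mask, subnets, hosts


if __name__ == "__main__":
    # 192.168.1.32/28, lowest host for the gateway, two highest for UNIX:
    # expected scope 192.168.1.34 - 192.168.1.44 (answer B)
    print("scope:", dhcp_scope("192.168.1.32/28"))
    # 172.30.0.0/16, at least 55 subnets of 1000 hosts: expected 255.255.252.0
    print("mask:", choose_subnet_mask("172.30.0.0/16", 55, 1000))
    # Capacity of every mask offered in question 124
    for option in ("255.255.240.0", "255.255.248.0", "255.255.252.0",
                   "255.255.254.0", "255.255.255.0"):
        print(option, mask_capacity("172.30.0.0/16", option))
```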
You are the administrator of your company's network. Your company wants to analyze ISO and TP4 communications to the Microsoft Exchange Server computer on your network. To analyze this information, you install Network Monitor on a Windows 2000 Server computer located on the same segment as your Exchange Server computer. How should you configure Network Monitor? (Choose two)
A. Change the temporary capture directory.
B. Copy ISO.dll and TP4.dll to the Netmon subdirectory.
C. Copy ISO.dll and TP4.dll to the Netmon\Parsers subdirectory.
D. Modify Parser.ini.
E. Modify Netmon.ini.
Answer: C, D
Explanation: To configure Network Monitor to monitor a Microsoft Exchange server, we must first copy the Iso.dll, Iso.ini and Tp4.dll files to our NetMon\Parsers subdirectory; these files are located in the BackOffice Resource Kit. We must then make some modifications to the Parser.ini file, which is located in the NetMon directory.
Reference: How to Install ISO and TP4 Parser for Network Monitor (Q168862)
Incorrect Answers:
A: The temporary directory does not have to be changed.
B: The files ISO.dll and TP4.dll should be copied to the Netmon\Parsers subdirectory, not to the Netmon subdirectory.
E: The Parser.ini file, not the Netmon.ini file, should be modified.
126. You are the administrator of your company's network. Your network is configured to use DHCP to automate the TCP/IP configuration of client computers on your network. All client computers are running Windows 2000 Professional. To provide router and DNS server information to the client computers, you configure options at the scope level. Your network has certain computers that always require a specific address and configuration. You configure reservations in your scope for these computers. Your Internet service provider (ISP) brings a new router online, which changes your Internet gateway. You reconfigure your scope options to reflect the new router address.
Users of the computers that have the reserved addresses report that they can no longer gain access to the Internet, even after they have restarted their computers. Which two actions should you take to resolve the problem? (Choose two)
A. Use the ipconfig /release command at each client computer.
B. Use the ipconfig /renew command at each client computer.
C. Configure the scope options to include the perform router discovery option.
D. Configure the server options to include the perform router discovery option.
E. Configure the options on each address reservation to include the new router information.
Answer: B, E
Explanation: After reconfiguring the scope options for the reserved addresses, you need to renew the IP configuration on the client computers. The router address, the default gateway, has changed. The IP configuration of the computers has to be changed. This is done in the following three places:
• At the computers with static IP addresses. You have to do it manually on each of these computers. (This is not listed as an alternative in the question.)
• At the DHCP server you must configure the router information which the DHCP server will provide to the DHCP clients. This has already been done for the scope option, but not for the option on each address reservation.
• The DHCP clients, the ones with reserved IP addresses, must get the new DHCP information. This can be done with the ipconfig /renew command or by restarting the computers.
Note 1: When you use ipconfig /renew, all network adapters on the computer that use DHCP (except those that are manually configured) try to contact a DHCP server and renew their existing configuration or obtain a new configuration.
Note 2: To configure the router option for the reserved IP addresses, follow these steps: From the Administrative Tools folder, open the DHCP console, select the scope, select Reservations, right-click one reservation, choose Configure Options, select the General tab (if not already chosen), enable 003 Router, and under Data entry enter either the gateway name or the gateway IP address of the router.
Incorrect Answers:
A: ipconfig /release would just release the current TCP/IP configuration. The client would have no TCP/IP configuration.
C, D: Perform Router Discovery specifies whether the client solicits routers using the router discovery method in RFC 1256. It does not apply. We just have to configure the correct default gateway.
128. You are the administrator of a Windows 2000 domain. The domain has six Windows 2000 Server computers, 400 Windows 2000 Professional computers and 250 Windows NT Workstation 4.0 computers. Three of the Windows 2000 Server computers are DHCP servers. The other three servers are DNS servers. The TCP/IP configuration of all the Windows 2000 Professional computers and Windows NT Workstation 4.0 computers is provided by the DHCP servers. For fault tolerance all three DHCP servers are configured so that they have scopes for all the computers in the network. You configure the DHCP servers to always register and update client computer information on the configured DNS servers. To increase security, you configure the DNS zones on all DNS servers to only allow secure updates. After you perform this configuration of the DNS zones, you discover that the client computer information in the DNS zones is no longer updated correctly when IP address changes occur for Windows 2000 Professional computers and Windows NT Workstation 4.0 computers. You want IP address changes for client computers to appear correctly in DNS zones that only allow secure updates. What should you do?
A. Add the computer accounts of the three DHCP servers to the DnsUpdateProxy global security group.
B. Configure the three DNS servers to use a time to live (TTL) interval on resource records that is shorter than the lease time used by the DHCP servers.
C. Configure the three DHCP servers to enable updates for DNS client computers that do not support dynamic update.
D. On the Windows 2000 Professional computers and Windows NT Workstation 4.0 computers, configure the DHCP client computers to not release the DHCP lease at shutdown.
Answer: A
Explanation: If a DHCP server performs a secure dynamic update on a name, the DHCP server becomes the owner of that name, and only that DHCP server can update the name. This problem occurs when you use multiple Windows 2000 DHCP servers on your network and also configure your zones to allow secure dynamic updates only. The solution to this problem is to use Active Directory Users and Computers to add your DHCP server computers to the built-in DnsUpdateProxy group. This permits all of your DHCP servers the secure rights to perform proxy updates for any of your DHCP clients.
Incorrect Answers:
B: Decreasing the TTL time at the four DNS servers would increase replication between the DNS servers, but it would allow the DHCP servers to perform secure updates.
C: The DHCP servers are not able to perform secure updates.
D: This is a security problem, not a DHCP client configuration problem.
129. You are the administrator of your company's network. To automate the configuration of TCP/IP client computers and network printers on your network, you install and configure the DHCP Server service on a Windows 2000 Server computer. You also create a scope that contains the range of valid IP addresses for your network. To ensure that the TCP/IP network printers will always receive the same address, you create an exclusion range for the addresses in use by the printers. You also create address reservations for each printer. You discover that none of the printers are receiving addresses from the DHCP server.
The client computers report no configuration problems. What should you do to correct the problem?
A. Remove the address reservations for the printers.
B. Remove the exclusion range for the addresses that are in use by the printers.
C. Disable the address conflict detection feature of the DHCP Server service.
D. Enable the address conflict detection feature of the DHCP Server service.
Answer: B
Explanation: In this scenario an exclusion range exists for the IP addresses used by the printers. This prevents the DHCP server from using any of these IP addresses. The exclusion range for the printers has to be removed.
Incorrect Answers:
A: The exclusion range, not the reservation, has to be removed.
C: Address conflict detection configuration concerns how the DHCP server detects address conflicts. It will not solve the problem with the excluded IP addresses.
D: Address conflict detection configuration concerns how the DHCP server detects address conflicts. It will not solve the problem with the excluded IP addresses.
130. You are the administrator of your company's network. Your network is configured to use DHCP to automate the TCP/IP configuration of client computers on your network. The network consists of three subnets connected by a BOOTP-enabled router. All client computers are running Windows 2000 Professional. You have configured a DHCP server with a scope for each subnet as shown in the exhibit. Users on subnets 2 and 3 report that they periodically cannot access network resources. You discover that at times of high network usage, client computers on the remote subnets are being configured with addresses in the network address range of 169.254.0.0, which is not a valid address range on your network. You want to ensure that all client computers receive addresses from DHCP and do not get configured with invalid addresses. What should you do?
A. Install a DHCP server on each remote subnet and configure a subnet-specific scope on each DHCP server.
B. Install a DHCP server on each remote subnet and configure an identical scope on each DHCP server.
C. Install a DHCP relay agent on each remote subnet.
D. Create an administrative template entry in Group Policy to enable automatic private IP addressing (APIPA) in the registry of each client computer.
Answer: A
Explanation: During times of high network usage, client computers on the remote subnets are configured with IP addresses in the 169.254.x.x range. This is the APIPA range, which is used to automatically configure clients when they are unable to receive an IP configuration from the DHCP server. This apparently is a network bandwidth problem. By installing a DHCP server locally on each remote subnet and configuring it for that particular subnet, the clients would use the local DHCP server instead of the central DHCP server. This would reduce network traffic.
Incorrect Answers:
B: The DHCP servers should be configured with a local scope, not an identical scope on each of the DHCP servers. This will ensure that clients use their local DHCP server.
C: The remote clients are able to use the central DHCP server, except during times of high network usage. Installing a DHCP relay agent is not necessary and it would not reduce network traffic.
D: APIPA is enabled by default on Windows 2000 computers.
131. You are the administrator of a Windows 2000 network. The network consists of 15 Windows 2000 Server computers, 50 Windows 2000 Professional desktop computers and 200 Windows 2000 Professional portable computers. The portable computers are frequently used at locations that are not on the network. The TCP/IP configuration of all the Windows 2000 Professional computers is provided by two DHCP servers on the network. You want to configure different lease times for the desktop computers and portable computers. The desktop computers should use the default lease time. The portable computers should use a lease time of four hours.
Which three actions should you take to achieve these goals? (Choose three)
A. On the portable computers, set the DHCP class ID setting to Windows 2000 portable computer.
B. On the portable computers, set the DHCP vendor class ID setting to Windows 2000 options.
C. On the portable computers, manually configure a DHCP lease time of four hours. Allow other TCP/IP parameters to be configured by the DHCP servers.
D. On the DHCP servers, configure the scope so that it has an empty lease duration value.
E. On the DHCP servers, define a new user class that has the ID specified on the portable computers.
F. On the DHCP servers, configure the scope options to use a lease time of four hours for the portable computer user class.
G. On the DHCP servers, create a superscope that has two scope ranges. Use one scope for portable computers so that it has a lease time of four hours and one scope for desktop computers so that it has the default lease time.
Answer: A, E, F
Explanation: User classes allow DHCP clients to differentiate themselves by specifying a User Class option. When available for client use, this option includes a user-determined class ID that can help to group clients with similar configuration needs within a scope, such as providing a shorter lease time for portable computers that move frequently or use remote access often. Typically a DHCP server will be used to distribute different options that are specific to the needs of clients. In this scenario we need to: set the DHCP class ID setting to 'Windows 2000 laptop computers'; on the DHCP servers, define a new user class that has the ID specified for the portable computers; and on the DHCP servers, configure the scope options to use a lease time of four hours for the portable computer user class.
To set DHCP class ID information at a DHCP-enabled client computer running Windows 2000, we must open a command prompt and use the ipconfig command-line utility with the /setclassid switch to set the DHCP class ID the client uses when obtaining its lease from the DHCP server. To configure a user class lease time we must open the DHCP console, select the DHCP server, open the scope, right-click Scope Options, select Configure Options, select the Advanced tab, select the appropriate vendor class and user class (Windows2000LapTopComputers in this example), select 051 Lease, and enter the lease time: 14400 (4 hours = 14400 seconds).
Incorrect Answers:
B: The vendor class is defined by vendors, not by users. The vendor class cannot be used to set a specific lease time for the portable computers.
C: Lease time cannot be configured at the clients.
D: The scope should be configured to use a lease time of four hours, not an empty lease time.
G: The idea of creating a scope for a specific type of computer is not practical. Instead we should differentiate the computers by using user classes.
132. You are the administrator of a Windows 2000 domain named nwtraders.msft. You install a DHCP server at one of your company's branch offices, and you create a scope that has 60 IP addresses. Users in the branch office inform you that each time they restart their computers they receive the following error message: "DHCP is unavailable." You investigate by using the DHCP audit log, which displays the following activity:
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,12/05/99,01:19:56,Started,,,
54,12/05/99,01:19:57,Authorization failed,,nwtraders.msft,
You want to ensure that your users no longer receive the DHCP errors. What should you do?
A. Run the Jetpack command.
B. Reconcile all scopes.
C. Authorize the DHCP scope.
D. Authorize the DHCP server.
Answer: D
Explanation: The audit file shows that the DHCP service tried to start but that the authorization failed.
The reason is that the DHCP server is not authorized in Active Directory. Authorization of DHCP servers in Windows 2000 is designed to prevent rogue DHCP servers from leasing addresses illegally or incorrectly.
Incorrect Answers:
A: The jetpack command-line tool is used to manage, for example compact, the WINS database file.
B: Scopes are reconciled to renew the records of the DHCP database; reconciling is not used to start the DHCP Server service.
C: DHCP scopes must be activated, not authorized, before they can be used.
133. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000-based DHCP server, two Windows 2000-based DNS servers, a Windows 2000-based routing and remote access server and 60 Windows 2000 Professional portable computers. The DHCP server has a scope that has an IP address range of 10.65.4.20 through 10.65.4.80 with subnet mask 255.255.255.0. You want the portable computers to use the DNS server that has an IP address of 10.65.4.12 when they dial in to the routing and remote access server. The routing and remote access server gathers IP addresses from the DHCP server for distribution to the portable computers when the portable computers dial in. You configure the DHCP scope so that it has an IP address of 10.65.4.12 for the DNS Servers scope option. When users dial in to the network by using the portable computers, all portable computers receive the IP address of 10.65.4.13 for the DNS server. How should you configure the network so that the portable computers will receive the IP address of 10.65.4.12 for the DNS server?
A. Configure the DHCP server to always register and update client computer information to contain the configured DNS server.
B. Configure the routing and remote access server to use the LAN interface to obtain DHCP, DNS and WINS addresses for dial-up client computers.
C. Configure the LAN interface of the routing and remote access server to not use an IP address for the DNS server.
D. Enable the DHCP relay agent on the internal interface of the routing and remote access server. Configure the DHCP relay agent to use 10.65.4.1 as the IP address of the DHCP server.
Answer: D
Explanation: In this scenario there are two DNS servers on the network. The scope of the DHCP server has been configured to include the DNS address 10.65.4.12. But when a RAS client gets access to the network, it is configured with the IP address of the other DNS server, 10.65.4.13. This can be explained by the fact that the RAS clients are not configured by the DHCP server; instead the RRAS server supplies the IP configuration, and specifically the RAS clients get the same DNS settings as the RRAS server. The DHCPINFORM messages from the DHCP server are unable to reach the RAS clients. By enabling the DHCP relay agent on the internal interface of the RRAS server and configuring it to use the DHCP server with IP address 10.65.4.1, the DHCP relay agent will relay DHCPINFORM messages to the RAS clients and they will receive the proper IP configuration.
Incorrect Answers:
A: In this scenario the RAS clients are unable to reach the DHCP server. Furthermore, configuring the DHCP server to always register and update client computer information would help downlevel computers to register in DNS, but it will not help them get the correct IP address of the DNS server; therefore reconfiguring the DHCP server will not solve the problem.
B: In this scenario the RAS clients most likely already get the DNS and WINS settings of the RRAS server's LAN interface. But this is not the correct network configuration for the RAS clients. They must be able to get DHCPINFORM messages from the DHCP server instead.
C: The RRAS server's LAN interface must have a DNS configuration so that the RRAS server can use network resources. The RAS clients get their DNS settings from the RRAS server's LAN interface DNS settings.
If the DNS setting of the RRAS server's LAN interface is set not to contain an IP address, the RAS clients' DNS setting would also be set not to contain an IP address.
134. You are the administrator of your company's network. All client computers are DHCP clients. All servers have static IP addresses. The router is configured to forward BOOTP packets to DHCP1. While you are performing hardware upgrades to DHCP1, you inadvertently delete the DHCP database file. You have no recent backup of this database. You reconfigure the DHCP server with the correct scopes. Now you need to ensure that all computers on your network can obtain IP addresses, and that they experience no interruption in network connectivity. What should you do?
A. Add IP address reservations for the servers.
B. Run the ipconfig /release command and then the ipconfig /renew command on each client computer.
C. Configure the DHCP server to delete address conflicts.
D. Add a scope option to enable dynamic DNS on client computers.
Answer: B
Explanation: By releasing and renewing the IP configuration of the clients, they would release their current IP address configuration and obtain new IP addresses from the DHCP server. This will ensure that they obtain IP addresses from the correct scope.
Incorrect Answers:
A: The servers use static IP addresses. These addresses should either be excluded from the scope or reserved. This would also not be our first step to solve this problem; we should renew the IP configuration on the clients.
C: We cannot configure a DHCP server to delete address conflicts. We can use address conflict detection to make the DHCP server check whether an IP address is in use before it leases it to a client, but this is not the problem in this scenario.
D: Dynamic DNS is enabled by default on Windows 2000 computers.
135. You are the administrator of your company's network, which currently consists of a single Token Ring network segment.
You reconfigure the network to consist of two separate segments. All client computers run Windows NT Workstation 4.0, and all are DHCP clients. All client computers also run third-party TN3270 terminal emulation client software to connect to the mainframe computer. All servers have static IP addresses. Users now report that they cannot access Internet resources. They report no problems accessing resources on the mainframe computer. From Client1, you ping a well-known Internet host. You receive the following error message: "Destination host unreachable." You must ensure that client computers can access Internet resources without affecting connectivity to the mainframe computer. What should you do?
A. Configure a DHCP global DNS option to be a DNS server on the Internet. Configure a Hosts file entry for the mainframe computer on each client computer.
B. For DHCP clients on SegmentA, configure a DHCP scope Router option to be Router2. Configure a DHCP scope Static Route option to specify the route to the mainframe computer.
C. In the protocol binding properties for the client computers, move the DLC protocol below the TCP/IP protocol.
D. Disconnect Router2 from SegmentA. Connect Router2 to SegmentB.
Answer: B
Explanation: The clients are able to reach the mainframe on SegmentB, but they are unable to access the Internet. The attempt to reach the Internet using an IP address also failed (the ping command failed), so this is not a DNS problem. In this scenario the clients on SegmentA are configured with a default gateway setting of Router1's SegmentA interface, since the clients are able to reach the mainframe. To solve this problem the clients must be configured to use both routers. By creating a static route to the mainframe computer and by configuring the DHCP server scope Router option to Router2, the clients would be able to access both the mainframe and the Internet.
Incorrect Answers:
A: Pointing the DHCP DNS option at an Internet DNS server does not provide Internet access; the ping by IP address already fails, and the clients still would not be able to use Router2. The clients must be configured to use Router2, preferably by making Router2 their default gateway.
C: Changing the protocol binding order on the clients does not change how IP packets are routed and would not provide Internet access.
D: Moving Router2 to SegmentB would not solve the Internet connectivity problem; on the contrary, it would require even more configuration, since the clients on SegmentA would then have to pass through two routers to reach the Internet.

136. You are the administrator of your company's network. All client computers run Windows 2000 Professional. All servers run either Windows 2000 Server, Windows NT Server 4.0, or UNIX. All DNS servers run versions of BIND prior to 4.9.4. You are planning a migration to an Active Directory domain structure. You install the DNS Server service on several Windows 2000 member servers, choosing all default settings. Now you need to migrate your existing DNS records to the new DNS servers, while maintaining your existing DNS servers as secondary DNS servers. Your solution must involve the fewest possible changes to your current network configuration. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Upgrade all BIND versions to 8.2.2.
B. Disable fast zone transfers.
C. Copy and rename all zone files from the UNIX DNS servers to the systemroot\System32\DNS folder on the new DNS servers.
D. Initiate a zone transfer from the new DNS servers to the UNIX DNS servers.
E. Configure the new DNS servers with primary DNS zones. Configure the UNIX DNS servers as secondary zone servers.
F. Configure the new DNS servers with Active Directory integrated zones. Configure the UNIX DNS servers as secondary zone servers.
Answer: B, D, E
Explanation: By default, Windows-based DNS servers use a fast zone transfer format, which compresses the data and packs multiple records into each TCP message during a transfer. This format is understood only by BIND 4.9.4 and later; the existing servers run older versions, so the first step is to disable fast zone transfers on the Windows 2000 DNS servers (the "BIND secondaries" option on the Advanced tab of the server properties turns the compressed format off). Next, the zone data has to be brought onto the new servers and the roles swapped. The supported sequence is: on each new Windows 2000 DNS server, use the DNS console to create secondary zones for all existing zones, with the BIND servers as master servers; initiate the zone transfers from the Windows 2000 DNS servers so that the zones are pulled from the BIND servers; after the transfers complete, convert the zones that came from primary zones on the BIND servers into primary zones on the Windows 2000 servers; then, for the zones that remain secondary on the BIND servers, change their master server setting to point at the new Windows 2000 primaries, so that zone transfers now flow from the new DNS servers to the UNIX DNS servers. Disabling fast zone transfers, transferring the zones to the UNIX secondaries, and making the new servers primary is the combination B, D and E.
Incorrect Answers:
A: Upgrading the UNIX servers to BIND 8.2.2 would allow fast zone transfers, but the solution must involve the fewest possible changes; enabling BIND secondaries (disabling fast zone transfers) on the Windows 2000 DNS servers is far less administrative effort than upgrading every UNIX DNS server.
C: Copying and renaming the zone files from the UNIX servers into systemroot\System32\DNS on the new servers would work, but it is more administrative effort and more error-prone than simply initiating a zone transfer from a Windows 2000 DNS server.
F: Active Directory integrated zones can only be hosted on domain controllers, and the new DNS servers are member servers; the migration to Active Directory has not happened yet. Standard primary zones are required here.

137. You are the administrator of your company's network, which consists of a single Windows 2000 domain. The network includes two domain controllers running Windows 2000 Server and two backup domain controllers running Windows NT 4.0. Another Windows 2000 Server computer named VPN1 runs Routing and Remote Access. All client computers run Windows 2000 Professional. Employees who travel to customer sites use company-issued portable computers. These computers are configured for smart card support with company-issued certificates. Traveling employees dial in to VPN1 for network access. You need to configure VPN1 to ensure that virtual private network (VPN) connections are as secure as possible. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Require Microsoft Point-to-Point Encryption (MPPE) for all dial-up users.
B. Require L2TP/IPSec tunnel connections for all dial-up users.
C. Require PPTP tunnel connections for all dial-up users.
D. Require MS-CHAP v2 authentication for all dial-up users.
E. Require EAP smart cards or certificates for authentication for all dial-up users.
Answer: B, E
Explanation: The portable computers are configured for smart card support with company-issued certificates. Only the Extensible Authentication Protocol (EAP, with the Smart Card or other Certificate method, EAP-TLS) supports smart card authentication, so EAP must be required. Windows 2000 offers two tunneling protocols, PPTP and L2TP/IPSec. L2TP/IPSec authenticates the endpoints with certificates and protects the tunnel with IPSec, whereas the MPPE encryption of Microsoft's PPTP implementation is only as strong as the authentication that produces its keys (with MS-CHAP, the user's password), so L2TP/IPSec is the more secure tunnel. A VPN tunnel is established over whatever IP connection the client has, including a dial-up link to its ISP, so nothing prevents L2TP/IPSec from being used by travelling users. Requiring L2TP/IPSec and EAP certificate authentication gives the most secure configuration.
Incorrect Answers:
A: MPPE is the encryption used with PPTP (and with plain PPP dial-up) connections; it is not used with L2TP/IPSec, which is encrypted by IPSec.
C: PPTP works, but with the certificate infrastructure already in place L2TP/IPSec is more secure, and the question asks for the most secure configuration.
D: MS-CHAP v2 is a password-based protocol; only EAP can be used for smart card authentication.

140. You are the administrator of your company's network, which includes two Windows 2000 Server computers named Gate1 and Apps2. The network also includes 50 client computers running Windows 2000 Professional. Apps2 runs a custom client/server application that is used to store confidential information. Gate1 runs Routing and Remote Access and provides connectivity to your company's Internet service provider by means of an ISDN connection. Gate1 also accesses information stored on Apps2. Client computers use Gate1 to access Internet resources. You need to ensure that all communications with Apps2 are secure and encrypted. You apply the Secure Server IPSec policy to Apps2 and to Gate1, and you apply the Client IPSec policy to all 50 client computers. Users now report that they cannot access any Internet resources. On investigation, you discover that Gate1 connects to your ISP and then immediately drops the connection. You must ensure that Gate1 can be used to access Internet resources. You must also ensure that communications with Apps2 remain encrypted. What should you do?
A. Remove the Client IPSec policy from all 50 client computers.
B. Remove the Secure Server IPSec policy from Gate1 and assign the Server IPSec policy on Gate1.
C. Remove the Secure Server IPSec policy from Gate1 and assign the Client IPSec policy on Gate1.
D. Remove the Secure Server IPSec policy from Apps2 and assign the Server IPSec policy on Apps2.
Answer: B
Explanation: The three built-in policies behave differently toward peers that are not IPSec-aware. Secure Server (Require Security) never allows unsecured communication: every session must be protected or it is dropped. Server (Request Security) tries to negotiate security for every session but falls back to clear text if the peer does not respond to IPSec. Client (Respond Only) never initiates IPSec but negotiates security when a peer asks for it. Gate1 is running Secure Server (Require Security), so as soon as its ISDN link comes up it demands IPSec from the ISP's equipment, which is not IPSec-aware, and the connection is dropped. Replacing Secure Server with Server (Request Security) on Gate1 lets the Internet connection proceed in clear text while IPSec is still negotiated with every host that can. Traffic with Apps2 stays encrypted because Apps2 still requires security, and the 50 client computers, with the Client policy already applied, respond to the negotiation that Gate1 or Apps2 initiates. Note that Request Security falls back to clear text with any peer that does not answer, so it is only acceptable where, as here, the hosts that matter either require or respond to IPSec.
Incorrect Answers:
A: Removing the Client IPSec policy from the 50 client computers would leave them unable to respond to IPSec negotiation, so Gate1 and Apps2, both still requiring security, would refuse all connections from them; the Internet problem on Gate1 would remain.
C: With Client (Respond Only) on Gate1, Gate1 would no longer initiate IPSec, so its connections to the clients would be in clear text.
D: Changing the policy on Apps2 does not help. Gate1 would still require security and still drop its Internet connection.

141. You are the network administrator for your company. For a test lab, you configure a single, dedicated network segment that consists of five servers and 40 client computers. The test lab must have connectivity to your production network. You are given an IP address range of 192.168.5.66 to 192.168.5.127 to use for the test lab. You decide to configure one of the test lab servers as a Windows 2000 DHCP server. This server will automatically provide IP addressing information to the other computers in the test lab. You manually configure a static IP address and subnet mask of 192.168.5.10/24 on the new DHCP server.
You create a scope on the DHCP server for the 192.168.5.64/26 subnet. The scope includes an IP address range of 192.168.5.66 to 192.168.5.127. You successfully activate the scope on the DHCP server, but none of the DHCP clients can receive an IP address lease. How should you correct this problem?
A. Edit the network address for the scope to be 192.168.5.0/24.
B. Edit the network address for the scope to be 192.168.5.0/26.
C. Edit the IP address and subnet mask of the DHCP server to be 192.168.5.65/26, and configure an exclusion for that IP address in the DHCP scope.
D. Edit the IP address and subnet mask of the DHCP server to be 192.168.5.66/26, and configure an exclusion for that IP address in the DHCP scope.
Answer: D
Explanation: A DHCP server answers a broadcast DHCPDISCOVER from the scope whose subnet matches the interface on which the request arrived. The server's interface is 192.168.5.10/24, but the scope describes 192.168.5.64/26; the two do not match, so no scope is selected and no lease is offered. Giving the DHCP server the address 192.168.5.66/26, inside the lab subnet and inside the assigned range, makes the interface and the scope agree; excluding 192.168.5.66 from the scope prevents the server from leasing its own address to a client. (Note that 192.168.5.127 is the broadcast address of 192.168.5.64/26, so in practice the last usable address of the range is 192.168.5.126.)
Incorrect Answers:
A: Changing the scope to 192.168.5.0/24 would make it match the server's interface and leases would be offered, but the clients would then receive a /24 mask that does not describe the lab subnet you were given, and it is not necessary to use a scope that large.
B: 192.168.5.0/26 covers 192.168.5.0 to 192.168.5.63, which does not even contain the assigned range, and the /26 scope still would not match the server's /24 interface.
C: You were given the range 192.168.5.66 to 192.168.5.127. The address 192.168.5.65 is outside that range.

142. You are the administrator of your company's network, which includes one Windows 2000 domain in native mode. Four servers on the network are available for remote users. All four are member servers running Windows NT Server 4.0 and the Routing and Remote Access Service. Currently, remote access is administered individually by Active Directory user attributes. You want to administer remote access by using centralized remote access policies. Which two courses of action should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Configure the four servers as RADIUS clients.
B. Change the domain to mixed mode.
C. Configure the four servers as domain controllers in their own Windows NT 4.0 domain. Create a one-way trust from the Windows NT 4.0 domain to the Windows 2000 domain.
D. On a Windows 2000 member server, configure the Internet Authentication Service. Create a remote access policy on the IAS server.
E. On a Windows 2000 member server, configure the Internet Authentication Service. Create a remote access policy on a domain controller to administer all remote users.
Answer: A, D
Explanation: IAS is Microsoft's Remote Authentication Dial-In User Service (RADIUS) server. RADIUS is a network protocol that provides centralized authentication, authorization and accounting for users who connect through a network access server (NAS). A network access server such as Windows Routing and Remote Access can act as a RADIUS client, forwarding its authentication and authorization requests to the RADIUS server. To centralize management: install IAS on a Windows 2000 member server, create the remote access policy on the IAS server, and configure the four Windows NT 4.0 RRAS servers as RADIUS clients of IAS (each client is registered on the IAS server by address with a shared secret, and each RRAS server is pointed at IAS for authentication and accounting). The policy is then evaluated in one place for every connection, whichever server the user dials.
Incorrect Answers:
B: A native mode Windows 2000 domain cannot be changed back to mixed mode, and it would not help: IAS and RADIUS work with Windows NT 4.0 RRAS servers as they are.
C: Making the four servers domain controllers in a separate Windows NT 4.0 domain moves administration away from the Windows 2000 domain instead of centralizing it; with IAS no such restructuring is needed.
E: The remote access policy is held and evaluated on the IAS server, not on a domain controller; domain controllers do not store remote access policies.

143. You are the administrator of your company's network, which consists of a single segment. The network includes 100 client computers running Windows 2000 Professional and four servers running Windows 2000 Server. A server named AppSrv1 runs a client/server application that is used by every employee in the company. Users report that network response times are very slow.
When you examine the client/server application, you discover that it is transmitting large amounts of data to one client computer in the network. The application does not indicate which computer is receiving the data. You need to identify this computer. What should you do?
A. Run Performance Monitor on your client computer. Create an alert that fires when network utilization exceeds 75 percent.
B. Run Performance Monitor on AppSrv1. Create an alert that fires when network utilization exceeds 75 percent.
C. Install Network Monitor on your client computer by using the Windows 2000 Server CD-ROM. Run Network Monitor and create a filter to capture packets sent to any client computer.
D. Install Network Monitor on your client computer by using the Windows 2000 Server CD-ROM. Run Network Monitor and create a filter to capture packets containing the Ethernet address of AppSrv1.
Answer: D
Explanation: Only a packet capture can show which computer the data is going to. The capture filter should restrict the trace to frames containing the Ethernet (MAC) address of AppSrv1, so that only the traffic of the client/server application running on AppSrv1 is captured; the destination address of the large frames then identifies the receiving client. Note that the Network Monitor version on the Windows 2000 Server CD-ROM captures only frames sent to or from the computer on which it runs; to see frames between AppSrv1 and a third host you would run it on AppSrv1 itself, or use the full version that ships with Systems Management Server, which captures all frames on the segment.
Incorrect Answers:
A: Performance Monitor (the Performance console) reports utilization counters; it does not show addresses. Network Monitor is the tool for examining traffic.
B: As for A: a utilization alert on AppSrv1 tells you the link is busy but not which client is receiving the data.
C: A filter for packets sent to any client computer captures everything on the segment; the filter should match only the traffic of AppSrv1.

144. You are the administrator of your company's network, which serves a single site with 150 users. The network includes eight servers running Windows 2000 Server. One server hosts your internal web site. All servers have static IP addresses in the range from 10.1.1.2 through 10.1.1.10. All client computers run Windows 2000 Professional and are DHCP clients, using an address range of 10.1.1.11 through 10.1.1.200. You need to provide Internet access to internal users.
To do so, you plan to use a pool of 100 IP addresses supplied by a contracted Internet service provider. Your solution must involve the least possible administrative effort. What should you do? (Select two.)
A. Allow all client computers to use Automatic Private IP Addressing for IP address assignment. Configure all servers to use static IP addresses in the 192.168.0.0 subnet.
B. Install a server for network address translation. Add the IP address of the private interface of this server to the excluded range on your DHCP server. Change the IP address of the private interface for the Network Address Translation protocol to 10.1.1.201.
C. Install a server for network address translation and enable the default DHCP allocator. Add the existing server addresses to the excluded range. Change the IP address of the private interface for the Network Address Translation protocol to 10.1.1.201.
D. Map internal addresses and port numbers of your servers to the pool of IP addresses and port numbers assigned by your Internet service provider.
Answer: B, D
Explanation:
B: The internal network uses private 10.1.1.0 addresses, so an address translation scheme is needed; the NAT routing protocol in Routing and Remote Access is sufficient. The NAT server's private interface needs a static address outside the DHCP range (10.1.1.201), and that address must be excluded from the existing DHCP scope so that it is never leased to a client.
D: With NAT the pool of public addresses from the ISP is configured on the public interface; mapping the internal servers' addresses and ports to public addresses and ports in that pool (special ports) makes the internal servers, including the web server, reachable from the Internet.
Incorrect Answers:
A: Automatic Private IP Addressing does not provide Internet access, and renumbering the servers into 192.168.0.0 is unnecessary work; address translation, either NAT or a proxy server, is what is required.
C: The NAT DHCP allocator and a full DHCP server cannot both hand out addresses on the same segment. The network already has a DHCP server, so the allocator must stay disabled.

145. You are the administrator of your company's network.
The network includes two UNIX DNS servers, three UNIX file servers, one Windows 2000 DHCP server, and 100 Windows 2000 Professional computers. All Windows 2000 Professional computers are configured to obtain IP address assignments from the DHCP server. The DHCP server is configured to assign the addresses of both DNS servers to all clients for name resolution. You want to replace your UNIX DNS servers with Windows 2000 DNS servers. You install the DNS Server service on a new Windows 2000 Server computer. You configure this server to require secure dynamic updates. You update the DHCP scope to assign the address of the new DNS server to all client computers, and to stop issuing the addresses of the UNIX DNS servers. Three days later, users report that they cannot access resources located on the UNIX file servers. You need to ensure that all users can access the resources on the UNIX file servers. What should you do?
A. Install the DHCP Relay Agent on a Windows 2000 Professional computer located on the same subnet as the UNIX file servers.
B. Reconfigure the new DNS server so that it does not require secure dynamic updates.
C. Create A (host) records on the new DNS server that point to the UNIX file servers.
D. Create SRV (service) records that point to the UNIX file servers.
E. Create CNAME (canonical name) records that point to the UNIX file servers.
Answer: C
Explanation: The UNIX file servers were reachable while the clients used the UNIX DNS servers, which held their records. The new Windows 2000 DNS server started with an empty zone and requires secure dynamic updates. The Windows 2000 clients register themselves in the zone dynamically, but the UNIX file servers do not register themselves, so no records for them exist on the new server. The failure appeared only after a delay because clients do not pick up the changed DNS server option until they renew their DHCP leases. The A (host) records for the UNIX file servers must be added manually on the Windows 2000 DNS server.
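As an added example that is not part of the original exam material, the following Python parses a small zone written in standard zone-file notation and resolves names the way a client resolver does, following CNAME aliases. It shows why answer C works and why a CNAME alone (answer E) does not: an alias whose target has no A record resolves to nothing. The zone contents, host names and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample zone (no zone data is on the page): the state after the
# administrator has added A records for the three UNIX file servers by hand,
# plus one alias whose target was never given an A record.
ZONE_TEXT = """
; example.com. as held on the new Windows 2000 DNS server
ws01.example.com.    IN A      10.1.1.50   ; registered dynamically by a Windows 2000 client
unixfs1.example.com. IN A      10.1.1.21   ; added manually (answer C)
unixfs2.example.com. IN A      10.1.1.22
unixfs3.example.com. IN A      10.1.1.23
files.example.com.   IN CNAME  unixfs1.example.com.
old.example.com.     IN CNAME  unixfs9.example.com.  ; target has no A record
"""

UNIX_FILE_SERVERS = ["unixfs1.example.com.", "unixfs2.example.com.", "unixfs3.example.com."]


def parse_zone(text):
    """Parse 'owner IN TYPE rdata' lines into a dict: owner -> [(type, rdata)].
    Comments (;) and blank lines are ignored; names are lower-cased because
    DNS names are case-insensitive.  A records must carry a valid IPv4 address."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        rtype = rtype.upper()
        if rtype == "A":
            ipaddress.IPv4Address(rdata)          # raises on a malformed address
        elif rtype == "CNAME":
            rdata = rdata.lower()
        records.setdefault(owner.lower(), []).append((rtype, rdata))
    return records


def resolve_a(records, name, max_chain=8):
    """Return the A records for a name, chasing CNAME aliases like a resolver.
    Returns [] when the name, or the end of its CNAME chain, has no A record,
    which is what the clients hit for the unregistered UNIX file servers.
    max_chain guards against CNAME loops."""
    name = name.lower()
    for _ in range(max_chain):
        rrset = records.get(name, [])
        addrs = [rdata for rtype, rdata in rrset if rtype == "A"]
        if addrs:
            return addrs
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return []
        name = cnames[0]
    return []


def missing_a_records(records, hosts):
    """Hosts that cannot register themselves and still resolve to nothing."""
    return [h for h in hosts if not resolve_a(records, h)]


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for name in ("unixfs1.example.com.", "files.example.com.", "old.example.com."):
        print(name, "->", resolve_a(zone, name) or "no address")
    print("still missing:", missing_a_records(zone, UNIX_FILE_SERVERS))
```

Running missing_a_records against the zone as it stood before the manual additions (only the dynamically registered Windows client present) lists all three UNIX file servers, which is the check to run after any DNS migration for hosts that do not use dynamic update.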
Incorrect Answers:
A: The DHCP Relay Agent is a Routing and Remote Access component and can only be installed on Windows 2000 Server computers, not on Windows 2000 Professional; it has nothing to do with name resolution in any case.
B: The UNIX file servers are not registering themselves dynamically, so dropping the "require secure dynamic updates" setting on the zone gains nothing and merely weakens the zone: any host could then overwrite records.
D: The UNIX file servers are not advertising a service that clients locate through DNS, so SRV (service) records are not needed; clients look up the host name, which needs an A record.
E: CNAME (canonical name) records create aliases for names that already have A records. No A record exists for the UNIX file servers on the new server, so a CNAME alone would point at nothing and would still need an A record behind it.

146. You are the administrator of your company's network. Your DMZ network includes a DHCP server that provides IP addressing information to remote users. The relevant portion of the DMZ is configured as shown in the exhibit. Every five minutes, the management servers collect performance and security log information from all servers on Segment A. You need to ensure that the DHCP server cannot issue IP addressing information to any DHCP clients on Segment A. Your solution must be effective even if a valid scope for that segment is created on the DHCP server. What should you do?
A. Disable the DHCP service binding to network adapter A.
B. Disable TCP/IP binding to network adapter A.
C. Disable NetBIOS over TCP/IP binding to network adapter A.
D. Disable the Client for Microsoft Networks on network adapter A.
Answer: A
Explanation: Removing the DHCP Server service's binding to network adapter A stops the service from listening on that interface, so no DHCPOFFER can ever be sent onto Segment A, whatever scopes exist. This is the precise control: it leaves TCP/IP on the adapter in place, so the management servers can still collect the logs from the DHCP server every five minutes. To selectively set DHCP server bindings for network connections:
1. Open DHCP.
2. In the console tree, click the applicable DHCP server.
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. Click Bindings.
6.
In the Bindings dialog box, in the list of connections and server bindings, select or clear the check boxes for the statically configured network connections that should be enabled or disabled for use by the DHCP server.
7. Click Apply.
Incorrect Answers:
B: Disabling the TCP/IP binding on the interface would stop all TCP/IP traffic on adapter A, including the log collection by the management servers; it might result in a total loss of connectivity on that segment.
C: NetBIOS over TCP/IP is a name resolution (WINS) setting; disabling it does not prevent the DHCP server from leasing addresses on the interface.
D: Client for Microsoft Networks is the SMB client component; disabling it does not prevent the DHCP server from issuing IP addressing information on Segment A.

147. You are the administrator of your company's network, which links your main office and one branch office. The network includes servers and client computers running Windows NT 4.0 in addition to servers and client computers running Windows 2000. You use both WINS and DNS for name resolution. A computer named Remote1, located at the branch office, runs Windows NT Server 4.0 and the Routing and Remote Access Service. Remote1 is connected by means of a demand-dial connection to Corp1, which is located at the main office. Corp1 runs Windows 2000 Server and Routing and Remote Access. Corp1 also functions as your WINS server and DNS server. Regular analysis of the WINS Administrator statistics on Corp1 reveals that queries fail more often than they succeed. Using Network Monitor, you discover failed queries from Remote1 to Corp1 for the name JSPNRMPTGSBSSDIR. Further investigation reveals that the name is a broadcast from Remote1 for a non-registering service. Client computers can still connect to necessary resources. However, network traffic is increasing because of broadcast traffic and large numbers of log entries. You want to stop the broadcast queries from Remote1. What should you do?
A.
Create a static entry in the WINS database for JSPNRMPTGSBSSDIR. Map the entry to the IP addresses of the network adapters in Remote1.
B. Install WINS on Remote1, configured as a replication partner with Corp1.
C. Add an entry to the LMHOSTS file on Remote1 for JSPNRMPTGSBSSDIR as the IP address of the local RRAS interface on Remote1.
D. Manually register JSPNRMPTGSBSSDIR on Corp1 by running the nbtstat -RR command.
Answer: C
Explanation: The name JSPNRMPTGSBSSDIR is queried regularly by any Windows NT Server or Workstation computer running the Windows NT Remote Access Service (RAS); the query is normal behaviour, and because the name is never registered every lookup fails. In this scenario the WINS and DNS server sit on the far side of a demand-dial router, so the queries generate unnecessary traffic across that link and failures in the WINS statistics. A Network Monitor trace at the main office shows the queries for the name JSPNRMPTGSBSSDIR. Microsoft gives two possible solutions:
I. Create an LMHOSTS file with the entry "x.x.x.x JSPNRMPTGSBSSDIR #PRE", where x.x.x.x is an IP address associated with the RAS server's network interface card. The #PRE tag preloads the entry into the NetBIOS name cache, so the name is answered locally and is never queried across the link. This corresponds to answer C.
II. Create an A record for JSPNRMPTGSBSSDIR in the domain for which the DNS server is authoritative. This is not offered as an option here.
Reference: RAS Service Broadcasts Name Query Every Two Minutes (Q150820); WINS Statistics Show More Failures Than Successes (Q151475).
Incorrect Answers:
A, B, D: The problem, a remote Windows NT 4.0 RAS server querying for the NetBIOS name JSPNRMPTGSBSSDIR, is described in Q150820 and Q151475. A static WINS mapping, a WINS replication partner on Remote1, and nbtstat -RR on Corp1 (which only re-registers Corp1's own names) are not among the solutions given there, and none of them stops Remote1 from sending the query across the demand-dial link.

148. You are the administrator of your company's network, which consists of a single Windows 2000 domain. The network contains 5,000 client computers running Windows 2000 Professional. The network also contains two domain controllers named DC1 and DC2. The relevant portion of your network configuration is shown in the exhibit.
Users now report that their computers often start very slowly. Users also report that they are often unable to access network resources. When you monitor the network, you discover that each DHCP server is issuing DHCPNACK messages to the other DHCP server and to requesting client computers. Which two actions should you perform to correct this problem? (Each correct answer presents part of the solution. Choose two.)
A. Authorize DHCP-Svr1 in the domain.
B. Authorize DHCP-Svr2 in the domain.
C. Set an exclusion range of 172.30.50.0 to 172.30.100.254 on DHCP-Svr1.
D. Set an exclusion range of 172.30.0.100 to 172.30.49.254 on DHCP-Svr2.
E. Enable conflict detection on each DHCP server.
F. Disable conflict detection on each DHCP server.
G. Increase the lease duration on each DHCP server.
H. Decrease the lease duration on each DHCP server.
Answer: C, D
Explanation: The scopes of the two DHCP servers overlap, which is a configuration error. Each server leases addresses that the other also leases, and when a client tries to renew a lease that the other server does not know about, or has already given to someone else, that server answers with a DHCPNACK. The client must then start over with a new DHCPDISCOVER, which is why startup is slow and resources are intermittently unreachable. Never configure multiple DHCP servers on the same LAN with overlapping address ranges. The fix is to split the range: exclude one half of the addresses on DHCP-Svr1 and the other half on DHCP-Svr2. The two scopes then describe the same subnet without overlapping, and DHCP keeps working from the remaining server if one of them fails (a split-scope design; it is 50/50 here, an 80/20 split is also common).
Incorrect Answers:
A: A Windows 2000 DHCP server must be authorized in Active Directory before it will serve clients. Both servers are already issuing DHCPNACKs, so both are already running and authorized. Authorization exists to stop rogue DHCP servers from handing out bad configurations; it does not repair overlapping scopes.
B: As for A: the servers are already running, so they are already authorized.
E: Conflict detection (pinging an address before offering it) might reduce duplicate addresses somewhat, but the overlapping scopes would still produce DHCPNACKs and keep the two databases inconsistent.
F: Conflict detection is disabled by default, so disabling it changes nothing.
G: The overlapping scopes are the problem, not the lease duration.
H: The overlapping scopes are the problem, not the lease duration.

149. You are the network administrator for Trey Research. Your network contains a single Windows 2000 domain named treyresearch.com. All servers and client computers on the network use static TCP/IP addresses. You decide to implement DHCP on your network. You install Windows 2000 Server on a new computer named Tcpipsvr. You configure the server as a domain controller in a new domain named addressing.treyresearch.com, which is a child domain of treyresearch.com. You install the DHCP service on Tcpipsvr. However, the service will not start. How should you correct this problem?
A. Configure the DHCP service to use a domain administrator account to log on to the domain.
B. Demote Tcpipsvr to a stand-alone server. Add Tcpipsvr to treyresearch.com.
C. Log on to Tcpipsvr as an enterprise administrator and authorize Tcpipsvr.
D. Log on to a treyresearch.com domain controller as a domain administrator. Run the Delegation of Control wizard on addressing.treyresearch.com.
E. Log on to addressing.treyresearch.com as a domain administrator and authorize Tcpipsvr.
Answer: C
Explanation: A Windows 2000 DHCP server that belongs to an Active Directory forest must be authorized in Active Directory before it will serve clients; an unauthorized server finds that it is not on the list of authorized servers and shuts its service down. This feature exists to stop rogue DHCP servers from causing problems. The list of authorized servers is stored in the configuration naming context, which is forest-wide, so authorization is performed by a member of the Enterprise Admins group, regardless of which domain the server is in.
Incorrect Answers:
A: The DHCP Server service runs in the LocalSystem context. Running it under a domain administrator account is unnecessary, is a security risk, and would not make the service start, because the server would still be unauthorized.
B: Demoting Tcpipsvr and joining it to treyresearch.com as a member server changes nothing: a DHCP server in the forest must still be authorized before it will run.
D: The Delegation of Control wizard assigns permissions at the OU level in the child domain.
It would not make the DHCP server start.
E: The authorization must be performed by an enterprise administrator, not by an administrator of the child domain.

150. You are the administrator of your company's network, which consists of a single Windows 2000 domain. The relevant portion of its configuration is shown in the exhibit. RAS1 is a Windows 2000 Server computer running Routing and Remote Access. Your firewall is a hardware-based firewall solution that supports port filtering and Generic Routing Encapsulation (GRE) packet editing. All computers on your internal subnet use private IP addresses in the 10.x.x.x range. The firewall provides network address translation for Internet access. Company employees must be able to use the Internet to connect to your internal subnet. You need to ensure that the connections are as secure as possible. Which three courses of action should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Configure the client computers to dial in to RAS1 by using an L2TP virtual private network. Configure RAS1 to accept L2TP connections.
B. Configure the client computers to dial in to RAS1 by using a PPTP virtual private network. Configure RAS1 to accept PPTP connections.
C. Configure the firewall to route incoming traffic on the PPTP port to RAS1.
D. Configure the firewall to route incoming traffic on the L2TP port to RAS1.
E. Configure the firewall to edit the GRE call ID on incoming GRE packets.
F. Install a server encryption certificate on RAS1.
Answer: B, C, E
Explanation:
B: The firewall performs network address translation, and Windows 2000 L2TP/IPSec cannot pass through a NAT: the IPSec negotiation (IKE) ties the security association to the original addresses, AH integrity-protects the IP header, and ESP carries no port numbers that the translator could rewrite (Windows 2000 has no IPSec NAT traversal). L2TP without IPSec provides no encryption at all, so it would not meet the security requirement. The clients and the RAS server must therefore be configured for PPTP, which the firewall can handle with GRE editing.
C: PPTP uses TCP port 1723 for its control channel. Incoming traffic on that port must be forwarded to RAS1.
E: The tunneled data of a PPTP connection is carried in GRE (IP protocol 47) packets, which have no TCP or UDP ports; GRE uses call ID numbers to distinguish sessions. A VPN server can sit behind a NAT firewall only if the firewall can edit the GRE call ID of incoming packets and forward them to RAS1, which this firewall supports.
Reference: TechNet: VPNs and Network Address Translators.
Incorrect Answers:
A: L2TP/IPSec cannot be used through the NAT firewall on Windows 2000.
D: Forwarding the L2TP port (UDP 1701) would not help, because the IPSec protection that makes L2TP secure cannot cross the NAT; PPTP, not L2TP or L2TP/IPSec, must be used.
F: PPTP encrypts the tunnel with MPPE, keyed from the user authentication; a server encryption certificate plays no part in that and would not improve the tunnel's encryption.

151. You are the network administrator for the Baldwin Museum of Science. Your network includes a member server named Inet1, which is connected to the Internet. Inet1 runs Windows 2000 Server. Your institution sponsors joint research projects with Trey Research, whose main laboratory is located in another city. The Trey Research network includes a PPTP server named Trey3. You need to create a demand-dial router connection to this server. You create a virtual private network demand-dial interface on Inet1. You use a domain account to configure the dial-out credentials, accepting default settings. However, you change the VPN server type from automatic to PPTP. When you try to connect to Trey3, you receive an error message stating that access is denied. How should you correct this problem?
A. Change the tunnel type to L2TP/IPSec. Configure an IPSec policy on Inet1 and Trey3 for pre-shared key authentication.
B. Ensure that a new user account is created on Trey3. Change the dial-out credentials on Inet1 to use the new account.
C. For the dial-out account on Inet1, obtain a certificate from a commercial certificate provider trusted by the Trey Research domain.
D. Ensure that the default remote access policy is removed from Trey3. On Inet1, change the VPN server type to automatic.
Answer: C
Explanation: Three authentication methods are available when forming a VPN: Kerberos 5, certificates and a preshared secret key. The two most scalable methods, Kerberos and certificates, require Active Directory. Certificate authentication also requires access to a CA (certificate authority). If the two computers are in the same domain or in a trusted domain, you can use Kerberos authentication. By obtaining a certificate from a commercial certificate provider trusted by the Trey Research domain, Inet1 would be able to be authenticated by Trey3.
Incorrect Answers:
A: To use pre-shared key authentication, the L2TP/IPSec tunnel type must be used, the registry must be edited, and the IPSec policy must be configured for the pre-shared key. The registry has not been edited. Note: To implement the pre-shared key authentication method for use with an L2TP/IPSec connection, we must add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers. We must then manually configure an IPSec policy before an L2TP/IPSec connection can be established between two Windows 2000-based computers.
B: Inet1 and Trey3 do not belong to the same domain. Therefore Kerberos authentication is not possible.
D: Removing the default remote access policy from Trey3 would make it harder to get remote access.

152. You are the administrator of your company's network, which consists of a single Windows 2000 domain. All employees use company-issued portable computers that run Windows 2000 Professional. These computers have computer accounts in the company's domain. These computers also contain a smart card reader, which is the only means of authentication for their users. You need to provide secure access to network resources for users who work remotely. You enable Routing and Remote Access on a stand-alone Windows 2000 Server computer that is connected to the Internet. You also create ports for 25 PPTP virtual private network connections.
You verify that all VPN client connections are configured correctly. To ensure security, you create a routing and remote access policy and configure authentication as shown in the exhibit. What should you do?
A. Join the VPN server to the domain and select Smart card or other certificate for the EAP method in the remote access policy.
B. Configure 25 L2TP ports on the VPN server and remove the 25 PPTP ports.
C. Select the Unencrypted Authentication (PAP, SPAP) check box in the remote access policy.
D. Clear the Microsoft Encrypted Authentication (MS-CHAP) check box in the remote access policy.
E. Clear the Microsoft Encrypted Authentication version 2 (MS-CHAP v2) check box in the remote access policy.
Answer: D
Explanation: We should clear the Microsoft Encrypted Authentication (MS-CHAP) check box in the remote access policy, as MS-CHAP provides a lower level of authentication security than MS-CHAP v2. You need to enable all remote users to connect to the VPN server. You also need to ensure the highest possible level of authentication security.
Incorrect Answers:
A: Only the company-issued portable computers have smart card readers, and only these computers would be able to use EAP Smart card or other certificate. The users who work remotely and access the network through the Internet cannot use EAP. They must use another protocol, preferably the MS-CHAP v2 protocol.
B: L2TP does not provide any encryption unless it is combined with IPSec. Therefore PPTP must be used.
C: PAP is unencrypted and should not be an allowed authentication protocol.
E: Clear the MS-CHAP check box, not the MS-CHAP v2 check box. MS-CHAP v2 is the more secure authentication protocol.

153. You are the administrator of your company's network. The relevant portion of its configuration is shown in the following diagram. All client computers run either Windows 2000 Professional or Windows 98. WinDNS1 runs Windows 2000 Server and the DNS Server service. Router1 runs Windows 2000 Server and Routing and Remote Access.
Router1 also contains two network adapters. The first adapter connects to Subnet1 and is not configured with any TCP/IP filters. The second adapter connects to Subnet2 and is configured as shown in the exhibit. You want Router1 to enable users to access Web sites and FTP sites, while blocking other outgoing traffic. However, users report that they cannot access any Web sites or FTP sites. Which action should you perform on Router1 to correct this problem?
A. On the network adapter for Subnet2, delete the input filter for destination ports 80 and 443.
B. In Routing and Remote Access, move the input filters from the network adapter for Subnet2 to the network adapter for Subnet1.
C. On the network adapter for Subnet2, change the input filters to drop all packets left unspecified rather than to receive all packets left unspecified.
D. In Routing and Remote Access, copy the input filters from the network adapter for Subnet2 to the output filters of the network adapter for Subnet1.
Answer: C
Explanation: By examining the exhibit we see that the adapter for Subnet2 is set to "Receive all packets except those that meet the criteria below", and that the filter criteria list destination ports 20 (FTP), 21 (FTP), 53 (DNS), 80 (HTTP) and 443 (HTTPS). This means that no access to Web sites or FTP sites is allowed. By changing this setting to "Drop all packets except those that meet the criteria below", the only access provided would be access to FTP sites and Web sites (and the DNS server).
Incorrect Answers:
A: It is not necessary to delete the filter; it is applied incorrectly. It should drop, not receive, all packets except those that meet the criteria.
B: The input filter is correctly placed on the network adapter for Subnet2, which connects to the Internet. It filters incoming network traffic. If the input filter were moved to the network adapter for Subnet1, the filter would be applied to all incoming traffic on the local network adapter. It would work in almost the same way.
D: The input filter is correctly placed on the network adapter for Subnet2, which connects to the Internet. It filters incoming network traffic. If the input filter were copied to the output filters of the network adapter for Subnet1, the filter would be applied to all outgoing traffic from the local network.

154. You are the administrator of your company's network, which initially consists of a single segment. You divide the network into four segments numbered 1 through 4. All four segments are connected by a single router. Each segment includes 50 client computers running Windows 2000 Professional and two servers running Windows 2000 Server. An employee named Bruno uses a client computer located on segment 2. He works with a custom client/server application that uses TCP/IP for communications. The application server is located on segment 1. Bruno's custom application intermittently returns error messages. You run Network Monitor on your client computer, which is located on segment 3. You perform a packet capture, but you cannot find any captured packets that were sent between Bruno's computer and the application server. You need to examine the network traffic that is sent between Bruno's computer and the application server. What should you do?
A. Run Network Monitor on the application server and perform a packet capture.
B. Create a Network Monitor trigger on your client computer and perform a packet capture.
C. On your client computer, modify the Parsers.ini file and specify a parser for the client/server application. Perform a packet capture.
D. On your client computer, configure Network Monitor to capture only packets that are sent from the Ethernet address of the application server. Perform a packet capture.
Answer: A
Explanation: Network Monitor monitors traffic only on the local network segment. To monitor remote traffic, you must use the version of Network Monitor that ships with Microsoft Systems Management Server (SMS) version 1.2 or 2.0.
We are interested in the traffic between Bruno's computer and the application server. By running Network Monitor on the application server and filtering on Bruno's computer, we would be able to capture all traffic between the two computers.
Incorrect Answers:
B: Our computer is located on segment 3, the application server is on segment 1 and Bruno's computer is on segment 2. Network Monitor monitors traffic only on the local network segment. We would not be able to monitor the traffic between Bruno's computer and the application server from our computer.
C: We would not be able to monitor the traffic between Bruno's computer and the application server from our computer.
D: We would not be able to monitor the traffic between Bruno's computer and the application server from our computer.

155. You are the administrator of your company's network, which includes a Windows 2000 Server computer named CorpIIS. This server runs Internet Information Services and hosts a Web application named WebApp. The application is used by internal users for company billing and invoicing. Your company's developers modify WebApp. Now the application allows downloads of your product catalog, encrypts communications between CorpIIS and Web browsers, and accepts orders and credit card numbers from employees who access CorpIIS from the Internet. You install the modified version of WebApp on CorpIIS. You configure a TCP/IP packet filter to allow HTTP and FTP traffic to pass. Users report that they can no longer access WebApp. When they try, they receive the following error message: "Web page requested is not available." How should you correct this problem?
A. Assign the default Server (Request Security) IPSec policy on CorpIIS.
B. Create a custom IPSec policy for CorpIIS that requests but does not require clients to use IPSec authentication.
C. Configure a packet filter to allow TLS and SSL traffic to pass.
D. Configure the Web site properties on CorpIIS to allow anonymous connections.
Answer: C
Explanation: In this scenario WebApp is used on the LAN by internal users, and it is running smoothly. A modified version of WebApp is used by employees through the Internet. The modification includes encryption of communications between CorpIIS and Web browsers. This is either an authentication problem or an encryption problem. The clue to the problem is the error message "Web page requested is not available." This is not the error message an incorrect authentication attempt would produce. The available techniques to provide encryption through the Internet are to create a VPN with L2TP/IPSec or to use Secure Sockets Layer (SSL), also called HTTPS. In this scenario no VPN is used, which leaves SSL. SSL (HTTPS) uses TCP port 443. The TCP/IP packet filter has been configured to allow only HTTP and FTP traffic to pass. By modifying the filter so that SSL traffic is allowed to pass, employees would be able to use the modified WebApp through the Internet.
Incorrect Answers:
A: To be able to use IPSec, a VPN connection must be established.
B: To be able to use IPSec, a VPN connection must be established.
D: The error message indicates that this is not an authentication problem. It is an encryption problem.

156. You are the network administrator for a test lab. The test lab network includes 10 network segments and five Windows 2000 computers configured as RIP routers. Periodically, the subnet configurations for the lab change to support varying testing requirements. A typical configuration is shown in the exhibit. Sample network traces on several of the subnets show a significant amount of UDP port 520 broadcast traffic. You want to reduce the UDP broadcast traffic on the test lab network. What should you do?
A. Configure each router to accept announcements from listed routers only.
B. Increase the Periodic announcement interval setting on the routers to 600 seconds.
C. Increase the Time before routes expire setting on the routers to 3,600 seconds.
D.
Configure the routers to use the auto-static update mode.
Answer: B
Explanation: RIP uses regular broadcasts to keep its routing tables updated. These broadcasts use UDP port 520. By default these broadcasts are scheduled every 30 seconds. You can change this default by changing the Periodic announcement interval setting. By changing this setting to 600 seconds, the broadcasts would be scheduled every 10 minutes, and broadcasts on UDP port 520 would decrease.
Incorrect Answers:
A: By configuring each router to accept announcements from listed routers only, you would decrease the workload of the routers, but it would not reduce RIP broadcasts.
C: The Time before routes expire setting has a default of 180 seconds. If the route is not updated in this time, it expires and is no longer a valid route. By increasing it to 3,600 seconds the routes would remain valid for a longer time, but it would not decrease the broadcasts on UDP port 520.
D: Auto-static updates are used for demand-dial interfaces, not on other networks; instead periodic update is used. Periodic update uses the Periodic announcement interval setting, which is the setting that should be increased.

157. You are the network administrator for Trey Research. Your network consists of a single segment with 150 client computers. Of these computers, 100 are desktop computers and 50 are portable computers. The portable computers are typically in use off-site. All client computers run Windows 2000 Professional and are DHCP clients. The DHCP scope for the segment has the characteristics shown in the following table:
IP address range | Lease duration | Conflict detection attempts | Enable dynamic update of DNS records?
172.16.10.51 to 172.16.10.250 | 10 days | 0 | Yes
You disconnect the 100 desktop computers from the network and replace them with new hardware. When you connect the new computers to the segment, only 50 of them can communicate with other hosts on remote networks.
You need to enable all the new computers to communicate with remote networks. What should you do?
A. Disconnect the new computers from the network. Disable Automatic Private IP Addressing on the new computers, reconnect them to the network, and restart them.
B. Reconnect the old desktop computers to the network. On each new computer that cannot communicate with remote networks, run the ipconfig /renew command.
C. Delete all the existing leases from the scope. Increase the setting for conflict detection attempts to 3. On each computer that cannot communicate with remote networks, run the ipconfig /renew command.
D. Reduce the lease duration for the scope to one minute. After one minute has elapsed, reset the duration to eight days. Run the ipconfig /renew command on each computer on the network.
Answer: C
Explanation: The scope range contains 250 IP addresses. 50 are used by the portable computers, 100 are used by the old desktop computers that have been removed, and 50 are used by 50 of the new desktops. The other 50 new desktops do not have a correct IP configuration, since the DHCP server has no IP addresses left to lease them. The problem has occurred because the 100 removed computers still hold leases in the DHCP scope. The lease time of the scope is 10 hours. By deleting the existing leases from the scope, increasing the setting for conflict detection attempts to 3, and renewing the IP leases with ipconfig /renew on the clients with no connectivity, all clients would receive a proper IP configuration. By increasing the conflict detection attempts from the default 0 to 3, the DHCP server will determine whether an IP address is already in use on the network before leasing or using the address. This is done by pinging the IP address, a maximum of 3 times, and seeing whether any client responds to the ping. If no client responds, the address is leased. If a client responds, that address is marked as in use, and a new IP address is picked and tried.
Incorrect Answers:
A: Automatic Private IP Addressing (APIPA) is not the problem.
It is the old leases in the DHCP scope.
B: The leases of the old desktops must be removed. Reconnecting the old desktops will not help.
D: By reducing the lease duration for the scope to one minute, new leases would only last for one minute. The old leases would still have a lease time of 10 hours.

158. You are the administrator of your company's network, which consists of a single Windows 2000 domain in native mode. The network includes 2,500 computers running Windows 2000 Professional and 30 computers running Windows 2000 Server. TCP/IP is the only network protocol in use. You install Network Monitor to provide performance baselines and to troubleshoot network traffic. Most of your company's business occurs during regular business hours, which extend from 8:00 A.M. to 8:00 P.M., Monday through Friday. However, your customer service department operates 24 hours a day, seven days a week. Users in this department need to access a service database hosted on a computer named DBSvr1. Customer service users who work from midnight until 8:00 A.M. report access problems. Beginning immediately after midnight, these users cannot access DBSvr1 for short periods of time that occur at random intervals. You examine the event logs for DBSvr1, but they contain no relevant error messages. You confirm that the database is functioning correctly. You decide to monitor network traffic during the period immediately before the first occurrence of the access problem each night. You configure Network Monitor to begin a capture at the end of regular business hours. You also configure a client computer to send a message to the monitoring computer stating "No response" as soon as the access problem occurs. Which three additional actions should you perform in Network Monitor? (Each correct answer presents part of the solution. Choose three.)
A. Filter frame size for headers only.
B. Capture the entire datagram.
C. Configure a trigger to initialize when the buffer reaches 100 percent.
D.
Configure a trigger to initialize when the monitoring computer receives the message stating "No response".
E. Configure a trigger to stop the trace when the monitoring computer receives the message stating "No response".
F. Configure a trigger to stop the trace when the buffer reaches 100 percent.
Answer: B, C, E
Explanation: In this scenario we want to capture the network traffic that occurs immediately before the problem occurs. We do this by configuring Network Monitor to capture the entire datagram (we are only interested in a small monitoring time window and we want as much information as possible from this time frame); starting the monitoring at midnight; reinitializing the monitoring every time the buffer reaches 100 percent, to overwrite the capture buffer when it gets full; and stopping the trace when we receive the message stating "No response". We stop the monitoring as soon as we know that the problem has occurred, and this way the correct data packets, the ones captured immediately before the problem occurred, will be in the capture buffer.
Incorrect Answers:
A: We are interested in all the information we can get our hands on. We want to capture the whole frame.
D: The trace should stop, not initialize, when the monitoring computer receives the message stating "No response".
F: The trace should initialize (restart), not stop, when the buffer reaches 100 percent.

160. You are the network administrator of the Adventure Works network. You plan to install a new Windows 2000 domain. The DNS zone for the new domain will be hosted on a server named BIND1, which runs UNIX and BIND. You configure the adventureworks.com zone on BIND1 and enable dynamic updates. You configure a new Windows 2000 Server computer with the address of BIND1 and install the new server as your first domain controller. The installation proceeds to completion without errors. However, when you try to join additional computers to the domain, you receive the following error message:
"A domain controller for your domain could not be found."
You verify that the domain controller is running. You examine BIND1 and confirm that the records are being updated in the zone file. However, you discover that the master zone is not functioning. You also discover the following error message:
"Master zone for "adventure-works.com" (IN) rejected due to errors."
You need to restore the functionality of the master zone on BIND1. What should you do?
A. Enable name checking on BIND1.
B. Disable name checking on BIND1.
C. Manually add SRV (service) records to the zone file on BIND1.
D. Configure BIND1 to set authoritative AA bits on all responses.
Answer: C
Explanation: DNS name resolution is needed to locate Windows 2000 domain controllers. The Netlogon service uses DNS server support for the service (SRV) resource record to provide registration of domain controllers in your DNS domain namespace. In this scenario clients and services are unable to locate the services in the domain. This is because the UNIX DNS server does not have any SRV (service) records in the DNS zone. These records have to be added manually.
Incorrect Answers:
A, B: There is no such thing as a "name checking" setting on a DNS server.
D: Setting the authoritative AA bit would not help. It is a setting used for legacy clients. BIND normally caches negative responses; however, some very old servers and clients may have problems with this and generate errors. It is probably wise to upgrade those old clients and servers rather than turning this off.

161. You are the administrator of your company's network. The relevant portion of its configuration is shown in the exhibit. VPN1 and Router1 run Windows 2000 Server and Routing and Remote Access. Each server contains two network adapters named NIC1 and NIC2. Internal network users need to access both internal and external resources. Subnet1 is used by more than 10 contractors hired by your company.
Their client computers run Windows 2000 Professional. Two contractors now need to access HTTP-based resources on your internal network. For security reasons, the contractors create a virtual private network connection that uses PPTP to access VPN1. To reduce network traffic through VPN1, you want to prevent the contractors from accessing Internet resources over the VPN tunnel. You decide to configure a TCP/IP input filter on one of your network adapters to drop HTTP traffic. Which network adapter should you reconfigure?
A. NIC1 on Router1
B. NIC1 on VPN1
C. NIC2 on Router1
D. NIC2 on VPN1
Answer: B
Explanation: The contractors use a PPTP VPN connection to access VPN1. The contractors use HTTP resources on the internal subnet. They should not be allowed to access Internet resources. By dropping all incoming HTTP traffic on NIC1 on VPN1, the contractors will not be able to access the Internet, at least not with the HTTP protocol. They would still be able to access HTTP resources on the internal subnet, since this data is tunneled through NIC1 and will not be dropped.
Incorrect Answers:
A: Users on the internal subnet need to access HTTP-based resources on the Internet. Dropping all incoming HTTP traffic on NIC1 on Router1 would make this impossible. HTTP traffic must be allowed to pass Router1.
C: Dropping HTTP traffic on NIC2 on Router1 would stop all Internet HTTP traffic, but it would also stop access to HTTP-based resources on the internal network, and the contractors must be able to use these resources.
D: HTTP traffic must be allowed to pass VPN1 to allow the users on the internal network to use HTTP resources on the Internet.

162. You are the administrator of your company's network. The relevant portion of its configuration is shown in the exhibit. DNS1 is a Windows 2000 Server computer configured with a standard primary zone. QDNS5 is a UNIX server configured with a secondary DNS zone. QDNS5 accepts zone transfers from DNS1.
The client computers on your network are configured to use DHCP to obtain IP addressing information. The DHCP server is configured to issue the IP addresses of DNS1 and QDNS5 to client computers for name resolution. Users report that they sometimes cannot access any network resources by name. You discover that this problem occurs only when DNS1 has been taken offline for maintenance. You need to ensure that users can resolve names from QDNS5 whenever DNS1 is unavailable. What should you do?
A. Instruct your Internet service provider (ISP) to configure QDNS5 with Kerberos version 5 client software.
B. Configure the DNS Server service on DNS1 to allow BIND secondary servers.
C. Instruct your Internet service provider (ISP) to upgrade the DNS server software on QDNS5 with a BIND 8.1 compatible implementation.
D. Configure DNS1 so that it does not require secure zone transfers.
Answer: B
Explanation: The zone transfers from DNS1 to QDNS5 are not working. The BIND secondaries setting determines whether to use the fast transfer format when transferring a zone to DNS servers running legacy Berkeley Internet Name Domain (BIND) implementations. By default, all Windows-based DNS servers use a fast zone transfer format, which uses compression and can include multiple records per TCP message during a connected transfer. This format is also compatible with more recent BIND-based DNS servers that run versions 4.9.4 and later. In this scenario the ISP's DNS server does not appear to support this, and BIND secondaries needs to be enabled.
Incorrect Answers:
A: There is no need for Kerberos software on a DNS server.
C: We should first allow BIND secondary servers. This would allow replication traffic with UNIX BIND version 4.9.4 or later. There should be no need to upgrade QDNS5 to BIND 8.1.
D: The only secure zone transfers available are Active Directory integrated zone transfers, and they are not used here.

163. You are designing your company's new WAN.
The network consists of 50 Windows 2000 Server computers, 2,500 Windows 2000 Professional computers, 2,000 Windows 98 computers and 50 UNIX servers. The Windows environment consists of a single Windows 2000 domain. Users store data both on their client computers and on the server computers, using collaborative objects shared between departments within the company. The physical network consists of five subnets containing computers and a sixth subnet connecting to BOOTP routers, as shown in the exhibit. At present it is not necessary to provide connectivity outside the network. You decide to use the reserved private network IP address 172.16.0.0. You are using DHCP to automatically configure the client computers' TCP/IP configurations. The server computers will have TCP/IP statically configured. You want to accomplish the following goals:
• All users will be able to access resources located on all servers.
• All users will be able to access resources available on all client computers.
• Network traffic between the subnets will be minimized.
• The network will be able to accommodate growth of up to 100 percent over the next year with minimum reconfiguration of the physical infrastructure.
You take the following actions:
• Place all Windows 2000 Server computers on subnet 1.
• Place all UNIX servers on subnet 2.
• Distribute the client computers evenly across subnet 3, subnet 4 and subnet 5.
• Install the DHCP Server service on one of the Windows 2000 Server computers and configure a scope for each subnet, including the complete range of IP addresses, default gateway and DNS settings.
• Install and configure the DNS Server service on one of the Windows 2000 Server computers.
• Configure all Windows-based computers to use DHCP.
• Subnet the network address by using the subnet mask 255.255.248.0.
Which result or results do these actions produce? (Choose all that apply.)
A. All users are able to access resources located on all servers.
B. All users are able to access resources located on all client computers.
C. Network traffic between subnets is minimized.
D. The network is able to accommodate growth of up to 100 percent over the next year with minimal reconfiguration of the physical infrastructure.
Answer: A
Explanation: The routers are BOOTP-enabled. Therefore the DHCP IP configuration traffic will pass the routers and reach all clients. The IP configuration includes correct DNS and default gateway settings. This is done by using a different scope for each subnet. These clients will then be able to reach all servers, including the UNIX servers. All servers are configured for TCP/IP.
Incorrect Answers:
B: All clients have received a proper IP configuration from the DHCP server. However, the Windows 98 clients would not be able to register themselves in the DNS zone. The default setting of the DHCP server is not to update DHCP client information in DNS (this is not required for Windows 2000 clients, as they register themselves). The Windows 98 clients would not be accessible from the other computers. We would have to configure DHCP to automatically update DHCP client information in DNS (see picture below) to make this happen.
C: To minimize network traffic you should install one DNS server and one DHCP server on each segment. This would decrease network bandwidth usage, since DNS and DHCP traffic would be kept local on the subnet.
D: Currently there are 4,600 (50 + 2,500 + 2,000 + 50) computers, and in a year this will double to 9,200. 14 bits are needed for hosts (2**13 = 8192 < 9200 < 16384 = 2**14), so the subnet mask will be 18 bits:
Required subnet mask, binary: 11111111.11111111.11000000.00000000
Required subnet mask, decimal: 255.255.196.0
The 21-bit subnet mask, 255.255.248.0, would only allow 2**11 = 2048 hosts.

164. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named ServerA and 15 Windows 2000 Professional computers. ServerA has a dial-up connection that connects to the Internet.
The 15 Windows 2000 Professional computers are configured to use Automatic Private IP Addressing (APIPA). There is no DHCP server on the network. To allow the 15 Windows 2000 Professional computers to access the Internet through the dial-up connection of ServerA, you want to implement Internet Connection Sharing. How should you configure ServerA to accomplish this goal? (Choose all that apply.)
A. Enable Internet Connection Sharing on the LAN interface of ServerA.
B. Enable Internet Connection Sharing on the dial-up connection of ServerA.
C. Configure ServerA to use a static IP address of 10.1.1.1 for the LAN interface.
D. Configure ServerA to use APIPA for the LAN interface.
E. Install and configure the DHCP Server service on ServerA.
Answer: B
Explanation: Basically it is very easy to implement Internet Connection Sharing (ICS); it just has to be enabled on the Internet connection interface of the computer that should share its Internet connection. ICS provides many more features than just address translation. Microsoft has added many features to make the configuration of Internet connections as simple as possible. ICS can be fully configured and administered from the Routing and Remote Access Manager. For a simple home network, a Connection Sharing Wizard can also be launched from Control Panel Connections. The wizard does not allow configuration of any options but can get a home network up on the Internet in minutes. What simplifies the configuration is automatic addressing and automatic name resolution through the DHCP allocator, DNS proxy and WINS proxy components. Each of these components provides a simplified configuration compared with the full versions of the DHCP, DNS and WINS servers.
Incorrect Answers:
A: ICS should be enabled on the dial-up connection interface, not on the LAN interface.
C: When you enable Internet Connection Sharing, the network adapter connected to the home or small office network is given a new static IP address configuration.
You should not assign a static IP address to it.
D: When you enable Internet Connection Sharing, the network adapter connected to the home or small office network is given a new static IP address configuration. You should not configure it for APIPA.
E: There is a mini-DHCP server, called the DHCP allocator, included in ICS. In fact, ICS would not work in a DHCP environment.

165. You are the administrator of your company's network. Your company has a main office, two large branch offices and two small branch offices. The company network consists of one Windows 2000 domain. The main office and the two large branch offices are connected by dedicated T1 lines, as shown in the exhibit. The two small branch offices use 128 Kbps ISDN lines and Routing and Remote Access over the Internet to connect to the company's internal network. You are designing your DNS name resolution environment. You want to accomplish the following goals:
• DNS name resolution traffic across the WAN links will be minimized.
• DNS replication traffic across the WAN links will be minimized.
• DNS replication traffic across the public WAN links will be secured.
• Name resolution performance for client computers will be optimized.
You take the following actions:
• Install the DNS Server service on one domain controller at each office.
• Create an Active Directory integrated zone on each DNS server at each office.
• Configure client computers to query their local DNS server.
• Configure the zones to allow dynamic updates.
Which result or results do these actions produce? (Choose all that apply.)
A. DNS name resolution traffic across the WAN links is minimized.
B. DNS replication traffic across the WAN links is minimized.
C. DNS replication traffic across the public WAN links is secured.
D. Name resolution performance for client computers is optimized.
Answer: A, B, C, D
Explanation:
A: A DNS server has been installed in each location, and the clients have been configured to use the local DNS server for name resolution.
This minimizes DNS name resolution traffic across the WAN links. B: Active Directory integrated zones replicates on a per-property basis, propagating only relevant changes. This is more efficient than full zone transfers. Additionally compression is used as well. This minimizes zone replication traffic. C: Replication between standard and secondary DNS zones are unencrypted.. By creating an Active Directory integrated zone, DNS zone transfers will be included Active Directory replication. Active Directory replication uses secure channels which provides encryption. D: A DNS server has been installed in each location and the clients have been configured use the local DNS server for name resolution. This minimizes slow DNS name resolution traffic across the WAN links and optimizes name resolution performance. 166. You are the administrator of a Windows 2000 network. Your network consists of two sides Denver and Calgary. You have two DNS zones in your company. The primary DNS server in the Denver is named ns!.contoso.com. The ns!.contoso.com server is authoritative for the root zone contoso.com. The primary DNS server in Calgary is named ns2.calgary.contoso.com. The ns2.Calgary.contoso.com server is authoritative for the delegated sub domain calgary.contoso.com. You examine the directory service log in Event Viewer on ns!.contoso.com and notice several knowledge consistent checker (KCC) warnings. The warnings indicate that the KCC cannot establish a replication link with directory partitions in the Calgary. You decide to use nslookup to trouble shoot the problem. In the nslookup console you set the server to ns!.contoso.com and the query type to all. In the nslookup console you enter the ls -d contoso.com command. You receive a response as shown in the following graph. A. Create the Host file on nsl .contoso.com server that creates the address for ns2.calgary.contoso.com. B. 
Change the NS (name server) record that points to ns2.calgary.contoso.com to calgary.contoso.com. NS ns2.calgary.contoso.com. C. On the nsl.contoso.com server, run the ns lookup-type=ns-norecurse contoso.com command. D. On the nsl .contoso.com server, runs the nbtstat-a nsl .calgary.contoso.com command. Answer: B Explanation: In this scenario there are two domains: contoso.com (root domain) and calgary.contoso.com (subdomain). The DNS server nsl.contoso.com is authoritative for the root zone contoso.com. The ns2 . calgary. contoso .com server is authoritative for calgary.contoso .com. The KCC warnings indicate a replication problem. It cannot reach its replication partner in the calgary.contoso.com domain. The nslookup utility is then used to issue the command ls -d contoso.com This lists all records for the contoso.com domain. The NS (name server) records are: contoso.com NS nsl. contoso.com contoso.com NS ns2.calgary.contoso.com The first record denotes that nsl .contoso.com is authoritative the contoso.com zone. The 2nd record denotes that ns2.calgary.contoso.com is authoritative the contoso.com zone as well. The second NS record is incorrect and should be replaced by: calgary.contoso .com NS ns2 . calgary. contoso .com Note: NS, name server, records. The general format is NS The name server (NS)resource record is used to notate which DNS servers are designated as authoritative for the zone. By listing a server in the NS RR, it becomes known to others as an authoritative server for the zone. This means that any server specified in the NS RR is to be considered an authoritative source by others, and is able to answer with certainty any queries made for names included in the zone. Incorrect Answers: A: There is already a A (host) record for ns2.calgary.contoso.com present. Adding another with a host file will not help. C: We need to change a incorrect NS (name server) record. 
NSLOOKUP is command-line utility, which use reverse lookup queries to report back host names. It cannot be used to change records. You want to resolve the problem. What should you do? D: Nbstat is utility which is used to troubleshoot WINS problems. In this scenario we have DNS problem, not a WINS problem. 167. You are the administrator of Windows 2000 network. The network consists of two Windows 2000 server computers named ServerA and ServerB and 180 Windows 2000 Professional computers on one segment. ServerA has an IP address of 192.168.2.1. ServerA is a DHCP server. The TCP/IP configuration of all the Windows 2000 Professional computers is provided by the DHCP server. The range of IP addresses used at ServerA is 192.168.2.0/24. The lease time used is iS days. You want to change the IP address on the network from 192.168.2.0/24 to 10.17.8.0/24. Server B has an IP address of 10. 17. 8. 1. You install another DHCP server on the server B. the range of IP address used by ServerB is 10. 17. 8. 0/24. The lease time used is iS days. To ensure compatibility, the two address ranges will be concurrently on the same segment for three months. Routing between the two address ranges is provided by a router on the network. After you activate the DHCP scope on the server B, users report that they are unable to obtain a valid IP address. When you investigate the problem you discover that each of the two DHCP server responded with DHCP negative acknowledge (DHCPNACK). Messages to leases requested by the client computer. What should you do to resolve the problem? A. On a Windows 2000 Professional computer, disable automatic private IP addresses (APIPA) B. On the Windows 2000 Professional computer, configure the DHCP client computers to release the DHCP lease at shutdown C. On both DHCP server set the number of times should the DHCP server attempt conflict detection to zero. D. On both DHCP servers configure the scope so that it has both address ranges. 
Define an exclusion range for the entire address range 10.17.8.0/24 on ServerA and for the entire address range 192.168.2.0/24 on ServerB.
E. On both DHCP servers, set scope option 031 Perform Router Discovery to 1 to enable the option on the Windows 2000 Professional computers.
Answer: D
Explanation: It is not possible to have two DHCP servers serving separate scopes on the same subnet. As in this scenario, they would send DHCPNACK responses to IP requests which are outside their own scope. The solution is to replace the two scopes with a superscope which includes both scopes, and to use the superscope on both DHCP servers. Precautions must be taken to prevent the scopes from overlapping. This is done with exclusion ranges. We exclude the entire address range of both scopes on ServerB.
Incorrect Answers:
A: Disabling APIPA would prevent clients from using APIPA addresses; instead they would get no configuration at all. This will not solve the problem with the two different scopes.
B: The release of the IP address lease is not the problem. The problem is the two scopes on one subnet.
C: With conflict detection set to 0, which is the default setting, the DHCP servers would not check whether an IP address is already in use before leasing it. The two scopes are the problem, not server-side conflict detection.
E: Perform Router Discovery is used to configure routers; it is not a DHCP scope option.

168. You are the administrator of your company's network, which consists of a single Windows 2000 domain. All client computers run Windows 2000 Professional. Your network uses an IPSec policy that is defined in a Group Policy applied to all computers in the domain. You upgrade all network adapters in all computers to high-security adapters that provide encryption at the hardware level. You then delete the IPSec policy from the Group Policy. However, you learn that the IPSec policy is still being applied to all computers in the domain. You need to ensure that the IPSec policy is removed from all computers. As your first step in achieving this goal, you create a new IPSec policy with default settings. What should you do next?
A. Assign the new policy. Run the secedit /refreshpolicy machine_policy command on all computers.
B. Assign and then unassign the new policy. Run the secedit /refreshpolicy machine_policy command on all computers.
C. Assign the new policy. Run the secedit /configure /overwrite /areas securitypolicy command on all computers.
D. Assign and then unassign the new policy. Run the secedit /configure /overwrite /areas securitypolicy command on all computers.
Answer: B
Explanation: To correctly delete a policy, it should first be unassigned and then deleted. If a policy is deleted before it is unassigned, you can assign a new policy and then unassign it. We should then run the secedit /refreshpolicy machine_policy command on all computers to force a policy update. An IPSec policy will remain active even after the Group Policy object to which it is assigned has been deleted. You must unassign the IPSec policy before you delete the policy object. If you delete the policy object and keep the policy assigned, the IPSec Policy Agent will assume it simply cannot find the policy and will use a cached copy.
Reference:
IPSec Policy Is Applied After Being Deleted from a Group Policy (Q234320)
Windows 2000 Server documentation, Configure system security
Windows 2000 Server documentation, To assign IPSec policy to Group Policy
Incorrect Answers:
A: The old policy has been incorrectly deleted, so we must unassign the new policy before forcing a policy update.
C: The /overwrite argument is only valid when the /CFG argument is also used.
D: The /overwrite argument is only valid when the /CFG argument is also used.

169. You are the administrator for your company's Windows 2000 Server network. Your company has a main office in Dallas, TX. There are three branch offices: one in Atlanta, GA, one in Chicago, IL, and one in Sacramento, CA. All branches are connected to Dallas by a T1 line. A diagram of the network is shown below. The routers between the offices support the forwarding of BOOTP messages. At each branch office, you have a local user who is responsible for all administrative duties. Currently the local administrator is responsible for configuring the TCP/IP settings for all the Windows 2000 Professional computers at his or her local branch. You have been experiencing network communication problems which were the direct result of configuration errors. You want to prevent this from happening again. What should you do? (Choose two)
A. Install and configure a Dynamic Host Configuration Protocol (DHCP) server in Dallas.
B. Install and configure a Windows Internet Name Service (WINS) server in Dallas.
C. Install and configure a Domain Name System (DNS) server in Dallas.
D. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain an IP address automatically.
E. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain WINS server address automatically.
F. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain DNS server address automatically.
Answer: A, D
Explanation: Instead of manually configuring the IP settings, we should use a centralized DHCP solution. DHCP must be installed and configured on the central server in Dallas. Every client needs to be enabled for DHCP so that it obtains its IP configuration automatically.
Incorrect Answers:
B: WINS is used for name resolution, not for IP configuration of clients.
C: DNS is used for name resolution, not for IP configuration of clients.
E: There is no setting "Obtain WINS server address automatically" in the TCP/IP properties.
F: It would require a lot of administrative effort to configure the IP configuration on each client computer. It is not the best solution.

170. You are the network administrator for Contoso, Ltd. The network consists of three Windows 2000 domains, as shown in the exhibit. To distribute administrative control of the DNS namespace, you use a single standard primary DNS zone to handle all name resolution for the three domains. Users report that name resolution for hosts in all three domains has been extremely slow. You want to correct this problem while still maintaining centralized administrative control. What should you do?
A. Create a new primary zone for the East domain. Create a new primary zone for the West domain.
B. Create a new secondary zone for the East domain. Create a new secondary zone for the West domain.
C. Create a new Active Directory integrated zone for the East domain. Create a new Active Directory integrated zone for the West domain.
D. Create a delegated zone for the East domain. Create a delegated zone for the West domain.
Answer: B
Explanation: By creating secondary zones in the East and West domains, clients in the East and West domains could be configured to use the local DNS server for name resolution. This would improve performance by avoiding name resolution across the WAN links. The administrative control would still be centralized, since a secondary zone only contains a read-only replica of the primary zone file.
Incorrect Answers:
A: If primary zones were created in the East and West domains, there would be three distinct DNS zones, and it would not be possible to resolve names from the other domains.
C: Active Directory integrated zones would not keep the DNS administration centralized. It would be possible to administer the DNS zone in the East and the West domains.
D: Delegated zones would allow administrators in the East domain and the West domain to administer the zones, but the zone should only be managed centrally.

172. You are the administrator of a Windows 2000 network. The network has two Windows 2000 Server computers named Router1 and Router2. Routing and Remote Access is enabled as a router on Router1 and Router2. There are no other routers on the network. A part of the IP routing table of Router1 is shown in the following table.
Destination       Network Mask       Gateway      Interface    Metric
10.30.0.0         255.255.0.0        10.30.1.1    10.30.1.1    1
10.30.1.1         255.255.255.255    127.0.0.1    127.0.0.1    1
10.40.5.0         255.255.255.0      10.40.5.1    10.40.5.1    1
10.40.5.1         255.255.255.255    127.0.0.1    127.0.0.1    1
10.255.255.255    255.255.255.255    10.30.1.1    10.30.1.1    1
10.255.255.255    255.255.255.255    10.40.5.1    10.40.5.1    1
To exchange routing information, you want to enable RIP for IP on Router1 and Router2. You configure RIP for IP on Router1 and Router2 as follows:
• Set the operation mode to Periodic update mode.
• Set the outgoing packet protocol to RIP version 1 broadcast.
• Set the incoming packet protocol to RIP version 1 and 2.
• Specify Router1 and Router2 as unicast neighbors of each other.
When you monitor the IP routing table of Router2, you notice that the server is not receiving the correct routes. What should you do?
A. Configure RIP for IP to include host routes in the announcements that are sent.
B. Configure the RIP for IP interfaces to add an input packet filter that will allow network traffic for RIP port 520.
C. Set the RIP for IP outgoing packet protocol to RIP version 2 broadcast.
D. Specify Router1 and Router2 as RIP for IP peer routers.
Answer: C
Explanation: If a network is using a mixture of RIP v1 and RIP v2 routers, then we must configure the Windows 2000 router interfaces to advertise by using either RIP v1 broadcasts or RIP v2 broadcasts and to accept either RIP v1 or RIP v2 announcements. Router1 and Router2 are configured as unicast neighbors of each other, but only RIP version 2 supports unicast to neighbors. By changing to RIP version 2 broadcast only, the routers are forced to use RIP version 2 and the routers would be able to communicate. If we are using multiple IP routing protocols, configure only a single routing protocol per interface.
Incorrect Answers:
A: There is nothing wrong with the RIP announcements. Instead the incoming router interface must be configured to only support RIP version 2.
B: Generally a filter is used to prevent traffic, and it cannot be used to allow traffic. By default, there is no protocol packet filter on the RIP for IP interface that prevents traffic on port 520.
D: By default, RIP announcements from all sources are accepted. By configuring a list of RIP peers, RIP announcements from unauthorized RIP routers are discarded. RIP peers are used for security.

173. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named Srv1 and 12 Windows 2000 Professional computers. Srv1 has a dial-up connection that connects to the Internet. Srv1 is configured to use Internet Connection Sharing to allow Internet access through the dial-up connection of Srv1. The 12 Windows 2000 Professional computers are configured for static TCP/IP addressing. The IP addresses are 192.168.0.1 through 192.168.0.12, and the subnet mask is 255.255.255.0. The 12 Windows 2000 Professional computers have no default gateway configured. You discover that the Windows 2000 Professional computers are not able to access the Internet through the dial-up connection of Srv1. You confirm that the preferred DNS server on the Windows 2000 Professional computers is configured correctly. What should you do to allow all 12 computers to access the Internet through the dial-up connection of Srv1? (Choose all that apply)
A. On the Windows 2000 Professional computer with IP address 192.168.0.1, change the IP address to 192.168.0.13.
B. Change the IP addresses on all 12 Windows 2000 Professional computers to 169.254.0.2 through 169.254.0.13.
C. Change the subnet mask on all 12 Windows 2000 Professional computers to 255.255.0.0.
D. Change the default gateway on all 12 Windows 2000 Professional computers to 192.168.0.1.
E. Change the default gateway on all 12 Windows 2000 Professional computers to 169.254.0.1.
Answer: A, D
Explanation: When we enable ICS, our computer is assigned the 192.168.0.1 IP address, and if this address is already in use on another computer, ICS would thus not be able to function. This is the case in this scenario, where the 12 clients have IP addresses in the 192.168.0.1 to 192.168.0.12 range. The ICS problem is solved by changing the IP address of the computer with IP address 192.168.0.1 to 192.168.0.13 and setting the default gateway to 192.168.0.1, the IP address of the ICS computer.
Incorrect Answers:
B: ICS uses IP addresses in the 192.168.0.1 to 192.168.0.254 range, not in the 169.254.x.x range. APIPA uses the 169.254.x.x range.
C: The correct subnet mask on a network using ICS is 255.255.255.0, not 255.255.0.0.
E: The default gateway should be changed to 192.168.0.1, which is the IP address the LAN interface of the ICS computer is assigned when ICS is enabled. 169.254.0.1 is an IP address in the APIPA range.

174. You are the administrator of your company's network, which consists of a single Windows 2000 domain. The network has a persistent connection to the Internet. The relevant portion of its configuration is shown in the exhibit. Your company employs mobile salespeople who use portable computers running Windows 2000 Professional. To enable these users to access internal resources, you place a virtual private network (VPN) server named VPN1 outside your firewall. This server is a stand-alone Windows 2000 Server computer running Routing and Remote Access. The firewall is configured to allow inbound access from VPN1 only. You configure L2TP ports on VPN1. Now you must configure additional output and input filters for the external network adapter on VPN1. You must ensure that VPN1 allows only VPN traffic on the Internet interface, and prevents non-VPN users from accessing internal resources. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create an input filter on VPN1 that allows L2TP ports as destination ports. As the destination IP address, use the IP address of the external interface of VPN1.
B. Create an input filter on VPN1 that allows L2TP ports as source ports. As the source IP address, use the IP address of the external interface of VPN1.
C. Create an input filter on VPN1 that allows L2TP ports as destination ports. As the destination IP address, use the IP address of the internal interface of VPN1.
D. Create an output filter on VPN1 that allows L2TP ports as source ports. As the source IP address, use the IP address of the external interface of VPN1.
E. Create an output filter on VPN1 that allows L2TP ports as destination ports. As the destination IP address, use the IP address of the external interface of VPN1.
F. Create an output filter on VPN1 that allows L2TP ports as source ports. As the source IP address, use the IP address of the internal interface of VPN1.
Answer: A, F
Explanation:
A: The only inbound traffic allowed is traffic to the external interface of the VPN1 server.
F: The only outbound traffic allowed is traffic originating from the internal interface of VPN1.
Incorrect Answers:
B: Input filters must use the L2TP ports as destination ports, not source ports.
C: The only destination address allowed is the address of the external, not the internal, VPN interface.
D: The source of an output filter must be the IP address of the internal interface of VPN1.
E: In an output filter the L2TP ports must be used as source ports.

175. You are the administrator of your company's network. Your network is configured as shown in the following graph. You configure your Windows 2000 Server computer to route all network traffic on your intranet. Users on both segments need access to files on the other segment. A portion of the router's route table is shown in the following table.
Network Destination    Netmask            Gateway          Interface        Metric
10.0.0.0               255.0.0.0          10.0.0.169       10.0.0.169       1
10.0.0.169             255.255.255.255    127.0.0.1        127.0.0.1        1
192.168.0.0            255.255.0.0        192.168.0.200    192.168.0.200    1
192.168.0.200          255.255.255.255    127.0.0.1        127.0.0.1        1
You also install and start the Internet Information Services Web service on the server. Users on both segments report that they cannot access the Web service. What must you do?
A. Disable all TCP/IP port filters.
B. Create a PPTP tunnel so that it has a filter that filters everything except protocol 6.
C. Run the route delete 192.168.0.0 command and the route add 192.168.0.0 mask 255.255.0.0 10.0.0.169 command.
D. Run the route delete 10.0.0.0 command and the route add 192.168.0.0 mask 255.0.0.0 192.168.0.200 command.
Answer: A
Explanation: A TCP/IP filter could be blocking, for example, TCP port 80, which is used by the HTTP protocol. By removing all filters, all traffic would be allowed to pass. The route table is correct:
Destination 10.0.0.0 is routed to 10.0.0.169, the router's interface to the 10.0.0.0 subnet.
Destination 10.0.0.169 routes to the loopback address 127.0.0.1; 10.0.0.169 is one of the router's interfaces.
Destination 192.168.0.0 is routed to 192.168.0.200, the router's interface to the 192.168.0.0 subnet.
Destination 192.168.0.200 routes to the loopback address 127.0.0.1; 192.168.0.200 is one of the router's interfaces.
Incorrect Answers:
B: A filter that accepts PPTP but drops everything else should allow TCP port 1723 and IP protocol 47, not protocol 6. PPTP uses TCP port 1723 for tunnel maintenance traffic. For a filter to pass PPTP data it must allow IP protocol ID 47.
C: Destination 192.168.0.0 is correctly routed to 192.168.0.200, the router's interface to the 192.168.0.0 subnet. It should not be routed to the other router interface, 10.0.0.169.
D: Destination 10.0.0.0 is correctly routed to 10.0.0.169, the router's interface to the 10.0.0.0 subnet. It should not be deleted. The following command gives an incorrect route: route add 192.168.0.0 mask 255.0.0.0 192.168.0.200. The network mask should be 255.255.0.0, not 255.0.0.0.

176. Your company policy is to allow only Administrators in your Houston office to install and use Network Monitor. You have been informed that Admins in New York are installing and using Network Monitor. After you install Network Monitor, what should you do to monitor how many copies of Network Monitor are currently running? (Choose two)
A. On the Tools menu in Network Monitor, select Identify Network Monitor Users.
B. Install Network Monitor on a computer on the second segment.
C. Remove the default Remote Access Policy.
D. Remove the "access Network Monitor" permission for Domain Admins.
Answer: A, B
Explanation: We use Network Monitor to capture and display the frames that a computer running Windows 2000 Server receives from a local area network (LAN). Network Monitor can only monitor traffic on its own subnet, but by installing Network Monitor on a computer in another segment/subnet, the remote Network Monitor would be able to relay the results. By selecting the Identify Network Monitor Users command on the Tools menu of the Network Monitor program, all users that are currently using Network Monitor will be listed.
Incorrect Answers:
C: Remote Access Policy is used to control remote access to the computer; it is not used for monitoring the network.
D: There is no "access Network Monitor" permission in Windows 2000.

177. On your Windows 2000 Server computer, you install Client Services for NetWare and NWLink with the default settings. How should you configure your Windows 2000 Server computer to connect to all NetWare servers, regardless of their versions?
A. Set the adapter to frame type 803.2.
B. Set the adapter to Manual Frame Type Detection and add the frame type of each NetWare server.
C. Edit the registry to allow all frame types.
D. You can only connect to one type of NetWare server at a time, so this cannot be accomplished.
Answer: B Explanation: On Windows 2000 computers NWLink automatically detects the frame type used by the network adapter. If multiple frame types are detected NWLink sets the frame type to 802.2. If more than one frame type must be supported the additional frame types must be added manually. This is done by the following steps on a Windows 2000 Server computer: Open Network and dial-up connections, Right click appropriate interface, select Properties, select NWLink, select Properties, select Manual frame type detection, choose Add and Select appropriate Frame Type. This setting could also be accomplished by editing the registry: add both types to the multi-string value PktType in HKLM\SYSTEM\CurrentControlSet\Services\NwlnkIPX\Parameters\Adapters\, where is the network adapter identifier Incorrect Answers: A: By setting the adapter frame type to 803.2 only this frame type would be allowed, not all the frame types that is used on the network. C: There is no registry setting to allow all frame types. They must be added in the Registry one by one, which would be a daunting administrative effort. It is not necessary to add allow frame types, just the ones the ones used on the network. D: This can very well be done by either adding each frame type from NWLink properties or by adding the frame types in the registry. 178. You must ensure that the remote computers are assigned valid IP addresses on your network, and that the remote users can access network resources. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Enable IP routing on VPN1. B. Create a static route on VPN 1 to route all requests the 192.168.1.0 network. C. Place a DHCP Relay Agent on the 10.0.1.0 network. D. Place a DHCP Relay Agent on the 192.168.1.0 network. E. Manually configure VPN1 with the address of the DNS server. F. Manually configure VPN1 with the address of the WINS server. 
Answer: A, C The purchasing agents now report that they can connect to VPN1, but they cannot access any network resources. On investigation, you discover that the remote computers are being configured with IP addresses in the i69.2S4.0.0 range. Explanation: The clients are able to connect to VPN1, but they receive IP addresses from the APIPA, 169.254.0.0, range. They do not receive IP configuration from the DHCP server on the 192.168.1.0/24 network. We must enable DCHP traffic between VPN1 and the DHCP server. A: To route IP traffic we must enable IP routing. C: Some routers will not relay all DHCP traffic. These routers are known as non-BOOTP enabled (or non RFC-i54i compliant) routers. To configure DHCP between two network segments that has non-BOOTP enabled router connecting them we need a DHCP relay agent on the network segment without any DHCP server. It seems likely that the router in this scenario is non-BOOTP enabled. We should place a DHCP Relay Agent on the 192.168.1.0 network Incorrect Answers: B: There is no need to configure a static route to the 192.168.1.0 network. The remote clients only need to be configured with the router as a Default Gateway. D: The DHCP Relay Agent should not be placed on the same network segment as the DHCP server. E: This is not a name resolution problem. F: This is not a name resolution problem. 180. You use a computer running Windows 2000 server and the DHCP Server service to create a DHCP scope with a lease length of iS days and a subnet mask of 21 bits. You now want to change the configuration for the scope to have an unlimited lease and a subnet mask of 28 bits. How would you do this? A. Delete the scope. Use the new scope wizard to create a new scope with a subnet mask of 28bits and an unlimited lease. Activate the scope. B. Right click on the scope in DHCP and select properties. Edit the properties of the scope and change the subnet mask to 28bits and the lease to unlimited C. Delete the scope. 
Use the new scope wizard to create a new scope with a subnet mask of 28 bits. Edit the properties of the new scope to set an unlimited lease. Activate the new scope. D. Disable the scope. Edit the properties of the scope and change the subnet mask to 8 bits and an unlimited lease. Enable the scope. Answer: C Explanation: In this scenario the original scope must be deleted, and a new scope created. We cannot change the subnet mask of an existing scope. The New Scope Wizard does not allow us to set an unlimited lease, only maximum the value of 999. After setting the unlimited lease of the scope the scope must be activated before it can be used. Incorrect Answers: A: The New Scope Wizard does not let you set an unlimited lease, only maximum the value of 999. B: We cannot change the subnet mask of an existing scope. D: We cannot change the subnet mask of an existing scope, even if the scope is disabled. 181. You are the network administrator for Humongouos Insurance. The relevant portion of your network configuration is shown in the exhibit. Location Domain name Los Angeleshumongousinsurance.com Seattle west.humongous insurance.com Chicago central.humongousinsurance.com Atlanta east.humongousinsurance.com DNS1 hosts standard primary zones for the domains in Los Angeles and Seattle. DNS2 hosts standard primary zones for the domains in Chicago and Atlanta. Both DNS1 and DNS2 are members of their local Windows 2000 domains. Each location has its own domain controller. The domain controllers are named L-DC1, S-DC1, C-DC1 and A-DC1. Users in Seattle and Atlanta report that access to some network resources is extremely slow in these locations, name resolution requests sometimes take longer than one minute to process. Company Las Angeles The network consists of four Windows 2000 domains, as shown in the following table. management expects to add more than 150 new users to each of these locations during the next few months. 
You are concerned that the existing DNS servers will not be adequate to handle the new users. You need to improve response times for name resolution requests in Seattle and Atlanta. You must also ensure that your DNS servers do not have a single point of failure. Your solution must take into consideration the expected growth in Seattle and Atlanta. What should you do? A. Install one new DNS server in Seattle and another one in Atlanta. Configure each DNS server with a standard primary zone. B. Install one caching-only DNS server Seattle and another one in Atlanta. Configure both DNS servers to forward name resolution requests to DNS 1 and DNS2. C. Install the DNS Server service on the domain controllers in each domain. Create a single Active Directory integrated zone for the entire forest on the DNS server in Los Angeles. Remove the DNS Server service from DNS1 and DNS2. D. Install the DNS Server service on the domain controllers in each domain. Create an Active Directory integrated zone for each domain on its local domain controller. Create secondary zones on each DNS server for each of the remote domains. Remove the DNS Server service from DNS1 and DNS2. Answer: D Explanation: In order to improve name resolution performance we install and configure DNS server at each physical location. By creating an Active Directory integrated DNS zone for each domain at the local domain controller local name resolution would not have to cross the WAN links. A further improvement and a solution to the single point of failure problem, is solved by creating secondary zones on each DNS server for each remote domain. Finally we remove the DNS Server service from the old DNS servers DNS 1 and DNS2. Incorrect Answers: A: We must remove the single point of failure. This is not achieved with this proposed solution. B: We must remove the single point of failure. This is not achieved with this proposed solution Caching-only servers are used on slow WAN links, not on Ti WAN links. 
C: There are several domains, so we cannot create a single Active Directory integrated zone.

182. Your network consists of 90 client computers and 50 portable computers. Computers in your network only run Windows 2000 Professional. Only 20 of the users of the portable computers will ever be in the office at the same time. You have a subnetted Class B subnet with a 25-bit mask for your network. All users need access to the Internet while in the office. How should you configure DHCP?
A. Create 2 scopes, one for the desktop computers and one for the portables.
B. Create a superscope with 2 scopes. One scope for the desktops and one for the portables.
C. Create a superscope with 2 user classes. Set each class with a different lease duration. Use a shorter lease for the portable computers.
D. Create one scope with 2 user classes. Set the class for the desktops with a default lease duration. Set the lease duration for the class for the portables to 1 day.

Answer: D

Explanation: The problem here is that only 7 bits (32-25) can be used for hosts, which only provides for 126 concurrent hosts on the network, but we have 140 computers. Therefore the IP lease duration of the laptops should be lowered. In this scenario we create one user class for the portable computers and one user class for the stationary office computers, each with a different lease duration.
Note: User classes allow DHCP clients to differentiate themselves by specifying a User Class option. When available for client use, this option includes a user-determined class ID that can help to group clients of similar configuration needs within a scope.

Incorrect Answers:
A: You cannot configure a scope to be used by certain computers without using the user class option.
B: You cannot configure a scope to be used by certain computers without using the user class option.
C: A superscope consists of two or several scopes, not of user classes.

184. Our network consists of three network segments connected by a router.
You install the DHCP Server service on a Windows 2000 Server. You create scopes for each subnet’s range of addresses and activate the scopes. Users from the second and third subnets report they cannot connect to the network. Users on the first subnet have no problems. You check and find that the computers on segments 2 and 3 are not receiving TCP/IP information from the DHCP server. What should you do?
A. Manually configure the IP address for the DHCP server on each client on subnets 2 and 3.
B. Enable dynamic updates on the DHCP server.
C. Install a DHCP Relay Agent on a computer on segments 2 and 3.
D. None of the above.

Answer: C

Explanation: In this scenario the clients are not able to receive IP configuration from the DHCP server. The clients use broadcasts to initiate the requests. In a subnetted network the routers must be BOOTP-enabled (or RFC 1542 compliant) to let the DHCP IP configuration traffic pass. It appears that the routers are not BOOTP-enabled, since the IP configuration works for clients on the same segment as the DHCP server, but the remote clients are not properly configured. A workaround for the problem is to install a DHCP relay agent on each remote segment.

Incorrect Answers:
A: The clients use broadcasts to initiate the requests. They will not use the IP address of the DHCP server. There is no way to configure the IP address of the DHCP server on the client.
B: Dynamic updates are enabled on the DNS server, not on the DHCP server. No configuration of the DHCP server solves the problem at hand; the users on the subnet of the DHCP server have no problems.
D: The solution to this problem is to install a DHCP relay agent on each remote segment.

185. All client computers in your domain are Windows 98 or Windows 2000. Windows 2000 users run an Internet application that accesses files on a Windows NT computer. None of your Windows 2000 computers can connect to this NT computer, but the NT computer can connect to the Windows 2000 computers.
What should you do?
A. On the NT computer run the “registerDNS” command.
B. On the DHCP server select the Enable Updates for DNS Clients That Do Not Support Dynamic Update checkbox.
C. On the DNS server select the Enable Updates for DNS Clients That Do Not Support Dynamic Update checkbox.
D. Run “ipconfig /flushdns” on all of the Windows 2000 computers.

Answer: B

Explanation: There is no mention of either DNS or DHCP in the scenario, but DNS is mentioned in every alternative and, as we shall see, the correct answer can be reached by exclusion. Windows NT clients cannot register their own A (Host) records in the DNS zone like Windows 98 and Windows 2000 clients can. This makes it impossible for clients on the network to connect to NT computers, even though Windows 98 and Windows 2000 computers can be reached by all computers. The DHCP server usually registers PTR (pointer) records when it leases IP addresses to clients. By enabling “Enable Updates for DNS Clients That Do Not Support Dynamic Update” on the DHCP server, it will register both PTR (Pointer) and A (Host) records in the DNS zone for the Windows NT 4.0 clients. This will enable all computers to connect to the Windows NT 4.0 clients.

Incorrect Answers:
A: The ipconfig /registerdns command is used to manually force a name registration, or a refresh of the client name registration, in DNS. This is done dynamically, but Windows NT 4.0 does not support dynamic updates, so this will not work.
C: There is no “Enable Updates for DNS Clients That Do Not Support Dynamic Update” setting on the DNS server. This setting only exists on the DHCP server.
D: ipconfig /flushdns would clear the DNS client resolver cache. But there are no incorrect entries stored locally on the Windows 2000 clients. The problem is that the Windows NT 4.0 clients are not registered in DNS.

187. Your network consists of two Windows 2000 servers and 50 Windows 2000 Professional desktops.
You configure the DHCP server to automatically update your DNS server’s forward and reverse lookup zone files with the clients’ DHCP information. In the reverse lookup zone some of the client computers do not have PTR records. What should you do?
A. Configure the DHCP server to always update DNS, even if a client computer does not request it.
B. Enable Dynamic Updates on the DNS server.
C. Add the DHCP server to the DHCP Proxy Update list.
D. Configure the DHCP clients by putting a check mark in the “Update DNS” box on the TCP/IP properties Advanced tab.

Answer: A

Explanation: Windows 2000 clients usually register their A (Host) records in the DNS zone, and the DHCP server registers the PTR (Pointer) records. It seems that some of the clients have disabled the TCP/IP configuration setting “Register this connection’s addresses in DNS”, which is enabled by default. By doing this only the A (Host) record would be registered. Since we do not know on which clients this setting has been disabled, the easiest solution is to configure the DHCP server to always update DNS, even if a client computer does not request it.

Incorrect Answers:
B: The A (Host) records are registered in the forward lookup zones (no problems are mentioned there), so dynamic updates must already be enabled on the DNS server.
C: There is just a single DHCP server in this scenario. The problem cannot be related to the configuration of DHCP servers that are allowed to act as proxies for each other.
D: There is no “Update DNS” option in the TCP/IP properties.

188. Your network consists of a single Windows 2000 domain and uses TCP/IP. You use DHCP to assign addresses to your Windows 2000 Professional client computers. You add several new Windows 2000 Professional clients to your network. Users report that occasionally they cannot access network resources located on servers but workgroup resources are sometimes available. The TCP/IP configuration of one of the computers that is having problems shows the IP address 169.254.0.16. What should you do?
A. Add more IP addresses to the existing DHCP scope to include enough for all client computers.
B. Authorize DHCP in Active Directory.
C. Create a new scope to include the new clients.
D. Change the problem clients to use H mode for NetBIOS.

Answer: A

Explanation: In this scenario some client computers are unable to get IP configuration from the DHCP server; they have been assigned IP addresses in the APIPA range. The DHCP server has run out of IP addresses to lease after the new computers have been added to the network. The best solution is to simply add more IP addresses. Scopes can be extended dynamically.

Incorrect Answers:
B: The DHCP server is working, since it has been able to lease addresses to other computers, but it has run out of IP addresses to lease.
C: It is not necessary to create a new scope for the new clients. Setting up a new scope could involve precise configuration and additional administrative effort.
D: DNS, not WINS, is used for IP configuration. Windows 2000 WINS clients use H-mode by default.

189. You install Certificate Services on two computers running Windows 2000 Server. CertRoot is an Enterprise Root Certificate Authority. CertSub is an Enterprise Subordinate CA. You have two domains: sycom.com and support.sycom.com. You add a new domain, tech.sycom.com. You attempt to issue a certificate from CertSub for a user account in tech.sycom.com. The Event Viewer shows the CA was unable to publish a certificate for tech.sycom.com\DC. DC is a domain controller for tech.sycom.com. What is the most likely reason you receive this error message?
A. DC (tech.sycom.com domain controller) is offline.
B. You are not a member of the Certificate Administrators for tech.sycom.com.
C. CertSub is not a member of the group “tech.sycom.com\Cert Publishers”.
D. The Enterprise CA is offline.

Answer: C

Explanation: In this scenario a new domain tech.sycom.com is installed. There is no Certificate Authority (CA) in the tech.sycom.com domain.
To be able to issue a certificate for a domain, the server on which the CA was installed must be a member of the Certificate Publishers group of that domain. In our scenario this translates to: CertSub must be a member of the Cert Publishers group in the tech.sycom.com domain.

Incorrect Answers:
A: If the domain controller had been offline, another error message would have been shown.
B: It is not necessary to be a member of the Certificate Administrators. The server on which the CA was installed must be a member of the domain for which the certificate is issued.
D: If the Enterprise CA had been offline, another error message would have been shown.

193. You configure DHCP to dynamically update the PTR records for clients who lease IP addresses from the server. From where is the domain name used in the PTR record obtained?
A. From the DHCPDISCOVER message
B. From the DHCPOFFER message
C. From the DHCPACK message
D. From the DHCPREQUEST message

Answer: D

Explanation: In the DHCP lease process the client that requires an IP address broadcasts a DHCPDISCOVER. The DHCP server responds by sending a DHCPOFFER, to which the client answers with a DHCPREQUEST. The client’s Fully Qualified Domain Name (FQDN) is included in the DHCPREQUEST message. This can be used by the DHCP server to update the PTR (Pointer) record of the client. The DHCP server then acknowledges the lease with a DHCPACK.

Incorrect Answers:
A: The DHCPDISCOVER message is a broadcast from the client. It does not include the client’s FQDN.
B: The DHCPOFFER message is sent by the DHCP server. The FQDN is supplied by the client.
C: The DHCPACK message is sent by the DHCP server. The FQDN is supplied by the client.

194. Your network consists of computers running Windows 2000 Server, Windows 2000 Professional, Windows 95 and OS/2 with LAN Manager 2.2c. All are on the same subnet. You want applications on the OS/2 client that use NetBIOS names to be able to resolve the NetBIOS names to IP addresses from a WINS database.
You install WINS on one of the Windows 2000 servers. What else should you do to enable the applications on the OS/2 computer to resolve NetBIOS names to IP addresses from the WINS database?
A. Configure one of the Windows 2000 Professional computers as a WINS Proxy Agent.
B. Add static mappings for the OS/2 computer in the WINS database.
C. Configure the OS/2 computer as a WINS client.
D. Configure the OS/2 computer with a static IP address and add a PTR record in the DNS database.

Answer: A

Explanation: In this scenario LAN Manager 2.2c with OS/2 is not able to act as a WINS client to a WINS server on a remote subnet. This is because OS/2 clients only broadcast for WINS. To reach a WINS server on remote subnets a WINS Proxy Agent, which can be installed on a Windows 2000 Professional computer, will capture those broadcasts and relay them to the WINS server.

Incorrect Answers:
B: By adding a static mapping for the OS/2 computer, the clients would be able to connect to the OS/2 computer. This is not the requirement in this scenario though.
C: The OS/2 computer is already configured as a WINS client, but it can only use broadcasts to connect to a WINS server, which makes it impossible for it to reach a WINS server on a remote subnet.
D: Giving the OS/2 computer a static IP address, and adding a PTR (pointer) record for it in DNS, would not enable it to connect to the WINS server.

195. Your Windows 2000 network has 3 subnets, A, B, and C. A is at the corporate headquarters. B is used to connect a router at the HQ office to a router at the remote office. C is the subnet for the remote office. You use two Windows 2000 servers as routers: RouterAB connects SubnetA and SubnetB. RouterBC connects SubnetB and SubnetC. You configure RouterAB and RouterBC to use demand-dial connections. What two steps must you take to allow a client computer on SubnetC to access a share on a client on SubnetA? (Choose two)
A. Configure a TCP/IP filter on the RouterAB demand-dial interface.
B. Configure a static route for SubnetA on the demand-dial interface of RouterBC.
C. Configure a static route for SubnetB on the demand-dial interface of RouterAB.
D. Configure a TCP/IP filter on the RouterBC demand-dial interface.

Answer: B, C

Explanation: In this scenario there is a small network with only 3 subnets. The most practical solution for a small network would be to configure the routers with static routes. However, static routes do not scale well for larger internetworks. In this scenario subnet B is already connected to both of the routers, so no further routes to subnet B have to be made. Subnet A is connected to RouterAB but not to RouterBC. We have to configure a static route on RouterBC to subnet A. Subnet C is connected to RouterBC but not to RouterAB. We have to configure a static route on RouterAB to subnet C.

Incorrect Answers:
A: In this scenario we have a routing problem, not a traffic filter problem. Static routes, not TCP/IP filters, should be used.
D: In this scenario we have a routing problem, not a traffic filter problem. Static routes, not TCP/IP filters, should be used.

196. Your domain has a Windows 2000 member server computer named Srv1. Routing and Remote Access and CHAP are enabled for remote access on Srv1. You have also configured the appropriate remote access policy to use CHAP. However, users who require CHAP report that they are not able to dial into SRV1. What should you do?
A. Configure SRV1 to disable LCP extensions.
B. Configure clients to use MS-CHAP for dial-in.
C. Configure SRV1 to use SPAP for dial-in.
D. Disable “Mutual authentication” on SRV1.

Answer: A

Explanation: If we cannot connect to a server by using PPP, or the remote computer terminates our connection, the server may not support LCP extensions. In Network and Dial-up Connections, clear the Enable LCP extensions check box.

Incorrect Answers:
B: Both the Remote Access Policy and the client are configured to use CHAP.
Configuring the client to use MS-CHAP would not make any difference.
C: The client is configured to use CHAP. Configuring SRV1 to use SPAP for dial-in would not allow communication. Both client and server must use the same authentication protocol.
D: CHAP does not support mutual authentication, so disabling mutual authentication will not help.

198. You are the administrator of your company’s network, which consists of a single Active Directory domain in native mode. All servers on the network run Windows 2000 Server. Client computers run either Windows 2000 Professional, Windows 98, or Windows 95. All client computers use DHCP for IP addressing and configuration. All servers have static IP addresses. The DHCP servers are configured to perform registration of DNS records for client computers. You change your DNS zones to Active Directory integrated zones and upgrade all client computers to Windows 2000 Professional. Users report that they can no longer access some network resources. IP addresses are leased by the DHCP servers, but not all A (host) records for the leased addresses of the upgraded client computers exist in the DNS zone. You must enable users to access all the network resources they need. What should you do?
A. Disable the option for DHCP servers to register DHCP clients with the DNS servers.
B. Reauthorize all DHCP servers in Active Directory.
C. Add the DHCP servers to the DnsUpdateProxy group in Active Directory.
D. Require secure dynamic updates for the existing zones.

Answer: C

Explanation: Ordinarily only the owner of a DNS record is able to delete or update it. Now we must allow all DNS servers to change and delete these client DNS records. The solution to this problem is to use Active Directory Users and Computers to add your DHCP server computers to the built-in DnsUpdateProxy group. This will permit all of your DHCP servers the right to perform proxy updates for any of your DHCP clients.
Incorrect Answers:
A: The DHCP servers only register downlevel clients like Windows 98 and Windows 95. After the upgrade all client computers are Windows 2000. Disabling the option to register DHCP clients with DNS would have no effect.
B: The DHCP servers have already been authorized in Active Directory. They were working before the upgrade of the DNS zones.
D: Requiring secure updates would not help.

199. You are the administrator of your company’s network, which consists of a single Windows 2000 domain. Your network includes 200 desktop client computers. Some of these computers run Windows 2000 Professional, and the rest run Windows NT Workstation 4.0. All client computers use DHCP to obtain their TCP/IP configuration. DHCP is configured to dynamically register DNS records for all DHCP clients. Five mobile users require remote access to network resources. Two of the five users have portable computers that run Windows 2000 Professional. The other three users have portable computers that run Windows NT Workstation 4.0. You install Routing and Remote Access on a server, accepting all default settings. You configure two network adapters named NIC1 and NIC2 on this server. NIC1 is connected to the Internet and NIC2 is connected to the internal network. You ensure that your DHCP server has enough IP addresses to accommodate all DHCP clients. The two remote users who use Windows 2000 Professional can now successfully connect to the remote access server. However, the other three remote users report that they are sometimes unsuccessful when they try to connect to the remote access server. How should you correct this problem?
A. Configure the remote access server to use NIC1 to obtain DHCP configuration.
B. Configure the remote access server to use NIC2 to obtain DHCP configuration.
C. Create a new DHCP scope for the remote users and set the DHCP lease duration to be unlimited.
D. Create a new DHCP scope for the remote users and set the DHCP lease duration to be one hour.

Answer: B

Explanation: The remote access server should be configured to use the internal interface, NIC2, to obtain IP configuration.

Incorrect Answers:
A: NIC1 is the external interface on the RAS server. DHCP configuration is provided by the DHCP server, which is located on the internal network. NIC2, not NIC1, connects to the internal network on the RAS server.
C: It would be unwise to have an unlimited lease duration. In effect the clients would use static IP addresses. Furthermore, the lease duration has nothing to do with the problem at hand.
D: Decreasing the lease duration would not enable the NT clients to connect.

200. You are the administrator of a Web server hosted on the Internet that runs on Windows 2000 Server. You want to download ActiveX controls automatically to your customers’ Internet browsers. The default security settings on your customers’ browsers prevent this. What should you do to automate the downloading of your ActiveX controls?
A. Install an Enterprise CA on one of your domain controllers and have it issue a certificate for code signing.
B. Install an Enterprise Subordinate CA that uses a commercial CA as the parent. Create a policy on the Subordinate CA that allows the Web developers to request a certificate for code signing.
C. Install an Enterprise CA on one of your domain controllers. Install an Enterprise Subordinate CA on one of your member servers. Issue code-signing certificates to your Web developers.
D. Configure your Web server to request code signing certificates from a commercial CA such as Verisign.

Answer: D

Explanation: Only external customers will use the certificates. A Certification Authority (CA) connected to the domain is not necessary. The best solution is to use certificates from a commercial CA such as Verisign.
Incorrect Answers:
A: External customers would not be able to use an Enterprise CA since they are not a part of your domain.
B: The certificate must be issued by the public CA, not the subordinate Enterprise CA, to be usable by external customers with no rights or permissions in the domain.
C: External customers would not be able to use an Enterprise Subordinate CA that uses an Enterprise CA, since they are not part of the domain.

201. You are the network administrator for the research department of Contoso Pharmaceuticals. You need to set up a DHCP server for a new Windows 2000 lab in your department. You install a Windows 2000 Server computer as the first domain controller in a forest root domain named research.contoso.com. You then install and configure DHCP services on the new server. You ask Lilleanne, a member of the Enterprise Admins group for Contoso.com, to authorize the new DHCP server. She tries to do so. However, she receives an error message stating that the server cannot be located in the directory for Contoso.com. You need to ensure that your DHCP server is properly authorized in the directory for Contoso.com. What should you do?
A. Create a one-way trust relationship from contoso.com to research.com.
B. Add the Enterprise Admins group for contoso.com to the Administrators group for research.contoso.com.
C. Run dcpromo.exe on the DHCP server and join it to the contoso.com domain.
D. Create a one-way trust relationship from research.contoso.com to contoso.com.

Answer: B

Explanation: Only members of the Administrators group in the local domain can authorize DHCP servers in Active Directory.

Incorrect Answers:
A: By default there already exists a two-way trust between the domains, since both domains are in the same domain tree. Furthermore, this explicit trust would be in the incorrect direction.
C: Active Directory is already installed on the DHCP server, which is a domain controller in the research.contoso.com domain.
You can’t simply move a domain controller from one domain to another by running dcpromo.exe.
Note: To migrate from one domain to another, the dcpromo.exe utility would have to be used twice: first to remove AD while leaving the first domain, and then to add AD while joining the second domain.
D: There is no need to add an explicit trust. By default there already exists a two-way trust between the domains, since both domains are in the same domain tree.

202. You are the administrator for your company’s network. Your network has three Windows 2000 Server computers, named Srvr1, Srvr2, and Srvr3. Each employee has his own Windows 2000 Professional computer. Also there is one Windows 2000 Professional computer, named Prof1, that is used by the general public. Recently several files have been written to Srvr1 and Srvr2 that could possibly have caused great harm to your company’s network. You suspect that the files came from Prof1. You want to monitor the traffic between these three computers. Srvr3 is located in your office, so you decide to capture the data there. You want to accomplish these goals with the least amount of administrative overhead. What should you do?
A. On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1, Srvr1, and Srvr2.
B. On Prof1, install the Network Monitor driver. On Srvr1 and Srvr2, install the Network Monitor driver. On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1, Srvr1, and Srvr2.
C. On Prof1, install the Network Monitor Tools. Then start Network Monitor and configure capture data for Prof1. On Srvr1 and Srvr2, install the Network Monitor driver. On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Srvr1 and Srvr2.
D. On Prof1, install the Network Monitor driver. On Srvr1 and Srvr2, install the Network Monitor Tools.
Then start Network Monitor and configure the capture data for Srvr1 and Srvr2, respectively. On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1.

Answer: B

Explanation: In this scenario we should install the Network Monitor Tools on the computer we want to use to capture data, i.e. Srvr3, and install the Network Monitor driver on the computers we want to monitor, i.e. Srvr1, Srvr2 and Prof1.

Incorrect Answers:
A: The Network Monitor driver must be installed on all computers from which you want to capture data.
C: You cannot install the Network Monitor Tools on a Windows 2000 Professional computer; a Windows 2000 Server computer is required.
D: We want to capture traffic between Srvr1, Srvr2 and Prof1. By only capturing data from Prof1 you will not capture any communication between Srvr1 and Srvr2.

203. You are the administrator of your company’s network. You have a portable computer that uses Microsoft Internet Explorer to access your company’s Internet Information Services (IIS) computer. This application works successfully when your portable computer is docked at the office, but it fails when your portable computer is connected by Routing and Remote Access. You want to configure your portable computer to connect to your company’s network by Routing and Remote Access. You want to install only what is necessary while maximizing performance and minimizing administrative overhead. What should you click in the appropriate box or boxes in the Networking tab of the dialog box? (Choose all that apply)
A. Internet Protocol (TCP/IP)
B. File and Printer Sharing for Microsoft Networks
C. Network Load Balancing
D. Client for Microsoft Networks

Answer: A, D

Explanation: The TCP/IP protocol is needed to use the IIS computer. The IIS application works when the computer is docked at the LAN, but it does not function when you are connecting remotely through the RRAS server.
The IIS server requires Kerberos authentication, which is done through a user account in the domain, and therefore the Client for Microsoft Networks must be configured on the remote connection on the laptop.

Incorrect Answers:
B: There is no requirement that the user of the laptop should be able to share files and printers on the laptop.
C: We cannot configure Network Load Balancing on a remote connection. Network Load Balancing (NLB) balances the workload among each server by allowing the group of them to be addressed by the same set of cluster Internet Protocol (IP) addresses.

204. You are the administrator of a Windows 2000 domain. The domain has two Windows 2000 member server computers named Istanbul and Rome. Routing and Remote Access is enabled for remote access on Rome. Internet Authentication Service (IAS) is installed on Istanbul. Rome uses Istanbul to authenticate remote access credentials. The remote access policies on Istanbul specify that domain members are allowed remote access to the network. However, users report that they are not allowed to dial in to Rome. When you investigate the problem, you discover that the configuration of Istanbul supports only local user accounts. What should you do?
A. Add Istanbul to the RAS and IAS Servers group in Active Directory.
B. Configure Routing and Remote Access on Istanbul to use RADIUS authentication.
C. On Istanbul, add a realm replacement rule for the Windows 2000 domain.
D. On Istanbul, add a remote access policy that uses MS-CHAP.

Answer: A

Explanation: If the remote access server is a member server in a mixed-mode or native-mode Windows 2000 domain and is configured for Windows authentication, the computer account of the RAS server computer must be a member of the RAS and IAS Servers security group. Configuring membership can be completed by a domain administrator by using the Active Directory Users and Computers snap-in to add the computer to the RAS and IAS Servers security group in the Users container.
Incorrect Answers:
B: This is not an authentication problem. The problem is that the configuration of IAS on Istanbul only supports local user accounts.
C: Realm replacement rules are used to transform user credentials, for example by replacing the user name someone@business with someone@business.au. IAS will then forward the authentication request as someone@business.au. But the problem is that the configuration of IAS on Istanbul only supports local user accounts.
D: This is not a remote access policy problem. The problem is that the configuration of IAS on Istanbul only supports local user accounts.

205. You are the administrator of a Windows 2000 network that consists of a single domain. No employee in your company should have the ability to encrypt files by using Encrypting File System (EFS). You need to remove this ability from all users in the domain. What should you do to accomplish this goal? (Choose all that apply)
A. From the Run command, start Secpolmsc.
B. Go to the Encrypted Data Recovery Agents container and delete the certificate you find. From the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain policy.
C. Go to the Public Key Policies container and delete the Encrypted Data Recovery Agents policy. From the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain policy.
D. Go to the Encrypted Data Recovery Agents container and delete the certificate you find.
E. Go to the Encrypted Data Recovery Agents container and initialize the empty policy. From the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain policy.
F. Go to the Public Key Policies container and initialize the empty policy.

Answer: D, E

Explanation: The ability to encrypt files must be removed from all users in the domain.
This is done by going to the Encrypted Data Recovery Agents container and deleting the certificate we find there; going to the Encrypted Data Recovery Agents container and initializing the empty policy; and, from the Active Directory Users and Computers console, accessing the Group Policy Editor and editing the domain policy. There is a difference between an empty policy and no policy. In Active Directory, where the effective policy is an accumulation of Group Policy Objects defined at various levels in the directory tree, the absence of a recovery policy at higher-level nodes (for example, at the domain node) allows policies at a lower level to take effect. An empty recovery policy at higher-level nodes disables EFS by providing no effective recovery certificates. On a given computer (stand-alone or joined to the domain), an effective policy must have at least one valid recovery certificate to enable EFS on that computer. Furthermore, the EFS policy has to be deleted.

Incorrect Answers:
A: There is no command tool or Microsoft Management Console snap-in called Secpolmsc.
B: An empty policy must be initialized. If not, other policies could take effect and enable EFS.
C: The Encrypted Data Recovery Agents policy is contained in the Encrypted Data Recovery Agents container, not in the Public Key Policies container. The empty policy must be initialized.
F: The empty policy is initialized in the Encrypted Data Recovery Agents container, not the Public Key Policies container. The EFS policy has to be deleted.

206. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named DeskA. Routing and Remote Access is enabled for remote access on DeskA. Your company is organizing an industry trade show in a conference center. You have set up 15 desks and telephones in the conference area. During the conference, attendees will be allowed to dial in to your network by using any of the 15 telephones. Each telephone line has its own telephone number.
The conference attendees can use their own portable computers to dial in. When attendees dial in to DeskA, they do not need to specify a user name or password. However, you do not want to allow dial-in access from any telephone other than the 15 telephones in the conference area. You enable unauthenticated access on the DeskA remote access server. You also create a remote access policy named Conference that allows unauthenticated access as the authentication method. Attendees report that they are not able to dial in unless they specify a user name and password. You want to ensure that attendees can dial in without specifying a user name and password. What should you do?
A. Create a user account named Conference Guest. Configure Routing and Remote Access to use the Conference Guest account as the default user identity.
B. Configure the Conference Guest account to use the 15 phone numbers as Caller ID. Create 15 user accounts named Conf-1, Conf-2, Conf-3, and so on through Conf-15. Specify a separate Caller ID phone number for each of the 15 users.
C. Create 15 user accounts that use each phone number as the user name. Configure Routing and Remote Access to use the calling number as the authentication identity.
D. Configure the Conference remote access policy so that it has a Calling-Station-ID condition. Use the 15 phone numbers as the condition.
Answer: C
Explanation: The calling number can be used as the authentication identity, so the remote clients do not need to provide any credentials. Automatic Number Identification/Calling Line Identification (ANI/CLI) authentication authenticates a connection attempt based on the telephone number of the caller. The ANI/CLI service returns the caller's number to the receiver of the call and is provided by most telephone companies. In ANI/CLI authentication no user name or password is sent; the remote access server looks up a user account whose name is the calling number, so only calls from the 15 conference numbers can be matched to an account.
Incorrect Answers:
A: The user accounts should have the telephone numbers as user names. A single default identity would not restrict access to the 15 conference telephones.
B: We want to avoid the need to supply a user name and password. With caller ID verification on the dial-in properties of a user account, the caller still sends a valid user name and password; the caller ID configured on the account must additionally match the connection attempt, otherwise the attempt is rejected.
D: The conditions defined in a remote access policy are combined, and all of them have to be met. With 15 separate Calling-Station-ID conditions no one would get access, since a remote caller can only meet one of them.

207. You are the administrator of a Windows 2000 network. Your company wants you to provide a high level of security for its Public Key Infrastructure. You decide to create an offline root Certificate Authority (CA). You want the offline root CA to be capable of processing certificate requests from files, and you want the offline root CA to be recognized as a trusted root authority for Windows 2000 client computers. How should you create the offline root CA?
A. On a member Windows 2000 Server computer that is connected to the network, create an Enterprise CA. After you install the CA, remove the server to a secure and separate location.
B. On a member Windows 2000 Server computer, create a subordinate Enterprise CA that uses a commercial CA as the certifying authority. After you install the CA, remove the server to a secure and separate location.
C. On a stand-alone Windows 2000 Server computer that is isolated from the network, create a stand-alone CA. Export the certificate for the CA to a floppy disk.
D. In the Default Domain Group Policy object (GPO), import the certificate to the Enterprise Trust certificate store.
E. On a stand-alone Windows 2000 Server computer that is isolated from the network, create a stand-alone CA. Export the certificate for the CA to a floppy disk.
In the Default Domain Group Policy object (GPO), import the certificate to the Trusted Root Certification Authorities store.
Answer: E
Explanation: An offline root CA is kept off the network for security reasons, to protect the root key from attack by users on the network. In Windows 2000 the CA type that runs on an isolated computer that is not a domain member, and that accepts certificate requests submitted from request files, is the stand-alone CA; an Enterprise CA requires Active Directory and a connected, domain-joined server, so it cannot serve as the offline root. We therefore install a stand-alone root CA on the isolated server and export its CA certificate to a floppy disk. Because a stand-alone CA does not publish its certificate to Active Directory automatically, the certificate is imported into the Trusted Root Certification Authorities store in the Default Domain GPO, which distributes it to every Windows 2000 client computer in the domain. Before the root is taken offline, its certificate revocation list (CRL) should be published and the CRL distribution point set to a location reachable by all users on the organization's network, since clients check the CRL when they validate certificates issued by the root.
Incorrect Answers:
A: An Enterprise CA depends on Active Directory for its configuration and certificate templates and must remain online as a domain member; it cannot function as an offline root.
B: The offline CA must be a root CA, not a subordinate CA, and an Enterprise CA cannot be taken offline.
C: Creating the stand-alone CA and exporting its certificate is only half of the solution; the clients will not trust the root until its certificate is distributed to them.
D: The Enterprise Trust store holds certificate trust lists, not trusted root certificates. Importing a certificate on its own also does not create the CA.

208. You are the administrator of a Windows 2000 network. The network consists of one Windows 2000 domain that has Windows 2000 Professional client computers and Windows NT Workstation 4.0 client computers. To create a digital certificate, you use a stand-alone certificate server configured as a root Certificate Authority (CA). You use the digital certificate to secure a virtual directory on your Internet Web server.
Users report that when they connect to the virtual directory by means of a new URL, a Security Alert dialog box appears with the following warning message: "The security certificate was issued by a company you have not chosen to trust." You want to prevent this warning message from appearing. You also want to avoid any unnecessary reconfiguration of either the certificate server or the Web server. What should you do?
A. Inform your users of the new URL that points to the host name used in the digital certificate.
B. Configure a Group Policy that automatically installs the digital certificate for the certificate server as a trusted authority on the client computers.
C. Inform your users that they need to install a client certificate from the certificate server.
D. Inform your users that they need to install the digital certificate for the certificate server as a trusted authority on their client computers.
Answer: D
Explanation: The clients must regard the certificate server as a trusted authority. They must install the CA's certificate in their trusted root store so that certificates issued by it, including the Web server's certificate, chain to a trusted root. If all clients were Windows 2000 computers the best solution would be to deploy the root certificate with a Group Policy, but there are Windows NT 4.0 clients, and they cannot process Group Policy. The best solution in this scenario is therefore to inform the users and ask them to install the certificate themselves. Once the users have installed the certificate server's certificate as a trusted authority on their client computers, they will trust the Web server's certificate and will no longer receive the error message given in the scenario. A certificate binds a public key to the identity of its holder and includes a digital signature from the certification authority that issued it.
In the certificate authentication process, your computer presents its certificate to the server and the server presents its certificate to your computer, enabling mutual authentication. A certificate is verified by checking its digital signature with the public key of the issuing authority, which is contained in a trusted root certificate stored on your computer. These root certificates are the basis for certificate verification and should be supplied only by a system administrator. Windows 2000 ships with a number of trusted root certificates; trusted root certificates should be added or removed only when the system administrator advises it, because anyone whose root certificate is trusted can issue certificates for any server name.
Incorrect Answers:
A: The warning is about an untrusted issuer, not a host name mismatch. A URL matching the certificate's host name would not help; the CA's certificate must be installed as a trusted authority on the clients.
B: There are Windows NT 4.0 clients, and they cannot use Group Policy.
C: A trusted authority (root CA) certificate, not a client certificate, must be installed.

209. You are the administrator of a Windows 2000 domain. The domain has six Windows 2000-based Routing and Remote Access servers and two Windows 2000-based Internet Authentication Service (IAS) servers named IAS1 and IAS2. The six Routing and Remote Access servers use the two IAS servers to authenticate remote access credentials. On IAS1, you change the remote access policies. You want to ensure that this change is also enforced on IAS2. What should you do?
A. In the Active Directory Sites and Services console, force replication from IAS1 to IAS2.
B. On IAS1, select Register Service in Active Directory. Repeat this command on IAS2.
C. Use the Netsh command-line utility to copy the IAS configuration from IAS1 to IAS2.
D. Manually copy the ras.mdb file from IAS1 to IAS2.
Answer: C
Explanation: Remote access policies are not stored in Active Directory; each IAS server stores them locally in its ias.mdb database. To copy the IAS configuration to another server, type netsh aaaa show config > path\file.txt at a command prompt on IAS1.
This stores the configuration settings, including registry settings, in a text file. The path can be relative, absolute, or a UNC path. Then copy the file to the destination computer and, at a command prompt on that computer, type netsh exec path\file.txt. A message indicates whether the update succeeded. The exported file contains the complete IAS configuration, including the RADIUS client configuration, so treat it as sensitive and delete it from both computers when the import is done.
Incorrect Answers:
A: Remote access policies are not stored in Active Directory; they are stored locally in the ias.mdb file, so directory replication does not carry them.
B: Registering the service in Active Directory only authorizes the IAS server to read the dial-in properties of user accounts; remote access policies are not stored in Active Directory.
D: There is no ras.mdb file in Windows 2000.

213. You are the administrator of your company's network, which includes one Windows 2000 domain in native mode. Four servers on the network are available for remote users. All four are member servers running Windows 2000 Server and Routing and Remote Access. Currently, remote access is administered individually through Active Directory user attributes. You want to administer remote access by using centralized remote access policies. Which courses of action should you perform? (Each correct answer presents part of the solution. Choose two)
A. Configure the four servers as RADIUS clients.
B. Configure the four servers as domain controllers in the existing domain.
C. Configure the four servers as domain controllers in a new domain in a separate forest. On a Windows 2000 member server in the new domain, configure the Internet Authentication Service (IAS). Create a remote access policy on the IAS server.
D. Configure the four servers as domain controllers in a new domain in a separate forest. On a Windows 2000 member server in the new domain, configure the Internet Authentication Service (IAS). Create a remote access policy on a domain controller to administer all remote access users.
E. On a Windows 2000 member server in the existing domain, configure the Internet Authentication Service (IAS). Create a remote access policy on a domain controller to administer all remote access users.
F. On a Windows 2000 member server in the existing domain, configure the Internet Authentication Service (IAS). Create a remote access policy on the IAS server.
Answer: A, F
Explanation: IAS is used to centralize the administration of RRAS servers.
A: The RRAS servers are set up as RADIUS clients of the IAS server, so every connection attempt is evaluated against the IAS server's policies instead of each RRAS server's local policies.
F: We configure the central remote access authentication computer, the IAS server, on a Windows 2000 member server and create one remote access policy on it that applies to all the RADIUS clients.
Reference: Microsoft white paper, Internet Authentication Service for Windows 2000
Incorrect Answers:
B: The four servers should be configured as RADIUS clients, not domain controllers.
C: There is no need for the RADIUS clients to be domain controllers; on the contrary, it would endanger security, since remote access servers are exposed to untrusted callers.
D: As for C, the RADIUS clients need not be domain controllers, and the policy belongs on the IAS server, not on a domain controller.
E: The remote access policy should be created on the IAS server, not on a domain controller.

214. You are the network administrator for your company. The network consists of a single Windows 2000 domain with three sites, as shown in the exhibit. Users in Site3 report that they cannot log on to the domain or access any resources in the other sites. You check a client computer. It has an IP address of 169.254.13.74. What should you do?
A. Disable Automatic Private IP Addressing (APIPA) on the client computers.
B. Add a new scope to the DHCP server for the computers in Site3.
C. Configure a DHCP Relay Agent on DC3.
D. Add reservations in the DHCP scope for all client computers.
Answer: C
Explanation: 169.254.13.74 is an APIPA address, which a Windows 2000 client assigns itself only when it gets no answer from a DHCP server. The clients in Site3 are therefore unable to reach the DHCP server: DHCP discovery is sent as a broadcast, and the routers between the sites do not forward it. A DHCP Relay Agent on DC3 in Site3 forwards the clients' DHCP messages to the DHCP server as unicast, so the clients can receive their IP configuration.
Incorrect answers:
A: Disabling APIPA on the client computers would not help them receive IP configuration from the DHCP server. They would simply have no IP configuration at all.
B: No configuration of the DHCP server will help; the clients' requests never reach it.
D: No configuration of the DHCP server will help; the clients' requests never reach it.

215. You are the administrator of your company's network, which consists of five servers running Windows 2000 Server and 20 client computers running Windows 2000 Professional. All servers have static IP addresses, and all client computers use Automatic Private IP Addressing (APIPA) for IP address assignment. One server is multihomed, with a persistent connection to your company's Internet service provider (ISP). Your company is acquired by another company. You must provide Internet access for all internal users. You must also enable remote users to access your internal servers. Your solution must involve the fewest possible changes to your current network configuration. Which action or actions should you perform? (Choose all that apply.)
A. Enable Internet Connection Sharing on the multihomed server.
B. Install the Network Address Translation protocol (NAT) on the multihomed server.
C. Configure the multihomed server as a DHCP allocator and exclude the static server addresses.
D. Map the internal server addresses and ports to IP addresses in a pool assigned by your ISP.
E. Configure the external interface on the multihomed server as a demand-dial interface for DNS query resolution.
Answer: B, C, D
Explanation: There are basically three ways to provide Internet access in a Windows 2000 network: ICS, NAT, and Proxy Server. NAT is the appropriate solution in this scenario.
B: NAT must be installed on the multihomed server.
C: The clients currently use APIPA addresses, which come with no default gateway or DNS server, so the clients cannot use the NAT computer. Instead we enable the DHCP allocator on the NAT computer, which leases the clients addresses along with the NAT computer as their default gateway and DNS proxy, and exclude the servers' static addresses so they are not leased out a second time.
D: We provide remote users with access through the Internet by mapping public IP addresses and ports to the internal servers' addresses and ports.
Incorrect answers:
A: It is not explicitly stated in the scenario, but it seems safe to assume that the network is a domain, not a workgroup. A Windows 2000 domain requires a DNS server, and ICS is intended for small networks without DNS servers, DHCP servers, or domain controllers: it uses a fixed configuration and cannot be tailored to an existing network.
E: There is a persistent connection to the ISP, not a dial-up connection, so there is no need for a demand-dial interface.

217. You are the network administrator for Contoso, Ltd. Your network consists of a single Windows 2000 domain and a single standard primary DNS zone. The network includes four domain controllers: D-DC1, D-DC2, S-DC, and B-DC. Users in the Seattle and Boston offices report that response times are extremely slow when they try to log on to the domain or access intranet resources. On investigation, you discover that DNS name resolution queries are generating heavy traffic across the WAN links. You need to improve network response times for users and reduce name resolution traffic between the offices. To do so, you place one new member server in Seattle and another in Boston. You install the DNS Server service on both servers. What should you do next?
A. Create an Active Directory integrated zone on each new server. Convert the existing zone to an Active Directory integrated zone. Configure the client computers in each office to query their local DNS server.
B. Create a standard primary zone on each new server. Add resource records for each office's intranet resources to the zone. Configure the client computers in each office to query their local DNS server.
C. Create a standard secondary zone on each new server. Use the primary zone at the main office as the master zone. Configure the client computers in each office to query their local DNS server.
D. Create a standard primary zone on each new server. Configure the servers to forward requests to the DNS servers in the main office.
Configure the client computers in each office to query their local DNS server.
Answer: C
Explanation: We should create standard secondary zones on the new member servers in Seattle and Boston, configured to use the primary zone at the main office in Dallas as their master. Finally, the client computers in Seattle and Boston should be configured to query their local DNS server. Queries are then answered locally from the secondary copy of the zone, and only zone transfers cross the WAN links, which improves response times and reduces name resolution traffic.
Incorrect Answers:
A: We cannot use Active Directory integrated zones on the member servers in Seattle and Boston. Active Directory integrated zones require domain controllers.
B: A zone can have only one standard primary server. Separate primary zones at Dallas, Boston and Seattle would be three unrelated copies that are not kept in sync.
D: A zone can have only one standard primary server, so we cannot use primary zones both at Dallas and at the local offices.

218. You are the administrator of your company's network, which includes 100 computers running Windows 2000 Professional and 10 computers running Windows 2000 Server. All client computers are DHCP clients. All servers have static IP addresses. Your company plans to use network address translation to provide Internet access for all client computers on the network. In addition, both internal and remote users must be able to access internal servers. Because you anticipate growth in the near future, you lease a pool of 100 addresses from an Internet service provider (ISP). You configure the Network Address Translation protocol (NAT) on a server named NATSvr1, which has a persistent connection to the ISP. You map the ports and addresses of your internal servers to ports and addresses in the pool assigned by the ISP. Ten internal users now report that they have no Internet access. However, these users can access internal network resources. Remote users can access all internal servers from the Internet. You must enable all internal users to access the Internet. You must continue to enable all remote users to access internal network resources. What should you do?
A. Remove the existing DHCP server and enable the DHCP allocator on NATSvr1.
B. From your internal servers, remove the port and address mappings to the ports and addresses in the pool assigned by the ISP.
C. Enable the translation of TCP/UDP headers for the public interface of NAT.
D. Map the IP addresses of the client computers without Internet access to IP addresses in the pool assigned by the ISP.
Answer: A
Explanation: We must use the DHCP allocator that is included in NAT to provide IP configuration to the clients. The allocator leases the clients addresses on the private network together with NATSvr1 as their default gateway and DNS server, so all of their Internet-bound traffic passes through, and is translated by, NATSvr1.
Incorrect Answers:
B: The mappings from the IP addresses leased from the ISP to internal IP addresses and ports are what give external users access to the internal servers; removing them breaks the second requirement.
C: Header translation is the normal NAT function already in effect for the users who do have Internet access; it is not what these ten clients lack.
D: Mappings give external users access to internal resources. They do not provide internal users with Internet access.

219. You are the network administrator for Blue Yonder Airlines. Your network includes 300 client computers and 10 servers. All client computers run Windows 2000 Professional and use DHCP for IP address assignment. Eight servers run Windows 2000 Server and two servers run Windows NT Server 4.0. One Windows 2000 Server computer functions as your internal Web server. All servers have static IP addresses. You plan to provide Internet access for all your client computers by using the Network Address Translation protocol (NAT). You also want to enable both internal and remote users to access internal servers. You lease a pool of 50 IP addresses from an Internet service provider (ISP). You install and configure NAT on a Windows 2000 Server computer named NATSvr1. This computer has a persistent connection to the ISP.
A. On NATSvr1, select the Clients using Domain Name System (DNS) check box.
B. Map your Web server's internal address and port to an address and port in the pool leased from the ISP.
C. Install and configure an internal DNS server for your network.
Configure all remote users to use this computer as their DNS server.
D. From the pool leased from the ISP, reserve 10 IP addresses for use by internal servers.
Answer: B
Explanation: External users on the Internet are given access to internal resources through mappings from a public leased IP address and port to a local address and port. In this scenario we map the Web server's internal address and port to a leased IP address.
Reference: HOW TO: Configure a Windows 2000 Server as a Network Address Translation Server (Q299801)
Incorrect Answers:
A: The Clients using Domain Name System (DNS) setting is part of the general NAT configuration (it turns on the DNS proxy for the private network). It is not what makes internal resources reachable from the Internet.
C: There is no requirement for an internal DNS server when NAT is used, and remote users on the Internet would not use an internal DNS server anyway.
D: The leased addresses are used to create mappings; they are not assigned to the internal servers themselves.

221. You are the administrator of your company's network, which is divided into 50 segments. Segments 1 through 5 are connected to the Internet. All segments are connected by routers. The network also includes one DHCP server. Your company purchases an online training software package that uses multicast video. The software package will be installed on a dedicated video server located on Segment 1. The video server will deliver training videos to client computers located on the same segment. You must ensure that your DHCP server can issue multicast IP addresses. You must also ensure that the multicast video cannot be received by client computers located on other segments or by external computers on the Internet. You plan to create a multicast scope. For which subnet should you create the multicast scope?
A. 224.0.0.0/4
B. 224.0.0.0/8
C. 224.0.0.0/14
D. 224.0.0.0/24
Answer: D
Explanation: Multicast is a scheme for using IP addresses 224.0.0.0 through 239.255.255.255 to send the same data to several machines simultaneously.
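The following is an added worked example for question 221; it is not part of the original question set. It classifies IPv4 multicast groups by the well-known blocks (the local network control block 224.0.0.0/24, which routers never forward; the internetwork control block 224.0.1.0/24; and the administratively scoped range 239.0.0.0/8 from RFC 2365) and checks, for each of the four candidate scopes, how many group addresses a multicast router could forward off the local segment. The function names and the sample addresses are assumptions made here, not anything from the exam.

```python
"""
Added worked example for question 221 (not from the original question set):
classify IPv4 multicast groups by their well-known blocks and check which
candidate MADCAP scope is confined to the local segment.
"""
import ipaddress

# Well-known blocks (IANA multicast registry / RFC 2365). Names are ours.
LOCAL_NETWORK_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # never forwarded
INTERNETWORK_CONTROL = ipaddress.ip_network("224.0.1.0/24")   # forwarded globally
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")            # RFC 2365 boundaries
ALL_MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def classify(addr):
    """Return the block name for an IPv4 address (assumed helper)."""
    ip = ipaddress.ip_address(addr)
    if ip not in ALL_MULTICAST:
        return "not-multicast"
    if ip in LOCAL_NETWORK_CONTROL:
        return "local-network-control"
    if ip in INTERNETWORK_CONTROL:
        return "internetwork-control"
    if ip in ADMIN_SCOPED:
        return "administratively-scoped"
    return "global"


def forwardable_groups(scope):
    """Number of group addresses in `scope` that a multicast router may
    forward off the local segment (everything outside 224.0.0.0/24)."""
    net = ipaddress.ip_network(scope, strict=False)
    if not net.overlaps(ALL_MULTICAST):
        raise ValueError(f"{scope} is not a multicast range")
    if net.subnet_of(LOCAL_NETWORK_CONTROL):
        return 0
    # A CIDR block that overlaps 224.0.0.0/24 without being inside it contains it whole.
    local = LOCAL_NETWORK_CONTROL.num_addresses if net.overlaps(LOCAL_NETWORK_CONTROL) else 0
    return net.num_addresses - local


def confined_to_segment(scope):
    """True if no group in the scope can leave the segment."""
    return forwardable_groups(scope) == 0


def choose_scope(candidates):
    """First candidate whose every group stays on the segment, else None."""
    for scope in candidates:
        if confined_to_segment(scope):
            return scope
    return None


if __name__ == "__main__":
    candidates = ["224.0.0.0/4", "224.0.0.0/8", "224.0.0.0/14", "224.0.0.0/24"]
    for scope in candidates:
        print(f"{scope:>13}: {forwardable_groups(scope)} forwardable groups")
    print("scope to create:", choose_scope(candidates))
```

Note that an administratively scoped range such as 239.255.0.0/16 is also rejected by confined_to_segment: it stays inside an organization only if every router has a matching boundary configured, whereas 224.0.0.0/24 is never forwarded regardless of router configuration.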
Multicast boundaries are configurable administrative barriers that limit the extent of the IP internetwork over which multicast traffic can be forwarded. Without boundaries, an IP multicast router forwards all appropriate multicast traffic. Scope-based boundaries prevent the forwarding of multicast traffic sent to a specified group address or range of group addresses. The range 224.0.0.0 through 224.0.0.255 is reserved for local network control purposes (such as routing protocol and other administrative and maintenance traffic), and datagrams addressed to it are never forwarded by multicast routers, whatever their TTL. This is the 224.0.0.0/24 network, so a multicast scope created for it cannot reach other segments or the Internet.
Reference: RFC 2365 (Administratively Scoped IP Multicast); Multicast over TCP/IP HOWTO; What Is IP Multicast? (Q165011)
Incorrect Answers:
A, B, C: These larger ranges contain group addresses that multicast routers forward, so the video could leave the local segment.

222. You are the administrator of your company's network, which consists of a single Windows 2000 domain. The network has a persistent connection to the Internet. The relevant part of its configuration is shown in the exhibit. Your company employs mobile salespeople who use portable computers running Windows 98. To enable these users to access internal resources you place a virtual private network (VPN) server named VPN1 outside your firewall. This server is a stand-alone Windows 2000 Server computer running Routing and Remote Access. The firewall is configured to allow inbound access from VPN1 only. You configure PPTP ports on VPN1. Now you must configure packet filters. VPN1 must allow only VPN traffic on the Internet interface, and it must prevent non-VPN users from accessing internal resources. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Using the PPTP ports as the destination ports, create an input filter on VPN1. As the destination IP address, use the IP address of the external interface of VPN1.
B. Using the PPTP ports as the source ports, create an input filter on VPN1. As the source IP address, use the IP address of the external interface of VPN1.
C. Using the PPTP ports as the destination ports, create an input filter on VPN1. As the destination IP address, use the IP address of the internal interface of VPN1.
D. Using the PPTP ports as the source ports, create an output filter on VPN1. As the source IP address, use the IP address of the external interface of VPN1.
E. Using the PPTP ports as the destination ports, create an output filter on VPN1. As the destination IP address, use the IP address of the external interface of VPN1.
F. Using the PPTP ports as the source ports, create an output filter on VPN1. As the source IP address, use the IP address of the internal interface of VPN1.
Answer: A, D
Explanation: Both filters are applied to the Internet interface of VPN1, and both are keyed to the address of that interface, because the external address is the one the VPN clients connect to and the one VPN1 answers from.
A: The input filter, set to drop everything except what matches, admits only traffic addressed to the external interface of VPN1 with the PPTP control port (TCP 1723) as the destination port.
D: The output filter admits only traffic that leaves from the external interface of VPN1 with the PPTP port as the source port, which is exactly what VPN1's replies to its clients look like.
A complete PPTP filter set also needs a matching input and output filter for GRE (IP protocol 47), since the tunnelled data travels in GRE rather than on the PPTP TCP port; with only the TCP 1723 filters the control connection is established but no data passes.
Incorrect Answers:
B: Input filters must use the PPTP ports as destination ports; the client's source port is an arbitrary high port.
C: The only destination address allowed is the address of the external interface of VPN1; VPN clients never address the internal interface.
E: In an output filter the PPTP ports must be used as the source ports.
F: The source address of the output filter must be the external interface of VPN1. Packets that VPN1 sends back to its VPN clients carry the external interface's address as their source, so an output filter keyed to the internal interface address would never match them and VPN1 could not answer any client.

223. You are the administrator of your company's network. All computers on the network run Windows 2000. Two servers named ServerA and ServerB support a confidential medical records database. ServerA runs the database, and ServerB runs a middle-tier application that employees use to access the database. Your company decides to implement IPSec policies to increase network security. To ensure that all communications on ServerA are secure and encrypted, and to ensure that only ServerB can access resources on ServerA, you assign the default Secure Server IPSec policy on both ServerA and ServerB. However, users report that they can no longer access ServerB. How should you correct this problem?
A. Change the authentication header (AH) algorithm on ServerB to MD5.
B. Change the encapsulating security payload (ESP) protocol algorithm on ServerB to DES.
C. Assign a custom IPSec policy on ServerA. This policy will require IPSec authentication headers (AH) and the encapsulating security payload (ESP) protocol for traffic that originates from the IP address of ServerB.
D. Assign the Client (Respond Only) IPSec policy on ServerB.
Answer: D
Explanation: We need to ensure that all communications to and from ServerA are encrypted. We accomplish this by applying the default Secure Server (Require Security) IPSec policy on ServerA. In this scenario we have also applied this policy on ServerB. That enforces IPSec on all of ServerB's communication as well, which is why ServerB is no longer accessible to the clients: the clients have not been configured for IPSec, and Secure Server refuses unsecured traffic. There is no requirement that all traffic to and from ServerB be encrypted. We should change the policy on ServerB to Client (Respond Only). ServerB then communicates unsecured with the clients but responds with IPSec when ServerA requests it, so ServerA remains secure. Note that Secure Server requires IPSec from every peer; it does not by itself limit ServerA's peers to ServerB, which would need a custom policy with a filter list for ServerB's address.
Incorrect Answers:
A: We should change the IPSec policy, not the AH configuration on ServerB.
B: We should change the IPSec policy, not the ESP configuration on ServerB.
C: There is no need to change the IPSec policy on ServerA. It must be changed on ServerB.

225. You are the administrator of your company's network, which consists of a single site. The network contains 3,000 computers running Windows 2000 Professional and 100 computers running Windows 2000 Server. One server runs WINS. Your company acquires a subsidiary with a large network environment. The subsidiary's network links one main office and four branch offices. The main office has two WINS servers, and each branch office has one WINS server. Their routers do not support the Internet Group Management Protocol (IGMP). You want to integrate your existing WINS server with the WINS servers on the subsidiary's network.
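The following is an added worked example for question 222 above; it is not part of the original question set. It models RRAS IP packet filters in their "drop all packets except those that meet the criteria below" mode and runs one PPTP session (control connection on TCP 1723 plus GRE tunnel data) through the filter set on VPN1's Internet interface, so the difference between keying the output filter to the external address and to the internal address can be seen directly. All addresses are assumptions chosen for illustration from the documentation ranges: VPN1 external 203.0.113.10, VPN1 internal 192.168.1.1, a dial-in client at 198.51.100.7.

```python
"""
Added example for question 222 (not from the original question set): a small
model of RRAS IP packet filters in "drop all except matching" mode, used to
check the PPTP filter set on VPN1's Internet interface. Addresses are assumed
for illustration (documentation ranges).
"""
from dataclasses import dataclass
from typing import Optional

TCP, GRE = 6, 47      # IP protocol numbers
PPTP_PORT = 1723      # PPTP control connection; tunnel data rides in GRE
EXT, INT, CLIENT = "203.0.113.10", "192.168.1.1", "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Filter:
    """One RRAS filter entry; a field left as None matches anything."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
                 (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == have for want, have in pairs)


def permitted(filters, packet) -> bool:
    """'Drop all packets except those that meet the criteria below'."""
    return any(f.matches(packet) for f in filters)


# Answer A (TCP 1723 to the external address) plus the GRE filter PPTP needs.
INPUT_FILTERS = [Filter(dst=EXT, proto=TCP, dport=PPTP_PORT),
                 Filter(dst=EXT, proto=GRE)]
# Answer D: replies leave from the external address with the PPTP port as source.
OUTPUT_FILTERS = [Filter(src=EXT, proto=TCP, sport=PPTP_PORT),
                  Filter(src=EXT, proto=GRE)]
# Answer F as written: keyed to the internal interface address instead.
OUTPUT_FILTERS_F = [Filter(src=INT, proto=TCP, sport=PPTP_PORT),
                    Filter(src=INT, proto=GRE)]


def pptp_session(client=CLIENT, client_port=49152):
    """The packet types of one PPTP session as seen on the Internet
    interface, as (direction, packet) pairs."""
    return [
        ("in",  Packet(client, EXT, TCP, client_port, PPTP_PORT)),  # control SYN
        ("out", Packet(EXT, client, TCP, PPTP_PORT, client_port)),  # control SYN-ACK
        ("in",  Packet(client, EXT, GRE)),                          # tunnel data in
        ("out", Packet(EXT, client, GRE)),                          # tunnel data out
    ]


def session_allowed(input_filters, output_filters) -> bool:
    """True only if every packet of a PPTP session passes its filter list."""
    return all(permitted(input_filters if d == "in" else output_filters, p)
               for d, p in pptp_session())


if __name__ == "__main__":
    print("A+D:", session_allowed(INPUT_FILTERS, OUTPUT_FILTERS))    # True
    print("A+F:", session_allowed(INPUT_FILTERS, OUTPUT_FILTERS_F))  # False
    probe = Packet(CLIENT, EXT, TCP, 49153, 80)
    print("HTTP probe admitted:", permitted(INPUT_FILTERS, probe))   # False
```

The model ignores TCP state; real RRAS filters are stateless too, which is why the output filter has to name the PPTP port as the source port rather than relying on the inbound connection having been accepted.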
Your solution must ensure the smallest possible convergence time between the seven WINS servers. What should you do?
A. Configure your WINS server and the WINS servers in the subsidiary's main office as push/pull partners with each other. Configure the WINS servers in the subsidiary's branch offices as pull partners with one WINS server in the subsidiary's main office.
B. Configure your WINS server and the WINS servers in the subsidiary's main office as push/pull partners with each other. Configure the WINS servers in the subsidiary's branch offices as push/pull partners with one WINS server in the subsidiary's main office.
C. Configure all WINS servers to use the automatic partner configuration.
D. Configure all WINS servers as push/pull partners with each other.
Answer: B
Explanation: For the fastest convergence time we should configure push/pull partners: a push partner notifies its partner as soon as its database has changed by the configured number of updates, and a pull partner requests changes at a configured interval, so a push/pull partnership replicates in both directions and as soon as a change occurs. First we configure our WINS server as a push/pull partner with the WINS servers in the subsidiary's main office. Then we configure each branch office WINS server as a push/pull partner with one of the WINS servers in the subsidiary's main office.
Incorrect Answers:
A: This configures the branch office WINS servers as pull-only partners of a WINS server in the subsidiary's main office. A push/pull configuration has a faster convergence time than pull-only replication, which waits for the pull interval.
C: Automatic partner configuration discovers partners through IP multicast and therefore depends on the routers forwarding multicast (IGMP). The subsidiary's routers do not support IGMP, so it would not work across the offices.
D: This would work, but it would degrade performance because of the unnecessary replication traffic of a full mesh between seven servers.

227. You are the administrator of your company's network, which includes one segment named Segment A. Your company employs 300 mobile salespeople who connect their portable computers to this segment. Segment A includes a DHCP server that is configured with a single scope. The scope has the characteristics shown in the following table.
IP address range: 172.20.100.5 to 172.20.100.254
Lease duration: default setting
Reserved IP addresses: 10
Half of the salespeople work on-site from 8:00 A.M. to 5:30 P.M. on Mondays, Wednesdays, and Fridays. These users work remotely on other business days. The other half of the salespeople work on-site from 8:00 A.M. to 5:30 P.M. on Tuesdays and Thursdays. These users work remotely on other business days. The salespeople who work on-site on Tuesdays and Thursdays report that they cannot connect to network resources. You need to ensure that all salespeople can connect to network resources when they work on-site. You also want to minimize network traffic caused by DHCP services. What should you do?
A. Change the lease duration of the scope to 14 hours.
B. Change the lease duration of the scope to 9 hours.
C. Add IP address reservations for the computers used by the salespeople who work on-site Tuesdays and Thursdays.
D. Add IP address reservations for the computers used by the salespeople who work on-site Mondays, Wednesdays and Fridays.
Answer: A
Explanation: In Windows 2000, the default DHCP lease duration is 8 days. The scope holds 250 addresses (172.20.100.5 through 172.20.100.254), 10 of which are reserved, while 150 of the 300 salespeople are on site on any given day. With 8-day leases the Monday group still holds its addresses on Tuesday, so the scope runs out. We must shorten the lease so that an address used by one portable computer is released by the next morning and can be leased to another. A lease of 14 hours accomplishes this: a lease obtained at 8:00 A.M. is renewed once, at 3:00 P.M. (a DHCP client renews at half the lease time), and the renewed lease expires at 5:00 A.M. the next day, before the other group arrives.
Incorrect Answers:
B: A lease duration of 9 hours would also free the addresses from one day to the next, but it does not minimize DHCP traffic: because the client renews at half the lease time, a lease obtained at 8:00 A.M. is renewed at 12:30 P.M. and again at 5:00 P.M., twice as often as with a 14-hour lease.
C, D: Adding IP address reservations would not free addresses for the following day; it would only tie up more of the scope.

229. You are the administrator of your company's network, which consists of a single Windows 2000 domain. Company employees need to access network resources when they are working remotely. Some remote users have desktop computers that run either Windows 95, Windows 98, or Windows 2000 Professional.
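The following is an added worked example for question 227 above; it is not part of the original question set. It simulates the DHCP lease of a portable computer that is on site from 8:00 A.M. to 5:30 P.M., assuming the client renews at T1 = 50% of the lease time (the RFC 2131 default) for as long as it is still online and does not release its lease when it leaves, and it reports for each candidate lease duration how many renewals occur and whether the address is free again by 8:00 A.M. the next day. The function names and the address arithmetic are this example's own.

```python
"""
Added worked example for question 227 (not from the original question set):
simulate DHCP lease renewal for a portable computer that is on site from
8:00 A.M. to 5:30 P.M. and compare lease durations. Assumptions: the client
renews at T1 = 50% of the lease (RFC 2131 default) while still online, and
does not release its lease when it leaves for the day.
"""
import ipaddress

ON_SITE_FROM, ON_SITE_TO = 8.0, 17.5   # hours since midnight
NEXT_MORNING = 24.0 + 8.0              # 8:00 A.M. the following day


def simulate_lease(lease_hours, start=ON_SITE_FROM, stop=ON_SITE_TO):
    """Return (renewals, expiry) for one on-site day, times in hours since
    midnight of that day. Each renewal restarts the full lease."""
    renewals, acquired = 0, start
    while acquired + lease_hours / 2 <= stop:   # still online at T1?
        acquired += lease_hours / 2
        renewals += 1
    return renewals, acquired + lease_hours


def address_free_next_day(lease_hours):
    """True if the lease has expired before the other group arrives."""
    return simulate_lease(lease_hours)[1] <= NEXT_MORNING


def dynamic_addresses(first, last, reserved):
    """Addresses in the range that are actually available for leasing."""
    span = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return span - reserved


def best_lease(candidates):
    """Longest candidate (fewest renewals) that still frees the address in time."""
    usable = [h for h in candidates if address_free_next_day(h)]
    return max(usable) if usable else None


if __name__ == "__main__":
    pool = dynamic_addresses("172.20.100.5", "172.20.100.254", reserved=10)
    print("dynamic addresses:", pool, "on-site users per day:", 300 // 2)
    for hours in (8 * 24, 9, 14):
        r, exp = simulate_lease(hours)
        print(f"lease {hours:>3} h: {r} renewals, expires at {exp:.1f} h, "
              f"free by next morning: {address_free_next_day(hours)}")
    print("best of (9, 14):", best_lease([9, 14]))
```

With the default 8-day lease the address is still held on the following morning, which is the failure the Tuesday and Thursday group reports; 9 and 14 hours both free it overnight, and 14 hours does so with one renewal instead of two.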
Other remote users have company-issued portable computers that run Windows 2000 Professional. To provide secure access for all remote users, you enable Routing and Remote Access on a Windows 2000 Server computer that is connected to the Internet. You also create ports for 25 PPTP virtual private network (VPN) connections. You verify that all VPN client connections are configured correctly. To ensure security, you create a Routing and Remote Access policy and configure authentication as shown in the exhibit. You need to enable all remote users to connect to the VPN server, regardless of client operating system. You also need to ensure the highest possible level of authentication security. What should you do?

A. Select the Extensible Authentication Protocol check box and select MD5-Challenge in the list box.
B. Select the Microsoft Encrypted Authentication (MS-CHAP) check box.
C. Select the Encrypted Authentication (CHAP) check box.
D. Select the Unencrypted Authentication (PAP, SPAP) check box.

Answer: B

Explanation: Windows 95 and Windows 98 don't support MS-CHAP v2 without additional Windows update packages. This is the reason that only the Windows 2000 remote users can connect to the network. However, Windows 95 and Windows 98 do support the MS-CHAP authentication protocol. At present, all remote users of Windows 2000 Professional can connect to the VPN server successfully, and no other remote users can establish a connection.

Incorrect Answers:
A: EAP would require further configuration to function.
C: MS-CHAP is more secure than CHAP.
D: MS-CHAP is more secure than PAP and SPAP.

230. You are the network administrator for Trey Research. Your network consists of a single Windows 2000 domain. All servers run Windows 2000 Server and all client computers run Windows 2000 Professional. The network contains three domain controllers, which run the services shown in the following table.
Domain controller    Network services
DC1                  DNS, global catalog
DC2                  WINS
DC3                  DHCP, Certificate Services

DC1 hosts an Active Directory integrated zone, which is configured to require secure dynamic updates. All servers have static IP addresses and all client computers are DHCP clients. All computers are configured to register their addresses with DNS. Users report slow response times when they query the directory. Several users report that they cannot query the directory at all. When you view the event logs on DC1, you find the following event messages.

Event ID: 4011
The DNS server was unable to add or write and update of domain name ldap in zone treyresearch.com to the Active Directory. Check that the active Directory is functioning properly and add or update this domain name using the DNS console. The event data contains the error.

The DNS server was unable to add or write and update of domain name gc in zone treyresearch.com to the Active Directory. Check that the active Directory is functioning properly and add or update this domain name using the DNS console. The event data contains the error.

The DNS server was unable to add or write and update of domain name gc in zone treyresearch.com to the Active Directory. Check that the active Directory is functioning properly and add or update this domain name using the DNS console. The event data contains the error.

You also discover the following error message, which was logged by the Netlogon service.

Event ID: 5781
Dynamic registration or deregistration of one or more DNS records failed because no DNS servers are available.

You verify that the DNS Server service is running on DC1. When you examine the DNS zone database, you discover that SRV (service) records for DC1 are not being registered. However, SRV records for DC2 and DC3 are being registered. How should you correct this problem?

A. Install the DNS Server service and create an Active Directory integrated zone on DC2.
B. Configure the primary DNS server address of DC1 with its own IP address.
C. Reconfigure the treyresearch.com zone on DC1 so that it does not require secure dynamic updates.
D. Configure DC2 as a global catalog server and remove the global catalog from DC1.

Answer: D

Explanation: The cause of this problem is that the DNS server hosts an Active Directory integrated zone on a domain controller which is at the same time running the global catalog service. The best solution to this problem is to move the global catalog from the DNS server DC1 to the WINS server DC2.

Reference: DNS Server Generates Event 4011 (Q252695)

Incorrect Answers:
A: It would, if possible at all, require a lot of administrative effort to move the DNS service from DC1 to DC2.
B: This is a problem with the global catalog service, not a DNS configuration problem.
C: This is a problem with the global catalog service, not a DNS configuration problem.

231. You are the network administrator for your company. Your network consists of a single Windows 2000 domain in native mode, and it includes a Routing and Remote Access server named RAS1. RAS1 is located in your company's New York office. Company employees who travel to Singapore must dial in to RAS1 for network access. These employees use Windows 2000 Professional computers. You need to ensure that these dial-up connections are as secure as possible. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Configure RAS1 to require Microsoft Point-to-Point Encryption (MPPE) for all dial-up users.
B. Configure RAS1 to require L2TP connections for all dial-up users.
C. Configure RAS1 to require MS-CHAP v2 authentication.
D. Configure RAS1 to require EAP-CHAP authentication.
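The lease-duration reasoning in question 227 can be checked with a small model. The following Python script is an added example, not part of the exam material: it uses the figures the question and its explanation give (300 salespeople in two on-site groups of 150, a workday of 8:00 A.M. to 5:30 P.M., and 249 usable addresses in the scope) and, as a simplifying assumption, tracks only lease expiry, not the client's T1/T2 renewal timers. Running it shows why the 8-day default leaves the Tuesday/Thursday group without addresses, why a 9-hour lease runs out while the user is still on-site, and why a 14-hour lease frees every address overnight.

```python
"""Lease-duration model for the DHCP scope in question 227 (added example).

Assumptions (from the question text and its explanation): a scope of 249
usable addresses, two groups of 150 salespeople on site on alternate
days, a workday of 8:00 A.M. to 5:30 P.M. Only lease expiry is modelled;
the T1/T2 renewal timers of a real DHCP client are ignored.
"""

POOL_SIZE = 249            # usable addresses in the scope (per the explanation)
GROUP_SIZE = 150           # half of the 300 salespeople
WORK_START = 8.0           # 8:00 A.M., hours since midnight
WORK_END = 17.5            # 5:30 P.M.
HOURS_PER_DAY = 24.0

# Which group is on site on each weekday: Monday = 0 ... Friday = 4
ON_SITE = {0: "MWF", 1: "TT", 2: "MWF", 3: "TT", 4: "MWF"}


def simulate_week(lease_hours, days=5):
    """Return, per day, how many on-site clients could not obtain an address.

    Leases are stored as absolute expiry times in hours from Monday 0:00.
    Each on-site group requests addresses at the start of its workday; a
    client whose earlier lease is still valid keeps it, a client whose
    lease has expired must obtain a fresh one from the pool.
    """
    leases = {}      # (group, client_index) -> lease expiry time
    failures = []
    for day in range(days):
        now = day * HOURS_PER_DAY + WORK_START
        group = ON_SITE[day]
        # Expired leases return their addresses to the pool.
        leases = {k: exp for k, exp in leases.items() if exp > now}
        failed = 0
        for i in range(GROUP_SIZE):
            key = (group, i)
            if key in leases:
                continue                  # still holding a valid lease
            if len(leases) >= POOL_SIZE:
                failed += 1               # scope exhausted: no address offered
                continue
            leases[key] = now + lease_hours
        failures.append(failed)
    return failures


def expires_during_workday(lease_hours):
    """True if a lease granted at 8:00 A.M. runs out before 5:30 P.M.,
    so the client must obtain another lease while still on site."""
    return WORK_START + lease_hours < WORK_END


def frees_address_overnight(lease_hours):
    """True if a lease granted at 8:00 A.M. has expired by 8:00 A.M. next day,
    so the address is available to the other group."""
    return lease_hours < HOURS_PER_DAY


def evaluate(lease_hours):
    """Summarise one candidate lease duration in a single dictionary."""
    return {
        "failures_per_day": simulate_week(lease_hours),
        "expires_during_workday": expires_during_workday(lease_hours),
        "frees_address_overnight": frees_address_overnight(lease_hours),
    }


if __name__ == "__main__":
    for label, hours in (("default 8 days", 8 * 24), ("9 hours", 9), ("14 hours", 14)):
        print(label, evaluate(hours))
```

With the 8-day default the Monday group's 150 leases are still live on Tuesday, so only 99 addresses remain for the 150 Tuesday users and 51 of them get no address; the same shortfall repeats on Thursday. Both 9 and 14 hours clear the pool overnight, but only the 14-hour lease is still valid at 5:30 P.M., which is the distinction the explanation draws between answers A and B.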