Thursday, December 6, 2012

Best Microsoft 070-293 Exam Questions for FREE, Download the Latest 70-293 dumps now.



Version: 8.5  Release Date: May, 2012

Q: 1
You work as a network administrator for ABC.com. The ABC.com network consists of a single
Active Directory domain named ABC.com. There are currently 120 Web servers running Windows
2000 Server and are contained in an Organizational Unit (OU) named ABC_WebServers.
ABC.com management took a decision to upgrade all Web servers to Windows Server 2003.
You disable all services on the Web servers that are not required. After running the IIS Lockdown
Wizard on a recently deployed web server, you discover that services such as NNTP that are not
required are still enabled on the Web server.
How can you ensure that the services that are not required are forever disabled on the Web
servers without affecting the other servers on the network? Choose two.
A. Set up a GPO that will change the startup type for the services to Automatic.
B. By linking the GPO to the ABC_WebServers OU.
C. Set up a GPO with the Hisecws.inf security template imported into the GPO.
D. By linking the GPO to the domain.
E. Set up a GPO in order to set the startup type of the redundant services to Disabled.
F. By linking the GPO to the Domain Controllers OU.
G. Set up a GPO in order to apply a startup script to stop the redundant services.
Answer: B,E
Explanation: Windows Server 2003 installs a great many services with the operating system, and
configures a number of them with the Automatic startup type, so that these services load automatically
when the system starts. Many of these services are not needed in a typical member server
configuration, and it is a good idea to disable the ones that the computer does not need. Services
are programs that run continuously in the background, waiting for another application to call on
them. Instead of controlling the services manually, using the Services console, you can configure
service parameters as part of a GPO. Applying the GPO to a container object causes the services
on all the computers in that container to be reconfigured. To configure service parameters in the
Group Policy Object Editor console, you browse to the Computer Configuration\Windows
Settings\Security Settings\System Services container and select the policies corresponding to the
services you want to control.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:1-6
Q: 2
You are working as the administrator at ABC.com. ABC.com has headquarters in London and
branch offices in Berlin, Minsk, and Athens. The Berlin, Minsk and Athens branch offices each
have a Windows Server 2003 domain controller named ABC-DC01, ABC-DC02 and ABC-DC03
respectively. All client computers on the ABC.com network run Windows XP Professional.
One morning users at the Minsk branch office complain that they are experiencing intermittent
problems authenticating to the domain. You believe that a specific client computer is the cause of
this issue and so need to discover the IP address of the client computer.
How would you capture authentication event details on ABC-DC02 in the Minsk branch office?
A. By monitoring the logon events using the SysMon utility.
B. By recording the connections to the NETLOGON share using the SysMon utility.
C. By recording the authentication events with the NetMon utility.
D. By monitoring the authentication events using the Performance and Reliability Monitor.
Answer: C
Explanation: The question states that you need to find out the IP address of the client computer
that is the source of the problem. Using Network Monitor to capture traffic is the only way to do
this.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;175062
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 826
Q: 3
You are working as the administrator at ABC.com. Part of your job description includes the
deployment of applications on the ABC.com network. To this end you operate by testing new
application deployment in a test environment prior to deployment on the production network.
The new application that should be tested requires 2 processors and 3 GB of RAM to run
successfully. Further requirements of this application also include shared folders and installation of
software on client computers. You install the application on a Windows Server 2003 Web Edition
computer and install the application on 30 test client computers.
During routine monitoring you discover that only a small number of client computers are able to
connect and run the application. You decide to turn off the computers that are able to make a
connection and discover that the computers that failed to open the application can now run the
application.
How would you ensure that all client computers can connect to the server and run the application?
A. By running a second instance of the application on the server.
B. By increasing the Request Queue Limit on the Default Application Pool.
C. By modifying the test server operating system to Windows Server 2003 Standard Edition.
D. By increasing the amount of RAM in the server to 4GB.
Answer: C
Explanation: Although Windows Server 2003 Web Edition supports up to 2GB of RAM, it
reserves 1GB of it for the operating system; only 1GB of RAM is available for the application.
Therefore, we need to install Windows Server 2003 Standard Edition or Enterprise Edition to
support enough RAM.
Q: 4
You are an Enterprise administrator for ABC.com. All servers on the corporate network run
Windows Server 2003 and all client computers run Windows XP.
The network contains a server named ABC-SR01 that has Routing and Remote Access service
and a modem installed which connects to an external phone line.
A partner company uses a dial-up connection to connect to ABC-SR01 to upload product and
inventory information. This connection happens between the hours of 1:00am and 2:00am every
morning and uses a domain user account to log on to ABC-SR01.
You have been asked by the security officer to secure the connection.
How can you ensure that the dial-up connection is initiated only from the partner company and that
access is restricted to just ABC-SR01? Choose three.
A. Set up the log on hours restriction for the domain user account to restrict the log on to between
the hours of 1:00am and 2:00am.
B. Set up a local user account on ABC-SR01. Have the dial-up connection configured to log on
with this account.
C. Set up the remote access policy on ABC-SR01 to allow the connection for the specified user
account between the hours of 1:00am and 2:00am.
D. Set up the remote access policy with the Verify Caller ID option to only allow calling from the
phone number of the partner company modem.
E. Set up the remote access policy to allow access to the domain user account only.
Answer: B,C,D
Explanation: To allow only the minimum amount of access to the network and ensure that only the
partner's application can connect to your network over the dial-up connection, you need to first
create a local account named on ABC-SR01. You need to then add this account to the local Users
group and direct the partner company to use this account for remote access.
You can use a local account to provide remote access to users. The user account for a standalone
server or server running Active Directory contains a set of dial-in properties that are used
when allowing or denying a connection attempt made by a user. You can use the Remote Access
Permission (Dial-in or VPN) property to set remote access permission to be explicitly allowed,
denied, or determined through remote access policies.
Next, you need to configure a remote access policy on ABC-SR01 to allow the connection for only
the specified user account between 1 AM and 2 AM.
In all cases, remote access policies are used to authorize the connection attempt. If access is
explicitly allowed, remote access policy conditions, user account properties, or profile properties
can still deny the connection attempt.
You need to then configure the policy to allow only the specific calling station identifier of the
partner company's computer. When the Verify Caller ID property is enabled, the server verifies the
caller's phone number. If the caller's phone number does not match the configured phone number,
the connection attempt is denied.
Reference: Dial-in properties of a user account
http://technet.microsoft.com/en-us/library/cc738142.aspx
Q: 5
You are an Enterprise administrator for ABC.com. The company consists of an Active Directory
domain called ad.ABC.com. All servers on the corporate network run Windows Server 2003. At
present, no provision has been made for Internet connectivity.
A server named ABC2 has the DNS server service role installed. The DNS zones on ABC2 are
shown below:
The corporate network also contains a UNIX-based DNS server named ABC-SR25, which hosts a
separate DNS zone on a separate network called ABC.com. ABC-SR25 provides DNS services to
the UNIX-based computers and is configured to run the latest version of BIND, and ABC.com
contains publicly accessible Web and mail servers.
The company has a security policy set, according to which, the resources located on the internal
network and the internal network's DNS namespace should never be exposed to the Internet.
Besides this, according to the current network design, ABC-SR25 must attempt to resolve any
name resolution requests before sending them to name servers on the Internet.
The company plans to allow users of the internal network to access Internet-based resources. To
implement the security policy of the company, you decided to send all name resolution requests
for Internet-based resources from internal network computers through ABC2. You thus need to
devise a name resolution strategy for Internet access and configure ABC2 so that it will
comply with the set criteria and restrictions.
Which two of the following options should you perform?
A. Have the Cache.dns file copied from ABC2 to ABC-SR25.
B. Have the root zone removed from ABC2.
C. ABC2 should be set up to forward requests to ABC-SR25.
D. Install Services for Unix on ABC2.
E. The root zone should be configured on ABC-SR25.
F. Disable recursion on ABC-SR25.
Answer: B,C
Explanation: To plan a name resolution strategy for Internet access and configure ABC2 so that it
sends all name resolution requests for Internet-based resources from internal network computers
through ABC2, you need to delete the root zone from ABC2 and configure ABC2 to forward requests
to ABC-SR25.
A DNS server running Windows Server 2003 follows specific steps in its name-resolution process.
A DNS server first queries its cache, then checks its zone records, then sends requests to forwarders,
and then tries resolution by using root servers.
The root zone indicates to your DNS server that it is a root Internet server. Therefore, your DNS
server does not use forwarders or root hints in the name-resolution process. Deleting the root
zone from ABC2 will allow you to first send requests to ABC2 and then forward requests to ABC-SR25
by configuring forward lookup zone. If the root zone is configured, you will not be able to use
the DNS server to resolve queries for hosts in zones for which the server is not authoritative and
will not be able to use this DNS Server to resolve queries on the Internet.
Reference: How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/kb/323380
Reference: DNS Root Hints in Windows 2003
http://www.computerperformance.co.uk/w2k3/services/DNS_root_hints.htm
Q: 6
You are working as the administrator at ABC.com. The network consists of a single Active
Directory domain named ABC.com with the domain functional level set at Windows Server 2003.
All network servers run Windows Server 2003 and all client computers run Windows XP
Professional.
The ABC.com domain is divided into organizational units (OU). All the resource servers are
contained in an OU named ABC_SERVERS and the workstations are contained in an OU named
ABC_CLIENTS. All resource servers operate at near capacity during business hours. All
workstations have low resource usage during business hours.
You received instructions to configure baseline security templates for the resource servers and the
workstations. To this end you configured two baseline security templates named
ABC_SERVERS.inf and ABC_CLIENTS.inf respectively. The ABC_SERVERS.inf template
contains many configuration settings. Applying the ABC_SERVERS.inf template would have a
performance impact on the servers. The ABC_CLIENTS.inf contains just a few settings so
applying this template would not adversely affect the performance of the workstations.
How would you apply the security templates so that the settings will be periodically enforced whilst
ensuring that the solution reduces the impact on the resource servers? Choose three.
A. By setting up a GPO named SERVER-GPO and link it to the ABC_SERVERS OU.
B. By having the ABC_SERVERS.inf template imported into SERVER-GPO.
C. By having the ABC_SERVERS.inf and the ABC_CLIENTS.inf templates imported into the
Default Domain Policy GPO.
D. By scheduling SECEDIT on each resource server to regularly apply the ABC_SERVERS.inf
settings during off-peak hours.
E. By having a GPO named CLIENT-GPO created and linked to the ABC_CLIENTS OU.
F. By having the ABC_CLIENTS.inf template imported into CLIENT-GPO.
G. By having SERVER-GPO and CLIENT-GPO linked to the domain.
Answer: D,E,F
Explanation: The question states that you need to apply the baseline security templates so that
the settings will be periodically enforced. To accomplish this you must create a scheduled task so
that the performance impact on resource servers is minimized. Furthermore, the question also
states that ABC_CLIENTS.inf is a baseline security template for client computers. Therefore, the
GPO has to be linked to the OU that contains the client computers, and the ABC_CLIENTS.inf
template must be imported to the said GPO so that it can be applied.
Secedit.exe is a command line tool that performs the same functions as the Security Configuration
And Analysis snap-in, and can also apply specific parts of templates to the computer. You can use
Secedit.exe in scripts and batch files to automate security template deployments.
You can create a baseline security configuration in a GPO directly, or import a security template
into a GPO. Link the baseline security GPO to OUs in which member servers’ computer objects
exist.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 10
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296,
Microsoft Press, Redmond, Washington, Chapter 9
Q: 7
You are working as the administrator at ABC.com. The ABC.com network consists of a single
Active Directory domain named ABC.com. The ABC.com network contains a DMZ that contains a
two-node Network Load Balancing cluster, which is located in a data centre that is physically
impenetrable to unauthorized persons.
The cluster servers run Windows Server 2003 Web Edition and host an e-commerce website. The
NLB cluster uses a virtual IP address that can be accessed from the Internet.
What can you do to mitigate the cluster’s most obvious security vulnerability?
A. Configure the cluster to require IPSec.
B. Configure the network cards to use packet filtering on all inbound traffic to the cluster.
C. Use EFS on the server hard disks.
D. Configure intrusion detection on the servers in the DMZ.
E. Configure MAC addressing on the servers in the DMZ.
Answer: B
Explanation: The most sensitive element in this case is the network card that uses an Internet-addressable
virtual IP address. The question doesn’t mention a firewall implementation or an
intrusion detection system (usually hardware). Therefore, we should set up packet filtering.
You can configure packet filtering to accept or deny specific types of packets. Packet headers are
examined for source and destination addresses, TCP and UDP port numbers, and other
information.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 7:
5
Q: 8
You are working as an administrator for ABC.com. The ABC.com network consists of a single
Active Directory domain named ABC.com. All the servers on the network run Windows Server
2003.
You have configured four servers in a network load balancing cluster. You need to enable the
cluster in unicast mode although each server only has one network card. After your configuration,
the NLB cluster has successfully converged.
You discover that you can optimize the use of the cluster by moving a specific application to each
node of the cluster. However for this application to execute, all the nodes of the cluster must be
configured by a Network Load Balancing Port Rule.
When you open Network Load Balancing Manager on one of the NLB nodes, you receive a
message saying that Network Load Balancing Manager is unable to see the other nodes in the
cluster.
How can you add a port rule to the cluster nodes?
A. By opening Network Load Balancing Manager on a different host.
B. By creating an additional virtual IP address on the cluster.
C. By modifying the Network Connection Properties on every host.
D. By removing each host from the cluster before creating the port rule.
Answer: C
Explanation: You can configure many Network Load Balancing options through either Network
Load Balancing Manager or the Network Load Balancing Properties dialog box accessed through
Network Connections. However, Network Load Balancing Manager is the preferred method. Using
both Network Load Balancing Manager and Network Connections together to change Network
Load Balancing properties can lead to unpredictable results.
Reference: Network Load Balancing Best practices / Use Network Load Balancing Manager.
http://technet.microsoft.com/en-us/library/cc740265.aspx
Q: 9
You are working as an administrator for ABC.com. The network consists of a single Active
Directory domain named ABC.com. All servers run Windows Server 2003 and all client computers
run Windows XP Professional.
The ABC.com departments are organized into organizational units (OUs). The Administration OU
is named ABC_ADMIN, and the Sales OU is named ABC_SALES. All file servers for all
departments are located in their respective OUs. The ABC_SALES OU is a child OU of the
ABC_ADMIN OU.
A new ABC.com written security policy states that servers in the ABC_ADMIN OU should be
highly secure. All communications with ABC-ADMIN servers should be encrypted. The security
policy also states that auditing should be enabled for file and folder deletion on Sales servers.
Communications with the Sales servers should not be encrypted.
How should you configure Group Policy for the ABC_Admin and ABC_Sales OU? Choose three.
A. Configure a GPO to apply the Hisecws.inf security template. Link this GPO to the ABC_ADMIN
OU.
B. Configure a GPO to enable the Audit object access audit policy on computer objects. Link this
GPO to the ABC_SALES OU.
C. Configure a GPO to apply the Hisecws.inf security template. Link this GPO to the ABC_Sales
OU.
D. Configure a GPO to enable the Audit object access audit policy on computer objects. Link this
GPO to the ABC_ADMIN OU.
E. Block group policy inheritance on the ABC_ADMIN OU.
F. Block group policy inheritance on the ABC_SALES OU.
Answer: A,B,F
Explanation: The Hisecws.inf security template increases security on a server. One of the
security settings is to require secure encrypted communications. A GPO with this template needs
to be applied to the ABC_ADMIN OU. We don’t want those settings applying to the ABC_SALES
OU though so we need to block inheritance on the ABC_SALES OU. We need to apply a GPO to
the ABC_SALES OU to apply the auditing settings.
Audit Object Access
A user accesses an operating system element such as a file, folder, or registry key. To audit
elements like these, you must enable this policy and you must enable auditing on the resource
that you want to monitor. For example, to audit user accesses of a particular file or folder, you
display its Properties dialog box with the Security tab active, navigate to the Auditing tab in the
Advanced Security Settings dialog box for that file or folder, and then add the users or groups
whose access to that file or folder you want to audit.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapters 9
and 10
Q: 10
You are working as an administrator at ABC.com. The ABC.com network consists of a single
Active Directory domain named ABC.com which contains Windows Server 2003 servers and Windows
XP Professional client computers.
You want to improve network security and need to pinpoint all computers that have known
vulnerabilities.
What should you do to automate the process of collecting information on existing vulnerabilities for
each computer, on a nightly basis?
A. By scheduling secedit to compare the security settings with a baseline and run on a nightly
basis.
B. By installing Anti-Virus software on the computers and configuring the software to update on a
nightly basis.
C. By configuring a scheduled task to run the mbsacli utility on a nightly basis.
D. By having Microsoft Baseline Security Analyzer (MBSA) installed on a server on the network.
E. By configuring Automatic Updates to use a local SUS server and run on a nightly basis.
F. By configuring Automatic Updates to run on a nightly basis and use the Microsoft Updates
servers.
Answer: C
Explanation: We can schedule the mbsacli.exe command to periodically scan for security
vulnerabilities.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 830
Q: 11
You work as the network administrator at ABC.com. The ABC.com network consists of a single
Active Directory domain named ABC.com. The ABC.com network contains several servers and
several hundred client computers. All servers on the ABC.com network run Windows Server 2003.
The client computers run a mix of Windows 98, Windows NT Workstation, Windows 2000
Professional and Windows XP Professional.
How can you make sure that all client computers use Kerberos authentication when users log in to
the domain?
A. Set up the domain controllers to require IPSec.
B. By upgrading the Windows 98 and Windows NT computers to Windows 2000 Professional or
Windows XP Professional computers.
C. Apply a Group Policy Object to require Kerberos authentication.
D. By configuring the Default Domain Controllers group policy to require Kerberos authentication.
E. By configuring the Default Domain Controllers group policy to disallow NTLM authentication.
Answer: B
Explanation: By default, in a Windows 2003 domain, Windows 2000 and Windows XP clients use
Kerberos as their authentication protocol. Windows 98 and Windows NT don’t support Kerberos
authentication. Therefore, we need to upgrade the Windows 98 and Windows NT computers.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, p. 11: 39-42
Q: 12
You are working as a network administrator at ABC.com. The ABC.com network consists of a
single Active Directory domain named ABC.com. ABC.com has its headquarters in Chicago and
has branch offices all over the country. All servers on the ABC.com network run Windows Server
2003 and all client computers run Windows XP Professional.
A new ABC.com directive states that the branch offices should be able to connect to the Chicago
headquarters using VPN connections over the internet.
The Routing and Remote Access service has been enabled and configured on a Windows 2003
Server in each branch office. You are in the process of configuring four Windows 2003 servers in
the Chicago office to handle the VPN connections from the branch offices.
To enable centralized authentication and remote access policy management, you have installed
the Internet Authentication Service on a server named ABC-IAS1.
Which three of the following steps should you perform to complete the configuration?
A. You should have ABC-IAS1 configured with the remote access policies.
B. You should have the Routing and Remote Access servers in the Chicago office configured with
the remote access policies.
C. Set up the RADIUS clients located at the branch offices on ABC-IAS1.
D. Set up the RADIUS clients in the Chicago office on ABC-IAS1.
E. Set up the Routing and Remote Access servers at the branch offices to utilize RADIUS
authentication and accounting.
F. Set up the Routing and Remote Access servers in the Chicago office to utilize Windows
authentication and accounting.
G. Set up the Routing and Remote Access servers in the Chicago office to utilize RADIUS
authentication and accounting.
H. Configure the Routing and Remote Access servers at the branch offices to utilize Windows
authentication and accounting.
Answer: A,D,G
Explanation: Internet Authentication Service (IAS) is the Microsoft implementation of Remote
Authentication Dial-In User Service (RADIUS), an authentication and accounting system used by
many Internet Service Providers (ISPs). When a user connects to an ISP using a username and
password, the information is passed to a RADIUS server, which checks that the information is
correct, and then authorizes access to the ISP system.
RADIUS proxy and server support is a new feature in Windows Server 2003. You can install and
use the Microsoft Internet Authentication Service (IAS) server for both RADIUS servers and
RADIUS proxies.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 5:
28
Q: 13
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 and all client computers run Windows XP
Professional.
A domain controller named ABC-DC1 is configured as a DNS server. DC1 hosts the DNS zone for
the ABC.com internal LAN.
An external DNS server named ABC-DNS1 hosts the DNS zone for the ABC.com external website
and is configured with root hints. ABC-DNS1 is outside of the network firewall.
You need to protect the client computers by minimizing the risk of DNS-related attacks from the
Internet, without impacting on their access to Internet-based sites.
How should you configure the DNS servers and client computers?
A. DNS forwarding should be configured on ABC-DNS1 for ABC-DC1 and client computers must
be configured to use ABC-DC1.
B. The firewall should be configured to block all DNS traffic.
C. DNS forwarding should be configured on ABC-DC1 for ABC-DNS1 and client computers must
be configured to use ABC-DNS1.
D. A root zone should be added to ABC-DC1 and client computers must be configured to use
ABC-DC1.
Answer: A
Explanation: Install one server on your perimeter network, for Internet name resolution, and
another on your internal network, to host your private namespace and provide internal name
resolution services. Then configure the internal DNS server to forward all Internet name resolution
requests to the external DNS server. This way, no computers on the Internet communicate directly
with your internal DNS server, making it less vulnerable to all kinds of attacks.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004,
Chapter 4.
Q: 14
The ABC.com network consists of a single Active Directory domain named ABC.com. All
computers on the ABC.com network are members of the ABC.com domain.
You install a new server named ABC-CA1 and configure it as a Certification Authority for the
ABC.com domain.
How would you enable an Active Directory global group named CA-Admins to issue, revoke and
approve certificates without assigning more permissions than necessary?
A. Make the CA-Admins group also members of the Domain Admins group in the domain.
B. Make the CA-Admins group also members of the local Administrators group on ABC-CA1.
C. Grant the CA-Admins group Full Control permission to the Certificate Template container in
the Active Directory.
D. Make the CA-Admins group members of the Cert Publishers group in Active Directory.
E. Grant the Certificate Managers role to the CA-Admins group.
Answer: E
Explanation: To be able to issue, approve and revoke certificates, the Certificate Administrators
group needs to be assigned the role of Certificate Manager. The Certificate Manager approves
certificate enrollment and revocation requests. This is a CA role, and is sometimes referred to as
CA Officer.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
11-4 to 11-8.
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 12, p. 890
Q: 15
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 and all client computers run Windows XP
Professional. The ABC.com network contains an application server named ABC-SR20.
You had to reboot ABC-SR20 after you installed a new service on it but the logon screen was not
displayed once ABC-SR20 had rebooted. Your attempts to restore the server by using the Last
Known Good Configuration and Safe Mode startup options also fail. You restore ABC-SR20 from
backup. After later researching the problem, you discover that the service you installed was not
compatible with a driver.
How could you configure the servers to enable you to recover from this type of failure as quickly as
possible if this type of problem happens again?
A. By checking the hardware compatibility list before installing the service.
B. By installing the Recovery Console on the servers.
C. By configuring Automated System Recovery (ASR) backups.
D. By configuring the server hard disks in a RAID system.
Answer: B
Explanation:
• We know that this service causes the failure.
• We want a minimum of time and a minimum of data loss.
• We want a solution for all servers.
• We want to make sure other services that fail do not result in the same type of failure.
Recovery Console is a text-mode command interpreter that can be used without starting Windows
Server 2003. It allows you to access the hard disk and use commands to troubleshoot and
manage problems that prevent the operating system from starting properly.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder & Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 2, p. 120
Q: 16
The ABC.com network consists of a single Active Directory domain named ABC.com. All the
servers on the network run Windows Server 2003 and all the client computers run
Windows XP.
The network contains a two node server cluster for file sharing that has been created using two
Windows Server 2003 Enterprise Edition servers named ABC-SR01 and ABC-SR02. Both servers
contain a single hard disk containing the system volume. Both servers connect to a shared storage
array which hosts the shared folders.
ABC-SR01 is configured as the preferred owner of the file sharing resources. To prepare your
network for any disaster recovery, you decide to take regular backups using the Backup or
Restore Wizard.
A Full backup of the shared folders is taken every night.
A Full backup of ABC-SR01 and ABC-SR02 is taken every Saturday night.
Incremental backups of ABC-SR01 and ABC-SR02 are taken every night. System State Data
backups and Automated System Recovery (ASR) of both servers are taken every night.
During a routine monitoring check on Friday you discover that ABC-SR02 has gone offline.
How can you recover the cluster as soon as possible? Choose all that apply.
A. Evict ABC-SR02 from the cluster.
B. Restore the last full backup then restore the last incremental backup.
C. Restore the last full backup then restore the last incremental backup and the last System State
backup.
D. Perform an ASR restore on ABC-SR02.
E. Add ABC-SR02 back into the cluster.
Answer: A,D,E
Explanation: To recover ABC-SR02 and restore it to the cluster while ensuring minimum data loss
and recovery time, you need to restore ABC-SR02 by using ASR, and then add ABC-SR02 to the
server cluster. This is because ASR is used to restore a complete backup, including system files,
the registry, Active Directory and all application software. The complete backup is required
because a cluster node is a clone of the complete node. To restore the server to the cluster, you
can then add this node to the cluster. This process minimizes recovery time and data loss.
Reference: How can I create an Automated System Recovery (ASR) backup?
http://windowsitpro.com/article/articleid/37650/how-can-i-create-an-automated-system-recoveryasr-backup.html
Q: 17
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 and all client computers run Windows XP
Professional.
A server named ABC-SR12 contains two volumes named Drive D and Drive E and has been
designated to function as an application server.
The application on ABC-SR12 is a custom application that is currently used by the ABC.com Sales
Department. The application has been installed on the ABC-SR12 Drive D. You configure the
application database on Drive D, and you configure the application to store its database
transaction log files on the ABC-SR12 Drive E.
After a few days, Sales users report that the application has failed. You investigate the cause of
the failure and discover that the ABC-SR12 Drive E is almost completely filled with the
application’s transaction log files.
You back up the database and delete the log files and the application runs successfully.
You want to design a solution that keeps the application running. The log files should not be
deleted unless the database has been backed up.
What should you do to keep the application running? Choose two.
A. Enable file compression on the E: drive.
B. Have a script created that will back up the database then delete the log files.
C. Configure an alert on ABC-SR12 to run the script when there is less than 25 percent of free
space on the E-drive.
D. Configure a script to delete the log files.
E. Create a scheduled task to run the script every week.
Answer: B,C
Explanation: Set an alert on a counter with options to send an administrative message, execute
an application, or start a log when the configured threshold on the counter is
breached.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, p. 602
Q: 18
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2000 and all client computers run Windows XP
Professional.
A junior administrator has configured a DHCP server named ABC-SR21.
You received reports from the ABC.com users complaining that they are unable to access web
sites on the internet. All ABC.com users are able to connect to network resources. You need to
investigate the complaint and therefore run the ipconfig.exe /all command on one of the client
computers and received the following results:
How would you enable the client computers to access Internet web sites?
A. Have the DHCP service disabled then execute the ipconfig command with the /renew
parameter on all client computers.
B. Execute the ipconfig /release command then run the ipconfig /renew command on all client
computers.
C. Configure the DHCP scope global options to include a default gateway then execute the
ipconfig command with the /renew parameter on all client computers.
D. Execute the ipconfig command with the /registerdns parameter on all client computers.
E. Execute the ipconfig command with the /flushdns parameter on all client computers.
Answer: C
Explanation: We can see from the exhibit that the affected computer received its IP configuration
from ABC-SR21. We can also see that the IP configuration has no default gateway addresses.
Obviously, ABC-SR21 is misconfigured. We need to add the default gateway then run ipconfig
/renew on the clients to receive the new configuration.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
2:44
Q: 19
The ABC.com network consists of a single Active Directory domain named ABC.com.
You want to improve the security on the Windows Server 2003 domain controllers by configuring
enhanced password policies and audit settings.
Which security template should you apply to the domain controllers?
A. Setup security.inf.
B. Hisecws.inf.
C. DC security.inf.
D. Securews.inf.
E. Securedc.inf.
F. Compatws.inf.
G. Rootsec.inf.
Answer: E
Explanation: Securedc.inf contains policy settings that increase the security on a domain
controller to a level that remains compatible with most functions and applications. The template
includes more stringent account policies, enhanced auditing policies and security options, and
increased restrictions for anonymous users and LanManager systems.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004,
Chapter 10
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit: Upgrading Your
Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and
Implementing a Microsoft Windows Server 2003 Environment: Exams 70-292 and 70-296,
Microsoft Press, Redmond, Washington, 2004, Chapter 9
Q: 20
The ABC.com network consists of a single Active Directory domain named ABC.com. ABC.com
has its headquarters in Chicago and several branch offices at various locations throughout the
country. All servers on the ABC.com network run Windows Server 2003.
You are in the process of configuring a VPN connection between the Chicago office and a branch
office in Dallas using Windows Server 2003 computers running Routing and Remote Access
(RRAS).
An ABC.com written security policy states that the requirements below must be met:
• Data transmitted over the VPN must be encrypted with end to end encryption.
• The VPN connection authentication should be at the computer level rather than at user level and
with no credential information transmitted over the internet.
How should you configure the VPN? Choose two.
A. Use a PPTP connection.
B. Use EAP-TLS authentication.
C. Use a PPP connection.
D. Use MS-CHAP v2 authentication.
E. Use MS-CHAP authentication.
F. Use PAP authentication.
G. Use an L2TP/IPSec connection.
Answer: B,G
Explanation: For computer level authentication, we must use L2TP/IPSec connections. To
establish an IPSec security association, the VPN client and the VPN server use the Internet Key
Exchange (IKE) protocol to exchange either computer certificates or a preshared key. In either
case, the VPN client and server authenticate each other at the computer level. Computer
certificate authentication is highly recommended, as it is a much stronger authentication method.
Computer-level authentication is only done for L2TP/IPSec connections.
Reference:
Deborah Littlejohn Shinder, Dr. Thomas W. Shinder, Chad Todd and Laura Hunter, Implementing,
Managing, and Maintaining a Windows Server 2003 Network Infrastructure Guide & DVD Training
System, Syngress Publishing Inc., Rockland, 2003, pp. 591, 594-595
Q: 21
All servers on the corporate network run Windows Server 2003 and all clients run Windows XP.
You have been asked to install a new application called App1 for the network users. The
application needs two processors and 3GB RAM to run successfully.
To test App1, you assemble a server named ABC-AppSrv with 4GB RAM and two processors and
install Windows 2003 Standard Edition 32-bit on it. You install App1 on the server and install the
client component of the application on 20 client computers.
When you execute the application, you discover that the application is running very slowly on the
20 client computers. When you disconnect some of the client computers, the application runs
faster on the remaining client computers.
How can you improve the performance of App1?
A. Install the 64-bit version of Windows Server 2003 on ABC-AppSrv.
B. Use Task Manager to increase the priority of App1 on ABC-AppSrv.
C. Add more RAM to ABC-AppSrv.
D. Change the operating system on ABC-AppSrv to Windows Server 2003 Enterprise Edition.
E. Add the /3GB switch to the boot.ini file.
Answer: E
Explanation: Although Windows Server 2003 Standard Edition supports 4GB of RAM, it
reserves 2GB RAM for the operating system. This leaves only 2 GB RAM for the application.
Because of the insufficient amount of RAM, the application runs slowly.
To correct the problem you need to modify the boot.ini file by adding the /3GB switch. This
will configure the server to leave 3GB of RAM for the application and use just 1GB of RAM for the
operating system.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit: Planning, Implementing,
and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, p. 1:28
Q: 22
The ABC.com network consists of a single Active Directory domain named ABC.com.
You deploy an enterprise certification authority (CA) on a Windows Server 2003 computer named
ABC-CA1. The primary purpose of the CA is to issue company users with digital certificates to
enable them to authenticate with the new company Intranet website.
You create a new certificate template named Web Authentication. You enable the Web
Authentication certificate template on ABC-CA1 and configure the default domain group policy so
that users who log on to the domain receive a Web Authentication certificate.
The following morning users complain that they do not have certificates which can be used to
authenticate to the Intranet Web site.
How can you ensure the users are issued with a certificate?
A. By configuring ABC-CA1 to be an Enterprise Subordinate CA of a public CA such as Verisign.
B. By modifying the permissions of the Web Authentication certificate template to give the Domain
Users group the Allow – Autoenroll permission.
C. By adding your Domain Admin user account to the Cert Managers group in Active Directory.
D. By configuring the Default Domain Controllers GPO to assign the certificates to users when
they log on.
Answer: B
Explanation: For users to request certificates from an enterprise CA, they must have permission
to use the templates corresponding to the certificates they need.
Reference:
Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification
to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a
Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press,
Redmond, Washington, 2004, pp. 25-14.
Q: 23
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
are configured with Windows Server 2003 and all client computers with Windows XP Professional.
At present there are 100 servers in an organizational unit named Terminal Servers, configured to
run Terminal Services.
The Terminal Servers host in-house applications. Only ABC.com users with Power Users group
membership can run these in-house applications.
A new ABC.com security policy states that the Power Users Group must be empty on all servers.
How would you ensure that the in-house applications will be available to users on the servers
when the new security requirement is enabled? Choose two.
A. Set up a GPO and link it to the Terminal Servers OU.
B. Set up the Compatws.inf security template to allow the Local Users group to run the legacy
applications. Import the Compatws.inf template into the GPO.
C. Change the legacy application executable file permissions to allow the Local Users group Full
Control permission.
D. Place the Domain Users group on the Local Administrators group on the Terminal Servers.
E. Set up the Terminal Servers to run in Application Mode.
F. Set up the Terminal Servers to run in Remote Administration Mode.
Answer: A,B
Explanation: The default Windows 2003 security configuration gives members of the local Users
group strict security settings, while members of the local Power Users group have security settings
that are compatible with Windows NT 4.0 user assignments. This default configuration enables
certified Windows 2003 applications to run in the standard Windows environment for Users, while
still allowing applications that are not certified for Windows 2003 to run successfully under the less
secure Power Users configuration. However, if Windows 2003 users are members of the Power
Users group in order to run applications not certified for Windows 2003, this may be too insecure
for some environments. Some organizations may find it preferable to assign users, by default, only
as members of the Users group and then decrease the security privileges for the Users group to
the level where applications not certified for Windows 2003 run successfully. The compatible
template (compatws.inf) is designed for such organizations. By lowering the security levels on
specific files, folders, and registry keys that are commonly accessed by applications, the
compatible template allows most applications to run successfully under a User context. In addition,
since it is assumed that the administrator applying the compatible template does not want users to
be Power Users, all members of the Power Users group are removed.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 8:5
Q: 24
The ABC.com network consists of a single Active Directory domain named ABC.com. All client
computers on the ABC.com network run Windows XP Professional.
You use your client computer named ABC-WS294. You want to use Microsoft Baseline Security
Analyzer (MBSA) on ABC-WS294 to analyze network servers for security vulnerabilities.
Which of the following services are the minimum required to be running on the network servers for
you to scan them with MBSA? Choose all that apply.
A. Remote Registry.
B. Workstation service.
C. Server service.
D. Print Spooler service.
Answer: A,C
Explanation:
The Remote Registry and Server services should be enabled.
The following are the requirements for a computer running the tool that is scanning a remote
machine(s):
• Windows Server 2003, Windows 2000, or Windows XP
• Internet Explorer 5.01 or greater
• An XML parser (MSXML version 3.0 SP2 or later) is required in order for the tool to function
correctly. Systems not running Internet Explorer 5.01 or greater will need to download and install
an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup.
If you opt to not install the XML parser that is bundled with the tool, see the notes below on
obtaining an XML parser separately.
• The IIS Common Files are required on the computer on which the tool is installed if performing
remote scans of IIS computers.
The following services must be enabled: Workstation service and Client for Microsoft Networks.
The following are the requirements for a computer to be scanned remotely by the tool:
• Windows NT 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows XP
computers that use simple file sharing), or Windows Server 2003
• IIS 4.0, 5.0, 6.0 (required for IIS vulnerability checks)
• SQL 7.0, 2000 (required for SQL vulnerability checks)
• Microsoft Office 2000, XP (required for Office vulnerability checks)
The following services must be installed/enabled: Server service, Remote Registry service, File &
Print Sharing
Reference:
From the readme file for MBSA
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12:50-51
Q: 25
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003. The ABC.com network also contains a file
server named ABC-SR10.
An ABC.com user named Rory Allen complains that when connecting to ABC-SR10, it often takes
quite some time to respond. Other users report the same problem.
Your investigations reveal that the network interface on ABC-SR10 has a large load during times
when the server is slow to respond. You suspect that one of the network computers is causing the
problem.
How would you identify the problematic machine?
A. By examining the event logs on ABC-SR10.
B. By viewing the Local Area Connection status on ABC-SR10.
C. By using Network Monitor to inspect the network traffic on the client computers.
D. By using System Monitor to inspect the performance monitor counters on ABC-SR10.
E. By examining the event logs on the client computers.
F. By using System Monitor to inspect the performance monitor counters on the client computers.
G. By using Network Monitor to inspect the network traffic on ABC-SR10.
Answer: G
Explanation: Network Monitor Capture Utility (Netcap.exe) is a command-line Support Tool that
allows a system administrator to monitor network packets and save the information to a capture
(.cap) file. You can use information gathered by using Network Monitor Capture Utility to analyze
network use patterns and diagnose specific network problems.
This command-line tool allows a system administrator to monitor packets on a LAN and write the
information to a log file. NetCap uses the Network Monitor Driver to sniff packets on local network
segments.
Network Monitor captures network traffic information and gives detailed information about the
frames being sent and received. This tool can help you analyze complex patterns of network
traffic. Network Monitor can help you view the header information included in HTTP and FTP
requests. Generally, you need to design a capture filter, which functions like a database query and
singles out a subset of the frames being transmitted. You can also use a capture trigger that
responds to events on your network by initiating an action, such as starting an executable file. An
abbreviated version of Network Monitor is included with members of the Windows Server 2003
family. A complete version of Network Monitor is included with Microsoft Systems Management
Server.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
6: 7-12
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): implementing,
managing, and maintaining a Microsoft Windows Server 2003 network infrastructure, Microsoft
Press, Redmond, Washington, 2004, Chapter 3, and 6.
Dan Holme, and Orin Thomas, MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing
and Maintaining a Microsoft Windows Server 2003 Environment, Microsoft Press, Redmond,
Washington, 2004, Chapter 12.
Q: 26
The ABC.com network consists of a single Windows 2000 Active Directory Domain. All client
computers on the ABC.com network run Windows XP Professional.
To improve security within the network, you install Certificate Services on a Windows Server 2003
member server named ABC-CA1. You configure ABC-CA1 as the root certification authority (CA)
for the ABC.com domain.
You open Certificate Templates on ABC-CA1 and discover that you cannot configure certificate
templates for autoenrollment.
The Certificate Templates console is shown below.
How can you configure Active Directory so that it supports autoenrollment of certificates?
A. Upgrade the domain functional level to Windows 2000 Native mode.
B. Execute the dcpromo command on ABC-CA1 to upgrade it to a domain controller.
C. Execute the adprep command with the /domainprep parameter on ABC-CA1 to update the
domain schema.
D. Execute the adprep command with the /forestprep parameter on the schema operations master
in order to update the forest schema.
E. Execute the adprep command with the /forestprep parameter on ABC-CA1 in order to update
the forest schema.
Answer: D
Explanation: The autoenrollment feature has several infrastructure requirements. These include:
• Windows Server 2003 schema and Group Policy updates
• Windows 2000 or Windows Server 2003 domain controllers
• Windows XP Client
• Windows Server 2003, Enterprise Edition running as an Enterprise certificate authority (CA)
In this question, we have a Windows 2000 domain; therefore, we have Windows 2000 domain
controllers. The Enterprise CA is running on a Windows Server 2003 member server which will
work fine only if the forest schema is a Windows Server 2003 schema. We can update the forest
schema with the adprep /forestprep command.
Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/certenrl.asp?frame=true
David Watts & Will Willis, Windows Server 2003 Active Directory Infrastructure Exam Cram 2
(Exam 70-294): Que Publishing, Indianapolis, 2004, Chapter 3
Q: 27
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 Enterprise Edition and all client computers run
Windows XP Professional. ABC.com has its headquarters in Chicago and a branch office in
Dallas.
The Chicago and Dallas offices are connected by permanent leased line connection with a
hardware router at each end of the connection.
Currently all client computers in both offices receive their IP configurations from a single Windows
Server 2003 server located in the Chicago office.
You are designing a new DHCP architecture to improve the performance and reliability of the
system.
How would you ensure that DHCP services will continue to function in the event of a failure of any
single component? Choose two.
A. Set up two Windows Server 2003 computers as a DHCP server cluster in the Chicago office.
B. Install two Windows Server 2003 computers as a DHCP server cluster in the Dallas office.
C. Configure a Windows Server 2003 computer at the Dallas office as a DHCP relay agent.
D. Install a Windows Server 2003 computer as an additional DHCP server in the Dallas office.
E. Set up a Windows Server 2003 computer at the Chicago office as a DHCP relay agent.
F. Configure one DHCP server to handle 75 percent of the IP address scope and the other DHCP
server to handle 25 percent.
Answer: A,B
Explanation: The best fault tolerant solution here would be to implement a DHCP server cluster in
each office.
The Windows Server 2003 DHCP Server service is a cluster-aware application, which is an
application that can run on a cluster node and that can be managed as a cluster resource. These
applications use the Cluster API to receive status and notification information from the server
cluster.
You can implement additional DHCP (or MADCAP) server reliability by deploying a DHCP server
cluster using the Cluster service. This service is the essential software component that controls all
aspects of server cluster operation and manages the cluster database. Each node in a server
cluster runs one instance of the Cluster service provided with Windows Server 2003, Enterprise
Edition. By using clustering support for DHCP, you can implement a local method of DHCP server
failover, achieving greater fault tolerance. You can also enhance fault tolerance by combining
DHCP server clustering with a remote failover configuration, such as by using a split scope
configuration.
Another way to implement DHCP remote failover is to deploy two DHCP servers in the same
network that share a split scope configuration based on the 80/20 rule.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
7:2
Q: 28
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 and all client computers run Windows XP
Professional. The ABC.com network contains a perimeter network that contains 10 Web servers.
The Web servers are not configured as members of the ABC.com domain.
You need to apply new password restrictions, audit settings, and automatic update settings to
Web servers.
How can you configure the settings on each server and guarantee that each server has the same
settings? Choose two.
A. Create a new organizational unit (OU) and move the Web servers into the new OU.
B. Apply the custom security template to the new OU.
C. Create a custom security template that contains the required security settings.
D. Import the custom security template to each Web server.
E. Configure the required security settings manually on each Web server.
Answer: C,D
Explanation: The easiest way to deploy multiple security settings to a Windows 2003 computer is
to create a security template with all the required settings and import the settings using the
Security Configuration and Analysis tool.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:57
Q: 29
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003.
There are currently 6 printers connected to the ABC.com network. Each printer is configured as a
DHCP client. You have created IP reservations in the DHCP scope for each printer as shown
below.
You received reports from users complaining that they are unable to submit print jobs to any of the
network printers.
You discover that none of the network printers are receiving their IP configurations from the DHCP
server.
How can you make sure that the DHCP server provides the printers with their IP configurations?
A. By creating a new scope and creating new IP reservations within that scope.
B. By having the IP address exclusion range removed from the DHCP scope.
C. By configuring each printer with the IP address of the DHCP server.
D. By changing the scope options to include a default gateway.
Answer: B
Explanation: An exclusion range is a set of one or more IP addresses, included within the range
of a defined scope that you do not want to lease to DHCP clients. Exclusion ranges assure that
the server does not offer to DHCP clients on your network any addresses in these ranges.
Reference:
J. C. Mackin, and Ian McLean MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, Chapter 7.
Q: 30
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003.
ABC.com contains a Development department. ABC.com contains a domain controller named
ABC-SR24 which is also configured as a DNS Server. An ABC.com employee named Clive Wilson
works in the Development department. One morning Clive Wilson complains that he cannot
connect to another network server.
During investigation, you notice that nslookup queries sometimes take a long time and sometimes
fail altogether.
You suspect that there is a problem with ABC-SR24.
How would you configure monitoring on ABC-SR24 so that you can review individual name
resolution queries?
A. Use System Monitor to monitor host resolution queries on ABC-SR24.
B. Use Event Viewer to view the DNS event log on ABC-SR24.
C. Select the Log packets for debugging option on the Debug Logging tab in the DNS server
properties on ABC-SR24.
D. Use Network Monitor to capture DNS query packets on ABC-SR24.
Answer: C
Explanation: If you need to analyze and monitor the DNS server performance in greater detail,
you can use the optional debug tool. You can choose to log packets based on the following:
• Their direction, either outbound or inbound
• The transport protocol, either TCP or UDP
• Their contents: queries/transfers, updates, or notifications
• Their type, either requests or responses
• Their IP address
Finally, you can choose to include detailed information.
Note: This is the only thing that’s going to let you see details about packets.
Reference:
J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing,
Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft
Press, Redmond, Washington, 2004, Chapter 5
Q: 31
All the servers on the network run Windows Server 2003 and all the client computers run
Windows XP.
The network contains three domain controllers named ABC-DC1, ABC-DC2 and ABC-DC3. The
System State Data of each domain controller is backed up on a nightly basis.
Recently an organizational unit (OU) has been mistakenly deleted from the AD.
What is the quickest way to restore the deleted OU?
A. Reboot the domain controller in Safe Mode then use Windows Backup.
B. Reboot the domain controller in Directory Services Restore Mode then perform an authoritative
restore of the subtree where the OU was deleted using the Ntdsutil utility.
C. Reboot the domain controller in Directory Services Restore Mode then perform a nonauthoritative
restore of the subtree where the OU was deleted using the Ntdsutil utility.
D. Reboot the domain controller using the Last Known Good Configuration.
E. Use Active Directory Sites and Services to force replication from another domain controller.
Answer: B
Explanation: To restore a deleted OU, you need to first restart a domain controller in Directory
Services Restore Mode. Restarting in Directory Services Restore Mode takes the domain
controller offline. In this mode, the server is not functioning as a domain controller.
You need to then use the Ntdsutil utility to perform an authoritative restore operation of the
appropriate subtree. NTDSUTIL is used to tell Active Directory not to over-write the OU that you
wish to recover.
If an OU is deleted from your Windows Server 2003 Active Directory, you cannot use a
normal restore because it will not work under these circumstances. What will happen is that other
Windows 2003 domain controllers will have a later Update System Number and overwrite the
restore, and delete the OU, so you are back where you started. What you need in this situation is
the Directory Restore option from the F8 menu.
To prepare for a Directory Service Restore, first complete a normal restore and take the Windows
Server 2003 offline. Then reboot, select the special Directory Service Restore mode at the F8
menu. Next run NTDSUTIL to tell Active Directory not to over-write the OU that you wish to
recover.
Reference: Introduction to Boot Options for Windows Server 2003 / 4. Directory Services Restore - NTDSUTIL
http://www.computerperformance.co.uk/w2k3/disaster_recovery_boot.htm#Directory_Services_Restore_-_NTDSUTIL
Q: 32
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 and all client computers run Windows XP
Professional.
ABC.com contains a file server named ABC-SR24. ABC-SR24 hosts the home folders for all
ABC.com users.
After about a month, the ABC.com users complained about the unacceptably long time
their home folders take to open at certain times during the day.
You need to determine the reason for the poor performance. You verify that the processor and
memory usage is low. You suspect the hard disk may be the cause of the bottleneck.
How would you verify that the hard disk is the problem?
A. Use System Monitor to view the LogicalDisk and PhysicalDisk counters during a period of poor
performance.
B. Use Task Manager to view the page faults counter.
C. Configure Auditing on the home folders.
D. Use Network Monitor to view the amount of network traffic to and from the server.
Answer: A
Explanation: We can monitor hardware resources by using a System Monitor counter log. The
PhysicalDisk\Avg. Disk Queue Length counter is a good indicator of a disk performance problem. The
Windows Performance tool is composed of two parts: System Monitor and Performance Logs and
Alerts. With System Monitor, you can collect and view real-time data about memory, disk,
processor, network, and other activity in graph, histogram, or report form. The output from the
counter log will show us which hardware resource is unable to cope with the load and needs to be
upgraded or replaced.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp.
6: 25-28
Q: 33
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003.
ABC.com has its headquarters in Chicago and two branch offices in Dallas and Miami. The branch
offices are connected to the headquarters by means of T1 WAN links. The network at each office
is configured as a separate Active Directory site as shown below.
ABC.com users in all three sites require access to a file server named ABC-SR10 that is located in
the Chicago site.
Users in the Miami and Dallas offices are complaining about the unacceptable file server
performance during peak working hours. You want to design a solution that provides fault
tolerance for the file server and minimizes traffic over the WAN links during office hours.
Which solution would you recommend?
A. Implement a Distributed File System (DFS) with the DFS root in the Chicago office and DFS
replicas in the Dallas and Miami offices. Configure replication to occur during off-peak hours.
B. Install Windows Server 2003 file servers in the Dallas and Miami offices. Use the File
Replication Service to replicate the folders during off-peak hours.
C. Implement a two-node file server cluster in the Chicago office using Microsoft Cluster Services.
D. Implement a two-node file server cluster in each office using Microsoft Cluster Services.
Answer: A
Explanation: A DFS root is effectively a folder containing links to shared files. A domain DFS root
is stored in Active Directory. This means that users don’t need to know which physical server is
hosting the shared files. All they do is open a folder in Active Directory and view a list of shared
folders.
A DFS replica is another server hosting the same shared files. We can configure replication
between the file servers to replicate the shared files out of business hours. The users in each
office will access the files from a DFS replica in the user’s office, rather than accessing the files
over a WAN link.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 12: 15
Q: 34
The company consists of an Active Directory domain called ABC.com. All servers on the corporate
network run Windows Server 2003.
The network contains a server that runs Internet Authentication Service (IAS) called ABC-SR01.
ABC-SR01 also runs the Routing and Remote Access service to provide VPN access to the
network for external users. During routine monitoring you discover that an external unauthorized
user is trying to access the network through ABC-SR01.
How would you set up ABC-SR01 to log the IP addresses of the remote computers when they
attempt to connect to the network using the VPN connection?
A. Log the details of the access attempts by the VPN users by using IAS to configure the
Authentication requests option enabled in the Remote Access Logging.
B. Log the details of the access attempts by the VPN users by configuring the Routing and
Remote Access service to log all IPSec connections.
C. Log the details of the access attempts by the VPN users by enabling auditing of TCP/IP.sys.
D. Log the details of the access attempts by the VPN users by enabling auditing of all Account
Logon events on a domain controller.
Answer: A
Explanation: Internet Authentication Service for Windows Server allows you to configure Remote
access logging, which consists of the types of events to be logged, the log file format, and log file
settings. Remote access logging in the Internet Authentication Service administrative tool is used
to configure log file settings. To access the properties for local logging, click Remote Access
Logging, right-click Local File, and then click Properties.
You can enable or disable the logging of authentication requests in the IAS log file to log the
details of access attempts by VPN users. This setting is not enabled by default.
Reference: IAS Configuration/ Remote Access Logging
http://technet.microsoft.com/en-us/library/bb742384.aspx
Q: 35
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 and all client computers run Windows XP
Professional. The domain consists of two IP subnets named ABCA and ABCB. A server named
ABC-SR20 has Routing and Remote Access enabled and currently connects ABCA and ABCB.
Each subnet has a DHCP server which is used to assign IP configurations to client computers on the
local subnet. All servers have static IP configurations.
The network layout is shown below:
You are preparing the provision of Internet connectivity by means of implementing a Microsoft
Internet Security and Acceleration (ISA) Server 2000 array on the network. The array’s internal IP
address is 172.35.60.1.
You configure ABC-SR10 to provide the 172.35.60.1 as the default gateway. ABC-SR11 provides
the IP address 172.28.60.1 as the default gateway for ABCB client computers. ABCB client
computers can access servers on ABCA successfully.
You received complaints from the ABCB users about an inability to access Internet-based
resources.
How can you ensure that the ABCB users can access the internet?
A. By configuring ABC-SR11 in order to provide the address 172.35.60.1 as the default gateway.
B. By moving the ISA server array to ABCB.
C. By configuring 172.68.124.31 as the default gateway for ABC-SR20.
D. By adding a default route to 172.35.60.1 on ABC-SR20.
E. By configuring ABC-SR11 to provide 172.35.60.1 as a default route to the client computers.
Answer: D
Explanation: The routing and remote access server knows how to route traffic between SubnetA
and SubnetB. However, it doesn’t know how to route traffic to the internet. We can fix this by
adding a default route on ABC-SR20. The default route will tell ABC-SR20 that any traffic that isn’t
destined for SubnetA or SubnetB (i.e. any external destination) should be forwarded to the internal
interface of the ISA server (172.35.60.1).
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.
15:30
Q: 36
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 and all client computers run Windows XP
Professional.
All client computers are located in an organizational unit named ABC-Clients. All servers are
located in an organizational unit named ABC-Servers.
Several servers host sensitive data. A new ABC security policy states that communications with
those servers should be encrypted whereas communications with other servers should remain
unencrypted.
The Default Domain group policy has the default Client (Respond only) IPSec policy enabled. A
GPO with a custom IPSec policy is applied to the ABC-Servers OU.
While monitoring network connections, you find that no encryption is applied to network
communications.
How would you examine the policies that are being applied to the servers that contain sensitive
data?
A. Use an RSoP logging mode query and specify the name of a server that contains sensitive
data.
B. Examine the System Event Logs using Event Viewer to see which GPOs have been applied.
C. Examine the properties of the ABC-Servers OU in Active Directory Users and Computers.
D. Use Network Monitor to capture the data packets on the network card of a server containing
sensitive data.
Answer: A
Explanation: You can use RSoP to view all the effective group policy settings for a computer or
user, including the IPSec policies. To use RSoP, you must first load the snap-in into an MMC
console, and then perform a query on a specific computer (select Generate RSoP Data from the
Action menu), specifying the information you want to gather. The result is a display of the group
policy settings that the selected computer is using.
You can run an RSoP logging mode query to view all of the IPSec policies that are assigned to an
IPSec client. The query results display the precedence of each IPSec policy assignment, so that
you can quickly determine which IPSec policies are assigned but are not being applied and which
IPSec policy is being applied.
When you run a logging mode query, RSoP retrieves policy information from the WMI repository
on the target computer, and then displays this information in the RSoP console. In this way, RSoP
provides a view of the policy settings that are being applied to a computer at a given time.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, Chapter 12
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 10, pp. 768
Q: 37
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003.
ABC.com contains a member server named ABC-SR24. ABC-SR24 is configured as a File and
Print server and hosts shared folders for all ABC.com users.
One morning an ABC.com user named Dean Austin complains that ABC-SR24 responds poorly at
various times throughout the day. You suspect that the poor performance is caused by broadcast
traffic on the ABC.com network.
What would be the best way to monitor ABC-SR24 while minimizing administrative effort?
A. Use System Monitor to monitor the Datagrams/sec counter in the UDPv4 object.
B. Double click on the Local Area Connection and view the status of the network connection.
C. Open Task Manager and monitor the Networking tab.
D. Configure an alert in Performance Monitor to send you an alert when the Datagrams/sec
counter in the UDPv4 object is high.
Answer: D
Explanation: Performance Logs And Alerts is an MMC snap-in that uses System Monitor’s
performance counters to capture information to log files over a long period of time. Although the
Performance console works well when systems are actively performing poorly, when you can’t
wait around, you can set up triggers using the Performance console to catch bad systems in
action.
UDPv4 is one of the performance objects that provide network traffic monitoring capabilities. It
monitors the number of User Datagram Protocol (UDP) packets the computer transmits and
receives. Service applications, such as the Domain Name System (DNS) and the Dynamic Host
Configuration Protocol (DHCP), typically use UDP for client–server communications.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 6:
6
Q: 38
All servers on the ABC.com network run Windows Server 2003 and all client computers run
Windows XP Professional. The Active Directory forest operates at Windows Server 2003 level.
ABC.com has a head office in Chicago and several branch offices. Each office contains a domain
controller and is configured as an Active Directory Site. Every domain controller also serves as a
DNS server. The branch offices access the resources in the Chicago office via a 128-Kbps WAN
connection.
You received a report from branch office users that they cannot access the Chicago office
resources during peak business hours.
How can you solve the logon issues while ensuring Active Directory replication traffic across the
WAN links is kept to a minimum?
A. Configure Conditional Forwarding on the branch office DNS servers.
B. Install an additional domain controller in each branch office.
C. Configure the SRV records in the DNS zone on each domain controller to point to the local
domain controller.
D. Configure universal group membership caching for each branch office.
E. Configure the branch office domain controllers as Global Catalog servers.
Answer: D
Explanation: When a user logs on to the network, the global catalog provides universal group
membership information for the account to the domain controller processing the user logon
information. If a global catalog is not available when a user initiates a network logon process, the
user is able to log on only to the local computer unless the site has been specifically configured to
cache universal group membership lookups when processing user logon attempts. In this scenario
the domain controller must contact the global catalog server across a WAN link that is saturated.
Enabling universal group membership caching will overcome this problem.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 1-17 to 1-18, 5-41 to 5-43
Q: 39
The ABC.com network consists of a single Active Directory domain named ABC.com. All the
servers on the network run Windows Server 2003 servers and all the client computers run
Windows XP.
A two-node network load balancing (NLB) cluster hosts a highly available intranet application. The
intranet application uses HTTP and HTTPS.
During the course of the day you receive an instruction from the CIO to reduce the cluster's
vulnerability to attack by filtering the IP ports of the Network Load Balancing cluster.
What is the easiest way to filter the IP ports of the NLB cluster?
A. Enable Windows Firewall on each server. Configure Windows Firewall to allow only HTTP and
HTTPS traffic.
B. Enable TCP/IP filtering in the Advanced TCP/IP properties on every server. Configure TCP
ports 80 and 443 as allowed ports.
C. Configure port rules on the cluster to only permit ports 80 and 443 on the cluster IP address.
D. Configure port rules on the cluster to only permit port 80 on the cluster IP address.
Answer: C
Explanation: To implement filtering on the cluster using the minimum amount of administrative
effort so that only the intranet application ports are available on the cluster, you need to use
Network Load Balancing Manager to configure port rules and then allow only the intranet
application ports on the cluster IP address.
Through configuring port rules, you can specify how client requests are processed by the servers
in the NLB cluster. A port rule basically acts as a filter on a specific port(s). You can specify a protocol
parameter and a filtering mode to configure the manner in which traffic must be load balanced
between servers in the NLB cluster. A port range can be configured to define the port or set of
ports that a port rule is applicable for. Two port ranges that overlap are not allowed.
Incorrect Answers
A: Windows Firewall cannot be used on the cluster. It can only be used on a server with ICS
enabled.
B: Using TCP/IP filtering on each server will not allow you to implement filtering on the cluster.
D: This answer is close but we need port 443 as well for HTTPS traffic.
Reference: Understanding Port Rules
http://www.tech-faq.com/network-load-balancing.shtml
Q: 40
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003.
The ABC.com domain contains two Active Directory sites named ABC-Site1 and ABC-Site2.
ABC-Site1 contains a domain controller named ABC-DC1. ABC-Site2 contains a domain controller
named ABC-DC2. Each domain controller is configured as a DNS server and hosts the ABC.com
Active Directory Integrated Zone.
Users in ABC-Site2 report that they are unable to log on to the domain.
On a client computer in ABC-Site2, you run the “nslookup ABC-DC2” command. The command
returns the IP address of ABC-DC2.
You open Active Directory Users and Computers on the client computer but you are unable to
connect to ABC-DC2.
How can you resolve this problem?
A. Run the ipconfig /registerdns command on ABC-DC2.
B. Configure a secondary zone on ABC-DC2 for the ABC.com domain and force replication from
ABC-DC1.
C. Use Active Directory Sites and Services to force Active Directory replication.
D. Use the Services console to restart the Net Logon service on ABC-DC2.
Answer: D
Explanation: The nslookup command returned the correct IP address of ABC-DC2. This means
that the A records are present in DNS. The problem in this question is that the SRV records are
missing. We need to restore the SRV records in DNS.
The Net Logon service on a domain controller registers the DNS resource records required for the
domain controller to be located in the network every 24 hours. To initiate the registration
performed by Net Logon service manually, you can restart the Net Logon service.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4:
12
Q: 41
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003. Your instruction is to set up a child domain
named us.ABC.com.
You install Windows Server 2003 on a new standalone server named ABC-DC03 and manually
assign an IP address. You attempt to run dcpromo to promote ABC-DC03 to a domain controller.
You select the new domain in an existing forest option. The wizard prompts you for the network
credentials to join the us.ABC.com to the ABC.com forest. You then receive an error message
indicating that a domain controller in the ABC.com domain cannot be found.
How can you ensure that ABC-DC03 can be promoted to a domain controller in the us.ABC.com
domain?
A. By installing the DNS Server service on ABC-DC03.
B. By creating a host (A) record for ABC-DC03 on a DNS server in the ABC.com domain.
C. By first joining ABC-DC03 to a workgroup named us.ABC.com.
D. By having the ABC-DC03 client DNS settings configured to use a DNS server in the ABC.com
domain.
E. By creating a delegation on an ABC.com DNS server to delegate the us.ABC.com zone to ABC-DC03.
Answer: D
Explanation: This is typically the effect of a DNS problem because the client (in this case a
member server) cannot locate the SRV records of a domain. The process needs to contact the
DNS server that is authoritative for the parent domain that you want to make a child domain in.
First, in the Active Directory installation wizard, you specify the DNS name of the Active Directory
domain for which you are promoting the server to become a domain controller. Later in the
installation process, the wizard tests for the following: Based on its TCP/IP client configuration, it
checks to see whether a preferred DNS server is configured. If a preferred DNS server is
available, it queries to find the primary authoritative server for the DNS domain you specified
earlier in the wizard.
It then tests to see whether the authoritative primary server can support and accept dynamic
updates as described in the DNS dynamic update protocol. If, at this point in the process, a
supporting DNS server cannot be located to accept updates for the specified DNS domain name
you are using with Active Directory, you are provided with the option to install the DNS Server
service.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4:
6
Q: 42
The ABC.com network consists of a single Active Directory domain named ABC.com. All the
servers on the network run Windows Server 2003 servers.
The network contains a file server named ABC-SR24. ABC-SR24 hosts shared folders for users in
the Sales department.
All shared folders are backed up using a Normal backup on a weekly basis over the weekend. An
incremental backup of the shared folders is taken every night.
A Copy backup of the shared folders is taken every Thursday night after the incremental backup.
On Friday morning, the Sales manager reports that he has accidentally deleted an important file.
He asks you to restore the file as quickly as possible. He doesn’t know when the file was last
modified.
From which backup tape or tapes should you restore the file?
A. The last normal backup and the last incremental backup.
B. The last normal backup and the incremental backups from Monday, Tuesday, Wednesday and
Thursday.
C. The last incremental backup.
D. The last normal backup.
E. The last Copy backup.
Answer: E
Explanation: A copy backup backs up every file. Since a copy backup was taken the night before
you were asked to restore the file, restoring from the copy backup would be the quickest option.
Q: 43
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003 and all client computers run Windows XP
Professional.
A file server named ABC-SR24 hosts shared folders for users in the Sales department. The
shared folders are on the D: drive of ABC-SR24. The D: drive is a 500GB volume with 100GB
used space. The D: drive of ABC-SR24 is backed up to a tape drive every night using a Full
Backup.
Users complain that it takes a long time to restore backed up files.
You want to design a backup system that improves restore times. If possible, a system that allows
users to restore their own files would be ideal.
How would you design the backup system?
A. Incremental backups should be configured on ABC-SR24.
B. The Volume Shadow Service (Shadow Copies) must be enabled on ABC-SR24 and the
Previous Versions client software should be installed on the Sales computers.
C. The Disable volume shadow copy option in the backup job properties should be deselected.
D. All Sales users should get the Backup Operators group membership on ABC-SR24.
Answer: B
Explanation: The question states drive D: has plenty of available disk space; enough space left
over to hold shadow copies of the files. The client computers will need the previous versions client
software to access the previous versions of the files.
The client software for Shadow Copies of Shared Folders is installed on the server in the
\\%systemroot%\system32\clients\twclient directory.
You can distribute the client software in a variety of ways; consider the various options before
deployment.
There are several tools included in the Windows Server 2003 family, such as Group Policy, that
can make deploying and maintaining the clients’ software easier.
• If you accidentally delete a file, you can open a previous version and copy it to a safe location.
• Recover from accidentally overwriting a file. If you accidentally overwrite a file, you can recover a
previous version of the file.
• Compare versions of a file while working. You can use previous versions when you want to check
what has changed between two versions of a file.
Reference:
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 8, p. 602
Q: 44
The ABC.com network consists of a single Active Directory domain named ABC.com. All servers
on the ABC.com network run Windows Server 2003.
ABC.com has a main office in Chicago and a branch office in Miami. The two offices are
configured as Active Directory sites and are connected by a 56Kbps WAN link which is available
only during office hours.
The Miami site contains a domain controller named ABC-DC02.
An ABC.com user named Andy Reid works in the Miami office. One morning Andy Reid complains
that the response times on the WAN link are slow. You then investigate the problem and discover
that the problem is due to Active Directory replication activity.
How can you reduce the traffic going over the WAN connection?
A. By moving the computer object for ABC-DC02 to the Active Directory site for the Chicago office.
B. By configuring ABC-DC02 as a DNS server.
C. By having the replication interval decreased on the site link between the two sites.
D. By having the replication interval increased on the site link between the two sites.
E. By removing the Global Catalog from ABC-DC02 and enabling universal group membership in
the Miami office.
Answer: D
Explanation: The branch office contains a domain controller from the ABC.com domain.
Replication between this domain controller and a domain controller at the main office is using up
the bandwidth of the 56Kbps link between the two sites. We can reduce the WAN link usage by
increasing the replication interval, therefore ensuring that replication across the WAN link occurs
less frequently.
Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 4:
36
Q: 45
You are the server administrator for SRV05 which is a Windows Server 2003 Standard Edition file
server in your domain. Your backup strategy utilizes one full backup and then daily differential
backups. SRV05 has eight 72GB SCSI3 10,000RPM drives in an external drive array for data and
are set up using hardware RAID 5. SRV05 also has two additional 72GB SCSI3 10,000RPM
drives internal to the system and they are configured in a RAID 1 arrangement. This volume holds
the system and boot partitions for the server's operating systems and a small amount of local
application data.
The full backup is performed each Saturday at 9:00PM EST. The full backup takes 2 hours. The
daily differential backups are performed each day at 9:00PM, Monday through Friday. There is no
full backup nor differential backup performed on Sunday. The amount of time needed for the
differential backups varies but it is never less than 20 minutes and the maximum time never
exceeds 75 minutes.
DNS07 has a hard disk failure in the external array at approximately 6:00PM on a Saturday. At
7:20PM a second drive in the external array also fails. What needs to be done to bring the server
back to working order so that users can access the data on the server?
Select the best answer.
A. The failed drives need to be replaced and the data needs to be restored from the full backup.
B. The failed drives need to be replaced and the data needs to be restored from the full backup
and all of the differential backups.
C. The failed drives need to be replaced. Nothing additional needs to be done because the RAID
configuration allows the system to continue to run.
D. The failed drives need to be replaced and the data needs to be restored from the full backup
and the last differential backup.
Answer: D
Q: 46
You are a desktop administrator for ABC.com. Your organization is made up of three sites, two of
which are remote offices and one is the company headquarters. The two remote locations are
made up of four subnetworks each, interconnected internally by layer 2 switches and connected to
one another and headquarters by routers. The main company headquarters consists of eight
subnets interconnected internally by layer 3 switches.
The client systems on your network are running a number of operating systems including Windows
98, 2000, XP, and Server 2003. There are two WINS servers and two DNS servers local to each
subnet, and the clients are always configured to use those servers for name resolution only.
Recently, new server hardware was installed for SRV007 to replace a legacy system, and there
have been reported issues with incoming connectivity to the server. The server itself seems to be
able to initiate connections to systems fine. You attempt to PING SRV007.ABC.com, and you
receive the following error:
Pinging SRV007.ABC.com [149.88.72.19] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for PING SRV007.ABC.com:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
You then log in to SRV007.ABC.com, run ipconfig, and review the output:
Ethernet adapter Wireless Connection:
Connection-specific DNS Suffix .ABC.com
IP Address . . . . . . . . . . . . : 149.88.72.91
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 149.88.72.1
What are the most likely reasons that this system cannot be connected to, but the system itself
can make outbound initiating connections? Each answer presents a possible solution. Select the
two best answers.
A. The server's IP address is not assigned correctly.
B. The default gateway is incorrect.
C. The IP address entry for the DNS server is incorrect.
D. The subnet mask is invalid for this subnet
E. Routing for the network is inconsistent or beginning to fail.
Answer: A,C
Q: 47
You work as a Network Administrator for Net World Inc. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. All client computers in the network run Windows XP Professional.
You have configured a test environment for your experimental works. You install Windows Server
2003 Web Edition on a server and connect it to a domain named Test. You install a laser printer
on the server. You download the latest device drivers from the printer's manufacturer site and
install them for the printer. You successfully test the printer. However, when you try to share the
printer, you are unable to do so. What is the most likely cause of the issue?
A. The Web Edition version of Windows Server 2003 does not support printer and fax sharing.
B. The server is not a part of the LAN.
C. The printer drivers are faulty.
D. The printer cable is faulty.
Answer: A
Q: 48
You work as a Network Administrator for ABC.com. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company's headquarters is located at Los Angeles. The company has three
branch offices located at San Jose, Oakland, and San Francisco. The company's network is
shown in the image below:
All the offices are connected to each other by using 56Kbps demand-dial connections. The branch
offices and the headquarters are required to communicate with each other on a regular basis. As
you are using demand-dial connections, you do not want the routing updates to be broadcast
throughout the network. However, for reliable communications, any changes to the network should
be sent to the routers configured on the network. Every router in the network is a server running
Windows Server 2003. Which of the following protocols will you use on the routers?
A. RIP 1
B. CHAP
C. RIP 2
D. OSPF
Answer: C
Q: 49
You work as a Network Administrator for Venus ABC.com. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. The company wants to expand its network. The clients on the network require
Internet connectivity through the router. You plan to install NAT for this purpose. The network plan
of the company is shown in the image below:
As the number of clients is quite high, a Class A private network range is required. Which of the
following is the correct Class A network address range that is set aside for private use and barred
from routing over the network?
A. 10.0.0.0 to 10.255.255.255
B. 172.16.0.0 to 172.31.255.255
C. 192.168.0.0 to 192.168.255.255
D. 111.0.0.0 to 111.255.255.255
Answer: A
Q: 50
Mark works as a Network Administrator for ABC.com. The company has its headquarters at New
York and a branch office at Miami. The headquarters has a Windows 2003 domain-based network
named Nettech.com. The network has three Windows 2003 member servers and 120 Windows
XP Professional client computers. One of the member servers named DNSServ is working as a
DNS server.
The branch office in Miami also has a Windows 2003 domain-based network named
Nettech1.com.
One Windows 2003 member server named DNSServ1 is working as a primary DNS server in
Nettech1.com. DNSServ is a secondary zone server for Nettech1.com. Mark wants to monitor the
notification traffic between these two domains and keep a record of when the primary DNS server
for Nettech1.com informs DNSServ if there are available changes in the Nettech1.com zone. What
will he do to accomplish this?
A. Execute the REPLMON command on DNSServ.
B. Enable debug logging on DNSServ by selecting the Log packets for debugging check box and
select the Notification check box.
C. Configure auditing on DNSServ.
D. Enable debug logging on DNSServ by selecting the Log packets for debugging check box.
Answer: B
Q: 51
Mark works as a Network Administrator for ABC.com. The company has a Windows 2003 single
domain-based Active Directory network. The network has five Windows 2003 member servers and
200 Windows XP Professional client computers. One of the member servers named VPNS is
configured as a VPN server. The VPNS internal interface is on a 192.168.0.1/24 private network.
The VPN server's IP address is 192.168.0.25 with a subnet mask 255.255.255.0.
Mark installs a new Windows 2003 server named FSERVER with default settings. FSERVER is
configured as a file server. The file server's IP address is 192.168.0.28 with a subnet mask
255.255.255.0. The VPN users on the network complain that they are unable to access files stored
on FSERVER. Mark checks that the file and folder permissions on FSERVER are correctly
assigned. Mark is also able to ping FSERVER by using the IP address from VPNS. However, he is
unable to ping VPNS from FSERVER. What is the most likely cause of the issue?
A. The Packet filter is configured on VPNS.
B. A faulty network interface card is installed on VPNS.
C. A faulty network interface card is installed on FSERVER.
D. FSERVER is configured with an incorrect subnet mask.
E. The Packet filter is configured on FSERVER.
Answer: A
Q: 52
You work as a Network Administrator for ABC.com. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. An application named Accounts is installed on the network. The Accounts application
uses a shared folder named AccFolder to keep all its data. The AccFolder folder is placed on a file
server named uCFileServer. All users in the network use the application to update the accounts
information of various clients of the company. The application opens various data files to work
upon.
You are required to accomplish the following tasks:
· All files in the AccFolder folder should be backed up automatically twice daily.
· The backup process should take a backup of all the open files in the folder.
In order to accomplish the tasks, you take the following steps:
· Configure the Backup and Restore Wizard to take a backup of AccFolder.
· Unselect the Disable volume shadow copy check box in the Backup and Restore Wizard.
· Set the schedule of the Backup and Restore Wizard to take a backup every 12 hours through the
Advanced Schedule Options.
What will happen after taking the required steps?
A. The backup process will take a backup of all the open files in the folder.
B. Both tasks will be accomplished.
C. All the files in the AccFolder folder will be backed up automatically twice daily.
D. None of the tasks will be accomplished.
Answer: B
Q: 53
You work as a Network Administrator for ABC.com. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. An intranet-based Web site is required to be installed on the network. Two servers
are available for installing the application. You are required to accomplish the following tasks:
· The Web site should be available all the time for the clients.
· Both servers should be capable of fulfilling the clients' requests at a time.
You take the following steps:
· Create a two-node server cluster.
· Configure one server as an active server and the other as a passive server.
Which of the required tasks will be accomplished by taking these steps?
A. Both servers will be capable of fulfilling the clients' requests at a time.
B. None of the tasks will be accomplished.
C. The Web site will be available all the time for the clients.
D. Both tasks will be accomplished.
Answer: C
Q: 54
You work as a Network Administrator for ABC.com. The company has a Windows Active
Directory-based single domain single forest network. The functional level of the forest is Windows
Server 2003. All client computers in the network run Windows XP Professional. You have been
assigned the task to provide a plan for keeping the operating systems up-to-date with the latest
critical security patches and operating system fixes. The written policy of the company dictates the
following points:
· All critical updates must be tested before deploying them to the computers on the network.
· All computers must be up-to-date with the latest fixes and security patches from Microsoft as
soon as possible.
You provide the following plan to accomplish the task:
· Configure two servers to run Software Update Services (SUS) and name them TestServer and
FinalServer.
· Designate five computers on the network to test updates. Configure an Automatic Updates policy
for these computers to point to TestServer to download updates.
· For the rest of the computers, configure another Automatic Updates policy to point to FinalServer
to download updates.
· Configure FinalServer to point to TestServer to download updates.
· On TestServer, set up a synchronization schedule to check the Windows Update server for
updates every day at 5:30 pm.
· At 5:45 pm, deploy the updates from TestServer onto the test computers.
· Approve the updates on TestServer after the successful deployment of the updates.
· Schedule FinalServer to query for the updates daily at 7:30 pm.
· Configure all computers, except the test computers, to synchronize automatically with the
FinalServer daily at 8:30 am.
What will this plan accomplish?
A. All critical updates will be tested before deploying them to the computers on the network.
B. All computers will be up-to-date with the latest fixes and security patches from Microsoft as
soon as possible.
C. Both tasks will be accomplished.
D. None of the tasks will be accomplished.
Answer: C
Q: 55
You are the network administrator for your company's single Active Directory domain. All network
servers run Windows Server 2003. All client computers run Windows XP Professional.
You are responsible for backing up and restoring all data on 10 file servers. Each file server has
two hard disks: Disk0 and Disk1. The system volume is contained on Disk0. User files and data
are stored on Disk1.
You must define a plan that allows each server to be completely restored in the event that you
have problems with a file, driver, or service. This plan must include what you should do after you
have tried and failed at using the Last Known Good Configuration and Safe Mode. Your plan
should include recovery using the least amount of administrative effort and with minimal data loss.
This plan must apply to all servers for preventive measures.
Which action should you include in your plan?
A. For each server, create an Automatic System Recovery (ASR) backup set and an ASR floppy
disk.
B. For each server, install the Recovery Console as a startup option, using the Windows Server
2003 Setup CD and h:\i386\winnt32.exe /cmdcons.
C. For each server, create a backup using the Windows Server 2003 Backup Wizard and
choosing the Back Up Selected File, Drives, or Network Data.
D. Run the Recovery Console from your Windows Server 2003 Setup CD, choose the Repair or
Recover option by pressing R, and press C to start the Recovery Console.
Answer: B
Q: 56
You administer your company's network. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. The network contains a two-node server cluster.
The company's security expert informs you that the password on the domain user account that is
used for the Cluster service has been compromised and must be changed immediately. Your
actions should cause minimal or no disruption of the services provided by the cluster because the
cluster is running a mission-critical application.
Which of the following should you do?
A. Use Active Directory Users and Computers to reset the password.
B. Use the Services console to change the password on any one of the cluster nodes.
C. Use the Cluster command with the appropriate options.
D. Use the dsmod user command with the appropriate options.
E. Use the dsmod computer command with the appropriate options.
Answer: C
Q: 57
You are the network administrator for your company. The network consists of a single Active
Directory domain. Your network contains a DMZ. It also contains a DNS server named DNSExt,
three Web servers, and an e-mail server. These servers all run the Windows Server 2003
operating system.
The internal network contains one DNS server, which contains an Active Directory-Integrated
zone. The internal network also contains four domain controllers, five file and print servers, and a
WINS server. All servers on the internal network run the Windows Server 2003 operating system.
Five subnets exist on the internal network, each containing either a DHCP server or a DHCP
Relay Agent.
The network includes 4,000 client computers. These computers run either the Windows 2000
Professional operating system or the Windows XP Professional operating system. All clients
receive their IP addressing through the DHCP server, including their DNS and WINS addressing.
For better performance, you add a DNS server named DNS2 to Subnet5. You configure the DHCP
server, DNS server, and firewall to allow for the new DNS server. This server should be configured
to allow for DNS resolution for internal resources. The external DNS server should resolve all host
names for Internet access.
You configured a forward lookup zone for the internal network on DNS2. What else should you
do?
A. On DNS2, select the Use WINS forward lookup option.
B. Configure DNS2 to forward unresolved host names to DNSExt.
C. Configure DNSExt to be the primary DNS server in the DHCP scope options.
D. Configure the new DNS server as a forwarding-only server. Select the Do Not Use Recursion
for the Domain option.
E. Configure the new DNS server as a conditional forwarding DNS server. Type the domain name
in the forwarding server box.
Answer: B
Q: 58
You are the network administrator for ABC.com. The network consists of a single Active Directory
domain named thorntonlibraries.com. Each server on the network runs Windows Server 2003.
Certificate Services is deployed to support the company's PKI infrastructure. The functional level
of the domain is Windows Server 2003. Each client computer runs the Windows XP Professional
operating system.
All desktop computers used by library employees are in locations that are accessible to library
visitors. The network also contains five kiosks that are used by library partners and visitors. Library
partners access shared files on the local network and can also access the Internet from the kiosks.
Library visitors use the kiosks only to perform searches and are not allowed the same level of
network access as the library partners. All library partners have been assigned domain user
accounts to provide specialized network access.
The library is implementing a new security policy to protect the library network. These goals must
be met:
Each employee must authenticate to their desktop computer using a smart card.
Each partner must authenticate to the kiosk computers using a smart card.
When an employee removes his smart card from his desktop computer, he must be allowed to
maintain a protected session.
When a partner removes their smart card from a kiosk, the user account is automatically logged
off.
You perform these actions:
Configure all employee and partner user accounts to require smart card authentication.
Create an organizational unit (OU) named Computer_OU and place all desktop computer
accounts in this OU. Create a new Group Policy Object (GPO) named Employee Smart Cards with
the Interactive Logon: Smart card removal behavior and enable the Force Logoff option. Link this
GPO to Computer_OU.
Create an OU named Partner_Comps_OU and place all kiosk computer accounts in this OU.
Create a new GPO named Smart Cards and configure this GPO with the Interactive Logon: Smart
card removal behavior and enable the Lock Workstation option. Link this GPO to the Partner_OU.
With these actions, which goal(s) are met? (Choose all that apply.)
A. Each employee is configured to authenticate using a smart card.
B. Each partner is configured to authenticate to the public computer using a smart card.
C. Each partner is logged off when their smart card is removed from the computer.
D. Each employee maintains a protected session when his smart card is removed.
Answer: A,B
Q: 59
You are the network administrator for your company's network. The network consists of two Active
Directory domains: lmiweb.com and hr.lmiweb.com. The lmiweb.com domain supports most of the
company's user accounts and resources. The hr.lmiweb.com domain contains the user accounts
and resources for the company's human resources department.
The company has deployed an extensive 802.11b wireless network. Access points (APs) have
been deployed throughout the company to provide users in all departments with wireless
connectivity and serve as bridges to the wired LAN. A total of 325 users, including all members of
hr.lmiweb.com, have been issued laptops with 802.11b-compliant network adapters. No other
computers have wireless connectivity. All wireless LANs have Wired Equivalent Privacy (WEP)
enabled to secure these communications.
Human resources users work throughout the company providing employee training and
informational seminars. These users require access to the wireless LAN in all company locations.
You must ensure that all human resources data is as secure as possible as it is transmitted across
the wireless LAN. Only users with accounts in only specific users/computers groups should be
able to access the human resources division's wireless LAN. In addition, users without accounts in
this domain should not be able to view or select the LAN from their list of available networks.
What should you do? (Choose three. Each correct answer presents part of the solution.)
A. Configure MAC filtering on each department's wireless LAN.
B. Configure MAC filtering on the human resources wireless LAN.
C. Enable Service Set Identifier (SSID) broadcasting on each department's access point.
D. Configure a unique Service Set Identifier (SSID) for each department's wireless LAN.
E. Configure a unique Service Set Identifier (SSID) for the human resources wireless LAN.
F. Enable Service Set Identifier (SSID) broadcasting on all the human resources access points.
G. Disable Service Set Identifier (SSID) broadcasting on all the human resources access points.
Answer: B,E,G
Q: 60
You are the network administrator for your company. The network consists of a single Active
Directory domain with five domain controllers that run Windows Server 2003, Enterprise Edition.
You are updating the public key infrastructure (PKI) for your company. Issuing Certification
Authorities (CAs) have been provided certificates with a validity period of five years. Certificates
are issued to enable network users to encrypt files on their computers. Basic EFS certificates have
been issued and have been configured with the default validity period. You want to configure all
new EFS certificates so that they are valid for up to three years.
What should you do? (Choose all that apply. Each correct answer presents part of the solution.)
A. Duplicate and rename the Basic EFS certificate template.
B. Open the Basic EFS certificate template Properties dialog box.
C. Select the General tab and edit the validity period.
D. Select the General tab and edit the renewal period.
E. Select the Security tab and change the permission for the Administrators group to Enroll.
Answer: A,C
Q: 61
You administer your company's Web site, which contains executable programs. You want to
provide the highest level of trust to Internet users who download your programs, and you want to
ensure that users' browsers will allow them to download the programs. Your company's network
includes an enterprise root Certification Authority (CA) and an issuing enterprise subordinate CA.
Which of the following actions should you take?
A. Request a Code Signing certificate from your company's enterprise subordinate CA.
B. Request a Code Signing certificate from a commercial CA.
C. Request a User Signature Only certificate from your company's enterprise subordinate CA.
D. Request a User Signature Only certificate from a commercial CA.
Answer: B
Q: 62
You are one of the administrators for your company's Windows Server 2003 network. The relevant
portion of the network is presented in the following exhibit.
All servers, client computers and one network print device are currently configured with static IP
addresses. The network IP address is 200.10.29.0. A DHCP server has been deployed but has
not yet been configured. You must configure a new scope that will provide the existing client
computers with IP configurations. The new scope should support an additional 25 new client
computers that will be deployed within the next two months.
Which settings should be included in the new DHCP scope? (Choose three. Each correct answer
presents part of the solution.)
A. subnet mask: 255.255.255.0
B. subnet mask: 255.255.255.128
C. DHCP scope starting IP address: 200.10.29.7
DHCP scope ending IP address: 200.10.29.254
D. DHCP scope starting IP address: 200.10.29.1
DHCP scope ending IP address: 200.10.29.254
E. DHCP scope exclusion range starting IP address: 200.10.29.1
DHCP scope exclusion range ending IP address: 200.10.29.6
F. DHCP scope exclusion range starting IP address: 200.10.29.1
DHCP scope exclusion range ending IP address: 200.10.29.254
Answer: A,D,E
Q: 63
You administer your company's network. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. The network contains a two-node server cluster.
The company's security expert informs you that the password on the domain user account that is
used for the Cluster service has been compromised and must be changed immediately. Your
actions should cause minimal or no disruption of the services provided by the cluster because the
cluster is running a mission-critical application.
Which of the following should you do?
A. Use Active Directory Users and Computers to reset the password.
B. Use the Services console to change the password on any one of the cluster nodes.
C. Use the Cluster command with the appropriate options.
D. Use the dsmod user command with the appropriate options.
E. Use the dsmod computer command with the appropriate options.
Answer: C
Q: 64
You are a network administrator for a company named ABC.com. ABC.com has acquired a
company named Verigon, which will function as ABC.com's subsidiary. All client computers in
Verigon run Windows XP Professional or Windows 2000 Professional. Verigon has well-established
relationships with its partners and customers who have always used e-mail addresses
in the format alias@verigon.com to communicate with Verigon's employees. The ABC.com
management wants users in the new subsidiary to retain their existing e-mail addresses.
ABC.com's network currently consists of a single Active Directory domain named ABC.com.com.
All domain controllers in this domain run Windows Server 2003. ABC.com's written naming policy
requires that all employees use their e-mail addresses in order to log on. You must incorporate the
new users from Verigon into your existing network by using the least administrative effort. Your
solution should also require minimum administrative effort for network management in the future.
You must comply with ABC.com's naming policy while preserving the new users' existing e-mail
addresses.
Which of the following should you do?
A. Create a new Active Directory forest named verigon.com, and create user accounts for the
new users in the root domain of that forest.
B. Create a new tree-root domain named verigon.com, and create user accounts for the new
users in that domain.
C. Create user accounts for the new users in the existing domain, and specify an alternative user
principal name suffix of verigon.com.
D. Create user accounts for the new users in the existing domain, and assign them user logon
names in the format of alias@verigon.com.
Answer: C
Q: 65
You administer your company's Windows 2003 network. The network consists of 25 Windows
Server 2003 computers. The network contains an offline root Certification Authority (CA) located in
the main office and a subordinate issuing CA in the main office and each of the remaining four
retail locations.
One of the four retail locations has been purchased and will operate as a franchise. You must
ensure that resources on the company network will not accept certificates from the associated
subordinate CA in this retail location after the sale is completed. Your solution must use a
minimum amount of administrative effort.
What should you do? (Choose three. Each correct answer presents part of the solution.)
A. On the company's root CA, revoke the certificate of the subordinate CA.
B. Disconnect the subordinate CA from the network.
C. On the subordinate CA, remove the CA software and remove the CA files.
D. On the subordinate CA, revoke the certificates that it has issued.
E. Publish a new Certificate Revocation List.
F. Copy the Edb.log file from the root CA to its Certification Distribution Point on your network.
G. Copy the Edb.log file from the subordinate CA to its Certification Distribution Point on your
network.
H. Copy the Certificate Revocation List file to the Certificate Distribution Point on your network.
Answer: A,E,H
Q: 66
You are the backup administrator for your company. You are responsible for ensuring that all data
on ten file servers are protected against data loss. Normal business hours from 8 A.M. to 5 P.M.,
Monday through Friday, are observed. Network access is prohibited outside normal business
hours.
A member server named File1 contains a shared folder accessed by users in the sales department.
The disk structure of File1 is shown in the following exhibit:
You have scheduled a daily backup of File1 as shown in the exhibit.
Users in the Sales department frequently leave documents open on their desktops when they
leave work. These users occasionally request that you restore a previous version of a file from
backup. However, some of these files are not included in recent backup sets. You must modify the
backup procedures for File1 so that all files, including open documents, will be included in the daily
backup. You also want to provide users with the ability to restore their files.
What should you do? (Choose all that apply. Each correct answer presents part of the solution.)
A. Move all shared user data folders from drive D to drive F.
B. Move all shared folders user data from drive F to drive D.
C. Enable Shadow Copies of Shared Folders on drive F.
D. Enable Volume shadow copy for the scheduled backup job.
E. Select the Disable volume shadow copy option for the scheduled backup job.
F. Install the Previous Versions Client software on all Sales department computers.
G. Create a new daily backup job by using the same settings, but clear the Disable volume
shadow copy option.
Answer: A,C,F,G
Q: 67
You are proposing the purchase of a new e-mail server for your corporate network. You have
specified a new server from a major OEM manufacturer that is configured with a powerful quad-processor
configuration, hot-swappable hard drives, and redundant power supplies and network
adapters, with a three-year onsite warranty. Due to a budget crunch, the chairperson of the budget
committee has suggested that the company can make do with a less powerful workgroup server
from a local computer store. This server has only a single processor and no redundancy features,
and a one-year onsite warranty. What reasons can you provide the budget committee members
that might convince them to authorize the purchase of the server that you specified, even though it
has a higher price tag?
A. A more powerful server will provide better performance and scalability as the company’s needs
grow over time.
B. Redundant hardware components will increase the server’s availability to service the needs of
the company’s users and customers.
C. The extended warranty on the more powerful server will increase support costs over time,
since you’re paying to cover the machine under warranty for three times as long.
D. Windows Server 2003 requires at least a dual-processor configuration.
Answer: A,B
Q: 68
You are the administrator for a network that supports a mixture of Windows NT 4 Workstation,
Windows 2000, and Windows XP Professional. You are preparing to upgrade your network
servers from Windows NT Server to Windows Server 2003. What is the strongest level of network
authentication that you can configure your Windows domain to use in its current configuration
(without installing third-party software)?
A. Kerberos
B. LM
C. NTLM
D. NTLM version 2
Answer: D
Q: 69
The only protocol used by your network is TCP/IP, despite the fact that workstations in the
organization do not have access to the Internet. A user has been accessing files on a server on your
network and now wants to connect to a Web server that is used as part of the company’s intranet.
The user enters the URL of the Web site into Internet Explorer.
Which of the following servers will be used to provide information needed to connect to the Web
server?
A. DHCP server
B. DNS server
C. WINS server
D. File server
Answer: B
Q: 70
You want to set up a discussion group that can be accessed over the corporate intranet, so that
users can view and post messages in a forum that can be viewed by other employees.
Which of the following services would you use to implement this functionality?
A. HTTP
B. FTP
C. NNTP
D. SMTP
Answer: C
Q: 71
Which of the following addresses is suitable for dividing into at least nine subnets, each with the
ability to support 200 hosts per network?
A. 10.1.1.0/24
B. 10.1.1.0/20
C. 10.1.1.0/19
D. 10.1.1.0/22
Answer: B,C
Q: 72
A client computer configured as a DHCP client was unable to obtain an address from the DHCP
server. Upon investigation, you discovered that the DHCP scope was not activated, so you
activated it. The client computer has an APIPA address of 169.254.0.1. What actions are required
for the client to obtain an IP address from the DHCP server?
A. Run ipconfig /all from a command prompt.
B. Use Netsh to assign an address to the network adapter.
C. Log off Windows XP and log on again.
D. Take no action.
Answer: D
Q: 73
Your IT Director has been reading again. He has decided that he wants to convert the network to
OSPF, but he is having some difficulty with terminology. He knows that an OSPF router can serve
one of four roles. His problem is that he can’t remember which role exists when one of the router’s
interfaces is on the backbone area. Help him out.
Which of the following is it?
A. Internal router
B. Area border router
C. Backbone router
D. Autonomous system boundary router
Answer: C
Q: 74
You have enabled RRAS on your Windows Server 2003 computer. You want to set up IP packet
filtering to help you manage access from remote clients. Where in the Routing and Remote
Access console will you enable IP packet filters?
A. The properties of the remote-access ports
B. The properties of the remote-access server
C. The profile of a remote-access policy
D. The conditions of a remote-access policy
Answer: C
Q: 75
You have an IAS server running Windows Server 2003. It supports a group of RRAS servers used
to manage VPN connections for clients. You are configuring the authentication methods for the
IAS server and want to allow the clients to use smart cards for secure and convenient
authentication. Which of the following authentication protocols should you select?
A. MS-CHAP
B. EAP-TLS
C. MD5 CHAP
D. MS-CHAP v2
Answer: B
Q: 76
You have configured an RRAS server on one Windows Server 2003 computer and an IAS server
on another, and configured the RRAS server to use the IAS server for authentication.
In RADIUS terminology, which computer(s) are referred to as network access servers?
A. The IAS server
B. The RRAS servers
C. The clients of the RRAS server
D. Both the IAS and RRAS servers
Answer: B
Q: 77
You are the administrator of a Windows network that consists of a mixture of Windows NT 4,
Windows 2000, and Windows Server 2003 servers, providing a mix of file, print, messaging, and
other services critical to your network. You are currently running WINS, DNS, and DHCP services
on your network. You have already enabled dynamic DNS on your forward and reverse lookup
zones, but you want to ensure that all of your client computers can find the name-to-address
mapping of all your servers using DNS. You want to minimize the administrative effort for this
project. What action should you take? (Select the best answer.)
A. Place the DHCP servers in the DnsUpdateProxy group.
B. Enable DHCP to update forward and reverse lookup zones on behalf of all DHCP clients.
C. Manually enter the records for servers that have static addresses.
D. Create a WINS resource record in the forward and reverse lookup zones.
Answer: D
Q: 78
You are the enterprise administrator of a Windows network that comprises a number of Windows
2000 and Windows 2003 domain controllers. You want to use Active Directory integrated zones for
your zone data to enhance security and optimize replication of zone data. What should you
choose as the replication scope? (Select the best answer.)
A. To all DNS servers in the forest
B. To all domain controllers in the AD domain
C. To all DNS servers in the AD domain
D. To all domain controllers specified in the scope of an application partition
Answer: B
Q: 79
You are the administrator of a Windows Server 2003 network. You have five WINS servers and
need to reconfigure the replication topology as a result of some recent upgrades to your WAN
links. All of your WAN links connecting the head office and your four branch offices now have
ample bandwidth to handle additional traffic. You want to ensure the shortest convergence time of
replicated records, while at the same time keeping the number of replication partnership agreements
to an absolute minimum. What replication topology should you choose? (Select the best answer.)
A. Ring topology
B. Mesh topology
C. Hub-and-spoke topology
D. Hybrid of ring and hub-and-spoke topology
Answer: C
Q: 80
You are configuring a remote access server on a Windows Server 2003 computer. The same
server is acting as a domain controller and DHCP server, assigning IP addresses to clients. Which
of the following is the simplest method of assigning IP addresses for remote clients?
A. Manually configure each client with an IP address.
B. Configure the RRAS server to use DHCP.
C. Configure a static address pool.
D. Use APIPA.
Answer: B
Q: 81
You have several users who dial in to a remote access server using multilink connections,
combining two modems into a single link. Although this provides a higher bandwidth to the users,
you find the server runs out of modem lines frequently, and most users are not using their
connections to their full potential. Which of the following is a solution to this issue?
A. Disable multilink connections.
B. Set the maximum number of multilink ports to one.
C. Use VPN instead of dial-in access.
D. Enable Bandwidth Allocation Protocol (BAP).
Answer: D
Q: 82
You have configured a VPN server running Windows Server 2003 and RRAS. Most clients are
able to access the server, but clients running Windows 98 are reporting that they are unable to
connect. Which of the following is most likely the cause of this problem?
A. Computer certificates are not installed.
B. L2TP is not enabled on the server.
C. PPTP is not enabled on the server.
D. Windows 98 does not support VPN client access.
Answer: C
Q: 83
You have configured a WAP using the EAP-TLS protocol. The WAP is connected to a LAN with a
Windows Server 2003 server. Which of the following additional tasks may be necessary to ensure
that wireless clients can connect? (Choose all that apply.)
A. Enable PPP authentication.
B. Issue computer certificates to clients.
C. Issue user certificates or smart cards to users.
D. Install and configure IAS.
Answer: B,C
Q: 84
You have recently purchased a new single-CPU, Intel Xeon-based server. This hardware will be
used to run a multithreaded CPU-intensive application. How can you ensure that the application
performs at its best on the hardware provided?
A. Turn on hyperthreading.
B. Add a second CPU.
C. Boost the processing priority of the application's threads.
D. Disable hyperthreading.
Answer: A
Q: 85
You are working on an existing server. The NIC manufacturer has notified you of an updated
driver for your card that will greatly improve performance. You download and install the new driver.
Before you reboot the system, you perform an ASR backup. When you reboot the system, it
reaches the graphical portion of the boot process and presents a STOP message. What is the
proper process for recovering from this problem?
A. Perform an ASR restore from the ASR backup set you created before the reboot.
B. Reboot the system, press F8 when prompted during the boot process, select Last Known
Good Configuration, and press Enter.
C. Reinstall the operating system and do a restore of the system from tape backup.
D. Reboot the system, press F8 when prompted during the boot process, select Safe Mode, and
press Enter.
Answer: B
Q: 86
You are a consultant. You have been called in to troubleshoot a malfunctioning NLB cluster that is
supposed to serve Web pages with IIS. The cluster contains four hosts, but only one host at a time
will successfully form the cluster. Clients appear to have no problems connecting to any of the
single-host cluster configurations. What is the most likely cause of the problem?
A. The hosts are configured with duplicate priorities.
B. The hosts are configured with different port rules.
C. The hosts are configured with different cluster IP addresses.
D. The hosts are configured with duplicate cluster IP addresses.
Answer: A
Q: 87
One of your hosts in a multiple-host NLB cluster requires maintenance. The cluster is heavily used
and central to the profitability of your company. You want to bring the node down for service in the
least disruptive way. How should you accomplish this goal?
A. Use the drainstop option on the host needing maintenance.
B. Use the drainstop option on all the hosts in the cluster not needing maintenance.
C. Use the suspend option on the host needing maintenance.
D. Use the suspend option on all the hosts in the cluster not needing maintenance.
Answer: A
Q: 88
You have been hired as a consultant to help deploy IPSec for the network of a medium-size
manufacturing firm that is developing a number of new products and must share sensitive data
about its products over the network. As part of the planning process, you must determine the best
authentication method to use with IPSec. What are the authentication methods that can be used
with IPSec? (Select all that apply.)
A. Kerberos v5
B. Perfect Forward Secrecy (PFS)
C. Shared secret
D. Diffie-Hellman groups
Answer: A,C
Q: 89
You want to use the RSoP tool in logging mode to build some reports on the existing policy
settings of one of your client computers. You have used RSoP before in planning mode, but never
in logging mode. You open the RSoP Wizard from the Active Directory Users and Computers
console, as you’ve done before, but you notice that there is no mechanism for selecting the mode,
and only planning mode seems to be available. What is the problem?
A. The RSoP Wizard runs only in planning mode.
B. You should open the RSoP Wizard from Active Directory Sites and Services instead.
C. You should open the RSoP Wizard from the RSoP MMC instead.
D. You can select logging mode when you open the RSoP in Active Directory Users and
Computers. You must have overlooked the option.
Answer: C
Q: 90
You have recently hired a new junior administrator to assist you in running the network for a
medium-sized manufacturing company. You are explaining to your new assistant that AD objects
are assigned security descriptors to allow you to implement access control. You tell your assistant
that the security descriptor contains several different components. Which of the following are
contained in the security descriptor for an object? (Select all that apply.)
A. Discretionary access control list
B. System access control list
C. Dynamic access control list
D. Ownership information
Answer: A,B,D
Q: 91
You are implementing a new wireless network and need to change the default settings for the
equipment on the WLAN. What information should you change? (Select all that apply.)
A. SSID password
B. SSID network name
C. Domain Administrator password
D. Domain Administrator account should be renamed
Answer: A,B
Q: 92
You have a number of users who need to be able to roam through the building with their laptop
computers and still stay connected to the network. Because of the nature of their work, it is
important that they have relatively fast access for transferring a lot of very large data files over the
network. You need to implement a wireless network that can connect devices up to 54 Mbps and a
minimum of 24 Mbps. Which IEEE standard should you choose?
A. 802.15
B. 802.11a
C. 802.11b
D. 802.1x
Answer: B
Q: 93
You are setting up a procedure to keep documents exchanged between members of the R & D
department secret. They will be sending these documents across the Internet to each other. Which
PKI process will you need to employ to achieve this?
A. Confidentiality
B. Non-repudiation
C. Authentication
D. Data Integrity
Answer: A
Q: 94
You are the domain administrator for ABC.com. Client systems in use include Windows 2000
Professional and Windows XP Professional. You have been asked to set up a Public Key
Infrastructure configuration for your domain. You also need to identify which features will run in
your environment.
Your domain controllers consist of only Windows Server 2003 systems and your Enterprise
Certificate Authority is installed on a Windows Server 2003 Standard Edition system.
Which of the following PKI features are supported in your environment?
Select all that apply.
A. Auto-enrollment for User certificates
B. Auto-enrollment for Computer certificates
C. Delta certificate revocation lists (CRLs)
D. Role separation
E. Qualified subordination
F. V2 templates
Answer: B,C,E
Q: 95
You are one of the Web hosting administrators for your company's e-commerce environment.
You are trying to configure a Web server called WEBSRV01 running Windows Server 2003
Standard Edition. WEBSRV01 currently hosts three different Web sites, two of which only offer
static content and one that uses Active Server Pages.
How can you enable Web services for your server so that it will allow you to offer up the different
types of content as required on each of the Web sites hosted on the server, using the least
amount of administrative effort and maintaining a high level of security on the base OS of the
server?
Select the best answer.
A. Use the Configure Your Server Wizard to configure the server in the Application Server role by
using the default settings provided.
B. Use the Configure Your Server Wizard to configure the server in the Web server role by using
the default settings provided.
C. Add the IIS service via the Control Panel and Add/Remove Windows Components. Then,
install the service and dynamic content by manually configuring all of the required settings.
D. Use the Configure Your Server Wizard to configure the server in the Application Server role,
and manually choose the options for dynamic content.
E. Add the IIS service via the Control Panel and Add/Remove Windows Components. Then,
install the service and dynamic content using the default settings provided when prompted.
Answer: D
Q: 96
You are the domain administrator for ABC.com. Client systems in use include Windows 2000
Professional and Windows XP Professional for most locations. For branch office one, the exception
would be six Windows 98 clients that are still in use. Server systems in use include 2000 Server
and Server 2003.
Branch office one has all of the clients using DHCP locally and interconnected locally by a layer 2
switch and back to the main office via a router and a private leased line. There are a total of 43
host systems at this location, including the installed servers.
Branch office two has all of the clients using DHCP and connected locally by a layer 3 switch and
back to the main office via a Windows Server 2003 Routing and Remote Access server and an
ISP connection to a VPN server at company headquarters. There is a slower, secondary demand-dial
connection back to the main office that is used if the primary connection goes down. There are
a total of 39 host systems at this location including the installed servers.
Branch office three has all of the clients using DHCP and connected locally by a layer 3 switch and
back to the main office via an ISP connection to a VPN server at company headquarters. There
are a total of 22 host systems at this location including the installed servers.
You need to provide a security configuration for data transmissions that occur over the Internet to
the main company headquarters so that all of this data is secured against tampering and
unauthorized modification.
How would this be accomplished in your environment by performing only the required steps,
adding no more resource load to the servers or networks than is absolutely necessary to
accomplish the required tasks, and using the least amount of administrative effort?
Select all that apply.
A. The Microsoft L2TP/IPSec VPN Client would not be needed for any of the systems in use.
B. The Microsoft L2TP/IPSec VPN Client needs to be installed on all Windows 98 systems making
VPN connections to the company headquarters via the RRAS server connection.
C. The Microsoft L2TP/IPSec VPN Client needs to be installed on all Windows 98 systems making
the connections to the VPN server individually by way of the PPTP adapter.
D. For securing the required traffic, the Encapsulating Security Payload (ESP) is needed as the
security method.
E. For securing the required traffic, the Authentication Header (AH) is needed as the security
method.
F. The Microsoft L2TP/IPSec VPN Client needs to be installed on all Windows 98 systems using
the Dial-up Networking version 1.4 upgrade if they were making the connections to the VPN
server individually.
Answer: A,E
Q: 97
You are a network administrator for your Windows Server 2003 domain and you are updating the
network configuration for your company. You have used part of the 191.99.74.0/16 IP address
range that your company owns and segmented the networks in this new location in such a way as to
allow for 60 hosts per subnet currently and also allow for an anticipated growth of 15% for the
client systems.
Your design also calls for adding a routing configuration that will allow you to forward IP multicast
traffic and the use of the Internet Group Management Protocol (IGMP). You have decided to use
the Routing and Remote Access Service on your Windows Server 2003 system to handle this
requirement in your environment. You also need to define the standards for your network nodes
with regard to multicasting on your network.
What is a specific characteristic that is required of a host or network node that is multicast-capable?
Select the best answer.
A. The network node must be able to use a multicast routing protocol to propagate multicast
group listening information to other multicast-capable nodes.
B. The network node must be able to listen for all multicast traffic on all attached networks. Upon
receiving multicast traffic the node would have to forward the multicast packet to attached
networks where other nodes are listening or where downstream routers have nodes that are
listening.
C. The network node must be able to listen for IGMP membership report messages and update
the TCP/IP multicast forwarding table.
D. The network node must be able to register the multicast addresses being listened to by the
node with local routers so that multicast packets can be forwarded to the network of the node.
Answer: D


Latest Version: 9.5  Last Update: December, 2012
