900 name = 900 exam = 70-216

1. Your network has 3 Win2000 WINS servers. How would you manually compact the WINS database on one of the WINS servers?
a. Use the Compact command from the command line and specify the sysvol/wins folder.
b. Stop the Server's WINS Server. Use the Jetpack command line tool to compact the WINS database. Restart the server's WINS Server
c. Stop the Server's WINS Server. Use the Compact command from the command line. Restart the Server's WINS Server
d. Back up the WINS Database. Use the jetpack command line tool to compact the WINS database. Do an authoritative restore of the backup
Answer: b
The correct syntax for Jetpack.exe is:
    jetpack database_name temporary_database_name
These are example commands to compact the DHCP database:
    cd %systemroot%\system32\dhcp
    net stop dhcpserver
    jetpack dhcp.mdb tmp.mdb
    net start dhcpserver

2. You are creating a DHCP scope for your 192.168.1.32/28 subnet. The subnet consists of Windows 2000, Windows 98, and Windows 95 computers. You have two UNIX computers on this subnet that will be assigned the two highest available static IP addresses. The subnet's default gateway will be assigned the lowest available IP address on the subnet. Which scope should you create on your DHCP server?
a. 192.168.1.34 - 192.168.1.46
b. 192.168.1.34 - 192.168.1.44
c. 192.168.1.33 - 192.168.1.45
d. 192.168.1.34 - 192.168.1.61
e. 192.168.1.33 - 192.168.1.60
Answer: b [agreed and why]
192.168.1.32 (Subnet Address)
192.168.1.33 (Lowest available IP) Reserved for Gateway
192.168.1.34-44 (available scope IP)
192.168.1.45-46 (highest 2 IP) Reserved for Unix machines
192.168.1.47 (Broadcast address)

3. You install Network Monitor on a Windows 2000 Server to analyze ISO and TP4 communications to the Microsoft Exchange Server on your network. How should you configure Network Monitor? (Choose two)
a. Change the Temporary Capture Directory.
b. Copy ISO.dll and TP4.dll to Netmon Subdirectory.
c. Copy ISO.DLL and TP4.DLL to the NetMon\Parsers subdirectory.
d. Modify the Parser.ini.
e. Modify the Netmon.ini.
Answer: c, d
The information in this article applies to: Microsoft Exchange Server, versions 5.5, 4.0, 5.0
SUMMARY
This article explains how to configure the ISO and TP4 Parser for Network Monitor.
MORE INFORMATION
- Copy the Iso.dll, Iso.ini, Tp4.dll files to your NetMon\Parsers subdirectory. These files are located in the BackOffice Resource Kit.
- Make the following additions to your Parser.ini file. The Parser.ini file is located in the NetMon directory.

4. Your network uses an address of 172.30.0.0/16. Your projected growth for the network indicates a need for at least 25 subnets with a minimum of 1,000 hosts per subnet. What subnet mask should you configure to meet these needs?
a. 255.255.252.0
Answer: a
Max subnets = 62
Hosts per subnet = 1022
Subnet ID = 172.30.0.0
Subnet Host range = 172.30.0.1 - 172.30.3.254
Broadcast = 172.30.3.255

5. To centralize administration you implement a Remote Authentication Dial-In Service (RADIUS) server. Each of your branch offices will support their own Routing and Remote Access Server. You remove the default remote access policy. What should you do to implement one company policy that requires all dial-up communications to use 40-bit encryption, and require secure communications? (Choose two)
a. Create one remote access policy on each Routing and Remote Access server.
b. Create one remote access policy on the RADIUS server.
c. Set encryption to Basic in the remote access policy.
d. Set encryption to Strong in the remote access policy or policies.
e. Enable the Secure Server IPSec policy on the RADIUS server.
f. Enable the Server IPSec policy on the RADIUS server.
Answer: b, c
IAS is Microsoft's implementation of a RADIUS Server. It centralizes authentication, authorization and administration of RAS (NAS). As such, Remote Access Policies (RAPs) are centralized as well.
For encryption, the default setting allows Microsoft Point-to-Point Encryption (MPPE) when requested by the remote access client. To force encryption for dial-up networking connections, you need to modify the encryption settings on the policy profile to require encryption. For dial-up networking connections, clear the No encryption option and select the following options on the Encryption tab on the properties of the remote access policy profile:
- Basic
  You should use this option when communicating with older Microsoft dial-up networking clients who are connecting from outside North America. This option uses Microsoft Point-to-Point Encryption (MPPE) and a 40-bit encryption key.
- Strong
  You should use this option when communicating with Windows 2000 and Windows 98 dial-up networking clients who are connecting from outside North America. This option uses MPPE and a 56-bit encryption key.
- Strongest
  You should use this option when communicating with dial-up networking clients who are connecting from inside North America. This option uses MPPE and a 128-bit encryption key and is only available on North American versions of Windows 2000.

6. You administer your company's Windows 2000 network. Your network consists of 5 Windows 2000 Server computers, 300 Windows 2000 Professional computers, and 10 UNIX servers. One of your Windows 2000 Server computers is your DNS server. The DNS zone is configured as an Active Directory integrated zone. The DNS zone is also configured to allow dynamic updates. Users report that although they can access the Windows 2000 computers by host name, they cannot access the UNIX servers by host name. What should you do?
a. Manually enter A (host) records for the UNIX servers in the zone database
b. Manually add the UNIX servers to the Windows 2000 domain
c. On the DNS server, manually create a HOSTS file that contains the records for the UNIX servers
d. Configure a UNIX computer to be a DNS server in a secondary zone
Answer: a
Since Dynamic Updates is configured, the answer seems simple. The Unix Servers aren't able to send the Client FQDN (81) option which triggers the dynamic update. Windows 2000 clients, by default, can register both A and PTR Records dynamically. This question does not mention a Windows 2000 DHCP Server, which can be enabled to update DNS Records (A and PTR) for clients that do not support Dynamic Updates.

7. You are the administrator for a Windows 2000 network. Your internal DNS server is located behind a firewall. When you test your DNS server by using the Monitoring tab on the server's properties page, the DNS server passes the simple test but fails the recursive test. What should you do?
a. Run ipconfig /registerdns
b. Delete the %systemroot%\system32\dns\cache.dns file
c. Copy the %systemroot%\system32\dns\samples\cache.dns file to %systemroot%\dns, and overwrite the existing cache.dns file
d. Create a forward lookup zone for the root zone. Name the forward lookup zone "."
Answer: c
SYMPTOMS
You may experience one or more of the following symptoms:
1 The DNS server is unable to resolve names for which it is not authoritative.
2 There are no servers listed on the DNS server Root Hints tab.
3 The servers listed on the Root Hints tab do not match the Cache.dns file in the %systemroot%\system32\dns folder.
4 When you replace the Cache.dns file in the %systemroot%\system32\dns folder, it does not update the root hints listed in the DNS Manager.
CAUSE
This issue can occur because the DNS server is a domain controller and is configured to load zone data on startup from Active Directory and the registry. If the root hints specified in the Active Directory have been deleted, modified, incorrectly entered or damaged, this behavior occurs.
RESOLUTION
To work around this issue if the DNS server needs hints for the Internet root servers:
1 If it is running, quit the DNS MMC snap-in. At a command prompt, type net stop dns, and then press ENTER.
2 After the DNS Server Service stops, type copy %systemroot%\system32\dns\samples\cache.dns %systemroot%\system32\dns, and then press ENTER. Note that if you are prompted to overwrite an existing file, type y, and then press ENTER.
3 Start the Active Directory Users and Computers MMC snap-in. Click Advanced Features on the View menu.
4 Expand the System folder, expand MicrosoftDNS, right-click RootDNSServers, and then click Delete.
5 Click Yes when you are prompted to delete this object, and then click Yes again when you are prompted to delete this object and the objects it contains.
6 Quit the Active Directory Users and Computers MMC snap-in.
7 At the command prompt, type net start dns, and then press ENTER. Exit the command prompt.
8 Start the DNS MMC snap-in, and then verify that the root servers appear on the Root Hints tab in the server properties.
9 Start the Active Directory Users and Computers MMC snap-in, and then verify that the RootDNSServers container has been recreated and contains the root servers that were listed in the DNS Manager. If multiple domain controllers exist that are running DNS, the new root hints are automatically replicated.
MORE INFORMATION
By default, when DNS is running on a Windows 2000 domain controller, the root hints are read from Active Directory upon startup first. If no root hints exist in Active Directory, the Cache.dns file is read. If the listing of root DNS servers becomes damaged in Active Directory or is missing, it may be necessary to replace them with the entries listed in the %systemroot%\system32\dns\backup\Cache.dns file. By default, the DNS service implements root hints using a file, Cache.dns, stored in the %SystemRoot%\System32\Dns folder on the server computer. This file normally contains the NS and A resource records for the Internet root servers.
If, however, you are using the DNS service on a private network, you can edit or replace this file with similar records that point to your own internal root DNS servers.

8. Your WAN network consists of ten internal subnets in two physical buildings connected by routers. An additional subnet is configured for Internet access. All routers on the network will be multihomed Windows 2000 Servers running Routing and Remote Access. You want to accomplish the following goals:
a. Administrative overhead for routing table configuration is minimized.
b. Broadcast traffic for routing table configuration is minimized.
c. Link redundancy within ten minutes is ensured in case of router failure.
d. Ensure convergence times of less than one minute for all known routes.
e. Internal routing information will never be exposed to external routers.
You take the following actions:
- Install RIP version 1
- Configure RIP to use all interfaces on all multihomed computers.
- Enable RIP authentication by specifying a password on each interface.
What results do these actions produce? (Choose all that apply)
Answer: a,e
a is correct because RIP V1 facilitates the automatic exchange of routing information.
b Incorrect. Broadcast traffic for routing table configuration is not minimized because all RIP V1 route announcements are addressed to the IP Subnet and MAC-Level, so even non-RIP hosts receive RIP announcements. The amount of broadcast traffic can become significant on large networks.
c and d Link redundancy within ten minutes in case of router failure and convergence times of less than one minute for all known routes are not ensured, because by default each routing table entry learned through RIP is given a timeout of 3 minutes past the time it was received in a RIP announcement from a neighbouring RIP router. When a router fails because of hardware or software failure it can take several minutes for the topology change to propagate through the internetwork.
With 10 subnets, this could take up to 30 minutes for a failed router to be recognized. This is also known as Slow Convergence.
Lontar: I chose E because "Enable RIP authentication by specifying a password on each interface"

9. You are the administrator of your company's Windows 2000 / Novell NetWare 5.0 routed network. All clients on the network are configured with Windows 2000 Professional. Both the Windows 2000 Professional client computers and Windows 2000 Server computers need to communicate with the Novell NetWare 5.0 servers. NWLink has been installed on all Windows 2000 client and server computers. What protocol or protocols must be installed on the Novell NetWare 5.0 server for network communication to succeed? (Choose all that apply)
a. IPX/SPX
b. TCP/IP
c. NWLink
d. Microsoft CHAP (MS-CHAP)
e. SNMP
Answer: a
Even though TCP/IP is the default protocol installed on Novell NetWare 5.0, you still need to use NWLink and IPX for communication, as CSNW or GSNW do not work over TCP/IP.

10. Your Web server is configured to run a third party Web application for users on your network. Users complain that each time they try to connect to a secure Web page stored on the Web server, they receive the error message "Web page requested is not available". They have no problem connecting to FTP. You have verified that the Web service has started. What should you do to diagnose this problem?
a. Verify that port 443 is permitted in your TCP/IP filter.
b. Verify that port 80 is permitted in your TCP/IP filter.
c. Verify that port 21 and port 20 is permitted in your TCP/IP filter.
d. Verify that the correct NTFS file permissions are configured for the web page.
Answer: a
Key point is secure page.
SSL requests (on port 443)
HTTP on port 80
HTTP server (HTTPS) on port 443
By default, Web data (HTTP) uses Transmission Control Protocol (TCP) port 80, while SSL (HTTPS) uses TCP port 443. The standard port for an SSL connection is port 443.
When HTTPS is used in an Internet browser, port 443 is assumed. Ports 20 and 21 are for FTP.

11. Your domain is in mixed mode. Routing and Remote Access is enabled for remote access on Srv1. The domain also has a Windows NT 4.0 member server computer named Srv2. Srv2 is running Remote Access Service (RAS). Users in the domain use Windows 2000 Professional computers to dial in to the network through Srv1 or Srv2. However, Srv2 is not able to validate remote access credentials of domain accounts. How should you configure the network to enable Srv2 to validate remote access domain users?
a. Add the Everyone group to the RRAS access group
b. Configure srv2 as a DHCP relay agent
c. Configure Srv1 to use MSChap for authentication and Srv2 to use Chap
d. Add the Everyone group to the Pre-Windows 2000 Compatible Access group.
Answer: d
For a Windows NT version 4.0 Service Pack 4 and later remote access server that is a member of a Windows 2000 mixed mode domain or a Windows 2000 remote access server that is a member of a Windows NT 4.0 domain that is accessing user account properties for a user account in a trusted Windows 2000 domain, verify that the Everyone group is added to the Pre-Windows 2000 Compatible Access group with the net localgroup "Pre-Windows 2000 Compatible Access" command. If not, issue the net localgroup "Pre-Windows 2000 Compatible Access" everyone /add command on a domain controller computer and then restart the domain controller computer.

12. Your network consists of Windows 2000 Server computers, Windows 2000 Professional computers, and one NetWare server. Administrators must have complete access to the Sys volume on the NetWare server. All other users should have read only access. You are configuring Gateway Service for NetWare on a Windows 2000 Server computer. What should you do to configure the appropriate access to the NetWare server? (Choose two)
a. Create an NT Gateway group on the 2000 server.
b. Add the NT Gateway User Account to the NTGateway Group on the Netware Server
c. Grant Full Control permission to Admins and Read permission to users on the Windows2000 Server
d. Grant Full Control Permission to Admins and Read permission for users on the Netware Server
Answer: b,c
page 644 internetworking guide RESKIT 2000
* create a Unique user account on Netware
* create a Netware Group account named NTGATEWAY
* Make the Netware user account member of the NTGATEWAY group account

Creating a gateway
Before you can create a gateway to NetWare resources on a computer running Windows 2000 Server:
- The NetWare server must have a group named NTGATEWAY with the necessary rights for the resources that you want to access.
- You must have a user account on the NetWare network with the necessary rights for the resources that you want to access.
- The NetWare user account you use must be a member of the NTGATEWAY group.
The NetWare user account you use to enable gateways can be either a Novell Directory Services (NDS) account or a bindery account. If the server will have gateways to both NDS resources and resources on servers running bindery security, the user account must be a bindery account. (This account can connect to NDS resources through bindery emulation.) If you create gateways only to NDS resources, the account can be an NDS account.
Creating a gateway is a two-step process:
* First, you enable gateways on the server running Windows 2000 Server. When you enable a gateway, you must type the name and password of the user account that has access to the NetWare server and is a member of the NTGATEWAY group on that NetWare server. You need to do this only once for each server that will act as a gateway.
* For each volume or printer to which you want to create a gateway, you activate a gateway. When you activate a gateway, you specify the NetWare resource and a share name that Microsoft client users will use to connect to the resource.
To activate a gateway for a volume, you can use Gateway Service for NetWare (in Control Panel). To activate a gateway for a printer, you can use the Add Printer wizard. If you are activating a gateway to an NDS resource, and the gateway user account is a bindery user account, specify the resource that uses the bindery context name. If you are using an NDS user account, and you do not plan on also creating gateways to bindery resources, specify the NDS resource name.
Security for gateway resources is provided on two levels:
- On the computer running Windows 2000 Server and acting as a gateway, you can set share-level permissions for each resource made available through the gateway.
- On the NetWare file server, the NetWare administrator can assign trustee rights to the user account that is used for the gateway or to the NTGATEWAY group. These rights are enforced for all Microsoft client users who access the resource through the gateway. There is no auditing of gateway access.

Reason & Source: Windows 2000 Resource Kit Internetworking Guide
Preparing the NetWare Server for Gateway Service for NetWare:
To establish connectivity to NetWare resources for a Windows 2000 Server-based computer running Gateway Service for NetWare, you need to create user and group accounts. You must first create a unique user account on the NetWare network to serve as the NetWare interface for the Windows 2000 Server-based gateway computer running Gateway Service for NetWare. The password for the NetWare user account must be identical to the password used to enable the Windows 2000 Server gateway, described in "Configuring a Gateway on the Windows 2000 Server-Based Computer" later in this chapter. You must also create a unique NetWare group account named NTGATEWAY. You must create this account on the NetWare network.
The NTGATEWAY group account acts as a common access point to NetWare resources for all Windows 2000 Server gateway users; therefore, you must set appropriate trustee access rights on the NTGATEWAY group account for all the NetWare resources that the group must access. Finally, make the NetWare user account that you created a member of the NTGATEWAY group account.
Preparing the NetWare Server for Client Service for NetWare:
To establish connectivity to NetWare resources for a Windows 2000 Professional computer running Client Service for NetWare, you need to create a unique user account on the NetWare network and set the necessary rights for the user's resource needs. You or the user must also synchronize the passwords.

13. You are the administrator of your domain. You have client computers evenly distributed across five sites. Atlanta.xco.com recently upgraded its two DNS servers that service the subdomain. You suspect the upgrade has resulted in an incorrect configuration of your zone delegation. What should you do to verify proper zone delegations?
a. Use System Monitor to confirm that the counters for the DNS zone transfer failure are zero.
b. Use System Monitor to confirm that the counters for the DNS recursive query are zero.
c. Run the nslookup -querytype=ns atlanta.xco.com command with the server option set to query the atlanta.xco.com server. Ping the records displayed in the output of the nslookup command.
d. Run the nslookup -ls -d atlanta.xco.com command. Ping the records displayed in the output of the nslookup command.
Answer: c
To verify a zone delegation using the nslookup command
1 At a Command Prompt, type:
    nslookup root_server_ip_address
  where root_server_ip_address is the IP address of a valid root server for your network.
2 At the nslookup command prompt, type:
    set norecursion
3 After the previous command completes, type:
    set q=rr_type
  **** q=querytype
  where rr_type is the type of resource record (RR) for the failed name for which you are attempting to verify (or troubleshoot) a zone delegation. For example, type set q=a if the type of RR used by the failed name is a host (A) RR.
4 Type the fully qualified domain name (FQDN) for the failed name. Use the trailing period (.) when entering the name. If zone delegations are set correctly, a list of name server (NS) RRs for delegated servers should be returned in the response.
5 If the NS query response contains no names or IP addresses for delegated servers, type set q=ns and query again using the FQDN for the parent zone of the failed name. For example, if the failed name you used in the previous step was example.microsoft.com, query for microsoft.com.
6 If the response contains name server (NS) RRs, but no host (A) RRs, type set recursion and query individually for any of the A RRs of servers listed in the NS RRs. If, for each NS RR you encounter in a zone, you do not find at least one valid IP address in an A RR, you have a broken delegation.
7 Either fix the broken delegation or retry the delegation test described in the previous step using a different IP address. If more than one A RR or IP address is found, use it to repeat the delegation test described in the previous step. To fix a delegation, add or update an A RR in the parent zone with a valid IP address for a correct DNS server for the delegated zone.

14. Your domain has a Windows 2000 member server computer named London and a DHCP server. Routing and Remote Access is enabled for remote access on London. The domain is in native mode. Users in the domain dial in to the network by using Windows 2000 Professional portable computers. Dial-up connection configuration for the Windows 2000 Professional computers is set to obtain an IP address automatically.
You do not want to change this configuration. You want to designate a fixed IP address for each of the users. All users should receive a different fixed IP address when a dial-up connection is made. How should you configure the network to accomplish this goal?
a. Configure each laptop with a specific static IP address
b. Create a user class for the laptops and exclude these IP addresses from the DHCP scope
c. In Active Directory Users and Computers, assign a static IP address for each user
d. Create a separate subnet for the laptops and configure DHCP to issue IP addresses for this subnet only to the laptops
Answer: c
You set static IP addresses for each individual user in Active Directory Users and Computers > Dial-In tab.

15. To allow Internet access through a dial-up connection to Server A, you install NAT routing protocol. All computers in your network use Automatic Private IP addressing. There is no DHCP server in the network. Server A is configured as below:
LAN interface has an IP address of 10.65.3.1 and a subnet mask of 255.255.255.0.
NAT automatically assigns IP addresses of 10.65.3.2 through 10.65.3.60 to computers on the private interface.
NAT uses a demand-dial interface named Dial ISP to connect to the ISP.
The demand-dial interface uses an address pool of 207.46.179.33 through 207.46.179.36.
The routing table has a default static route for the public interface.
What configuration should you use for the static route for the public interface?
a. Interface: Local Network Connection
   Destination: 207.46.179.44
   Network Mask: 255.255.255.255
   Gateway: 0.0.0.0
b. Interface: Local Network Connection
   Destination: 10.65.3.0
   Network Mask: 255.255.255.0
   Gateway: 10.65.3.1
c. Interface: Dial ISP
   Destination: 0.0.0.0
   Network Mask: 0.0.0.0
   Gateway: None
d. Interface: Local Network Connection
   Destination: 207.46.174.32
   Network Mask: 255.255.255.240
   Gateway: 207.46.179.32
Answer: c
Reason: Deploying network address translation
To deploy network address translation for a small office or home office network, you need to configure:
1 The network address translation computer.
2 Other computers on the small office or home network.

Configuring the network address translation computer
To configure the network address translation (NAT) computer, you can complete the following steps:
1 Install and enable the Routing and Remote Access service. In the Routing and Remote Access Server Setup wizard, choose the options for Internet connection server and to set up a router with the Network Address Translation (NAT) routing protocol. After the wizard is finished, all of the configuration for Network Address Translation (NAT) is complete. You do not need to complete steps 2 through 8. If you have already enabled the Routing and Remote Access service, then complete steps 2 through 8 as needed.
2 Configure the IP address of the home network interface. For the IP address of the LAN adapter that connects to the home network, you need to configure the following:
  - IP address: 192.168.0.1
  - Subnet mask: 255.255.255.0
  - No default gateway
  Note: The IP address in the preceding configuration for the home network interface is based on the default address range of 192.168.0.0 with a subnet mask of 255.255.255.0, which is configured for the addressing component of network address translation. If you change this default address range, you should change the IP address of the private interface for the network address translation computer to be the first IP address in the configured range. Using the first IP address in the range is a recommended practice, not a requirement of the network address translation components.
3 Enable routing on your dial-up port.
If your connection to the Internet is a permanent connection that appears in Windows 2000 as a LAN interface (such as DDS, T-Carrier, Frame Relay, permanent ISDN, xDSL, or cable modem) or if you are connecting your computer running Windows 2000 to another router before the connection to the Internet, and the LAN interface is configured with an IP address, subnet mask, and default gateway either statically or through DHCP, skip to step 6.
4 Create a demand-dial interface to connect to your Internet service provider. You need to create a demand-dial interface that is enabled for IP routing and uses your dial-up equipment and the credentials that you use to dial your Internet service provider (ISP).
  Create a default static route that uses the Internet interface. **** For a default static route, you need to select the demand-dial interface (for dial-up connections) or LAN interface (for permanent or intermediate router connections) that is used to connect to the Internet. The destination is 0.0.0.0 and the network mask is 0.0.0.0. For a demand-dial interface, the gateway IP address is not configurable.
5 Add the NAT routing protocol.
6 Add your Internet and home network interfaces to the NAT routing protocol.
7 Enable network address translation addressing and name resolution.
Note: The network address translation addressing feature only assigns addresses from a single range that corresponds to a single subnet. If multiple home network LAN interfaces are added to the NAT routing protocol, a single subnet configuration (where all LAN interfaces are connected to the same network) is assumed. If the LAN interfaces correspond to different networks, connectivity between clients on different networks who receive addresses from the network address translation computer may not be possible.

Configuring other computers on the small office or home network
You need to configure the TCP/IP protocol on the other computers on the small office or home network to obtain an IP address automatically, and then restart them. When the computers on the home network receive their IP address configuration from the network address translation computer, they are configured with:
1 IP address (from the address range of 192.168.0.0 with a subnet mask of 255.255.255.0).
2 Subnet mask (255.255.255.0).
3 Default gateway (the IP address of the interface for the network address translation computer on the small office or home network).
4 DNS server (the IP address of the interface for the network address translation computer on the small office or home network).

16. Your company policy is to allow only Administrators in your Houston office to install and use Network Monitor. You have been informed that Administrators in New York are installing and using Network Monitor. After you install Network Monitor, what should you do to monitor how many copies of Network Monitor are currently running? (Choose two)
a. On the Tools Menu in Net Monitor select Identify Network Monitor Users
b. Install Network Monitor on a computer on the second segment
c. Remove the default Remote Access Policy
d. Remove the "access Network Monitor" permission for Domain Admins
Answer: a,b
First off, I think we're missing some info from the question or an Exhibit. Choose Tools > Identify Network Monitor Users to identify who else in the network has installed and is using Network Monitor. Only the Network Monitor tool will be detected; other network monitoring tools (3rd Party) will not. In some instances, your network design might prevent you from detecting another installation of Network Monitor. For example, your router does not forward multicast.

Network Monitor components
Network Monitor is composed of an administrative tool called Network Monitor and a network protocol called the Network Monitor driver.
Both of these components must be installed in order for you to capture, display, and analyze network packets (also called frames). Network Monitor You use Network Monitor to capture and display the frames that a computer running Windows 2000 Server receives from a local area network (LAN). Network administrators can use Network Monitor to detect and troubleshoot networking problems that the local computer may experience. Network Monitor can be installed only on computers running Windows 2000 Server. When you install Network Monitor, the Network Monitor Driver is installed automatically on the same computer. The Network Monitor driver The Network Monitor driver enables Network Monitor to receive frames from a network adapter, and allows users of the version of Network Monitor provided with Microsoft Systems Management Server (Systems Management Server Network Monitor) to capture and display frames from a remote computer, including those with a dial-up network connection. When the user of a computer running the Systems Management Server Network Monitor connects remotely to a computer on which the Network Monitor driver has been installed, and that user initiates a capture, statistics from the capture are transferred over the network to the managing computer. The Network Monitor driver can be installed only on computers running Microsoft Windows 2000 Professional or Windows 2000 Server. 17. Your network has 1,900 hosts, and requires Internet connectivity. Your network is not routed, except for the connection to the Internet. You have been assigned the following eight network addresses from your ISP: 192.24.32.0/24 192.24.33.0/24 192.24.34.0/24 192.30.35.0/24 192.30.36.0/24 192.30.37.0/24 192.30.38.0/24 192.30.39.0/24 Your goal is to minimize the complexity of the routing tables, while maintaining Internet connectivity for all hosts. What subnet mask should you use? 
a. 255.255.252.0
b. 255.255.248.0
c. 255.255.255.248
d. 255.255.240.0
Answer:b
1900 hosts = 11 bits (2048)
11111111.11111111.11111000.00000000
3 bits are 0 = 8; 256 - 8 = 248

19. You administer a Windows 2000 Server network. The network contains a dedicated FTP server that is using the default ports. Your network also contains a Web server using the default ports. You want to configure a filter to prevent malicious attacks on other services running on the FTP server. Which filters should you configure?
a. Input filter for the Source IP Address of FTP Server and the TCP Source Port 20
   Input filter for the Source IP Address of FTP Server and the TCP Source Port 21
   Output filter for the Destination IP Address of FTP Server and the TCP Destination Port 20
   Output filter for the Destination IP Address of FTP Server and the TCP Destination Port 21
b. Output filter for the Source IP Address of FTP Server and the TCP Source Port 20
   Output filter for the Source IP Address of FTP Server and the TCP Source Port 21
   Input filter for the Destination IP Address of FTP Server and the TCP Destination Port 20
   Input filter for the Destination IP Address of FTP Server and the TCP Destination Port 21
c. Input filter for the Source IP Address of Web Server and the TCP Source Port 20
   Input filter for the Source IP Address of Web Server and the TCP Source Port 21
   Output filter for the Destination IP Address of Web Server and the TCP Destination Port 20
   Output filter for the Destination IP Address of Web Server and the TCP Destination Port 21
d. Output filter for the Source IP Address of Web Server and the TCP Source Port 20
   Output filter for the Source IP Address of Web Server and the TCP Source Port 21
   Input filter for the Destination IP Address of Web Server and the TCP Destination Port 20
   Input filter for the Destination IP Address of Web Server and the TCP Destination Port 21
Answer:b

20.
You are the administrator of your company's network. You are configuring your users' portable computers to allow users to connect to the company network by using Routing and Remote Access. You test the portable computers on the LAN and verify that they can successfully connect to resources on the company network by name. When you test the connection through Remote Access, all of the portable computers can successfully connect, but they cannot access files on computers on different segments by using the computer name. What should you do to resolve this problem?
a. Set the authentication method to Allow remote systems to connect without authentication
b. Enable the computer account for each portable computer
c. Change the computer name on each portable computer
d. Install the DHCP Relay Agent on the Remote Access server
Answer:d
Using DHCPINFORM and the DHCP Relay Agent
After the connection negotiation is complete, Windows 2000 and Windows 98 remote access clients send their remote access servers a DHCPINFORM message. DHCPINFORM is a DHCP message that is used by DHCP clients to obtain DHCP options. While remote access clients do not use DHCP to obtain IP addresses for the remote access connection, remote access clients running Windows 2000 and Windows 98 use the DHCPINFORM message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name. The DHCPINFORM message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPINFORM messages only if it has been configured with the DHCP Relay Agent. The response to the DHCPINFORM message is forwarded back to the requesting remote access client. If the DHCPINFORM response contains DNS and WINS server IP address options, then these new values override what was allocated during the connection negotiation process.
To facilitate the forwarding of DHCPINFORM messages between remote access clients and DHCP servers, the remote access server uses the DHCP Relay Agent, a component of the Windows 2000 Routing and Remote Access service. To configure the remote access server to use the DHCP Relay Agent, you need to add the Internal interface to the DHCP Relay Agent IP routing protocol in Routing and Remote Access. If the remote access server is using DHCP to obtain IP addresses for remote access clients, then the remote access server uses the DHCP Relay Agent to forward DHCPINFORM messages to the DHCP server of the selected LAN interface. If the remote access server is using a static IP address pool to obtain IP addresses for remote access clients, then you must configure the DHCP Relay Agent with the IP address of at least one DHCP server. Otherwise, DHCPINFORM messages sent by remote access clients are silently discarded by the remote access server.

21. You are the administrator of a Windows 2000 network. You have offices in two locations. In both offices you have recently installed a Windows 2000 Server configured as both Routing and Remote Access server and Fax service server. A batch file and the Windows scheduler are used to maintain accounting information at both offices. Users are reporting that the accounting data does not seem to be synchronizing. No problems with Fax services or RRAS services have been reported. After further investigation, you find the synchronization is indeed failing. What should you do to resolve this problem?
a. Stop the Fax service.
b. Enable Multilinking for the Fax Service and RRAS service.
c. Enable Internet Connection Sharing.
d. Configure the server as a Router.
Answer:a
Cause: The Windows 2000 Fax service is enabled and your modem does not support adaptive answer.
Solution: If the Windows 2000 Fax service and the Routing and Remote Access service are sharing the same modem, verify that the modem supports adaptive answer.
If the modem does not support adaptive answer, you must disable fax on the modem to receive incoming remote access connections.

22. You have Macintosh users who inform you that they cannot request valid user certificates from your Enterprise Certificate Authority. What should you do to allow these users to request certificates by using Web based enrollment?
a. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to "Basic Authentication".
b. In the Internet Information Services console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to "Encrypted Authentication".
c. Install an Enterprise Subordinate Certificate Authority that uses a commercial CA as a parent.
d. Delete the CA, install File and Print sharing for Macintosh, reinstall the CA.
Answer:a

23. You install and configure DHCP Server service on a Windows 2000 Server to automate TCP/IP client configuration. You create a scope that contains the range of valid IP addresses. You create an exclusion range, and address reservations for your TCP/IP network printers so they will always receive the same address. None of your printers are receiving addresses from the DHCP server. Client computers are not experiencing problems. What should you do?
a. Remove the address reservation for the printers
b. Remove the exclusion range for the addresses that are in use by the printers.
c. Disable address conflict detection feature of the DHCP server service
d. Enable address conflict detection feature of the DHCP server service
Answer:b
When addresses are excluded, they are unavailable to be assigned by DHCP even if they are reserved.

24. You are the administrator of a Windows 2000 domain. The domain has four Windows 2000-based WINS servers. You want to delegate the ability to create the four WINS servers' performance logs to a domain user named Kim.
You do not want Kim to be able to change the configuration of the four WINS servers. The performance logs for the WINS servers are created by using the Performance console. How should you configure the network to accomplish this goal?
a. Add the user Kim to the Domain Local group named Wins Users.
b. Create a new Domain Local group named Performance Administrators. Add the user Kim to the Performance Administrators group
c. On the four WINS servers, change the NTFS permissions on the System32\Wins folder to include Read permission for user Kim
d. On the four WINS servers, change the Registry permissions on the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W key to include Read permission for user Kim.
Answer:a
The Wins Users Domain Local Group is a Security Group, whose members have view-only access to the WINS Server.

25. You are the administrator of your company's network. Your Windows 2000 Server computer named Srv2 cannot communicate with your UNIX server named Srv1. Srv2 can communicate with other computers on your network. You try to ping Srv1, but you receive the following error message: "Unknown host Srv1." You create an A (host) record that has the correct name and IP address. However, when you try to ping Srv1 again, you receive the same error message. What should you do to resolve this problem?
a. Restart the DNS server
b. Clear the DNS Server Cache
c. Run the ipconfig /registerdns command on Srv2
d. Run the ipconfig /flushdns command on Srv2
Answer:d
ipconfig /flushdns
Purges the DNS Resolver cache. The IPConfig /flushdns command provides you with a means to flush and reset the contents of the DNS client resolver cache. During DNS troubleshooting, if necessary, you can use this procedure to discard negative cache entries from the cache, as well as any other dynamically added entries. Although the ipconfig command is provided for earlier versions of Windows, the /flushdns option is only available for use at computers running Windows 2000.
The DNS Client service must also be started.

26. You are configuring a Windows 2000 network for dial-up access. Your company issues smart cards to all users who have dial-up access. What should you do to configure your Routing and Remote Access server? (Choose two)
a. Configure the use of Mutual Authentication.
b. Configure the RRAS server to use SLIP for dial-in
c. Select the Extensible Authentication Protocol (EAP) check box
d. Install a smart card logon certificate on the RRAS.
e. Configure the RRAS server to use the PAP protocol
f. Configure the RRAS server to use the IPSec protocol
Answer:c,d
Using smart cards for remote access
The use of smart cards for user authentication is the strongest form of authentication in Windows 2000. For remote access connections, you must use the Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Level Security (EAP-TLS). To use smart cards for remote access authentication, you must do the following:
- Configure remote access on the remote access server.
- ****Install a computer certificate on the remote access server computer.
- Enable a smart card logon process for the domain.
- ****Enable the Extensible Authentication Protocol (EAP) and configure the Smart card or other certificate (TLS) EAP type on the remote access server computer.
- Enable smart card authentication on the dial-up or VPN connection on the remote access client computer.
EAP-TLS
EAP-Transport Level Security (EAP-TLS) is an EAP type that is used in certificate-based security environments. If you are using smart cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS exchange of messages provides mutual authentication, negotiation of the encryption method, and secured private key exchange between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key exchange method.
EAP-TLS is only supported on a remote access server running Windows 2000 that is a member of a Windows 2000 mixed-mode or native-mode domain. A remote access server running stand-alone Windows 2000 does not support EAP-TLS. For information about configuring smart cards for remote access clients, see Using smart cards for remote access.

27. You are the administrator of a Windows 2000 network. Your company's primary DNS server, named ns1.contoso.com, is heavily used, and the CPU utilization on this server is consistently high. Because of the large number of records that are stored on the DNS server, you suspect that some DNS queries result in answers that exceed the limit for a single UDP packet. You want to know if answers to DNS queries are exceeding the limit for a single UDP packet. What should you do?
a. Start System Monitor. On the DNS server, monitor the counters for DNS TCP Responses Sent and DNS TCP Responses Sent/Sec.
b. Start System Monitor. On the DNS server, monitor the counters for DNS UDP Message Memory.
c. Use Network Monitor to analyze network traffic. Use nslookup on a separate computer to query for NS records on the primary DNS server. Compare the number of UDP packets returned from the DNS server in response to your queries with the number of queries you issued
d. Use Network Monitor to analyze network traffic. From a client computer on your network, ping host records that are stored on your DNS server. Compare the number of UDP packets returned from the DNS server in response to your queries with the number of queries you issued
Answer:c

28. Your network consists of a Windows 2000 Server (Net_Serv) and several Windows 2000 Professional computers. Your server has a dial-up connection to the Internet. Your Windows 2000 Professional computers are configured to use APIPA. There is no DHCP server on the network.
You want to implement Internet Connection Sharing to allow the Windows 2000 Professional computers to access the Internet through the dial-up connection on Net_Serv. How should you configure the server? (Choose all that apply)
a. Enable Internet Connection Sharing on the LAN interface of Net_Serv
b. Enable Internet Connection Sharing on the dial-up connection of the server.
c. Configure Net_Serv to use a static IP address of 10.1.1.1 for the LAN interface
d. Configure the server to use APIPA for the LAN interface.
e. Install and configure the DHCP server service on Net_Serv.
Answer:b,d
To enable Internet connection sharing on a network connection
1 Open Network and Dial-up Connections.
2 Right-click the dial-up, VPN, or incoming connection you want to share, and then click Properties.
3 On the Sharing tab, select the Enable Internet connection sharing for this connection check box.
4 If you want this connection to dial automatically when another computer on your home network attempts to access external resources, select the Enable on-demand dialing check box.
Important: You should not use this feature in a network with other Windows 2000 Server domain controllers, DNS servers, gateways, DHCP servers, or systems configured for static IP.
****When you enable Internet connection sharing, the network adapter connected to the home or small office network is given a new static IP address configuration. Existing TCP/IP connections on the Internet connection sharing computer are lost and need to be reestablished.
****To use the Internet connection sharing feature, users on your home office or small office network must configure TCP/IP on their local area connection to obtain an IP address automatically. For more information, see To configure TCP/IP settings.
Home office or small office network users must also configure Internet options for Internet connection sharing. For more information, see To configure Internet options for Internet connection sharing.
If the Internet connection sharing computer is using ISDN or a modem to connect to the Internet, you must select the Enable on-demand dialing check box.

29. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Vegas. Routing and Remote Access is enabled for remote access on Vegas. Some of the remote access client computers require the use of CHAP. You enable CHAP on Vegas. You also configure the appropriate remote access policy to use CHAP. However, users who require CHAP report that they are not able to dial in to Vegas. What should you do?
a. Configure Vegas to prohibit the use of LAN Manager authentication
b. Configure Vegas to disable the use of Link Control Protocol (LCP) extensions
c. Configure the user accounts by selecting Store passwords using reversible encryption. Set the user passwords to change the next time each user logs on
d. Configure the user accounts to use a static IP address when they dial in to the network
Answer:c
For a stand-alone Windows 2000 remote access server, you must also enable "Store password using reversible encryption for all users in the domain" in the Local Computer Policy.
CHAP - Server Help
The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is used by various vendors of network access servers and clients. A remote access server running Windows 2000 supports CHAP so that non-Microsoft remote access clients are authenticated. To enable CHAP-based authentication, you must do the following:
1 Enable CHAP as an authentication protocol on the remote access server. For more information, see To enable authentication protocols. CHAP is disabled by default.
2 Enable CHAP on the appropriate remote access policy. For more information, see Introduction to remote access policies and To configure authentication.
3 ****Enable storage of a reversibly encrypted form of the user's password. You can enable storage of a reversibly encrypted form of the user's password per user account or enable storage for all accounts in a domain. For more information, see To enable reversibly encrypted passwords in a domain.
4 ****Force a reset of the user's password so that the new password is in a reversibly encrypted form. When you enable passwords to be stored in a reversibly encrypted form, the current passwords are not in a reversibly encrypted form and are not automatically changed. You must either reset user passwords or set user passwords to be changed the next time each user logs on. For more information, see To reset a user password and To modify user account properties. Once the password is changed, it is stored in a reversibly encrypted form. If you set user passwords to be changed the next time a user logs on, the user must log on by using a LAN connection and change the password before they attempt to log on with a remote access connection by using CHAP. You cannot change passwords during the authentication process by using CHAP: the logon attempt fails. One workaround for the remote access user is to temporarily log on by using MS-CHAP to change the password.
5 Enable CHAP on the remote access client running Windows 2000. For more information, see Challenge Handshake Authentication Protocol (CHAP).
Notes
- If your password expires, CHAP cannot change passwords during the authentication process.
- Make sure your network access server (NAS) supports CHAP before you enable it on a remote access policy on an IAS server. For more information, see your NAS documentation.

30. Your domain has six Windows 2000-based Routing and Remote Access servers and two Windows 2000-based Internet Authentication Service servers. The Routing and Remote Access servers use the IAS server to authenticate remote access credentials. You change the remote access policies on the first IAS server.
How do you ensure that this change is enforced on the second IAS server?
a. Use the Netsh command-line utility to copy the IAS configuration from the first IAS server to the second IAS server.
Answer:a
Comment from Leo: From WIN2K Resource Kit:
Import/Export of Configuration to Manage Multiple IAS Servers
IAS configuration can be imported/exported by running netsh from the command prompt.
How can I manage the configuration of remote access policies from a central location?
Remote access policies are stored locally on the IAS server. All RADIUS clients of the IAS server are subject to the same set of policies. You can copy the configuration of one IAS server, including policies, with the following procedure:
1 At a command prompt, type netsh aaaa show config > path\file.ext. This stores the configuration settings, including registry settings, in a text file. The path can be relative, absolute, or a UNC path.
2 Copy the file you created to the destination computer and, at a command prompt on the destination computer, type netsh exec path\file.ext. A message appears indicating whether the update was successful.
Notes
- You do not need to stop IAS on the destination computer to run the netsh exec command. When the command is run, IAS is automatically refreshed with the updated configuration settings.
- This procedure will not work if the source and destination computer are running different versions of Windows 2000.
- This procedure replicates all IAS, remote access policy, registry, and logging configuration.

31. You administer your company's network. You have 20 Windows 2000 Professional computers operating in a switched network environment running TCP/IP. Ten of the Windows 2000 Professional computers are on subnet a. The other ten Windows 2000 Professional computers are on subnet b. The company uses a Windows 2000 Server computer running Internet Authentication Service (IAS) to connect to the Internet.
The IAS server is on subnet b. You decide to set up Network Monitor to monitor all traffic on your network. You install Network Monitor on the IAS server. You configure Network Monitor properly to monitor all TCP/IP traffic. Which packets will you be able to monitor?
a. All packets.
b. Packets sent from the IAS server only.
c. Packets addressed to the IAS server only.
d. All packets addressed to and sent from the IAS computer.
Answer:c
Network Monitor Tool - Page 410-411, 663 Internetworking Guide RESKIT 2000
Troubleshooting by Using Network Monitor
If a problem still exists after checking basic IAS configuration, the Network Monitor (NetMon) tool can be used to record a trace of the problem for further analysis. When you use Network Monitor for IAS troubleshooting, consider the following:
- NetMon must be installed on a computer that is running IAS server.
- If you use NetMon in a switched network environment, you see only the traffic addressed to the computer that is running NetMon.

32. You are planning to migrate your 100 network computers from IPX/SPX to TCP/IP and establish connectivity with the Internet. Your ISP assigns the address 192.168.16.0/24 to your network. You require 10 subnets with at least 10 hosts per subnet. What subnet mask should you use?
a. 255.255.255.224
b. 255.255.255.192
c. 255.255.255.240
d. 255.255.255.248
Answer:c
Max subnets = 14
Hosts per subnet = 14
Host range = 192.168.16.1 - 192.168.16.14
Subnet ID = 192.168.16.0
Broadcast = 192.168.16.15
10 hosts is 4 bits (16) and 10 subnets is also 4 bits (16); subnet = 256 - 16 = 240

33. You enable Routing and Remote Access on a computer running Windows 2000 Server. The Windows 2000 server is configured for use as a VPN. Access to the VPN should be limited to employees who belong to the Windows 2000 domain local security group VPN-Access. You configure an account for each member of the VPN-Access group by setting the option "control access through Remote Access Policy". You then delete the default remote access policy.
What step should you take to limit access to the VPN to only members of the VPN-Access group?
a. Configure the remote access server to use the EAP-TLS authentication.
b. Create a remote access policy and set the condition Windows-Groups to VPN-Access in the policy
c. Create a remote access policy and set the profile associated with the policy to allow access only to VPN-Access
d. Create a remote access policy and set the permissions of the remote access policy object to allow read only to VPN-Access
Answer:b

34. Your network has two Windows 2000-based WINS servers. How should you configure the network to automatically back up the WINS database of both WINS servers?
a. Use the backup command and back up the Wins.db database
b. In the WINS console on both WINS servers, configure the General properties of the WINS server to specify a default backup path.
c. Back up the sysvol folder on both servers
d. Use the file replication service and replicate the WINS database to a secure location
Answer:b
The WINS console provides backup tools so that you can back up and restore the WINS database. After you specify a backup folder for the database, WINS performs complete database backups every three hours, using the specified folder.

35. You have seven Windows 2000-based WINS servers in separate locations. You want to configure these servers to have a convergence time of less than 60 minutes. What should you do?
a. Create a display of the seven WINS servers in a circular arrangement. Configure each WINS server as a push/pull partner with the two WINS servers beside it in the circle. Use a replication interval of 25 minutes
b. Designate one of the WINS servers as the central WINS server. Configure the other WINS servers as push/pull partners with the central server. Configure the central WINS server as push/pull partner with the other WINS servers. Use a replication interval of 25 minutes.
c.
Configure each WINS server to automatically configure the other WINS servers as its replication partners. Use the default interval time for automatic partners configuration.
d. Configure each WINS server to use a renew interval of 50 minutes. Use the default value for the verification interval
Answer:b

36. You are the Network Administrator of your company network. Your network uses IPSec to ensure private and secure communications over your TCP/IP network. Using the least amount of administrative overhead, you want to prevent the re-use of the previous session keys. What should you do?
a. Install the IPSec Policy Agent Service.
b. Implement an IPSec policy. View the IPSec policy using the MMC IP Security Policy Management snap-in. Select the Master key Perfect Forward Secrecy check box.
c. Implement an IPSec policy. View the IPSec policy using the MMC IP Security Policy Management snap-in. Select the Session key Perfect Forward Secrecy check box.
d. Implement an IPSec policy. View the IPSec policy using the MMC IP Security Policy Management snap-in. On the Generate a new key every property sheet, modify the time allocations.
Answer:c
Repeated re-keying off a session key can compromise the Diffie-Hellman shared secret. Thus, a session key refresh limit is implemented to avoid a security compromise. Select the Session key Perfect Forward Secrecy check box to guarantee that no master keys or master keying material will be re-used to generate the session key.

37. You are the administrator of your company's network. You want to configure remote administration for your network. You install Routing and Remote Access on a Windows 2000 domain controller. You want to accomplish the following goals:
a. Only administrators have dial-up access
b. Dial-up connections are accepted only between 4:00 P.M. and 7:00 A.M.
c. Connections are forcibly disconnected after 20 minutes of inactivity
d. All connections encrypt all communications
e.
Connections are limited to 60 minutes
You take the following actions:
- Set the level or levels of encryption to No Encryption and Basic.
- Add Domain Admins to the Windows Group Policy condition.
- Configure the rest of the remote access policy as shown in the exhibit (Click the Exhibit button)
- Configure the remote access policy Disconnect if idle for 60 minutes
- Configure the remote access policy Restrict maximum session time 20 minutes
- Configure the remote access policy Restrict access to the following days and times to Sun 07:00-16:00 Mon 07:00-16:00 Tue 07:00-16:00 Wed 07:00-16:00 Thu 07:00-16:00 Fri 07:00-16:00 Sat 07:00-16:00
What result or results do these actions produce? (Choose all that apply)
Answer:a
If you just add Domain Admins to the Windows Group Policy condition and don't change the default policy (deny access), no one can connect to RAS because access is still denied. If you permit encryption No Encryption or Basic, it may be encrypted communication (40-bit) and unencrypted communication. I think A, D are wrong, and we should look at the exhibit to see whether B, C, E would be wrong or right.
The Advanced tab you are shown in question 33 has the following:
Idle time 60
Max session time 20
Allow dial times Sun 07:00-16:00 Mon 07:00-16:00 etc.
The idle time and the max session times were backwards, so neither of those was accomplished. The Allow Dial-In times should have been 12:00-07:00 and 16:00-12:00 for every day of the week. With those numbers, NOTHING WAS ACCOMPLISHED!!!

38. You are the administrator of a single Windows 2000 domain that uses TCP/IP as its only network protocol. DHCP is used to automatically assign TCP/IP information to your Windows 2000 Professional client computers. As of late, you have added several new Windows 2000 Professional clients to the network. Users are reporting that they cannot always access network resources. After further investigation you find that the IP address from one of the troubled computers is 169.254.0.16.
What should you do to resolve the problem?
a. Add another scope to the DHCP server for the new machines
b. Shorten the lease duration for the existing scope
c. Assign static IP addresses to the new Windows 2000 desktops
d. Add enough new addresses to the existing DHCP scope to include the new client computers
Answer:d
First off, this question is a hard choice. Assigning a static IP is really out of reason, as it adds administrative overhead. Adding another scope would require also creating a Superscope, so that isn't an option. Shortening the lease duration will help, but I think increasing the scope is the best answer. This is not recommended, but can be done. *You cannot decrease a scope, only increase.
Cause: The scope in use is full and can no longer lease addresses to requesting clients.
Solution: If the DHCP server does not have IP addresses available to provide to its clients, it returns DHCP negative acknowledgment messages (DHCPNAKs) to them. When this occurs, consider the following possible solutions:
1 Expand the address range by increasing the End IP address for the current scope.
2 Create a new additional scope and a superscope, then add the current scope and the new scope to the superscope.
3 Create a new scope or extend the range. Optimally, you could renumber your current IP network. Deactivate the old scope as needed, and then configure and activate the new one.
4 Reduce the lease duration. This can help to expedite the reclaiming of lapsed scope addresses.
Other DHCP-related procedures and techniques might also help to accelerate or ease the transition from an existing scope being retired to a new scope created to take its place at the server. These include deleting client leases from the scope being retired, excluding addresses from that scope, and then deactivating it once the new scope has been activated. This ensures that the DHCP client obtains leasing from the new scope.

39.
You are the administrator of your company's network. Your company has branch offices in New York and Paris. Because each branch office will support its own Routing and Remote Access server, you implement a Remote Authentication Dial-In User Service (RADIUS) server to centralize administration. You remove the default remote access policy. You need to implement one company policy that requires all dial-up communications to use 40-bit encryption. You want to configure your network to require secure communications by using the least amount of administrative effort. What should you do? (Choose two)
a. Create one remote access policy on each Routing and Remote Access server
b. Create one remote access policy on the RADIUS server
c. Set encryption to Basic in the remote access policy or policies
d. Set encryption to Strong in the remote access policy or policies
e. Enable the Secure Server IPSec policy on the RADIUS server
f. Enable the Server IPSec policy on the RADIUS server
Answer:b,c

40. You are the network administrator for a Windows 2000 domain. Client computers in your domain are Windows 98 computers or Windows 2000 computers. Clients in your domain use a client/server application that accesses files from one of the NT 4.0 server computers. Users are reporting that they cannot connect to this Windows NT server computer. The Windows NT 4.0 server computer can successfully connect to the Windows 2000 computers. What should you do?
a. On the Windows NT 4.0 computer run the "IPConfig /registerDNS" command
b. On the DHCP server select the Enable Updates for DNS Clients That Do Not Support Dynamic Update checkbox
c. On the DNS server select the Enable Updates for DNS Clients That Do Not Support Dynamic Update checkbox
d. Run the "Ipconfig /flushdns" command on all of the Win2000 computers
Answer:b
Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur.
This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address. Dynamic updates can be sent for any of the following reasons or events: An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections. An IP address lease changes or renews with the DHCP server any one of the installed network connections. For example, when the computer is started or if the IPConfig /renew command is used. The IPConfig /RegisterDNS command is used to manually force a refresh of the client name registration in DNS. At startup time, when the computer is turned on. Win 95,Win 98 and NT 4.0 do not support dynamic updates. Dynamic updates are disabled by default in Win2000. Secondary zones do not support dynamic updates. The main clue here is that you are dealing with an NT 4.0 computer that is not configured as a client. OK so why is it configured on the DHCP server not the DNS server? When one of the previous events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends updates. This is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections not configured to use DHCP. 43. You are the administrator of a Windows 2000 network that consists of a single domain. Because no employee in your company should have the ability to encrypt files by using Encrypting File System (EFS), you need to remove this ability from all users in the domain What should you do to accomplish this goal? (Choose all that apply) a. From the Run command, start Secpolmsc b. Go to the Encrypted Data Recovery Agents container and delete the certificate you find. 
From the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain policy. c. Go to the Public Key Policies container and delete the Encrypted Data Recovery Agents policy. From the Active Directory Users and Computers console, access the Group Policy Editor and edit the domain policy. d. From the Active Directory Users and computers MMC console select the Encrypted Data Recovery Agents container and delete the certificate you find. e. From the Active Directory Users and computers MMC console access the Group Policy Editor and edit the domain policy, select the Encrypted Data Recovery Agents container and initialize the empty policy. f. From the Active Directory Users and Computers console, select the Public Key Policies container and initialize the empty policy. Answer:d,e 44. Your main office and two branch offices are connected by dedicated T1 lines. Two additional branch offices use 128-Kbps ISDN lines and Routing and Remote Access over the Internet to connect to the company's network. You are designing your DNS name resolution environment, and want to accomplish the following goals: DNS Name resolution traffic across the WAN should be minimized. DNS Replication traffic across the WAN should be minimized. DNS Replication traffic across the public WAN should be secure. Name resolution performance for client computers should be dynamic updates You take the following actions: Install the DNS Server service on one Domain Controller at each office. Create an Active Directory integrated zone on each DNS server at each office. Configure client computers to query their local DNS server. Configure the zones to allow dynamic updates. What results do these actions produce? (Choose all that apply) a. Name resolution traffic is minimized. b. Replication traffic is minimized. c. Name resolution performance for client computers is optimized. d. Replication traffic across the public WAN is secure. 
Answer:a,b,c,d Name resolution traffic is minimized because you installed multiple Domain Controllers. Replication traffic is minimized because of Active Directory Integrated Zones (compression and IXFR). Replication traffic across the public WAN is secure by default for new Active Directory Integrated Zones. Name resolution performance is optimized by having a name server at each location. More Efficient Replication of Large Zones. Active Directory replicates on a per-property basis, propagating only relevant changes. This is more efficient than full zone transfers and thus minimizes replication traffic. Explanation for D (secured replication traffic): Standard Primary and Secondary servers create zone transfer traffic. By creating an AD integrated zone, Active Directory will take over the role of transferring the zone information amongst the DNS Servers by incorporating it into its AD replication. This also makes the transfer of the DNS information more secure. Why is D correct? What is secure replication? Anyone suggest an article on this topic? Ok, I may be off here but to me a - correct (traffic is localized due to use of 4 dns) b - incorrect (I don't see where you're actually controlling replication, AD will still replicate based on its default schedule) c - correct (local dns with AD zones) d - correct (ad zone is secure) active directory replication is secure b is correct (asked my teacher mcse w2k) traffic is minimized compared to having a standard primary and secondary replicating every 15 minutes. Active integrated 90-minute interval time replication. 45. Your main office and two branch offices are connected by dedicated T1 lines. Two additional branch offices use 128-Kbps ISDN lines and Routing and Remote Access over the Internet to connect to the company's network. You are designing your DNS name resolution environment, and want to accomplish the following goals: DNS Name resolution traffic across the WAN should be minimized.
DNS Replication traffic across the WAN should be minimized. DNS Replication traffic across the public WAN should be secure. Name resolution performance for client computers should be optimized. You take the following actions: Install the DNS Server service on one server at each office. Create a standard primary zone at the main office. Create a standard secondary zone at the four other offices. Configure client computers to query their local DNS server. What results do these actions produce? a. DNS Name resolution traffic across the WAN should be minimized. b. DNS Replication traffic across the WAN should be minimized. c. DNS Replication traffic across the public WAN should be secure. d. Name resolution performance for client computers should be optimized. Answer:a,d A is correct because DNS Name resolution traffic across the WAN will be minimized because a DNS server has been installed at each location so DNS requests can be handled by the local server. D is correct because Name resolution performance is optimised by having a name server at each location. B is incorrect because the other four offices are configured as Secondary zones, therefore, they initiate data replication with the primary zone by default every 15 minutes. C DNS Replication traffic across the public WAN will not be secure because Zone Transfer Security has not been initiated. 46. You are a branch office network administrator. You are connected to the company network via a Windows 2000 Routing and Remote Access two-way demand-dial connection over ISDN. Sensitive company data, e-mail, and application traffic is sent across the connection. You want to accomplish the following goals: a. All data should be secure. b. Rogue routers will be prevented from exchanging router information with either router. c. Both routers will be able to validate each other. d. Both routers will maintain up-to-date routing tables. e. Traffic over the link during peak business hours will be minimized. 
You take the following actions: Install a Certificate Services server at the main office. Enable EAP-TLS as the authentication protocol on both Routing and Remote Access servers. Enable RIP version 2 on the demand-dial interfaces. Which results do these actions produce? (Choose all that apply) Answer:a,d 47. You are a branch office network administrator. You are connected to the company network via a Windows 2000 Routing and Remote Access two-way demand-dial connection over ISDN. Sensitive company data, e-mail, and application traffic is sent across the connection. You want to accomplish the following goals: All data should be secure. Rogue routers will be prevented from exchanging router information with either router. Both routers will be able to validate each other. Both routers will maintain up-to-date routing tables. Traffic over the link during peak business hours will be minimized. You take the following actions: Enable MS-CHAP as the authentication protocol on both Routing and Remote Access servers. Enable OSPF on the demand-dial interfaces. Set the Require Encryption option on both Routing and Remote Access servers. Which results do these actions produce? (Choose all that apply) a. All data transmitted over the connection is secure. b. Prevent Rogue routers from exchanging router information with either router. c. Both routers will be able to validate each other. d. Both routers maintain up-to-date routing tables. e. Traffic over the link during peak business hours will be minimized. Answer:a,d 48. The DNS server on your network is not performing as well as you think it could. You think there are resource records that are no longer in use and this is causing the poor performance. What can you do to fix this? a. From the DNS console, select Recover unused resource records from the Action menu b. From the DNS console, select 'Scavenge stale resource records' from the Action menu c. 
From the command line, run the ipconfig utility with a command line argument 'clean' d. From the command line, run the netstat utility with a command line argument 'optimize' Answer:b If left unmanaged, the presence of stale RRs in zone data might cause some problems. The following are examples: - If a large number of stale RRs remain in server zones, they can eventually take up server disk space and cause unnecessarily long zone transfers. - DNS servers loading zones with stale RRs might use outdated information to answer client queries, potentially causing the clients to experience name resolution problems on the network. - The accumulation of stale RRs at the DNS server can degrade its performance and responsiveness. - In some cases, the presence of a stale RR in a zone could prevent a DNS domain name from being used by another computer or host device. Scavenging for any RRs that persist beyond the specified refresh period. When a Windows 2000 DNS server performs a scavenging operation, it can determine that RRs have aged to the point of becoming stale and remove them from zone data. Servers can be configured to perform recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at the server. 49. You are a network administrator for your company Windows 2000 network. Network users are reporting that DNS server performance is suffering and queries seem to be incorrect. You need to resolve these issues as well as conduct maintenance and optimisation. You want to accomplish the following goals: a. Clear the DNS cache. b. Refresh the DNS zones. c. Scavenge stale records. d. Configure query settings. e. Execute scripts. You perform the following actions: On the DNS server you run dnscmd.exe command from the command line. On the DNS server you run Performance Monitor. Answer:a,b,c,d,e 50. You are the admin for a large dynamic IP network that uses OSPF. All servers are running win2k advanced server.
You want to better manage the internal routers and area border routers of the network. Which 3 procedures can aid this? (Choose 3) a. Ensure ABR's are connected without going through the backbone b. Ensure ABR's are source and route filtering is not too restrictive c. Ensure ABR's are physically or logically (through a virtual link) connected to the backbone d. Ensure ABR's are configured with the proper destination and network mask pairs that summarize the areas routes Answer:b,c,d. 51. Your domain has a Windows 2000 member server named Ras1 and a Windows 2000-based DHCP Server named Dhc1. Routing and Remote Access is enabled on Ras1. Two DNS servers use IP addresses of 10.1.5.2 and 10.1.5.3. Ras1 is configured to use DHCP to assign IP addresses to remote access clients. DHCP server scope options include: Vendor: Standard, Value: 10.1.5.3, Class--None. It does not have any client reservations. When remote access clients dial into Ras1, they receive an IP address from the DHCP scope range, but they do not receive the DNS address configured in the DHCP scope. They receive a DNS server address of 10.1.5.2. How should you configure your network to allow remote access clients to receive the DNS option from the DHCP server? a. Configure the remote access client computers to enable DHCP on the dial-up connection b. Configure Ras1 to use Windows Authentication c. Install and configure the DHCP Relay Agent routing protocol on the internal interface on Ras1 d. On the DHCP server, configure the DNS scope option of 10.1.5.3 for the Default Routing and Remote Access user class Answer:c 52. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named Srv1 and 12 Windows 2000 Professional computers. Srv1 has a dial-up connection that connects to the Internet. Srv1 is configured to use Internet Connection Sharing to allow Internet access through the dial-up connection of Srv1.
The 12 Windows 2000 Professional computers are configured for static TCP/IP addressing. The IP addresses are 192.168.0.1 through 192.168.0.12, and the subnet mask is 255.255.255.0. The 12 Windows 2000 Professional computers have no default gateway configured. You discover that the Windows 2000 Professional computers are not able to access the Internet through the dial-up connection of Srv1. You confirm that the preferred DNS server on the Windows 2000 Professional computers is configured correctly. What should you do to allow all 12 computers to access the Internet through the dial-up connection of Srv1? (Choose all that apply) a. Change the default gateway on all 12 Windows 2000 Professional computers to 192.168.0.1 b. Change the default gateway on all 12 Windows 2000 Professional computers to 169.254.0.1 c. Change the subnet mask on all 12 Windows 2000 Professional computers to 255.255.0.0 d. Change the IP address on all 12 Windows 2000 Professional computers to 169.254.0.2 through 169.254.0.13 e. On the Windows 2000 Professional computer with IP address 192.168.0.1, change the IP address to 192.168.0.13 Answer:a,e Note: From MS Technet Q241769 SYMPTOMS When you try to enable Internet Connection Sharing (ICS) on your Windows 2000-based computer on a network, you may receive the following error message - Cannot enable shared access. Error 783-Internet Connection Sharing cannot be enabled. The LAN connection selected as the private network is either not present, or is disconnected from the network. Please ensure that the LAN adapter is connected before enabling Internet Connection Sharing. CAUSE This problem can occur if the Internet Protocol (IP) address 192.168.0.1 is already in use on another computer on your network. When you enable ICS, your computer is assigned the 192.168.0.1 IP address, and if this address is already in use on another computer, the error message listed earlier in this article is generated.
RESOLUTION To work around this problem, disconnect the computer using the 192.168.0.1 IP address from the network, or change its IP address to something other than 192.168.0.1. With this Class C IP addressing the Subnet mask should be 255.255.255.0. When you enable Internet connection sharing, certain protocols, services, interfaces, and routes are configured automatically. The following table describes these configured items. Configured item - Action: IP address 192.168.0.1 - Configured with a subnet mask of 255.255.255.0 on the LAN adapter that is connected to the small office or home office network. Autodial feature - Enabled. Static default IP route - Created when the dial-up connection is established. Internet connection sharing service - Started. DHCP allocator - Enabled with the default range of 192.168.0.1 and a subnet mask of 255.255.255.0. DNS proxy - Enabled. Note: If you are enabling Internet connection sharing on a LAN connection, TCP/IP for the LAN interface that is connected to the Internet must be configured with a default gateway. 53. What should you do to log all logon activity on the Routing and Remote Access Server? a. Using the domain audit policy and enable audit log on events b. Using the domain audit policy and enable directory service access. c. Using the domain audit policy and enable audit account log on events. d. On the Routing and remote access server enable log accounting requests in the remote access logging properties. e. On the Routing and remote access server enable log authentication requests in Remote Access Logging properties. Answer:e To select requests to be logged 1 - Open Internet Authentication Service 2 - In the console tree, click Remote access logging. 3 - In the details pane, right-click Local File, and then click Properties.
4 -On the Settings tab, select one or more check boxes for recording authentication and accounting requests in the IAS log files: 1- To capture accounting requests and responses, select the Log accounting requests check box. 2 -To capture authentication requests, access-accept packets, and access-reject packets, select the Log authentication requests check box. 3- To capture periodic status updates, such as interim accounting packets, select the Log periodic status check box. Note: The Log authentication requests option can help by alerting you to problems with transaction volume and of unauthorized attempts to access resources. 54. Your organization is using CA to provide identification to users. You would like to ensure customers of your identity while providing employees access to secure areas on your web server. What type of CA would you install? a. Install an enterprise CA on your server. b. Install a stand-alone CA on your server. c. Install a subordinate enterprise CA on your server from a known commercial CA. d. Install a stand-alone subordinate CA on your server from a known commercial CA. Answer:c [Troytec says B] 55. Administrators of your Sales organizational unit want to be able to manage EFS for the users in their department. These administrators belong to a group named SalesAdmin which has full administrative privileges to the OU. You install an Enterprise Certificate Authority for use by the entire company. However, the administrators of the Sales department notify you that they are unable to create a Group Policy that allows them to manage EFS for their department. What should you do? (Choose two) a. Grant the enroll permission to the SalesAdmin group for the Recovery Certificate Template b. Add the SalesAdmin group's certificate to the CA's RCL c. Add a new policy setting for an EFS Recovery Agent certificate in the Certification Authority console for the CA. d. 
Install a Enterprise Subordinate CA on one of the computers in the Sales OU Answer:a,c 56. Your network consists of computers running Win2000 server, Win2000 Professional, Win95 and OS/2 with Lan Manager 2.2c. All are on the same subnet. You want applications on the OS/2 client that use NetBIOS names to be able to resolve the NetBIOS names to IP Addresses from a WINS database. You install WINS on one of the Win2000 servers. What else should you do to enable the applications on the OS/2 computer to resolve NetBIOS names to IP addresses from the WINS database? a. Configure one of the Win2000 Professional computers as a WINS Proxy Agent b. Add static mappings for the OS/2 computer in the WINS database c. Configure a DHCP relay agent on the network d. Configure a wins proxy agent on the OS/2 computer e. Configure the OS/2 computer as a WINS Client f. Configure the network to use DDNS. Configure the OS/2 computer with a static IP address and add a PTR record in the DNS database Answer:a WINS Proxy is used when either Non-WINS clients need to resolve NetBIOS names, when your router doesn't route NetBIOS broadcasts. Use static mappings if the Non-WINS clients need to be resolved by other WINS clients. 57. You are the administrator of a Web server (IIS) that runs on a Windows 2000 Server computer. Your company web site has ActiveX controls. You want these ActiveX controls to be automatically download to your customers browsers. The default security settings on your customers' browsers prevents this. What should you do to automate the downloading of your ActiveX controls? a. Install an Enterprise CA on one of your domain controllers and have it issue a certificate for code signing. b. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for code signing. c. Install an Enterprise CA on one of your domain controllers. 
Install an Enterprise Subordinate CA on one of your member servers. Issue code signing certificates to your Web developers. d. Configure your Web server to request code signing certificates from a commercial CA such as Verisign. Answer:b 58. Your network consists of three DHCP servers and three DNS servers. The TCP/IP configuration for your Windows 2000 Professional and NT Workstation clients is provided by the DHCP servers. All three DHCP servers are configured so that they have scopes for all the computers in the network, and always register and update client computer information on the DNS servers. You configure the DNS zones on all DNS servers to only allow secure updates. After you complete the configuration, you notice the client computer information in the DNS zones is no longer updated correctly after IP changes. What should you do? a. Add the computer accounts of the three DHCP servers to the DnsUpdateProxy global security group. b. Configure a shorter time to live (TTL) interval resource record for the four DNS servers than the lease time used by the DHCP servers c. Configure the four DHCP servers to enable updates for DNS client computers that do not support dynamic updates d. Configure the DHCP client computers to NOT release the DHCP lease at shut down or log off Answer:a DnsUpdateProxy If you use multiple Windows 2000 DHCP servers on your network and also configure your zones to allow secure dynamic updates only, you need to use Active Directory Users and Computers to add your DHCP server computers to the built-in DnsUpdateProxyGroup. This will permit all of your DHCP servers the secure rights to perform proxy updates for any of your DHCP clients. Security concerns when using the DnsUpdateProxy group Although adding all DHCP servers as members to this special built-in group helps to resolve some DNS update concerns about maintaining secure updates, this solution also introduces some additional security concerns. 
For example, any DNS domain names registered by the computer running the DHCP server are nonsecure. The host (A) resource record for the DHCP server itself is an example of such a record. This issue is more significant if the DHCP server (that is a member of the DnsUpdateProxy group) is installed on a domain controller. To protect against issue, you can manually specify a different owner for any DNS records associated with the DHCP server itself. In this case, all service location (SRV), host (A), or alias (CNAME) resource records registered by the Netlogon service for the domain controller are nonsecure. To minimize the problem, it is recommended that you do not install a DHCP server on a domain controller. Another strong argument against running a Windows 2000 DHCP server on a Windows 2000 domain controller is that the DHCP server has full control over all DNS objects stored in Active Directory, because the DHCP server is running under the computer (in this case, the domain controller) account. 59. You are implementing a remote access policy that is highly available and highly secure. Your company utilizes a T3 connection to the Internet. All the servers are running Windows 2000 Advanced Server, and all clients are running Windows 2000 Professional. You want to accomplish the following goals: a. No single point of failure will result in total loss of remote access connectivity. b. No authentication traffic will be carried as clear text. c. No data traffic will be carried as clear text. d. Support for 200 simultaneous remote users must be available at all times. You take the following actions: Install a VPN server at the main office. Configure the VPN server to support 250 PPTP connections. Configure the client computers to use CHAP as the authentication protocol. Which results do these actions produce? (Choose all that apply) Answer:b,c,d 60. You are the administrator of your company's network. 
You need to Implement a remote access solution that is highly available and highly secure. Your company consists of a single location and has a T3 connection to the Internet. Your company has 1,000 salespeople who need reliable connectivity to the company network from any remote location. All servers are running Windows 2000 Advanced Server, and all client computers are running Windows 2000 Professional. You want to accomplish the following goals: No single point of failure, aside from total loss of the T3, will result in total loss of remote access connectivity. No authentication traffic will be carried as clear text. No data traffic will be carried as clear text. Support for at least 200 simultaneous remote users accessing the network will be available at all times. You take the following actions: Install three virtual private network (VPN) servers at the main office. Configure each VPN server to support 150 PPTP connections. Configure the client computers to use Password Authentication Protocol (PAP) as the authentication protocol. Create DNS Round Robin entries with a Time to Live (TTL) of zero for each VPN server Which result or results do these actions produce? (Choose all that apply) a. No single point of failure, aside from total loss of the T3, results in total loss of remote access connectivity b. No authentication traffic is carried as clear text c. No data traffic is carried as clear text d. Support for at least 200 simultaneous remote users accessing the network is available at all times Answer:a,d PPTP is as default encrypted using PPP Encryption (MPPE), but, in Windows 2000, PPP Encryption can only be used when MSCHAP (V1 or V2) or EAP-TLS is configured. [Data encryption is only available via PPP over a VPN if MS-CHAP V1, V2 or EAP-TLS are in use as the user_level authentication method.] PAP passes plaintext passwords. By using Round Robin, you actually create 450 PPTP connections. 
But, if one of the VPNs goes off line, the DNS Server will not forward to the next server. 61. You are the administrator of your company's network. To monitor the traffic on your network, you install Network Monitor. You need to monitor the source IP address, destination IP address, and destination port number of every TCP/IP frame on the network. You want to log the information for a period of 3 hours. What should you do? (Choose two) a. On the Capture Buffer Settings menu, increase buffer size. b. On the Capture Buffer Settings menu, decrease buffer size. c. On the Capture Buffer Settings menu, increase frame size. d. On the Capture Buffer Settings menu, decrease frame size. e. Change the Temporary Capture Directory Answer:a,d Buffer Size (MB) The size of your capture buffer. By default, the buffer size is set to 1.0 MB. Frame Size (bytes) The number of bytes that you want Network Monitor to capture from each frame. By default, the frame size is Full (65,535). 63. You are the administrator of a Windows 2000 network. The network has four Windows 2000-based WINS servers named NY1, NY2, Bos1, and Bos2. The network has computers in two locations: Boston and New York. The Bos1 and Bos2 WINS servers are at the Boston location. The NY1 and NY2 WINS servers are at the New York location. You want to configure the replication between the WINS servers to accomplish the following goals: The NY1 and NY2 WINS servers must replicate changes in the local database to each other immediately following each new registration or IP address change registration. The Bos1 and Bos2 WINS servers must replicate changes in the local database to each other every 30 minutes. The changes in the WINS database in either location should be replicated to the other location every three hours. How should you configure the WINS servers to accomplish these goals? (Choose three) a. Configure the WINS servers to enable burst handling. Set the number of requests for burst handling to 1 b.
Configure the NY1 and NY2 WINS servers as push/pull partners of each other. Configure both WINS servers to use persistent connections for push replication partners Set the number of changes before replication to 1 c. Configure the Bos1 and Bos2 WINS servers as push/pull partners of each other Specify a replication interval of 30 minutes d. Configure the Bos1 and Bos2 WINS servers as push/pull partners of each other Configure both WINS servers to enable periodic database consistency checking every 30 minutes e. Configure the NY1 and the Bos1 WINS servers as push partners of each other. Configure both WINS servers to update statistics every three hours f. Configure the NY1 and the Bos1 WINS servers as push/pull partners of each other Specify a replication interval of three hours Answer:b,c,f By default, persistent connections are not used and replication with partners does not occur except at configured intervals. This default can be changed, but a specified minimum number of update changes to WINS must be set first. Without the use of persistent connections, a minimum value of 20 for Number of changes in version ID before replication is required. With persistent connections enabled for push replication, the default value of 0 causes the local WINS server to send a push trigger and notify its push partners each time an update occurs. An update is defined as an incremental increase to the highest version ID in the local WINS database for records the server owns. This can occur when a new name record is registered and added locally or if an IP address change occurs for an existing record. With persistent connections, you can reduce the update frequency for push notifications, by specifying a non-zero value instead. If a value greater than zero is used, WINS only starts push replication when the highest ID for records it owns has increased an equal number of times. 64. You install the Win2000 DHCP server service on a member server in your Win2000 domain. 
The domain contains only Win2000 Professional computers. The DHCP server is located on the same network segment as the Win2000 Professional computers. You create and activate a DHCP scope for the network segment. The Win2000 Pro computers are configured as DHCP client computers but they do not receive IP addresses. What should you do so that each DHCP client receives an IP address? a. Stop and restart the DHCP server service b. Authorize the DHCP server in Active Directory c. Install a DHCP relay agent on one of the Win2000 Professional computers d. Run "registerDNS" on the DHCP server Answer:b To authorize a DHCP server in Active Directory 1 Open DHCP. 2 In the console tree, click DHCP. 3 On the Action menu, click Manage authorized servers. The Manage Authorized Servers dialog box appears. 4 Click Authorize. 5 When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK. Note 1 To open DHCP, click Start, point to Programs, point to Administrative Tools, and then click DHCP. 2 For a DHCP server to be authorized in an Active Directory domain environment, you must first be logged on as a member of the Enterprise Administrators group for the enterprise where the server is being added. 3 This procedure is usually only needed if you are running a DHCP server on a member server. In most cases, if you are installing a DHCP server on a computer also running as a domain controller, the server is automatically authorized the first time you add the server to the DHCP console. 65. You are the administrator of a Windows 2000 domain named bridge.locol. At one of your offices you install a DHCP server and create a scope that has 60 IP addresses. Users in the branch office report that each time they restart their computers they receive an error message: DHCP is unavailable. You check the DHCP audit file and find: ID Date, Time, description, IP Address, Host name, MAC address 00/05/01, 03:19:56 ..started 54. 12/05/01.
03:19:57, Authentication failed..bridge.locol You want to ensure that your users no longer receive the DHCP errors. What should you do ? a. Run the jetpack command b. Reconcile the scopes. c. Authorize the DHCP scope d. Authorize the DHCP server Answer:d DHCP servers are Authorized, DHCP scopes are NOT. 67. You administer a Windows 2000 network. Your network has three Windows 2000-based Windows Internet Name Service (WINS) servers. You want periodic backups of the WINS database on all WINS servers to occur automatically. What should you do? a. In the WINS console on all three WINS servers, right-click to select the server name, then select the Backup Database option b. In the WINS console on all three WINS servers, configure the General properties of each WINS server to specify the default backup path c. On all three WINS servers, use Windows Backup to schedule a regular backup of the contents of the System32\WINS subdirectory d. On all three WINS servers, configure the File Replication Service to copy the contents of the System32\WINS subdirectory to another location on the disk. Answer:b 68. You are the administrator for your company's network. Your network has three Windows 2000 Server computers, named Srvr1, Srvr2, and Srvr3. Each employee has his own Windows 2000 Professional computer. Also there is one Windows 2000 Professional computer, named Prof1, that is used by the general public. Recently several files have been written to Srvr1 and Srvr2 that could have possibly caused great harm to your company's network. You suspect that the files came from Prof1. You want to monitor the traffic between these three computers. Srvr3 is located in your office so you decide to capture the data there. You want to accomplish these goals with the least amount of administrative overhead. What should you do? a. On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1, Srvr1, and Srvr2. b. 
On Prof1, install the Network Monitor driver. On Srvr1 and Srvr2, install the Network Monitor driver. On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1, Srvr1, and Srvr2. c. On Prof1, install the Network Monitor Tools. Then start Network Monitor and configure capture data for Prof1. On Srvr1 and Srvr2, install the Network Monitor driver. On Srvr3, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Srvr1 and Srvr2. d. On Prof1, install the Network Monitor driver On Srvr1 and Srvr2, install the Network Monitor Tools. Then start Network Monitor and configure the capture data for Srvr1 and Srvr2, respectively. On Srvr3, install Network Monitor Tools. Then start Network Monitor and configure the capture data for Prof1. Answer:b To set up Network Monitor, perform two steps: - Install the Network Monitor driver on any computer from which you want to capture data for analysis with Network Monitor. - Install the Network Monitor utilities on a computer running Windows 2000 Server on which data will be captured. To install the Network Monitor driver 1 Click Start, point to Settings, click Control Panel, and then double-click Network and Dial-up Connections. 2 In Network and Dial-up Connections, right-click Local Area Connection, and then click Properties. 3 In the Local Area Connection Properties dialog box, click Install. 4 In the Select Network Component Type dialog box, click Protocol, and then click Add. 5 In the Select Network Protocol dialog box, click Network Monitor Driver, and then click OK. To display and analyze captured data, use the following procedure to install Network Monitor Tools on a computer running Windows 2000 Server. Network Monitor Tools installs Network Monitor along with the Network Monitor driver. 
W2K Network Monitor captures only those frames, including broadcast and multicast frames, sent TO or FROM the local computer. If you use Network Monitor in a switched network environment, you see only the traffic addressed to the computer that is running NetMon. 69. You install Certificate Services on two computers running Windows 2000 Server. CertRoot is an Enterprise Root Certificate Authority. CertSub is an Enterprise Subordinate CA. You have two domains: sycom.com and support.sycom.com. You add a new domain, tech.sycom.com. You attempt to issue a certificate from CertSub for a user account in tech.sycom.com. The Event Viewer shows the CA was unable to publish a certificate for tech.sycom.com\DC. DC is a domain controller for tech.sycom.com. What is the most likely reason you receive this error message? a. DC (tech.sycom.com domain controller) is offline b. You are not a member of the Certificate Administrators for tech.sycom.com c. CertSub is not a member of the group "tech.sycom.com\Cert Publishers" d. The Enterprise CA is offline Answer:c 71. Your network consists of two segments. The first segment contains Windows 2000 server computers and the second segment contains NetWare 4.1 servers. On subnetwork 1, you want the Windows 2000 Server computer to provide file and print services to Windows-based clients that use TCP/IP. On subnetwork 2, you want the Windows 2000 Server to provide application services to NetWare clients that use only IPX/SPX. The Windows 2000 Server has two network adapter cards, and it will not function as a router for either subnetwork. You also want to increase network performance. What should you do? (Choose two) a. Unbind TCP/IP from the adapter connected to subnetwork 2. b. Unbind NWLink from the adapter connected to subnetwork 1. c. Unbind TCP/IP from the adapter connected to subnetwork 1. d. Unbind NWLink from the adapter connected to subnetwork 2.
Answer:a,b Because you are not using either connection for routing, you can unbind the unused protocols from each subnetwork. 72. You are the administrator of a Windows 2000 network. The network consists of 30 Windows 2000 Professional computers and two Windows 2000 Server computers named Athens and Boston. Athens has a permanent cable modem connection to the Internet. All Windows 2000 Professional computers on the network are configured to use Automatic Private IP Addressing (APIPA). The network does not contain a DHCP server. To allow all Windows 2000 Professional computers on the network to access the Internet through the cable modem connection of Athens, you install and configure the Network Address Translation (NAT) routing protocol on Athens. You decide to use IP addresses in the range of 192.168.40.1 through 192.168.40.50 for the network. Athens is configured to use an IP address of 192.168.40.1. Boston is a Web server configured with an IP address of 192.168.40.2 and a default gateway of 192.168.40.1. Your Internet service provider (ISP) has allocated two IP addresses, 207.46.179.16 and 207.46.179.17, to your network. The network is shown in the exhibit (Click the Exhibit button). You want to allow Internet users from outside your internal network to use an IP address of 207.46.179.17 to access the resources on Boston through the NAT service on Athens. How should you configure the network to accomplish this goal? a. Configure Athens with a static route on the private interface of the NAT routing protocol. Use a destination address of 207.46.179.17, a network mask of 255.255.255.255, and a gateway of 192.168.40.2 b. Configure Boston with a static route on the LAN interface. Use a destination address of 192.168.40.1, a network mask of 255.255.255.255, and a gateway of 207.46.179.17 c. Configure the LAN interface of Boston to use multiple IP addresses. Assign the additional IP address of 207.46.179.17 to the interface. d.
Configure the public interface of the NAT routing protocol to use an address pool with a starting address of 207.46.179.16 and a mask of 255.255.255.254. Reserve a public IP address of 207.46.179.17 for the private IP address of 192.168.40.2 Answer:d Single or multiple public addresses If you are using a single public IP address allocated by your ISP, no other IP address configuration is necessary. If you are using multiple IP addresses allocated by your ISP, then you must configure the network address translation (NAT) interface with your range of public IP addresses. For the range of IP addresses given to you by your ISP, you must determine whether the range of public IP addresses can be expressed by using an IP address and a mask. If you are allocated a number of addresses that is a power of 2 (2, 4, 8, 16, and so on), you can express the range by using a single IP address and mask. For example, if you are given the four public IP addresses 200.100.100.212, 200.100.100.213, 200.100.100.214, and 200.100.100.215 by your ISP, then you can express these four addresses as 200.100.100.212 with a mask of 255.255.255.252. If your IP addresses are not expressible as an IP address and a subnet mask, you can enter them as a range or series of ranges by indicating the starting and ending IP addresses. Allowing inbound connections Normal network address translation (NAT) usage from a home or small business allows outbound connections from the private network to the public network. Programs such as Web browsers that run from the private network create connections to Internet resources. The return traffic from the Internet can cross the NAT because the connection was initiated from the private network. 
To allow Internet users to access resources on your private network, you must do the following: 1 Configure a static IP address configuration on the resource server including IP address (from the range of IP addresses allocated by the NAT computer), subnet mask (from the range of IP addresses allocated by the NAT computer), default gateway (the private IP address of the NAT computer), and DNS server (the private IP address of the NAT computer). 2 Exclude the IP address being used by the resource computer from the range of IP addresses being allocated by the NAT computer. 3 Configure a special port. A special port is a static mapping of a public address and port number to a private address and port number. A special port maps an inbound connection from an Internet user to a specific address on your private network. By using a special port, you can create a Web server on your private network that is accessible from the Internet. 73. You are the network administrator of your company network. Your network consists of three subnets connected by a single router. The router is configured as follows: Interface 0, subnet 0, IP address 178.60.4.1, subnet mask 255.255.0.0 Interface 1, subnet 1, IP address 178.60.5.1, subnet mask 255.255.0.0 Interface 2, subnet 2, IP address 178.60.6.2, subnet mask 255.255.0.0 Subnet1 and subnet 2 both contain client computers. Subnet 0 does not. Subnet 1 and subnet 2 each contain a windows 2000 DHCP server that is responsible for assigning IP addresses to client computers on the local subnet only. The scope properties are as follows: Subnet 1 scope, start IP address 178.60.5.100, end IP 178.60.5.254, subnet mask 255.255.255.0 Subnet 2 scope, start IP address 178.60.6.100, end IP 178.60.6.254, subnet mask 255.255.0.0 Subnet 0 contains a web server and provides connectivity to the internet. However the network is experiencing connectivity problems. 
Clients on subnet 1 can communicate with any host on their own subnet, but cannot communicate with hosts on subnet 2. Clients on subnet 2 cannot communicate with hosts on subnet 1 but they can successfully connect to subnet 0. What should you do to correct this problem? a. Delete and recreate the scope on subnet 1 DHCP server to reflect the correct subnet mask. b. Delete and recreate the scope on subnet 2 DHCP server to reflect the correct subnet mask c. Modify the routing table on the router to enable routing from subnet 1 to subnet 0 and subnet 2 d. Modify the routing table on each subnet 1 host computer to enable direct connectivity to hosts on subnet 0 and subnet 2. e. Delete and recreate the scopes on both subnet 1 and subnet 2 DHCP server to reflect the same configuration information for both subnets. Answer:a As you can see above, your scope on subnet 1 has the subnet mask incorrectly configured. Unfortunately you cannot change the mask in the scope options; you will have to create a new scope. 74. You are the administrator of your company's network. The network consists of 10 Windows 2000 Server computers, 200 Windows 2000 Professional computers, 250 Windows 98 computers, and 25 UNIX workstation computers running SMB server software. The network runs only TCP/IP as its transport protocol. You implement WINS in the network for NetBIOS name resolution. Users of the Windows-based client computers report that they cannot access resources based on the UNIX computers by NetBIOS name. There is no problem accessing Windows-based resources by NetBIOS name. What should you do to resolve this problem? a. Install a WINS proxy agent on one of the UNIX computers b. Install a WINS proxy agent on one of the Windows-based computers c. On the WINS server, create static mappings for the UNIX computers d. On the WINS server, create static mappings for the Windows-based computers e.
Run the IPConfig/renew command on all UNIX based computers Answer:c Static mappings are non-dynamic database entries of NetBIOS computer name-to-IP address mappings for computers on the network that are not WINS-enabled or special groups of network devices. In this case a Windows-based client cannot access resources on the UNIX computer using NetBIOS! The WINS Proxy Agent helps resolve name queries for non-WINS enabled computers, for example, from a UNIX client to a Windows client. WINS Proxy does not work with UNIX clients and also doesn't register the non-WINS clients' names with the WINS server. Static entries are only useful when you need to add a name-to-address mapping to the server database for a computer that does not directly use WINS. For example, in some networks, servers running other operating systems cannot register a NetBIOS name directly with a WINS server. Although these names might be added to and resolved from an Lmhosts file or by querying a DNS server, you might consider using a static WINS mapping instead. 75. On your Windows 2000 server, you install Client Services for Netware and NWLink with the default settings. How should you configure your Windows 2000 server to connect to all Netware servers, regardless of their versions? a. Set the adapter to frame type 803.2 b. Set the adapter to Manual Frame Type Detection and add the frame type of each Netware server c. Edit the registry to allow all frame types d. You can only connect to one type of Netware server at a time so this cannot be accomplished Answer:b By default, NWLink automatically detects the frame type used by the network adapter to which it is bound. If NWLink detects no network traffic or if multiple frame types are detected in addition to the 802.2 frame type, NWLink sets the frame type to 802.2. 76. Your Win2000 network has 3 subnets, A, B, and C. A is at the corporate headquarters. B is used to connect a router at the HQ office to a router at the remote office (SubnetC).
Two Win2000 servers are used as routers: RouterAB connects SubnetA and SubnetB. RouterBC connects SubnetB and SubnetC. You configure RouterAB and RouterBC to use demand-dial connections. What two steps must you take to allow a client computer on SubnetC to access a share on a client on SubnetA? (Choose two) a. Configure TCP/IP filter on the RouterAB demand-dial interface b. Configure TCP/IP filter on the RouterBC demand-dial interface c. Configure a static route for SubnetC on the demand-dial interface of RouterAB d. Configure a static route for SubnetA on the demand-dial interface of RouterBC e. Configure a static route for SubnetB on the demand-dial interface of RouterBC f. Configure a static route for SubnetB on the demand-dial interface of RouterAB Answer:c,d 79. Your network has one primary internal and external DNS server. It has secondary DNS servers that transfer zone information from the primary external DNS server. The secondary DNS servers are installed on two Win2000 Server computers and one WinNT4.0 server computer. The primary external DNS server has only a limited number of resource records in its zone file, and is used to host records for your company's Web and mail servers. The Web server and the mail server have static IP addresses. When you monitor the secondary DNS servers using System Monitor, you notice a high number of hits when monitoring the counter DNS:Zone Transfer SOA Requests Sent. How should you minimize the bandwidth that is required for this traffic? (Choose all that apply) a. Configure the notify list on the primary external DNS server to notify the secondary DNS servers when there are changes to be replicated. b. Change the interval that the secondary DNS servers use to request updates from the primary DNS server. c. Increase the value of the Refresh interval in the SOA record d. Decrease the value of the Refresh interval in the SOA record e.
Configure the notify list on the secondary DNS servers to only show the primary DNS server. Answer:a,c Notify lists can be created and managed to provide a method for a master server for a zone (either the primary server or another secondary server) to push notify a list of secondary servers when the zone changes. To create or manage a notify list, you can use the DNS console to add and remove servers by their IP addresses in the notify list for a zone. The list is created and managed for each zone using the Notify tab in zone properties. By default, the notify list is based on the authoritative servers for the zone as listed on the Name Servers tab. SOA Resource Record: Refresh Interval - The time, in seconds, that a secondary DNS server waits before querying its source for the zone to attempt renewal of the zone. When the refresh interval expires, the secondary DNS server requests a copy of the current SOA record for the zone from its source, which answers this request. The secondary DNS server then compares the serial number of the source server's current SOA record (as indicated in the response) with the serial number in its own local SOA record. If they are different, the secondary DNS server requests a zone transfer from the primary DNS server. The default for this field is 900 seconds (15 minutes). 80. You want to configure your DNS server to allow users to type a host name in their browsers to connect to the Web server that is on the same subnet. The host name that all users will type in will be identical regardless of the subnet they are on. You have three subnets in your network, and each Web server on your network contains the same content as all of the Web servers. How should you configure your DNS server? a. On the primary DNS server, create three A (host) records that map the same host name to IP address of the Web server on each subnet. b. On the primary DNS server, create one A (host) record that is located on the same subnet as the DNS server.
On the secondary DNS servers on the two remaining subnets, edit the zone file for the domain on each DNS server to include an A (host) record for the Web server on each subnet c. On the primary DNS server, create three A (host) records that map a different host name to the IP address of the Web server on each subnet. d. On the primary DNS server, create one A (host) record for one Web server and two CNAME (canonical name) records for the remaining two Web servers. Answer:a The A record (address record) yields an IP address that corresponds to a host name. There can be multiple IP addresses corresponding to a single host name; there can also be multiple host names each of which maps to the same IP address. CNAME: Description: Canonical name (CNAME) resource record. Maps an aliased or alternate DNS domain name in the owner field to a canonical or primary DNS domain name specified in the canonical_name field. The canonical or primary DNS domain name used in the data is required and must resolve to a valid DNS domain name in the namespace. Configuring round robin Round robin is a local balancing mechanism used by DNS servers to share and distribute network resource loads. You can use it to rotate host (A) resource records (RRs) contained in a query answer if multiple A RRs for a host name are found. By default, the DNS Server service uses round robin to order resource records returned in an answer of the host name resolved to more than one mapped RR. This feature provides a simple method for load balancing client use of Web servers and other frequently queried multihomed computers. For round robin to work, multiple A RRs for the queried name must first be registered in the zone. If round robin is disabled for a DNS server, the order of the response for these queries is based on a static ordering of RRs in the answer list as they are stored in the zone (either its zone file or Active Directory). 
Example: Round-robin rotation A forward lookup-type query (for all A RRs that match a DNS domain name) is made for a multihomed computer (multihomed.example.microsoft.com) that has three IP addresses. Separate A RRs are used to map the host's name to each of these IP addresses in the zone. In the stored example.microsoft.com zone, the RRs appear in this fixed order: multihomed IN A 10.0.0.1 multihomed IN A 10.0.0.2 multihomed IN A 10.0.0.3 The first DNS client that queries the server to resolve this host's name receives the list in default order. When a second client sends a subsequent query to resolve this name, the list is rotated as follows: multihomed IN A 10.0.0.2 multihomed IN A 10.0.0.3 multihomed IN A 10.0.0.1 **** Local subnet priority supersedes the use of round-robin rotation for multihomed names. When enabled, however, round robin continues to be a secondary method used to sort multiple RRs returned in a listed answer as part of an address (A) query response. For more information on local subnet priority, see Prioritizing local subnets. 82. You are the administrator of your company's network. You have a portable computer that uses Microsoft Internet Explorer to access your company's Internet Information Services (IIS) computer. This application works successfully when your portable computer is docked at the office, but it fails when your portable computer is connected by Routing and Remote Access. You want to configure your portable computer to connect to your company's network by Routing and Remote Access. You want to install only what is necessary while maximizing performance and minimizing administrative overhead. What should you click in the appropriate box or boxes in the Networking tab of the dialog box? (Choose all that apply) a. Internet Protocol [TCP/IP] b. File and Printer Sharing for Microsoft Networks c. Network Load Balancing d.
Client for Microsoft Networks Answer:a,d The Client for Microsoft Networks component allows a computer to access resources on a Microsoft network. The component is installed and enabled by default. 83. You are the administrator of your company's network. The network consists of 10 Windows 2000 Server computers, 100 Windows 2000 Professional computers, and 150 Windows NT Workstation computers. For workgroup collaboration and document sharing, all client computers have file and print sharing services enabled. You are using DHCP to automate the TCP/IP configuration of all client computers. You want to accomplish the following goals: All client computers will be able to be located on the network by the network's fully qualified domain name. A (host) records for all client computers will be automatically added to the DNS zone files. PTR (pointer) records for reverse name lookup for all client computers will be automatically added to the DNS zone files A records and PTR records will be automatically removed from the DNS zone files when the DHCP lease expires You take the following actions: Configure the DHCP server to never update client information in DNS Configure the DHCP server to discard forward lookups when the lease expires Configure the DHCP scope to configure the domain name for all DHCP client computers Which result or results do these actions produce? (Choose all that apply) a. All client computers are able to be located on the network by the network's fully qualified domain name b. A records for all client computers are automatically added to the DNS zone files c. PTR records for reverse name lookup for all client computers are automatically added to the DNS zone files d. 
A records and PTR records are automatically removed from the DNS zone files when the DHCP lease expires Answer:d By default, Microsoft clients that support the FQDN option (currently Windows 98 and Windows 2000) register each of the adapter host records and request that the DHCP service register the PTR (pointer) record. The DHCP service adds the PTR (pointer) records to the zone and cleans up the PTR (pointer) and "A" (Host) records in the zone upon lease expiration. The DHCP service also registers both the "A" (Host) and PTR (pointer) records for legacy clients, and performs any necessary cleanup action. Clients that do not support the FQDN option can still be dynamically registered in the DNS zone. If configured to do so, the DHCP server obtains the host name of legacy clients from the DHCP REQUEST packet. After appending the domain name given for that scope, the DHCP server registers the name. NT does not support option 81, so A is wrong. NT does not support dynamic DNS, so B is wrong. DHCP is responsible for updating the PTR record in DNS and DHCP is set to never update client information in DNS, so C is wrong. The Fully Qualified Domain Name (FQDN) option (code 81) allows the client to send its FQDN to the DHCP server in the DHCPREQUEST packet. When a Windows 2000-based DHCP client initializes, it negotiates a dynamic update procedure with a DHCP server. By default, the Windows 2000-based client attempts to update its host resource record (the host's A record). While this occurs, a server running Windows 2000 Advanced Server and the DHCP service attempts to upgrade the client's PTR resource record. The Windows 2000-based DHCP server can be configured to Update DNS server according to client request or Always update forward and reverse look-ups. If the DHCP server is configured to Always update forward and reverse lookups, it will update both A and PTR resource records itself regardless of the DHCP client's request.
If the DHCP server is not configured to perform dynamic updates, the DHCP client will attempt to update both A and PTR resource records itself. Every time there is an address event (new address or renewal), the DHCP client sends option 81 and its fully qualified name to the DHCP server, and requests the DHCP server to register a DNS pointer resource record PTR RR on its behalf. The dynamic update client handles the A resource record registration on its own. However, the DHCP server can be configured to instruct the client to allow the server to register both records with the DNS. The Windows 2000 DHCP server handles option 81 requests as specified in the draft RFC. If a Windows 2000 DHCP client talks to a down-level DHCP server that does not handle option 81, it registers a PTR resource record on its own. Statically configured (non-DHCP) clients register both the A resource record and the PTR resource record with the DNS server themselves. By disabling DDNS, Win NT client records cannot be updated. Pertaining to W2000 clients only if the DHCP server is configured not to perform Dynamic Updates, the W2k clients attempt to update the A and PTR records. So, they are not automatically updated in this scenario. DDNS and DHCP - The DHCP Server cleans up both the A and PTR records in the zone when the lease expires. How DHCP/DNS update interaction works The DHCP server can be used to register and update the pointer (PTR) and address (A) resource records on behalf of its DHCP-enabled clients. This process requires the use of an additional DHCP option, the Client FQDN option (option 81). This option permits the client to provide its fully qualified domain name (FQDN) as well as instructions to the DHCP server on how it would like the server to process DNS dynamic updates (if any) on its behalf. 
When this option is issued by a qualified DHCP client, such as a DHCP-enabled computer running Windows 2000, it is processed and interpreted by Windows 2000 DHCP servers to determine how the server initiates updates on behalf of the client. For example, the server might be configured in one of the following ways to process client requests: 1 The DHCP server registers and updates client information with its configured DNS servers according to the client request. Once a new DHCP server is installed, this is the default configuration for Windows 2000 DHCP servers and clients. In this mode, any Windows 2000 DHCP client can request the way in which the DHCP server performs updates of its host (A) and pointer (PTR) resource records. If possible, the DHCP server accommodates the client request for handling updates to its name and IP address information in DNS. This can be set at the applicable DHCP server by configuring the Update DNS only if DHCP client requests option located in Properties on the DNS tab. 2 The DHCP server always registers and updates client information with its configured DNS servers. This is a modified configuration supported for Windows 2000 DHCP servers and clients. In this mode, the DHCP server always performs updates of the client's FQDN and leased IP address information, both its host (A) and pointer (PTR) resource records, regardless of whether the client has requested to perform its own updates. This can be set at the applicable DHCP server by configuring the Always update DNS option located in Properties on the DNS tab. 3 The DHCP server never registers and updates client information with its configured DNS servers. To set this behavior, the DHCP server must be configured to disable performance of DHCP/DNS proxied updates. By disabling this feature, no client host (A) or pointer (PTR) resource records are updated in DNS for DHCP clients. 
If necessary, this change in setting can be made at Windows 2000 DHCP servers by clearing the Automatically update DHCP client information in DNS check box, which is located in Properties on the DNS tab on the applicable DHCP server or one of its scopes. By default, updates are always performed for newly installed Windows 2000 DHCP servers and any new scopes created for them. Additional advanced DHCP/DNS server configuration options In addition to these standard DHCP/DNS interactions, the Windows 2000 DHCP server can be configured to perform these optional update tasks as follows: 1 The server can selectively be configured to not send updates for discarding a client host (A) resource record when the client lease expires. When the DHCP server is enabled to perform DNS updates, it always sends updates to discard the client pointer (PTR) resource records when the lease expires. Whether the server does this also with client host (A) resource records when a client's lease expires (by default, the server discards these) is a configurable option. To modify this at the applicable DHCP server, clear the Discard forward (name-to-address) lookups when leases expires check box in Properties on the DNS tab. 2 The server can be selectively configured to not send updates for clients unable to use the Client FQDN option (option 81), to request the way that updates are handled. By default, the DHCP server sends updates for clients that do not support option 81. This allows the server to perform proxy updates in DNS for all of its DHCP clients that are running earlier versions of Windows operating systems. To modify this at the applicable DHCP server, clear or select the Enable updates for DNS clients that do not support dynamic updates check box in Properties on the DNS tab. 84. You are the administrator of your company's network. The network consists of 10 Windows 2000 Server computers, 100 Windows 2000 Professional computers, and 150 Windows NT Workstation computers. 
For workgroup collaboration and document sharing, all client computers have file and print sharing services enabled. You are using DHCP to automate the TCP/IP configuration of all client computers.

You want to accomplish the following goals:
- All client computers will be able to be located on the network by the network's fully qualified domain name.
- A (host) records for all client computers will be automatically added to the DNS zone files.
- PTR (pointer) records for reverse name lookup for all client computers will be automatically added to the DNS zone files.
- A records and PTR records will be automatically removed from the DNS zone files when the DHCP lease expires.

You take the following actions:
- Configure the DHCP server to always update client computer information in DNS.
- Configure the DHCP server to discard forward lookups when the lease expires.
- Configure the DHCP server to update DNS for client computers that do not support dynamic updates.
- Configure the DHCP scope to configure the domain name for all DHCP client computers.

Which result or results do these actions produce? (Choose all that apply)
a. All client computers are able to be located on the network by the network's fully qualified domain name
b. A records for all client computers are automatically added to the DNS zone files
c. PTR records for reverse name lookup for all client computers are automatically added to the DNS zone files
d. A records and PTR records are automatically removed from the DNS zone files when the DHCP lease expires
Answer:a,d

85. You are the administrator of your company's network. The network consists of one Windows 2000 domain that has 10 Windows 2000 Server computers and 500 Windows 2000 Professional client computers. You want all client computers to receive their TCP/IP configuration from DHCP. You install the DHCP Server service on one of your Windows 2000 Server computers and create and activate a scope of addresses. Users report that they cannot connect to the network.
You discover that none of the client computers are receiving TCP/IP configurations from DHCP. The Windows 2000 Professional clients are properly configured for DHCP. What should you do to resolve this problem?
a. Stop and restart the DHCP Server service on the DHCP server
b. Restart all client computers
c. Authorize the DHCP server in Active Directory
d. Add a DNS host record for the DHCP server
e. Install a DHCP relay agent on one of the Windows 2000 Professional computers.
Answer:c

86. You are the administrator for your company's Windows 2000 domain. The network is configured by both Dynamic DNS (DDNS) and DHCP servers. All client computers run Windows 2000 Professional. A junior technician has manually updated a host resource record. Instead of disturbing the affected user by asking her to reboot her computer, you decide to manually finish the update yourself. What other DNS resource records should be updated to maintain DNS integrity? (Choose all that apply)
a. The associated Start of Authority (SOA)
b. The associated Name Server (NS)
c. The associated Address (A)
d. The associated Pointer (PTR)
e. The associated Mail Exchange (MX)
f. The associated Service (SRV).
g. The associated host (HINFO) resource record.
Answer:d
Updating DNS client information on a computer is sometimes necessary -- for example, if a computer is added or removed from an Active Directory domain. In most cases, clients perform dynamic updates for the following changes when entering or leaving a domain:
1 When a computer is joined to a domain, it adds its A and PTR records to DNS.
2 When a computer is removed from a domain, it deletes its A and PTR records from DNS.
If you have enabled dynamic update for zones, these changes occur automatically.

87. You are the administrator for your company's Windows 2000 domain. You have a Windows 2000 Server computer that is your Domain Name System (DNS) server.
The DNS server contains the following types of resource records: Start of Authority (SOA), Name Server (NS), Address (A), Pointer (PTR), Mail Exchange (MX), Service (SRV). You update an A host resource record. Which type of record may be associated with this record and need to be updated also?
a. The associated SOA resource record
b. The associated NS resource record
c. The associated A resource record
d. The associated PTR resource record
Answer:d
With every Host Resource Record (A) in the forward lookup zone file there is an associated reverse lookup zone file with the Pointer Resource Record (PTR).

88. You are a network administrator of a Windows 2000 Server network. A VPN has been configured and installed using the Routing and Remote Access Service. The Layer 2 Tunneling Protocol is used for all communication. Employees use the Virtual Private Network to access the network from remote locations around the world. To increase network security the Point-to-Point Tunneling Protocol should be disabled. How can you accomplish this?
a. Use the TCP/IP properties to remove the Point-to-Point Tunneling protocol
b. Disable the Point-to-Point Tunneling protocol on the ports Tab of the Routing and Remote Access Service property sheet
c. Set the number of PPTP ports to 1
d. Set the number of PPTP ports to 0
Answer:c
Minimum PPTP ports allowed is 1. Minimum L2TP ports allowed is 0. To create an L2TP-only server, set the number of PPTP ports to 1 and then clear the Remote Access Connection (Inbound Only) and the Demand Dial Routing Connections (Inbound and Outbound) check boxes. On the client computer, change the type of VPN server from automatic to Layer 2 Tunneling Protocol (L2TP).

89. Your network is connected to the company network via a Windows 2000 Routing and Remote Access two-way demand-dial connection over ISDN. The ISDN link must only be used once each day to transfer sales information to or from the main office during non-business hours.
Several times a day, an ISDN link is initiated between the networks. You analyze the traffic and discover that it is composed of router announcement broadcasts. What should you do to prevent the link from being used during business hours? (Choose two)
a. Schedule the demand-dial interface to dial only during specified hours.
b. Set the Remote Access Policy to only allow connections after business hours
c. Create a demand-dial filter on the interface
d. Set a TCP/IP filter on the interface to prevent broadcast messages from passing
Answer:a,c

90. You are the administrator for your company Windows 2000 network. You have installed Certificate Services on a Windows 2000 server and set it as the Enterprise CA. Where can you go to see the licenses the CA has issued and the CRLs?
a. Active Directory services MMC.
b. Browse to the %systemroot%\system32\certsrv\certenroll.
c. From the CA MMC snap-in.
d. HKLM\system\currentcontrolset\services\certsrv registry key.
Answer:c

91. You are the administrator for your company network. The network consists of 8 Windows 2000 Server computers, 200 Windows Professional client computers and 10 UNIX servers. Windows 2000 is being used as your DNS server. Your DNS zone is configured as an Active Directory integrated zone and is configured to allow dynamic updates. Users report that they can successfully access the Windows 2000 computers by host name but they cannot access the UNIX servers by host names. How can they correct the problem?
a. Manually enter a HOST (A) record for the UNIX servers in the zone database.
b. Manually add the UNIX servers to the Windows 2000 domain
c. On the DNS server, manually create the zone file that contains records for the UNIX servers.
d. Configure a UNIX server to be a DNS server in the secondary zone.
Answer:a

92. You are the administrator of your company's network. The network consists of one Windows 2000 domain.
All servers and client computers are running Windows 2000. To facilitate name resolution and client access to resources on the servers, you have configured your DNS standard primary zone to include the addresses of all of your servers. You later add three new member servers to your network. Users report that they can find these servers in the directory but cannot access these servers. You want to resolve this problem. What should you do?
a. Convert the DNS standard primary zone to an Active Directory integrated zone.
b. Create SRV (service) records for each new server in the DNS zone.
c. Set the Allow Dynamic Updates setting for the DNS standard primary zone to Yes.
d. Set the Allow Dynamic Updates setting for the DNS standard primary zone to Only Secure Updates.
Answer:c
Cause: The DNS server supports dynamic updates but is not configured to accept them.
Solution: Verify that the primary zone where clients require updates is configured to allow dynamic updates. For Windows 2000 DNS servers, the default for a new primary zone is to not accept dynamic updates. At the DNS server that loads the applicable primary zone, modify zone properties to allow updates.

93. Your company's portable computers are frequently utilized by users at locations that are not on the network. Two DHCP servers provide IP configuration to your Windows 2000 Professional clients. You want to configure different lease times for the desktop computers and portable computers. Desktop clients should use the default lease time. Portable computers should use a lease time of four hours. What should you do? (Choose three)
a. On the laptop computers, set the DHCP class ID setting to Windows 2000 laptop computers.
b. On the laptop computers, set the DHCP vendor class ID setting to Windows 2000 option.
c. On the laptop computers, manually configure a DHCP lease time of 4 hours and all other TCP/IP parameters to be configured by the DHCP servers
d.
On the DHCP server, configure the scope so that it has an empty lease duration value.
e. On the DHCP servers, define a new user class that has the ID specified on the laptop computers.
f. On the DHCP servers, configure the scope options to use a lease time of four hours for the laptop computers.
Answer:aef

To create a new user or vendor class
1 Open DHCP.
2 In the console tree, click the applicable DHCP server.
  Where?
  1 DHCP
  2 Applicable DHCP server
3 On the Action menu, choose one of the following:
  1 To create a new user class, click Define User Classes.
  2 To create a new vendor class, click Define Vendor Classes.
4 Click Add.
5 In New Class, type the required information.

To set DHCP class ID information at a client computer
1 At a DHCP-enabled client computer running Windows 2000, open a command prompt.
2 Use the IPConfig command-line utility to set the DHCP class ID the client uses when obtaining its lease from the DHCP server. You can type the IPConfig /setclassid command as demonstrated in the following example command, which sets an ASCII string ("Windows2000LaptopComputers") as the DHCP class ID string for the local area network connection in use at the client computer:

C:\>IPConfig /setclassid "Local Area Connection" Windows2000LaptopComputers
Windows 2000 IP Configuration
DHCP ClassId successfully modified for adapter"Local Area Connection"

94. You are not running in native mode. Your company is a sales organization and has 150 salespeople. When these salespeople are out of the office, they require file and print services, e-mail, and access to the company's product and inventory database. These salespeople belong to a group named SalesMobile. Your company has dedicated T1 access to the Internet. Your company also uses a virtual private network (VPN) to reduce the costs and hardware required to support the salespeople.
You want to accomplish the following goals:
a Required network resources will be accessible to all salespeople
b Connections to the network will be made only by salespeople
c Sensitive company data will be kept confidential over the VPN connections
d Access to the network will only take place during business hours
e All salespeople will be able to connect to the network simultaneously

You take the following actions:
- On a Windows 2000 Server computer, install Routing and Remote Access and configure virtual private networking.
- Increase the WAN Miniport (PPTP) maximum port limit to 150.
- Create a new remote access policy that has the condition to allow access to the users in the SalesMobile group.
- Set the new remote access policy's order of precedence higher than the default policy.
- Edit the default remote access profile to require strong encryption of data.

Which result or results do these actions produce? (Choose all that apply)
a. Required network resources are accessible to all salespeople
b. Connections to the network are made only by salespeople
c. Sensitive company data is kept confidential over the VPN connections
d. Access to the network only takes place during business hours
e. All salespeople are able to connect to the network simultaneously
Answer:a,b,c,e

95. You configure a Win2000 Server as the DNS server for your network. You create both standard primary forward lookup and reverse lookup zones. When you use the NSLOOKUP utility, you cannot resolve host names from IP addresses on your network. When you run TRACERT.EXE you receive the message: "Unable to resolve target system name." What should you do?
a. Configure the DNS to forward requests to an external DNS
b. Install a WINS server and configure DHCP to issue the IP address of the WINS server to all DHCP clients
c. Create PTR (Pointer) records in the reverse lookup zone
d. Copy the systemroot\system32\dns\cache\samples\cache.dns to systemroot\system32\dns\cache\cache.dns
Answer:C

96.
You are the administrator for your company Windows 2000 network. The network has 5 Windows 2000 servers and 50 Windows 2000 Professional clients. Two servers are configured to be silent RIP hosts. You find out that the RIP hosts are not receiving routes. What should you do?
a. Verify RIP hosts support broadcast listening.
b. Verify TCP/IP is configured for inbound traffic.
c. Verify IP routing table contains the problem.
d. Verify the version of RIP that the silent RIP hosts support.
Answer:d

Silent RIP hosts
A silent RIP host (a nonrouter) processes received RIP announcements but does not make RIP announcements. The processed RIP announcements are used to build the routing table for the host. You do not need to configure silent RIP hosts with a default gateway. Silent RIP is commonly used in UNIX environments. If there are silent RIP hosts on a network, you must determine which version of RIP they support. If the silent RIP hosts only support RIP v1, then you must use RIP v1 on the network for that host. Windows 2000 Professional provides a RIP version 1 silent RIP component called the RIP Listener, which you can install as an optional networking component.

97. You are the administrator for your company's Windows 2000 Server network. The network contains 7 Windows 2000 Server computers and 60 Windows 2000 Professional client computers. Two server computers are configured to be Silent Routing Information Protocol (RIP) hosts. While running tests on the network after implementing the Silent RIP hosts, you discover a problem. You verify the version of RIP that the Silent RIP hosts support. What problem did you encounter?
a. You discovered that the RIP hosts were not receiving routes
b. You discovered that the host routes are not being propagated
c. You discovered that the RIP routers are not receiving expected routes
d. You discovered that the improper routes are being sent to the RIP routers
Answer:A

98. You are the network administrator of a Windows 2000 network.
The network consists of 400 Windows 2000 Professional computers. It has recently come to your attention that the users on your network have been using the same passwords since their accounts were created. To maintain security on the network you need to correct the problem. You create a Group Policy object (GPO) and filter it to the users. You want to configure the GPO to require users to create a different password periodically. Which two should you enable?
a. Minimum password length
b. Users must log on to change the password
c. Enforce password history
d. Minimum password age
e. Maximum password age.
Answer:c,e
Setting a minimum password age would only limit users on how soon they can change their password.

99. You use a computer running Win2000 server and the DHCP Server service to create a DHCP scope with a lease length of 15 days and a subnet mask of 21 bits. You now want to change the configuration for the scope to have an unlimited lease and a subnet mask of 28 bits. How would you do this?
a. Delete the scope. Use the new scope wizard to create a new scope with a subnet mask of 28 bits and an unlimited lease. Activate the scope
b. Right click on the scope in DHCP and select properties. Edit the properties of the scope and change the subnet mask to 28 bits and the lease to unlimited
c. Delete the scope. Use the new scope wizard to create a new scope with a subnet mask of 28 bits. Edit the properties of the new scope to set an unlimited lease. Activate the new scope.
d. Disable the scope. Edit the properties of the scope and change the subnet mask to 28 bits and an unlimited lease. Enable the scope.
Answer:c
You have to create a new scope to change the subnet mask. The wizard does not let you set an unlimited lease, only 999 days -- You must activate the scope when done.

101. Your network consists of two locations containing a Win2000 Server and 45 Win2000 Professional computers. The two servers are Win2000-based routers.
Although the two routers are not connected directly to each other, they are connected by a third router. This third router is administered by a different company. Users in both locations want to provide multicast based datacasting of information to the other site. You add the Internet Group Management Protocol (IGMP) to both servers. However, the third router does not support multicast forwarding or routing. How should you configure the network to allow IP multicast traffic to pass between the two locations? (choose three)
a. Create an IP-in-IP interface between the servers
b. Assign the interface to the IGMP routing protocol
c. Run the interface in IGMP proxy mode
d. Run the interface in IGMP point to point mode
e. Run the interface in IGMP Router mode.
f. Create a point to point interface between the 2 servers
Answer:a,b,c
IP-in-IP tunnels are used to forward information between endpoints acting as a bridge between portions of an IP inter-network that have differing capabilities. A typical use for IP-in-IP tunnels is the forwarding of IP multicast traffic from one area of the intranet to another area of the intranet, across a portion of the intranet that does not support multicast forwarding or routing. With IP-in-IP tunneling, an IP datagram is encapsulated with another IP header addressed to and from the endpoints of the IP-in-IP tunnel, as shown in Figure 4.5. An IP-in-IP tunnel is indicated by setting the IP Protocol field to 4 in the outer IP header. For more detailed information about IP-in-IP tunneling, see RFC 1853.

Figure 4.5 IP-in-IP Tunnel Packet Structure

IP-in-IP Interfaces
An IP-in-IP interface is a logical interface that sends IP packets in a tunneled mode. To create an IP-in-IP interface, in the Routing and Remote Access snap-in, right-click Routing Interfaces, click New, and then click Tunnel (IP only).
After the tunnel is created, add it as an IP routing interface by right-clicking the General node under IP Routing, and then clicking New Interface. After IP-in-IP interfaces are created and added as an IP routing interface, you must configure the tunnel endpoints. Then, you can configure them the same as any other IP interface, including setting packet filters to confine the traffic that is allowed into and out of the interface, and multicast scopes and boundaries.

102. You are the administrator for your company's Windows 2000 domain. On this domain, you have a Windows 2000 Server computer acting as your company's Internet interface. This morning when you came to work, you noticed that you had an unusually long wait time to access resources on your network. You run several tests but cannot seem to find any problems although the access times are incredibly long. When the users come in for work, they immediately start complaining about network performance. You then decide to start checking packets on the network. After investigating the problem, you notice that a denial of service attack has flooded your Internet server with "Destination Unreachable" packets. You want to prevent this from happening again with the least amount of administrative overhead possible. You do not want to prevent legitimate packets from being forwarded. What should you do?
a. Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0 and IP Address 192.168.0.0 with Subnet Mask 255.255.0.0.
b. Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0 and IP Address 172.16.0.0 with Subnet Mask 255.240.0.0.
c. Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0, IP Address 172.16.0.0 with Subnet Mask 255.240.0.0, and IP Address 192.168.0.0 with Subnet Mask 255.255.0.0.
d.
Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0, IP Address 127.0.0.1 with Subnet Mask 255.0.0.0, IP Address 172.16.0.0 with Subnet Mask 255.240.0.0, and IP Address 192.168.0.0 with Subnet Mask 255.255.0.0.
Answer:c
Denial of service: The intruder floods a server with requests that consume system resources and either cause the server to stop responding or become too busy to process legitimate work. Causing the server to stop responding sometimes provides opportunities to penetrate the system.

Denying Spoofed Packets from Private IP Addresses
Another method of performing denial of service attacks is to flood servers with packets, such as TCP connection request packets, from addresses to which there can be no reply. In these cases, the malicious users spoof, or substitute, the source IP address of the packets with something other than the IP address of the interface on which the packets originated. An easy address to spoof is a private address because a response sent to a private address on the Internet results in an ICMP Destination Unreachable message. To drop Internet traffic from spoofed private IP addresses, configure input filters on the Internet interface to accept all packets except the following:
- The Source IP Address of 10.0.0.0 with the subnet mask 255.0.0.0.
- The Source IP Address of 172.16.0.0 with the subnet mask 255.240.0.0.
- The Source IP Address of 192.168.0.0 with the subnet mask 255.255.0.0.

103. You are the administrator of a Windows 2000 network. The network has three segments connected by a router. Each segment contains a Windows 2000-based WINS server and two other Windows 2000 Server computers. The network also has 300 Windows NT Workstation 4.0 WINS client computers distributed evenly over the three segments. Users in each network segment inform you that they cannot browse any network resources on the other network segments.
They do not have problems browsing their own segment. How should you configure the network to enable users to browse for network resources on all three network segments?
a. Configure all WINS client computers to be NetBIOS node type Mixed (m-node)
b. Configure all WINS client computers to use all three WINS servers.
c. On each WINS server, configure the Lmhosts file to contain entries that include #PRE and #DOM for the other two WINS servers
d. Configure the three WINS servers as replication partners of one another
Answer:d
a- WINS client is an h-node (hybrid) client by default
b- There are routers
c- Again there are routers

104. You are the administrator of a Windows 2000 domain. The domain has two Windows 2000 member server computers named Istanbul and Rome. Routing and Remote Access is enabled for remote access on Rome. Internet Authentication Service (IAS) is installed on Istanbul. Rome uses Istanbul to authenticate remote access credentials. The remote access policies on Istanbul specify that domain members are allowed remote access to the network. However, users report that they are not allowed to dial in to Rome. When you investigate the problem, you discover that the configuration of Istanbul supports only local user accounts. What should you do?
a. Add Istanbul to the RAS and IAS Servers group in Active Directory
b. Configure Routing and Remote Access on Istanbul to use RADIUS Authentication
c. On Istanbul, add a realm replacement rule for the Windows 2000 domain.
d. On Istanbul, add a remote access policy that uses MS-CHAP
Answer:a
For a Windows 2000 domain, is the IAS-server computer account a member of the RAS and IAS Servers security group? In order to be able to access user account properties in a domain, the computer account of the IAS server must be a member of the RAS and IAS Servers security group of that domain.
This can be assigned through the Active Directory Users and Computers administrative tool, by registering the IAS server in the Internet Authentication Service administrative tool, or by using the netsh ras add registeredserver command.

105. You are the administrator of a Windows 2000 network. The network consists of one Windows 2000 domain that has Windows 2000 Professional client computers and Windows NT Workstation 4.0 client computers. To create a digital certificate, you use a stand-alone certificate server configured as a root Certificate Authority (CA). You use the digital certificate to secure a virtual directory on your Internet Web server. Users report that when they connect to the virtual directory by means of a new URL, a Security Alert dialog box appears with the following warning message: 'The security certificate was issued by a company you have not chosen to trust.' You want to prevent this warning message from appearing. You also want to avoid any unnecessary reconfiguration of either the certificate server or the Web server. What should you do?
a. Inform your users of the new URL that points to the host name used in the digital certificate
b. Configure a Group Policy that automatically installs as a trusted authority in the client computers the digital certificate for the certificate server
c. Inform your users that they need to install a client certificate from the certificate server
d. Inform your users that they need to install as a trusted authority in the client computers the digital certificate for the certificate server
Answer:b

107. You work for a local state agency that does not use Windows Internet Name Service (WINS) for NetBIOS name resolution. Instead, each client on the network copies a master LMHOSTS file from a central server during the logon process.
After experiencing a number of problems with the current Primary Domain Controller (PDC) named MIS4 of the HR domain, you decide to promote one of the Backup Domain Controllers (BDCs) named Payroll2 to PDC status and take the former PDC offline. In the master LMHOSTS file, you take off the listing for the former PDC. What is the other change you must make?
a. 128.131.24.122 Payroll2 #DOM:HR
b. 128.131.24.122 Payroll2 #DOMAIN:HR
c. 128.131.24.122 #PRE Payroll2 #DOM:HR
d. 128.131.24.122 Payroll2 #PRE #DOM:HR
Answer:d
128.131.24.122 (IP address) Payroll2 #PRE (cache) #DOM:HR (the #DOM keyword)

108. You configure DHCP to dynamically update the PTR records for clients who lease IP addresses from the server. From where is the domain name used in the PTR record obtained?
a. From the DHCPDISCOVER message
b. From the DHCPOFFER message
c. From the DHCPACK message
d. From the DHCPREQUEST message
e. From the DHCPDISCOVER message
Answer:d

109. Your home office network contains 2 Windows 2000 Server computers, 1 Windows 2000 Professional client computer, and 1 Windows 98 second edition client computer.

You want to accomplish the following goals:
- Provide one Internet connection for the entire network.
- Provide network address translation.
- Provide name resolution.
- Provide IP address configurations for the entire network.

You perform the following tasks:
- You enable Internet Connection Sharing.
- You create a connection between the network and the Internet.
- You install and configure LAN adapters connecting the client computers to the network.

Which goal is accomplished from these tasks?
a. Provide one Internet connection for the entire network
b. Provide network address translation
c. Provide name resolution
d. Provide IP address configurations for the entire network
Answer:a,b,c,d

110. Your WINS server's hard disk fails, and you replace it, and restore the WINS database from a backup that is one week old. Now, users report they cannot browse any of the resources in the other locations.
What should you do?
a. On the WINS server use jetpack.exe utility on the WINS database
b. On the WINS server use the verify database consistency command
c. On the Windows 2000 Server computers, use the NBTStat -RR command to release and refresh the WINS registrations.
d. On the WINS client computer use the ipconfig/registerdns command to register names and IP addresses
Answer:c

111. Your network consists of two Win2000 Servers and 75 Win2000 Professional desktops. One server is a DHCP server which provides TCP/IP configuration to all of the Win2000 Pro computers. You have a global group configured for your helpdesk personnel. You want to allow your help desk support personnel to have only Read access to the DHCP console and the DHCP lease information. What should you do?
a. Give the helpdesk global group NTFS read only permission to the %root%/sysvol/DHCP folder
b. Add the helpdesk global group to the DHCP Admins group
c. Add the helpdesk global group to the DHCP users group
d. Add the helpdesk global group to the local admins group on the DHCP server
Answer:c

112. Your network contains 12 Win2000 servers and 100 Win2000 Professional computers across 4 subnets connected by a router. The servers are used to serve file and print resources to the clients. You install the WINS Server service on a server on one subnet. You configure the WINS option in a DHCP scope to configure all of the computers on the network to register with and query the WINS server for NetBIOS name resolution. Users on the remote subnets report that they cannot access resources located on the WINS server by using its NetBIOS name. Other TCP/IP connectivity is not affected. Users located on the same subnet as the WINS server are not having any problems. What should you do?
a. Install a WINS proxy agent on the remote subnets
b. Enable Dynamic Updates on the WINS server
c. Configure the remote clients to use DNS for NetBIOS name resolution
d.
Configure the WINS server to include its own IP address as a WINS client computer
Answer:d
The clients on the other subnets have the server as their WINS server but since it doesn't have a static mapping for itself the clients can't access resources on it. The clients on the same subnet are accessing its resources because NetBIOS uses broadcasts when the address isn't resolved by WINS. You only need a WINS proxy for clients that aren't WINS enabled, like UNIX workstations for example. If there were any non-WINS enabled systems on the remote subnets then you would need a WINS proxy.

113. You have three Win2000 domain controllers in a single domain. Your primary DNS server is installed on a domain controller named dc1.sycom.com. You have two secondary DNS servers installed on member servers named srv1.sycom.com and srv2.sycom.com. You want to increase fault tolerance for your DNS infrastructure. You also want to optimize and simplify replication and zone transfer management on your network. What should you do? (choose all that apply)
a. Remove the DNS service from the member servers
b. Install DNS on at least 2 more domain controllers.
c. Convert the zone to an Active Directory integrated zone.
d. Promote one of the secondary DNS servers to a primary server and have it host a new zone.
e. Configure secure updates for your zone transfers
Answer:a,b,c

114. DHCP automates the TCP/IP configuration of your Windows 2000 Professional clients. You configure options at the scope level to provide router and DNS server information to the clients. As your network has certain computers that always require a specific address and configuration, you configure reservations in your scope. Your Internet gateway has changed due to the ISP bringing a new router online. You then reconfigure your scope options to reflect the new router address. The users who have reserved addresses report that they can no longer access the Internet. What should you do? (Choose two)
a.
Use the ipconfig/renew command at each client computer. b. Use the ipconfig/release command at each client computer. c. Configure the scope options to include the Performed Router Discovery option. d. Configure the server options to include the Performed Router Discovery option. e. Configure the options on each address reservations to include the new router information Answer: a,d Router discovery provides an improved method of configuring and detecting default gateways. When using DHCP or manual default gateway configuration, there is no way to adjust to network changes. Using router discovery, clients dynamically discover routers and can switch to backup routers if a network failure or administrative change is needed. Router discovery is made up of two types of packets: Router Solicitations sent by hosts, and Router Advertisements sent by routers. Windows NT 4.0 supports router discovery as a host only. This feature is disabled by default. 115. You are the administrator of a Windows 2000 network. The network has 18,000 Windows 2000 Professional WINS client computers and six Windows 2000-based WINS servers The WINS client computers are portable client computers, and they frequently connect to the network at different locations. The WINS client computers access NetBIOS-based resources. The TCP/IP configuration of the WINS client computers is provided by DHCP servers on the network. Some of the WAN links in your network are unreliable You want to ensure that all Windows 2000 Professional computers are able to resolve NetBIOS names, even if some of the WINS servers are not available. How should you configure the network to accomplish this goal? a. On each segment, configure a computer as a WINS proxy b. Configure the DHCP servers to provide each client computer with a list of WINS servers. c. Configure the WINS servers to enable burst handling Set the number of requests for burst handling to High d. 
Configure the DHCP server to set the NetBIOS over TCP/IP node type for each client computer to Mixed node Answer:b - The burst queue allows WINS to handle intermittent periods of heavy registration and refresh traffic, such as when the WINS server is either started with a clean database or when many WINS clients come online for the first time. Either situation creates a large number of requests for registration and refreshment of names. - The function of burst handling is to answer requests superficially (with a positive response), therefore decreasing the load on the network. Burst handling also extends and varies the delay interval to distribute the load over time. Burst handling is enabled for any WINS server running Windows NT Server 4.0 with the current service pack, as well as with Windows 2000 Server. A WINS server that supports burst handling initiates burst handling once the number of WINS client registration requests exceeds the burst queue size. By default, burst handling is enabled, and the burst queue is sized to Medium. - To configure WINS clients with the IP address of one or more WINS servers, open Network and Dial-up Connections and click Local Area Connections. Click the Properties button, select the Internet Protocol (TCP/IP) Properties entry in the list, and click Properties, then click Advanced and select the WINS Address tab. - In previous versions of Windows NT, clients were only able to use a primary and secondary WINS server. For Windows 2000, WINS clients can be configured with up to 12 WINS servers. These servers can be configured either statically at the Internet Protocol (TCP/IP) properties dialog box or dynamically through DHCP (using option 44). By configuring additional WINS servers, clients gain additional fault tolerance. 116. Your network consists of one Win2000 domain named sycom.local. You want to ensure that internal name resolution traffic never passes outside the network.
External name requests must be handled by an external DNS server. What should you do? a. Copy the systemroot\system32\dns\samples\cache.dns file to the systemroot\system32\dns\cache.dns file b. Delete the root zone for your local namespace and configure all internal DNS servers to forward name resolution requests to the external DNS server c. Install a caching DNS server on the DMZ. d. Delete the sycom.local.dns file from the systemroot\system32\dns folder and configure all DNS servers to perform only iterative name resolution Answer:b 117. You are the administrator of a Windows 2000 network. The network contains a Windows 2000 server computer named Ireland that contains two network interfaces: interface_A and interface_B. Routing and Remote Access is enabled as a router on Ireland. The network segment connected to interface_A contains a Windows 2000 DHCP server named ServerD as shown in the EXHIBIT. You want to allow computers on the segment connected to interface_A to be able to use the DHCP server. How should you configure Ireland to accomplish this goal (choose all that apply) a. Configure a DHCP relay agent to run on interface_A b. Configure a DHCP relay agent to run on interface_B c. create a static route to the IP address of interface_B d. create an IP tunnel to connect interface_A to interface_B e. Configure a DHCP relay agent to use the port number of the DHCP server f. Configure a DHCP relay agent to use the IP address of the DHCP server as the server address. Answer:b,f I see it as being multi homed, and mapped it by hand from question. Segment B would need a DHCP relay and you would point the relay back to the DHCP... so to me B and F are correct. a- incorrect, since there is already a DHCP on A, why would you put a DHCP relay there? c- incorrect, need to configure a DHCP relay d- incorrect, not a VPN issue e- incorrect, throw this one away 118. You are the administrator for a Windows 2000 Server network.
You have a Dynamic Host Configuration Protocol (DHCP) Server which is configured to give DHCP clients all appropriate TCP/IP settings. You also have a Domain Name System (DNS) / Windows Internet Name Service (WINS) server. You set up a Windows 2000 Server computer to be the dial-up connection server and want to configure the security for the dial-up connections. You want to accomplish the following goals: Require the entry of a password upon connection. Use the Windows logon and password for authentication. Require the use of data encryption. Automatically run a script named logon.scp upon connection. You perform the following actions: From the dial-up connection properties on the Security tab in the Security options section, select Typical (recommended settings) radio button. For the Validate my identity as follows box, select Allow unsecured password. Check the Automatically use my Windows logon name and password (and domain if any) box. Check the Require data encryption (disconnect if none) box. In the Interactive logon scripting section, check the Run script box and type in filename logon.scp. Which goal or goals are accomplished from these actions? (Choose all that apply.) a. Require the entry of a password upon connection b. Use the Windows logon and password for authentication c. Require the use of data encryption d. Automatically run a script named logon.scp upon connection Answer:a,d If you would choose Allow unsecured password then Use the Windows logon and password for authentication and require the use of data encryption become gray and you cannot check them A is correct: You still need a username & password for the connection B is wrong: If u choose "Allow Unsecure Password", this option is dimmed, and cannot be chosen C is wrong- same reason as B D is correct: This will run the script upon connection 119. Your network has two sites, Sacramento and Phoenix, and two DNS zones. 
The primary DNS server in Sacramento is named ns1.xco.com, and is authoritative for the root zone in xco.com. The primary DNS server in Phoenix is named ns2.phoenix.xco.com. This server is authoritative for the delegated subdomain phoenix.xco.com. You notice several Knowledge Consistency Checker (KCC) warnings. They indicate that the KCC cannot establish a replication link with the directory partitions in Phoenix. What should you do? a. On the ns2.phoenix.xco.com run the nbtstat -a ns2.phoenix.xco.com command b. On the ns2.phoenix.xco.com run the nslookup -type=ns -norecurse xco.com command c. Create the host file on ns2.phoenix.xco.com server that creates address for ns2.xco.phoenix.com d. Change the DNS record that points to the ns2.phoenix.xco.com to phoenix.xco.com. NS ns2.phoenix.xco.com. Answer:d KCC tries to find the boss (primary DNS server) which has the final authority on the DNS records to establish a replication topology and links. If an NS record for the boss can't be found, there is no replication. An NS record indicates the machine acting as name server for the zone. In our example we have two machines acting as name server. nunet.ng. NS dns1.nunet.ng. nunet.ng. NS dns2.nunet.ng. The general format is NS the name server (NS) resource record is used to notate which DNS servers are designated as authoritative for the zone. By listing a server in the NS RR, it becomes known to others as an authoritative server for the zone. This means that any server specified in the NS RR is to be considered an authoritative source by others, and is able to answer with certainty any queries made for names included in the zone. It is merely a record saying who is the boss with the final authority. 120. You are the administrator of a Windows 2000 network. The network has two Windows 2000 servers named router1 and router2. Routing and Remote Access is enabled as a router on router1 and router2. There are no other routers on the network. A part of the IP routing table is shown in the following.
To change routing information, you want to enable RIP for IP on router1 and router2. You configure RIP for IP on router1 and router2. You Configure router1 and router2 as follow: - Set operation mode to periodic update mode - set outgoing packet protocol to RIP V1 broadcast - Set incoming packet protocol to RIP V1 and RIP v2 - specify router1 and router2 as unicast neighbours of each other When monitoring the IP routing table of router2, you note that server is not receiving the correct router from router1 Change router configuration, what should you do? a. configure RIP IP to include host router in announcements that are sent b. configure the RIP for IP interface to add an input packet filter that will allow network traffic for RIP port 320 c. Set RIP for IP outgoing packet protocol to RIP V2 broadcast d.
Specify router1 and router2 as RIP for IP peer router Answer:c 121. You are the administrator of your company's network. You need to Implement a remote access solution that is highly available and highly secure. Your company consists of a single location and has a T3 connection to the Internet. Your company has 1,000 salespeople who need reliable connectivity to the company network from any remote location All servers are running Windows 2000 Advanced Server, and all client computers are running Windows 2000 Professional. You want to accomplish the following goals: a- No single point of failure, aside from total loss of the T3, will result in total loss of remote access connectivity. b- No authentication traffic will be carried as clear text. c-. No data traffic will be carried as clear text. d-. Support for at least 200 simultaneous remote users accessing the network will be available at all times. You take the following actions: Install three virtual private network (VPN) servers at the main office. Configure each VPN server to support 150 PPTP connections. Configure the client computers to use microsoft challenge handshake (ms-chap v2) as the authentication protocol. Which result or results do these actions produce? (Choose all that apply) a. No single point of failure, aside from total loss of the T3, results in total loss of remote access connectivity b. No authentication traffic is carried as clear text c. No data traffic is carried as clear text d. Support for at least 200 simultaneous remote users accessing the network is available at all times Answer:a,b,c,d B is correct, because of the use of MS-CHAP v.2 C is correct, because you set up VPN connections - tunneling data D is correct because should one connection failed, there still would be another 2X150=300 connections available. 123. Your company has a SNMP-enabled network router installed on its network. Your company wants to monitor all SNMP traffic generated by the router. 
You install Network Monitor on a Windows 2000 server computer on your network. Your router is configured to trap to an SNMP manager installed on another server. You want to receive a notification whenever the network router raises an SNMP trap. What should you do? (Choose two) a. Create a Network Monitor filter that has a pattern match for SNMP traffic. b. Install SNMP on the server. c. Create a Network Monitor trigger to run the Net Send command d. Create a TCP/IP filter on the server. e. Start the Windows 2000 Alerter Service on the server. f. Configure the network router to trap to the IP address of the server. Answer:a,c 124. You are the administrator of a single Windows 2000 Domain. You have just configured an RRAS server to allow several company managers the ability to dial in to your company network from home. Later you receive a call from a company manager reporting that although she can successfully connect to the company network she cannot access all the resources on the network. After further investigation you realize that she is only able to access resources on the subnet where the dial-in server is located. What dial-in setting should you ask her to change? a. IP Address b. Disable Use IP compression c. Check the Use default gateway on remote network checkbox d. On the DNS tab of TCP/IP settings, check the register this connection's address in the DNS checkbox. e. On the WINS tab of the TCP/IP settings, check the Use NetBIOS settings from the DHCP server Answer:c 125. Your network consists of 90 client computers and 50 portable computers. Computers in your network only run Windows 2000 Professional. Only 20 of the users of the portable computers will ever be in the office at the same time. You have purchased a subnetted Class B subnet with a 25-bit mask to accommodate the number of users for your network. All users need access to the Internet while in the office. How should you configure DHCP? a.
Create 2 scopes, one for the desktop computers and one for the portables. b. Create a superscope with 2 scopes. One scope for the desktops and one for the portables. c. Create a superscope with 2 user classes. Set each class with a different lease duration. Use a shorter lease for the portable computers. d. Create one scope with 2 user classes. Set the class for the desktops with a default lease duration. Set the lease duration for the class for the portables to 1 day. Answer:d Reason and Source : Windows 2000 Server Resource kit TCP/IP Core Networking Guide User classes allow DHCP clients to differentiate themselves by specifying what type of client they are, such as a remote access or desktop computer. For Windows 2000 computers, you can define specific user class identifiers to convey information about a client's software configuration, its physical location in a building, or about its user preferences. For example, an identifier can specify that DHCP clients are members of a user-defined class called "2nd floor, West," which has need for a special set of router, DNS, and WINS server settings. An administrator can then configure the DHCP server to configure different option types depending on the type of client receiving the lease. Windows 2000 user classes can be used in the following ways: DHCP client computers can include the DHCP user class option when sending DHCP request messages to the DHCP server. This can specifically identify the client as part of a user class on the server. DHCP servers running the Microsoft DHCP service can recognize and interpret the DHCP user class option from clients and provide additional options (or a modified set of DHCP options) based on the client's user class identity. For example, shorter leases should be assigned to remote access clients. Desktop clients on the same network might require special settings, such as CAD platforms. These variations could also include WINS and DNS server settings. 
How user classes work User classes allow DHCP clients to differentiate themselves by specifying a User Class option. When available for client use, this option includes a user-determined class ID that can help to group clients of similar configuration needs within a scope. For example, you might support users and computers with mobile computing needs by configuring a user class at the DHCP server and setting the related class ID at the client computers. A user class is useful when you need to keep separate options that cover the special needs of identifying client computers, such as providing a shorter lease time for portable computers that move frequently or use remote access often. In this example, you could configure the DHCP server to distribute different options that are specific to the needs of clients. 126. You are the network administrator for Woodgrove Bank. The network is configured as shown in the exhibit. Windows 2000 Professional computers on the network have their preferred DNS set to 172.16.34.130. DNS is configured as in the exhibit. You try to access a resource on Pro7 from Pro1 and are unsuccessful. You then try to ping Pro7 using its host name from Pro1 and you receive the following error "Bad IP address" even after restarting both PCs. What should you do? (Choose best answer) a. Run ipconfig/registerdns on Pro1 b. Delete the Pro7 entry in DNS server c. Delete the Pro1 entry in DNS server d. Delete the Pro7 in the hosts file on Pro1 e. Delete the Pro7 in the lmhosts file on Pro7 Answer:d 127. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named DeskA. Routing and Remote Access is enabled for remote access on DeskA. Your company is organizing an industry trade show in a conference center. You have set up 15 desks and telephones in the conference area. During the conference, attendees will be allowed to dial in to your network by using any of the 15 telephones.
Each telephone line has its own telephone number. The conference attendees can use their own portable computers to dial in. When attendees dial in to DeskA, they do not need to specify a user name or password. However, you do not want to allow dial-in access from any telephone other than the 15 telephones in the conference area. You enable unauthenticated access on the DeskA remote access server You also create a remote access policy named Conference that allows unauthenticated access as the authentication method. Attendees report that they are not able to dial in unless they specify a user name and password You want to ensure that attendees can dial in without specifying a user name and password. What should you do? a. Create a user account named Conference Guest. Configure Routing and Remote Access to use the Conference Guest account as the default user identity. b. Configure the Conference Guest account to use the 15 phone numbers as Caller ID. Create 15 user accounts named Conf-1, Conf-2, Conf-3, and so on through Conf-15 Specify a separate Caller ID phone number for each of the 15 users. c. Create 15 user accounts that use each phone number as the user name. Configure Routing and Remote Access to use the calling number as the authentication identity. d. Configure the Conference remote access policy so that it has a Calling-Station ID condition. Use the 15 phone numbers as the condition Answer:c ANI authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, IAS receives Calling-Station-ID, and no user name and password. Enabling ANI Authorization 1- Enable unauthenticated access on the remote access server. 2- Enable unauthenticated access on the appropriate remote access policy for ANI/CLI-based authentication. 3- Create a user account for each number calling, for which you want to provide ANI/CLI authorization. 
The name of the user account must match the number that the user is dialing from. For example, if a user is dialing in from 555-0100, create a "550100" user account. 4- Set the User Identity Attribute registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy) to 31 on the authenticating server. This registry setting tells the authenticating server to use the calling number (RADIUS attribute 31, Calling-Station-ID) as the identity of the calling user. The user identity is set to the calling number only when there is no user name being supplied in the connection attempt. 128. You are the administrator for your company's Windows 2000 network. You have a branch office that you want to connect to your main office by using demand-dial routing. You set up a demand-dial router at both offices. However, you are not able to reach any locations at the main office beyond the demand-dial router. What should you do? a. You don't have any packet filters configured at the main office. b. You don't have any static routes configured at the main office. c. You don't have any packet filters configured at the branch office. d. You don't have any static routes configured at the branch office. e. The Demand-dial interface has not been added to the protocol being routed. Answer:b 130. Your DNS server runs on Windows 2000 Server, and provides name resolution within your Internet domain. You have five Web servers to handle company information and client reservations. Each Web server is configured to maintain exactly the same content as all the other Web servers. All the Web servers respond to the same host name. Customers are complaining about response times from your Web server. After monitoring your Web servers, you discover that four of the servers are idle. In the DNS Management console, what should you do to ensure load balancing and improve response times? a. Verify that A (host) records have been created for each server. b.
Disable Round-Robin on the DNS server. c. Enable Round-Robin on the DNS server. d. Add Canonical Name (CNAME) records for each server with their IP. e. Assign a unique IP address to each web server. Answer:a,c 131. You are the administrator of your company's network The network consists of five subnets that are connected by a BOOTP relay-enabled router There are 50 Windows 2000 Server computers and 1,000 Windows 2000 Professional client computers distributed approximately evenly across the five subnets. There are also 25 UNIX servers and 100 DHCP-enabled network printers on the network You want to accomplish the following goals: The correct assignment of IP addresses to each client computer on each subnet will be automated Address conflicts between client computers and servers will be prevented Correct scope options will be applied to each client computer on each subnet Client computers that are not in use will be prevented from keeping an IP address for more than three days. Each network printer will always receive the same IP address You take the following actions: Install the DHCP Server service on a Windows 2000 Server computer. Create five scopes, each containing the address range for a specific subnet In the DHCP console, set optional client configurations for each scope in the Scope Options container Exclude the range of addresses in use by the servers Exclude the range of addresses in use by the network printers. Which result or results do these actions produce? (Choose all that apply) a. The correct assignment of IP addresses to each client computer on each subnet is automated b. Address conflicts between client computers and servers are prevented c. Correct scope options are applied to each client computer on each subnet d. Client computers that are not in use are prevented from keeping an IP address for more than three days e. Each network printer always receives the same IP address Answer:a,b,c 132. 
You are the administrator for your company's Windows 2000 network. Your network contains 7 domain controllers all running Windows 2000 Server. Two of the seven domain controllers are configured as DNS servers. The network is divided into 7 subnets and uses TCP/IP as its only network protocol. The 500 client computers are running Windows 2000 Professional. File sharing is used to grant access to local files. You need to configure the network so all computers can resolve all addressing using DNS. Client computers must also be able to continue to register and resolve addresses if a server fails. How should you configure the DNS servers? a. Configure one server with a standard zone for the domain and configure at least one server with an Active Directory integrated primary zone. b. Configure one server with a standard zone for the domain and configure at least one server with a standard secondary zone. c. Configure at least two servers with Active Directory integrated primary zones for the domain. d. Configure one server with an Active Directory integrated primary zone for the domain, and configure at least one server with a standard secondary zone. e. Configure at least two servers with standard primary zones for the domain. Answer:c 133. You are the network administrator for a small company. You plan to use two machines running Windows 2000 Server with multiple network cards as routers for your network. You would like to have the ability to do Classless Inter-Domain Routing as well as institute Variable Length Subnet Masks. Which of the following routing protocols can you use to support these features? Choose all that apply. a. EIGRP b. OSPF c. RIPv1 d. RIPv2 Answer: b,d 134. You have just been hired as the network administrator for a Windows 2000 network. The network uses TCP/IP exclusively and is not connected to the Internet. The 190.30.0.0 address range is used.
When the company was first started several years ago, the network infrastructure was not planned and default settings were used. Now that the company and network have both grown considerably, a network plan needs to be created. Network traffic has been steadily rising and performance has become an issue. You need to develop a plan to improve performance and accommodate network growth. Over the next three years the projected growth of the network is 60 subnets with 750 hosts per subnet. Which CIDR-notation network IP address should you use to meet both current and future needs of your network? a. 190.30.0.0/20 b. 190.30.0.0/21 c. 190.30.0.0/22 d. 190.30.0.0/23 Answer:c 135. You are the administrator of your company's network. Both Windows 2000 and NetWare 4.0 servers are present on the network. You have successfully installed Client Service for NetWare on all Windows 2000 Professional client computers in the network and Gateway Service for NetWare on the Windows 2000 Server computers. You have just added another Windows 2000 Server computer to the network and have installed Gateway Service for NetWare. However, the server is not able to connect to any of the NetWare servers. What should you do? a. On the new Windows 2000 Server computer enable NWLink NetBIOS b. On the new Windows 2000 Server computer install the SAP Agent. c. On the new Windows 2000 Server computer install RIP routing for IPX d. On the new Windows 2000 Server computer configure the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol to use the correct Ethernet frame type. e. On the NetWare 4.0 Server computers configure the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol to use the correct Ethernet frame type. Answer:d 136. All client computers in your domain use DHCP for TCP/IP configuration. Your network admin installs a new T1 line and router for Internet access. This router is to be used by administrative staff only.
You want to configure the administrative staff's client computers to use this new router, and ensure that non-administrative staff cannot gain Internet access through this new router. You must ensure that each targeted client computer will only need to be configured once. What should you do? a. Remove the default Remote Access Policy b. Set permissions on the Remote Access Policy to "No access" for the Authenticated Users group c. Use the route add -d command and map the new router information on each of the administrative client computers d. Use the route add -p command on each of the administrative computers and enter the new router information Answer:d Reason and source : Route command help When used with the ADD command, -p makes a route persistent, even after system reboots. By default, routes are not preserved when the system is restarted. 137. You are the administrator for your company's Windows 2000 network. Your company has three offices: one in Dallas, TX, one in Houston, TX, and one in Galveston, TX. Houston and Galveston are connected to Dallas by a T1 line. Each site has its own Windows Internet Name Service (WINS) server. You have implemented WINS replication between the WINS servers. You view the WINS database on the WINS server in Houston. It contains records in the active state, records in the released state, and records in the tombstoned state. Which records will be replicated to the WINS server in Dallas? a. All the records, regardless of their state b. Only records in the active state c. Both the records in the active state and the records in the released state d. Both the records in the active state and the records in the tombstoned state e. Both the records in the released state and the records in the tombstoned state Answer:d Tombstoning When you tombstone a record you don't remove it from the database; rather, it is marked as being in a tombstone state.
Tombstone entries don't get purged from a WINS database until WINS runs a scavenging operation. That happens every 3 days by default. WINS replicates only records in the active and tombstone states. WINS replication is always incremental: only changes in the database are replicated each time replication occurs. To replicate database entries, each WINS server in a network must be configured as either a pull partner or a push partner with at least one other WINS server. How Records Change and Update A WINS server always enters name registrations in its database in an active state and time stamped with the sum of the current time and the renewal interval. The version ID is taken from the version ID counter, and the counter is then incremented. If a name is explicitly released or not refreshed during the renewal interval, the name enters the released state. The WINS server gives the database entry a time stamp using the sum of the current time and the extinction interval, and leaves the version ID unchanged. Thus, released records are not replicated. If a record remains released past the extinction interval, the WINS server changes the state of the record to tombstone, gives the record a time stamp using the sum of the current time and the extinction timeout, and increments the version ID of the record so that the record will be replicated. If a record remains in the tombstone state for a period longer than the extinction timeout, it is deleted from the database. WINS replicates only records in the active and tombstone states. In the WINS database, WINS enters these replica records with the fields received from the owner database, with the exception of owner ID and time stamp. (The owner ID comes from the local IP address-to-owner ID mapping table because the value used locally to represent a particular WINS server differs from server to server. For example, WINS-D might be represented by a 2 on WINS-B and by a 3 on WINS-A.)
WINS gives an active record a time stamp that is the sum of the local current time and the verification interval. WINS gives a tombstone record a time stamp that is the sum of the local current time and the extinction timeout.

138. You are the administrator for your company's network. The company Internet web server (IIS) runs on a Windows 2000 Server computer. The web server is not a member of any domain in your company network. For security reasons you want to keep the web server separate from the rest of the network. Your company has decided to allow customers to make online transactions available through the web site. To ensure customer transaction security, the company has decided to accept transactions only through encryption. It has also been decided that customers should be assured of your web server's identity when they make online transactions. What type of CA would you install?
a. Install an enterprise CA on your server.
b. Install a subordinate enterprise CA on your server from a known commercial CA.
c. Install a stand-alone CA on your server.
d. Install a stand-alone subordinate CA on your server from a known commercial CA.
Answer:d

139. You are the administrator for your company Windows 2000 network. You have a server that uses RIP. You have been told that RIP routers are not receiving routes. What should you check? (Choose all that apply).
a. Ensure RIP authentication is enabled.
b. Ensure you have configured RIP peer filtering.
c. Ensure you are not deploying variable length subnet masks.
d. Ensure IP packet filtering is not preventing input or output of RIP announcements.
Answer:c,d

140. You are the administrator of your company's network. The network consists of Windows 2000 Server computers, Windows NT Workstation client computers, and Windows for Workgroups 3.11 client computers distributed across three subnets. All client computers are configured as DHCP client computers to automate TCP/IP configuration.
You install a WINS server on one subnet on your network. You also define a DHCP scope option to include the WINS server's address. Users report that they can access resources on servers on their own subnet, but they cannot access resources on other subnets. What should you do to resolve this problem?
a. Use the ipconfig /renew command to refresh the client computers' configuration
b. Use the ipconfig /release command to refresh the client computers' configuration
c. Install a WINS proxy agent on the subnet that hosts the WINS server
d. Install a WINS proxy agent on the subnets that do not host the WINS server
e. Enable dynamic updates on the WINS server
Answer:d
WINS proxy agent issues. Microsoft TCP/IP allows a WINS-enabled computer to act as a WINS proxy agent for b-node clients on the network. The WINS proxy agent can resolve broadcast name queries from the b-node clients through the WINS server. A proxy agent does not participate in the name registration process, nor does it check for duplicate names in the WINS server database for the b-node client. Examples of computers on the network that might be b-node clients include computers running MS-DOS, Windows 3.1, or Windows for Workgroups that do not have WINS client software installed, or SMB-based network servers such as IBM LAN Server, DEC PATHWORKS, AT&T StarLAN, and LAN Manager for OS/2 or UNIX systems.
When the DHCP lease of your Windows 95 or Windows for Workgroups 3.11 computer is released and renewed, the node type and scope ID are not updated. For example, when you release the lease, make changes to the Node Type and Scope ID information and renew the lease with the IPCONFIG /RENEW (or WINIPCFG /RENEW for Windows 95) command, the new lease does not include the updated Node Type and Scope ID. The system defaults to B-node while there are no WINS servers configured.
So if you have Windows for Workgroups 3.11 computers in your network, before they reboot, they cannot update their Node type by using ipconfig /renew; you have to install a WINS proxy agent on the subnet before they can access resources on other subnets! The answer should be d.

141. You are the administrator for your company's Windows 2000 network. The network contains an FTP server, which uses the default FTP port. You want to configure a filter to allow traffic to send packets to and from the FTP server. What filters should you configure? (Choose all that apply).
a. Input filter source IP address of the FTP server and TCP source port 21
b. Input filter source IP address of the FTP server and TCP source port 20
c. Output filter source IP address of the FTP server and TCP source port 21
d. Output filter source IP address of the FTP server and TCP source port 20
e. Input filter destination IP address of the FTP server and TCP source port 21
f. Input filter destination IP address of the FTP server and TCP source port 20
g. Output filter destination IP address of the FTP server and TCP source port 21
h. Output filter destination IP address of the FTP server and TCP source port 20
Answer: c,d,e,f

142. You are the administrator of a Windows 2000 network. The network has six Windows 2000-based WINS servers and two Windows 2000-based DHCP servers. To anticipate the migration of the network from WINS to DNS, you decide to remove one WINS server named Wins6 from the network by performing the following actions. On Wins6, stop the WINS Service and uninstall WINS. On the DHCP servers in the network, reconfigure the options to no longer specify Wins6 as a WINS server. Configure the DHCP options to instead use the other five WINS servers equally. On WINS client computers that are manually configured to use TCP/IP, reconfigure the network properties to no longer use Wins6 as a WINS server. Configure these client computers to instead use any of the other five WINS servers.
On one of the remaining WINS servers, delete the static mappings originally made on Wins6. After several weeks, you notice that static mappings originally made on Wins6 are still present on all the remaining WINS servers. What should you do to permanently remove these unwanted static mappings from the remaining WINS servers?
a. On the remaining WINS servers, use the Scavenge Database command in the WINS console
b. On the remaining WINS servers, perform an offline compaction of the WINS database
c. Configure the remaining WINS servers to use Migrate On handling of static entries
d. On one of the remaining WINS servers, manually tombstone the Wins6 owner from the database.
Answer:d
- When simple deletion is used, records selected using the WINS console are removed from the current local WINS server that you are managing. If WINS records deleted this way have been replicated to other WINS servers, these additional records will not be removed fully. The records on other WINS servers remain in those databases unless you specifically use the WINS console to remove them from each server, one at a time. In addition, records deleted on just one server might reappear when replication next occurs between WINS servers configured as replication partners. When you use tombstoned deletion to remove a record owned by your selected server, the selected records are removed from all WINS servers that replicate the records. Manual tombstoning provides an excellent way of dealing with static records, too. When the tombstoned records are replicated, the tombstone status is updated and applied by other WINS servers that store replicated copies of these records. Each replicating WINS server updates and individually tombstones these records. Once all WINS servers have replicated these records, the records are automatically removed from WINS after the period set by the verification interval of each server.
- Check the WINS database for the name.
If you find a static record, remove it from the database of the primary WINS server for the client where the duplicate name was detected. Alternatively, select the Migrate (Overwrite unique static record with dynamic record) check box in Replication Partners Properties for the WINS server. Now the static mappings in the database can be updated by dynamic registrations (after WINS successfully challenges the old address).
- Like any database, the WINS server database becomes littered with junk entries over time and must periodically be cleaned and backed up. Scavenging the WINS server database takes care of this. It is usually performed at the same time as regular backups. Scavenging updates the name state of WINS database entries, clearing the local WINS server database of released entries. It also clears away entries replicated from a remote WINS server that were not removed from the local WINS database when they were removed from the remote database.

143. You configure your remote access server to allow DHCP to assign addresses and configurations to the client computers. Users report that they cannot access network resources by using the server name or by searching Active Directory. You discover that when you connect to the remote access server your client computer is receiving an IP address but none of the DHCP options. What should you do to resolve this?
a. Configure the RRAS server to act as a DHCP Relay Agent
b. Create a static mapping for the RRAS internal interface to the DHCP server
c. Enable TCP/IP filtering on the external interface of the RRAS Server
d. Install a DHCP Relay Agent on the DHCP server
Answer:a

144. You are the administrator of your company's network. Your company owns the Class B subnet 172.41.48.0/24 that consists of 12 servers and 200 client computers, all configured as DHCP clients. The hard disk on your company's DHCP server fails, and your server responds with a fatal error.
Your company does not have a backup of the server, and you do not remember which IP addresses have been distributed throughout the network. You need to install a new DHCP server to prevent any connectivity problems that might occur. What should you do? (Choose two)
A. Increase Conflict Detection Attempts on the DHCP server
B. Decrease Conflict Detection Attempts on the DHCP server
C. Add an exclusion for the 12 servers
D. Create a scope that has a range of 172.41.48.1 to 172.41.48.200
E. Create a scope that has a range of 172.41.48.1 to 172.41.48.254
Answer:a,e
Use server-side conflict detection on DHCP servers only when it is needed. Conflict detection can be used by either DHCP servers or clients to determine whether an IP address is already in use on the network before leasing or using the address. For DHCP clients running Windows 2000 and earlier versions, client computers that obtain an IP address use a gratuitous ARP request to perform client-based conflict detection before completing configuration and use of a server offered IP address. If the DHCP client detects a conflict, it will send a DHCP decline message (DHCPDECLINE) to the server. If your network includes legacy DHCP clients, you can use server-side conflict detection provided by the DHCP Server service under specific circumstances. For example, this feature might be useful during disaster recovery when scopes are deleted and recreated. By default, the DHCP service does not perform any conflict detection. To enable conflict detection, increase the number of ping attempts that the DHCP service performs for each address before leasing that address to a client. Note that for each additional conflict detection attempt that the DHCP service performs, additional seconds are added to the time needed to negotiate leases for DHCP clients. Typically, if DHCP server-side conflict detection is used, you should set the number of conflict detection attempts made by the server to use one or two pings at most.
This provides the intended benefits of this feature without decreasing DHCP server performance. To open DHCP, click Start, point to Programs, point to Administrative Tools, and then click DHCP. When conflict detection attempts are set, the DHCP server uses the Packet Internet Groper (ping) process to test available scope IP addresses before including these addresses in DHCP lease offers to clients. A successful ping means the IP address is in use on the network. Therefore, the DHCP server does not offer to lease the address to a client. If the ping request fails and times out, the IP address is not in use on the network. In this case, the DHCP server offers to lease the address to a client. Each additional conflict detection attempt delays the DHCP server response by a second while waiting for the ping request to time out. This increases the load on the server. A value of no greater than two (2) for ping attempts is recommended.

145. Your network consists of one Win2000 Domain. All servers and clients are running Win2000. You have configured your DNS standard primary zone to include the addresses of all of your servers. After adding new member servers to your network, users report that they can find these servers in the directory but cannot access them. What should you do?
a. Set the "Allow Dynamic Updates" setting for the DNS standard primary zone to "Yes"
b. Add reservations for the new servers on the DHCP server
c. Create mapping for the new servers in the WINS database
d. Configure the new servers as DHCP Proxy servers
Answer:a

148. You are the administrator for your company network. Your company has been assigned Class C addressing. Projected growth for the company over the next 3 years indicates a need for as many network nodes as possible. What subnet mask should you use to maximize the amount of network nodes available on the network?
a. 255.255.255.0
b. 255.255.255.240
c. 255.255.255.248
d. 255.255.255.252
e. 255.255.255.254
Answer:a

149.
You administer your company's Windows 2000 network. Your company employs a sales force that needs access to the latest company data when traveling. You want to ensure that the company will establish a network connection for your salespeople regardless of where the call originates. Your company also allows customers access to the network using Routing and Remote Access to view and track orders. To ensure network and data security, your company wants to specify the location from which customers can connect to your network. You want to configure your company's Routing and Remote Access server (RRAS) to facilitate access for salespeople and for customers. You want both the salespeople and the customers to use mutual authentication to provide protection against remote server impersonation. Which settings should you configure? (Choose three.)
a. Set Callback option to Always Callback To for salespeople
b. Set Callback option to Set by Caller for salespeople
c. Set Callback option to No Callback for customers
d. Set Callback option to Always Callback To for customers
e. Enable Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
Answer:b,d,e

150. You configure Remote Access Service running on a Windows 2000 Server computer, in a native mode Windows 2000 domain. Users will access this server to connect to the network from external locations. Your company operates 24 hours a day, 7 days a week so no time restrictions should be implemented. Public access should not be allowed. To accomplish these goals, you delete the default remote access policy. However, dial-in users are reporting that they are unable to connect. What should you do to resolve the dial-in connection problems?
a. Create a new remote access policy that has the condition to grant all members of the domain users group dial-in access.
b. Create a new group policy that grants dial-in permissions for the domain user group
c.
Edit the remote access policy to allow CHAP as the only authentication method
d. Edit the remote access policy to allow PAP and SPAP as the only authentication methods
Answer: a

151. You are the administrator of your company's Routing and Remote Access servers. Your company's administrators are able to dial in to the company's network to perform remote monitoring and administration. This remote monitoring and administration requires an excessive amount of network bandwidth. You want to allow only administrators to use multiple phone lines, and you want to limit all other users to a single phone line. You want to configure multiple phone-line network connections to adapt to changing bandwidth conditions. When the phone lines fall below 50 percent capacity, you want to reduce the number of phone lines utilized. You also want to allow all users the ability to connect to the network by Routing and Remote Access. No default remote access policies currently exist. What should you do? (Choose three)
a. Create one remote access policy on the Routing and Remote Access server
b. Create two remote access policies on the Routing and Remote Access server
c. Allow Multilink
d. Decrease the maximum number of ports used by the Routing and Remote Access server
e. Select the Dynamic Bandwidth Allocation Protocol (BAP) or BACP for Multilink check box.
f. Increase the maximum number of dial-up sessions
Answer:b,c,e

152. Your network consists of two Win2000 servers and 50 Win2000 Pro desktops. You configure DHCP server to automatically update your DNS server's forward and reverse lookup zone files with the clients' DHCP information. In the reverse lookup zone some of the client computers do not have PTR records. What should you do?
a. Configure the DHCP server to always update DNS, even if a client computer does not request it
b. Enable Dynamic Updates on the DNS server
c. Add the DHCP server to the DHCPProxyUpdate list
d.
Configure the DHCP clients by putting a check mark in the "Update DNS" box on the TCP/IP properties Advanced tab.
Answer:a

153. You are the administrator of your company network. The TCP/IP network consists of a single Windows 2000 domain that spans multiple locations. The locations are connected over the internet by use of Routing and Remote Access. Windows 2000 DNS servers are used to facilitate name resolution for client access to resources on the network. Zone transfers between your DNS servers across the internet should be secure and should not be able to be compromised by outside parties. What should you do?
a. Select the option to allow zone transfers to servers only listed on the Name Servers tab.
b. Configure the Active Directory integrated zone.
c. Configure the Allow Dynamic updates setting for your zone to Yes.
d. Configure the Allow Dynamic updates setting for your zone to Only secure updates.
Answer:a
This is from the win2k ad.srv help file: "When you select the option to install and configure a DNS server during the Active Directory Installation wizard, zones are created based on the DNS name you have specified during the process of promoting the server to a domain controller. Other tasks might also be useful once the first server in the domain is promoted to a domain controller, such as changing the zone type from Standard primary to Active Directory-integrated and changing the update policy for the zone to Allow Only Secure Updates."
I agree if the question is asking for one answer, I would go with answer a. If it was a multi-answer question, possibly B & D. Here's what I have researched: If you create an Active Directory from scratch, it is by default set for secure updates. If you upgrade an existing Standard Primary Zone to AD Integrated zone, it applies non-secure dynamic updates and no dynamic updates, or it carries over these settings from what was originally configured. The thing that gets me here is the word "Secure".
Is answer A really secure? Maybe they are hinting this is an Active Directory integrated zone. So answer B may be a better answer as if it were a new ADI Zone, it would be secure by default.

154. Your network contains 10 segments connected by 4 routers. RRAS is enabled as a router and they use RIPv2. You have additional routers that use v2. These other servers may have incorrect routing information. How can you ensure the first four routers do not process routes received from any other routers but Routers 1-4? Check all that apply:
a. Configure the RIP routing protocol on the four routers to use RIP peer filters. List the other three routers as RIP peers.
b. On each RIP interface on the four routers, configure route filters for outgoing routes. Announce only routes that are connected to the four routers.
c. Configure each RIP interface on the four routers to unicast to RIP neighbors.
d. Configure each RIP interface to use password authentication.
e. Configure a TCP/IP filter to prevent broadcast messages from passing.
f. Configure a remote Access Policy to allow only the four routers to communicate with each other. Configure a second Remote access policy to allow only the two new routers to communicate with each other
Answer:a,b,c,d
Page 82, Internetworking Guide, RESKIT 2000:
* Simple password authentication and MD5 (Message Digest 5): Windows 2000 only supports simple password authentication
* Peer filtering: ability to accept or discard updates of announcements from specific routers identified by IP address
* Route filtering: ability to accept or discard updates of specific network IDs or from specific routers
* RIP neighbours: ability to unicast RIP announcements to specific routers to support nonbroadcast technologies like frame relay.
A RIP neighbour is a RIP router that receives unicasted RIP announcements.
Here is why:
RIP version 2 authentication
d- To prevent the corruption of RIP routes by an unauthorized RIP router in a RIP version 2 environment, you can configure RIP v2 router interfaces to use simple password authentication. Received RIP announcements that do not match the configured password are discarded.
Peer security
a- You can configure each RIP router with a list of routers (by IP address) from which RIP announcements are accepted. By default, RIP announcements from all sources are accepted. By configuring a list of RIP peers, RIP announcements from unauthorized RIP routers are discarded.
Route filters
b- You can configure route filters on each RIP interface so that the only routes considered for addition to the routing table are those that reflect reachable network IDs within the internetwork.
Neighbors
c- By default, RIP either broadcasts (RIP version 1 or RIP version 2) or multicasts (RIP v2 only) announcements. To prevent RIP traffic from being received by any node except neighboring RIP routers, the Windows 2000 router can unicast RIP announcements to neighboring RIP routers (Ref Win2000ServerHelp)

155. You are the administrator for your company's Windows 2000 Server network. Your company has a main office in Dallas, TX. There are three branch offices: one in Atlanta, GA, one in Chicago, IL, and one in Sacramento, CA. All branches are connected to Dallas by a T1 line. A diagram of the network is shown below: The routers between the offices support the forwarding of BOOTP messages. At each branch office, you have a local user who is responsible for all administrative duties. Currently the local administrator is responsible for configuring the TCP/IP settings for all the Windows 2000 Professional computers at his/her local branch. You have been experiencing network communication problems which were the direct result of configuration errors.
You want to prevent this from happening again. What should you do? (Choose two.)
a. Install and configure a Dynamic Host Configuration Protocol (DHCP) Server in Dallas.
b. Install and configure a Windows Internet Name Service (WINS) Server in Dallas.
c. Install and configure a Domain Name System (DNS) Server in Dallas.
d. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain an IP address automatically.
e. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain WINS server address automatically.
f. On each Windows 2000 Professional computer, change the TCP/IP properties to Obtain DNS server address automatically.
Answer:a,d

156. You are the administrator of a Windows 2000 network. Your company wants you to provide a high level of security for its Public Key Infrastructure. You decide to create an offline root Certificate Authority (CA). You want the offline root CA to be capable of processing certificate requests from files, and you want the offline root CA to be recognized as a trusted root authority for Windows 2000 client computers. How should you create the offline root CA?
a. On a member Windows 2000 Server computer that is connected to the network, create an Enterprise CA. After you install the CA, remove the server to a secure and separate location
b. On a member Windows 2000 Server computer, create a subordinate Enterprise CA that uses a Commercial CA as the certifying authority. After you install the CA, remove the server to a secure and separate location
c. On a stand-alone Windows 2000 Server computer that is isolated from the network, create a Stand-Alone CA. Export the certificate for the CA to a floppy disk
d. In the Default Domain Group Policy object (GPO), import the certificate to the Enterprise Trust Certificate Store
e. On a stand-alone Windows 2000 Server computer that is isolated from the network, create a Stand-Alone CA. Export the certificate for the CA to a floppy disk.
In the Default Domain Group Policy object (GPO), import the certificate to the Trusted Root Certification Authority Store
Answer:a
From Server Help, answer is A.
You might choose to have an isolated, offline root CA for security reasons in order to protect it from possible attacks by hackers or malicious individuals via the network.
Set up the offline root certification authority: Set up a Windows 2000 server that you will use for the root certification authority. The server needs to have Internet Information Services (IIS) installed as part of setup. The server needs to be a member server in an Active Directory domain. Log on to the network as a domain administrator and install the root certification authority on the server that will be offline (disconnected from the network). You need to install the root CA while the server is attached to the network so that it can update Active Directory and its root certificate will automatically be trusted by any computer or user in the domain. On the new root CA, change the URL location of the certificate revocation list (CRL) distribution point to a location of your choice that is accessible to all users in your organization's network. It is possible to enter multiple URLs. It is necessary to do this because the offline root CA's default CRL Distribution Points (CDPs) are not accessible to users on the network and, if they are left unchanged, certificate revocation checking will fail.
Install subordinate certification authorities, as required by your planned certification hierarchy. These can be stand-alone certification authorities or, if you are using Active Directory, enterprise certification authorities. During setup for each subordinate CA, choose to save the CA certificate request to a file, which will be a PKCS #10 request. Copy the CA certificate request file from the subordinate certification authority to some portable storage media. Take the CA certificate request to the root certification authority.
Using the root certification authority's Web pages, submit the PKCS #10 request from the file to get the CA certificate for the subordinate certification authority. On the root certification authority, accept the pending certificate request and issue the CA certificate using the Certification Authority snap-in. Using the root certification authority's Web pages, check on the pending certificate request which you just approved. Download the new certificate and, if provided, the certification path to files on the portable storage media you are using. Take the portable storage media back to the subordinate certification authority. In Windows Explorer, locate the certificate and certification path files you just copied, right-click on each file and choose to Install Certificate. Have the Certificate Import wizard automatically place the certificates in stores based on the type of certificate.
Before issuing any certificates from the subordinate certification authorities and, afterwards, every time a new CRL is published by the offline root CA:
On the root certification authority, publish a certificate revocation list. (Do this only if it has not already been published using its CRL publishing schedule). In Windows Explorer on the root CA, locate the certificate revocation list you just published. The CRL's default location is: \Systemroot\system32\CertEnroll\CAname.crl Right-click on the CRL file and send it to a drive that has portable storage media. Copy the certificate revocation list file to every URL location that you specified as a CRL distribution point in the root CA's Policy settings. Your systems can now do certificate revocation checking on certificates issued by the offline root CA.

157. Your network consists of three network segments connected by 2 routers which are not BOOTP enabled. Users on two of the three segments report that they are unable to access network resources.
After further investigation you find that two subnets are not receiving TCP/IP configuration information from the DHCP server. All network clients should receive their TCP/IP information automatically from the DHCP server on the network. To configure the network properly, open the exhibit and drag and place the DHCP relay agents to the appropriate place or places on the network.
a. Appropriate place = any segment without a DHCP server
Answer:a
On my exam there were 4 segments. One had the DHCP server on it, the other 3 did not, easy!

159. You are the administrator of a Windows 2000 network. The network currently has 60 client computers configured as proxy clients. To dynamically manage IP addresses for these client computers a DHCP server has been installed using a scope of 172.41.64.0. The scope range of 172.41.64.1 to 172.41.79.254 with a 20-bit mask has been configured. Users report that they cannot access information on any computer on the network. How can you correct this problem? (Choose 2)
a. Activate a scope
b. Authorize the DHCP server
c. Change the scope range to 172.41.64.1 - 172.41.79.255
d. Use a subnet mask of 255.255.193.0
e. Use a subnet mask of 255.255.248.0
f. Add a reservation for each of the client computers
Answer:a,f
I agree with
a- activate the scope
b- possible (if the DHCP in exh. shows a red check)
c- no, the scope range in 3rd oct would interfere is the bit map
d- subnet incorrect for 20 bit mask
e- same as d
f- you can set reservations at the scope wizard, with the 60 clients and all the IPs in the scope are in local to each other. Although there are 4094 host IDs. While not by the book, there's nothing wrong in reserving IPs for clients.
So I'll say a and f

160. You are the administrator for your company's network. You have several NetWare servers running on your network and want to synchronize the user accounts between your Windows 2000 Server domain and your NetWare Servers.
You select all the NetWare servers and use the Directory Service Manager for NetWare (DSMN) to synchronize the user accounts. You receive the following error message: "NWC is a NetWare 4.x server. It cannot be added to the domain." What should you do?
a. Remove the bindery emulation mode option from NWC. Reboot NWC. Rerun DSMN, selecting only NWC for synchronization
b. Do nothing. NetWare 4.x servers running in bindery emulation mode cannot be added to Windows 2000 Server domains under any circumstances.
c. Using REGEDT32.exe on the Windows 2000 Server domain controller, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters key. Choose Add Value option for Edit menu. In Value Name, type Allow4X. In Type, enter REG_DWORD. In Data, enter 1. Close the Registry. Restart the Windows 2000 Server.
d. Using REGEDT32.exe on the Windows 2000 Server domain controller, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters key. Choose Add Value option for Edit menu. In Value Name, type Allow4X. In Type, enter REG_DWORD. In Data, enter 0. Close the Registry. Restart the Windows 2000 Server
Answer:c
When you select a NetWare 4x server (running in bindery emulation mode) in the Select NetWare Server dialog box in Directory Service Manager for NetWare (DSMN), the following error message appears: is a Netware 4X server. It cannot be added to the Domain. By default, DSMN allows you to synchronize user accounts between Windows NT Server domains and NetWare 2x and 3x servers.
To add NetWare 4x servers running in bindery emulation mode to Windows NT Server domains:
WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.
1- Run Registry Editor (REGEDT32.EXE).
2- From the HKEY_LOCAL_MACHINE subtree, go to the following key: \SYSTEM\CurrentControlSet\Services\MSSYNC\Parameters 3- From the Edit menu, choose Add Value. 4- Type the following in the appropriate text boxes: Value Name: Allow4X Data Type: REG_DWORD Data: 1 5- Choose OK and close the Registry Editor. 6- Shut down and restart Windows NT Server. 161. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 based DHCP server, two Windows 2000 based DNS servers, one Windows 2000 based Routing and Remote Access server and 50 Windows 2000 Professional laptop computers. The network is configured as shown in the exhibit. The DHCP server has a scope configured to use an IP address range of 10.80.1.20 through 10.80.1.70 and a subnet mask of 255.255.255.0. The laptop computers should use the 10.80.1.12 DNS server when dialing into the Routing and Remote Access server. You configure a DHCP scope option so that it uses an IP address of 10.80.1.12 for the DNS server. When users dial into the network from the laptop computers they receive an IP address of 10.80.1.13 for the DNS server. How should you configure the network so that all laptop computers will receive the IP address of 10.80.1.12 for the DNS server? a. Configure the LAN interface of the Routing and Remote Access server to not use an IP address for the DNS server. b. Configure the DHCP server to always register and update client computer information to contain the configured DNS server. c. Configure the Routing and Remote Access server to use the LAN interface to obtain DHCP, DNS and WINS addresses for dial-up client computers d. Enable the DHCP relay agent on the internal interface of the Routing and Remote Access server. Configured Answer:b 162. You are the administrator of your company's Windows 2000 Server network. Your network is configured as shown in the EXHIBIT. An SMTP management application is installed on W2K_SVR_2.
Servers in both Northamerica.com and Europe.com have identical SNMP settings, however the SNMP application cannot manage any server in the Northamerica.com domain. What should you do? a. Configure all servers with the same domain name b. Configure an SNMP agent on the Northamerica.com domain c. Configure all servers with the same community name d. Configure a DHCP relay agent in the Northamerica.com domain Answer:c 163. You are the administrator of your company's network. To allow fault tolerance for your external DNS server, your Internet service provider (ISP) hosts a DNS server on its UNIX server. The UNIX server is used as the secondary DNS server for your primary external DNS server. Users inform you that they are not able to connect to the URL of the company's Web server. You investigate and discover that this inability to connect occurs during times when your primary external DNS server is unavailable. What should you do to resolve this problem? To answer, click the appropriate check box in the Advanced tab of the London Properties dialog box. a. In the Server options list, select the 'Disable recursion' check box b. In the Server options list, deselect the 'Disable recursion' check box c. In the Server options list, select the 'Bind Secondaries' check box d. In the Server options list, deselect the 'Bind Secondaries' check box e. In the Server options list, select the 'secure cache against pollution' check box. f. In the Server options list, deselect the 'secure cache against pollution' check box. Answer:c BIND stands for Berkeley Internet Name Daemon, which is the de facto standard DNS server in the Unix world. If you want to use a Unix DNS server as a secondary, you must enable BIND secondaries on the 2000 DNS server. Open DNS server prop sheet, advanced tab, select BIND secondaries. (P-52 Sybex) 164. You are the administrator of your company's Windows 2000 network.
Your company allows its corporate customers to submit purchase orders and view order status via a Routing and Remote Access server (RRAS). Network and data security are a high priority. All calling information should be logged. What setting or settings should you configure? a. Enable Link Control Protocol (LCP) extensions b. Disable Link Control Protocol (LCP) extensions c. Configure the callback option to No callback for customer. d. Configure the callback option to Verify caller ID for customer. e. Configure the callback option to Always callback to the customer. f. Configure the callback option to be Set by caller for customer. Answer:a,f 165. You are in charge of setting up, maintaining and deploying your company's web site. You install Windows 2000 Server and Internet Information Server. Your company is expecting a large number of its current customers to access the new web site. Your manager is concerned about Client Access Licenses (CALs). What type of license is needed to comply with the Microsoft License Agreement? a. Per seat licensing b. Per server licensing c. A single HTTP license d. A Microsoft Internet Connector license e. No license is required. Answer:e 166. Your company's Windows 2000 Server network uses TCP/IP as its only networking protocol. Client computers use DHCP for automatic TCP/IP configuration. For a client computer to successfully receive TCP/IP information from a DHCP server, what DHCP message or messages must successfully occur? Choose all that apply a. DHCPACK message b. DHCPNACK message c. DHCPRECV message d. DHCPOFFER message e. DHCPDISCOVER message f. DHCPREQUEST message Answer:a,d,e,f 167. Your network consists of 5 Windows 2000 Server computers and 300 Windows 2000 Professional client computers. TCP/IP information should be automatically assigned to each of the Windows 2000 Professional client computers when they log on to the network and name to IP address mappings for network hosts should be automatically maintained.
What should you configure? (Choose all that apply) a. DHCP b. SNTP c. Dynamic DNS d. RRAS e. NAT f. WINS Answer:a,c 168. Your company Bridgeland inc. has a main office and 5 branch offices. The main office has a private network with 100 computers. Each branch has a private network with between 10 and 20 computers and a cable modem connection to the Internet. Bridgeland inc. plans to use the Network Address Translation (NAT) feature of Routing and Remote Access to provide each office with access to the Internet. When testing the configuration you discover that connections cannot be made to any sites using fully qualified domain names. However, you can successfully connect using IP addresses. What should you do to enable connections using fully qualified domain names? a. In each of the branch offices configure the computers on the network with the address of a WINS server. b. Configure a filter on the NAT servers to pass DNS packets c. In each of the branch offices configure the computers on the network with the address of the DNS server on the Internet d. Create a hosts file on each of the NAT servers. Answer:c 169. You are the network administrator for Woodgrove Bank. Your network is configured as shown in the exhibit (Click the Exhibit button). Srv2 and Srv3 are configured as caching-only servers. Both servers forward requests to Srv1. Srv1 is configured as the primary server for the woodgrovebank.com domain. Users on networks 10.10.72.0 and 10.10.73.0 frequently use an Internet application that gathers stock quotes from various servers on the woodgrovebank.com domain. You want to reduce DNS network traffic. What should you do? a. Increase the Time to live (TTL) for the SOA (start of authority) record on Srv1 b. Increase the Time to live (TTL) for the SOA (start of authority) record on Srv2 and Srv3 c. Set the Server Optimization option on Srv2 and Srv3 to Maximize data throughput for network applications d.
Increase the forward time-out seconds on Srv2 and Srv3 Answer:a Smaller TTL values help ensure that information about the domain is more consistent across the network, in the event that this data changes often. However, this also increases the load on the name servers that contain the name, and it also increases Internet traffic. The TTL states how long the RECEIVING server of this record can cache it. So if SRV2 questions SRV1, the TTL configured at SRV1 will be used by SRV2 to determine how long it can cache this record. 170. You are the administrator of a Windows 2000 network. The network consists of 85 Windows 2000 Professional computers and two Windows 2000 Server computers named Vancouver and Kelowna. Vancouver has a permanent cable modem connection to the Internet. All Windows 2000 Professional computers on the network are configured to use Automatic Private IP Addressing (APIPA). The network does not contain a DHCP server. To allow all Windows 2000 Professional computers on the network to access the Internet through the cable modem connection of Vancouver, you install and configure the Network Address Translation (NAT) routing protocol on the Vancouver server. You decide to use IP addresses in the range of 172.20.20.1 through 172.20.20.150 for the network. Vancouver is configured to use an IP address of 172.20.20.1. Kelowna is a Web server configured with an IP address of 172.20.20.2 and a default gateway of 172.20.20.1. You want to allow Internet users from outside your internal network to access the resources on Kelowna through the NAT service on Vancouver. How should you configure the network to accomplish this goal? a. Configure the NAT routing protocol to enable the use of the network applications, specify the web server as the name of the application, use web port numbers as the remote port number. b. Configure the public interface of the NAT routing protocol to use an address pool with an address of 172.20.20.2 c.
Configure the public interface of the NAT routing protocol to use a special port that maps the web server port to IP address 172.20.20.1 d. Configure Vancouver so that it has a static route on the private network of the private interface, use a destination address of 172.20.20.2, a network mask of 255.255.255.255 and a gateway of 172.20.20.1 Answer:c 172. You are the administrator of a single Windows 2000 domain. Client computers, including Windows 2000 Professional, Windows 95 and Linux, exist on the network. A custom made Linux application is installed on all Linux client computers. The application needs to be able to resolve NETBIOS names via a WINS database. The WINS server is installed on one of the Windows 2000 servers. The Linux application currently cannot resolve NETBIOS names using the WINS database. What should you do? a. Configure the Linux client as a WINS client b. Add static mappings for all Linux clients in the WINS database. c. Configure one of the Windows 2000 computers as a WINS proxy agent. d. Configure all Linux clients with static IP addresses then add a PTR record in the DNS database Answer: c 173. You are the network administrator of your company's Windows 2000 network. Clients on your network include both Windows 2000 Professional and Windows NT 4.0 Workstation computers. The network uses TCP/IP as its only networking protocol. The network has one server configured as both a WINS and DNS server. All client computers are configured to use this server for DNS and WINS. Users on the NT Workstation computers are reporting that they CANNOT connect to a server named SRV1. Users of the Windows 2000 Professional computers CAN however access SRV1 without any problems. SRV1 has a statically assigned IP address. What should you do to allow the Windows NT Workstation computers access to SRV1? a. Add the WINS address used by the NT Workstation computer and select the Enable LMHOSTS lookup check box. b.
Select the Enable LMHOSTS lookup check box, then import the LMHOSTS file used by the Windows NT Workstation computers. c. Select the Enable NetBIOS over TCP/IP option and add the WINS address used by the Windows NT Workstation computer. d. Select the 'Use NetBIOS setting from the DHCP server' option button. Add the WINS address used by the Windows NT Workstation computer Answer:c 174. You are the administrator of the company's Windows 2000 network. The network contains 5 Windows 2000 servers and 400 Windows 2000 Professional client computers. One of the Windows 2000 servers is configured with IIS v5 and hosts your company's web site. Default locations and configuration settings are used. To protect your network from external attacks you want to configure filters to allow traffic to send packets to and from the web server. What filters should you configure? (Choose all that apply) a. Output filter for the source IP address of the web server and the TCP source port 80 b. Output filter for the destination IP address of the web server and the TCP source port 80 c. Output filter for the source IP address of the web server and the TCP destination port 80 d. Input filter for the source IP address of the web server and the TCP source port 80 e. Input filter for the destination IP address of the web server and the TCP destination port 80 f. Input filter for the destination IP address of the web server and the TCP source port 80 Answer: a,e 175. Same as Q.141. 176. Your company provides consulting services to several large corporations. One such company has asked you to dial into their dial-up server and view some corporate documents. You create a dial-up connection on your Windows 2000 portable computer to connect to a customer's dial-up server. You are unsure of the type of server your customer is using for dial-up connections but need to ensure that your dial-up connection authentication is secure and that your logon information is not sent in plain text.
You view the advanced security settings dialog box. Which option or options should you DISABLE in the advanced security settings dialog box? (Choose all that apply) a. Unencrypted password (PAP) b. Shiva Password Authentication Protocol (SPAP) c. Challenge Handshake Protocol (CHAP) d. Microsoft CHAP (MS-CHAP) e. Microsoft CHAP V2 (MS-CHAP v2) f. For Microsoft CHAP based Protocols Answer:a 177. You are the administrator of your company's network. Your network is configured to use DHCP to automate the TCP/IP configuration of all client computers on your network. All client computers are running Windows 2000 Professional. Your network contains 3 subnets and contains a BOOTP enabled router. These 3 subnets are connected via an RFC 1542 compliant router as shown in the EXHIBIT. Users on subnet B and subnet C report that they periodically cannot access network resources. During times of high network usage, client computers on the remote subnets are being configured with addresses in the network address range of 169.254.0.0, which is not a valid address range on your network. You want to ensure that all client computers receive TCP/IP information from the DHCP server and are not configured with invalid address information. What should you do? a. Install a DHCP relay agent on each remote subnet. b. Install a DHCP server on each remote subnet and configure identical scopes on each DHCP server c. Install a DHCP server on each remote subnet and configure a subnet specific scope on each DHCP server d. Create an administrative template entry in Group Policy to enable Automatic Private IP Addressing (APIPA) in the registry of each client computer Answer:c 178. You are the administrator of a Windows 2000 Server network. Your network is divided into several subnets. A Microsoft Proxy Server on its own subnet is located in front of both the client and server subnets. An intranet server is located in the server subnet.
Users in both the research and development groups have access to the Internet through a Windows 2000 server running Microsoft Proxy Server. As the network is currently configured, users must enter their proxy server username and password to connect to either the Internet or the local intranet server. Users who do not have access to the Internet must also supply their username and password before connecting to the local intranet server. All users should be able to connect to the local intranet server without a separate username and password. What should you do? a. Move the intranet to the client subnet of the network b. Move the proxy server to the server subnet of the network c. Configure each client computer to bypass the proxy server for local addresses d. Configure each client computer to use port 81 for proxy server Answer:c 179. You are the administrator of your company's network. The network includes several Windows 2000 servers and 4 Novell NetWare servers. Your network is configured to use both TCP/IP and the NWLink IPX/SPX/NetBIOS compatible transport protocol. Several users have reported that they are not able to connect to the Windows 2000 servers; they can however connect to each other. What is the most likely cause of the problem? a. The subnet mask was set incorrectly b. File permissions were set to no access c. An incorrect frame type was selected on the server d. The workstation service on the Windows 2000 Server failed to start. Answer:c 180. You administer your company's Windows 2000 network. You are configuring your Windows 2000 network for dial-up access. The users need to access computers from home. To increase security, your company issues smart cards to all users who dial in. You need to configure the Routing and Remote Access server. What should you do? (Choose two.) a. Select Extensible Authentication Protocol (EAP) b. Select Microsoft Challenge Handshake Authentication Protocol version 1 or 2 (MS-CHAP v1 or 2) c.
Install computer certificates on the Routing and Remote Access server d. Install smart card logon certificates on the Routing and Remote Access server e. Install computer certificates on the dial-up access client computers Answer: a,d 181. You are the admin of a Windows 2000 network. The network consists of two Windows 2000 Server computers named Atlanta and Orlando and 350 Windows 2000 Pro computers. Orlando is a DHCP server. The TCP/IP configuration of all Windows 2000 Pro computers is provided by the DHCP server. Atlanta and Orlando have IP addresses that are manually configured. Atlanta frequently hosts multicast-based video and audio conferences. You want to dynamically allocate multicast addresses. How should you configure the network? a. On the DHCP server, create and activate a scope so that it has a range of class D addresses. b. On Atlanta, configure Routing and Remote Access to enable the IGMP routing protocol in proxy mode on the LAN interface. c. On the Windows 2000 Prof computers, enable route discovery. d. On the Windows 2000 Prof computers, add a route for network destination 224.0.0.0 and mask 224.0.0.0. Answer:a 182. You configure your Windows 2000 Server to route all network traffic on your intranet. Users on both segments need access to files on the other segment. You install and start IIS Web Service on the server. Users on both segments report they cannot access the Web service. What must you do? a. Disable all TCP/IP port filters b. Stop and restart the web service c. Use the Add Route command d. Use IPCONFIG command Answer:a 183. Your network consists of three network segments connected by a router. You install the DHCP server service on a Win2000 server. You create 3 scopes for each subnet's range of addresses and activate the scopes. Users from the second and third subnets report they cannot connect to the network. Users on the first subnet have no problems.
You check and find that the computers on segments 2 and 3 are not receiving TCP/IP information from the DHCP server. What should you do? a. Manually configure the IP address for the DHCP server on each client on subnets 2 and 3 b. Enable dynamic updates on the DHCP server c. Install a DHCP Relay Agent on a computer on segment 2 and 3 d. None of the above Answer:c 184. You have just taken a job with a company that would like to convert its current network operating system to Windows 2000. The company has four subnets on its TCP/IP network, each of which will have its own Backup Domain Controller (BDC), except for the subnet on which the Primary Domain Controller (PDC) will reside. The company would like to allow browsing across the entire network without needing to implement Windows Internet Name Service (WINS) on a Windows 2000 Server computer. What should you do? a. Create an LMHOSTS file. Create entries in the LMHOSTS file for the PDC and all BDCs using the #DOM keyword. Place this file on the PDC. b. Create an LMHOSTS file. Create entries in the LMHOSTS file for the PDC and all BDCs using the #DOM keyword. Place this file on the PDC and all BDCs. c. Create an LMHOSTS file. Create an entry in the LMHOSTS file for the PDC and all BDCs using the #MH keyword. Place this file on the PDC. d. Create an LMHOSTS file. Create an entry in the LMHOSTS file for the PDC and all BDCs using the #MH keyword. Place this file on the PDC and all BDCs Answer: b From Technet: If you are using TCP/IP without using WINS, create an LMHOSTS file with a <1Bh> entry for the new domain and put it on each BDC. 185. You are the administrator of the Bridgeland.com domain. Your network consists of 5000 client computers distributed evenly across seven states. Each site has its own Windows 2000 domain and each site has been delegated authority from your root DNS server to manage its own name space.
In a site named seattle.bridgeland.com the local administrator has recently upgraded the two DNS servers that service the sub domain. You suspect that the upgrade to the DNS server has resulted in an incorrect configuration of your zone delegation. What should you do to verify that your zone delegations are properly reconfigured? a. Use system monitor to confirm that the counters for the DNS zone transfer failure are zero b. Use system monitor to confirm that the counters for the DNS recursive failures to zero c. Run the nslookup ns.seattle.bridgeland.com command with the server option set to query the seattle.bridgeland.com server. Ping the records in the output of the nslookup command d. Run the nslookup -ls -d seattle.bridgeland.com command. Ping the records in the output of the nslookup command Answer:c 186. You are the administrator of a Windows 2000 Server network. Your network consists of 5 Windows 2000 Server computers and 150 Windows 2000 Professional client computers. Three of the Windows 2000 Server computers are Routing and Remote Access servers configured as RIP v2 routers. To prevent unauthorised or misconfigured RIP routers from being placed on the network, RIP authentication is used. A fellow administrator reports that the RIP v2 routers are not receiving routes. What network services or options should you confirm? (Choose all that apply) a. Confirm that RIP authentication is enabled b. Confirm that RIP authentication is disabled c. Confirm that supernetting is not configured d. Confirm that you have configured RIP peer filtering e. Confirm that you are not deploying variable length subnet masks f. Confirm that IP packet filtering is not preventing input or output of RIP announcements Answer: a,f 187. You are the administrator of your company's network. The network consists of a single Windows 2000 domain.
The network has Windows 2000 Server computers, Windows 2000 Professional computers, and Windows NT Workstation 4 computers distributed across two IP subnets as shown in the exhibit (Click the Exhibit button) Two Windows 2000 domain controllers are located on Subnet1. Each domain controller is also a DNS server hosting an Active Directory integrated zone. You implement WINS for NetBIOS name resolution on your network. WINS is installed on a server on Subnet2. Users of the Windows NT Workstation 4 computers on Subnet2 report that they are receiving the following error message 'Domain Controller cannot be located' Subsequently, these users cannot be validated on the network. Windows NT Workstation 4 users on Subnet1 are not experiencing this problem. However, they do report that response times for logon requests are extremely slow. None of the Windows 2000 Professional users on either subnet report these problems You want to ensure that Windows NT Workstation 4 users on Subnet2 can be validated. You also want to improve logon request response time for users on Subnet1. What should you do? a. Configure the router to forward NetBIOS broadcast packets b. Configure the Windows NT Workstation 4 computers as WINS clients in the existing zone c. Configure the Windows NT Workstation 4 computers as WINS clients d. Configure the Windows 2000 Server domain controller computers as WINS clients Answer:d 188. You manage a network of 1,500 Windows 2000 Professional computers, all configured to use Dynamic Host Configuration Protocol (DHCP). You decide to implement Windows Internet Name Service (WINS) on your network for NetBIOS name resolution. You set up a Windows 2000 Server computer and install the WINS service. You want to configure the client computers to use WINS? What is the easiest way to do this? a. Configure the DHCP server with the 138 UDP/netbios option only b. Configure each client with the address of the WINS server manually c. 
Configure the DHCP server with options 44 WINS/NBNS and 46 WINS/NBT d. Configure the DHCP server with the 137 TCP/netbios and 138 UDP/netbios option Answer:c 189. Your domain has a Windows 2000 member server computer named Srv1. Routing and Remote Access and CHAP is enabled for remote access on Srv1. You have also configured the appropriate remote access policy to use CHAP. However, users who require CHAP report that they are not able to dial in to Srv1. What should you do? a. Configure SRV1 to disable LCP extensions b. Configure clients to use MSCHAP for dialin c. Configure SRV1 to use SPAP for dialin d. Disable "Mutual authentication" on SRV1 Answer:a MoranZ: this is a problem, let me tell you why. In article Q238734 Microsoft says: If the host or router that is attempting to dial in does not support Microsoft CHAP and does not correctly implement RFC 1331, you may observe delays during authentication that lead to an unsuccessful Point-to-Point Protocol (PPP) connection because of Link Control Protocol (LCP) timeouts. But this is talking about NT 4. If I go even further I get Q128977: This problem occurs if the remote PPP server sends an LCP echo request packet with an illegal length. RASPPPEN.DLL performs no length checking on an echo request. But nothing talks about Win2000, so I think the best choice is to go with disable LCP. 190. Your network has a main office and one branch office. You use PPTP to connect the main office to the branch office. What is the strongest possible level of data encryption for the connection? a. MS-CHAP v2 b. MSCHAP c. PAP d. EAP Answer:a 191. You manage Srv1, a computer running Windows 2000 Server that has two network adapter cards, one connected to the Internet and one connected to your internal network. You install NAT protocol to provide Internet access to client computers. Srv1 and the client computers are located at one of your remote offices. When configuring NAT, you choose "Resolve IP addresses for clients using DNS".
What else should you do? a. The network adapter connected to the Internet should be configured with the address of a DNS server. Answer:a 192. You are the administrator of your company's network. The network consists of a single IP subnet that uses DHCP to automate client computer configuration. You install a WINS server on the network. Users report that the network response time is slow. You discover that the levels of broadcast traffic have not been reduced. When you view the WINS database, you also find that the only entry is for the WINS server itself. What should you do? a. Configure the WINS server as a DHCP client computer b. Configure the DHCP server as a WINS client computer c. Configure a DHCP scope option to include the address of the WINS server d. Configure static mappings on the WINS server for each client computer Answer:c 193. Your Windows 2000 Server computer is configured with a static IP address. You want to configure the computer as a DNS resolver. What step should you take?. a. Configure the address of the preferred DNS server in the TCP/IP properties of the Local Area Connection. Answer:a 194. Your company has a main office in Orlando and branch office locations in Miami, Tampa and Jacksonville. The branch offices are connected to Orlando by Windows 2000 based routers. All four locations have a Windows 2000 based DHCP server. Each Friday, the Orlando location hosts a multicast video presentation that is broadcast to all four locations. The Orlando location also frequently hosts multicasting video presentations intended for the sales staff in the Orlando and Miami locations only. You want to ensure that these sales staff multicasting video presentations are not sent to the Tampa and Jacksonville locations. You assign specific IP multicast addresses for use with the sales staff multicasting video presentations. 
How should you configure the network to prevent the forwarding of the sales staff multicasting video presentations to the Tampa and Jacksonville locations? a. Configure a multicast setting boundary for the sales IP multicast addresses on the Tampa and Jacksonville interfaces of the Orlando router. Answer:a 195. You have been given the network ID of 172.24.8.0/22 from your ISP. All of the routers in your network use either RIP V2, or OSPF. Each of the two subnets you will be creating will contain only 75 computers. You want to use the most specific number of bits and the first two available network ID numbers in your subnet mask. Drag and Drop question with the following Answer (choose 2). a. 172.24.12.0/22 b. 172.24.16.0/22 c. 172.24.24.0/22 d. 172.24.8.128/25 e. 172.24.9.0/25 f. 172.24.16.0/25 Answer:d,e 196. You are the administrator of a Windows2000 network that has a main office and one branch office. The company leases a 128Kbps ISDN line to connect the main office to the branch office. You configure RRAS on a standalone Windows2000 server computer in each office to provide a demand dial connection. You want to encrypt traffic over the ISDN connection and you want to prevent unnecessary connection over the ISDN line. What should you do? a. Configure a PPTP demand dial connection to connect the two offices over the ISDN connection and ensure that data encryption is enabled.Set the demand dial filters to exclude Netbios broadcast traffic. b. Configure a PPTP demand dial connection to connect the two offices over the ISDN connection and ensure that data encryption is enabled.Set the demand dial filters to exclude Remote Procedure Call traffic. c. Configure an L2TP demand dial connection to connect the two offices over the ISDN connection.Configure inbound and outbound filters to exclude all Netbios broadcast traffic. d. 
Configure an L2TP demand dial connection to connect the two offices over the ISDN connection. In the demand dial filter list configure filters to exclude RPC traffic. Answer:a 197. You are the administrator of one standard primary DNS server and two standard secondary DNS servers in a Windows 2000 domain. There are no other DNS servers on the network. The domain includes Windows 2000 Professional computers and Windows 98 computers. The DNS zones for the domain are configured to allow for dynamic updates. All three DNS servers are located on domain controllers. What should you do to allow client computers to be able to register with any DNS server? a. Change the zone type of the DNS zone for the Windows 2000 domain on all three DNS servers to Active Directory integrated. b. Change the settings on the standard primary DNS server to notify the two standard secondary DNS servers when the zone is updated. c. Change the settings on the standard primary DNS server to allow zone transfer to only the two standard secondary DNS servers. d. Change the dynamic update option on the standard primary DNS server to allow only secure updates. Answer:a 198. You are the administrator of a Windows 2000 domain. The domain has a Windows 2000 member server computer named Delta. Routing and Remote Access is enabled for remote access on Delta. The domain is in native mode. For all user accounts, the dial-in permission is set to control access through remote access policies. You want to allow all users in the domain to dial in during the workday. You also want to allow only members of the global security group named Support Staff to be able to dial in between 6:00 PM and 8:00 AM. However, you do not want to allow the Support Staff members to be able to dial in when the log files are made each day between 7:00 AM and 8:00 AM.
You create four remote access policies on Delta as shown in the following table:
Name: Domain users all policy; Windows-group=Domain users; Permission: Access
Name: Support staff all policy; Windows-group=Support staff; Permission: Access
Name: Domain users 6-8 policy; Day-and-Time=6PM-8AM; Windows-group=Domain users; Permission: Deny
Name: Support staff 7-8 policy; Day-and-Time=7AM-8AM; Windows-group=Support staff; Permission: Deny
To specify the appropriate access control for Delta, click the Select and Place button, and then drag the remote access policies and place them in the correct order. A. Support staff 7-8 Deny, Support staff all, Domain users 6-8 Deny, Domain users all Answer: A 199. You administer your company's Windows 2000 network. Your company employs a sales force that needs access to the latest company data when traveling. You want to ensure that the company will establish a network connection for your salespeople regardless of where the call originates. Your company also allows customers access to the network using Routing and Remote Access to view and track orders. To ensure network and data security, your company wants to specify the location from which customers can connect to your network. You want to configure your company's Routing and Remote Access server (RRAS) to facilitate access for salespeople and for customers. You want both the salespeople and the customers to use mutual authentication to provide protection against remote server impersonation. Which settings should you configure? (Choose three.) a. Set Callback option to Always Callback To for salespeople b. Set Callback option to Set by Caller for salespeople c. Set Callback option to No Callback for customers d. Set Callback option to Always Callback To for customers e. Enable Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) f. Enable LCP extensions.
Answer:b,d,e Mutual Authentication: With mutual authentication, the calling router authenticates itself to the answering router and the answering router authenticates itself to the calling router. Both ends of the connection verify the identity of the other end of the connection. MS-CHAP v2 and EAP-TLS authentication methods provide mutual authentication. With MS-CHAP v2, both sides of the connection send a hash of a challenge string and the user password. If successful, both ends of the connection are assured that the other end of the connection has access to the user account's password. With EAP-TLS, the calling router sends a user certificate that is validated by the answering router and the answering router sends a computer certificate that is validated by the calling router. EAP-TLS is the most secure form of mutual authentication; however, it requires a PKI. 200. To allow Internet access through a dial-up connection to London, you install a NAT routing protocol. All computers in your network use You have one DHCP and your ISP has allocated 207.46.179.4-.7 to your network. How should you configure these addresses? a. RRAS policy b. RRAS policy c. Configure the LAN interface to use an address pool with a starting address of 207.46.179.4 and a mask of 255.255.255.252 d. Configure the public interface to use an address pool with a starting address of 207.46.17.4 and a mask of 255.255.255.252 Answer:d 201. You are the administrator of a Windows 2000 network. Your Public Key Infrastructure consists of an offline root CA and a number of subordinate CAs. Your company is selling one of its divisions. This division has a subordinate CA that it uses to issue certificates. You want to ensure that once the division is sold, applications and other CAs on your network will not accept the former division's certificates. You also want to ensure that you can implement your solution by using a minimum amount of administrative effort. a.
On the division's subordinate CA, revoke all the certificates it has issued. Publish the CRL to a server on your network. Uninstall the CA software and remove the CA files. b. On the company's root CA, revoke the certificate of the division's subordinate CA. Publish the CRL. Copy the EDB.LOG file from the root CA to its Certification Distribution Point on your network. c. On the division's subordinate CA, revoke the certificates it has issued. Publish the CRL. Copy the EDB.LOG file from the subordinate CA to the Certification Distribution Point on your network. Disconnect the CA from the network. d. On the company's root CA, revoke the certificate of the division's subordinate CA. Publish the CRL. Copy the CRL file to the Certification Distribution Point on your network. e. On the division's subordinate CA, revoke all the certificates it has issued. Publish the CRL. Copy the CRL file to the Certification Distribution Point on your network. Disconnect the CA from the network. Answer:b 202. Your network consists of two segments connected by a router. It has one DHCP server that has active scopes for both segments. The IP addresses configured in the two scopes are 10.65.1.0/24 for the first segment, and 10.65.2.1/24 for the second segment. The DHCP server's IP address is 10.65.1.2. Users in the segment without the DHCP server report they are using IP addresses in the range of 169.254.0.0/16. The other segment is using IP addresses in the range of 10.65.1.0/24. What should you do to ensure the computers in the segment that does not have the DHCP server will automatically use IP addresses in the range of 10.65.2.0/24? a. Enable and configure the DHCP Relay Agent service on a server in the segment that does not have the DHCP server. Answer:a 203. You are the administrator of a Windows 2000 network. The network consists of two Windows 2000 Server computers named ServerA and ServerB and 180 Windows 2000 Professional computers on one segment.
ServerA has an IP address of 192.168.2.1. ServerA is a DHCP server. The TCP/IP configuration of all the Windows 2000 Professional computers is provided by the DHCP server. The range of IP addresses used at ServerA is 192.168.20/24. The lease time used is 15 days. You want to change the IP addresses on the network from 192.168.20/24 to 10.178.0/24. ServerB has an IP address of 10.178.1. You install another DHCP server on ServerB. The range of IP addresses used at ServerB is 10.178.0/24. The lease time used is 15 days. The network is shown in the exhibit (Click the Exhibit button). To ensure compatibility, the two address ranges will be used concurrently on the same segment for three months. Routing between the two address ranges is provided by a router on the network. After you activate the DHCP scope on ServerB, users report that they are unable to obtain a valid IP address. When you investigate the problem, you discover that each of the two DHCP servers responds with DHCP negative acknowledge (DHCPNAK) messages to leases requested by the client computers. What should you do? a. On the Windows 2000 Professional computers, disable Automatic Private IP Addressing (APIPA) b. On the Windows 2000 Professional computers, configure the DHCP client computers to release the DHCP lease at shutdown. c. On both DHCP servers, set the number of times the DHCP server should attempt conflict detection to 0 d. On both DHCP servers, configure a superscope so that it has both address ranges. Define an exclusion range for the entire address range of 10.178.01/24 on ServerA and of 192.168.20/124 on ServerB e. On both DHCP servers, set scope option 031 Perform Router Discovery to 1 to enable the option on the Windows 2000 Professional computers Answer:d 204. You run dcpromo.exe to promote SrvA, a computer running Windows 2000 Server, to the first domain controller for xco.com. You install the DNS service on SrvA.
You assign a static IP address to ten Windows 2000 Professional computers and configure the IP address of SrvA as the DNS server for these computers. What should you do to ensure that the A records and the PTR records for the computers running Windows 2000 Professional are recorded correctly on SrvA? a. Enable the zone for xco.com to accept dynamic updates and create a reverse lookup zone for the network and enable the zone to accept dynamic updates. Answer:a 208. You are the enterprise admin of a Windows 2000 domain. The domain has three Windows 2000 Server computers named Athens, Barcelona and Cairo and 90 Windows 2000 Professional computers. Your network consists of three segments connected by a router. Each segment contains one of the servers. The 90 Windows 2000 Professional computers are evenly distributed over the three segments. Athens is a DHCP server. The TCP/IP configuration of all the Windows 2000 Professional computers on the three segments is provided by the Athens DHCP server. The DHCP server has three scopes, one for each segment. The lease time for all three scopes is eight days. For performance reasons, you want to move the DHCP Server service from Athens to Barcelona. You take the following actions: - on Athens, stop and disable the DHCP Server service - on Barcelona, install, authorize, and stop the DHCP Server - copy the entire systemroot\system32\dhcp folder from Athens to Barcelona. You want to configure Barcelona to use the scope information and the leased addresses currently in use by the Windows 2000 Professional computers. What should you do? (Choose two) a. Enable the DHCP Relay Agent. Use a boot threshold of 0 seconds. b. Use the jetpack utility to manually repair the DHCP database. c. Use the Regedt32.exe registry editor to restore the DHCP registry configuration from the Systemroot\system32\dhcp\backup location. d. Copy the Systemroot\system32\dhcp\j50.chk file to the Dhcp.mdb file. e. Start the DHCP server and reconcile all scopes. f.
Start the DHCP server and create a new superscope that contains the three original scope ranges. Answer:c,e 209. You are the administrator of a Windows 2000 network. The network consists of a Windows 2000 Server computer named SrvA and 30 Windows 2000 Professional computers. SrvA has a dial-up connection that connects to the Internet All Windows 2000 Professional computers on the network are configured to use Automatic Private IP Addressing (APIPA). There is no DHCP server on the network. SrvA is configured to use an IP address of 192.168.0.1. Routing and Remote Access and all the ports on SrvA are enabled for demand-dial routing. The Network Address Translation (NAT) routing protocol is added. You want to allow all Windows 2000 Professional computers on the network to access the Internet through a translated demand-dial connection on SrvA. How should you configure the network? (Choose four) a. Create a new demand-dial interface for the local area connection b. Create a new demand-dial interface for the dial-up connection c. Add a public and a private interface to the NAT routing protocol d. Configure the IP address of the Internet service provider (ISP) as the default gateway on the private interface e. Add a default static route that uses the public interface. f. Configure the NAT routing protocol to enable network address translation assignment and name resolution g. Configure the public NAT interface with an address pool of 192.168.0.1 Answer:b,c,e,f 210. You use the Group Policy Editor to create an IPSec policy for the Group Policy Object linked to an OU in your Windows 2000 domain. What should you do to insure the policy is applied to the computers in the OU? A. Use the IP Security Policies node in Group Policy Editor to assign the policy. Answer:a 211. Your network consists of a computer running Windows 2000 Server, NWLink, and SQL Server named SQL1. It has one network adapter card. 
You need to enable access to SQL for clients running Windows 98 and NetWare clients from Novell. The NetWare servers on your network are running NetWare version 4.11. What should you do? A. Configure a unique internal network number for SQL1. Answer:a 211. You are the administrator of a Windows 2000 domain named contoso.com. The domain has a Windows 2000 member server computer named Ras1 and a Windows 2000-based DHCP Server computer named Dora. Routing and Remote Access is enabled for remote access on Ras1. The network has two DNS servers that use IP addresses of 10.1.5.2 and 10.1.5.3 Ras1 is configured to use DHCP to assign IP addresses to the remote access client computers. The configuration of the scope options on the DHCP server is shown in the following window. DHCP dora,contoso.com[10.1.5,1] Scope [10.1.5.0] Net5 Address Pool Address Leases Reservations Server Options DNS Servers Standard 10.1.5.3 None The DHCP scope does not have any client computer reservations When remote access client computers dial in to Ras1, they receive an IP address from the DHCP scope range, but they do not receive the DNS address configured in the DHCP scope Instead, the remote access client computers receive a DNS server address of 10.1.5.2 You want the remote access client computers to receive the DNS option from the DHCP server How should you configure the network to accomplish this goal? a. Configure the remote access client computers to enable DHCP on the dial-up connection b. Configure Ras1 to use Windows Authentication. c. Install and configure the DHCP Relay Agent routing protocol on the Internal interface of Ras1 d. On the DHCP server, configure the DNS scope option of 10.1.5.3 for the Default Routing and Remote Access user class Answer:c 212. Your network consists of Windows NT 4.0 and Windows 2000 computers. All Windows 2000 Server computers are member servers of a single Windows NT 4.0 domain. 
You would like to use two of these servers to test IPSec configurations that are using the Kerberos authentication protocol. What should you do? Promote one of the servers to a domain controller. Assign the domain controller the default Secure Server IPSec policy. Assign the other server the default Client IPSec policy. 213. Your Windows 2000 Server runs IIS and uses an IP address of 131.107.2.2 to support Internet users, and 10.1.1.2 to support an Intranet application. You want to configure this server to permit only Web communications from the Internet, and to allow access to shared folders and other resources for users on the Intranet. What should you do? (Choose two) a. Enable TCP/IP filtering. Permit only port 80 on the network adapter that uses the IP address of 131.107.2.2. b. Enable TCP/IP filtering. Permit only ports 21 and 20 on the network adapter that uses the IP address of 131.107.2.2. c. Permit all ports on the network adapter that uses the IP address of 131.107.2.2. d. Enable TCP/IP filtering. Permit only port 80 on the network adapter that uses the IP address of 10.1.1.2. e. Enable TCP/IP filtering. Permit only ports 21 and 20 on the network adapter that uses the IP address of 10.1.1.2. f. Permit all ports on the network adapter that uses the IP address of 10.1.1.2. Answer:a,f 214. You are the administrator of your network. Your server uses an IP address of 131.107.2.2 to support Internet users, and 10.1.1.2 to support an intranet application. You want to permit FTP and allow access to shared folders and other resources on the intranet. What should you do? (Choose two) a. Enable TCP/IP filtering. Permit only port 80 on the network adapter that uses the IP address of 131.107.2.2. b. Enable TCP/IP filtering. Permit only ports 21 and 20 on the network adapter that uses the IP address of 131.107.2.2. c. Permit all ports on the network adapter that uses the IP address of 131.107.2.2. d. Enable TCP/IP filtering. Permit only port 80 on the network adapter that uses the IP address of 10.1.1.2. e. Enable TCP/IP filtering. Permit only ports 21 and 20 on the network adapter that uses the IP address of 10.1.1.2. f. Permit all ports on the network adapter that uses the IP address of 10.1.1.2. Answer:b,f 215.
You install and configure both TCP/IP and NWLink IPX/SPX on a Windows 2000 Professional computer. Your network consists of Windows 2000 Servers, Windows NT Server 4.0, and NetWare 3.11 and 4.1 servers. You install the client software for both Microsoft and NetWare networks. But, when you attach the Windows 2000 Professional computer to the network, you are unable to see the NetWare 3.11 servers in My Network Places. You also cannot map drives by using either Microsoft-specific or NetWare-specific commands. What should you do? A. Edit the PktType value in the registry to include the hexadecimal values for both 802.3 and 802.2 frame types. Answer:a 216. You need to assign network ID numbers and host addresses to the computers in one of your branch offices. A single route to the branch office is advertised as 192.168.16.0/24. You must be able to add 2,000 additional computers to the branch. What steps must you take to be able to accommodate all computers in the branch, while taking advantage of route summarization? (Choose all that apply) a. In the branch office, add additional network ID numbers 192.168.17.0/24 - 192.168.23.0/24. b.Change the advertisement to the branch office to 192.168.16.0/20. Answer:a,b 217. Your network contains a Windows 2000 Server that has two network interfaces, East and West. Routing and Remote Access is enabled as a router on the server. Only the network segment connected to the West interface has a DHCP server hosted on a Windows 2000 Server. You want to allow computers on the East interface to receive IP addresses from the DHCP server. What should you do? (Choose all that apply) A. Configure the DHCP Relay Agent routing protocol to run on the East interface. B. Configure the DHCP Relay Agent routing protocol to use the IP address of the DHCP server as the server. Answer:a,b 218. Your network has ten segments connected by routers. Only four segments have Windows 2000-based WINS servers. 
Throughout the network are several NetBIOS b-node client computers. NetBIOS b-node clients cannot browse any other network segments, but are having no problems browsing their own. What should you do? A. On each segment, configure a computer as a WINS proxy. Answer:a 219. Your company has three offices, but plans to expand to six. You are replacing your bridge with two routers named Router1 and Router2 to accommodate increased traffic. To configure Router1, which routing entry should you add? a. Execute route add 172.16.64.160 mask 255.255.255.224 172.16.64.129 -p b. Execute route add 172.16.64.160 mask 255.255.255.240 172.16.64.129 -p c. Execute route add 172.16.64.96 mask 255.255.255.224 172.16.64.97 -p d. Execute route add 172.16.64.96 mask 255.255.255.240 172.16.64.130 -p e. Execute route add 172.16.64.96 mask 255.255.255.224 172.16.64.130 -p Answer:e 220. You are configuring your network to support an SNMP management application. The network is configured as shown (see exhibit). There are 2 subnets separated by a router: West.com: Servers 1, 2, 3, 4; Community name: West; 172.16.64.32 255.255.224.0; Gateway: 172.16.64.1. East.com: Servers 5, 6, 7, 8; Community name: East; 172.16.96.2 255.255.224.0; Gateway: 172.16.96.1. An SNMP management application is installed on server8 in the east.com domain. Even though the servers in the West.com domain have an identical SNMP setting, the application cannot manage any of the servers in the west.com domain. What should you do? a. Join servers 1, 2, 3 and 4 to the East.com subnet. b. Create a trust relationship between the two subnets c. Configure all servers to have the same community name d. Send an authentication trap property 172.16.96.1 on all SubnetB machines Answer:c 221. Routing and Remote Access is enabled on Router A in your network. Router A has a LAN interface that uses an IP address of 192.168.1.2. The only traffic that you want allowed into this interface is HTTP traffic.
You configure two input packets with the "Receive all packets except those that meet the criteria below" option, and specify the Destination Address of 192.168.1.2 for both filters, and Destination port of 80 for the first filter, and 443 for the second filter. You notice that other network traffic is still allowed into the router though the interface. What should you do? A. Configure the input packet filters to "Drop all packets except packets allowed by the filters". Answer:a 222. What two utilities should you use to determine the number of DNS requests submitted to a DNS server over both TCP and UDP? A. DNS console and System Monitor Answer:a 223. A user who uses a Windows 2000 Professional computer must access data on a server that requires communication using IPSec. The Event Viewer indicates the IPSec Policy Agent cannot be started. What should you do to insure that the IPSec Policy Agent is installed correctly on this computer? A. Remove and reinstall the TCP/IP protocol. Answer:a 224. You are configuring the Routing and Remote Access for remote access. You are requested to provide a record of everyone who will access the company network by Routing and Remote Access. What should you do to log all logon activity on the Routing and Remote Access Server? a. Enable log authentication requests in Remote Access Logging, on the Routing & Remote Access Server. b. Enable log accounting requests in Remote Access Logging, on the Routing & Remote Access Server. Answer:a 226. Your network consists of a single domain with three Windows 2000 domain controllers, and 1,000 Windows 2000 Professional workstations. You want to use digital certificates by installing your own CA. You must protect the root CA and the private key. You must also ensure that you can manage the Public Key Infrastructure. You want to accomplish the following goals: The server hosting the root CA will have maximum protection. The server hosting the root CA will certify other CAs and revoke certificates. 
All servers in the domain will be able to access the revocation status of all certificates in the Public Key Infrastructure . Certificate requests will be immediately processed. You take the following actions: Install a stand-alone root CA on a member server. Disconnect the member server, and place it in a secure and separate location. Which results do these actions produce? (Choose all that apply) A. The server that is hosting the root CA is protected from security breaches. B.The server hosting the root CA will certify other CAs and revoke certificates. Answer:A,B 227. Your company wants to be able to connect to its Web server to make credit card transactions. These transactions should be encrypted. You must assure the identity of the Web server when customers make online transactions . You must be able to support certificate-based logons for employees of your company who need access to private areas on your Web server. What should you do? A. Install a Subordinate Enterprise CA that uses a commercial CA as the parent. Answer:a 228. Your network consists of 50 Windows 2000 Server computers, 2,5000 Windows 2000 Professional computers, 3,000 Windows 98 computers and 50 UNIX servers. You have a single Windows 2000 domain. Users store data on their client computers and on the server. You have five subnets, and a sixth subnet connecting two BOOTP routers. You use DHCP to configure TCP/IP configurations. You want to accomplish the following goals: All users will be able to access resources on all servers. All users will be able to access resources on all clients. Network traffic between subnets will be minimized. You must allow for 100 percent growth over the next year with minimal reconfiguration. You take the following actions: Place all Windows 2000 Servers on Subnet 1. Place all UNIX servers on Subnet 2. Distribute clients evenly across Subnets 3, 4, and 5. Install the DHCP Server service on one of the Windows 2000 Servers, and configure a scope for each subnet. 
Install and configure DNS Server service on one of the Windows 2000 Servers. Configure all Windows-based computers to use DHCP. Subnet the network address space by using 255.255.248.0. Which results do these actions produce? (Choose all that apply) a. All users will be able to access resources on all servers. b. All users will be able to access resources on all clients. c. Network traffic between subnets will be minimized. d. You must allow for 100 percent growth over the next year with minimal reconfiguration. Answer: A, B 229. You are the network admin for Contoso. The network consists of three Windows 2000 domains (exhibit). To distribute administrative control of the DNS namespace, you use a single standard primary DNS zone to handle all name resolution for the three domains. Users report that name resolution for hosts in all three domains has been extremely slow. You want to correct this problem while still maintaining centralized administrative control. What should you do? a. Create a new primary zone for the East domain. Create a new primary zone for the West domain. b. Create a new secondary zone for the East domain. Create a new secondary zone for the West domain. c. Create a new Active Directory integrated zone for the East domain. Create a new Active Directory integrated zone for the West domain. d. Create a delegated zone for the East domain. Create a delegated zone for the West domain. Answer:b 230. Your network consists of a Windows 2000 Server and several Windows 2000 Professional computers. Your server has a dial-up connection to the Internet. Your Windows 2000 Professional computers are configured to use APIPA. There is no DHCP server on the network. You want to implement Internet Connection Sharing to allow the Windows 2000 Professional computers to access the Internet. How should you configure the server? (Choose all that apply) A. Enable Internet Connection Sharing on the dial-up connection of the server.
Configure the server to use APIPA for the LAN interface. Answer:a 231. You are the administrator for a Windows 2000 Server network. The network contains three Windows 2000 Server computers and 35 Windows 2000 Professional client computers. You want to accomplish the following goals: Install and enable Network Address Translation (NAT) on the network. Allow Internet users to access resources from the network. Install and enable Internet Connection Sharing. Configure dynamic IP addresses on the network. You perform the following actions: You configure a static IP address configuration on the resource server. You exclude the IP address used by the resource computer from the range of IP addresses allocated by the NAT computer. Configure a special port with a dynamic mapping of a public address and port number to a private address and port number. Which goal or goals are accomplished from these actions? (Choose all that apply.) a. Configure dynamic IP addresses on the network b. Install and enable Internet Connection Sharing c. Allow Internet users to access resources from the network d. Install and enable Network Address Translation (NAT) on the network Answer:A The NAT routing protocol for W2K includes a DHCP allocator and a DNS Proxy The NAT can use either static or dynamic mapping. A static mapping is configured so that traffic is always mapped a specific way. You could map all traffic to and from a specific private network location to a specific Internet location. For instance, to set up a Web server on a computer on your private network, you create a static mapping that maps [Public IP Address, TCP Port 80] to [Private IP Address, TCP Port 80]. Dynamic mappings are created when users on the private network initiate traffic with Internet locations. The NAT automatically adds these mappings to its mapping table and refreshes them with each use. Dynamic mappings that are not refreshed are removed from the NAT mapping table after a configurable amount of time. 
For TCP connections, the default time-out is 24 hours. For UDP traffic, the default time-out is one minute. 232. You are the administrator of a Web server hosted on the Internet that is running on a Windows 2000 Server computer. Your company's Web developers have developed applications that download ActiveX controls automatically to your customers' browsers. You discover that the default security settings on your customers' browsers are preventing the ActiveX controls from being downloaded automatically. You want to facilitate the downloading of ActiveX controls from your Web server to the Internet clients. What should you do? a. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for code signing b. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web developers to request a certificate for trust list signing. c. Install an Enterprise Subordinate Certificate Authority (CA) that uses a commercial CA as the parent. Create a policy on the CA that allows the Web developers to request a certificate for trust list signing d. Install an Enterprise Certificate Authority (CA). Create a policy on the CA that allows the Web developers to request a certificate for code signing Answer:a
- The standalone CA model: allows trust both within and outside your organization
- The enterprise CA model: your enterprise acts as its own CA
- The enterprise CA with subordinates: subordinate CAs for individual departments
- Standalone does not require AD
- Enterprise does require AD
A typical scenario is when a company decides to allow contractors and partners access to their intranet for cooperative design and development efforts. Often, this means they download software upgrades from their vendors. To do this securely requires:
- Client authentication, which means the server can identify and authenticate users.
- Certificates, which are needed for client authentication and access control.
- Access control, which determines which parts of the intranet a client can use.
- Code signing, which guarantees a known software publisher and intact code.
ActiveX supports code signing (security authentication) so that the user can verify the author of the control before allowing the control to download. 233. You are the administrator of a Windows 2000 network. Some of the members of your company's graphics department use Macintosh computers and are not using Internet Explorer as their browser. These users inform you that they cannot request valid user certificates from your Enterprise Certificate Authority (CA). You want to make it possible for these users to request certificates by using Web-based enrollment. What should you do? a. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to Basic Authentication b. In the Policy Settings container in the CA console for your CA, add a new Enrollment Agent certificate c. Edit the ACL on the user certificate template to grant the graphics department users enroll access d. In the Internet Information Services (IIS) console, access the properties for the CertSrv virtual directory. On the Directory Security tab, set the authentication type to Integrated Windows Authentication Answer:a 234. You are the administrator of a Windows 2000 network. Your network has one primary internal DNS server and one primary external DNS server. Your network has three secondary DNS servers that transfer zone information from the primary external DNS server. The secondary DNS servers are installed on two Windows 2000 Server computers and one Windows NT Server 4.0 computer. The primary external DNS server is used to host records for your company's Web and mail servers.
It has only a limited number of resource records in its zone file. The Web server and the mail server have static IP addresses. When you monitor the secondary DNS servers by using System Monitor, you notice a high number of hits when monitoring the counter DNS Zone Transfer SOA Requests Sent. You want to minimize the bandwidth that is required for this traffic. What should you do? (Choose two) a. Upgrade the Windows NT Server 4.0 computer that is hosting the secondary DNS server to a Windows 2000 Server computer b. Configure the notify list on the primary external DNS server to notify the secondary DNS servers when there are changes to be replicated. c. Reconfigure the primary external DNS server so that it does not allow dynamic updates d. Increase the value of the Refresh interval in the SOA (start of authority) record e. Decrease the value of the Refresh interval in the SOA (start of authority) record Answer:b,d Why: found on TechNet. I would go for "B" and "D". Why B: Zones update only when changes occurred. DNS notification implements a push mechanism for notifying a select set of secondary servers for a zone when it is updated. Servers that are notified can then initiate a zone transfer to pull zone changes from their master servers and update their local replicas of the zone. (Ref. Win2000ServerHelp) Why D: Increasing the refresh interval causes zone transfer traffic to occur more rarely... The SOA RR contains a stated refresh interval in seconds (by default, 900 seconds or 15 minutes) to indicate when the destination server should next request to renew the zone with the source server. When the refresh interval expires, an SOA query is used by the destination server to request renewal of the zone from the source server. (Ref. Win2000ServerHelp) As these are definite answers and only TWO are required, "A" is out of the game. 235. From a client running Windows 2000 Professional, you attempt to ping a UNIX host on your network.
You receive the following error message: "Unknown host computer4.company.com" You are not having connectivity problems with any other computers on your network. Eventually, you realize this message is due to the fact that you haven't registered the UNIX host with your DNS server. After adding the UNIX host to your DNS server, you still get the same error message. What step should you take next? a. Enter the command "ipconfig /registerdns" on the Windows 2000 Professional client to make sure that it is also registered in DNS. b. Check to make sure that the subnet mask is configured properly on your machine. Incorrect subnet mask configuration can often cause connectivity problems. c. Configure a default gateway for your Windows 2000 Professional client. d. Enter the command "ipconfig /flushdns" on the Windows 2000 Professional client to clear the DNS resolver cache. Answer:d
237. You are the admin of a large network consisting of four subnets: A, B, C and D. There are three workstations on every subnet. One workstation on Subnet B frequently uses resources from a machine on Subnet A. The other two workstations on Subnet B use resources located in Subnet C. What should you do? a. Configure a DHCP-scope for the two machines on Subnet B to use the router to connect to Subnet C. b. Create a reservation for the one machine and specify a DHCP scope option to use the router to connect to Subnet A. c. Configure a static route on the router for the machine in Subnet B that gets its resources from Subnet A and add that under DHCP-scope options for that DHCP-address reservation. d. Configure a static route on the router for the machines in Subnet B that get their resources from Subnet C, and add that under DHCP-scope options for that DHCP-scope. Answer:a,b Used by clients to specify their unique identifier to the server. This option type is most useful for reserved clients. When a reserved client contacts the server, the DHCP service can check and match the client's
identifier value to a corresponding identifier used to configure an address reservation in the server's database. When a matching reservation is found, the DHCP server returns the reserved address and its related parameters to the correct client.
238. Your company has four branch offices: Atlanta, Boston, New York and Dallas. There is a multicast address used for videoconferences and the like to deliver content to all four sites. Atlanta and Boston are right beside each other, connected by a router. There is a Sales videoconference held every Monday between Atlanta and Boston. How should you configure the router so that the Sales multicast video conferencing does not get broadcasted to all four branches? A. Configure TCP-filters on the router to block all multicast traffic. B. Create a static route for the Sales multicast broadcast on the router. Answer:b
239. You are the administrator of your company's network. Your primary internal DNS server is installed on a UNIX computer named ns1.contoso.com. The ns1.contoso.com server is configured to send zone transfers to a secondary DNS server installed on a Windows 2000 Server computer named ns2.contoso.com. The ns1.contoso.com server is also configured to send zone transfers to a DNS server installed on a Windows NT Server 4.0 computer named ns3.contoso.com. When you examine the records in the zone file on the ns2.contoso.com server, you notice that they do not match the records found on either the ns1.contoso.com server or the ns3.contoso.com server. What should you do to correct this problem? (Choose all that apply) a. Install the DNS Server service on a separate Windows 2000 Server computer on your network. b. Create sub zones on the UNIX DNS server. c. Delegate the sub zones that contain the SRV (service) records to a separate DNS server. d. Configure the primary DNS server so that only the root zone is transferred to the Windows 2000 DNS server. e.
Configure the WINS resource records so that they are not replicated to secondary name servers. f. Clear the Fail on load if bad zone data check box in the properties of the primary DNS server. g. Change the zone on the primary DNS server from an Active Directory integrated zone to a standard primary zone. Answer:a Sub Zones are for Subdomains. In Windows NT Server 4.0, Windows 2000, or later, the DNS service provides for the use of WINS lookup. This feature enables configured DNS zones to refer queries not answered from current zone information to a WINS server for further resolution. With this added search of the WINS namespace, both DNS and WINS are used to complete a full search of registered names for a matched response. WINS lookup is supported for both forward and reverse lookup zones and can be enabled on a per-zone basis or configured for selected zones. This feature should also be configured to prevent replication or zone transfer of WINS resource records to servers with other DNS implementations that do not recognize the WINS resource records.
To prevent loading of a zone when bad data is found:
1. Open DNS.
2. In the console tree, click the applicable DNS server. Where? DNS > applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the Fail on load if bad zone data check box, and then click OK.
UNIX DNS server contains non-RFC compliant characters. Some versions of UNIX permit the use of characters that cannot be recognized by a Windows NT DNS name server. Keep in mind that any zone files created and stored on UNIX DNS servers that use BIND need to be manually copied from those servers to the systemroot\System32\Dns folder on the computer running Windows 2000 Server and appropriately renamed. BIND zone files have a different naming convention from that used by DNS servers running under the DNS service provided in Windows operating systems.
240. Your network has two IP subnets.
Two domain controllers are located on subnet1. Each domain controller is also a DNS server hosting an Active Directory integrated zone. You implement WINS on a server on subnet2. Windows NT Workstations on subnet2 are receiving the following error: "Domain Controller cannot be located". Workstation users on subnet1 are not having the same problem, but are complaining about logon response times. No Windows 2000 Professional users report any problems. What must you do to ensure Workstation users on subnet2 can be validated, and improve Workstation users' response time on subnet1? A. Configure the Windows 2000 Server domain controller computers as WINS clients. Answer:a
241. You have mirrored the contents of an Intranet Web application on three Web servers that contain IIS. Using the fewest possible resources, how should you configure DNS to allow access to all Web servers in the event of a failure? a. Configure one DNS server so that it has one DNS zone. b. Enable Round Robin. c. Create an A (host) record for the application on each Web server's IP address. Answer: a,b,c
244. Routing and Remote Access is enabled for remote access to your member server. Users dial into the network by using their Windows 2000 Professional computers. Members of the Accounting group use smart cards for remote authentication. Their dial-in permission is set to Control access through Remote Access Policy. You create a new remote access policy named Accounting Access. It grants the Accounting group access any time of the day. It's the first policy on the list. When Accounting dials into the network, they report that they are unable to use the smart card for remote authentication. What should you do? a. Enable EAP on the member server and the Windows 2000 remote access clients. b. Enable EAP in the profile for the Accounting group remote access policy. Answer:a,b
245. Your network consists of one Windows 2000 domain running in native mode. You are not running Certificate Services.
Salespeople in the field require file and print services, e-mail, and access to the company's database. You have dedicated T1 access to the Internet. You use VPN. You want to accomplish the following goals: Required network resources will be available to all Accounting people. Only the Accounting people will be able to make connections to the network. Confidential data should not be compromised. Network access will only occur during business hours. All Accounting staff are able to simultaneously connect to the network. You take the following actions: Install Routing and Remote Access and configure virtual private networking. Grant the Accounting staff Allow Access dial-in permission. Edit the default remote access policy to grant remote access permission. Edit the default remote access profile to require strong encryption of data. What results do these actions produce? (Choose all that apply) a. Required network resources are accessible to all accounting people. b. Connections to the network are made by accounting people only. c. Sensitive company data is kept confidential over the VPN. Answer:a,b,c
246. To allow Internet access through a dial-up connection to Server A, you install NAT routing protocol. All computers in your network use Automatic Private IP addressing. There is no DHCP server on the network. How should you configure Server A to use the IP address range of 172.16.65.1 through 172.16.65.250? (Choose all that apply) a. Assign an IP address of 172.16.65.1 to the LAN interface of Server A. b. Configure the NAT routing protocol to automatically assign addresses in the range of 172.16.65.2 through 172.16.65.250 to computers on the private interface. Answer:a,b
247. You have four Windows 2000 Professional computers and two Windows 2000 servers. Pro1 can ping 172.16.96.1. Pro4 can ping 172.16.64.1. All Windows Professional computers can communicate with each other, but WS1 cannot ping WS2.
Segment A 172.16.64.1: WS1, IP address 172.16.71.32, subnet mask 255.255.224.0, default gateway 172.16.64.1
Segment B 172.16.96.1: WS2, IP address 172.16.86.76, subnet mask 255.255.224.0, default gateway 172.16.96.1
What should you do to ensure WS1 communicates with WS2? a. Change the subnet mask of the network to 255.255.240.0 b. Change the subnet mask of the network to 255.255.192.0 c. Change the IP address of work1 to 172.16.63.32 d. Change the IP address of work1 to 172.16.103.76 Answer:d
248. All your client computers receive their IP address information from the DHCP server on your network. Users on Pro4 access most of their resources from computers on Segment A. Users on Pro5 access their resources from computers on Segment C.
SegA 172.16.128.1 (Rtr-A) 172.16.64.2 SegB 172.16.64.1 (Rtr-B) 172.16.96.1
SegA: Pro1, Pro2. SegB: Pro4, Pro5, DHCP svr. SegC: Pro6, Pro7.
How should you configure your DHCP server to issue gateway addresses to Pro4 and Pro5 to offer optimum access time? (Choose two) A) Create a reservation for Pro4. Configure the router option that has the value of 172.16.64.2. B) On the DHCP server scope for SegmentB, configure the router option of 172.16.64.1 Answer:a,b
250. Your network is configured as follows:
WS1 172.30.1.39; WS2 172.30.1.40; Router interface1 172.30.1.1, interface2 172.30.2.1; svr1 172.30.2.10; subnet mask for all 255.255.255.0
The route print command from WS1 is displayed as follows:
Network Destination   Netmask           Gateway       Interface
0.0.0.0               0.0.0.0           172.30.1.39   172.30.1.39
127.0.0.1             255.0.0.0         127.0.0.1     127.0.0.1
172.30.1.0            255.255.255.0     172.30.1.39   172.30.1.39
172.30.1.39           255.255.255.255   127.0.0.1     127.0.0.1
172.30.255.255        255.255.255.255   172.30.1.39   172.30.1.39
224.0.0.0             224.0.0.0         172.30.1.39   172.30.1.39
255.255.255.255       255.255.255.255   172.30.1.39   172.30.1.39
A. Change the default gateway on WS1 Answer:a
252. Your network consists of three subnets that are connected by a BOOTP enabled router. DHCP automates the TCP/IP configuration of your Windows 2000 Professional clients. The DHCP server is configured with a scope for each subnet.
Users on Subnet2 and Subnet3 periodically cannot access network resources. During high network usage times, client computers on the remote subnets are being configured with addresses in the range of 169.254.0.0, an invalid range. What should you do? A. Install a DHCP server on each remote subnet, and configure a subnet-specific scope. Answer:a
253. You are configuring your users' portable computers to allow users to connect to the company network by using Routing and Remote Access. You test the portable computers on the LAN and verify that they can successfully connect to resources on the network by name. When you test the connection through RRAS, all of the computers can successfully connect, but they cannot access files on computers which are on different segments by using the computer names. What should you do to resolve this problem? a. Configure TCP/IP filters on the RRAS server to allow TCP/IP traffic to pass. b. Install the DHCP Relay Agent on the RRAS server. c. Configure the RRAS server with a static IP address. d. Create A (Host) record for the RRAS server in DNS. Answer:b
254. You are the administrator of the contoso.com domain. Your network environment consists of a main office and two branch offices. The branch offices are connected to the main office by 256-Kbps leased lines. You have a single DNS zone, and all DNS servers are located at the main office. All servers on your network are running Windows 2000 Server. Your network is not connected to the Internet. Users report that response times are extremely slow when they attempt to access intranet resources. When you monitor the network, you discover that DNS name resolution queries are generating heavy traffic across the WAN links. You want to accomplish the following goals: Name resolution traffic across the WAN links will be reduced. Response times for name resolution queries will be reduced. Administrative overhead for DNS maintenance will be minimized. Current DNS namespace design will be maintained.
You take the following actions: Increase the refresh interval for zone transfers. For each branch office, create a new Windows 2000 domain in the same tree as the first domain. Install a DNS server and create a new standard primary DNS zone for each new Windows 2000 domain. Configure each DNS server to forward requests to the other DNS servers on the network. Add resource records for each office's local intranet resources to the local zone files. Configure client computers in the branch offices to query their local DNS servers only. Which result or results do these actions produce? (Choose all that apply) a. Name resolution traffic across the WAN links is reduced. b. Response times for name resolution queries are reduced. c. Administrative overhead for DNS maintenance is minimized. d. Current DNS namespace design is maintained. Answer:a,b,d (Troytec says A only) contoso.com (parent) with Branch1.contoso.com and Branch2.contoso.com beneath it. Install a DNS server (in contoso.com?) create at the new DNS server Primary DNS zone, but the last one states that the client computers query their local DNS server. Every new primary DNS server is the authority over its own namespace. So forwarding is necessary. Increase zone transfer is only from primary to secondary. Let's assume there are local primary DNS servers in the branch office. That's a new DNS Namespace. So D is right. With additional DNS server, administrative overhead is not minimized. So C is wrong. Has to be A-B-D.
255. You are the administrator for your company's weconsult.com domain. Your network consists of a main office and two branch offices. The branches are connected to the main office by 256 Kbps leased lines. You have a single Domain Name System (DNS) zone. All DNS servers are at the main office. All servers are Windows 2000 Server computers. Your network is not connected to the Internet. Users report that response times are extremely slow when they attempt to access resources on the intranet.
When you monitor the network, you discover that DNS name resolution queries are generating heavy traffic across the Wide Area Network (WAN). You want to accomplish the following goals: Name resolution traffic across the WAN will be reduced. Response times for name resolution queries will be reduced. Administrative overhead for DNS maintenance will be minimized. Current DNS namespace design will be maintained. You take the following actions: Create a new secondary DNS zone at each branch office. Use the primary zone at the main office as the master zone. Increase the refresh interval for zone transfers. Configure the client computers to query their local DNS servers. Which goal or goals are accomplished from these actions? (Choose all that apply.) a. Name resolution traffic across the WAN will be reduced. b. Response times for name resolution queries will be reduced. c. Administrative overhead for DNS maintenance will be minimized. d. Current DNS namespace design will be maintained. Answer:a,b,c,d A is right. B is right. C is right because secondary DNS zones are read-only zones and do not need administrative attention. D is right because secondary DNS servers are read only and do not alter the namespace.
256. You are the administrator of a large network. At the moment you are using IP 207.200.16.0/24 for multicasting purposes. Your CEO wants to add 2000 PCs to your network, and make sure the current subnet can deal with an extra 2000 workstations. Should you: a. add another subnet ranging from 207.200.17.0 - 207.200.24.0 b. add another subnet ranging from 207.200.33.0 - 207.200.48.0 c. change the advertisement branch IP to 207.200.16.0/20 d. add another subnet ranging from 207.200.16.0/22 - 207.200.16.0/23 Answer:a,c 20 = 4096 hosts 207.200.16.0/20 207.200.32.0/20 207.200.48.0/20
257. Your network is configured as follows: ACCT1 ACCT2 MGM1 Prod1 Router --- Internet Sale1 Sale2 Prod2. The Accounting computers do not need access to the Internet.
You want to accomplish the following goals: - All communication involving ACCT1 and ACCT2 should be encrypted. - Internet communications should not be encrypted. - Communications between the Sales and Management clients should be encrypted. - Performance overhead for encryption should be minimized. You take the following actions: Create the following OU structure: Sales, Comp, Acct. Add Acct1 and Acct2 to the Acct OU. Add Sale1 and Sale2 to the Sale OU. Add all other computers to the Comp OU. Assign the default Secure Server IPSec Policy to the domain. Which results do these actions produce? (Choose all that apply) a. All communication involving ACCT1 and ACCT2 should be encrypted. b. Internet communications should not be encrypted. c. Communications between the Sales and Management clients should be encrypted. d. Performance overhead for encryption should be minimized. Answer:a,b,c
258. Your network consists of three segments connected by a router. Each segment contains one Windows 2000 Server. London is a DHCP server that provides TCP/IP configuration to all clients in the three segments. The DHCP server has three scopes, one for each segment. The lease duration is eight days for all three scopes. You want to move the DHCP Server from London to Bristol. You take the following actions: On London, stop and disable the DHCP Server service. On Bristol, install, authorize, and stop the DHCP Server service. Copy the entire Systemroot\system32\dhcp folder from London to Bristol. You want to configure Bristol to use the scope information and the lease address currently in use by the Windows 2000 Professional computers. What should you do next on Bristol? (Choose two) a. Start the DHCP server and reconcile all scopes. b. Use the registry editor to restore the DHCP registry configuration from the Systemroot\system32\dhcp\backup location. Answer:a,b
259. Routing and Remote Access is enabled for remote access to your member server.
Users dial into the network by using their Windows 2000 Professional computers. Members of the Accounting group use smart cards for remote authentication. Their dial-in permission is set to Control access through Remote Access Policy. You create a new remote access policy named Accounting Access. It grants the Accounting group access any time of the day. It's the first policy on the list. When Accounting dials into the network, they report that they are unable to use the smart card for remote authentication. What should you do? a. Enable EAP on the member server and the Windows 2000 remote access clients. b. Enable EAP in the profile for the Accounting group remote access policy. Answer:a,b