70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
1. You are the administrator of your company's network. The network consists of a single
Windows 2000 domain. The network has Windows 2000 Server computers, Windows 2000
Professional computers, and Windows NT Workstation 4 computers distributed
across two IP subnets as shown in the exhibit. (Click the Exhibit button.) Two
Windows 2000 domain controllers are located on Subnet1. Each domain controller
is also a DNS server hosting an Active Directory integrated zone. You implement
WINS for NetBIOS name resolution on your network. WINS is installed on a server
on Subnet2. Users of the Windows NT Workstation 4 computers on Subnet2 report
that they are receiving the following error message: "Domain Controller cannot be
located." Subsequently, these users cannot be validated on the network. Windows
NT Workstation 4 users on Subnet1 are not experiencing this problem. However,
they do report that response times for logon requests are extremely slow. None
of the Windows 2000 Professional users on either subnet report these problems.
You want to ensure that Windows NT Workstation 4 users on Subnet2 can be
validated. You also want to improve logon request response time for users on
Subnet1.
What should you do?
A. Configure the router to forward NetBIOS broadcast packets
B. Configure the Windows NT Workstation 4 computers as DNS clients in the
existing zone
C. Configure the Windows NT Workstation 4 computers as WINS clients
D. Configure the Windows 2000 Server domain controller computers as WINS
clients
Answer: D
2. You manage a network of 1,500 Windows 2000 Professional computers, all
configured to use Dynamic Host Configuration Protocol (DHCP). You decide to
implement Windows Internet Name Service (WINS) on your network for NetBIOS name
resolution.
You set up a Windows 2000 Server computer and install the WINS service. You want
to configure the client computers to use WINS.
What is the easiest way to do this?
A. Configure the DHCP server with the 138 UDP/netbios option only
B. Configure each client with the address of the WINS server manually
C. Configure the DHCP server with options 44 WINS/NBNS and 46 WINS/NBT
D. Configure the DHCP server with the 137 TCP/netbios and 138 UDP/netbios
option
Answer: C
3. Your domain has a Windows 2000 member server computer named Srv1. Routing and
Remote Access and CHAP are enabled for remote access on Srv1. You have also
configured the appropriate remote access policy to use CHAP. However, users who
require CHAP report that they are not able to dial in to Srv1. What should you
do?
A. Configure Srv1 to disable LCP extensions
B. Configure clients to use MS-CHAP for dial-in
C. Configure Srv1 to use SPAP for dial-in
D. Disable "Mutual authentication" on Srv1
Answer: A
4. Your network has a main office and one branch office. You use PPTP to connect
the main office to the branch office.
What is the strongest possible level of data encryption for the connection?
A. MS-CHAP v2
B. MSCHAP
C. PAP
D. EAP
Answer: A
5. You are the administrator of your company's network. Your network is
configured as shown in the exhibit. (Click the Exhibit button.)
Your company has an intranet Web application named appz that utilizes resources
on Internet Information Services (IIS).
For performance reasons, your company mirrors the content of appz on three Web
servers: IIS1, IIS2, and IIS3. You want to configure your network to allow
access to the other Web servers in the event of failures. You want to configure
DNS by using the fewest possible resources.
What should you do?
A. Configure one DNS server so that it has one DNS zone.
Enable Round Robin.
Create an A (host) record for appz for each Web server's IP address.
B. Configure one DNS server so that it has one DNS zone.
Disable Round Robin.
Create an A (host) record for appz for each Web server's IP address.
C. Configure three DNS servers so that each has one DNS zone.
Enable Round Robin.
Add an A (host) record for appz for each Web server on each DNS server.
D. Configure three DNS servers so that each has one DNS zone.
Disable Round Robin.
Add an A (host) record for appz for each Web server on each DNS server.
Answer: A
6. You are the administrator of your company's network. The network consists of
a single IP subnet that uses DHCP to automate client computer configuration. You
install a WINS server on the network. Users report that the network response
time is slow. You discover that the levels of broadcast traffic have not been
reduced. When you view the WINS database, you also find that the only entry is
for the WINS server itself. What should you do?
A. Configure the WINS server as a DHCP client computer
B. Configure the DHCP server as a WINS client computer
C. Configure a DHCP scope option to include the address of the WINS server
D. Configure static mappings on the WINS server for each client computer
E. Configure a reservation in the DHCP scope for the WINS server.
Answer: C
7. You are the administrator of a Windows 2000 network. The network consists of
a Windows 2000 Server computer named ServerA and 45 Windows 2000 Professional
computers. ServerA has a dial-up connection that connects to the Internet. To
allow all Windows 2000 Professional computers on the network to access the
Internet through the dial-up connection of ServerA, you install and configure
the Network Address Translation (NAT) routing protocol on ServerA. All Windows
2000 Professional computers in the network are configured to use Automatic
Private IP Addressing (APIPA). There is no DHCP server on the network. You want
to configure the network to use IP addresses in the range of 172.16.65.1 through
172.16.65.250 for ServerA and the 45 Windows 2000 Professional computers.
How should you configure ServerA to accomplish this goal? (Choose all that
apply.)
A. Assign an IP address of 172.16.65.1 to the LAN interface of ServerA.
B. Enable Internet Connection Sharing on the dial-up connection of ServerA.
C. Configure Routing and Remote Access on ServerA to automatically assign IP
addresses in the range of 172.16.65.2 through 172.16.65.250
to dial-in client computers.
D. Configure the NAT routing protocol on ServerA to automatically assign IP
addresses in the range of 172.16.65.2 through 172.16.65.250 to
computers on the private interface.
E. Configure the public NAT interface to use an address pool in the range of
172.16.65.2 through 172.16.65.250.
Answer: AD
8. You are the administrator of a Windows 2000 network. The network consists of
a Windows 2000 Server computer named Access1 and eight Windows 2000 Professional
computers. Access1 has a dial-up connection that connects to the Internet.
Access1 uses a static IP address of 10.1.6.1, a subnet mask of 255.255.0.0, and
no default gateway for the LAN adapter. The eight Windows 2000 Professional
computers use static IP addresses of 10.1.7.2 through 10.1.7.9, a subnet mask of
255.255.0.0, and no default gateway. To allow all Windows 2000 Professional
computers in the network to access the Internet through the dial-up connection
of Access1, you want to implement Internet Connection Sharing. How should you
configure the network to accomplish this goal? (Choose two.)
A. Enable Internet Connection Sharing on the dial-up connection of Access1.
B. Configure Access1 to use an IP address of 10.1.7.1.
C. Configure the eight Windows 2000 Professional computers to use a default
gateway of 10.1.6.1.
D. Configure the eight Windows 2000 Professional computers to use dynamic
TCP/IP addressing.
E. Configure Access1 and the eight Windows 2000 Professional computers to
use a subnet mask of 255.255.255.0.
Answer: AD
9. You have been given the network ID of 172.24.8.0/22 from your ISP. All of the
routers in your network use either RIP v2 or OSPF. Each of the two subnets you
will be creating will contain only 75 computers. You want to use the most
specific number of bits and the first two available network ID numbers in your
subnet mask. Drag and Drop question with the following Answer (choose 2).
a. 172.24.12.0/22
b. 172.24.16.0/22
c. 172.24.24.0/22
d. 172.24.8.128/25
e. 172.24.9.0/25
f. 172.24.16.0/25
Answer: DE
10. You are the administrator of a Windows 2000 network that has a main office
and one branch office. The company leases a 128-Kbps ISDN line to connect the
main office to the branch office. You configure Routing and Remote Access on a
stand-alone Windows 2000 Server computer in each office to provide a demand-dial
connection. You want to encrypt traffic over the ISDN connection, and you want
to prevent unnecessary connections over the ISDN line. What should you do?
A. Configure a PPTP demand-dial connection to connect the two offices over
the ISDN connection and ensure that data encryption is enabled.
Set the IP Demand Dial Filters to exclude NetBIOS broadcast traffic.
B. Configure a PPTP demand-dial connection to connect the two offices over the
ISDN connection and ensure that data encryption is enabled.
Set the IP Demand Dial Filters to exclude Remote Procedure Call traffic.
C. Configure an L2TP demand-dial connection to connect the two offices over the
ISDN connection.
Configure inbound and outbound filters to exclude all NetBIOS broadcast traffic.
D. Configure an L2TP demand-dial connection to connect the two offices over the
ISDN connection.
In the demand dial filter list, configure filters to exclude Remote Procedure
Call traffic.
Answer: A
11. You are the administrator of one standard primary DNS server and two
standard secondary DNS servers in a Windows 2000 domain. There are no other DNS
servers on the network. The domain includes Windows 2000 Professional computers
and Windows 98 computers. The DNS zones for the domain are configured to allow
for dynamic updates. All three DNS servers are located on domain controllers.
What should you do to allow client computers to be able to register with any DNS
server?
A. Change the zone type of the DNS zone for the Windows 2000 domain on all
three DNS servers to Active Directory integrated.
B. Change the settings on the standard primary DNS server to notify the two
standard secondary DNS servers when the zone is updated.
C. Change the settings on the standard primary DNS server to allow zone transfer
to only the two standard secondary DNS servers.
D. Change the dynamic update option on the standard primary DNS server to allow
only secure updates.
Answer: A
12. You are the administrator of your company's network. Your primary internal
DNS server is installed on a UNIX computer named ns1.contoso.com. The
ns1.contoso.com server is configured to send zone transfers to a secondary DNS
server installed on a Windows 2000 Server computer named ns2.contoso.com. The
ns1.contoso.com server is also configured to send zone transfers to a DNS server
installed on a Windows NT Server 4.0 computer named ns3.contoso.com. When you
examine the records in the zone file on the ns2.contoso.com server, you notice
that they do not match the records found on either the ns1.contoso.com server or
the ns3.contoso.com server.
What should you do to correct this problem? (Choose all that apply)
A. Install the DNS Server service on a separate Windows 2000 Server computer
on your network
B. Create subzones on the UNIX DNS server.
C. Delegate the subzones that contain the SRV (service) records to a separate
DNS server
D. Configure the primary DNS server so that only the root zone is
transferred to the Windows 2000 DNS server.
E. Configure the WINS resource records so that they are not replicated to
secondary name servers
F. Clear the Fail on load if bad zone data check box in the properties of the
primary DNS server
G. Change the zone on the primary DNS server from an Active Directory integrated
zone to a standard primary zone.
Answer: ABC
13. To allow Internet access through a dial-up connection to London, you install
a NAT routing protocol. All computers in your network use You have one DHCP and
your ISP has allocated 207.46.179.4-.7 to your network. How should you configure
these addresses?
A. RRAS policy
B. RRAS policy
C. Configure the LAN interface to use an address pool with a starting address of
207.46.179.4 and a mask of 255.255.255.252
D. Configure the public interface to use an address pool with a starting
address of 207.46.179.4 and a mask of 255.255.255.252
Answer: D
14. You are the administrator of a Windows 2000 network. The network consists of
two segments connected by a router. Each segment contains two Windows 2000
Server computers and 50 Windows 2000 Professional computers. The network has one
DHCP server that has active scopes for both segments. The IP addresses
configured in the two scopes are 10.65.1.0/24 for one segment and 10.65.2.0/24
for the other segment. The IP address of the DHCP server is 10.65.1.2. The
network is shown in the exhibit. (Click the Exhibit button.)
Users in the segment that does not have the DHCP server report that their
Windows 2000 Professional computers are using IP addresses in the range of
169.254.0.0/16. Windows 2000 Professional computers in the other segment use IP
addresses in the range of 10.65.1.0/24.
You want the Windows 2000 Professional computers in the segment that does not
have the DHCP server to automatically use IP addresses in the range of
10.65.2.0/24. How should you configure the network to accomplish this goal?
A. Enable and configure the DHCP Relay Agent service on the DHCP server.
B. Enable and configure the DHCP Relay Agent service on a server in the
segment that does not have the DHCP server.
C. On the DHCP server, configure a packet filter to receive IP packets that
use the BOOTP port.
D. On a server in the segment that does not have the DHCP server, configure a
packet filter to receive IP packets that use the BOOTP port.
Answer: B
15. You are the administrator of a Windows 2000 network. The network consists of
two Windows 2000 Server computers named ServerA and ServerB and 180 Windows 2000
Professional computers on one segment. ServerA has an IP address of 192.168.2.1.
ServerA is a DHCP server. The TCP/IP configuration of all the Windows 2000
Professional computers is provided by the DHCP server. The range of IP addresses
used at ServerA is 192.168.20/24. The lease time used is 15 days. You want to
change the IP addresses on the network from 192.168.20/24 to 10.178.0/24.
ServerB has an IP address of 10.178.1. You install another DHCP server on
ServerB. The range of IP addresses used at ServerB is 10.178.0/24. The lease time
used is 15 days. The network is shown in the exhibit. (Click the Exhibit button.)
To ensure compatibility, the two address ranges will be used concurrently on the
same segment for three months. Routing between the two address ranges is
provided by a router on the network. After you activate the DHCP scope on
ServerB, users report that they are unable to obtain a valid IP address. When
you investigate the problem, you discover that each of the two DHCP servers
responds with DHCP negative acknowledge (DHCPNAK) messages to leases requested
by the client computers. What should you do?
A. On the Windows 2000 Professional computers, disable Automatic Private IP
Addressing (APIPA)
B. On the Windows 2000 Professional computers, configure the DHCP client
computers to release the DHCP lease at shutdown.
C. On both DHCP servers, set the number of times the DHCP server should attempt
conflict detection to 0
D. On both DHCP servers, configure a superscope so that it has both address
ranges.
Define an exclusion range for the entire address range of 10.178.01/24 on
ServerA and of 192.168.20/124 on ServerB
E. On both DHCP servers, set scope option 031 Perform Router Discovery to 1
to enable the option on the Windows 2000 Professional computers.
Answer: D
16. You are the administrator of a Windows 2000 network. The network consists of
a Windows 2000 Server computer named SrvA and 30 Windows 2000 Professional
computers. SrvA has a dial-up connection that connects to the Internet. All
Windows 2000 Professional computers on the network are configured to use
Automatic Private IP Addressing (APIPA). There is no DHCP server on the network.
SrvA is configured to use an IP address of 192.168.0.1. Routing and Remote
Access and all the ports on SrvA are enabled for demand-dial routing. The
Network Address Translation (NAT) routing protocol is added. You want to allow
all Windows 2000 Professional computers on the network to access the Internet
through a translated demand-dial connection on SrvA.
How should you configure the network? (Choose four)
A. Create a new demand-dial interface for the local area connection
B. Create a new demand-dial interface for the dial-up connection
C. Add a public and a private interface to the NAT routing protocol
D. Configure the IP address of the Internet service provider (ISP) as the
default gateway on the private interface
E. Add a default static route that uses the public interface.
F. Configure the NAT routing protocol to enable network address translation
assignment and name resolution
G. Configure the public NAT interface with an address pool of 192.168.0.1
Answer: BCEF
17. You are the administrator of your company's network. Your network is
configured as shown in the exhibit. (Click the Exhibit button.)
You are configuring your Windows 2000 Server computer that runs Internet
Information Services (IIS). Your server uses the IP address of 131.107.2.2 to
support Internet users. Your server uses the IP address of 10.1.1.2 to support
an intranet application.
You want to configure your server to permit only Web communications from the
Internet. You also want to configure your server to allow access to shared
folders and other resources for users on the intranet.
What should you do? (Choose two.)
A. Enable a TCP/IP filter.
Permit only port 80 on the network adapter that uses the IP address of
131.107.2.2.
B. Enable a TCP/IP filter.
Permit only port 21 and port 20 on the network adapter that uses the IP address
of 131.107.2.2.
C. Permit all ports on the network adapter that uses the IP address of
131.107.2.2.
D. Enable a TCP/IP filter.
Permit only port 80 on the network adapter that uses the IP address of 10.1.1.2.
E. Enable a TCP/IP filter.
Permit only port 21 and port 20 on the network adapter that uses the IP address
of 10.1.1.2.
F. Permit all ports on the network adapter that uses the IP address of
10.1.1.2.
Answer: AF
18. You are the administrator of your company's network. Your network is
configured as shown in the exhibit. (Click the Exhibit button.)
You are configuring your Windows 2000 Server computer that runs Internet
Information Services (IIS). Your server uses the IP address of 131.107.2.2 to
support Internet users. Your server uses the IP address of 10.1.1.2 to support
an intranet application.
You want to configure your server to permit only FTP communications. You also
want to configure your server to allow access to shared folders and other
resources for users on the intranet.
What should you do? (Choose two.)
A. Enable a TCP/IP filter.
Permit only port 80 on the network adapter that uses the IP address of
131.107.2.2.
B. Enable a TCP/IP filter.
Permit only port 21 and port 20 on the network adapter that uses the IP address
of 131.107.2.2.
C. Permit all ports on the network adapter that uses the IP address of
131.107.2.2.
D. Enable a TCP/IP filter.
Permit only port 80 on the network adapter that uses the IP address of 10.1.1.2.
E. Enable a TCP/IP filter.
Permit only port 21 and port 20 on the network adapter that uses the IP address
of 10.1.1.2.
F. Permit all ports on the network adapter that uses the IP address of
10.1.1.2.
Answer: BF
19. You are the administrator of a Windows 2000 network. You need to assign
network ID numbers and host addresses to the computers in one of your company's
branch offices. A single route to the branch office is advertised as
192.168.16.0/21. The branch office has 150 computers on a single subnet of
192.168.16.0/24. However, the company wants to be able to add up to another
2,000 computers to the branch office. You want to be able to accommodate all
computers in the branch office, while also taking advantage of route
summarization.
Which steps should you take to achieve this goal? (Choose all that apply.)
A. In the branch office, add another route advertised as 192.168.32.0/22.
B. In the branch office, add additional network ID numbers 192.168.33.0/24 -
192.168.39.0/24.
C. In the branch office, add additional network ID numbers 192.168.17.0/24 -
192.168.23.0/24.
D. In the branch office, add additional network ID numbers 192.168.24.0/24 -
192.168.31.0/24.
E. Change the advertisement to the branch office to 192.168.16.0/20.
Answer: CDE (for 2150 computers you need 9 subnets, so 8 more – I think D will
give these 8; so AD)
20. You are the administrator of a Windows 2000 network. The network contains a
Windows 2000 Server computer named Dublin. Dublin has two network interfaces
named SideA and SideB. Routing and Remote Access is enabled as a router on
Dublin. Only the network segment connected to the SideA interface has a DHCP
server. The DHCP server is a Windows 2000 Server computer named ServerA. The
network is shown in the exhibit. (Click the Exhibit button.)
You want to allow computers on the segment connected to the SideB interface to
receive IP addresses from ServerA.
How should you configure Dublin to accomplish this goal? (Choose all that
apply.)
A. Create an IP tunnel to connect the SideA interface to the SideB interface.
B. Create a static route to the IP address of the SideB interface.
C. Configure the DHCP Relay Agent routing protocol to run on the SideA
interface.
D. Configure the DHCP Relay Agent routing protocol to run on the SideB
interface.
E. Configure the DHCP Relay Agent routing protocol to use the IP address of the
DHCP server as the server address.
F. Configure the DHCP Relay Agent routing protocol to use the port number of the
DHCP server.
Answer: DE
21. You are the administrator of a Windows 2000 network. The network consists of
a single domain that has three Windows 2000 domain controllers and 1,000 Windows
2000 Professional workstations. Your company wants to make use of digital
certificates by installing its own Certificate Authority (CA). You want to
protect the root CA and the private key. You also want to ensure that you are
able to effectively manage your company's Public Key Infrastructure.
You want to accomplish the following goals:
• The server that is hosting the root CA will have a maximum amount of
protection from any security breaches that could occur on the network.
• The server that is hosting the root CA will be able to certify other CAs and
revoke certificates.
• All the servers in your domain will be able to access the revocation status of
all certificates in your Public Key Infrastructure.
• Certificate requests made by users or computers in the domain will immediately
be processed and either granted or denied.
You take the following actions:
• On a member Windows 2000 Server computer connected to the network, install a
stand-alone root CA.
• Disconnect the server on which you installed the stand-alone root CA from the
network and place it in a secure and separate location.
Which result or results do these actions produce? (Choose all that apply.)
A. The server that is hosting the root CA has a maximum amount of protection
from any security breaches that could occur on the network.
B. The server that is hosting the root CA is able to certify other CAs and
revoke certificates.
C. All the servers in your domain are able to access the revocation status
of all certificates in your Public Key Infrastructure.
D. Certificate requests made by users or computers in the domain are immediately
processed and either granted or denied.
Answer: AB
22. You are the administrator of a Windows 2000 domain. The domain has six
Windows 2000-based Routing and Remote Access servers and two Windows 2000-based
Internet Authentication Service (IAS) servers named IAS1 and IAS2. The six
Routing and Remote Access servers use the two IAS servers to authenticate remote
access credentials. On IAS1, you change the remote access policies. You want to
ensure that this change is also enforced on IAS2. What should you do?
A. In the Active Directory Sites and Services console, force replication from
IAS1 to IAS2.
B. On IAS1, select Register Service in Active Directory. Repeat this command on
IAS2.
C. Use the Netsh command-line utility to copy the IAS configuration from IAS1
to IAS2.
D. Manually copy the Ras.mdb file from IAS1 to IAS2.
Answer: C
23. Your company has three offices, but plans to expand to six. You are
replacing your bridge with two routers named Router1 and Router2 to accommodate
increased traffic. To configure Router1, which routing entry should you add?
A. Execute route add 172.16.64.160 mask 255.255.255.224 172.16.64.129 -p.
B. Execute route add 172.16.64.160 mask 255.255.255.240 172.16.64.129 -p.
C. Execute route add 172.16.64.96 mask 255.255.255.224 172.16.64.97 -p.
D. Execute route add 172.16.64.96 mask 255.255.255.240 172.16.64.130 -p.
E. Execute route add 172.16.64.96 mask 255.255.255.224 172.16.64.130 -p.
Answer: A
24. You are configuring a Windows 2000 Professional computer as a client
computer in your company's network. The servers in the network consist of a mix
of Windows 2000 Server computers, Windows NT Server 4.0 computers, and NetWare
3.11 and 4.1 servers.
You install and configure both TCP/IP and NWLink IPX/SPX on the Windows 2000
Professional computer. You also install the client software for both Microsoft
and NetWare networks. When you attach the computer to the network, you can
communicate with all of the Windows-based servers and the NetWare 4.1 servers,
but you cannot see the NetWare 3.11 servers in My Network Places. You also
cannot map drives by using either Microsoft-specific or NetWare-specific
commands. What should you do to correct this problem?
A. Edit the NetworkNumber value in the registry to specify the network number
for the NetWare 3.11 servers.
B. Edit the NetworkNumber value in the registry to specify the network number
for the NetWare 4.1 servers.
C. Edit the NetworkNumber value in the registry to specify the network number
for both the NetWare 3.11 and the NetWare 4.1 servers.
D. Edit the PktType value in the registry to include the hexadecimal value for
the 802.2 frame type.
E. Edit the PktType value in the registry to include the hexadecimal value for
the 802.3 frame type.
F. Edit the PktType value in the registry to include the hexadecimal values
for both the 802.2 and 802.3 frame types.
Answer: F
25. You are the administrator of a mixed Windows NT 4.0 and Windows 2000
network. All of the Windows 2000 Server computers in your network are member
servers of a single Windows NT 4.0 domain. You want to use two of these servers
to test configurations of IPSec that are using the Kerberos authentication
protocol. What should you do?
A. On both servers, create a new IPSec policy.
Configure a rule so that it will not use a tunnel.
Specify shared secret key authentication.
Assign the new policy.
B. On one of your servers, install a stand-alone root Certificate Authority
(CA).
Create a digital certificate for both servers.
On both servers, create a new IPSec policy and specify the issued certificate
for authentication.
Assign the new policy.
C. On both servers, create a new IPSec policy.
Specify the tunnel end point as the IP address of the partner server and specify
a shared secret key to use for authentication.
Assign the new policy.
D. Promote one of the servers to a domain controller.
Assign the domain controller the default Secure Server IPSec policy.
Assign the other server the default Client IPSec policy.
Answer: D
26. You are configuring your users' portable computers to allow users to connect
to the company network by using Routing and Remote Access. You test the portable
computers on the LAN and verify that they can successfully connect to resources
on the network by name. When you test the connection through RRAS all of the
computers can successfully connect but they cannot access files on computers
which are on different segments by using the computer names. What should you do
to resolve this problem?
a. Configure TCP/IP filters on the RRAS server to allow TCP/IP traffic to pass
b. Install the DHCP Relay Agent on the RRAS server
c. Configure the RRAS server with a static IP address
d. Create A (Host) record for the RRAS server in DNS
Answer: B
27. You are the administrator of your company's network. You configure a Windows
2000 Server computer as the DNS server for your network. You create both
standard primary forward lookup and reverse lookup zones. You discover that when
you use the nslookup utility, you cannot resolve host names from IP addresses on
your network. You also discover that when you run the Tracert.exe utility, you
receive the following error message: "Unable to resolve target system name."
What should you do?
A. Create A (host) records in the forward lookup zone
B. Create A (host) records in the reverse lookup zone
C. Create PTR (pointer) records in the forward lookup zone
D. Create PTR (pointer) records in the reverse lookup zone
Answer: D
28. You are the administrator of your company's DNS server. Your company has two
Microsoft Exchange Server computers that are configured for sending and
receiving mail. The servers are named Ex1 and Ex2. Ex1 is configured to route
incoming Internet Mail. Ex2 is configured as a secondary source for incoming
Internet Mail. You want to configure your DNS server to route all incoming
Internet Mail to Ex1 and then to Ex2. What should you do to accomplish this
goal?
A. For Ex1, create an MX (mail exchanger) record that has a Mail server
priority of 10.
For Ex2, create an MX record that has a Mail server priority of 20.
B. For Ex2, create an MX (mail exchanger) record that has a Mail server
priority of 10.
For Ex1, create an MX record that has a Mail server priority of 20.
C. Create an MINFO (mail information) record that has Ex1 as the responsible
mailbox and Ex2 as the error mailbox.
D. Create an MINFO (mail information) record that has Ex1 as the responsible
mailbox and Ex2 as the error mailbox.
Answer: A
29. You are the administrator of your company's network. Your network is
configured as shown in the exhibit. (Click the Exhibit button.)
Your users utilize an application that performs frequent DNS queries. The DNS
Server service is installed on all three servers. Srv3 is the only DNS server
that has access to the Internet. You want to configure your DNS servers so that
they function with a minimum of administrative intervention. What should you do?
(Choose two.)
A. Configure Srv1 and Srv2 to forward.
B. Configure Srv3 to forward.
C. Disable recursion on Srv1 and Srv2.
D. Disable recursion on Srv3.
E. Enable recursion on Srv1 and Srv2.
F. Enable recursion on Srv3.
Answer: AC
30. Miller Textiles is planning to implement an intranet that employees can use
to place orders. Miller Textiles has a main office in Atlanta and regional
offices in Los Angeles, Miami, and New Orleans.
You want to accomplish the following goals:
• Configuration costs will be minimized.
• Each office will have the ability to manage its own DNS server's information.
• Each office will have the ability to create more subdivisions in its namespace
design.
• Time required for users to access information from their local resources will
be minimized.
• The number of Active Directory domain trees will be limited to one.
You take the following actions:
• Create four DNS zones named atlanta.com, la.com, miami.com, and no.com.
• Register all four DNS zones with InterNIC.
Which result or results do these actions produce? (Choose all that apply.)
A. Configuration costs are minimized.
B. Each office has the ability to manage its own DNS server's information.
C. Each office has the ability to create more subdivisions in its namespace
design.
D. Time required for users to access information from their local resources is
minimized.
E. The number of Active Directory domain trees is limited to one.
Answer: BCD
31. You are an administrator of the Contoso, Ltd., network. You are responsible
for a branch office location domain named seattle.contoso.com. You want to
automate the TCP/IP configuration of client computers in your domain. You
install the DHCP Server service on a Windows 2000 Server computer and configure
a scope for your network. Users report that they cannot access resources on the
network. You discover that your DHCP server is not authorized in Active
Directory. When you attempt to authorize your server, you receive the following
error message: "Access denied."
What should be done before you can authorize your DHCP server on the network?
A. You must be granted membership in the Domain Admins group in the local
domain.
B. You must be granted membership in the Enterprise Admins group at the
forest root.
C. Group Policy settings must be defined by the administrators at the forest
root domain to explicitly allow you to authorize a DHCP server.
D. Default Group Policy settings in your own domain must be defined to allow you
to authorize a DHCP server.
Answer: B
32. You are the administrator of your company's network. Your company has a
Windows 2000 domain installed. You installed the DHCP Server service, but you
did not configure it. Andrew is an employee at your company who belongs only to
the Domain User group. Andrew will be responsible for deciding where DHCP
servers should be placed on the network. When Andrew tries to authorize his
server, the server displays the following error message: "Access denied."
Andrew needs to have the ability to authorize only DHCP servers. What should you
do?
A. Add Andrew to the Schema Admins group.
B. Add Andrew to the DHCP Administrators group.
C. Delegate Control to Andrew on the NetServices system container in Active
Directory.
D. Delegate Control to Andrew on the Query-Policies system container in
Active Directory.
Answer: C
33. You are the administrator of your company's network. The network consists of
10 Windows 2000 Server computers, 100 Windows 2000 Professional computers, and
10 UNIX servers. To automate the configuration of client computers on the
network, you install and configure the DHCP Server service on a Windows 2000
Server computer. You also create a scope that contains the range of valid IP
addresses for your network. Users report receiving IP address conflict messages
when starting their computers. The Windows 2000 Server computers also display
conflict messages. You discover that the UNIX computers are starting to fail or
are not responding. What should you do?
A. Create reservations in the scope for the Windows 2000 Server computers.
B. Create reservations in the scope for the UNIX servers.
C. Exclude the range of static addresses in use by all of the servers in the
scope.
D. Exclude the range of addresses in use by all of the client computers in
the scope.
Answer: C
34. You are the administrator of your company's network. Your network is
configured as shown in the exhibit. (Click the Exhibit button.)
Windows 2000 Professional is installed on all computers. You install a DHCP
server on Segment B. You create a scope for each segment on your network. All of
your Windows 2000 Professional computers are configured as DHCP client
computers. When users on Segment A and Segment C start their computers, they
receive an improper IP address that begins with 169.254.0.0. You want to
configure computers on Segment A and Segment C to obtain IP addresses while
minimizing costs. What should you do?
A. Install a DHCP Relay Agent on Prof1 and Prof7.
B. Install the DHCP Server service on a computer on Segment A and a computer
on Segment C.
C. Create one superscope on the DHCP server.
D. Create the Multicast Scope on the DHCP server.
Answer: A
35. You are the enterprise administrator for a Windows 2000 domain that contains
Windows 2000 Professional computers. You install Windows 2000 DHCP server on a
member server in the domain. The DHCP server is located on the same network
segment as the Windows 2000 Professional computers. You create and activate a
DHCP scope for the network segment. The Windows 2000 Professional computers are
configured as DHCP client computers, but they do not receive IP addresses.
What should you do so that each DHCP client computer receives an IP address?
A. In the Device Manager console, start the DHCP service.
B. Move the DHCP server to the same site as the Windows 2000 Professional
computers.
C. In Active Directory, authorize the DHCP server.
D. Define a DHCP Option Class for the Windows 2000 Professional computers.
Answer: C
36. You are the enterprise administrator of a Windows 2000 network. The network
consists of six Windows 2000 domains in a domain tree. All the domains have
Windows 2000 Server computers and Windows 2000 Professional computers. The
TCP/IP configuration of the Windows 2000 Professional computers is provided by
DHCP servers. The DHCP servers are installed on Windows 2000 member servers in
the domains. You create a new universal security group named DHCP Authorize
Admins. You want to delegate the ability to authorize DHCP servers to members of
the DHCP Authorize Admins group. What should you do?
A. In each domain, place the DHCP Authorize Admins group in the DHCP
Administrators group.
B. In the DHCP console on one of the DHCP servers, select Manage authorized
servers and add the DHCP Authorize Admins group to the list.
C. Grant the DHCP Authorize Admins group Full Control permission on the
appropriate container object in Active Directory.
D. Grant the DHCP Authorize Admins group Full Control permission on the
Systemroot\system32\DHCP folder on each DHCP server.
Answer: C
37. You are the administrator of a Windows 2000 network. The network consists of
two Windows 2000 Server computers named Server1 and Server2, and 75 Windows 2000
Professional computers. Server1 is a DHCP server. The TCP/IP configuration of
all the Windows 2000 Professional computers is provided by the Server1 DHCP
server. Your company's technical-support personnel belong to the Helpdesk global
group. To allow the technical-support personnel to respond to support calls more
effectively, you want them to have only Read access to the DHCP console and the
DHCP leases information. What should you do?
A. Place the Helpdesk global group in the DHCP Users group.
B. Add the members of the Helpdesk global group to the built-in group named
Pre-Windows 2000 Compatible Access.
C. In the DHCP console on the Server1 DHCP server, select Manage authorized
servers and add the Helpdesk global group to the list.
D. On the Server1 DHCP server, grant the Helpdesk global group Read permission
on the Systemroot\system32\DHCP folder.
Answer: A
38. You are the administrator of a Windows 2000 network. The network consists of
one Windows 2000 Server computer named Paris and 60 Windows 2000 Professional
computers. Paris is a DHCP server. The TCP/IP configuration of all the Windows
2000 Professional computers is provided by the DHCP server. The DHCP server is
configured to use DHCP audit logging. A member of your company's security team
informs you that on a Friday afternoon two weeks ago, there was a potential
security breach on the network. You want to find out if there was an actual
security breach or if an error or malfunction on the DHCP server created the
appearance of a security breach. What should you do?
A. Check the Systemroot\system32\dhcp\DhcpSrvLog.Fri file on Paris for relevant
event codes from Friday two weeks ago.
B. Check the Event Viewer on Paris for events reported by the DHCP Server
service Friday two weeks ago.
C. Reconcile all DHCP scopes and check whether any inconsistencies occurred
Friday two weeks ago.
D. Check the DHCP database file to determine whether any corruption occurred
Friday two weeks ago.
Answer: B
39. You are the network administrator for Trey Research. Trey Research's network
consists of 90 client computers and 50 portable computers, all running Windows
2000 Professional. Only 20 of the users of the portable computers will ever be
in the office at the same time. To accommodate the number of users on the
network, Trey Research purchases a subnetted Class B subnet with a 25-bit mask.
All users need access to the Internet while in the office. How should you
configure DHCP?
A. Create two scopes that have different lease durations.
B. Create manual reservations for all portable computer users.
C. Create one scope that has two user classes, each with a different lease
duration.
D. Create one scope that has two vendor classes, each with a different lease
duration.
Answer: C
40. You are the administrator of your company's network. The network consists of
three network segments connected by a router as shown in the exhibit. (Click the
Exhibit button.)
You install the DHCP Server service on a Windows 2000 Server computer to
automate the configuration of client computers on your network. You create
scopes for each subnet's range of addresses and activate each scope. Users from
Subnet 2 and Subnet 3 report that they cannot connect to the network. Users from
Subnet 1 report no connectivity problems. You discover that computers on subnets
2 and 3 are not receiving a TCP/IP configuration from the DHCP server. What
should you do to resolve this problem?
A. Install the DHCP Relay Agent service on the DHCP server.
B. Install the DHCP Relay Agent service on a computer on each remote subnet.
C. Install the WINS Server service on a Windows 2000 Server computer and
configure the client computers to use WINS to find the DHCP server.
D. Install the WINS Proxy Agent service on a computer on each remote subnet.
E. Install the DNS Server service on a Windows 2000 Server computer and
configure the client computers to use DNS to find the DHCP server.
F. Install a DNS caching-only server on a computer on each remote subnet.
Answer: B
41. You are the enterprise administrator of a Windows 2000 domain. All client
computers in the domain are either Windows 98 computers or Windows 2000
computers. Your Windows 2000 users run an Internet application that must access
files from a Windows NT computer named WNT_101. None of your Windows 2000
computers can connect to WNT_101, but WNT_101 can connect to every Windows 2000
computer.
What should you do?
A. Release and renew the IP address of WNT_101.
B. Select the Enable updates for DNS clients that do not support dynamic
update check box.
C. Clear the Discard forward (name-to-address) lookups when lease expires
check box.
D. Set the DNS zone for the Windows 2000 domain to Active Directory Integrated
Primary.
Answer: B
42. You are the administrator of a Windows 2000 network. You have two Windows
2000 domain controllers in a single domain. Your primary DNS server is installed
on a domain controller named dc1.contoso.com. You have two secondary DNS servers
installed on member servers named srv1.contoso.com and srv2.contoso.com. You
want to increase fault tolerance for your DNS infrastructure. You also want to
optimize and simplify the management of replication and zone transfer on your
network. How should you accomplish these goals?
A. Promote the member servers that are hosting the DNS server to domain
controllers.
B. Add srv1.contoso.com and srv2.contoso.com to the notify list on the primary
DNS server.
C. Remove the DNS Server service from the member server.
Install the DNS Server service on the domain controller.
Convert the zone hosted by dc1.contoso.com to an Active Directory integrated
zone.
D. Set the Time to Live (TTL) value in the SOA (start of authority) record on
the primary DNS server to a low value.
Answer: C
43. You are the administrator of a Windows 2000 domain. The domain has a Windows
2000 member server computer named ServerA. Routing and Remote Access is enabled
for remote access on ServerA. ServerA uses an IP address of 10.1.2.50. The
domain also has a Windows 2000-based WINS server. The configuration of the IP
addresses that ServerA will assign to remote access client computers is shown in
the following dialog box. Users have Windows 2000 Professional portable
computers. When users are in the office, they connect directly to the network by
using their portable computers. When users are traveling, they dial in to the
network by using their portable computers.
Users report that when they dial in to ServerA by using their portable
computers, they are unable to access NetBIOS-based resources on the
network. They are able to access these NetBIOS-based resources when they are
directly connected to the network. You investigate this problem and discover
that the remote access client computers do receive an IP address in the static
pool from ServerA, but they do not receive WINS configuration information. What
should you do?
A. Configure the remote access client computers to use Automatic Private IP
Addressing (APIPA).
B. Configure the LAN interface of ServerA so that it has an IP address for
the WINS server.
C. Configure ServerA to use a different mask for the static address pool.
D. Configure ServerA to use DHCP to assign IP addresses to remote access client
computers.
Answer: B
44. You are the administrator of a Windows 2000 domain. The domain has a Windows
2000 member server computer named Antille1. Routing and Remote Access is enabled
for remote access on Antille1. Users in the domain dial in to the network by
using Windows 2000 Professional computers. You want to enable the dial-in Set by
Caller callback option for half of your users. To ensure that you can easily
manage this option, you create a new global security group named Callback Users.
You want to allow members of this group to supply a callback number when they
dial in to Antille1. What should you do to accomplish this goal?
A. In the Active Directory Users and Computers console, add the Callback
Users group to the RAS and IAS Servers group.
B. In the Active Directory Users and Computers console, configure the properties
of the Callback Users group by selecting the Set by Caller callback option.
C. Create a remote access policy that has the Callback Users group as a
condition.
Specify the Set by Caller callback privilege in the policy profile.
D. Create a remote access policy that has the Callback Users group and the Set
by Caller callback privilege as conditions.
Answer: C
45. You are the administrator of a Windows 2000 domain. The domain has a Windows
2000 member server computer named Madrid. Routing and Remote Access is enabled
for remote access on Madrid. Users in the domain dial in to the network by using
Windows 2000 Professional computers. The Windows 2000 Professional computers are
in the domain. You configure Routing and Remote Access to log authentication
requests. Analysis of the remote access log files shows that there is an
unusually high number of failed authentication attempts. You want to reduce the
risk of a successful password dictionary attack staged by users who dial in to
the remote access server. What should you do?
A. Configure an account lockout policy in the local Group Policy object (GPO) of
Madrid.
B. Configure an account lockout policy in a Group Policy object (GPO) assigned
to the domain.
C. In the registry of Madrid, specify the maximum number of remote access
authentication failed attempts a user can make before the user is denied access.
D. On Madrid, configure Routing and Remote Access to use MS-CHAP v2.
Answer: C
46. You are the administrator of a Windows 2000 domain. The domain has a Windows
2000 member
server computer named Moscow. Routing and Remote Access is enabled for remote
access on Moscow. You want to allow users in the domain to dial in to the
network by using Windows 2000 Professional computers. The Windows 2000
Professional computers are in the domain. You want to ensure that the remote
access client computers can positively confirm that they are dialing in to the
actual Moscow remote access server. How should you configure the network to
accomplish this goal?
A. Configure the Windows 2000 Professional computers and Moscow to only use
EAP-MD5 CHAP.
B. Configure the Windows 2000 Professional computers and Moscow to only use
MS-CHAP v2.
C. Configure the Windows 2000 Professional computers to use Remote
Authentication Dial-In User Service (RADIUS) for remote authentication.
D. In Active Directory, add Moscow to the RAS and IAS Servers group.
Answer: B
47. You are the administrator of a Windows 2000 domain. The domain has a Windows
2000 member server computer named Helsinki. Routing and Remote Access is enabled
for remote access on Helsinki. Users in the domain are able to dial in to the
network by using their Windows 2000 Professional computers. Your company has a
group named Sales. You want to allow members of the Sales group to use a smart
card for remote authentication. The dial-in permission for all users in the
Sales group is set to Control access through Remote Access Policy.
You create a new remote access policy named Sales Access. This remote access
policy grants remote access to members of the Sales group any time of the day.
This remote access policy is the first policy on the list of remote access
policies on Helsinki. Members of the Sales group are able to dial in to the
network, but they report that they are unable to use the smart card for remote
authentication. You want to ensure that members of the Sales group are able to
use the smart card authentication method. What should you do?
A. In Active Directory, add Helsinki to the Pre-Windows 2000 Compatible Access
group.
B. Enable EAP as an authentication method on the Helsinki remote access
server and the Windows 2000 remote access client computers.
Enable EAP in the profile of the Sales Access remote access policy.
C. For all members of the Sales group, select Store passwords using reversible
encryption.
D. For all members of the Sales group, configure the user account to be trusted
for delegation.
Answer: B
48. Routing and Remote Access is enabled for remote access to your member
server. Users dial into the network by using their Windows 2000 Professional
computers. Members of the Accounting group use smart cards for remote
authentication. Their dial-in permission is set to Control access through Remote
Access Policy. You create a new remote access policy named Accounting Access. It
grants the Accounting group access any time of the day. It's the first policy on
the list. When Accounting dials into the network, they report that they are
unable to use the smart card for remote authentication. What should you do?
(Choose all that apply)
A. Enable EAP on the member server and the Windows 2000 remote access
clients.
B. Enable EAP in the profile for the Accounting group remote access policy.
Answer: AB
49. You are the administrator of your company's network. You want to use the
Internet to connect your company's main office to a branch office. You install
Routing and Remote Access on both ServerA at the main office and ServerB at the
branch office. You want to ensure that traffic is encrypted and that it can be
routed between the main office and the branch office. Your solution must also
support persistent connections between the main office and the branch office.
What should you do?
A. Configure a demand-dial interface for L2TP on ServerA and ServerB.
Configure each interface on ServerA and ServerB to initiate and receive calls to
and from each other.
Configure each interface to require data encryption.
B. Configure a demand-dial interface for PPTP on ServerA and ServerB.
Configure each interface on ServerA and ServerB to initiate and receive calls to
and from each other.
Configure each interface to require data encryption.
C. Configure one server as a dial-up PPTP server and the other as a PPTP
dial-up client computer.
Configure the dial-up client computer to require data encryption.
D. Configure one server as a dial-up L2TP server and the other as an L2TP
dial-up client computer.
Configure the dial-up server to require data encryption.
Answer: B
50. You are the network administrator for your company. Your network has three
subnets connected by a router. The router is configured as follows:
Interface 0 - Subnet 0 - IP Address: 172.30.4.1 Subnet Mask: 255.255.255.0
Interface 1 - Subnet 1 - IP Address: 172.30.5.1 Subnet Mask: 255.255.255.0
Interface 2 - Subnet 2 - IP Address: 172.30.6.2 Subnet Mask: 255.255.255.0
Only Subnet 1 and Subnet 2 contain client computers. Subnets 1 and 2 each
contain a Windows 2000 DHCP server, which is responsible for assigning addresses
to client computers on the local subnet. The scopes are configured as shown in
Subnet 1 Scope Properties and Subnet 2 Scope Properties in the exhibit. (Click
the Exhibit button.)
Subnet 0 contains a Web server and provides connectivity to the Internet. Users
are experiencing connectivity problems. Computers on Subnet 1 can communicate
with any host on their own subnet, but cannot communicate with hosts on Subnet 0
or Subnet 2. Computers on Subnet 2 cannot communicate with hosts on Subnet 1,
but they are not experiencing any problems with connectivity to Subnet 0.
What should you do to correct this problem?
A. Modify the routing tables on the router to enable routing from Subnet 1 to
Subnet 0 and Subnet 2.
B. Modify the routing tables on each host on Subnet 1 to enable direct
connectivity to hosts on Subnet 0 and Subnet 2.
C. Delete and re-create the scope on the DHCP server on Subnet 1 to reflect
the correct subnet mask.
D. Delete and re-create the scope on the DHCP server on Subnet 2 to reflect
the correct subnet mask.
E. Delete and re-create the scopes on both DHCP servers to reflect the same
configuration information for each subnet.
Answer: C
51. You are the administrator of your company's network. Your network is
configured as shown in the exhibit. (Click the Exhibit button.)
The user of Workstation1 reports that he cannot access resources on Server1. You
discover that Workstation1 can communicate with any host on its own subnet. You
also discover that you can ping the router successfully. You cannot, however,
communicate with or ping hosts on the second subnet. Workstation2 is not
experiencing any problems.
You run the route print command on Workstation1 and see the following screen
output:
Active Routes:
Network Destination  Netmask          Gateway      Interface    Metric
0.0.0.0              0.0.0.0          172.30.1.39  172.30.1.39  1
127.0.0.0            255.0.0.0        127.0.0.1    127.0.0.1    1
172.30.1.0           255.255.255.0    172.30.1.39  172.30.1.39  1
172.30.1.39          255.255.255.255  127.0.0.1    127.0.0.1    1
172.30.255.255       255.255.255.255  172.30.1.39  172.30.1.39  1
224.0.0.0            224.0.0.0        172.30.1.39  172.30.1.39  1
255.255.255.255      255.255.255.255  172.30.1.39  172.30.1.39  1
What should you configure to resolve the communication failure at Workstation1?
A. the subnet mask on Workstation1
B. the subnet mask on Server1
C. the default gateway parameter at Workstation1
D. the default gateway parameter at Server1
Answer: C
52. You are the administrator of your company's network. Your network is
configured as shown in the exhibit. (Click the Exhibit button.)
Users on your network use an accounting application named appz that accesses
files on Work1. Users on Work2 are successful when accessing HTTP Web sites.
However, they cannot successfully run appz. You want Work2 to successfully run
appz. What should you do?
A. Enable NetBIOS over TCP/IP on Work2.
B. Configure Work2 as a WINS client.
C. Enable File and Printer Sharing for Microsoft Networks on Work2.
D. Run Nbtstat -RR on Work1.
Answer: A
53. You are the administrator of a Windows 2000 network. You assign TCP/IP
configurations to approximately 240 computers at one of your
company's branch offices. You manage the client configurations on these
computers by using DHCP. The branch office consists entirely of computers
running Windows 2000 Professional or Windows 2000 Server. Network traffic
reaches the branch office by using a router that advertises a single route of
192.168.8.0/23. There is only one subnet in use at the branch office. Part of
the network is shown in the exhibit. (Click the Exhibit button.)
The IP address on the branch office router's internal interface is 192.168.8.1.
The router at the branch office is a Windows 2000 Server
computer running Routing and Remote Access. Your company has recently upgraded
the network at the branch office to 100-Mbps Ethernet.
Your company is about to hire 40 people to work at the branch office. You need
to reconfigure the network and the branch office.
What should you do?
A. Add another route of 192.168.9.0/24 to the routing table of Router A.
For the new employees, configure their computers to have addresses on the
192.168.9.0/24 subnet.
B. Add another interface to the router at the branch office that has an IP
address of 192.168.9.1/23.
Place the computers for the new employees on the 192.168.9.0/23 subnet.
C. Change the subnet mask of all the client computers and the internal
interface on the router to 255.255.253.0.
Configure the new client computers so that they have addresses between
192.168.9.1 and 192.168.9.254.
D. Bind a second IP address to the internal interface on the router of
192.168.9.1/24.
Add an additional scope including the address range 192.168.9.1 through
192.168.9.254, and create a superscope.
Answer: C
54. You are the administrator of a Windows 2000 network. You install Routing and
Remote Access on a Windows 2000 Server computer. You use this server as a
demand-dial router to connect your company's main office to a branch office. You
use PPTP as your demand-dial protocol. To secure the server, you want to
configure packet filters so that the server will receive and send only PPTP
traffic on the external interface. To configure the packet filters, you capture
a PPTP session by using Network Monitor. Based on the traffic you capture by
using Network Monitor, you configure two input filters and two output filters in
Routing and Remote Access. The input and output filters are configured as
follows, and the Drop all packets except those which meet the specified criteria
check box is selected:
Input Filter 1:
Destination IP = IP address of external interface
subnet mask = 255.255.255.255
protocol = TCP
destination port = 1723
Input Filter 2:
Destination IP = IP address of external interface
subnet mask = 255.255.255.255
protocol = TCP [established]
destination port = 1723
Output Filter 1:
Source IP = IP address of external interface
subnet mask = 255.255.255.255
protocol = TCP
source port = 1723
Output Filter 2:
Source IP = IP address of external interface
subnet mask = 255.255.255.255
protocol = TCP [established]
source port = 1723
When you implement these filters, you find that the server cannot establish a
demand-dial connection with its partner demand-dial router.
You want your server to be able to establish a demand-dial connection with its
partner demand-dial router. You also want your server to be able to drop all
packets except those that are necessary for PPTP. What should you do?
A. Remove Input Filter 2 and Output Filter 2.
B. In the input filters, set the source port to 1903. In the output filters, set
the destination port to 1903.
C. In the input filters, set the source port to 0. In the output filters, set
the destination port to 0.
D. Add an input and output filter for protocol number 47.
Answer: D
55. You are the administrator of your company's network. Your company has TCP/IP
installed on all of its computers. You want your Web server to be able to access
files stored on a Windows 2000 Server computer. What should you do to secure
your Web server?
A. Create a TCP/IP filter to only allow port 21 and port 20.
B. Create a TCP/IP filter to only allow port 80.
C. Create a TCP/IP filter to only allow protocol 6.
D. Create a TCP/IP filter to only allow protocol 6 and port 80.
Answer: B
56. You are the administrator of your company's network. Your network consists
of 6,000 computers in one Windows 2000 domain. Your company has two offices. One
office is located in New Orleans, and one office is located in Seattle. The
domain controllers for the domain reside in Seattle. Two of your users in the
New Orleans office install an atomic clock application from the Internet. These
users then report that they can no longer log on to the domain from their
computers. To correct the problem, you remove the application from their
computers. However, these users report that they still cannot log on to the
domain. What should you do to correct the problem?
A. Change the time zone on the computers in the New Orleans office.
B. Enable the computer accounts from Active Directory for computers in the New
Orleans office.
C. Select the Automatically adjust clock for daylight saving changes check box
for computers in the New Orleans office.
D. Restart the machines in the New Orleans office.
Answer: D
57. You are the administrator of your company's network. Your network consists
of 15 Windows 2000 Server computers, 100 Windows 2000
Professional computers, and one NetWare server. Your users need to access the
Sys: volume on the NetWare server. You want your company's
administrators to have complete access to the Sys: volume. You want all other
users to have read-only access. You configure Gateway Service for NetWare on a
Windows 2000 Server computer. You want to configure the appropriate access to
the NetWare server.
What should you do? (Choose two.)
A. To the NTGateway Group on the NetWare server, add the user accounts that need
access to the NetWare server.
B. To the NTGateway Group on the Windows 2000 Server computer, add the user
accounts that need access to the NetWare server.
C. To the NTGateway Group on the NetWare server, add the NT Gateway User
Account.
D. To the NTGateway Group on the Windows 2000 Server computer, add the NT
Gateway User Account.
E. On the Windows 2000 Server computer, grant Full Control permission to
administrators and Read permission to users.
Answer: CE
58. You are the administrator of a Windows 2000 network. You establish a virtual
private network (VPN) by using PPTP to connect your company's main office to its
one branch office. You configure a multihomed server in each location to use
PPTP to connect to the other location's server over the Internet. You want to
ensure that your PPTP routers send and receive only PPTP packets to and from
each other. You also want to ensure that only PPTP-encapsulated traffic is
accepted by the public interface for the VPN connection. What should you do?
A. - On the PPTP interface listed under Routing Interfaces in the Routing and
Remote Access console, select Set IP Demand Dial Filters.
- In the filter list, configure filters to allow only PPTP protocol traffic.
B. - On the interfaces listed under IP Routing/General in the Routing and
Remote Access console, select the properties of the network interface used for
the PPTP connection.
- Configure filters to allow only PPTP protocol traffic.
C. - In the advanced properties of the TCP/IP protocol for the network adapter
used for the PPTP connection, configure filters to allow only
PPTP protocol traffic.
D. - On the interfaces listed under IP Routing/General in the Routing and Remote
Access console, select the properties of the PPTP connection.
- Configure filters to allow only PPTP protocol traffic.
E. - In the advanced properties of the TCP/IP protocol for the network adapter
used for the PPTP connection, assign the Secure Server IPSec
policy.
Answer: B
59. You are the administrator of the contoso.com domain. To secure
communications, you apply the default Client IPSec policy to all client
computers, and you apply the default Secure Server IPSec policy to a server
named ServerA. You discover that client computers cannot make a connection to
ServerA. Client computers experience no problems connecting to one another. When
you ping ServerA's fully qualified domain name (FQDN) from a client computer,
you receive the following error message: "Unknown host SrvA.contoso.com."
However, when you ping ServerA's IP address, the ping is successful. You want to
resolve this problem while maintaining as high a level of security as possible
on ServerA. What should you do?
A. On ServerA, add entries to the hosts file that map host names to the IP
addresses of other computers.
B. On ServerA, create a custom IPSec policy that exempts ICMP traffic between
itself and the DNS server.
C. On ServerA, create a custom IPSec policy that exempts DNS traffic between
itself and the DNS server.
D. On the DNS server, add entries to the hosts file that map ServerA's host
name to its IP address.
Answer: C
60. You are the administrator of a Windows 2000 network that has a main office
and one branch office. You use PPTP to connect the main office to the branch
office. You want to verify that the strongest possible level of data encryption
is supported for the connection.
What should you do?
A. In the Routing and Remote Access consoles, verify that the dial-in profile
used to establish the connection between the two offices allows only MS-CHAP.
B. In the properties of the Routing and Remote Access server objects in the
Routing and Remote Access consoles, verify that the Extensible Authentication
Protocol is using MD5-CHAP.
C. In the properties of the PPTP interfaces in the Routing and Remote Access
consoles, verify that MS-CHAP v2 is being used as the authentication method.
D. In the properties of the PPTP interfaces in the Routing and Remote Access
consoles, verify that Password Authentication Protocol (PAP) is being used as
the authentication method.
Answer: C
61. You are the administrator of a Windows 2000 network. Your company has a
partnership with another company that requires you to install a third-party
groupware client/server application. The client/server application needs to be
installed on a Windows 2000 Server computer so
that the application is accessible from your intranet and the Internet. The
built-in Web server component of the client/server application must be available
from both the intranet and the Internet. The client/server application must also
be able to replicate data with another instance of the client/server application
in the partner company. You want to provide the highest level of security for
this server to protect it from any external traffic other than HTTP and
application-specific protocols. What should you do?
A. - Install the client/server application on a server on your intranet.
- On a Windows 2000 Server computer that is running Routing and Remote Access
and is connected to your intranet and the Internet, install
the Network Address Translation (NAT) IP routing protocol and a NAT interface.
- Configure NAT to translate addresses on your intranet to public addresses on
the Internet.
- Configure the Routing and Remote Access server to drop all packets from
external computers except HTTP and those that are required for
the application and Routing and Remote Access.
B. - Install the client/server application on a server on your intranet.
- On a Windows 2000 Server computer that is running Routing and Remote Access
and is connected to your intranet and the Internet, install
the Network Address Translation (NAT) IP routing protocol and a NAT interface.
- Configure NAT to translate addresses on your intranet to public addresses on
the Internet.
- On the NAT interface, configure a port to allow incoming traffic for the TCP
port number of the third-party groupware application.
C. - Install two network adapters in a Windows 2000 Server computer that is
hosting the client/server application.
- Verify that IP Forwarding is disabled.
- In the properties for the Internet connection in Network and Dial-up
Connections, clear the File and Print Sharing for Microsoft Networks
check box.
D. - Install two network adapters in a Windows 2000 Server computer that is
hosting the client/server application.
- Install and configure Routing and Remote Access.
- In the Routing and Remote Access console, enable filtering on the Internet
adapter.
- Configure inbound and outbound filters to drop all packets except HTTP and
those required for the application itself.
Answer: D
62. You are the administrator of a Windows 2000 network. You configure custom
IPSec policies on your Windows 2000 Server computers. You monitor the IPSec
security associations between one of your servers, ServerA, and two other
servers in your network. You notice that ServerA occasionally uses only
Authentication Header (AH) instead of Encapsulating Security Payload (ESP) for
the IPSec security association when it is communicating with the other servers.
You want ServerA to always use ESP when it is communicating with other servers
that are IPSec-enabled. You also want all IPSec-enabled servers to be able to
communicate with non-IPSec-enabled computers. What should you do?
A. Assign ServerA the default Server IPSec policy.
B. Assign ServerA the default Server IPSec policy and remove any filter
actions for AH.
C. Assign ServerA the default Secure Server IPSec policy.
D. On all the IPSec-enabled computers on your network, reconfigure the order of
the filter actions so that any filter actions that allow AH are at
the bottom of the filter action list. Assign each of the servers the default
Secure Server IPSec policy.
E. Assign all of the Windows 2000 Server computers on your network the default
Client IPSec policy.
Answer: B
63. You are the administrator of your company's network. Your company has
recently upgraded to a Windows 2000 domain. Your company has also upgraded all
computers to Windows 2000 Professional computers. Your company wants to ensure
that all data sent from its servers is
encrypted. You assign the default Secure Server IPSec Policy to your domain
controller and the default Client IPSec Policy on your DNS server. After you
assign these policies, users report that they can no longer log on to the
domain. You want to ensure that users can log on to the domain. What should you
do?
A. On the domain controller, assign the default Server IPSec Policy.
B. On the DNS server, assign the default Secure Server IPSec Policy.
C. On the DNS server, assign the default Server IPSec Policy.
D. On all Windows 2000 Professional computers, assign the default Client
IPSec Policy.
Answer: D
64. You are the administrator of your company's network. Your company's network
is configured as shown in the exhibit. (Click the Exhibit button.) Your company wants
to secure communications by ensuring authorship of all network communications.
You need to configure an IPSec policy that can verify authorship and limit
performance degradation. What should you do?
A. Assign the default Client IPSec Policy to the domain.
B. Assign the default Server IPSec Policy to the domain.
C. Assign the default Secure Server IPSec Policy to the domain.
D. Create a custom IPSec policy that has the filter action security method
set to Negotiate and the preference order set to Medium.
Assign the policy to the domain.
E. Create a custom IPSec policy that has the filter action security method
set to Negotiate and the preference order set to High.
Assign the policy to the domain.
Answer: D
65. You are the administrator of your company's network. Your company's
accounting department and human resources department have computers running
Windows 2000 Professional.
You assign the default Server IPSec Policy to the accounting department.
You enable the default Client IPSec Policy for the human resources department.
You want to confirm that the IPSec policy assigned to the accounting department
and the human resources department is working correctly. What should you do?
A. Execute the IPSecPol utility on a computer in the human resources department.
B. Open the security event log on a computer in the human resources department.
C. Execute the IPSecMon utility on a computer in the accounting department.
D. Open the system event log on a computer in the human resources
department.
Answer: C
66. You are the administrator of your company's network. The network consists of
12 subnets connected by three routers. The network contains 1,200 Windows 2000
Server computers and 15,000 Windows 2000 Professional client computers. All
client computers have file and print services installed for workgroup
collaboration purposes. You install two WINS servers on the same subnet on your
network for NetBIOS name resolution. Users report that during times of high
network traffic they cannot access resources based on client computers on other
subnets. However, they can access resources on the server computers or on client
computers on the same subnet. The problem usually disappears within one or two
hours. You check the event logs on the WINS servers and discover that there are
a large number of rejected name registrations and name resolution requests
during the times of high network utilization. What should you do to resolve this
problem?
A. Configure the WINS servers as push replication partners with one another.
B. Configure the WINS servers as pull replication partners with one another.
C. Move one of the WINS servers to a less-utilized subnet.
D. Move both WINS servers to a less-utilized subnet.
E. Configure burst handling on the WINS servers to use the High setting.
F. Disable burst handling on the WINS servers.
Answer: E
67. You are the administrator of your company's network. The network consists of
two subnets connected by a router. The network has Windows 2000 Server computers
and Windows NT Server 4.0 computers. On one subnet, the network also has three
UNIX computers that run a legacy database application. The UNIX computers are
running SMB client and server software. All client computers are running Windows
2000 Professional. You are using WINS for NetBIOS name resolution on your
network. The database application requires access to data resources stored on a
Windows 2000 Server computer. Users on both subnets need access to the
application. You want to reduce broadcast traffic for name resolution between
the UNIX servers and the Windows 2000 Server computer, and between client
computers and the UNIX servers. Which two actions should you take to accomplish
this goal? (Choose two.)
A. Create static mappings in the WINS database for the UNIX computers.
B. Create static mappings in the WINS database for the Windows 2000 Server
computers.
C. Configure a computer as a WINS proxy agent on the subnet containing the
database client computers.
D. Configure a computer as a WINS proxy agent on the subnet containing the
UNIX servers.
E. Add a WINS server to the second subnet and configure replication between
the two WINS servers.
Answer: AD
68. You are the administrator of a Windows 2000 network. The network has 400
WINS client computers and five Windows 2000-based WINS servers. Most of the WINS
client computers are portable client computers, and they frequently connect to
the network at different locations. To support this environment, you want to
configure the WINS servers to replicate changes in the local WINS database to
other WINS servers. You want this replication to occur after every 10 new
registrations or IP address change registrations.
How should you configure the network to accomplish this goal?
A. Configure the WINS servers to enable automatic partner configuration.
B. Configure the WINS servers to automatically update statistics.
C. Configure the WINS servers to use persistent connections for push
replication partners. Set the number of changes before replication to 1.
D. Configure the WINS servers to enable burst handling. Set the number of
requests for burst handling to 1.
Answer: C
69. You are the administrator of a Windows 2000 network for your company. The
company has a main office in Atlanta and branch office locations in Boston,
Chicago, and Dallas. The three branch office locations are connected to the
Atlanta location by means of Windows 2000-based routers. All four locations have
a Windows 2000-based DHCP server. The network is shown in the exhibit. (Click
the Exhibit button.)
Each Friday, the Atlanta location hosts a multicast video presentation that is
broadcast to all four locations. The Atlanta location also
frequently hosts multicasting video presentations intended for the sales staff
in the Atlanta and Boston locations only. You want to ensure that
these sales staff multicasting video presentations are not sent to the Chicago
and Dallas locations. You assign specific IP multicast addresses for use with
the sales staff multicasting video presentations.
How should you configure the network to prevent the forwarding of the sales
staff multicasting video presentations to the Chicago and Dallas locations?
A. Configure a multicast scope boundary for the sales IP multicast addresses
on the Chicago and Dallas interfaces of the Atlanta router.
B. Configure the DHCP servers to provide a multicast scope for the sales IP
multicast addresses.
At the Chicago and Dallas locations, configure the scope to use a Time to Live (TTL)
of 0.
At the Atlanta and Boston locations, use the default multicast TTL.
C. Configure the network connections to the Chicago and Dallas locations to use
TCP/IP filtering.
Do not permit network traffic that has IP multicast addresses.
D. On the central router, configure a static route for the sales IP multicast
addresses.
Use the router IP address at the Boston location as the gateway for this static
route.
Answer: A
70. You are the administrator of a Windows 2000 network. The network consists of
a Windows 2000 Server computer named ServerA and 30 Windows 2000 Professional
computers. ServerA has a permanent cable modem connection to the Internet. To
allow all Windows 2000 Professional computers to receive IP multicast traffic
from the Internet, you install and configure the Internet Group Management
Protocol (IGMP) routing protocol on ServerA. You have not defined any input or
output packet filters on the network interface on ServerA. The configuration of
the interfaces of the IGMP routing protocol is shown in the following window.
Users on the network report that they are unable to receive IP multicast traffic
from IP multicasting sources on the Internet.
How should you configure ServerA to allow users to register to receive IP
multicasting traffic?
A. Configure a multicast scope boundary that has an IP address of 224.0.0.0 and
a mask of 224.0.0.0.
B. Configure the Cable Modem to Internet interface to run in IGMP proxy mode.
C. Configure the LAN interface to run in IGMP proxy mode.
D. Configure all interfaces of the IGMP routing protocol to listen to multicast
heartbeat group 224.0.0.1.
Answer: B
71. You have four Windows 2000 Professional computers and two Windows 2000
Server computers. Pro1 can ping 172.16.96.1. Pro4 can ping 172.16.64.1. All
Windows 2000 Professional computers can communicate with each other, but WS1
cannot ping WS2.
Segment A: 172.16.64.1
WS1: IP address 172.16.71.32, subnet mask 255.255.224.0, default gateway 172.16.64.1
Segment B: 172.16.96.1
WS2: IP address 172.16.86.76, subnet mask 255.255.224.0, default gateway 172.16.96.1
What should you do to ensure WS1 communicates with WS2?
A. Change the subnet mask of the network to 255.255.240.0
B. Change the subnet mask of the network to 255.255.192.0
C. Change the IP address of work1 to 172.16.63.32
D. Change the IP address of work1 to 172.16.103.76
E. Change the IP address of work2 to 172.16.103.76
Answer: E
72. You are the administrator of a Windows 2000 network. The network consists of
a Windows 2000 Server computer named Ras1 and 18 Windows 2000 Professional
computers. Ras1 has a dial-up connection that connects to the Internet. All
Windows 2000 Professional computers in the network are configured to use
Automatic Private IP Addressing (APIPA). The network does not contain a DHCP
server or a DNS server.
To allow all Windows 2000 Professional computers on the network to access the
Internet through the dial-up connection of Ras1, you install and configure the
Network Address Translation (NAT) routing protocol on Ras1. You decide to use IP
addresses in the range of 10.5.1.0 with a subnet mask of 255.255.255.0 for all
computers in the network. The IP addresses of the Windows 2000 Professional
computers are assigned automatically. Ras1 uses an IP address of 10.5.1.1. Users
on your network inform you that when they try to use the connection to the
Internet, they are not able to access Internet resources by using an Internet
browser. However, they are able to ping IP addresses on the Internet.
How should you configure the network to resolve this problem?
A. Configure the Windows 2000 Professional computers to use IP addresses in the
range of 192.168.0.0 with a subnet mask of 255.255.255.0.
B. Configure the Windows 2000 Professional computers to use an IP address of
10.5.1.1 as preferred DNS server.
C. Configure the NAT routing protocol to resolve IP addresses for client
computers that use DNS.
D. Configure the NAT routing protocol as a WINS proxy.
Answer: C
73. You are the administrator of a Windows 2000 network. Users in your company
need to be able to use their home computers to securely access the private area
on the company Web site. You decide to issue client certificates from your
Enterprise Certificate Authority (CA). Users will install the client
certificates in their computers at home. The users will have to request the
certificates by using their home computers
confidentially and without compromising the security of your network. Your
Enterprise CA is behind a firewall, so you place the Enterprise CA Web pages
that will be used for the certificate request on a computer that is accessible
from the Internet. You want to ensure that users can use their home computers to
request certificates from your Enterprise CA without compromising the security
of your network. You also want to ensure that you can implement your solution by
using a minimum of administrative overhead. What should you do? (Choose two.)
A. On the Directory Security tab for the certificate server Web pages, ensure
that the check boxes for anonymous access, basic authentication, and digest
authentication are cleared.
- Select the Integrated Windows NT Authentication check box.
B. On the Directory Security tab for the certificate server Web pages, ensure
that the check boxes for anonymous access, digest authentication, and integrated
Windows NT authentication are cleared.
- Select the Basic Authentication check box.
C. Create a certificate for the Web site that hosts the certificate server Web
pages.
On the Directory Security tab for the certificate server Web pages, select the
options to require secure channel and to accept client certificates.
D. In Active Directory Users and Computers, create a certificate for each of the
user accounts.
On the Directory Security tab for the certificate server Web pages, map the
certificates to the user accounts.
E. Create a certificate for the Web site that hosts the certificate server Web
pages.
On the Directory Security tab for the certificate server Web pages, select the
options to require secure channel and to require client certificates.
Answer: BC
74. You are the administrator of a Windows 2000 network. You discover that the
hard disk of the Windows 2000 Server computer that hosts your Certificate
Authority (CA) is showing signs of failure. Specifically, your certificate log
has become corrupt, and the certificate service will not start. You want to
export the CA's certificate to use as the basis for re-creating your CA on
another computer on your network. In an MMC console on your certificate server,
you add the snap-in to manage certificates.
What else should you do to export the CA's certificate?
A. Select the option to manage certificates for your user account.
In the personal certificate store, locate the certificate of the administrator
who created the CA.
Export the certificate along with the private key as a .pfx file to a floppy
disk.
B. Select the option to manage certificates for the computer account.
In the personal certificate store, locate the certificate that matches the name
of the CA.
Export the certificate along with the private key as a .pfx file to a floppy
disk.
C. Select the option to manage certificates for the service account.
Select the option to manage certificates for Certificate Services.
In the Trusted Root Authorities for the service, locate the certificate that
matches the name of the CA.
Export the certificate as a Base-64 encoded X.509 (.cer) file to a floppy disk.
D. Select the option to manage certificates for the computer account.
In the Trusted Root Authorities for the computer, locate the certificate that
matches the name of the CA.
Export the certificate as a Base-64 encoded X.509 (.cer) file to a floppy disk.
Answer: B
75. You are the administrator of a Windows 2000 network. You use certificates as
the basis for IPSec policy negotiation between computers.
These certificates are ones you requested from your offline stand-alone root
Certificate Authority (CA). You decide to enable the strongest level of
Certificate Revocation List (CRL) checking on the computers that use IPSec. When
you enable CRL checking, IPSec policy negotiation fails on your network. You
verify that the certificates you are using for your IPSec policy negotiation
have not been revoked. You believe there is a problem with the availability of
the CRL. You want to discover what is causing the failure of IPSec policy
negotiation, but you do not want to disable CRL checking. What should you do?
A. Open the console that manages the certificates for the local computer.
In the personal certificate store for the local computer, locate the certificate
issued for IPSec by the stand-alone root CA.
Locate the URL that points to the location of the CRL by viewing the properties
of the certificate.
Use a Web browser to attempt to connect to the URL.
B. In the CA console on your stand-alone root CA, view the properties of the
CA.
In the X.509 extensions for the policy module, locate the URL that points to the
CRL.
Use a Web browser to attempt to connect to the URL.
C. Open the console that manages the certificates for the local computer.
Locate the certificate for the stand-alone root CA in the Trusted Root
Certification Authorities container.
View the properties of the certificate to locate the URL that points to the
location of the CRL.
Use a Web browser to attempt to connect to the URL.
D. In the CA console on your stand-alone root CA, view the properties of the CA.
In the X.509 extensions for the policy module, view the LDAP path to the CRL.
Open Active Directory Sites and Services.
In the services node, navigate to the path indicated in the policy module for
the CA and verify that the CRL object is present.
Answer: A
76. You are the administrator of a Windows 2000 network for Parnell Aerospace.
Parnell Aerospace has a partnership with Trey Research. The network
administrator for Trey Research is Amy Jones. You and Amy decide to secure
communication between the two companies by using IPSec custom policies that are
configured to use certificate-based authentication. You have a stand-alone root
Certificate Authority (CA) named ca1.parnellaerospace.com. Amy must use this CA
to request a certificate for use with IPSec. However, Amy informs you that she
cannot configure an IPSec policy to use the certificate she requested from
ca1.parnellaerospace.com.
What should Amy do to request a certificate for use with IPSec? (Choose all that
apply.)
A. Connect to the page for Web-based enrollment.
Select the Advanced Request option.
Select the option to submit a request to the CA by using a form.
B. Connect to the page for Web-based enrollment.
Select the Advanced Request option.
Select the option to submit either a certificate request that uses a base64
encoded PKCS #10 file or a renewal request that uses a base64
encoded PKCS #7 file.
C. In the Key Options dialog box, select the Client Authentication
Certificate option.
Select Exchange as the Key Usage option.
Select the option to use the local machine store.
D. In the Key Options dialog box, select the Server Authentication
Certificate option.
Select Signature as the Key Usage option.
Select the option to enable strong private key protection.
E. Install the certificate.
Verify that the personal certificate store for the local computer contains the
certificate.
Verify that the Trusted Root Certificate Authorities folder contains an entry
for the Parnell Aerospace CA.
F. Install the certificate.
Verify that the personal certificate store for the IPSec policy agent service
contains the certificate.
Verify that the Trusted Root Certificate Authorities folder contains an entry
for the Parnell Aerospace CA.
Answer: ACE
77. You are the administrator of a Windows 2000 network. Your Public Key
Infrastructure consists of an offline root Certificate Authority (CA) and a
number of subordinate CAs. Your company is selling one of its divisions. This
division has a subordinate CA that it uses to issue certificates. You want to
ensure that once the division is sold, applications and other CAs on your
network will not accept the former division's certificates. You also want to
ensure that you can implement your solution by using a minimum amount of
administrative effort.
What should you do?
A. On the division's subordinate CA, revoke all the certificates it has issued.
Publish the Certificate Revocation List (CRL) to a server on your network.
Uninstall the CA software and remove the CA files.
B. On the company's root CA, revoke the certificate of the division's
subordinate CA.
Publish the Certificate Revocation List (CRL).
Copy the EDB.LOG file from the root CA to its Certification Distribution Point
on your network.
C. On the division's subordinate CA, revoke the certificates it has issued.
Publish the Certificate Revocation List (CRL).
Copy the EDB.LOG file from the subordinate CA to the Certification Distribution
Point on your network.
Disconnect the CA from the network.
D. On the company's root CA, revoke the certificate of the division's
subordinate CA.
Publish the Certificate Revocation List (CRL).
Copy the CRL file to the Certificate Distribution Point on your network.
E. On the division's subordinate CA, revoke the certificates it has issued.
Publish the Certificate Revocation List (CRL).
Copy the CRL file to the Certificate Distribution Point on your network.
Disconnect the CA from the network.
Answer: D
78. You are the administrator of a Windows 2000 network that uses Encrypting
File System (EFS) to encrypt sensitive files. To protect the
recovery keys that you would use to decrypt files if your users lost their keys,
you want to remove them from your computer.
What should you do?
A. From the personal certificate store, export to a floppy disk the recovery
certificate that has the private key.
B. From the personal certificate store, export to a floppy disk the encryption
certificate that has the private key.
Delete the encryption certificate from the personal certificate store.
Select the option that will delete the private key from the certificate if the
export is successful.
C. In the Group Policy console, go to the Encrypted Data Recovery Agents
container.
Select the encryption certificate and export it along with the private key to a
floppy disk.
Select the option that will delete the private key from the certificate if the
export is successful.
D. In the Group Policy console, go to the Encrypted Data Recovery Agents
container.
Select the encryption certificate and export it along with the private key to a
floppy disk.
Delete the encryption certificate.
Answer: A
79. You are the administrator of a Windows 2000 network that uses Encrypting
File System (EFS) to encrypt sensitive files. To protect the
recovery keys that you would use to decrypt files if your users lost their keys,
you want to remove them from your computer. In an MMC console, you add the
snap-in to manage certificates. What else should you do to remove the recovery
keys?
A. Select the option to manage certificates for the computer account.
From the personal certificate store, export to a floppy disk the recovery
certificate that has the private key.
Select the option that will delete the private key from the certificate if the
export is successful.
B. Select the option to manage certificates for the computer account.
From the personal certificate store, export to a floppy disk the encryption
certificate that has the private key.
Delete the encryption certificate from the personal certificate store.
C. Select the option to manage certificates for your user account.
From the personal certificate store, export to a floppy disk the recovery
certificate that has the private key.
Select the option that will delete the private key from the certificate if the
export is successful.
D. Select the option to manage certificates for your user account.
From the personal certificate store, export to a floppy disk the encryption
certificate that has the private key.
Delete the encryption certificate from the personal certificate store.
Answer: C
80. You are the administrator of a Windows 2000 network. The administrators of
your company's Human Resources organizational unit (OU)
want to be able to manage Encrypting File System (EFS) for the users in their
department. The administrators of the human resources department belong to a
group named HRAdmins, which has full administrative privileges to the OU. To
make it possible for the members of HRAdmins to manage EFS for the users in
their department, you install an Enterprise Certificate Authority (CA) for use
by the entire company. However, the administrators of the human resources
department notify you that they are unable to create a Group Policy that allows
them to manage EFS for their department.
What should you do to enable the administrators of the Human Resources OU to
create a Group Policy to manage EFS for the users in their department? (Choose
two.)
A. Install a Subordinate Enterprise CA for use by the human resources
department.
B. In the Certification Authority console for the CA, add a new policy
setting for an EFS Recovery Agent certificate.
C. In the Certification Authority console for the CA, add a new policy
setting for a Basic EFS certificate.
D. In Active Directory Sites and Services, grant the Enroll permission to the
HRAdmins for the Enrollment Agent Certificate Template.
E. In Active Directory Sites and Services, grant the Enroll permission to the
HRAdmins group for the EFS Recovery Certificate Template.
F. In Active Directory Sites and Services, grant the Enroll permission to the
HRAdmins group for the EFS Certificate Template.
Answer: BE
81. You are the administrator of your company's WAN. The network consists of
10 internal subnets in two physical sites connected by routers as shown in the
exhibit. (Click the Exhibit button.)
You have an additional subnet that is configured for access to the Internet. The
routers on the network will be multihomed Windows 2000 Server computers running
Routing and Remote Access.
You want to accomplish the following goals:
• Administrative overhead for configuration of routing tables on each router
will be minimized.
• Broadcast traffic for configuration of routing tables on each router will be
minimized.
• In the event of a router failure, link redundancy within 10 minutes will be
ensured.
• Convergence times of less than one minute for all known routes on all routers
will be ensured.
• Internal routing information will never be exposed to external routers.
(a) You take the following actions:
• Install RIP version 1.
• Configure RIP to use all interfaces on all multihomed computers.
• Enable RIP authentication by specifying a password on each interface.
(b) You take the following actions:
• Install the Open Shortest Path First (OSPF) protocol.
• Set a non-default OSPF zone password.
• Configure OSPF to use all interfaces on all multihomed computers in a single
registered zone.
(c) You take the following actions:
• Install the Open Shortest Path First (OSPF) protocol.
• Configure OSPF to use all interfaces on all non-Internet-connected routers.
• Configure OSPF to use only the internal interfaces on the Internet-connected
router.
• Configure a static route on the Internet-connected router for the
Internet-connected interface.
Which result or results do these actions produce? (Choose all that apply.)
A. Administrative overhead for configuration of routing tables on each router is
minimized.
B. Broadcast traffic for configuration of routing tables on each router is
minimized.
C. In the event of a router failure, link redundancy within 10 minutes is
ensured.
D. Convergence times of less than one minute for all known routes on all routers
are ensured.
E. Internal routing information is never exposed to external routers.
If a, Answer: ACE
If b, Answer: BCDE
If c, Answer: BCD
(Three similar questions; note the difference in "You take the following actions:".)
82. Your main office and two branch offices are connected by dedicated T1 lines.
Two additional branch offices use 128-Kbps ISDN lines and Routing and Remote
Access over the Internet to connect to the company's network. You are designing
your DNS name resolution environment.
You want to accomplish the following goals:
• DNS name resolution traffic across the WAN links will be minimized.
• DNS replication traffic across the WAN links will be minimized.
• DNS replication traffic across the public WAN links will be secured.
• Name resolution performance for client computers will be optimized.
(a) You take the following actions:
• Install the DNS Server service on one domain controller at each office.
• Create an Active Directory integrated zone on each DNS server at each office.
• Configure client computers to query their local DNS server.
• Configure the zones to allow dynamic updates.
(b) You take the following actions:
• Install the DNS Server service on one server at each office.
• Create a standard primary zone at the main office.
• Create a standard secondary zone at the four other offices.
• Configure client computers to query their local DNS server.
(c) You take the following actions:
• Install the DNS Server service on one server at each office.
• Create a standard primary zone at the main office.
• Create standard secondary zones at the two offices connected by T1 lines.
• Configure as caching-only servers the servers at the two offices connected by
ISDN lines.
• Configure client computers to query their local DNS server.
Which result or results do these actions produce? (Choose all that apply.)
A. DNS name resolution traffic across the WAN links is minimized.
B. DNS replication traffic across the WAN links is minimized.
C. DNS replication traffic across the public WAN links is secured.
D. Name resolution performance for client computers is optimized.
If a, Answer: ABCD
If b, Answer: AD
If c, Answer: ABC
(Three similar questions; note the difference in "You take the following actions:".)
83. You are the network administrator for a branch office of a large company.
Your network is connected to the company network by means of a Windows 2000
Routing and Remote Access two-way demand-dial connection over ISDN. In addition
to e-mail and application traffic, sensitive company data is transferred across
this connection.
You want to accomplish the following goals:
• All data transmitted over the connection will be secure.
• Rogue routers will be prevented from exchanging router information with either
router.
• Both routers in the connection will be able to validate each other.
• Both routers in the connection will maintain up-to-date routing tables.
• Traffic over the demand-dial link during peak business hours will be
minimized.
(a) You take the following actions:
• Install a Certificate Services server at the main office.
• Enable EAP-TLS as the authentication protocol on both Routing and Remote
Access servers.
• Enable RIP version 2 on the demand-dial interfaces.
(b) You take the following actions:
• Enable MS-CHAP as the authentication protocol on both Routing and Remote
Access servers.
• Enable Open Shortest Path First (OSPF) on the demand-dial interfaces.
• Set the Require Encryption option in the Advanced Security settings on both
Routing and Remote Access servers.
Which result or results do these actions produce? (Choose all that apply.)
A. All data transmitted over the connection is secure.
B. Rogue routers are prevented from exchanging router information with either
router.
C. Both routers in the connection are able to validate each other.
D. Both routers in the connection maintain up-to-date routing tables.
E. Traffic over the demand-dial link during peak business hours is minimized.
If a, Answer: BCD
If b, Answer: ABCD
84. You are implementing a remote access policy that is highly available and
highly secure. Your company utilizes a T3 connection to the Internet. All the
servers are running Windows 2000 Advanced Server, and all clients are running
Windows 2000 Professional.
You want to accomplish the following goals:
• No single point of failure will result in total loss of remote access
connectivity.
• No authentication traffic will be carried as clear text.
• No data traffic will be carried as clear text.
• Support for 200 simultaneous remote users must be available at all times.
(a) You take the following actions:
• Install a virtual private network (VPN) server at the main office.
• Configure the VPN server to support 250 PPTP connections.
• Configure the client computers to use CHAP as the authentication protocol.
(b) You take the following actions:
• Install three virtual private network (VPN) servers at the main office.
• Configure each VPN server to support 150 PPTP connections.
• Configure the client computers to use Password Authentication Protocol (PAP)
as the authentication protocol.
• Create DNS Round Robin entries with a Time to Live (TTL) of zero for each VPN
server.
(c) You take the following actions:
• Install three virtual private network (VPN) servers at the main office.
• Configure each VPN server to support 150 PPTP connections.
• Configure the client computers to use Microsoft Challenge Handshake
Authentication Protocol (MS-CHAP v2) as the authentication protocol.
(d) You take the following actions:
• Install two virtual private network (VPN) servers at the main office.
• Configure each VPN server to support 150 L2TP connections.
• Configure the client computers and remote access server to use EAP-TLS as the
authentication protocol.
• For all VPN servers, create DNS Round Robin entries that have a Time to Live (TTL)
of zero.
• Create a remote access profile to require strong encryption.
Which results do these actions produce? (Choose all that apply.)
A. No single point of failure will result in total loss of remote access
connectivity.
B. No authentication traffic will be carried as clear text.
C. No data traffic will be carried as clear text.
D. Support for 200 simultaneous remote users must be available at all times.
If a, Answer: BD
If b, Answer: AD
If c, Answer: ABCD
If d, Answer: ABC
85. You are the administrator of the contoso.com domain. Your network
environment consists of a main office and two branch offices. The branch offices
are connected to the main office by 256-Kbps leased lines. You have a single DNS
zone, and all DNS servers are located at the main office. All servers on your
network are running Windows 2000 Server. Your network is not connected to the
Internet.
Users report that response times are extremely slow when they attempt to access
intranet resources. When you monitor the network, you discover that DNS name
resolution queries are generating heavy traffic across the WAN links.
You want to accomplish the following goals:
• Name resolution traffic across the WAN links will be reduced.
• Response times for name resolution queries will be reduced.
• Administrative overhead for DNS maintenance will be minimized.
• Current DNS namespace design will be maintained.
(a) You take the following actions:
• Create a new secondary DNS zone at each branch office.
• Use the primary zone at the main office as the master zone.
• Increase the refresh interval for zone transfers.
• Configure the client computers to query their local DNS servers.
(b) You take the following actions:
• Increase the refresh interval for zone transfers.
• For each branch office, create a new Windows 2000 domain in the same tree as
the first domain.
• Install a DNS server and create a new standard primary DNS zone for each new
Windows 2000 domain.
• Configure each DNS server to forward requests to the other DNS servers on the
network.
• Add resource records for each office's local intranet resources to the local
zone files.
• Configure client computers in the branch offices to query their local DNS
servers only.
Which result or results do these actions produce? (Choose all that apply.)
A. Name resolution traffic across the WAN links is reduced.
B. Response times for name resolution queries are reduced.
C. Administrative overhead for DNS maintenance is minimized.
D. Current DNS namespace design is maintained.
If a, Answer: ABD
If b, Answer: AC