QUESTION 1
You work as a network administrator for Certkingdom.com. The Certkingdom.com network consists of a single
Active Directory domain named Certkingdom.com. There are currently 120 Web servers running Windows
2000 Server and are contained in an Organizational Unit (OU) named ABC_WebServers
Certkingdom.com management took a decision to uABCrade all Web servers to Windows Server 2003.
You disable all services on the Web servers that are not required. After running the IIS Lockdown
Wizard on a recently deployed web server, you discover that services such as NNTP that are not
required are still enabled on the Web server.
How can you ensure that the services that are not required are forever disabled on the Web
servers without affecting the other servers on the network? Choose two.
A. Set up a GPO that will change the startup type for the services to Automatic.
B. By linking the GPO to the ABC_WebServers OU.
C. Set up a GPO with the Hisecws.inf security template imported into the GPO.
D. By linking the GPO to the domain.
E. Set up a GPO in order to set the startup type of the redundant services to Disabled.
F. By linking the GPO to the Domain Controllers OU.
G. Set up a GPO in order to apply a startup script to stop the redundant services.
Answer: B,E
Explanation: Windows Server 2003 installs a great many services with the operating system, and
configures a number of with the Automatic startup type, so that these services load automatically
when the system starts. Many of these services are not needed in a typical member server
configuration, and it is a good idea to disable the ones that the computer does not need. Services
are programs that run continuously in the background, waiting for another application to call on
them. Instead of controlling the services manually, using the Services console, you can configure
service parameters as part of a GPO. Applying the GPO to a container object causes the services
on all the computers in that container to be reconfigured. To configure service parameters in the
Group Policy Object Editor console, you browse to the Computer Configuration\Windows
Settings\Security Settings\System Services container and select the policies corresponding to the
services you want to control.
Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294);
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory
Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:1-6
QUESTION 2
You are working as the administrator at Certkingdom.com. Certkingdom.com has headquarters in London and
branch offices in Berlin, Minsk, and Athens. The Berlin, Minsk and Athens branch offices each
have a Windows Server 2003 domain controller named ABC-DC01, ABC-DC02 and ABC-DC03
respectively. All client computers on the Certkingdom.com network run Windows XP Professional.
One morning users at the Minsk branch office complain that they are experiencing intermittent
problems authenticating to the domain. You believe that a specific client computer is the cause of
this issue and so need to discover the IP address client computer.
How would you capture authentication event details on ABC-DC02 in the Minsk branch office?
A. By monitoring the logon events using the SysMon utility.
B. By recording the connections to the NETLOGON share using the SysMon utility.
C. By recording the authentication events with the NetMon utility.
D. By monitoring the authentication events using the Performance and Reliability Monitor.
Answer: C
Explanation: The question states that you need to find out the IP address of the client computer
that is the source of the problem. Using Network Monitor to capture traffic is the only way to do
this.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;175062
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 826
QUESTION 3
You are working as the administrator at Certkingdom.com. Part of you job description includes the
deployment of applications on the Certkingdom.com network. To this end you operate by testing new
application deployment in a test environment prior to deployment on the production network.
The new application that should be tested requires 2 processors and 3 GB of RAM to run
successfully. Further requirements of this application also include shared folders and installation of
software on client computers. You install the application on a Windows Server 2003 Web Edition
computer and install the application on 30 test client computers.
During routine monitoring you discover that only a small amount of client computers are able to
connect and run the application. You decide to turn off the computers that are able to make a
connection and discover that the computers that failed to open the application can now run the
application.
How would you ensure that all client computers can connect to the server and run the application?
A. By running a second instance of the application on the server.
B. By increasing the Request Queue Limit on the Default Application Pool.
C. By modifying the test server operating system to Window Server 2003 Standard Edition.
D. By increasing the amount of RAM in the server to 4GB.
Answer: C
Explanation: Although Windows Server 2003 Web Edition supports up to 2GB of RAM, it
reserves 1GB of it for the operating system; only 1GB of RAM is available for the application.
Therefore, we need to install Window Server 2003 Standard Edition or Enterprise Edition to
support enough RAM.
QUESTION 4
You are an Enterprise administrator for Certkingdom.com. All servers on the corporate network run
Windows Server 2003 and all client computers run Windows XP.
The network contains a server named ABC-SR01 that has Routing and Remote Access service
and a modem installed which connects to an external phone line.
A partner company uses a dial-up connection to connect to ABC-SR01 to upload product and
inventory information. This connection happens between the hours of 1:00am and 2:00am every
morning and uses a domain user account to log on to ABC-SR01.
You have been asked by the security officer to secure the connection.
How can you ensure that the dial-up connection is initiated only from the partner company and that
access is restricted to just ABC-SR01? Choose three.
A. Set up the log on hours restriction for the domain user account to restrict the log on to between
the hours of 1:00am and 2:00am.
B. Set up a local user account on ABC-SR01. Have the dial-up connection configured to log on
with this account.
C. Set up the remote access policy on ABC-SR01 to allow the connection for the specified user
account between the hours of 1:00am and 2:00am.
D. Set up the remote access policy with the Verify Caller ID option to only allow calling from the
phone number of the partner company modem.
E. Set up the remote access policy to allow access to the domain user account only.
Answer: B,C,D
Explanation: To allow only the minimum amount of access to the network, ensure that only the
partner's application can connect to your network over the dial-up connection, you need to first
create a local account named on ABC-SR01. You need to then add this account to the local Users
group and direct the partner company to use this account for remote access.
You can use a local account to provide remote access to users. The user account for a standalone
server or server running Active Directory contains a set of dial-in properties that are used
when allowing or denying a connection attempt made by a user. You can use the Remote Access
Permission (Dial-in or VPN) property to set remote access permission to be explicitly allowed,
denied, or determined through remote access policies.
Next, you need to configure a remote access policy on ABC-SR01 to allow the connection for only
the specified user account between 1 AM and 2 AM.
In all cases, remote access policies are used to authorize the connection attempt. If access is
explicitly allowed, remote access policy conditions, user account properties, or profile properties
can still deny the connection attempt.
You need to then configure the policy to allow only the specific calling station identifier of the
partner company's computer. When the Verify Caller ID property is enabled, the server verifies the
caller's phone number. If the caller's phone number does not match the configured phone number,
the connection attempt is denied.
Reference: Dial-in properties of a user account
http://technet.microsoft.com/en-us/library/cc738142.aspx
QUESTION 5
You are an Enterprise administrator for Certkingdom.com. The company consists of an Active Directory
domain called ad.Certkingdom.com. All servers on the corporate network run Windows Server 2003. At
present there is no provision was made for Internet connectivity.
A server named ABC2 has the DNS server service role installed. The DNS zones on ABC2 are
shown below:
The corporate network also contains a UNIX-based DNS A server named ABC-SR25 hosts a
separate DNS zone on a separate network called Certkingdom.com. ABC-SR25 provides DNS services to
the UNIX-based computers and is configured to run the latest version of BIND and the Certkingdom.com
contains publicly accessible Web and mail servers.
The company has a security policy set, according to which, the resources located on the internal
network and the internal network's DNS namespace should never be exposed to the Internet.
Besides this, according to the current network design, ABC-SR25 must attempt to resolve any
name resolution requests before sending them to name servers on the Internet.
The company plans to allow users of the internal network to access Internet-based resources. To
implement the security policy of the company, you decided to send all name resolution requests
for Internet-based resources from internal network computers through ABC2. You thus need to
devise a name resolution strategy for Internet access as well as configuring ABC2 so that it will
comply with the set criteria and restrictions.
Which two of the following options should you perform?
A. Have the Cache.dns file copied from ABC2 to ABC-SR25.
B. Have the root zone removed from ABC2.
C. ABC2 should be set up to forward requests to ABC-SR25.
D. Install Services for Unix on ABC2.
E. The root zone should be configured on ABC-SR25.
F. Disable recursion on ABC-SR25.
Answer: B,C
Explanation: To plan a name resolution strategy for Internet access and configure ABC2 so that it
sends all name resolution requests for Internet-based resources from internal network computers
through ABC2, you need to delete the root zone from ABC2. Configure ABC2 to forward requests
to ABC-SR25
A DNS server running Windows Server 2003 follows specific steps in its name-resolution process.
A DNS server first queries its cache, it checks its zone records, it sends requests to forwarders,
and then it tries resolution by using root servers.
The root zone indicates to your DNS server that it is a root Internet server. Therefore, your DNS
server does not use forwarders or root hints in the name-resolution process. Deleting the root
zone from ABC2 will allow you to first send requests to ABC2 and then forward requests to ABCSR25
by configuring forward lookup zone. If the root zone is configured, you will not be able to use
the DNS server to resolve queries for hosts in zones for which the server is not authoritative and
will not be able to use this DNS Server to resolve queries on the Internet.
Reference: How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/kb/323380
Reference: DNS Root Hints in Windows 2003
http://www.computerperformance.co.uk/w2k3/services/DNS_root_hints.htm
