Chapter 10. Answer Key for Practice Exam 2

Answer C is correct. You can set day and time restrictions for remote users by configuring the conditions of the remote access policy. Answer A is incorrect because day and time restrictions are no longer configured through the properties of a user account as they were in Windows NT 4.0. You cannot configure day and time restrictions by configuring the properties of the remote access server or the ports; therefore, answers B and D are incorrect.

Answer B is correct. Policy elements are evaluated in the following order: conditions, permissions, profile. Therefore, answers A and D are incorrect. Answer C is incorrect because "properties" is not a remote access policy element.

Answer D is correct. You need to configure the clients with the IP address of the WINS server. To do so, you must install the DHCP Relay Agent on the RAS server so that it can forward DHCPInform messages between the clients and the DHCP server. Answer A is incorrect because you cannot configure optional parameters on the RAS server. You can configure clients with the IP address of the WINS server; however, it's easier from a management perspective to centralize IP address assignment and use a relay agent instead. Therefore, answer B is incorrect. Answer C is incorrect because the DHCP Relay Agent isn't installed on a DHCP server.

Answer B is correct. You use the gpupdate /force command to manually refresh all settings regardless of whether they have changed. Answers A and E are incorrect because secedit was the command used in Windows 2000 to refresh policy changes. Answer C is incorrect because this command refreshes only the computer settings. Answer D is incorrect because the gpupdate command does not support the /refreshpolicy switch.

Answer A is correct. To centralize the authentication of remote access clients and accounting information, you should install the Internet Authentication Service (IAS). Answer B is incorrect because IIS is for Web hosting. Answer C is incorrect because RADIUS is the protocol used by IAS to provide authentication and accounting services. Answer D is incorrect because Routing and Remote Access Service (RRAS) is not used to centralize authentication and accounting information, but to provide a variety of services, including remote access, VPN, and routing.

Answer B is correct. The Extensible Authentication Protocol (EAP) is required to support smart card authentication. Answers A, C, and D are incorrect because they do not support smart card authentication.

Answer C is correct. When you create demand-dial connections, the user account name on the answering router must match the demand-dial interface name on the calling router. Therefore, answers A, B, and D are incorrect.

Answer D is correct. To have changes propagated throughout the network when changes occur, and to reduce the administrative overhead associated with updating the routing tables, a routing protocol is required. Because you cannot use OSPF with nonpersistent connections, you must use RIPv2 (or RIPv1). Therefore, answers A and C are incorrect. Answer B is incorrect because ICMP is not a routing protocol.

Answer B is correct. The correct syntax when adding new static routes using the route command is route add < network > mask < subnetmask > < gateway > metric . Therefore, answers A, C, and D are incorrect.

Answer D is correct. If you assign the Server (Request Security) policy, the server always attempts secure communications. Unsecured communications are still allowed if the client is not IPSec aware. Answer A is incorrect because communications are not allowed if the client is not IPSec aware. Answer B is incorrect because Assigning Client (Respond Only) means that the server responds only to requests for secure communications but does not attempt to secure all communications. Answer C is incorrect because IPSec is not configured through the Properties of TCP/IP.

Answer A is correct. If both servers are configured with the Client (Respond Only) policy, they respond only to requests for secure communications. You must configure both of the servers with Server (Require Security). Answer B is incorrect because you can configure IPSec through Active Directory or on the local computer. Answer C is incorrect because computers are not configured as IPSec clients. Answer D is incorrect because the workgroup membership has no impact on how servers respond to security.

Answer B is correct. To refresh policy settings, you can use the gpupdate command. Answer A is incorrect because it was the command used in Windows 2000. Answer C is incorrect because this command restores default group policy objects to their original state. Answer D is incorrect because this command displays group policy settings for a computer.

Answers B and D are correct. The two tunneling protocols supported by Windows Server 2003 are the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). PPP and SLIP establish dial-up connections. Therefore, answers A and C are incorrect.

Answer C is correct. To increase the number of available PPTP ports, open the Ports Properties window within the Routing and Remote Access management console. Select PPTP and click Configure. Therefore, answers A, B, and D are incorrect.

Answer D is correct. Because all the remote access users are running Windows XP Professional, the authentication protocol should be MS-CHAP version 2. Answers B and C are incorrect because they are not as secure as MS-CHAP version 2. Answer A is incorrect because PAP sends credentials in cleartext and should only be used for non-Windows clients.

Answer D is correct. Install a DHCP server on Subnet C and configure it with a scope for remote access clients. The scope should assign the clients the IP address of the DHCP server. Configure RRAS to use DHCP and configure it as a relay agent. This step ensures that remote users are assigned the IP address of the DNS server. Therefore, answers A, B, and C are incorrect.

Answer C is correct. If the connection attempt does not match the conditions of the first policy in the list, the conditions of the next policy are evaluated. The permissions and profile settings of a policy are not evaluated until the connection attempt meets the conditions of a policy. Therefore, answers A, B, and D are incorrect.

Answer D is correct. Because the president needs remote access from various locations, you should select the Set by Caller option. To limit where network administrators can dial in from, select Always Callback to. In this way, the remote access server always calls them back at the configured phone numbers , ensuring that is where they are attempting remote access. Selecting No Callback disables this feature. Therefore, answers A, B, and C are incorrect.

Answer B is correct. If you delete the default remote access policy and no other policy exists, users will not be permitted remote access. Therefore, you must create a remote access policy to solve the problem. Answer A is incorrect because disabling and then enabling Routing and Remote Access re-creates the default policy, but it is not the easiest solution. You would have to reconfigure the remote access server afterward. Answer C is incorrect because dial-in permission can be granted through the properties of a user account, but a policy must still exist. Answer D is incorrect because you cannot configure profile settings until you create a policy.

Answer C is correct because the connection attempt matches the conditions of the first policy. The permissions and profile settings of this policy are evaluated. The profile settings restrict dial-in access after 5 p.m., so the connection attempt is denied . Therefore, answer A is incorrect. Answer B is incorrect because if a connection attempt does not meet the profile settings of a policy, no other policies in the list are evaluated. Answer D is incorrect because day and time restrictions are not configured through the user account properties.

Answers B and E are correct. The profile settings disconnect a session after 30 minutes of idle time, restrict the maximum session to 8 hours, allow users remote access during the hours of 6 a.m. and 6 p.m., and allow users to dial in to a specified number. Therefore, answers A, C, D, and F are incorrect.

Answer B is correct. When troubleshooting connectivity problems using the ping command, it is recommended that you use the following steps: ping the loopback address, ping the IP address of the local computer, ping the IP address of the default gateway, and then ping the IP address of a remote host. Therefore, answers A, C, and D are incorrect.

Answer C is correct. By configuring a display filter within Network Monitor, you can filter captured data to only display specific types of information. Answer A is incorrect because triggers enable actions to be performed based on a set of conditions that must first be met. Answer B is incorrect because capture filters specify the type of information that is captured. Answer D is incorrect because packet filters specify the type of inbound and outbound traffic a computer can accept.

Answer C is correct. By adding his user account to the Performance Monitor Users group, Joe can view performance counter data within System Monitor locally or across the network. Answer A is incorrect because adding Joe to the Performance Log Users group gives him permission to manage logs and alerts as well. Answers A and B are incorrect because it would give Joe administrative permissions to the server. Adding his user account to the Domain Admins group would give him too many permissions; therefore, answer D is incorrect.

Answer B is correct. If you configure a capture filter, Network Monitor only captures data that meets the criteria you specify. Answer A is incorrect because display filters filter data that has already been captured. Answer C is incorrect because triggers are configured to specify an action that should occur when certain criteria are met. Answer D is incorrect because IP packet filters are used to specify the type of traffic that is permitted to reach a computer.

Answer C is correct. By monitoring IP Datagrams/sec, you can monitor the total amount of IP datagrams sent and received by the computer each second. Answer A is incorrect because it is the number of outbound packets that could not be transmitted because of errors. Answer B is incorrect because this counter only monitors the number of TCP segments sent each second. Answer D is incorrect because this counter monitors the number of logon requests received each second by the computer.

Answer A is correct. You can use the ipconfig command to verify the TCP/IP configuration of a computer. Answer B is incorrect because you use the ping command to verify connectivity with a remote host. Answer C is incorrect because you use tracert to trace the route a packet takes to reach a remote host. Answer D is incorrect because pathping is a combination of ping and tracert used to determine which routers and gateways between two hosts might not be functioning.

Answer D is correct. You can use Device Manager to verify that a hardware device is functioning properly. Answer A is incorrect because System Monitor monitors performance. Answer B is incorrect because you use Network Monitor to capture and analyze network traffic. Answer C is incorrect because ping is a command-line utility used to verify network connectivity.

Answer B is correct. The Logon Total counter determines the number of logon requests the domain controller has received since the last time it was restarted. Answers A and C are incorrect because there are no such counters within System Monitor. Answer D is incorrect because this counter determines the number of logon requests received each second.

Answer B is correct. If the service does not start, use the Services console to verify that any services that DHCP depends on are also started. Therefore, answer A is incorrect. Answer C is incorrect because if the service fails to start, attempting to start it within the DHCP console makes no difference. Answer D is incorrect because it should be a last resort in terms of troubleshooting.

Answers A and B are correct. If a service fails to start, you can configure the computer to automatically attempt to restart the service, or you can have the computer automatically reboot. The third option is to have a specific program run. Answers C and D are incorrect because recovery actions do not include the ability to automatically restart the failed service's dependencies nor send an email to the network administrator.

Answer C is correct. You can use Network Monitor to capture and analyze network traffic. Answers A and D are incorrect because there are no such utilities included with Windows Server 2003. Answer B is incorrect because you use Network Diagnostics to gather information about the hardware, software, and services running on a local computer.

Answer B is correct. You can use the tracert utility to view a list of routers a packet must pass through to reach a destination host. Answer A is incorrect because you use ping to test TCP/IP connectivity. Answer C is incorrect because ARP is the protocol used to map IP addresses to hardware addresses. Answer D is incorrect because you use ipconfig to view the IP configuration of a computer.

Answer C is correct. Before installing any new service packs , it is recommended that you test them first to determine any risks and vulnerabilities that they can introduce. Therefore, answers A, B, and D are incorrect.

Answer D is correct. The principle of least privilege is based on the idea that a user should log on with a user account that has minimum privileges. Therefore, Mary should create two accounts: one with restrictive permissions that she can use to perform day-to-day tasks and the other with additional privileges for performing administrative tasks . Answers A, B, and C are incorrect because they go against the principle of least privilege by providing administrative access.

Answer B is correct. When you see a red X beside a setting after running the Security Configuration and Analysis utility, the value for that computer setting does not match the value in the template. Therefore, answers A, C, and D are incorrect.

Answer C is correct. Security settings for a domain controller are automatically refreshed every 5 minutes. Answers A, B, and D are incorrect because they do not represent the correct value.

Answer D is correct. The security settings on a workstation or server are automatically refreshed every 90 minutes. Answers A, B, and C are incorrect because they do not represent the correct value.

Answer C is correct. When auditing is enabled, events are written to the Security log. Answer A is incorrect because events generated by applications are written to the Application log. Answer B is incorrect because there is no Audit log. Answer D is incorrect because the System log contains events generated by Windows components .

Answers B, D, and F are correct. The minimum hardware requirements to install SUS include Pentium III 700MHz, 512MB of RAM, and 6GB of storage space. Answers A, C, and E are incorrect because they do not represent the correct hardware requirements.

Answer D is correct. The IP address lease process occurs in the following order: DHCPDiscover , DHCPOffer , DHCPRequest , and DHCPAck . Therefore, answers A, B, and C are incorrect.

Answer B is correct. You authorize a DHCP server using the DHCP console by right-clicking the server and choosing the Authorize option. Answers A, C, and D are incorrect because you cannot use these tools to authorize DHCP.

Answers A, B, C, and D are correct. For a DHCP server to lease IP addresses to clients, you must install the service, create and activate a scope, and authorize the server. Answer E is incorrect because configuring scope options is not required. Answers F and G are incorrect because Active Directory does not need to be installed on the local server and dynamic updates do not need to be enabled for DHCP to function.

Answer D is correct. When creating a multicast scope, you can use IP addresses in the range of 224.0.0.1 “239.255.255.255. Answers A, B, and C are incorrect because they represent incorrect address ranges.

Answer C is correct. If clients are not configured with the IP address of the default gateway, they cannot access resources outside of their local subnet. Answer A is incorrect because the clients are already successfully leasing IP addresses from the server. Answer B would solve the problem, but it would not be the easiest solution; therefore, it is also incorrect. Answer D is incorrect because configuring the DNS server option allows clients to resolve hostnames but does not give them access outside of the local subnet.

Answer B is correct. ISAKMP/OAKLEY is responsible for negotiating security associations before any IP data is transferred. This process includes authentication, hashing, and encryption methods . Answer A is incorrect because it is a management tool used for creating and managing IP Security policies. Answer C is incorrect because the IPSec driver is responsible for securing the data before it is transferred. Answer D is incorrect because the IPSec Policy Agent is responsible for retrieving policy information.

Answers A and C are correct. By creating a client reservation for each of the print servers, you ensure that they always lease the same IP address. You must also exclude the IP addresses from the scope to avoid any IP address conflicts. Therefore, answers B and D are incorrect.

Answer B is correct. The first elements in a remote access policy to be evaluated are the conditions. The first policy to match the conditions of the connection attempt is evaluated for permissions. If the permissions of that policy deny the user access, the connection attempt is denied. Therefore, answers A, C, and D are incorrect.

Answer C is correct. The refresh interval determines how often the secondary servers poll the primary server for updates to the zone database file. Answer A is incorrect because the retry interval determines how often a secondary server continues to contact the primary server if it does not respond. Answer B is incorrect because the serial number is used to determine when the zone data has been updated. Answer D is incorrect because Time to Live (TTL) specifies how long records from that zone should remain in the cache.

Answer C is correct. To eliminate any IP address conflicts, the IP addresses assigned to the print devices should be excluded from the scope. Answer B is incorrect because client reservations are configured for DHCP clients that must lease the same IP address each time. Answer A is incorrect because scopes are not defined for individual IP addresses. Answer D is incorrect because there is no option in DHCP called a client exclusion.

Answer B is correct. If you place a caching-only server in each branch office, no additional traffic is generated from zone transfers. Answers A and C are incorrect because each of these solutions result in zone transfer traffic on the WAN link or LAN. Answer D is incorrect because a primary DNS server already exists for the zone.

Answer B is correct. The authentication protocol must be enabled through the profile settings for the remote access policy. Therefore, answers A, C, and D are incorrect.

Answer D is correct. Because there is an existing 044 WINS/NBNS option configured at the scope level with the old IP address of the WINS server, it is overwriting the new one configured at the server level. DHCP options configured at the scope level override those configured at the server level. Therefore, answers A and B are incorrect. Answer C is incorrect because configuring this option defines how the client resolves NetBIOS names .

Answer B is correct. If you assign the Server (Request Security) policy, the server attempts secure communications with clients. If the client is not IPSec aware, it is still able to authenticate. Answer A is incorrect because the server responds only to client requests for secure communications. Answer C is incorrect because the server requires secure communications and does not allow sessions for non-IPSec “aware clients. Answer D is incorrect because there is no such default policy.

Answer B is correct. To use the Windows Groups condition, you must first create the groups within Active Directory Users and Computers. You should create and configure two policies with the appropriate settings. Use the Windows Groups condition to specify the group of users to which the policy should apply. Therefore, answers A, C, and D are incorrect.

Answer C is correct. To clear the contents of the client resolver cache, use the ipconfig command with the flushdns parameter. Answers A and D are incorrect because there are no such parameters available with the ipconfig command. Answer B is incorrect because it displays the current TCP/IP parameters configured on the client.

Answers B and C are correct. SRV1 should be using the Server (Require Security) policy. This policy ensures that only secure communications are permitted. SRV2 should be using the Client (Respond Only) policy. This policy ensures that the server does not require secure communications but responds to any requests for it. Therefore, answers A, D, E, and F are incorrect.

Answer D is correct. RIPv2 is a routing protocol that you can use with nonpersistent connections and that supports password authentication between routers. Answer A is incorrect because implementing static routes means the routing tables must be manually updated. Answer B is incorrect because ICMP is not a routing protocol. Answer C is incorrect because OSPF is not supported by nonpersistent demand-dial connections.

Answer A is correct. When you configure a two-way demand-dial connection, the user account names on the answering routers must be identical to the demand-dial interface names on the calling routers. Therefore, answers B, C, and D are incorrect.

Answer D is correct. You use the /p parameter to add a persistent route to the routing table. The route will not be removed from the routing table when the router is restarted. Therefore, answers A, B, and C are incorrect.