Chapter 11. Answers to Practice Exam 2

1. B

2. C

3. D

4. D

5. A, B, E

6. D

7. A, D

8. B, C, E

9. B, F

10. E

11. B

12. B, C

13. A, D

14. A

15. B

16. E

17. B

18. D

19. C

20. D

21. B

22. C

23. A, B, C, D

24. A, C, E

25. A

26. D

27. A, B, E

28. D, F, G

29. B, C, H

30. D

31. A

32. D

33. D

34. D

35. A, C, F

36. A, B, C

37. D, E

38. A, B, D

39. C

40. A, B, C

41. A, C

42. A, D

43. D, E, G, H

44. B

45. E

46. B

47. C, D

48. B, C, E

49. A

50. A

51. A, B, C

52. A, D, E

53. A, D, E

54. A

55. A, B, D, F

56. B, C, F

57. B, C, F, G

58. A, C, E, G

59. C, D, E, F

60. B, D, E

Question 1

The correct answer is B. Standard Primary and Standard Secondary DNS zones are sometimes referred to as traditional DNS zone files. Both types are stored as text files on the DNS server's hard drive. Active Directory-integrated zones and Standard Primary DNS zones are both read/write copies of the DNS zone; therefore, answers A and C are incorrect. Stub zones are read-only copies of a DNS zone that contain a subset of the records associated with that zone, but the scenario called for an entire copy of the zone data and interoperation of the DNS server and the zone with BIND-based DNS servers; therefore, answer D is incorrect.

Question 2

The correct answer is C. An Active Directory-integrated zone is a type of DNS zone that allows for secure dynamic updates. Standard Primary and Standard Secondary DNS zones are sometimes referred to as traditional DNS zone files. Both types are stored as text files on the DNS server's hard drive. These zone types do not allow for secure dynamic updates; therefore, answers A and B are incorrect. Stub zones are read-only copies of a DNS zone that contain a subset of the records associated with that zone. These zone types do not allow for secure dynamic updates; therefore, answer D is incorrect.

Question 3

The correct answer is D. A DNS server configured with a stub zone is not authoritative for that zone, but it identifies the DNS servers that are authoritative for the zone.

Question 4

The correct answer is D. The actual issue here is that no default gateway is configured for PSERVER1, so it has no way to communicate outside its own subnet, which makes answer D the best choice. Pinging localhost should return a reply from 127.0.0.1. The subnet mask on the user's workstation is fine, so this eliminates answer A, and answer B states that the default gateway on the user's workstation is incorrect, when it's actually missing, so this answer is not correct.

Question 5

The correct answers are A, B, and E. There is no way a workstation with an IP address of 199.254.15.35 can use a subnet mask of 255.255.255.240 and default gateway of 199.254.15.1. There is nothing wrong with the settings on PSERVER, so none of these selections is the correct answer; therefore, answers C, D, F, and G are incorrect.

Question 6

The correct answer is D. The question stated that PSERVER1 is on the 10 network; that means its hostname should be 67.35.10 (with an IP address of 10.67.35.10). The question also mentioned that ROUTER1 has an IP address of 10.99.35.1. For these two systems to be on the same subnet, they both need to use the same subnet mask of 255.0.0.0. Although it might seem odd, the IP address of 10.67.35.10 using a subnet mask of 255.0.0.0 and a default gateway of 10.99.35.1 for PSERVER1 is fine. There are no incorrect settings on the workstation, and none of the other settings on PSERVER is incorrect; therefore, answers A, B, and C are incorrect.

Question 7

The correct answers are A and D. Unless another mechanism is already installed to facilitate the connection, an RRAS server needs to be installed at the Hartford and Wallingford locations to secure the connection between the two locations. L2TP and IPSec are the only suitable protocols; therefore, answers B and C are incorrect. Installing VPN servers does not secure all IP traffic between the Hartford and Wallingford locations; therefore, answers E and F are incorrect.

Question 8

The correct answers are B, C, and E. The Microsoft L2TP/IPSec VPN client must be installed on systems running Windows 98, Windows Me, or Windows NT Workstation 4.0 because those legacy operating systems cannot support this client on their own. Windows 2000 supports these protocols; therefore, answer A is incorrect. Implementing an L2TP and IPSec strategy running in Transport mode is necessary to set up secure traffic. The best way to implement it is by configuring a domain security policy, so answers C and E are also applicable. You do not need to configure a local security policy; therefore, answers D and F are incorrect. You want to set up required security, not requested; therefore, answer G is incorrect.

Question 9

The correct answers are B and F. The easiest way to configure and secure the IP traffic from the Hartford location to the remote office in Wallingford is to use the installed RRAS server and configure a local security policy to require security for all communications between them. Answer A is incorrect because you do not need to install the Microsoft L2TP/IPSec VPN client; the security association is made between the two RRAS servers, as this is the least amount of administrative effort. None of the other options completely addresses all the scenario's needs and requirements better than these two choices; therefore, answers A, C, D, and E are incorrect.

Question 10

The correct answer is E. None of the primary or secondary objectives has been met. Remote Assistance will not be enabled for all client systems in your environment because the Windows 2000 systems cannot be administered. Additionally, security will be changed by opening port 3389 on the firewall when it isn't necessary.

Question 11

The correct answer is B. Using the Classless Inter-Domain Routing setup of 177.25.0.128/26 allows 6 bits of host addressing, which means 62 host addresses are available per subnet, so answer B is the only correct choice.
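
The subnet arithmetic behind Questions 4, 5, 6, and 11 can be checked mechanically. The following Python helpers are an added example, not part of the book or the practice exam; they use the standard ipaddress module and the address values quoted in those questions (PSERVER1 at 10.67.35.10/255.0.0.0 with gateway 10.99.35.1, the workstation at 199.254.15.35/255.255.255.240 with gateway 199.254.15.1, and the 177.25.0.128/26 block). The function names are my own.

```python
import ipaddress
from typing import List, Optional

# Address values used below come from the practice questions; the helpers
# themselves are an added example.


def usable_hosts(prefix_len: int) -> int:
    """Usable IPv4 host addresses for a prefix length: 2^host_bits minus the
    network and broadcast addresses. A /26 leaves 6 host bits, hence 62."""
    host_bits = 32 - prefix_len
    if host_bits < 2:
        return 0  # /31 and /32 leave no separately usable host addresses here
    return 2 ** host_bits - 2


def subnet_summary(cidr: str) -> dict:
    """Network, broadcast, first/last usable host and host count for a
    CIDR block such as 177.25.0.128/26."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": usable_hosts(net.prefixlen),
    }


def check_host_config(ip: str, mask: str, gateway: Optional[str]) -> List[str]:
    """Return the problems found in a host's static IPv4 settings. An empty
    list means the host can reach its default gateway on the local subnet."""
    problems: List[str] = []
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gateway is None:
        # Question 4: a missing gateway means traffic never leaves the subnet.
        problems.append("no default gateway configured; traffic cannot leave the subnet")
        return problems
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        # Question 5: a gateway outside the host's own subnet is unreachable.
        problems.append(f"gateway {gw} is outside the host's subnet {net}")
    return problems


if __name__ == "__main__":
    print(subnet_summary("177.25.0.128/26"))
    print(check_host_config("199.254.15.35", "255.255.255.240", "199.254.15.1"))
    print(check_host_config("10.67.35.10", "255.0.0.0", "10.99.35.1"))
    print(check_host_config("10.67.35.10", "255.0.0.0", None))
```

Run as a script, the summary for 177.25.0.128/26 shows hosts 177.25.0.129 through 177.25.0.190 (62 addresses), the 199.254.15.35 workstation is flagged because its gateway lies in a different /28, the PSERVER1 settings with the /8 mask pass, and the gateway-less configuration is reported as unable to leave its subnet.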

Question 12

The correct answers are B and C. RIPv2 can use CIDR and VLSM. OSPF is a link-state protocol based on an algorithm that determines the shortest path between source and destination nodes on a routed network. OSPF is a better choice than either version of RIP when you are considering routing 17 hops between the farthest segments of a network. RIPv1 is difficult to deploy in larger environments because it supports the main classes of IP addresses only and cannot use CIDR or VLSM; therefore, answer A is incorrect. BGP uses TCP to send detected routing changes and updated router table information between gateway hosts on autonomous systems, such as gateway hosts on the Internet. The routing table contains a list of known routers, the IP addresses they can reach, and any cost metric associated with the routes; therefore, answer D is incorrect.

Question 13

The correct answers are A and D. Bridges and switches operate at the Data Link layer (Layer 2 of the OSI model) and automatically forward all broadcast traffic received; therefore, Subnets 1 and 2 will be part of the same broadcast domain, making answer A correct. Although Layer 2 switches can be found at the borders of collision domains, they do not form a border of a broadcast domain. Because Layer 2 switches do form the borders of collision domains, Subnets 1 and 2 will be in different collision domains, making answer D correct. Because answers B and C state the opposite, they are incorrect.

Question 14

The correct answer is A. The Application layer hosts the Telnet, FTP, DNS, SMTP, RIP, and SNMP protocols. The host-to-host transport layer of the TCP/IP architecture hosts both TCP and UDP; therefore, answer B is incorrect. The Internet layer hosts the IP, ARP, ICMP, and IGMP protocols; therefore, answer C is incorrect. The network interface layer hosts standards such as frame relay, ATM, ethernet, and token ring; therefore, answer D is incorrect.

Question 15

The correct answer is B. The host-to-host transport layer of the TCP/IP architecture hosts both TCP and UDP. The Application layer of the TCP/IP architecture hosts the Telnet, FTP, DNS, SMTP, RIP, and SNMP protocols; therefore, answer A is incorrect. The Internet layer hosts the IP, ARP, ICMP, and IGMP protocols; therefore, answer C is incorrect. The network interface layer hosts standards such as frame relay, ATM, ethernet, and token ring; therefore, answer D is incorrect.

Question 16

The correct answer is E. Protocols normally found at the Network layer of the OSI model are IP, ARP, RARP, ICMP, RIP, OSPF, IGMP, IPX, NWLink, NetBEUI, OSI, DDP, and DECnet. Because IP traffic is what you need to report on, answer E is correct. The protocols normally found at the Application layer are DNS, FTP, TFTP, BOOTP, SNMP, RLOGIN, SMTP, MIME, NFS, FINGER, TELNET, NCP, APPC, AFP, and SMB; therefore, answer A is incorrect. The Presentation layer translates from application to network format and vice versa; therefore, answer B is incorrect. The protocols normally found at the Session layer are NetBIOS, Named Pipes, Mail Slots, and RPC; therefore, answer C is incorrect. The protocols normally found at the Transport layer are TCP, SPX, NWLink, NetBIOS, NetBEUI, and ATP; therefore, answer D is incorrect.

Question 17

The correct answer is B. PPP logs provide control and error messages for a PPP connection and are one of the best resources available for troubleshooting PPP connectivity issues. When systems on your network are configured with RRAS enabled for network access by clients, you can use Windows Authentication or Windows Accounting to log authentication and accounting information for network access connections. This level of logging is in addition to any events recorded in the System log, but it does not give you the required information, so answer A is incorrect. The RRAS service supports logging authentication events and information for remote connections via the Remote Authentication Dial-In User Service (RADIUS) server when RADIUS authentication and accounting are enabled through the Internet Authentication Service. However, this does not give you the required information, so answer C is incorrect. You can use audit logging in Windows Server 2003 to monitor IPSec events to troubleshoot unsuccessful L2TP connections and IPSec encryption; therefore, answer D is incorrect.

Question 18

The correct answer is D. You can use audit logging in Windows Server 2003 to monitor IPSec events to troubleshoot unsuccessful L2TP connections and IPSec encryption. When systems on your network are configured with RRAS enabled for network access by clients, you can use Windows Authentication or Windows Accounting to log authentication and accounting information for network access connections, but it does not give you the required information, so answer A is incorrect. PPP logs provide control and error messages for a PPP connection and are one of the best resources available for troubleshooting PPP connectivity issues, but they do not give you the required information, so answer B is incorrect. The RRAS service supports logging authentication events and information for remote connections via the RADIUS server when RADIUS authentication and accounting are enabled through the Internet Authentication Service, but it does not give you the information necessary, so answer C is incorrect.

Question 19

The correct answer is C. Event ID 532 means that a logon attempt was made using an expired account. Event ID 529 indicates that a logon attempt was made with an unknown username or a known username with an invalid password; therefore, answer A is incorrect. Event ID 530 indicates that a logon attempt was made by a user who violated account logon time restrictions; therefore, answer B is incorrect. Event ID 531 indicates that a logon attempt was made using a disabled account; therefore, answer D is incorrect.

Question 20

The correct answer is D. Event ID 531 indicates that a logon attempt was made using a disabled account. Answer A is incorrect because event ID 529 indicates that a logon attempt was made with an unknown username or a known username with an invalid password. Answer B is incorrect because event ID 530 indicates that a logon attempt was made by a user who violated account logon time restrictions. Answer C is incorrect because event ID 532 indicates that a logon attempt was made using an expired account.
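
The four failure event IDs in Questions 19 and 20 are what a security log review actually keys on. The following Python script is an added example, not part of the book: it parses a constructed, simplified log extract (the line format is my own, not the native Windows security log format), maps each failure to the reason given in the explanations above, and flags accounts with repeated bad-password failures, which is the pattern an administrator would want to review first.

```python
import re
from collections import Counter
from typing import Dict, List

# Failure audit event IDs and their meanings, as given in Questions 19 and 20.
FAILURE_REASONS = {
    529: "unknown user name or bad password",
    530: "logon time restriction violation",
    531: "account disabled",
    532: "account expired",
}

# Constructed sample extract in a simplified one-line-per-event format
# (not the native Windows security log layout). Event 528 is a successful
# logon and is present only to show that it is skipped.
SAMPLE_LOG = """
2004-03-01 09:12:05 Failure Audit 529 user=jsmith workstation=WS01
2004-03-01 09:12:11 Failure Audit 529 user=jsmith workstation=WS01
2004-03-01 09:12:20 Failure Audit 529 user=jsmith workstation=WS01
2004-03-01 09:15:42 Failure Audit 531 user=contractor1 workstation=WS07
2004-03-01 09:16:03 Failure Audit 532 user=tempuser workstation=WS03
2004-03-01 09:20:30 Failure Audit 530 user=nightshift workstation=WS05
2004-03-01 09:21:00 Success Audit 528 user=jdoe workstation=WS01
2004-03-01 09:22:10 Failure Audit 529 user=jdoe workstation=WS09
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Failure Audit (?P<event_id>\d+) "
    r"user=(?P<user>\S+) workstation=(?P<ws>\S+)$"
)


def parse_failures(text: str) -> List[Dict]:
    """Return one dict per failed-logon event whose ID is in FAILURE_REASONS."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # successful logons and unrelated lines are ignored
        event_id = int(m.group("event_id"))
        if event_id not in FAILURE_REASONS:
            continue
        events.append({
            "ts": m.group("ts"),
            "event_id": event_id,
            "user": m.group("user"),
            "workstation": m.group("ws"),
            "reason": FAILURE_REASONS[event_id],
        })
    return events


def summarize(events: List[Dict]) -> Counter:
    """Count failures per (user, reason) pair for a quick review table."""
    return Counter((e["user"], e["reason"]) for e in events)


def suspicious_accounts(events: List[Dict], threshold: int = 3) -> List[str]:
    """Accounts with at least `threshold` bad-password failures (event 529),
    the ones most worth checking for guessing attempts or a stale stored
    password on a workstation."""
    counts = Counter(e["user"] for e in events if e["event_id"] == 529)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for (user, reason), n in sorted(summarize(failures).items()):
        print(f"{user:12} {reason:36} {n}")
    print("review first:", suspicious_accounts(failures))
```

On the sample extract the script lists one line per account and reason, and reports jsmith (three 529 events in under a minute from WS01) as the account to review first; the disabled, expired and time-restricted failures are each reported once without being escalated.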

Question 21

The correct answer is B. The only correct choice is route delete 192.168.1.0 mask 255.255.255.0 203.11.4.225. Entering route delete -p 192.168.1.0 mask 255.255.255.0 203.11.4.225 throws an error; therefore, answer A is incorrect. Likewise, entering route delete -p 192.168.1.0/24 203.11.4.225 causes an error; therefore, answer C is incorrect. Entering route delete 192.168.1.0/24 203.11.4.225 deletes the persistent route from the external connection; therefore, answer D is incorrect.

Question 22

The correct answer is C. A forest is a collection of Active Directory domain trees that may or may not be a part of a contiguous namespace, which makes answer C the only possible correct answer. None of the other answers correctly defines a forest; therefore, answers A, B, and D are incorrect.

Question 23

The correct answers are A, B, C, and D. When you need to define and outline at the highest level the four main planning, design, and implementation steps for upper management, you need to include information about the proposed DHCP design for your environment, an outline of integrating the DHCP design with existing services, an outline of the proposed scope configuration for the domain, and an outline of the proposed implementation of the DHCP solution. Answer E implies that an outline of the proposed hardware implementation for your DHCP solution is required, but you don't need this information until you go into a deep design plan during the outline of the overall proposed DHCP design; therefore, answer E is incorrect. Answer F implies that an outline of the proposed exclusion ranges for your DHCP scopes is required, but this information is normally part of the deeper outline of the proposed scope configuration for the domain; therefore, answer F is incorrect.

Question 24

The correct answers are A, C, and E. When you are designing your DNS deployment for your enterprise, you need to scale the system for memory requirements and size calculations. Under typical design usage, 4MB of RAM is the minimum requirement when a DNS server is started without any zones and uses additional RAM for each DNS zone added to the server. Note that an additional 100 bytes of RAM is used for each resource record added to the server's DNS zones. The remaining answers do not supply the required values; therefore, answers B, D, and F are incorrect.

Question 25

The correct answer is A. When your solution needs to allow client systems to resolve DNS queries as often as possible on a network with limited bandwidth and to make sure there is no single point of failure on this site for name resolution, your only option is installing two caching-only DNS servers locally. Forward-only DNS servers do not function if the external link to other DNS servers goes down. This is also true for non-recursive DNS servers and conditional-forwarder DNS servers; therefore, answers B, C, and D are incorrect.

Question 26

The correct answer is D. A conditional-forwarder DNS server forwards specific DNS queries according to the DNS domain name in the query. Because the question specified that client systems must always be able to resolve DNS queries for gunderville.com and have no single point of failure for name resolution, the best answer to this question is D. None of the other answers supplies the correct solution; therefore, answers A, B, and C are incorrect.

Question 27

The correct answers are A, B, and E. Low-level security DNS deployments have little to no security configurations. They can be found in designs and deployments where an enterprise's DNS infrastructure is fully exposed to the Internet and name resolution is performed by all DNS servers in the network. Often these DNS servers are configured with root hints pointing to root servers for the Internet, and all DNS servers have cache pollution prevention disabled. The DNS servers in a low-level security configuration have dynamic updating enabled on all DNS zones, and UDP and TCP port 53 traffic are allowed to pass at the network firewall. Only answers A, B, and E outline the parameters of a low-level security DNS deployment. All other options are for medium-level and high-level DNS security designs; therefore, answers C, D, F, and G are incorrect.

Question 28

The correct answers are D, F, and G. A medium-level security configuration is usually deployed with security features that are available to the DNS service when servers are configured with Standard Primary DNS zones on member servers. This type of DNS configuration might have limited direct exposure to the Internet, so zone transfers are limited to only the servers listed in the name server (NS) resource records. The DNS servers can use other DNS servers as forwarders when they cannot resolve names locally, and proxy servers and gateways are used for name resolution for Internet systems. Dynamic updating is not configured for any DNS zones, and cache pollution prevention is enabled. Only answers D, F, and G outline the parameters of a medium-level security DNS deployment. All other options are for low-level and high-level DNS security designs; therefore, answers A, B, C, and E are incorrect.

Question 29

The correct answers are B, C, and H. The usagunderville.com domain is not a child of gunderville.com because it is not part of the contiguous namespace. The usa_gunderville.com name uses a non-compliant underscore (_) character. The usa#1.gunderville.com name uses a # symbol, which is not RFC 1123 compliant. As defined in RFC 1123, you can use all uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and the hyphen (-) for DNS namespaces on the Internet. The name u.s.a.gunderville.com is an acceptable child domain to gunderville.com; u would be a child of the s domain, which is a child of the a domain; therefore, answer A is incorrect. The names usa.internal.gunderville.com, usa.external.gunderville.com, usainternal.gunderville.com, u.s.a-one.gunderville.com, and usa-one.gunderville.com all use RFC 1123-compliant characters and are part of the contiguous namespace, so they are not incorrect.
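
The two tests applied in Question 29 (RFC 1123 hostname characters, and membership in the contiguous namespace) are easy to get wrong by eye, and a name that fails the first test is also a name that will be rejected or mishandled by DNS servers and clients. The following Python validator is an added example, not part of the book: it encodes the label rules quoted above (letters, digits and hyphens, with the RFC 1123 limits of 63 characters per label, no leading or trailing hyphen) and the parent/child check, and classifies the candidate names from the question. The function names and the CANDIDATES list are my own.

```python
import re
from typing import Dict

# One DNS label under the RFC 1123 hostname rules: letters, digits and
# hyphens, 1 to 63 characters, not beginning or ending with a hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_NAME_LENGTH = 253  # longest textual name DNS allows


def is_rfc1123_hostname(name: str) -> bool:
    """True if every label of the name uses only RFC 1123 hostname characters.
    Underscore and '#' fail here, as the explanation above requires."""
    name = name.rstrip(".")
    if not name or len(name) > MAX_NAME_LENGTH:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_child_domain(name: str, parent: str) -> bool:
    """True if name sits below parent in the contiguous namespace:
    usa.gunderville.com is a child of gunderville.com, usagunderville.com is not."""
    name = name.lower().rstrip(".")
    parent = parent.lower().rstrip(".")
    return name != parent and name.endswith("." + parent)


def classify_child_domain(name: str, parent: str) -> str:
    """'invalid' for bad characters, 'not-in-namespace' for a valid name that
    is not under parent, otherwise 'ok'."""
    if not is_rfc1123_hostname(name):
        return "invalid"
    if not is_child_domain(name, parent):
        return "not-in-namespace"
    return "ok"


# Constructed list of candidate names, taken from the ones Question 29 discusses.
CANDIDATES = [
    "usagunderville.com",
    "usa_gunderville.com",
    "usa#1.gunderville.com",
    "u.s.a.gunderville.com",
    "usa.internal.gunderville.com",
    "usa.external.gunderville.com",
    "usainternal.gunderville.com",
    "u.s.a-one.gunderville.com",
    "usa-one.gunderville.com",
]


def review_candidates(parent: str = "gunderville.com") -> Dict[str, str]:
    """Classify every candidate against the parent domain."""
    return {name: classify_child_domain(name, parent) for name in CANDIDATES}


if __name__ == "__main__":
    for name, verdict in review_candidates().items():
        print(f"{name:32} {verdict}")
```

Running the script reports usa_gunderville.com and usa#1.gunderville.com as invalid, usagunderville.com as not in the namespace, and the remaining six names as ok, matching the explanation. The regular expression also rejects a label that starts or ends with a hyphen, which the question does not exercise but which the same RFC rules out.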

Question 30

The correct answer is D. Each site has two DNS servers for each DNS namespace. So the Wallingford site has two DNS servers for gunderville.com, two DNS servers for usa.gunderville.com, and two DNS servers for connecticut.usa.gunderville.com, a total of six DNS servers in that site. Because there are six sites, there are 36 DNS servers total, making answers A, B, and C incorrect.

Question 31

The correct answer is A. Each site has two DNS servers for each DNS namespace. So the Wallingford site has two DNS servers for gunderville.com, two DNS servers for usa.gunderville.com, and two DNS servers for connecticut.usa.gunderville.com, a total of six DNS servers in that site. Because there are six sites, there are 36 DNS servers total. There can be only one Standard Primary zone for any DNS namespace; there are three domain namespaces total, so answer A is the only correct answer.

Question 32

The correct answer is D. Each site has two DNS servers for each DNS namespace. So the Wallingford site has two DNS servers for gunderville.com, two DNS servers for usa.gunderville.com, and two DNS servers for connecticut.usa.gunderville.com, a total of six DNS servers in that site. Because there are six sites, there are 36 DNS servers total. There can be only one Standard Primary zone for any DNS namespace; there are three domain namespaces total, so there are three Standard Primary zones. That means the remaining 33 DNS servers have a total of 33 Standard Secondary DNS zones.

Question 33

The correct answer is D. Each site has two DNS servers for each DNS namespace. So the Wallingford site has two DNS servers for gunderville.com, two DNS servers for usa.gunderville.com, and two DNS servers for connecticut.usa.gunderville.com, a total of six DNS servers in that site. Because there are six sites, there are 36 DNS servers total.

There can be only one Standard Primary zone for any DNS namespace; there are three domain namespaces total, so there are three Standard Primary zones. That means the remaining 33 DNS servers have a total of 33 Standard Secondary DNS zones. All DNS servers store zone information. For gunderville.com, that means the Wallingford site has two DNS servers, the NH site has two DNS servers, the Connecticut site has two DNS servers, and the New England site has two DNS servers. The HQ site and the BU site for gunderville.com also have two DNS servers. Therefore, 12 DNS servers store zone information for gunderville.com, and one server is a Standard Primary DNS zone. That means 11 DNS servers are deployed across the sites with Standard Secondary DNS zones, so only answer D is correct.

Question 34

The correct answer is D. Each site has two DNS servers for each DNS namespace. So the Wallingford site has two DNS servers for gunderville.com: a Windows Server 2003 DNS server and a BIND DNS server with a Standard Secondary zone. There are two DNS servers for usa.gunderville.com: a Windows Server 2003 DNS server and a BIND DNS server with a Standard Secondary zone. The connecticut.usa.gunderville.com domain has two DNS servers: a Windows Server 2003 DNS server and a BIND DNS server with a Standard Secondary zone. Therefore, this site has six DNS servers, three of which are Windows Server 2003 DNS servers with Active Directory-integrated zones and three BIND DNS servers with Standard Secondary zones. With six sites total, that means 18 DNS servers are running BIND and hosting Standard Secondary zones. Therefore, only answer D is correct.

Question 35

The correct answers are A, C, and F. Both Standard Primary zones and Active Directory-integrated zones support standards outlined in the IETF specifications for domain namespaces. They also support incremental zone transfers and allow fault tolerance for name resolution, regardless of which DNS server fails, because Standard Secondary zones still resolve current DNS names if the Standard Primary DNS zone fails.

Only Active Directory-integrated DNS zones store zone information in Active Directory and allow read/write access to the DNS namespace for all DNS servers in a domain. Also, only Active Directory-integrated DNS zones allow fault tolerance for DNS updates, regardless of which DNS server fails, because these zones are multimaster copies of the zone information and can be updated on any DNS server. Answers B, D, and E are not examples of these features of Standard Primary zones and Active Directory-integrated zones.

Question 36

The correct answers are A, B, and C. Standard dynamic updates of DNS consider only the client operating system and its innate ability to update DNS, not the client membership or lack thereof in the domain. Windows 98 and NT 4 systems cannot update DNS; the DHCP service needs to be enabled to perform this action. Windows 2000 Professional clients in the domain and the workgroup can update DNS dynamically, so answers D and E are incorrect. The same can be said for Windows XP clients, so answer F is incorrect.

Question 37

The correct answers are D and E. Secure dynamic updates require that the DNS zone be Active Directory integrated, and this DNS zone is not. Regardless of whether clients are in a workgroup or a domain, none of the clients can update DNS dynamically because of the zones in use and the security implemented in the DNS design. Windows 98 and NT 4 systems cannot update DNS in this scenario, even if the zone is Active Directory integrated, and the operating systems cannot perform this action. The DHCP service needs to perform this task on behalf of clients.

Question 38

The correct answers are A, B, and D. Dynamic updates require that DNS servers support that type of update. This support can be found in Windows Server 2003 DNS, Windows 2000 Server DNS, and BIND DNS version 8.2.1. Windows NT 4 DNS and BIND DNS version 4.9.7 servers do not support dynamic updates, so answers C and E are incorrect.

Question 39

The correct answer is C. Windows NT 4 DNS and BIND DNS version 4.9.7 do not support incremental zone transfers. Incremental zone transfers require that the DNS servers support this type of transfer. This support can be found in Windows Server 2003 DNS, Windows 2000 Server DNS, and BIND DNS version 8.2.1, at a minimum. Versions of BIND newer than 8.2.1 also support this feature.

Question 40

The correct answers are A, B, and C. DNS in Windows Server 2003, 2000, and NT 4 can use the WINS service to look up names not found in DNS by checking for the NetBIOS name in WINS. This type of lookup often resolves name resolution issues in environments with hosts that do not use WINS for name registration or lookups, such as you might find with Unix hosts or when the client's primary registration is with WINS, as with Windows NT 4 or 9x clients. These configuration options are available only on Windows Server 2003 DNS, 2000 DNS, and NT 4 DNS configurations. None of the BIND DNS versions supports WINS and WINS-R lookups; therefore, answers D and E are incorrect.

Question 41

The correct answers are A and C. An iterative query is a DNS resolution query made from a client to a DNS server, in which the server returns the best answer possible based on its local cache or stored zone data. If the server performing the iterative query does not have an exact match for the name request, it returns an error message saying that the requested name cannot be found, or it supplies a pointer to an authoritative server in another level of the domain namespace or to the Internet to query an ISP DNS name server or the root DNS servers on the Internet. A recursive query is a DNS resolution query made from a client to a DNS server, in which the server assumes the full workload and responsibility for providing a complete answer to the query. The DNS server returns a name resolution to the client system, or returns a "name not found" error if the DNS server cannot locate the DNS server that is authoritative for the requested domain name or if a lookup timeout condition is met. Answers B, D, and E describe different types of name resolution lookups.

Question 42

The correct answers are A and D. A DNS name server can resolve a query only for a zone for which it has authority. When DNS servers receive a resolution request, they attempt to locate the requested information in their own database. An iterative query is a DNS resolution query made from a client to a DNS server, in which the server returns the best answer possible based on its local cache or stored zone data. If the server performing the iterative query does not have an exact match for the name request, it returns an error message saying that the requested name cannot be found, or it supplies a pointer to an authoritative server in another level of the domain namespace or to the Internet to query an ISP DNS name server or the root DNS servers on the Internet. A recursive query is a DNS resolution query made from a client to a DNS server, in which the server assumes the full workload and responsibility for providing a complete answer to the query. The DNS server returns a name resolution to the client system, or returns a "name not found" error if the DNS server cannot locate the DNS server that is authoritative for the requested domain name or if a lookup timeout condition is met. Answers B, C, E, and F describe different types of name resolution lookups.

Question 43

The correct answers are D, E, G, and H. To successfully configure your DNS servers so that they provide DNS resolutions and assume the full workload and responsibility for supplying complete answers to DNS queries, you must set up your DNS servers so that they perform recursive DNS lookups on behalf of DNS clients. You do not want any DNS servers in your enterprise (except for one designated DNS server, DNS1.gunderville.com) to contain any pointer information to root servers on the Internet, so you will need to remove root hints from DNS2.gunderville.com through DNS12.gunderville.com. Because all servers should forward DNS requests for Internet resources to the DNS1.gunderville.com DNS server, you must configure all DNS servers, DNS2.gunderville.com through DNS12.gunderville.com, as forwarders and configure them to forward to DNS1.gunderville.com. You must also allow only DNS1.gunderville.com to perform DNS queries from the internal network through the firewall to the Internet for DNS resolution. This configuration prevents client systems manually configured with IP addresses of other DNS servers on the Internet, for example DNS servers that belong to an ISP, from being able to make DNS resolution requests to those Internet systems. Answers A, B, C, and F do not produce the results the scenario requires.

Question 44

The correct answer is B. The zone transfer refresh interval on the Start of Authority (SOA) tab of the forward lookup zone is the best place to make changes if you want to adjust the time interval a secondary DNS server waits before querying for updated zone information. The default setting for the refresh interval is 15 minutes (900 seconds). When this threshold is met, the secondary DNS server requests a copy of the current SOA record and compares the serial number of the source server's SOA record with the serial number in its own local SOA record. If they are different, the secondary DNS server requests a zone transfer from the primary DNS server to update its information. If the default setting is not sufficient, lower the value to initiate requests more often so that updates occur more frequently. The DNS information in this scenario is very dynamic, so you need to lower the refresh interval so that your DNS servers are updated more often. None of the other options offers a better solution.

Question 45

The correct answer is E. The zone transfer expire interval is the best place to make changes if you want to adjust the amount of elapsed time that must occur before a secondary server stops responding to DNS queries because of failures for zone updates. After this threshold time has been exceeded, data in this replica of DNS information is assumed to be out of date because it has not been updated. The default value is 24 hours (86,400 seconds) and can be adjusted as necessary. If your environment is more sensitive to DNS changes and has a highly dynamic DNS configuration, you might need to shorten the expire interval so that these servers go "offline" sooner than 24 hours.

Question 46

The correct answer is B. When you need to prevent your DNS servers from communicating with other DNS servers to resolve queries outside your domain, you need to disable recursion on those DNS servers. Configuring DNS servers as forwarders actually tells them which other DNS servers to communicate with. Updating root hints has the same result. Round-robin rotation has nothing to do with allowing or preventing the DNS server from communicating with other DNS servers to resolve queries outside the domain. Caching-only DNS servers are normally used to intentionally cache DNS lookup results gathered from other DNS servers.

Question 47

The correct answers are C and D. In such a small environment, the best solution is to use LMHOSTS files and place them on all systems. Configuring DNS servers to resolve the WINS names does not work in this scenario because there is no NetBIOS (WINS) name resolution in place. You could configure one or both domain controllers with the additional role of a WINS server, but this method is not the simplest way to deploy a NetBIOS name resolution solution for your small Windows Server 2003 domain. Also, you need to consider the hardware of current domain controllers; they are already overloaded when you take their hardware configuration into account. In addition, no business growth is expected this year, and the number of clients and servers is almost always static.

Question 48

The correct answers are B, C, and E. FTP runs on ports 20 and 21. Because neither port is listed, clients will not be able to use this service or use LDAP, which runs on port 389. The other listed services would be allowed, as port filtering does not close out their default ports. DHCP on ports 67 and 68 would be permitted, as would HTTP and HTTPS traffic.

Question 49

The correct answer is A. When the Password Must Meet Complexity Requirements policy is enabled, passwords must meet the minimum complexity requirements, such as being at least six characters long. Answer B is incorrect because when the minimum password length is set, the password needs to be at least the indicated number, not more than the indicated number. Answer C is incorrect because both policies can be linked at the domain level and not conflict with each other. Answer D is incorrect because computer policies do not conflict with user policies in this scenario.

Question 50

The correct answer is A. P-node (peer-to-peer) configured clients use a NetBIOS/WINS server to resolve NetBIOS names. B-node (broadcast) configured clients use broadcasts for name registration and resolution; therefore, answer B is incorrect. M-node (mixed) configured clients use both B-node and P-node name resolution. B-node is used by default, and if the name is not resolved by broadcast, M-node clients try to resolve the name via the WINS server (P-node); therefore, answer C is incorrect. H-node (hybrid) configured clients use both P-node and B-node name resolution; therefore, answer D is incorrect.
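The four node types, as an added example that is not part of the book: a Python simulation of the resolution order each node type follows, run against constructed sample data (the host names, addresses and subnet layout are made up for the example; the local name cache that precedes these methods is left out).

```python
# Added example (not from the book): simulates NetBIOS name resolution for
# B-, P-, M- and H-node clients so the differences can be seen on sample data.

# Methods tried by each node type, in order (name cache omitted).
NODE_ORDER = {
    "B": ["broadcast"],
    "P": ["wins"],
    "M": ["broadcast", "wins"],   # mixed: broadcast first, then WINS
    "H": ["wins", "broadcast"],   # hybrid: WINS first, then broadcast
}

# Constructed sample data: hosts reachable by broadcast on the client's own
# subnet, and the registrations held by the WINS server for all subnets.
LOCAL_SUBNET = {"FILESRV1": "10.1.0.20"}
WINS_DB = {"FILESRV1": "10.1.0.20", "FILESRV2": "10.2.0.20"}

def resolve_netbios(name, node_type, local_subnet=LOCAL_SUBNET, wins_db=WINS_DB,
                    wins_up=True):
    """Return (address or None, list of methods tried) for the given node type."""
    name = name.upper()
    tried = []
    for method in NODE_ORDER[node_type]:
        tried.append(method)
        if method == "broadcast":
            addr = local_subnet.get(name)          # broadcasts do not cross routers
        else:
            addr = wins_db.get(name) if wins_up else None  # no WINS, no answer
        if addr:
            return addr, tried
    return None, tried

if __name__ == "__main__":
    for node in "BPMH":
        print(node, "local:", resolve_netbios("filesrv1", node),
              "remote:", resolve_netbios("filesrv2", node))
```

Running it shows that only the node types that consult WINS reach the host on the other subnet, and that M-node and H-node differ in which method they try first.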

Question 51

The correct answers are A, B, and C. To configure the network to allow IP multicast traffic between the two locations, you need to create an IP-in-IP interface between the servers, assign the interface to the IGMP routing protocol, and run the interface in IGMP proxy mode. Multicasting is useful for point-to-multipoint delivery of information on a network. Multicast traffic "hits" only nodes that are specifically listening for it. IP multicast addresses are reserved and assigned from within the Class D address range of 224.0.0.0 through 239.255.255.255. IGMP is used to exchange membership status information between IP routers that support multicasting and members of multicast groups. IP-in-IP tunnels are often used for forwarding IP multicast traffic from one area of the intranet to another, across a portion of the intranet that does not support multicast forwarding or routing. IGMP router mode keeps track of multicast hosts on the network. IGMP proxy-mode interfaces are designed to work with IGMP router mode interfaces. The purpose of proxy mode is to connect the multicast router to a private network or the Internet.

Question 52

The correct answers are A, D, and E. You open port 80 on the IIS server to allow HTTP traffic. You block port 119 on the IIS server, which denies newsgroup server traffic. You block port 110 on the IIS server, which denies POP3 traffic. You open port 25 on the IIS server to allow use of SMTP. You open port 443 on the IIS server, which allows secure HTTP connections. For this scenario, only answers A, D, and E describe the results of the actions taken if no default ports have been changed.

Question 53

The correct answers are A, D, and E. PPTP can be used only on an IP-based network. L2TP requires only that the tunnel media provide packet-oriented, point-to-point connectivity. L2TP can use UDP, frame relay permanent virtual circuits (PVCs), X.25 VCs, or Asynchronous Transfer Mode (ATM) VCs to operate over an IP network. L2TP supports header compression; PPTP does not. When header compression is enabled, L2TP operates with 4 bytes of overhead, compared with 6 bytes for PPTP. L2TP supports tunnel authentication; PPTP does not. When PPTP or L2TP is used with IPSec, IPSec provides tunnel authentication so that L2TP tunnel authentication isn't necessary. PPTP uses PPP encryption. L2TP requires IPSec for encryption. Answer B is incorrect because L2TP is not limited to IP-based networks. Answer C is incorrect because PPTP does not support header compression. Answer F is incorrect because PPTP uses MPPE, not IPSec.

Question 54

The correct answer is A. The question called for you to scan as many desktop systems across the network as possible with the MBSA tool. This includes all desktop systems running Windows NT 4.0 SP4 and later. (Although MBSA can remotely scan systems running Windows NT 4.0 SP4 and later, it cannot be installed locally on the system and run locally.) It also includes all desktop operating systems running Windows 2000 and Windows XP, for a total of 1,422: 314 Windows NT 4 workstations, 829 Windows 2000 Professional systems, and 279 Windows XP Professional systems. None of the other options is the correct number of desktop systems that can be scanned successfully across the network.

Question 55

The correct answers are A, B, D, and F. You cannot scan the Windows 95 and 98 systems simply because those platforms are not supported. You can scan the Windows NT 4 systems, as over-the-network scans are the only way that MBSA can scan NT 4 systems. This is why answer C is not correct. You can also scan all Windows Server 2003 and Windows 2000 Server systems because they have File and Print Sharing enabled. Because File and Print Sharing is not enabled on any desktop systems, except the Windows NT 4 workstations, you cannot scan the Windows 2000 Professional or Windows XP Professional systems. You can successfully scan the Windows 2000 Server and Windows Server 2003 systems because these servers have no File and Print Sharing restriction, so answers E and G are incorrect.

Question 56

The correct answers are B, C, and F. Because you have decided to deploy automated updates via the Windows Update site, using the Automatic Update client, the solution does not allow administrative approval of all updates before they are deployed to systems because clients simply download all available updates posted to the public Microsoft Web site. Although this solution allows you to schedule the installation of downloaded content, it cannot be used on all clients in your environment. For these reasons, answers A, D, and E are not correct.

Question 57

The correct answers are B, C, F, and G. Because you have decided to deploy automated updates via the Windows Update site, using the Automatic Update client, the solution does not allow administrative approval of all updates before they are deployed to systems because clients simply download all available updates posted to the public Microsoft Web site. Although this solution does allow you to schedule the installation of downloaded content, it cannot be used on all clients in your environment. The clients allow downloading of the latest Windows operating system and IE service packs via the Windows Update site. For these reasons, answers A, D, E, and H are not correct.

Question 58

The correct answers are A, C, E, and G. When your setup uses Tunnel mode, the two RRAS servers negotiate all security for the traffic, so the Microsoft L2TP/IPSec VPN client does not need to be installed on legacy systems. All IP traffic traveling from your network over an untrusted network will be secured and support all clients in the environment. Addressing requirements for header encryption, tunnel authentication, and encryption are met by using L2TP and IPSec, as L2TP can be used on IP, frame relay, X.25, or ATM-based networks.

Question 59

The correct answers are C, D, E, and F. Usually when systems need to be manually configured, a shared secret is being used. Kerberos is usually the authentication method when all subject systems are members of the same Active Directory domain. A public key certificate is often used in Internet settings, such as e-commerce, or when computer systems are not members of the local domain. Public key certificates are also used with legacy systems that cannot use Kerberos or when you have customers using an extranet, as these systems are not normally domain members and have no way to use Kerberos.

Question 60

The correct answers are B, D, and E. IPSec Transport mode authenticates and encrypts data flowing between any two computers running Windows 2000 Server or Windows Server 2003. It provides security for the network and can potentially support a secure connection with multiple computers at a time. Transport mode is the default IPSec mode.

Using IPSec in Tunnel mode authenticates and encrypts data flowing within an IP tunnel created between two routers. Windows 2000 Server and Windows Server 2003 require RRAS to implement Tunnel mode for IPSec. You enable Tunnel mode in the IPSec Management console and configure Tunnel mode settings by supplying an IP address for each end of the tunnel. This encrypts all data sent between systems from one location to another via the two RRAS servers.

You need to provide a secure connection for all systems between your main office and your branch offices. This requirement has not been met because IPSec Transport mode does not cover all traffic from all systems. The solution also needs to be "always" available for all systems, but the NT 4 systems cannot use this solution.

Forcing all communications to "require" security encrypts all data transferred between all hosts. With this deployment, the NT 4 systems cannot communicate with other systems. "Request" security is less secure than "require" security because "request" security still allows unsecured network connections between systems. For those NT 4 systems to be able to use L2TP/IPSec, the Microsoft L2TP/IPSec VPN client needs to be installed.

MCSE 70-293 Exam Cram: Planning and Maintaining a Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736195
Year: 2004