Alex is a network administrator. He's been asked to implement dynamic IP addressing the company's newly installed network, which has two subnets in one Active Directory domain with servers running Windows Server 2003. After Alex installs and configures the DHCP server in SubnetA, client computers in SubnetA are able to obtain DHCP leases and the proper TCP/IP configuration. However, client computers on SubnetB are unable to obtain DHCP leases. What is the most likely cause of this problem?
The DHCP server is not authorized is SubnetB.
The DHCP scope for SubnetB is not active.
The DHCP Server service is stopped.
A DHCP Relay Agent is not installed in SubnetB.
Answer D is correct. A DHCP Relay Agent (or a BOOTP-compatible router) must be installed in SubnetB to route DHCP broadcast messages between networks.
Sam's computer is configured to use DHCP. When Sam logs on, he notices he can't connect to the network. The computer has no IP address according to ipconfig. Which of the following is most likely true?
No DHCP server is on the network.
The computer is using Automatic Private IP Addressing.
The network cable to the computer is disconnected.
The computer is using dynamic IP addressing.
Answer C is correct. APIPA requires an active network connection (in most cases) for automatic configuration to work properly. If the network cable to a computer is disconnected or improperly connected, the computer may not be assigned an IP address. When you type ipconfig /all at a command prompt, you may see an error stating "Media Disconnected."
The company has two subnets in one Active Directory domain with servers running Windows Server 2003. On the DHCP server, Scope1 provides dynamic addressing for SubnetA, and Scope2 provides dynamic addressing for SubnetB. Clients in SubnetA are able to obtain DHCP leases, but are unable to access resources in SubnetB. What is the best way to solve the problem?
Reconfigure the network's DHCP Relay agent.
Activate Scope1.
Activate Scope1 and Scope2.
Configure the default gateway on client computers.
Configure the TCP/IP router option for Scope1.
Answer E is correct. If client computers have an improperly configured gateway, they are not able to access resources outside of their local subnet. The best way to solve this problem is to configure the TCP/IP router option (option 003) for Scope1. Although you could configure a default gateway on client computers, this is not the best way to solve the problem, so Answer D is incorrect.
Which of the following is most likely true if a computer with an IP address of 169.254.0.11?
No DHCP server is on the network.
A DHCP server is assigning the computer's IP address.
The computer has a static IP address.
The network cable is disconnected.
Answer A is correct. When DHCP is configured but not available, or the client lease is expired and cannot be renewed, clients use Automatic Private IP Addressing. With APIPA, clients assign themselves an IP address in the range of 169.254.0.1-169.254.255.254, with a subnet mask of 255.255.0.0.
Paula is a network administrator for an Active Directory domain with servers running Windows Server 2003. Paula recently installed a second DHCP server on the local subnet. When testing the server, she notices the DHCP Server service is being shut down and she can't get the service to stay running. What is the most likely cause of this problem?
The DHCP Server service is improperly installed.
The DHCP server does not have an active scope.
The active scope has invalid TCP/IP options.
The DHCP server has not be authorized in Active Directory.
Answer D is correct. With Windows 2000 or later, a workgroup or stand-alone DHCP server configured on the same subnet as a domain's authorized DHCP server is considered to be a rogue server. As part of a network protection process, the rogue server automatically stops its DHCP Server service and stops leasing IP addresses to clients. To resolve this issue, you must authorize the DHCP server in Active Directory.
Tom is responsible for the managing DHCP. The organization has a single Class C subnet with 254 available IP addresses. The network ID is 192.168.10.0. Tom wants a single scope to cover all 254 IP addresses. However, he needs to ensure 14 of the IP addresses aren't used by DHCP clients and that 8 of the IP addresses are always assigned to the same member servers. Which of the following should be done to configure the scope?
Create the scope for the IP address range 192.168.10.0-192.168.10.255.
Create the scope for the IP address range 192.168.10.1-192.168.10.254.
Create an exclusion range for the 8 member servers and reserve the other 14 IP addresses.
Create an exclusion range for the 14 member servers and reserve the other 8 IP addresses.
Answers B and D are correct. With standard network configurations, the network ID is the .0 address of the subnet, such as 192.168.10.0, and the broadcast address is the .255 address of the subnet, such as 192.168.10.255. The assignable IP address for the network is 192.168.10.1 to 192.168.10.254. To ensure a client computer gets the same IP address, create a reservation on a lease. To ensure an IP address is not used, create an exclusion.
You want to configure multiple standard scopes so that they can be easily activated or deactivated. What should you do?
Create a multicast scope and add the standard scopes to it.
Create a superscope and add the standard scopes to it.
Delete all the scopes except one.
Configure server options instead of scope options.
Answer B is correct. A superscope is a container for scopes that allows you to more easily work with multiple scopes. After you create a superscope, you can add to it the scopes you want to manage as a group.
The network has three subnets: SubnetA, SubnetB, and SubnetC. The DHCP server on SubnetA is configured with one scope for each subnet. The network administrator configured the TCP/IP settings using Server options, which works fine for Clients on SubnetA, but not for clients on SubnetB and SubnetC. What should be done to resolve this problem?
Set scope options for the SubnetB and SubnetC scopes as appropriate to override server options.
Remove the server options and set only scope options for the SubnetA, SubnetB, and SubnetC scopes.
Remove the server options and set only class options.
Set predefined options as appropriate to override server options.
Answer A is correct. The clients on SubnetB and SubnetC are likely getting the wrong TCP/IP router option. By setting the correct TCP/IP router option as a scope option, you can override the server option for this setting.
What step does a DNS client perform first to resolve a DNS name?
The client checks its local DNS resolver cache.
The client queries its primary DNS server.
The client queries its alternate DNS server.
The client broadcasts on the local subnet.
Answer A is correct. DNS clients check their local DNS resolver cache before sending queries to DNS servers.
Which of the following correctly describes recursive and iterative queries?
A DNS server must respond directly to a recursive query or return an error, and queries other DNS servers on behalf of the client if unable to resolve a query from its cache/zone database.
A DNS server must resolve an iterative query from its local cache or return an error, and is unable to contact other DNS servers on behalf of the client.
A DNS server must resolve a recursive query from its cache if possible, and if not, must refer the client to another DNS server.
A DNS server must resolve an iterative query from its local cache/zone database or refer the client to another DNS server.
Answers A and D are correct. With a recursive query, the DNS server must respond directly to a recursive query or return an error, and queries other DNS servers on behalf of the client if unable to resolve a query. With an iterative query, a DNS server attempts to resolve the query from its records or from its cache, and if it is unable to resolve the query, the server can refer the client to another DNS server.
What is the next step a forwarder takes when it is unable to resolve a query?
The forwarder returns an error to the originating DNS server.
The forwarder returns an error directly to the client.
The forwarder uses the root hints Cache.dns file to determine the root name server to contact.
The forwarder performs a broadcast to determine the root name server to contact.
Answer C is correct. If the forwarder is unable to resolve a query, it attempts to contact the appropriate root name server. Root name servers that the DNS server can use and refer to when resolving queries are listed in the root hints, which are stored in the Cache.dns file.
What type of zone should you create if you want to create a read-only copy of the master DNS data for the zone?
Primary
Secondary
Stub
Root Hints
Answer B is correct. A secondary zone is a copy of a zone's master data and is read-only.
In what role should a DNS server be configured if it should maintain a cache of resolve queries but not have zone files?
Primary
Secondary
Stub
Forwarding-only
Answer D is correct. Forwarding-only DNS servers maintain a cache of resolved queries.
What type of resource record must you configure to enable reverse lookups for host computers?
Host (A) records
Pointer (PTR) records
Mail Exchanger (MX) records
Name Server (NS) records
Canonical Name (CNAME) records
Answer B is correct. DNS uses host (A) records to resolve computer names to IP addresses and pointer (PTR) records to resolve IP addresses to computer names.
Sarah is a network administrator. She's just installed DNS on the network, and configured a primary server and a secondary server. What must she do to specify the authoritative name servers for the zone?
Nothing, all necessary NS records are created automatically.
Create the NS records for the primary and secondary name server.
Create the NS record for the primary name server.
Create the NS record for the secondary name server.
Answer D is correct. Use NS records to specify the authoritative servers for the zone. The NS record of the primary name server for the zone is created automatically. Records for secondary name servers must be created manually.
Tom is a system administrator. Like Sarah, he's just configured DNS on his organization's network. He configured primary and secondary name servers. Clients are able to perform DNS lookups without any problems. However, the secondary server is not getting zone transfers from the primary server, even though zone transfers are enabled. Which of the following are possible resolutions for this problem?
Designating a list of servers to notify.
Allowing the DNS server to notify the servers listed on the Name Servers tab.
Disabling automatic notification.
Creating the NS record for the secondary name server.
Answers A and B are correct. After you enable zone transfers, the default configuration allows automatic notification, but only to a designated list of name servers. You must specify the designated name servers or allow notification of the name servers listed on the Name Servers tab.
You've installed DNS on a domain controller and configured a standard primary zone. To improve security, you want to ensure that only secure updates of DNS are allowed. However, when you access the zone Properties dialog box, you are not able to configure dynamic updates in the secure only mode. What should you do to resolve this problem?
Make the server a member of the DnsUpdateProxy group.
Log on with an account that is a member of the DnsAdmins group.
Change the zone type so that it is Active Directory-integrated.
Enable aging and scavenging.
Answer C is correct. By default, dynamic DNS updates are not allowed, but you can configure a zone to use secure updates. Only Active Directory-integrated primary zones can use secure-only mode. Other types of zones can be configured to allow nonsecure and secure dynamic updating.
Which command-line tool can you use to clear the DNS resolver cache on a DNS client?
ipconfig
netsh
tracert
pathping
Answer A is correct. You can clear the DNS resolver cache by typing ipconfig /flushdns.
What tool should you use to configure security templates?
Security Templates snap-in
Security Configuration And Analysis snap-in
Network Monitor
Active Directory Users And Computers
Answer A is correct. Use the Security Templates snap-in to create and configure security templates. Use the Security Configuration And Analysis snap-in to apply and analyze security templates.
Which of the following are true regarding authentication and authorization on Windows 2000 or later networks?
The primary authentication protocol is Kerberos.
Both Kerberos and NTLM are used for authorization.
IPSec can be used to secure communications using encryption.
Encryption can also be used to securely store data.
Answers A, B, C, and D are correct. On networks with computers running Windows 2000 or later, the primary authentication protocol is Kerberos. Both Kerberos and NTLM are used for authorization. IPSec can be used to secure communications using encryption. Encryption can also be used to securely store data.
Which security template would you apply to a domain controller to implement the most stringent security settings?
Rootsec
Securedc
Hisecdc
Iesacls
Answer A is correct. The Rootsec template applies root permissions to the system drive. The Securedc template contains moderate security settings for domain controllers. The Hisecdc template contains very stringent security settings that can be used to further secure domain controllers. The Iesacls template applies relaxed Registry permissions for Internet Explorer.
To whom should the Principal of Least Privilege not apply?
Temporary workers
Contract workers
Permanent employees
Administrators and other IT staff
None of the above
Answer E is correct. The Principal of Least Privilege should apply to all users, including temporary, contract, and permanent employees as well as administrators and other IT staff. No one should have more privileges or access than is required to do their job.
Which default IPSec policy should you enable if you want to ensure that only secure communications are used?
Server (Request Security) policy
Client (Respond Only)
Secure Server (Require Security)
Answer C is correct. With Secure Server (Require Security), servers require secure communications. Servers will not respond to clients that do not or cannot use secure communications.
Which of the following tools should you use to view IPSec statistics for troubleshooting?
IP Security Monitor
IP Security Policy Management
Network Monitor
Security Configuration And Analysis
Answer A is correct. In IP Security Monitor, the Main Mode and Quick Mode nodes show current filters, security methods, statistics, and security associations. The statistics can help you identify IPSec configuration problems.
Which command-line tool can you use to view detailed IPSec information?
ipconfig
netsh
TRacert
pathping
Answer B is correct. You can view detailed IPSec information by typing netsh ipsec static show all.
Mary is a network administrator. She's been tasked with setting up a remote access server to enable remote clients to connect to the server through the Internet, and to enable local clients to connect to the Internet using a public IP address from an assigned address pool. What role or roles should the remote access server be configured for?
Remote access over wireless, dial-up or VPN
NAT
VPN and NAT
Secure network/network VPN
Answer C is correct. A remote access server configured for VPN and NAT allows remote clients to connect to the server through the Internet and allows local clients to connect to the Internet using a public IP address from an assigned address pool.
John configured a remote access server to use DHCP for IP address assignment. However, when clients connect to the network, they are not assigned IP addressing and instead assign themselves APIPA addresses. What are the possible causes of this problem?
Remote Access Server is not enabled as a server option.
Broadcast name resolution is not enabled.
No DHCP server is available on the subnet, and a DHCP Relay Agent has not been configured.
The DHCP server did not have 10 available IP addresses when RRAS requested its first block of IP addresses.
Answers C and D are correct. If the subnet that the RRAS server is on doesn't have a DHCP server, a DHCP Relay Agent must be configured to allow clients to be assigned dynamic IP addressing. The DHCP server must also have a block of at least 10 IP addresses available for RRAS.
What type of RAS connection between private networks requires a permanent static route and cannot use dynamic routing?
Demand-dial connections
VPN connections
All other network connections
All of the above
Answer B is correct. When configuring VPN between private networks, you must specify the permanent static routes to the remote networks with which the RRAS server's network will communicate.
Which of the following are true with regard to using IPSec with VPN?
IPSec can be used with L2TP to enhance security.
IPSec cannot be used with PPTP.
PPPoE always uses IPSec.
A custom IPSec policy for RRAS is required.
Answers A, B, and D are correct. If you've configured VPN and set L2TP as the protocol type, you can use IPSec with L2TP to enhance security. To do this, you must define a custom IPSec policy and enable the related security options on your RRAS server.
To improve security, you want to require that all remote access clients authenticate using smart cards. What is the only authentication protocol that should be enabled on the RRAS server?
MS-CHAP
MS-CHAP V2
SPAP
PAP
EAP
Answer E is correct. EAP extends the authentication methods for PPP connections to include the EAP methods configured through remote access policies. In a standard configuration, these policies allow MD5-Challenge, Protected EAP (PEAP), smart cards, or other PKI certificates to be used.
Your organization has multiple RRAS servers. Which of the following services should you install to centralize the authentication of remote access clients and the storage of accounting information?
PPPoE
IAS
RADIUS
RRAS
IIS
Answer B is correct. RADIUS servers are used to centralize the authentication of remote access clients and the storage of accounting information. A Windows Server 2003 system can be configured as a RADIUS server by installing the Internet Authentication Service (IAS). RADIUS is a protocol; IAS is the actual service.
Aaron is a network administrator. The organization has nine subnets connected with persistent connections and one network connected with a demand-dial connection. He doesn't want to have to maintain the routing tables manually, and is looking for the simplest solution that will also ensure that any changes to network topology are updated automatically. Which routing option should he implement?
SPF
OSPF
RIPv2
PPPoE
Answer C is correct. RIP is ideal for small networks and can also be used with demand-dial connections. SPF is the routing algorithm used by OSPF. OSPF cannot be used with demand-dial connections. Point-to-Point Protocol over Ethernet (PPPoE) is a communications protocol used for secure communications between private networks.
Which of the following are valid command lines for adding a static route?
route add 192.168.52.0 mask 255.255.255.0 192.168.0.1 metric 1 if 0x10003
route add 192.168.52.0 mask 255.255.255.0 192.168.0.1 if 0x10003
route add 192.168.52.0 mask 255.255.255.0 192.168.0.1 metric 1
route -p add 192.168.52.0 mask 255.255.255.0 192.168.0.1 metric 1 if 0x10003
All of the above
Answer E is correct. Answers A, B, C, and D all have valid routes. The metric and interface are optional. If you do not specify them, they are selected automatically. To make a static route persistent, you can add the -p option. Persistent static routes are not deleted even if the router is stopped and restarted.
You've configured VPN using L2TP. You know that up to 256 clients will be connecting simultaneously to the RRAS server. What modifications (if any) do you need to make to the ports on the RRAS server?
None. The default configuration allows up to 256 ports per connection type.
Since only 128 ports are allowed per connection type, you must configure another connection using PPTP.
Since only 128 ports are allowed per connection type, you must install a second RRAS server.
Since only 128 ports are preconfigured for VPN using L2TP, you must add an additional 128 ports.
Answer D is correct. The default configuration allows up to 128 ports. You can add ports by increasing the maximum ports option for L2TP connections.
Which of the following are true regarding IP addresses used with NAT?
NAT uses public IP addresses when client computers need to access the Internet.
Public IP addresses are assigned by your ISP.
A pool of IP addresses is required.
IP address reservations can be defined.
Answers A, B, and D are correct. NAT uses these public IP addresses, which are assigned by an ISP. Only one public IP address is required, but you can use a pool of IP addresses. You can also define reservations for IP addresses.
Tom is configuring NAT and the Basic Firewall. He installs and configures NAT. He enables the Basic Firewall and configures it on the LAN interface, but the Basic Firewall does not seem to be working. What is the likely problem with the configuration?
Inbound packet filters must be configured.
Outbound packed filters must be configured.
NAT cannot be enabled with Basic Firewall.
Basic Firewall is configured on the wrong interface.
Answer D is correct. The Basic Firewall must be configured for use with a public interface connected to the Internet. The Basic Firewall accepts incoming traffic from the Internet only if it has been requested by the network, and you can optionally define packet filters to control network traffic using.
You've installed network monitor and configured a network to monitor. What do you need to do to capture data?
Click Capture 
Networks
Start
Filter
Trigger
Start.
ipconfig
pathping
TRacert
ping
netsh
Answer A is correct. Typing ipconfig /all shows you the current TCP/IP configuration and you can use this information for troubleshooting.
Amy is a network administrator. She has received numerous help desk requests about computers not being able to get an IP address. When she checks the DHCP server, she sees the DHCP Server service is not started. She attempts to start the service, but it will not start. She restarts the server, but the service still does not start. What should she do to resolve the problem?
Reboot the server again.
Configure the DHCP Server service to restart automatically using recovery options.
Verify that dependent services are started and configured appropriately.
Reinstall the DHCP Server service.
Answer C is correct. She should verify that dependent services are started and configured appropriately. While Windows Server 2003 may restart dependent services when starting a service, attempted restarts can fail if the underlying dependent services are incorrectly configured or disabled.
Which of the following recovery options can you set for the Event Log service?
Restart the service.
Run a program.
Restart the computer.
None of the above.
Answer D is correct. With most services, you can configure one of four actions should a service fail: restart the service, restart the computer, run a program, or take no action. However, some critical services cannot be configured for recovery and are set so the server will restart if the service fails.
