| Question 1 | Most protocols used by a mail server have an insecure and an SSL-encrypted version. Which of the following protocols, used by a front-end server located on a screened subnet, should always use the unencrypted, rather than the SSL-secured version? A. POP3 B. IMAP4 C. SMTP D. HTTP
|
| A1: | Answer C is correct. The SMTP port (25) is used by all Internet mail servers to communicate with one another. If port 25 is blocked, the front-end mail server cannot receive communication from the mail servers of other organizations on the Internet. Answers A, B, and D are incorrect. The other protocols listed (POP3, IMAP4, and HTTP) can be used with encryption without compromising the ability of Exchange Server 2003 to transmit and receive email from other Internet mail servers. |
| Question 2 | You administrate an Exchange Server 2003 front-end server located behind a firewall on a screened subnet. You have users who need to access their mailbox files from host locations on the Internet. These remote users will be connecting across the firewall using the secure version of the POP3 protocol. Which of the following ports on the firewall should be open to support these clients sending and receiving email via this front-end server? (Choose all that apply.) A. 25 B. 993 C. 995 D. 143 E. 636
|
| A2: | Answers A and C are correct. Port 25 is required to transmit email via SMTP. Also, mail servers on the Internet that attempt to forward mail to your organization use port 25 to communicate and route mail. Port 995 is the secure POP3 protocol, which remote users use to securely retrieve email across the Internet. Answer B is incorrect; port 993 is used for IMAP4 SSL, a protocol that this server does not need to support. Answer D is incorrect; port 143 is the insecure IMAP4 port, which is also not in use. Answer E is incorrect; port 636 is the secure LDAP port. Although LDAP might be required on the internal firewall, it is not required on the external firewall. |
| Question 3 | Which of the following roles that can be delegated via the Exchange Administration Delegation Wizard have the right to add, delete, and rename objects? (Choose all that apply.) A. Exchange Full Administrator B. Exchange Administrator C. Exchange View Only Administrator D. Exchange Management Administrator
|
| A3: | Answers A and B are correct. Both the Exchange Full Administrator and the Exchange Administrator roles have the right to add, delete, and rename objects. Answer C is incorrect; the Exchange View Only Administrator cannot add, delete, or rename objects. Answer D is incorrect; the Exchange Management Administrator role does not exist. |
| Question 4 | In which of the following situations would it be best practice to create a separate administrative group? A. When you want to move several existing servers into a new administrative group and delegate permissions to them B. When you are installing several new servers in the organization for which you want to delegate control to a small group of administrators C. When you are installing several new servers at a brand-new branch office location that will be administered by the current Exchange administration team D. When you need to change the delegated permissions of several users to a group of Exchange servers within the organization
|
| A4: | Answer B is correct. Administrative groups are primarily used as delegation points. You can delegate permissions to a particular administrative group, and those permissions will be inherited by all objects within that group. Servers can be installed into an administrative group, but cannot be moved into an administrative group if they were originally configured as members of another group. Answer A is incorrect because servers cannot be moved between administrative groups. Answer C is incorrect; the new servers will be administered by the current administration team. There is no need to create a new administrative group. Answer D is incorrect; changing delegated permissions can be done within the context of an original administrative group structure. |
| Question 5 | You want to allow several users who are connected to a local ISP MAPI access to your Exchange Server 2003 computer. You do not want to use VPN and have decided that RPC over HTTP provides the best option. In this situation, which of the following statements regarding the remote clients are true? (Choose all that apply.) A. RPC over HTTP can only be used by the Outlook 2003 client. B. For RPC over HTTP to work, the Exchange Server 2003 server must be configured as a front-end server and must be hosted on Windows Server 2003. C. Any MAPI client can use RPC over HTTP. D. Authentication credentials must be passed in an unencrypted form to the RPC over HTTP proxy server. E. The client running Outlook 2003 must use Windows XP with Service Pack 1 installed.
|
| A5: | Answers A, B, D, and E are correct. RPC over HTTP can only be used by the Outlook 2003 client running on Windows XP SP1 or later. As the RPC over HTTP service is only available on Windows Server 2003, this operating system must be used to host the front-end server that will authenticate this traffic. RPC over HTTP only uses Basic, rather than Windows Integrated or Digest authentication. Basic authentication passes credentials in an unencrypted form over the network. Answer C is incorrect; currently, only Outlook 2003 supports RPC over HTTP, though it is likely that all clients will support this technology in the future. |
| Question 6 | Who is able to decrypt a message that has been encrypted via a PKI public key? (Choose all that apply.) A. The person who originally encrypted the message B. The person who has the private key C. The key recovery agent for the CA that issued the private key D. The Exchange administrator for the server that hosts the recipient's mailbox
|
| A6: | Answers B and C are correct. The person who holds the private key can decrypt a message that has been encrypted via the public key. A key recovery agent can recover a private key. Because a key recovery agent has access to the private key after it is recovered, the person who has configured the key recovery agent could also decrypt the message. Answer A is incorrect; unless the person who encrypted the message has access to the private key, he cannot decrypt the message. Answer D is incorrect; the Exchange administrator for the server that hosts the mailbox is unlikely to have access to the private key, and, hence, is unlikely to be able to decrypt the message. |
| Question 7 | You have configured the Exchange User certificate templates on an enterprise subordinate CA located within your Windows Server 2003 domain. The certificate is configured to enroll for authenticated users. You verify that the mailbox store supports S/MIME. You run Outlook to configure the security settings, but there is no available signing or encryption certificates. Which of the following actions should you take? A. Go back to the certificates template MMC and ensure that the Exchange Users group also has enroll and read permissions for the Exchange User certificate. B. Go back to the certificates template MMC and ensure that the Authenticated Users group has full control permissions for the Exchange User certificate. C. Go to the enterprise subordinate CA Control Panel and ensure that the CA is configured to issue Exchange User group certificates. D. Log off and log back on again.
|
| A7: | Answer C is correct. After a certificate template has been properly configured, the CA must also be configured to issue certificates based on that template. Answer A is incorrect; the question states that the certificate is configured to enroll for authenticated users. Answer B is incorrect; the full control permission is unnecessary in this situation. Answer D is incorrect; because autoenroll is configured, the certificate will be issued without the requirement of the user logging back on. |
| Question 8 | Users of Exchange Server 2003 in your organization have been successfully using digital certificates to sign and encrypt email for the last few months. Last week, you installed another Exchange Server 2003 system and have recently moved several mailboxes over to the new server to lighten the load on the existing infrastructure. You have received several reports from users of the new server that they are unable to store encrypted or signed messages. Which of the following steps can you take to resolve this problem? A. Ensure that the mailbox stores on the new server are configured to support S/MIME signatures. B. Ensure that the mailbox stores on the old servers are configured to support S/MIME signatures. C. Check that these users' Exchange User certificates have not expired. D. Check that the CA is online.
|
| A8: | Answer A is correct. Signed and encrypted email cannot be stored on the server unless the mailbox stores are configured to support S/MIME signatures. Answer B is incorrect; the messages are not being stored on the old mailbox stores, hence they are irrelevant to this situation. Answer C is incorrect; if certificates had expired, these users would simply be unable to view encrypted content and would be unable to verify digital signatures. Answer D is incorrect; because nothing has been heard from other users except those using the new server, it is unlikely that the CA has gone offline. |
| Question 9 | Which of the following statements is true if the Exchange User certificate template is not configured for autoenrollment? (Choose all that apply.) A. Users will have to use the Certificate MMC to request an Exchange User certificate from the CA. B. Administrators can apply a logon script to request the Exchange User certificate from the CA. C. Users will be unable to digitally sign communication. D. Users will be unable to encrypt messages sent via Outlook.
|
| A9: | Answers A and B are correct. If autoenrollment is not configured, a user must manually request a certificate from the CA. Rather than walking users through the complex process of requesting a certificate, this can be scripted to occur automatically. Answer C is incorrect; users can still get these certificates, they just cannot do so automatically. Answer D is incorrect; after they have a certificate, users will be able to sign and encrypt messages. |
| Question 10 | Which of the following statements about keeping Exchange Server 2003 up to date with hotfixes and service packs is correct? A. The server on which Exchange Server 2003 is hosted can be kept up to date via SUS. B. All Exchange hotfixes and service packs must be installed manually on each Exchange Server 2003 computer. C. All Windows Server 2003 hotfixes and service packs must be installed manually on each Windows Server 2003 computer hosting Exchange Server 2003. D. Exchange Server 2003 service packs can be deployed to Exchange Server 2003 computers via the Active Directory Group Policy Object.
|
| A10: | Answer A is correct. Exchange Server 2003 is hosted on either a Windows 2000 Server or Windows Server 2003 computer. Both Windows 2000 Server and Windows Server 2003 can have hotfixes and service pack installation managed via Software Update Services (SUS). Answer B is incorrect; installation of hotfixes and service packs can be scripted to occur without direct administrator intervention. Answer C is incorrect; Windows Server 2003 hotfixes and service packs can be deployed via SUS. Answer D is incorrect; Active Directory cannot be used to deploy service packs. |
