Exam Prep Questions

Question 1

You are the Web hosting administrator for your company's e-commerce environment, and you need to configure a single internal persistent static route to your internal subnet of 50.0.0.0 /8 on the internal NIC only. The server is using an internal IP address of 199.168.1.225 and an external address of 12.155.34.66.

You go to a command prompt and enter the following:

 
 C:\>route add 50.0.0.0 mask 255.0.0.0 12.155.34.66 

Which of the following steps have been met? (Choose two.)

  • A. A static entry has been established.

  • B. A persistent static entry has been established.

  • C. The static route to your internal subnet of 50.0.0.0 /8 has been correctly configured.

  • D. The static route to your internal subnet of 50.0.0.0 /8 has not been correctly configured.

  • E. An incorrect persistent static entry has been established.

A1:

The correct answers are A and D. A static entry has been established. However, the entry is not on the correct route, as it has been tied to the external IP address, and the task called for it to be tied to the internal address. Also, although it is a static entry, it has not been made persistent. When you add a route using the ROUTE ADD command, you need to use the -p switch to make the route persistent, or it is removed when the system restarts. By default, manually entered routes are not rebuilt when the system is restarted unless they are configured as persistent.

Question 2

You are the network administrator for your Windows Server 2003 mixed-mode domain, and you have been tasked with solving the issue of routing in your environment. Currently, you use static routing, but now that your network has expanded, this method has become unmanageable.

You have decided to review the available dynamic routing protocols: RIPv1, RIPv2, and OSPF. For a network that has a little more than 30 routing points and up to 17 hops between the farthest segments, which of the following options is the best choice?

  • A. RIPv1

  • B. RIPv2

  • C. OSPF

  • D. Both RIPv1 and RIPv2 can be used.

  • E. All three routing protocols could be used.

A2:

The correct answer is C. RIPv1 and RIPv2 are best used on medium-sized networks with about 50 routers maximum, and the maximum number of routers (hops) that any IP packet must cross is less than 16.

When using any version of RIP, you need to consider that the update announcements generated by RIP routers can cause unacceptable levels of network traffic when more than 50 RIP routers are in use. In this scenario, there is less cause for concern because there are fewer than 30 routing points. The main reason this will not work is that there are 17 hops between the farthest segments. Destination addresses that are 16 or more hops away are unreachable from RIP routers.

OSPF is a link-state protocol based on an algorithm that determines the shortest path between source and destination nodes on a routed network, which is a better choice than either version of RIP when you are considering routing 17 hops between the farthest segments of a network.

Question 3

You are the network administrator for your Windows Server 2003 domain, and you have been tasked with solving the issue of routing in your environment. You have decided to use RIPv1 as your network's dynamic routing protocol, and you would like to configure router broadcasts by using multicast announcements. Your addressing scheme uses the CIDR address of 128.211.0.0 / 21. Which of the following answers are the most relevant to the information supplied? (Choose two.)

  • A. RIPv1 routers use multicast announcements.

  • B. RIPv1 routers use broadcast announcements.

  • C. RIPv1 routers do not support CIDR.

  • D. RIPv1 routers support CIDR.

  • E. RIPv1 routers support CIDR only in native-mode forests.

A3:

The correct answers are B and C. RIPv1 is difficult to deploy in larger environments because it supports the main classes of IP addresses only and cannot use Classless Inter-Domain Routing (CIDR) or Variable Length Subnet Masks (VLSM). RIPv1 is limited in security measures as well. Routers that exchange routing information using RIPv1 do not authenticate with each other, which could allow a Denial of Service (DoS) attack in which a hacker corrupts routing tables. RIPv2 network routers broadcast their routing tables to other RIPv2 routers at predefined intervals via broadcast or multicast. RIPv1 uses broadcast only.
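Added example (not from the book): the answers to Questions 2 and 3 rest on two properties of the RIP route entry, the metric ceiling of 16 and the missing subnet mask in RIPv1. The Python sketch below packs and parses the standard 20-byte entry to show both. The function names are hypothetical, the subnets are constructed from the question's 128.211.0.0 /21 scheme, and two simplifications are assumed: every receiving router adds one hop, and a RIPv1 receiver always falls back to the classful mask.

```python
import ipaddress
import struct

RIP_INFINITY = 16  # metric 16 means "unreachable" in every RIP version
ENTRY = "!HHIIII"  # AFI, route tag, address, mask, next hop, metric (20 bytes)


def build_response(version, routes):
    """Pack a RIP response from (network, prefix_len, metric) tuples."""
    packet = struct.pack("!BBH", 2, version, 0)  # command 2 = response
    for network, prefix_len, metric in routes:
        addr = int(ipaddress.IPv4Address(network))
        mask = 0  # RIPv1: this field must be zero, so the prefix length is lost
        if version == 2:
            mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
        packet += struct.pack(ENTRY, 2, 0, addr, mask, 0, metric)
    return packet


def classful_prefix(addr):
    """Prefix length implied by the address class (A=/8, B=/16, C=/24)."""
    first_octet = addr >> 24
    if first_octet < 128:
        return 8
    return 16 if first_octet < 192 else 24


def parse_response(packet):
    """Return (network, metric, reachable) as the receiving router stores it."""
    _command, version, _zero = struct.unpack_from("!BBH", packet, 0)
    learned = []
    for offset in range(4, len(packet), 20):
        fields = struct.unpack_from(ENTRY, packet, offset)
        _afi, _tag, addr, mask, _hop, metric = fields
        if version == 1:
            prefix = classful_prefix(addr)  # assumption: classful fallback only
        else:
            prefix = bin(mask).count("1")
        network = ipaddress.IPv4Network((addr, prefix), strict=False)
        metric = min(metric + 1, RIP_INFINITY)  # assumption: one hop per receiver
        learned.append((str(network), metric, metric < RIP_INFINITY))
    return learned


def propagate(version, route, routers):
    """Pass one route through `routers` receivers in a line; return the last view."""
    network, prefix_len, metric = route
    view = None
    for _ in range(routers):
        packet = build_response(version, [(network, prefix_len, metric)])
        view = parse_response(packet)[0]
        net = ipaddress.IPv4Network(view[0])
        network, prefix_len, metric = str(net.network_address), net.prefixlen, view[1]
    return view


if __name__ == "__main__":
    # Constructed sample: two distinct /21 subnets of the question's address space
    subnets = [("128.211.0.0", 21, 1), ("128.211.8.0", 21, 1)]
    for version in (1, 2):
        print("RIPv%d:" % version, parse_response(build_response(version, subnets)))
    print("after 17 routers:", propagate(2, subnets[1], 17))
```

Under RIPv1 both /21 subnets are stored as the same 128.211.0.0/16 route, and under either version the route passed through 17 routers arrives with metric 16 and is marked unreachable.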

Question 4

You are considering a Data Link layer switch on your LAN in an effort to form a border on your broadcast and collision domains to limit the traffic in two different locations.

Location 1 has four Windows XP Professional workstations and one Windows Server 2003 system connected to HUB1, which is connected directly to HUB2.

Location 2 has three Windows 2000 Professional workstations, one Windows 2000 Server system, and one Windows NT 4 server running Service Pack 5 (SP5). These systems are connected to HUB2, which is directly connected to HUB1.

You install the Data Link layer switch and connect HUB1 to port 1 on the switch and HUB2 to port 15 on the switch. What are the end results of your actions? (Choose two.)

  • A. Location 1 and Location 2 will be part of the same broadcast domain.

  • B. Location 1 and Location 2 will be in different broadcast domains.

  • C. Location 1 and Location 2 will be part of the same collision domain.

  • D. Location 1 and Location 2 will be in different collision domains.

  • E. Location 1 and Location 2 are in different subnets.

A4:

The correct answers are A and D. Bridges and switches operate at the Data Link layer (Layer 2) of the OSI model and automatically forward all broadcast traffic received; therefore, Location 1 and Location 2 will be part of the same broadcast domain.

Although Layer 2 switches can be found at the borders of collision domains, they do not form a border of a broadcast domain. Because Layer 2 switches do form the borders of collision domains, Location 1 and Location 2 will be in different collision domains. Only Network layer/Layer 3 devices, such as routers or Layer 3 switches, form a border of a broadcast domain.

Question 5

You are the network administrator for your Windows Server 2003 environment. You have been tasked with connecting three branch offices to your main office, all of which are in the same city. Branch 1 has four Windows XP Professional workstations and one Windows Server 2003 system connected locally by a hub.

Branch 2 has five Windows 2000 Professional and XP Professional workstations, one Windows 2000 Server system, and one Windows NT 4 server running SP6a. These systems are also connected locally by a hub.

Branch 3 has seven Windows 2000 Professional and XP Professional workstations, two Windows 2000 servers, one Windows Server 2003 system, and three Windows NT 4 servers running SP6a. These systems are also connected locally by a hub.

The main office is identical in layout to Branch 3, except that its Windows NT 4 servers have been retired. You have decided to use Layer 3 switches at the main office and the branch offices to connect all the systems. What is the result of your actions?

  • A. The solution will not work; routers will be needed.

  • B. The offices will be in different broadcast domains.

  • C. The offices will be in the same collision domain.

  • D. The offices will be in the same broadcast domain.

A5:

The correct answer is B. Because Network layer/Layer 3 devices, such as routers or Layer 3 switches, form a border of a broadcast domain, the offices will be in different broadcast domains. Routers are used to connect dissimilar LAN segments and to create smaller broadcast domains. Routers are better than switches for segmenting larger networks in an effort to improve performance and for connecting large LANs to WANs, but they are usually more expensive than similar performance switches.

Layer 3 switches route packets at Layer 3 and forward frames at Layer 2. They are very fast devices with minimal latency and are used primarily for LAN-based IP or IPX routing solutions. In most cases, Layer 3 switches are used to connect virtual LANs (VLANs) or to subdivide larger LANs into smaller broadcast domains; however, with very small branch offices, as in this example, this solution would work.

Question 6

You are the network administrator for your Windows Server 2003 domain. You have been tasked with connecting all three of your branch offices and your main office to the Internet. Branch 1 has five Windows XP Professional workstations, three Windows 2000 Professional workstations, and one Windows Server 2003 system connected locally by a Layer 3 switch. All the clients use manually assigned IP addresses.

Branch 2 has four Windows 2000 Professional workstations, four XP Professional workstations, one Windows 2000 server, and one Windows NT 4 server running SP6a. These systems are also connected locally by a Layer 3 switch. All the clients use manually assigned IP addresses.

Branch 3 has six Windows 2000 Professional workstations, five Windows XP Professional workstations, two Windows 2000 servers, one Windows Server 2003 system, and three Windows NT 4 servers running Service Pack 6a. These systems are also connected locally by a Layer 3 switch. All clients use manually assigned IP addresses.

The main office has five Windows 2000 Professional workstations, six XP Professional workstations, two Windows 2000 servers, and three Windows Server 2003 systems. These systems are also connected locally by a Layer 3 switch. All the clients use manually assigned IP addresses.

The four locations are all connected via private leased lines to a router at the main office. You have been asked to allow all the systems to have Internet connectivity. You need to ensure that all systems can connect to the Internet and that a moderate level of security is available for all systems from one centralized point. The method of security must be inclusive to all the hosts. You need to carry out the design efficiently with the least amount of administrative effort.

Which of the following actions could you take to complete this task as outlined? (Choose two.)

  • A. Install ISA Server on one server and run it in firewall mode.

  • B. Enable Internet Connection Sharing on one of the servers and allow all the systems to use that server as the default connection to the Internet.

  • C. Install ISA Server on one server and run it in Integrated mode.

  • D. Configure all the client systems to use APIPA. Configure the addresses with the ISA server as the default gateway.

  • E. Configure all client systems to use APIPA. Configure the addresses with the ISA server as the proxy server in Internet Explorer.

  • F. Configure the IP address of the ISA server as the proxy server in Internet Explorer on each client.

  • G. Configure the IP address of the ISA server as the default gateway on each client.

  • H. Enable Internet Connection Firewall on each client.

  • I. Enable Internet Connection Sharing on each client.

A6:

The correct answers are C and F. By installing ISA Server on one server and running it in Integrated mode, you will be able to use the server as a proxy to the Internet for the hosts on the network and protect them from the Internet at the same time.

Configuring the IP address of the ISA server as the proxy server in Internet Explorer on each client is the only way to get all the systems connected to the Internet. Installing ISA Server on one server and running it in Firewall mode is not the best solution. Although it will protect the systems from a security standpoint, they will not be able to connect to the Internet.

Enabling Internet Connection Sharing on one of the servers and allowing all the systems to use that system as the default connection to the Internet is not necessarily the best option, as the systems are left unprotected from the Internet. Configuring all client systems to use APIPA would not work because APIPA does not use a default gateway, which would not allow the systems out of their subnets.

By configuring the IP address of the ISA server as the default gateway on each client, you prevent the systems from getting out of their current subnets. Enabling ICF on each client is not possible on all clients, as some of them are running legacy operating systems that do not have this option. The same is true for enabling ICS on each client.

Question 7

You are a domain administrator for your company, which hosts a mixed-mode Windows 2003 Active Directory forest. You have been tasked with setting up and configuring secured remote access to your intranet so that employees can successfully and securely access network resources from the field. Clients in use include Windows 2000 Professional running a mix of SP2 and SP3, Windows XP Professional running SP1, and a few Windows 98 and Windows NT 4 Workstation SP6a systems.

Which of the following authentication methods is the most secure and allows all workstations to authenticate users and prevent passwords from being "seen" on the wire?

  • A. Password Authentication Protocol (PAP)

  • B. Shiva Password Authentication Protocol (SPAP)

  • C. Challenge Handshake Authentication Protocol (CHAP)

  • D. Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1)

  • E. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

  • F. Extensible Authentication Protocol (EAP)

A7:

The correct answer is D. MS-CHAP v1 functions in the same manner as CHAP; the server sends a challenge to the remote client that consists of a session ID and a challenge string. The remote client must return the username and a Message Digest 4 (MD4) hash of the challenge string, the session ID, and the MD4-hashed password.

MS-CHAP v1 requires only the MD4 hash of the password to validate the challenge response; it does not need the password available in plaintext, which is required in CHAP. In Windows 2000 and 2003, user passwords are stored as an MD4 hash and in a reversibly encrypted form. When CHAP is used, the remote access server decrypts the reversibly encrypted password to validate the remote access client's response.

The main reason MS-CHAP v1 must be used instead of the other protocols as "most secure" is that there are Windows 98 systems on the network. The DS Client Pack needs to be installed on Windows 95 or 98 systems to use NTLMv2. Windows Me and NT 4 systems running SP4 or later support NTLMv2 without additional modification.

MS-CHAP v2 is the Windows 2000 implementation of MS-CHAP. It does not support earlier Windows client versions, such as Windows NT 4 and Windows 9x. Although you should use MS-CHAP v2 whenever possible, it is not the correct answer to this question because of the legacy systems in use.

EAP is an authentication protocol that can be extended with additional authentication methods, such as SmartCards, biometrics, and certificate-based authentication.

All the other options require specific hardware for encryption, such as SPAP, or they do not provide any encryption at all, as in the case of PAP, which sends passwords as clear text.

Question 8

You are the network administrator for zandri.net, which is a Windows Server 2003 native-mode domain. You have been reviewing authentication encryption solutions for remote field users, who consist mainly of your sales force using Windows NT 4, Windows 98, and Windows 2000 Professional clients on laptop systems. Of the following solutions, which can be used to encrypt authentication? (Choose two.)

  • A. SHA

  • B. MD5

  • C. 40-bit DES

  • D. 56-bit DES

  • E. 3DES

A8:

The correct answers are A and B. Secure Hash Algorithm (SHA) is a 160-bit key authentication encryption method, and Message Digest 5 (MD5) is a standard authentication encryption method that uses a 128-bit key. Both methods encrypt authentication attempts, but they do not encrypt data. 40-bit DES uses a single 40-bit key, and 56-bit DES uses a single 56-bit key as part of their data encryption process. Both are used for smaller security concerns when system overhead is an issue. Both encryption processes do nothing to encrypt authentication attempts. 3DES uses three 56-bit keys and processes each data block three times, using a unique key each time as part of its data encryption process. It is often used in high-security situations and is also used for data only, as it, too, does not encrypt authentication attempts.

Question 9

You are the network administrator for zandri.net, which is a Windows Server 2003 native-mode domain. The systems in use between your main office and your branch offices are as follows:

Branch 1 has five Windows XP Professional workstations, three Windows 2000 Professional workstations, and one Windows Server 2003 system connected locally by one Windows Server 2003 system running Routing and Remote Access Service (RRAS). All the clients use manually assigned IP addresses.

Branch 2 has four Windows 2000 Professional workstations, four XP Professional workstations, one Windows 2000 server, and one Windows NT 4 server running SP6a. These systems are also connected locally by one Windows Server 2003 system running RRAS. All the clients use manually assigned IP addresses.

Branch 3 has six Windows 2000 Professional workstations, five XP Professional workstations, two Windows 2000 servers, one Windows Server 2003 system, and three Windows NT 4 servers running SP6a. These systems are also connected locally by one Windows Server 2003 system running RRAS. All the clients use manually assigned IP addresses.

The main office has five Windows 2000 Professional workstations, six XP Professional workstations, two Windows 2000 servers, and three Windows Server 2003 systems. These systems are also connected locally by one Windows Server 2003 system running RRAS. All the clients use manually assigned IP addresses.

Your primary objective is to provide a secure connection for all systems between your main office and your branch offices. One secondary objective is to provide a solution that is always available. The other secondary objective is to provide a solution that can work on all clients in all locations with the least amount of administrative effort.

You have decided to use L2TP and IPSec encryption in its default mode to provide the necessary security for your environment. All communications will be set to "require" security. What are the results of your efforts?

  • A. The primary and both secondary objectives have been satisfied.

  • B. The primary and one secondary objective have been satisfied.

  • C. Only the secondary objectives have been satisfied.

  • D. Only one secondary objective has been satisfied.

  • E. None of the objectives has been satisfied.

A9:

The correct answer is E. IPSec Transport mode authenticates and encrypts data flowing between any two computers running Windows 2000 Server or Windows Server 2003. It provides security for the network and can potentially support a secure connection with more than one other computer at a time. Transport mode is the default IPSec mode.

Using IPSec in Tunnel mode authenticates and encrypts data flowing within an IP tunnel that is created between two routers. Windows 2000 Server and Windows Server 2003 require RRAS to implement Tunnel mode for IPSec. You enable Tunnel mode in IPSec Management and configure Tunnel mode settings by supplying an IP address for each end of the tunnel. This encrypts all the data sent between any of the systems from one location to another via the two RRAS servers.

Your primary objective to provide a secure connection for all systems between your main office and your branch offices has not been met because you decided to use L2TP and IPSec encryption in its default mode to provide the necessary security for your environment. This configuration is set up in Transport mode, not Tunnel mode, which is what's needed.

The secondary objective of providing a solution that is always available has been met for all systems except the NT 4 systems. Forcing all communications to "require" security will encrypt all the data transferred between all hosts. With this deployment, the NT 4 systems will not be able to communicate with other systems.

The secondary objective of providing a solution that can work on all clients in all locations with the least amount of administrative effort has been met for all systems except the NT 4 systems. For those NT 4 systems to be able to use L2TP/IPSec, the Microsoft L2TP/IPSec VPN client needs to be installed so that those servers can use L2TP connections with IPSec.

Question 10

You are the network administrator for zandri.net, which is a Windows Server 2003 native-mode domain. You have identified Point-to-Point Tunneling Protocol (PPTP) as the secure VPN connection method for your sales users in the field when they need to connect to the main office over the Internet. The users will not call into the RRAS server directly; rather, they will call into a local ISP wherever they are traveling and use the Internet to make their connection to the RRAS server.

The laptop systems your sales force uses include Windows 98, Windows 2000, and Windows XP Professional. Your primary objective is to provide a secure connection for all systems between remote locations and your main office by way of the Internet. One secondary objective is to provide a solution that is always available. The other secondary objective is to provide a solution that has built-in encryption and works on IP-based infrastructures.

You have decided to use RRAS for your VPN solution and PPTP. What are the results of your efforts?

  • A. The primary and both secondary objectives have been satisfied.

  • B. The primary and one secondary objective have been satisfied.

  • C. Only the secondary objectives have been satisfied.

  • D. Only one secondary objective has been satisfied.

  • E. None of the objectives has been satisfied.

A10:

The correct answer is A. The primary and both secondary objectives have been satisfied. VPNs can use PPTP or L2TP to establish connections to RRAS servers on both the Windows 2000 Server and Windows Server 2003 platforms.

Both protocols can be configured to encapsulate data packets in an effort to securely send data over the Internet; however, L2TP needs to use IPSec to encrypt data because it does not have this capability built in. PPTP does have built-in encryption because it uses MPPE to encrypt data. PPTP can be used on IP-based networks only (which was all the question called for); it cannot use any other types. L2TP can be used on IP networks in addition to Frame Relay, X.25, or Asynchronous Transfer Mode (ATM) networks.




MCSE 70-293 Exam Cram. Planning and Maintaining a Windows Server 2003 Network Infrastructure
MCSE 70-293 Exam Cram: Planning and Maintaining a Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736195
EAN: 2147483647
Year: 2004
Pages: 123
