Answer Key


1. C
2. B
3. D
4. B
5. A, B
6. B
7. C
8. D
9. B
10. D
11. A
12. Drag/Drop
13. D
14. C
15. D
16. D
17. C
18. D
19. B
20. C
21. B, E
22. B
23. C
24. C
25. B
26. C
27. A
28. D
29. B
30. B
31. List
32. C
33. B
34. C
35. D
36. B
37. C
38. D
39. C
40. List
41. List
42. B
43. List
44. D
45. C
46. B
47. C
48. B
49. C
50. C
51. B
52. B
53. D
54. B
55. B
56. C
57. B, C
58. D
59. A
60. D

Question 1

Answer C is correct. You can set day and time restrictions for remote users by configuring the conditions of the remote access policy. Answer A is incorrect because day and time restrictions are no longer configured through the properties of a user account as they were in Windows NT 4.0. You cannot configure day and time restrictions by configuring the properties of the remote access server or the ports; therefore, answers B and D are incorrect.

Question 2

Answer B is correct. You must change the user account names on each router to match the name assigned to the demand-dial interface on the answering router. In order for a two-way demand-dial connection to work, the user account names used for authentication must be identical to the name assigned to the demand-dial interface. The name of the demand-dial interface on the branch office router must be changed to SRV02. The name of the demand-dial interface on the head office router must be changed to SRV01. Answer D is incorrect because the user accounts used for remote authentication between the demand-dial routers do not need to be identical. Answers A and C are incorrect because the demand-dial interface on the calling router must be identical to the user account name on the calling router.

Question 3

Answer D is correct. You need to configure the clients with the IP address of the WINS server. To do so, you must install the DHCP Relay Agent on the RAS server so that it can forward DHCPInform messages between the clients and the DHCP server. Answer A is incorrect because you cannot configure optional parameters on the RAS server. You can configure clients with the IP address of the WINS server; however, it's easier from a management perspective to centralize IP address assignment and use a relay agent instead. Therefore, answer B is incorrect. Answer C is incorrect because configuring the RAS server with the IP address of the WINS server will not resolve the problem.

Question 4

Answer B is correct. You use the gpupdate /force command to manually refresh all settings regardless of whether they have changed. Answers A and E are incorrect because secedit was the command used in Windows 2000 to refresh policy changes. Answer C is incorrect because this command refreshes only the computer settings. Answer D is incorrect because the gpupdate command does not support the /refreshpolicy switch.

Question 5

Answers A and B are correct. You can include the subnets 172.31.128.0/18 and 172.31.192.0/18 in Area1. With the routing protocol Open Shortest Path First (OSPF), an area consists of contiguous subnets that can be represented via route summarization. The network prefix "/18" indicates that the first 18 bits represent the subnet identifiers (IDs). This includes the first two bits of the third octet. The subnets that can be defined in this octet are represented in binary notation as 00000000, 01000000, 10000000, and 11000000. In decimal notation, the value of the subnet ID in the third octet can be 0, 64, 128, or 192. Answers C, D, and E are incorrect. The address 172.31.96.0/18 represents a host on subnet 172.31.64.0. The address 172.31.160.0/18 represents a host on subnet 172.31.128.0. The address 172.31.224.0/18 represents a host on subnet 172.31.192.0.

Question 6

Answer B is correct. The Extensible Authentication Protocol (EAP) is required to support smart card authentication. Answers A, C, and D are incorrect because they do not support smart card authentication.

Question 7

Answer C is correct. When you create demand-dial connections, the user account name on the answering router must match the demand-dial interface name on the calling router. Therefore, answers A, B, and D are incorrect.

Question 8

Answer D is correct. To have changes propagated throughout the network when changes occur, and to reduce the administrative overhead associated with updating the routing tables, a routing protocol is required. Because you cannot use OSPF with nonpersistent connections, you must use RIPv2 (or RIPv1). Therefore, answers A and C are incorrect. Answer B is incorrect because whenever possible you should use RIPv2 instead of RIPv1. RIPv2 supports enhanced features that are not available with RIPv1.

Question 9

Answer B is correct. The correct syntax when adding new static routes using the route command is route add mask metric. Therefore, answers A, C, and D are incorrect.

Question 10

Answer D is correct. If you assign the Server (Request Security) policy, the server always attempts secure communications. Unsecured communications are still allowed if the client is not IPSec-aware. Answer A is incorrect because communications are not allowed if the client is not IPSec-aware. Answer B is incorrect because Assigning Client (Respond Only) means that the server responds only to requests for secure communications but does not attempt to secure all communications. Answer C is incorrect because IPSec is not configured through the properties of TCP/IP.

Question 11

Answer A is correct. If both servers are configured with the Client (Respond Only) policy, they respond only to requests for secure communications. You must configure both of the servers with Server (Require Security). Answer B is incorrect because you can configure IPSec through Active Directory or on the local computer. Answer C is incorrect because computers are not configured as IPSec clients. Answer D is incorrect because the workgroup membership has no impact on how servers respond to security.

Question 12

SRV-01 should be configured with the Server (Request Security) IPSec policy. This will ensure that the server always attempts to use IPSec but does not require it. Non-IPSec-aware clients will still be able to communicate with the server. SRV-02 should be configured with the Secure Server (Require Security) IPSec policy. This will ensure that any communications between SRV-01 and SRV-02 and communications between client computers and SRV-02 are always secure. SRV-02 will require IPSec and will not be able to communicate with non-IPSec-aware clients. Client computers on the private network should be configured with the Client (Respond Only) IPSec policy. This ensures that any communications between client computers and the two servers are always secured but still allows them to communicate with non-IPSec-aware servers.

Question 13

Answer D is correct. The two tunneling protocols supported by Windows Server 2003 are the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). However, when all systems are running Windows Server 2003, PPTP should not be used. PPTP should be used only for backward compatibility. Therefore answer B is incorrect. PPP and SLIP establish dial-up connections. Therefore, answers A and C are incorrect.

Question 14

Answer C is correct. To increase the number of available PPTP ports, open the Ports properties window within the Routing and Remote Access management console. Select PPTP and click Configure. Therefore, answers A, B, and D are incorrect.

Question 15

Answer D is correct. Because all the remote access users are running Windows XP Professional, the authentication protocol should be MS-CHAP version 2. Answers B and C are incorrect because they are not as secure as MS-CHAP version 2. Answer A is incorrect because PAP sends credentials in cleartext and should only be used for non-Windows clients.

Question 16

Answer D is correct. Install a DHCP server on Subnet C and configure it with a scope for remote access clients. The scope should assign the clients the IP address of the DHCP server. Configure RRAS to use DHCP and configure it as a relay agent. This step ensures that remote users are assigned the IP address of the DNS server. Therefore, answers A, B, and C are incorrect.

Question 17

Answer C is correct. If the connection attempt does not match the conditions of the first policy in the list, the conditions of the next policy are evaluated. The permissions and profile settings of a policy are not evaluated until the connection attempt meets the conditions of a policy. Therefore, answers A, B, and D are incorrect.

Question 18

Answer D is correct. Because the president needs remote access from various locations, you should select the Set by Caller option. To limit where network administrators can dial in from, select Always Callback To. In this way, the remote access server always calls them back at the configured phone numbers, ensuring that is where they are attempting remote access. Selecting No Callback disables this feature. Therefore, answers A, B, and C are incorrect.

Question 19

Answer B is correct. If you delete the default remote access policy and no other policy exists, users will not be permitted remote access. Therefore, you must create a remote access policy to solve the problem. Answer A is incorrect because disabling and then enabling Routing and Remote Access re-creates the default policy, but it is not the easiest solution. You would have to reconfigure the remote access server afterward. Answer C is incorrect because dial-in permission can be granted through the properties of a user account, but a policy must still exist. Answer D is incorrect because you cannot configure profile settings until you create a policy.

Question 20

Answer C is correct because the connection attempt matches the conditions of the first policy. The permissions and profile settings of this policy are evaluated. The profile settings restrict dial-in access after 5 p.m., so the connection attempt is denied. Therefore, answer A is incorrect. Answer B is incorrect because if a connection attempt does not meet the profile settings of the policy, no other policies in the list are evaluated and the connection attempt is denied. Answer D is incorrect because day and time restrictions are not configured through the user account properties.

Question 21

Answers B and E are correct. The profile settings disconnect a session after 30 minutes of idle time, restrict the maximum session to 8 hours, allow users remote access during the hours of 6 a.m. and 6 p.m., and allow users to dial in to a specified number. Therefore, answers A, C, D, and F are incorrect.

Question 22

Answer B is correct. When troubleshooting connectivity problems using the ping command, it is recommended that you use the following steps: ping the loopback address, ping the IP address of the local computer, ping the IP address of the default gateway, and then ping the IP address of a remote host. Therefore, answers A, C, and D are incorrect.

Question 23

Answer C is correct. By configuring a display filter within Network Monitor, you can filter captured data to only display specific types of information. Answer A is incorrect because triggers enable actions to be performed based on a set of conditions that must first be met. Answer B is incorrect because capture filters specify the type of information that is captured. Answer D is incorrect because packet filters specify the type of inbound and outbound traffic a computer can accept.

Question 24

Answer C is correct. By adding his user account to the Performance Monitor Users group, Joe can view performance counter data within System Monitor locally or across the network. Answer A is incorrect because adding Joe to the Performance Log Users group gives him permission to manage logs and alerts as well. Answers A and B are incorrect because they would give Joe administrative permissions to the server. Adding his user account to the Domain Admins group would give him too many permissions; therefore, answer D is incorrect.

Question 25

Answer B is correct. If you configure a capture filter, Network Monitor only captures data that meets the criteria you specify. Answer A is incorrect because display filters filter data that has already been captured. Answer C is incorrect because triggers are configured to specify an action that should occur when certain criteria are met. Answer D is incorrect because IP packet filters are used to specify the type of traffic that is permitted to reach a computer.

Question 26

Answer C is correct. By monitoring IP Datagrams/sec, you can monitor the total amount of IP datagrams sent and received by the computer each second. Answer A is incorrect because it is the number of outbound packets that could not be transmitted because of errors. Answer B is incorrect because this counter only monitors the number of TCP segments sent each second. Answer D is incorrect because this counter monitors the number of logon requests received each second by the computer.

Question 27

Answer A is correct. You should open the Main Mode Security Associations on the server. The Main Mode Security Associations area displays the persistent security association for the computer that the MMC snap-in is focused on. Security associations are established between computers after the key exchange and mutual authentication. Answer C is incorrect because RSoP is used to determine the IPSec policies that are assigned to a computer. Answer B is incorrect because the security log only contains entries that relate to auditing. Answer D is incorrect because this command was available in Windows 2000 but has been replaced by the IP Security Monitor snap-in in Windows Server 2003.

Question 28

Answer D is correct. You can use Device Manager to verify that a hardware device is functioning properly. Answer A is incorrect because System Monitor monitors performance. Answer B is incorrect because you use Network Monitor to capture and analyze network traffic. Answer C is incorrect because ping is a command-line utility used to verify network connectivity.

Question 29

Answer B is correct. The Logon Total counter determines the number of logon requests the domain controller has received since the last time it was restarted. Answers A and C are incorrect because there are no such counters within System Monitor. Answer D is incorrect because this counter determines the number of logon requests received each second.

Question 30

Answer B is correct. If the service does not start, use the Services console to verify that any services that DHCP depends on are also started. Therefore, answer A is incorrect. Answer C is incorrect because if the service fails to start, attempting to start it within the DHCP console makes no difference. Answer D is incorrect because it should be a last resort in terms of troubleshooting.

Question 31

The correct answers are:

The computer can attempt to restart the service.

The computer can automatically reboot.

Service recovery actions do not include the ability to automatically restart the failed service's dependencies nor send an email to the network administrator.

Question 32

Answer C is correct. You can use Network Monitor to capture and analyze network traffic. Answers A and D are incorrect because there are no such utilities included with Windows Server 2003. Answer B is incorrect because you use Network Diagnostics to gather information about the hardware, software, and services running on a local computer.

Question 33

Answer B is correct. You should use the context menu of the Routing Interface Protocol (RIP) node to add at least one interface to RIP. When you add a routing protocol, the protocol is not configured by default to use an interface, so you must identify one or more interfaces, such as a Local Area Network (LAN) connection, that the protocol can use. Answer A is incorrect because the scenario does not indicate that there is a DHCP server on the network. Answer C is incorrect because the routing tables will be built automatically. Answer D is incorrect because there is no need to remove all static routes from the routing table.

Question 34

Answer C is correct. Before installing any new service packs, it is recommended that you test them first to determine any risks and vulnerabilities that they can introduce. Therefore, answers A, B, and D are incorrect.

Question 35

Answer D is correct. The principle of least privilege is based on the idea that a user should log on with a user account that has minimum privileges. Therefore, Mary should create two accounts: one with restrictive permissions that she can use to perform day-to-day tasks and the other with additional privileges for performing administrative tasks. Answers A, B, and C are incorrect because they go against the principle of least privilege by providing administrative access.

Question 36

Answer B is correct. When you see a red X beside a setting after running the Security Configuration and Analysis utility, the value for that computer setting does not match the value in the template. Therefore, answers A, C, and D are incorrect.

Question 37

Answer C is correct. You should run the Microsoft Security Baseline Analyzer. This tool will identify any misconfigurations with the operating system and identify missing security updates. Answer A is incorrect because HFNetCHK.exe is only used to identify the security patches that need to be installed. Answer B is incorrect because the Security Configuration and Analysis tool is used to analyze security settings and compare them against a template. Answer D is incorrect because the Resultant Set of Policy tool is used to determine the impact of policy settings.

Question 38

Answer D is correct. The security settings on a workstation or server are automatically refreshed every 90 minutes. Answers A, B, and C are incorrect because they do not represent the correct value.

Question 39

Answer C is correct. When auditing is enabled, events are written to the Security log. Answer A is incorrect because events generated by applications are written to the Application log. Answer B is incorrect because there is no Audit log. Answer D is incorrect because the System log contains events generated by Windows components.

Question 40

The minimum hardware requirements to install SUS include the following:

Pentium III 700MHz

512MB of RAM

6GB of storage space.

The remaining answers are incorrect because they do not represent the correct hardware requirements.

Question 41

The IP address lease process occurs in the following order: DHCPDiscover, DHCPOffer, DHCPRequest, and DHCPAck.

Question 42

Answer B is correct. You authorize a DHCP server using the DHCP console by right-clicking the server and choosing the Authorize option. Answers A, C, and D are incorrect because you cannot use these tools to authorize DHCP.

Question 43

For a DHCP server to lease IP addresses to clients, you must perform the following actions:

Install DHCP.

Create a scope.

Activate a scope.

Authorize the server.

The remaining answers are incorrect. Configuring scope options is not required. Active Directory does not need to be installed on the local server and dynamic updates do not need to be enabled for DHCP to function.

Question 44

Answer D is correct. When creating a multicast scope, you can use IP addresses in the range of 224.0.0.1 to 239.255.255.255. Answers A, B, and C are incorrect because they represent incorrect address ranges.

Question 45

Answer C is correct. If clients are not configured with the IP address of the default gateway, they cannot access resources outside of their local subnet. Answer A is incorrect because the clients are already successfully leasing IP addresses from the server. Answer B would solve the problem, but it would not be the easiest solution; therefore, it is also incorrect. Answer D is incorrect because configuring the DNS server option allows clients to resolve hostnames but does not give them access outside of the local subnet.

Question 46

Answer B is correct. The most efficient way to meet the requirements is to configure the Specify Intranet Microsoft Update Service Location option through a GPO. Answer A is incorrect because this would require more administrative effort. Answer C is incorrect because the UseWUServer option is not used to tell the client computer where to obtain updates from. It is used to enable the computer to use SUS. Answer D is incorrect. The Round Robin option in DNS is used to load balance requests across multiple web servers.

Question 47

Answer C is correct. By creating a client reservation for each of the print servers, you ensure that they always lease the same IP address. Answer A is incorrect. You only need to exclude IP addresses that fall within the scope range that are statically assigned to computers. Answers B and D are incorrect. Neither of these options will resolve the problem.

Question 48

Answer B is correct. The first elements in a remote access policy to be evaluated are the conditions. The first policy to match the conditions of the connection attempt is evaluated for permissions. If the permissions of that policy deny the user access, the connection attempt is denied. Therefore, answers A, C, and D are incorrect.

Question 49

Answer C is correct. The refresh interval determines how often the secondary servers poll the primary server for updates to the zone database file. Answer A is incorrect because the retry interval determines how often a secondary server continues to contact the primary server if it does not respond. Answer B is incorrect because the serial number is used to determine when the zone data has been updated. Answer D is incorrect because Time to Live (TTL) specifies how long records from that zone should remain in the cache.

Question 50

Answer C is correct. To eliminate any IP address conflicts, the IP addresses assigned to the print devices should be excluded from the scope. Answer B is incorrect because client reservations are configured for DHCP clients that must lease the same IP address each time. Answer A is incorrect because scopes are not defined for individual IP addresses. Answer D is incorrect because there is no option in DHCP called a client exclusion.

Question 51

Answer B is correct. If you place a caching-only server in each branch office, no additional traffic is generated from zone transfers. Answers A and C are incorrect because each of these solutions results in zone transfer traffic on the WAN link or LAN. Answer D is incorrect because a primary DNS server already exists for the zone.

Question 52

Answer B is correct. The authentication protocol must be enabled through the profile settings for the remote access policy. Therefore, answers A, C, and D are incorrect.

Question 53

Answer D is correct. Because there is an existing 044 WINS/NBNS option configured at the scope level with the old IP address of the WINS server, it is overwriting the new one configured at the server level. DHCP options configured at the scope level override those configured at the server level. Therefore, answers A and B are incorrect. Answer C is incorrect because configuring this option defines how the client resolves NetBIOS names.

Question 54

Answer B is correct. If you assign the Server (Request Security) policy, the server attempts secure communications with clients. If the client is not IPSec-aware, it is still able to authenticate. Answer A is incorrect because the server responds only to client requests for secure communications. Answer C is incorrect because the server requires secure communications and does not allow sessions for non-IPSec-aware clients. Answer D is incorrect because there is no such default policy.

Question 55

Answer B is correct. To use the Windows Groups condition, you must first create the groups within Active Directory Users and Computers. You should create and configure two policies with the appropriate settings. Use the Windows Groups condition to specify the group of users to which the policy should apply. Therefore, answers A, C, and D are incorrect.

Question 56

Answer C is correct. To clear the contents of the client resolver cache, use the ipconfig command with the flushdns parameter. Answers A and D are incorrect because there are no such parameters available with the ipconfig command. Answer B is incorrect because it displays the current TCP/IP parameters configured on the client.

Question 57

Answers B and C are correct. SRV1 should be using the Server (Require Security) policy. This policy ensures that only secure communications are permitted. SRV2 should be using the Client (Respond Only) policy. This policy ensures that the server does not require secure communications but responds to any requests for it. Therefore, answers A, D, E, and F are incorrect.

Question 58

Answer D is correct. RIPv2 is a routing protocol that you can use with nonpersistent connections and that supports password authentication between routers. Answer A is incorrect because implementing static routes means the routing tables must be manually updated. Answer B is incorrect because ICMP is not a routing protocol. Answer C is incorrect because OSPF is not supported by nonpersistent demand-dial connections.

Question 59

Answer A is correct. A host (A) record must exist in the zone file to resolve the name to an IP address. Therefore, you must create a host record for Computer-12. Therefore, answer B is incorrect. Answers C and D are incorrect because PTR records are required to resolve an IP address to a host name.

Question 60

Answer D is correct. You use the /p parameter to add a persistent route to the routing table. The route will not be removed from the routing table when the router is restarted. Therefore, answers A, B, and C are incorrect.



Exam Cram(c) 70-291 Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure
ISBN: 131516345
EAN: N/A
Year: 2006
Pages: 126
