Chapter 2: Planning Server Roles and Server Security


Understanding Server Roles

1.

Your network consists of two machines running Windows Server 2003 Standard Edition, one machine running Windows Server 2003 Datacenter Edition, one machine running Windows Server 2003 Web Edition, and two machines running Windows Server 2003 Enterprise Edition. You want two of these machines to be domain controllers on the network. Which machines will you promote to domain controllers and how will you configure them in this role?

  A. Configure the two machines running Windows Server 2003 Enterprise Edition to be domain controllers using the secedit /configure tool.

  B. Promote the Windows Server 2003 Datacenter Edition and Windows Server 2003 Web Edition using the DCPROMO tool.

  C. Configure a machine running Windows Server 2003 Standard Edition and a machine running Windows Server 2003 Enterprise Edition to be domain controllers using the Configure Your Server Wizard.

  D. Configure machines running Windows Server 2003 Standard Edition and Windows Server 2003 Web Edition using the Manage Your Server tool.


2.

Your network is upgrading from Windows NT 4 to Windows Server 2003 and will consist of two domains in a single forest. One domain is a child of the other domain and dedicated to the Sales departments in the organization. During the upgrade, all workstations will be upgraded to Windows XP and Windows 2000 Professional. When the last BDC is removed from the network, what role will the PDC emulator play on the network?

  A. The PDC emulator will be used to modify object classes and attributes.

  B. The PDC emulator will receive preferred replication of password changes performed by other domain controllers in the domain.

  C. The PDC emulator in the child domain will be used to synchronize the time on all domain controllers in the forest.

  D. The PDC emulator will be used to add new domains and remove unneeded ones from the forest.


3.

The only protocol used by your network is TCP/IP, despite the fact that workstations in the organization do not have access to the Internet. A user has been accessing files on a server on your network and now wants to connect to a Web server that is used as part of the company’s intranet. The user enters the URL of the Web site into Internet Explorer. Which of the following servers will be used to provide the information needed to connect to the Web server?

  A. DHCP server

  B. DNS server

  C. WINS server

  D. File server


4.

You want to set up a discussion group that can be accessed over the corporate intranet, so that users can view and post messages in a forum that can be viewed by other employees. Which of the following services would you use to implement this functionality?

  A. HTTP

  B. FTP

  C. NNTP

  D. SMTP


Answers

1.

C. Configure a machine running Windows Server 2003 Standard Edition and a machine running Windows Server 2003 Enterprise Edition to be domain controllers using the Configure Your Server Wizard. The Configure Your Server Wizard allows you to add and remove roles, including the domain controller role. This tool can be used to make servers into domain controllers, as long as the servers are running the Standard Edition, Enterprise Edition, or Datacenter Edition of Windows Server 2003.

A, B, D. Answer A is incorrect because secedit /configure is a command-line tool that is used to configure the security settings of a computer. It isn’t used to promote member servers to domain controllers. Answer B is incorrect because servers running the Web Edition of Windows Server 2003 cannot be domain controllers. Answer D is incorrect for this same reason. It is also incorrect because the Manage Your Server tool can be used to invoke the Configure Your Server Wizard (which can configure servers to be domain controllers), but doesn’t actually create the domain controller itself.

2.

B. The PDC emulator will receive preferred replication of password changes performed by other domain controllers in the domain. When a password is changed on any domain controller, the change is pushed to the PDC emulator ahead of normal replication. The PDC emulator takes on this role because it can take time to replicate password changes to every domain controller in the domain; if a logon fails at a domain controller that has not yet received the new password, that domain controller retries the authentication against the PDC emulator before rejecting it.

A, C, D. Answer A is incorrect because the schema master is used for making changes to the schema, including modifying classes and their attributes. Answer C is incorrect because, although the PDC emulator synchronizes the time on domain controllers, it only does so within the domain (not the entire forest). The PDC emulator is a domain-wide operations master role and affects only the domain. Answer C is also incorrect because the PDC emulator in a child domain will look to the PDC emulator in the forest root for time synchronization. Answer D is incorrect because the domain naming master is in charge of adding new domains and removing unneeded ones from the forest.

3.

B. DNS servers map fully qualified domain names (like www.syngress.com) to IP addresses. When a user enters a DNS name into a Web browser or other application, it is sent to a DNS server, which looks up the IP address for the requested name. This IP address is sent back to the client, which uses it to locate and communicate with the server.

A, C, D. Answer A is incorrect because DHCP servers are used to issue IP addresses to clients. Because TCP/IP is the only protocol used on the network, and the user already has been accessing resources on a file server, this means that the user already has an IP address. Answer C is incorrect because a URL has been entered and WINS servers are used to resolve NetBIOS names to IP addresses (and vice versa). Answer D is incorrect because servers configured in the role of a file server would not need to provide any information to clients accessing an intranet Web site.

4.

C. NNTP is the Network News Transfer Protocol. The NNTP Service in IIS allows users to distribute news messages, which can be viewed using a newsreader program. Users can browse through messages stored on the server, respond to existing messages, and post new messages.

A, B, D. Answer A is incorrect because HTTP is the Hypertext Transfer Protocol, which is used by the World Wide Web Publishing Service in IIS. It allows users to access Web pages. Answer B is incorrect because FTP is the File Transfer Protocol. It is used for transferring files between clients and servers. Answer D is incorrect because SMTP is the Simple Mail Transfer Protocol, which is used for transferring e-mail.

Planning a Server Security Strategy

5.

You are planning to use a server on your network as a Windows Server 2003 domain controller. The server has 128MB of RAM, 2GB of hard disk space, and four processors. Which of the following editions of Windows Server 2003 can you install on this server? (Select all that apply.)

  A. Windows Server 2003 Standard Edition

  B. Windows Server 2003 Enterprise Edition

  C. Windows Server 2003 Datacenter Edition

  D. Windows Server 2003 Web Edition


6.

You are concerned about insecure methods of authentication being used on a network. You are currently upgrading your network to Windows Server 2003, but some servers are still running Windows NT 4 and Windows 2000 Server. Even after the upgrade, some Windows 2000 Server computers will exist in the domain. You want to implement Kerberos authentication within the domain. Which of the following operating systems will be able to use it? (Select all that apply.)

  A. Windows NT 4

  B. Windows 2000 Server

  C. Windows Server 2003

  D. None of the above


7.

Your network consists of two Windows Server 2003 domain controllers, a Windows 2000 server that is used as a Web server, and a Windows NT 4 server that runs an older version of SQL Server. Your company does not have the budget to immediately replace these servers, but you want to raise the domain functional level of your domain to the highest possible level. What functional level will you raise this domain to?

  A. Windows 2000 mixed

  B. Windows 2000 native

  C. Windows Server 2003 interim

  D. Windows Server 2003


Answers

5.

A, B. Windows Server 2003 Standard Edition and Windows Server 2003 Enterprise Edition both support a computer running a minimum of 128MB of RAM and 1.5GB of hard disk space. The Standard Edition supports up to four processors. The Enterprise Edition supports up to eight processors.

C, D. Answer C is incorrect because the Datacenter Edition of Windows Server 2003 requires a minimum of 512MB of RAM. Answer D is incorrect because the Web Edition of Windows Server 2003 supports a maximum of two processors; it also cannot be promoted to a domain controller, which rules it out for this server’s intended role regardless of the hardware.

6.

B, C. Windows 2000 Server and Windows Server 2003 both support Kerberos authentication. Kerberos was first implemented in Windows 2000 and continues to be used in Windows Server 2003 as the default authentication service.

A, D. Answer A is incorrect because Kerberos was never supported in Windows NT 4, which authenticates only with the LAN Manager and NTLM protocols. Answer D is incorrect because Windows 2000 and Windows Server 2003 both support Kerberos authentication.

7.

D. Because the only servers being used as domain controllers are running Windows Server 2003, the domain can be raised to the Windows Server 2003 domain functional level. The Windows Server 2003 level is used when there are only Windows Server 2003 domain controllers in the domain.

A, B, C. Answer A is incorrect because the Windows 2000 mixed level is used when there are Windows NT, Windows 2000, and Windows Server 2003 domain controllers. Because there are no Windows NT BDCs or Windows 2000 domain controllers, this isn’t the highest level that can be used. Answer B is incorrect because this level is used when there are only Windows 2000 and Windows Server 2003 domain controllers. Because there are not any Windows 2000 domain controllers, a higher level can be used. Answer C is incorrect because Windows Server 2003 interim is used when your domain consists of Windows NT and Windows Server 2003 domain controllers, and you are upgrading Windows NT domains directly to Windows Server 2003. Because there are not any Windows NT BDCs, this isn’t the highest level that can be used.

Planning Baseline Security

8.

You have just promoted a Windows Server 2003 computer to be a domain controller. After the promotion, you accidentally apply the wrong security template to it, and it now has security settings that are too restrictive. You can automatically change the security settings back to their previous configuration using which of the following security templates?

  A. Setup security

  B. Rootsec

  C. Iesacls

  D. DC security


9.

You want to apply an existing security template to the local computer policy of a Windows Server 2003 computer. Which of the following tools would allow you to do this from the command line?

  A. Security Configuration and Analysis

  B. secedit /configure

  C. secedit /import

  D. gpupdate


10.

You have performed an analysis of a Windows Server 2003 domain controller using Security Configuration and Analysis. Once the analysis is complete, a red X appears beside the Enforce Password History policy. What does this mean?

  A. The policy does not match a corresponding setting for the associated entry in the database.

  B. The entry in the database and the policy’s setting match.

  C. An entry exists in the database that does not correspond to any setting on the computer.

  D. A setting exists on the computer that does not correspond to any entry in the database.


11.

You have created a security template and now want to apply its settings to a GPO that can be linked to containers in Active Directory. Which containers can you link a GPO to in Active Directory? (Select all that apply.)

  A. Domains

  B. Trusts

  C. Sites

  D. Local computer policy


Answers

8.

D. The DC security template is created when a server is first promoted to a domain controller, and it contains default settings for the file system, Registry, and system services. Applying this template will restore the settings to the state they were in after the server was first promoted.

A, B, C. Answer A is incorrect because the setup security template allows you to reapply default security settings on either clients or servers, but should not be used on servers that have been configured as domain controllers. Answer B is incorrect because rootsec is a template that is used to define settings for root of the system volume. Answer C is incorrect because iesacls is a template that is used to define settings to lock down Internet Explorer.

9.

B. The Secedit tool is a command-line utility that can be used to apply configuration settings stored in a security template to a local computer policy. To apply a policy, use the secedit command with the /configure switch.

A, C, D. Answer A is incorrect because the Security Configuration and Analysis tool is a graphical utility. Although it can be used to apply security templates to local computer policy, the question states that a command-line tool is required. Answer C is incorrect because secedit /import is used to import a template into the database so that it can be used to either analyze security on the machine or configure its security settings. Answer D is incorrect because gpupdate is a command that is used to trigger an update of GPO settings.

10.

A. The policy does not match a corresponding setting for the associated entry in the database. Although the Enforce Password History entry exists in the database, the value of the entry is different from what is currently configured in the policy.

B, C, D. Answer B is incorrect because a green check mark indicates that the entry in the database and the computer’s setting match. Answer C is incorrect because an exclamation mark indicates that an entry in the database does not correspond to any setting on the computer. Answer D is incorrect because a question mark indicates that the setting is on the computer, but there is no corresponding entry in the database.
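The four result states in this answer are what you get by comparing the analysis database (built from a template with secedit /import) against the live system. The following Python script is an added example, not code from the book, that reproduces that comparison on a constructed [System Access] template fragment and a constructed snapshot of current settings, and then derives what secedit /configure would change. The template text, the snapshot values and the function names are assumptions; on a real server the comparison is performed by Security Configuration and Analysis or secedit /analyze, not by this script.

```python
"""Reproduce the database-versus-system comparison behind the
Security Configuration and Analysis result icons.

Added example with constructed inputs; it does not read a real
security database or a live system.
"""
from configparser import ConfigParser

# Constructed fragment in the security-template (.inf) format.
# Only the [System Access] section is modelled here (assumption).
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot of what the server currently enforces.
# LockoutBadCount is missing on the system; ClearTextPassword is set on
# the system but is not defined in the baseline.
CURRENT_SYSTEM = {
    "MinimumPasswordAge": "1",
    "MaximumPasswordAge": "42",
    "MinimumPasswordLength": "7",
    "PasswordComplexity": "1",
    "PasswordHistorySize": "0",
    "ClearTextPassword": "0",
}

# The four states the console reports, named by the icon it shows.
MATCH = "green check"       # database and system agree
MISMATCH = "red X"          # both define the setting, values differ
DB_ONLY = "exclamation"     # in the database, not present on the system
SYSTEM_ONLY = "question"    # on the system, not defined in the database


def parse_template(inf_text):
    """Return the [System Access] settings of a template as a dict."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str          # keep the template's key names as written
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    return {key: value.strip() for key, value in cp["System Access"].items()}


def analyze(database, system):
    """Compare every setting known to either side; mirrors secedit /analyze."""
    report = {}
    for name in sorted(set(database) | set(system)):
        if name in database and name in system:
            report[name] = MATCH if database[name] == system[name] else MISMATCH
        elif name in database:
            report[name] = DB_ONLY
        else:
            report[name] = SYSTEM_ONLY
    return report


def remediation_plan(database, system):
    """Settings secedit /configure would change: the template value for every
    entry that mismatches or is absent. System-only entries are left alone."""
    report = analyze(database, system)
    return {name: database[name] for name, state in report.items()
            if state in (MISMATCH, DB_ONLY)}


if __name__ == "__main__":
    baseline = parse_template(BASELINE_INF)
    for name, state in analyze(baseline, CURRENT_SYSTEM).items():
        print(f"{name:24} {state}")
    print("to configure:", remediation_plan(baseline, CURRENT_SYSTEM))
```

The script deliberately separates analysis from configuration: the red X and exclamation entries are the only ones a configure pass touches, and a question-mark entry (set on the system, absent from the template) survives untouched, which is why applying a narrow template never "cleans up" settings it does not mention.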

11.

A, C. Security templates can be imported into GPOs in Active Directory. These GPOs can be linked to domains, sites, or OUs in the Active Directory structure.

B, D. Answer B is incorrect because trusts cannot have group policies applied to them. Answer D is incorrect because the local computer policy is stored on the machine and cannot have a GPO linked to it.

Customizing Server Security

12.

You have installed a new file server on the network and formatted it to use NTFS. After formatting is complete, you use EFS to encrypt a folder containing files belonging to users. If a user accesses a file belonging to him in this folder, and then copies it across the network for another user to access, which of the following will occur?

  A. The file on the hard disk and the data sent over the network will remain encrypted.

  B. The file on the hard disk and the data sent over the network will be decrypted and remain that way.

  C. The file on the hard disk will be decrypted, so EFS can send it encrypted over the network.

  D. The file on the hard disk will remain encrypted, but data sent over the network will be unencrypted.


13.

You have created a custom security template that you now want to import into a GPO that is linked to the domain level. Which of the following tools will you use to invoke the Group Policy Object Editor to view and modify the GPO at this level?

  A. Active Directory Users and Computers

  B. Active Directory Sites and Services

  C. gpupdate

  D. Securedc


14.

Your network consists of servers running Windows Server 2003 and workstations running Windows 2000 Professional. You have applied several custom security templates to GPOs linked to the OU, domain, and site levels in Active Directory. In addition to this, there are security settings that have also been applied at the local computer level of all machines that are on the network. Because several policies now affect the computer accounts within the domain, site, and OU, which of the following will occur when a user logs on to the domain?

  A. The policy setting at the local computer level will be overwritten by the OU-level GPO, which will be overwritten by the domain-level GPO, which will finally be overwritten by the site-level GPO. For this reason, major security settings must be made at the site-level GPO; all others will be overwritten.

  B. Security settings in the GPOs will not be applied to machines running Windows 2000 that have joined the domain.

  C. The security settings at the local computer level will override those of the GPOs.

  D. The policy settings will be cumulative and applied in the order of policies at the site level, domain level, and finally OU level.


15.

You apply custom security templates to the local computer policy on a member server and to a GPO linked to an OU in Active Directory. All servers on the network are running Windows Server 2003. After performing these actions, you find that the local computer policy has taken effect, but the group policy has not taken effect on member servers within the domain. Which of the following is the reason for this, and how can you fix it?

  A. Group policy settings take effect immediately. The problem must be that the security policy was not applied properly.

  B. Group policy settings are refreshed on member servers every 90 minutes. To force the server to refresh the group policy, use the secedit /refresh command.

  C. Group policy settings are refreshed on servers every 5 minutes. To force the server to refresh the group policy, use the gpupdate command.

  D. Group policy settings are refreshed on servers every 90 minutes. To force the server to refresh the group policy, use the gpupdate command.


Answers

12.

D. The file on the hard disk will remain encrypted, but data sent over the network will be unencrypted. EFS only encrypts data at rest on NTFS volumes. When a user opens an EFS-encrypted file through a network share, the file server decrypts it before sending it over SMB, so the data crosses the wire in the clear. For data to be encrypted during transmission, other methods such as IPSec are needed.

A, B, C. Answer A is incorrect because EFS only encrypts data on hard disks. It does not encrypt data transmitted over the network. Answer B is incorrect because when a file is transmitted over the network, the original file on the hard disk isn’t decrypted and left that way. EFS will keep the file on the hard disk encrypted, so others cannot access it. Answer C is incorrect, because EFS isn’t used for transmitting encrypted data over the network.

13.

A. Active Directory Users and Computers is used to view GPOs linked at this level. Active Directory Users and Computers can then be used to invoke the Group Policy Object Editor, where you can import security templates into group policies at the domain and OU levels.

B, C, D. Answer B is incorrect because Active Directory Sites and Services is used to access GPOs at the site level and can be used to invoke the Group Policy Object Editor to edit these objects. Answer C is incorrect because gpupdate is used to refresh group policies on Windows Server 2003. Answer D is incorrect because securedc is a security template that can be applied to domain controllers.

14.

D. The policy settings will be cumulative and applied in the order of policies at the site level, domain level, and finally OU level.

A, B, C. Answer A is incorrect because policy settings are cumulative and applied to computer accounts in the order local policy, site-level GPOs, domain-level GPOs, then OU- and sub-OU-level GPOs; a setting defined at a later level overrides the same setting from an earlier one, so there is no need to make every important setting at the site level. Answer B is incorrect because GPOs can be applied to any Windows 2000 or later computer that has joined a domain. Answer C is incorrect because security settings configured in GPOs override those made at the local computer level.
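As an added illustration of that processing order (not code from the book), the following Python script applies a local policy and constructed site, domain and OU GPOs in local, site, domain, OU sequence and reports which level ended up supplying each setting, including the case where a later GPO leaves a setting Not Defined and therefore does not override it. The GPO names and setting names are assumptions, and Block Inheritance and Enforced are deliberately left out because the question does not involve them.

```python
"""Simulate Group Policy processing order for a computer account.

Added example with constructed GPO data; the GPO names and settings
are assumptions and not from the book.
"""
NOT_CONFIGURED = None   # a setting the GPO leaves "Not Defined"


def resultant_policy(local_policy, site_gpos, domain_gpos, ou_gpos):
    """Apply policy in local, site, domain, OU order; return (effective, winner).

    Each GPO is a (name, {setting: value}) pair. OU GPOs are listed from
    the top-level OU down to the computer's own OU, so a child OU's GPO is
    applied last and wins. Assumption: Block Inheritance and Enforced are
    not modelled.
    """
    ordered = [("Local Computer Policy", local_policy)]
    ordered += list(site_gpos) + list(domain_gpos) + list(ou_gpos)
    effective, winner = {}, {}
    for gpo_name, settings in ordered:
        for setting, value in settings.items():
            if value is NOT_CONFIGURED:
                continue                   # Not Defined never overrides an earlier value
            effective[setting] = value     # a later level overrides an earlier one
            winner[setting] = gpo_name
    return effective, winner


# Constructed policies for a member server sitting in the Web-Servers OU,
# which is a child of the Servers OU.
LOCAL = {"LmCompatibilityLevel": "1",
         "AuditLogonEvents": "No auditing",
         "RestrictAnonymous": "0"}
SITE = [("Site-Baseline", {"AuditLogonEvents": "Success, Failure"})]
DOMAIN = [("Domain-Security", {"LmCompatibilityLevel": "3",
                               "RestrictAnonymous": "1",
                               "AuditLogonEvents": NOT_CONFIGURED})]
OUS = [("Servers-Hardening", {"LmCompatibilityLevel": "5"}),
       ("Web-Servers", {"EnableICMPRedirect": "0"})]


def web_server_policy():
    """Resultant policy for the constructed member server."""
    return resultant_policy(LOCAL, SITE, DOMAIN, OUS)


if __name__ == "__main__":
    effective, winner = web_server_policy()
    for setting in sorted(effective):
        print(f"{setting:22} = {effective[setting]:18} (from {winner[setting]})")
```

Running it shows every local value being displaced by some GPO, the site-level audit setting surviving because the domain GPO left it Not Defined, and the OU GPO winning LmCompatibilityLevel over the domain GPO, which is the behaviour the correct answer describes.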

15.

D. Group policy settings are refreshed on servers every 90 minutes. To force the server to refresh the group policy, use the gpupdate command. Local computer policies are stored on the computer, and they take effect immediately. Group policy settings are stored in Active Directory and need to be downloaded to the machine. Because of this, the group policy settings are refreshed at regular intervals. To force a refresh, the gpupdate command can be used (gpupdate /force reapplies all settings, not only those that have changed since the last refresh).

A, B, C. Answer A is incorrect because group policy settings do not take effect immediately. The group policy settings are refreshed on computers at regular intervals. Workstations and member servers have group policy settings refreshed every 90 minutes, with a random offset of up to 30 minutes so that all machines do not contact the domain controllers at once; domain controllers are refreshed every 5 minutes. Answer B is incorrect because the secedit /refresh command isn’t used in Windows Server 2003 (Windows 2000 used secedit /refreshpolicy). It has been replaced by the gpupdate command. Answer C is incorrect because member servers are refreshed every 90 minutes. Domain controllers are refreshed every 5 minutes.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173