Chapter 6: Planning, Implementing, and Maintaining a Name Resolution Strategy


Planning for Host Name Resolution

1.

You are the administrator of a Windows Server 2003 network. Recently, your company made a sudden and unexpected announcement that it would be merging with another company called Syngress Industries, a large company that has more than 20,000 employees. You learn that, in the short term, communications between the two companies will need to take place over persistent VPNs using each company’s respective connections to the Internet, both of which are operating at about 75 percent capacity. You will need to set up trust relationships between two AD forests. Furthermore, you plan to move significant amounts of data between the two networks. You learn that Syngress Industries uses a child domain of its Internet domain namespace for its AD forest root. The name of the internal domain is ad.syngress.com. You want to ensure that your DNS infrastructure can resolve names for internal hosts of Syngress Industries. You also want to ensure that your solution is the most effective in terms of resource usage. What should you do to enable name resolution for internal hosts of Syngress Industries?

  A. Create a secondary zone for ad.syngress.com on your DNS servers.

  B. Create a stub zone for syngress.com on your DNS servers.

  C. Create an Active Directory-integrated zone for ad.syngress.com.

  D. Create a conditional forwarding configuration on your DNS servers for ad.syngress.com.

2.

You are the administrator of a Windows Server 2003 network. Your boss has just read an article on how DNS servers can be compromised so that they will redirect recursive queries to bogus Web sites that can cause potential harm. Your boss has asked you to ensure that the DNS servers in the DMZ have the highest level of protection possible against this and other types of common attacks on DNS servers. You have two DNS servers. DNS-A is used to resolve name mappings for your public Web and mail server. The other DNS server, DNS-B, is used by the internal proxy server to resolve Web site addresses to IP addresses. What actions should you take to carry out your boss’s order to provide the highest possible security against common multiple DNS attacks? (Select the best answer.)

  A. Enable protection against cache pollution on DNS-B and disable recursion on DNS-A

  B. Enable protection against cache pollution on DNS-A and disable recursion on DNS-B

  C. Disable recursion on DNS-A and configure the firewall to not allow any inbound traffic with destination ports of TCP or UDP port 53 to reach DNS-B

  D. Disable recursion on DNS-B and configure the firewall to not allow any inbound traffic with destination ports of TCP or UDP port 25 to reach DNS-A

3.

You are the administrator of a Windows network that consists of a mixture of Windows NT 4, Windows 2000, and Windows Server 2003 servers, providing a mix of file, print, messaging, and other services critical to your network. You are currently running WINS, DNS, and DHCP services on your network. You have already enabled dynamic DNS on your forward and reverse lookup zones, but you want to ensure that all of your client computers can find the name-to-address mapping of all your servers using DNS. You want to minimize the administrative effort for this project. What action should you take? (Select the best answer.)

  A. Place the DHCP servers in the DnsUpdateProxy group.

  B. Enable DHCP to update forward and reverse lookup zones on behalf of all DHCP clients.

  C. Manually enter the records for servers that have static addresses.

  D. Create a WINS resource record in the forward and reverse lookup zones.

4.

You are using ISA Server 2000 as a firewall and Web proxy server to protect your internal AD network and provide Web proxy and caching services for HTTP requests. You currently are using three DNS servers to support the DNS queries. DNS-A is used for your internal AD root. DNS-B is used to provide name resolution for Internet clients that want to connect to your public Web and mail servers. DNS-C is used to provide Internet name resolution. How should you configure the DNS and ISA Server access rules to provide the maximum security and functionality for your DNS infrastructure?

  A. On DNS-A, remove the root hints file and enable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.

  B. On DNS-A, remove the root hints file and disable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.

  C. On DNS-A, remove the root hints file and enable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 with a source port of ANY.

  D. On DNS-A, remove the root hints file and disable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, update the root hints file and enable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, disable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.

5.

You are the administrator of a Windows Server 2003 network. Your company has recently merged with another company and you have set up trusts between the AD forests and have set up conditional forwarding on your DNS servers to resolve names in the AD forest of the newly merged company. You would like your users to be able to resolve names in the newly merged company with the least possible effort and typing on their part. You would like to implement a solution with the least possible effort on your part. What should you do?

  A. Using ADSI, create an msDS-AllowedDNSSuffixes attribute in the domain object container and include the domain suffix of the newly merged AD forest in the list of allowable suffixes.

  B. Create a group policy that configures the DNS clients with a custom DNS suffix search list.

  C. Configure the DHCP server option 81 to supply the name of the domain suffix of the newly merged AD forest to DHCP clients.

  D. Configure a stub zone for a root domain of the newly merged company on your DNS servers.

6.

You are a DNS administrator of a large, distributed Windows Server 2003 network. The AD domain tree consists of a number of child domains that reflect the geographic locations of the different offices of the company. You are responsible for the DNS root domain of the AD forest and the child domain of the office where you work. All administrative responsibility for the remaining child domains is performed by locally based administrators in their respective offices. The capacity of the WAN links connecting the various offices is showing signs of being insufficient. You want to ensure that DNS resolution for the child domains outside your administrative control will work company-wide in a fault-tolerant manner without adding additional strain to available resources. What should you do? (Select the best answer.)

  A. On the root DNS servers, configure conditional forwarding for the child domains.

  B. On the DNS servers in the child domain under your control, configure secondary zones for the other child domains.

  C. On the root DNS servers, configure stub zones for the child domains.

  D. On the DNS servers in the child domain under your control, configure secondary zones for the other child domains.

7.

You are the enterprise administrator of a Windows network that comprises a number of Windows 2000 and Windows Server 2003 domain controllers. You want to use Active Directory-integrated zones for your zone data to enhance security and optimize replication of zone data. What should you choose as the replication scope? (Select the best answer.)

  A. To all DNS servers in the forest

  B. To all domain controllers in the AD domain

  C. To all DNS servers in the AD domain

  D. To all domain controllers specified in the scope of an application partition

Answers

1.

D. Configuring conditional forwarding is the correct answer because it best satisfies the condition to be the most effective in terms of resource usage, which primarily is bandwidth in this case. After a time, the forwarding servers would acquire a cache of frequently accessed resources in the ad.syngress.com domain.

A, B, C. Answer A is incorrect because creating a secondary zone would enable name resolution, but would cause a significant amount of zone replication traffic over the VPN. Answer B’s solution might work if the syngress.com zone contained NS records to delegate authority to the ad.syngress.com domain. However, this would be a bad security practice, since syngress.com is used for Internet clients to resolve names of the publicly available syngress.com servers. Furthermore, the presence of a firewall between the syngress.com DNS servers and the ad.syngress.com servers would mean that the NS and A glue address records would resolve to external IP addresses of the firewall and not IP addresses on the internal network. Answer C is incorrect because your organizations are in two separate AD forests.

2.

C. The problem your boss is describing is cache pollution. Although you can enable protection against cache pollution to mitigate this risk, you should try to stop the potential risk at the firewall, if possible. By configuring the firewall to not allow any inbound traffic that uses the DNS ports from reaching DNS-B, you are preventing any potentially malicious traffic in the form of bogus DNS queries from reaching DNS-B in the first place. You can’t use the same restriction for DNS-A, because it provides name resolution for Internet hosts that wish to connect to your Web and mail servers. However, if recursion is disabled on DNS-A, it will still answer queries for zones that it is authoritative for, but it will send a negative response to recursive queries. Disabling recursion also has the added benefit of providing a degree of protection against DoS attacks.

A, B, D. Answer A is workable and provides additional security. However, the boss wants the highest level of protection against multiple common attacks on DNS servers, so this choice is not as good as Answer C. Answers B and D are wrong because they compromise the ability of DNS-A to resolve the names of your Web and mail servers.

3.

D. Windows NT 4 operating systems are not able to update static addresses in a dynamic zone. You must either manually enter resource records for these servers or configure the DNS to query the WINS server when it cannot resolve a name mapping. Since the latter involves the least administrative effort, Answer D is the correct choice.

A, B, C. Answer A is incorrect because it will not have an effect on whether resource records for clients are created in the DNS zones. Answer B is incorrect because it is unlikely a server is going to be configured as a DHCP client. Answer C would work, but it involves more administrative effort than the correct response and has a greater risk of introducing error.

4.

A. DNS-A is used for internal DNS resolution. You do not want it to perform recursion to the Internet or be accessible through the firewall. You need to remove the root hints file and prevent ISA Server from forwarding Internet traffic to it. However, it should still be able to perform recursion on your internal network. DNS-B is used to provide authoritative responses to requests from Internet clients who wish to connect to Web and mail servers, but it should not be able to perform recursion. You should disable recursion and remove the root hints file on this server. ISA Server needs to be configured to allow inbound traffic to this server on TCP and UDP port 53 with a source port of ANY. DNS-C is used by ISA Server itself to provide name resolution for Web proxy requests. It needs to be able to perform recursion. ISA Server should be configured to allow it to communicate with external DNS servers using TCP and UDP port 53 with a source port of ANY.

B, C, D. The remaining responses are incorrect because they do not meet the requirements, as explained above.

5.

B. To enable DNS clients to resolve unqualified names (single computer names that require the least typing on the part of the client) in a disjointed namespace, you must create a custom DNS suffix search list. You can manually configure this on the DNS clients. However, Group Policy is the most efficient means of implementing this configuration on the client computers.

A, C, D. Answer A would allow the primary computer name to be different from the AD domain name the computer is a member of and is not a relevant solution. Answer C is incorrect because DHCP option 81 allows you to specify only one domain name, which should be the domain name used for your own AD domain. Answer D is incorrect because a stub zone would only accomplish what your conditional forwarding is already doing.

6.

C. When you configure stub zones on the DNS servers responsible for the root, the SOA, NS, and A records that indicate the authoritative servers for the child domains are automatically updated whenever a local administrator makes changes to these records in the primary zone. The DNS servers for these subdomains are not under your control, so, if you were to configure conditional forwarding on the root DNS servers, the local administrators would need to inform you so that you could manually make the required configuration changes. Stub zones provide the most fault-tolerant solution. Configuring secondary zones on the root DNS servers would also allow fault-tolerant name resolution, but would increase replication traffic across the WAN.

A, B, D. Answers B and D are incorrect because the solution must ensure DNS resolution for the entire company. If you were to implement these solutions in your child domain, the scope of the solution would be limited to your domain and not the other child domains. Of course, you and the other administrators may want to implement such solutions to minimize the amount of DNS referral traffic that would occur if DNS servers had to walk the tree to perform iterative queries in an attempt to resolve names in the various child domains.

7.

B. Because you still have Windows 2000 domain controllers in your environment, your only choice is to store the zone data in the domain partition.

A, C, D. These answers are incorrect because they require the presence of an application directory partition, which is not available on Windows 2000 domain controllers.

Planning for NetBIOS Name Resolution

8.

You are an administrator of a Windows Server 2003 network. You want to automate the backups of the WINS database. You want this backup to occur at least once every 24 hours. What should you do? (Select the best answer.)

  A. Configure the Windows Backup utility to back up the contents of the %systemroot%\System32\Wins folder once every 24 hours.

  B. Using the AT command scheduler, create a batch file that temporarily stops the WINS service, copies the WINS database to another location, and then restarts the service.

  C. Use a third-party backup solution that is capable of backing up open files and configure it to back up the contents of the %systemroot%\System32\Wins folder once every 24 hours.

  D. In the WINS server console, configure a path to store backups of the database and initiate a manual backup.

9.

You are the administrator of a Windows Server 2003 network. You are responsible for a number of WINS servers that are set up as push/pull replication partners to each other. You have a number of static mappings in your WINS database and want to remove one of these mappings from the WINS database. You want to ensure that the record is deleted on all servers with the least administrative effort. How should you delete the WINS static mapping? (Select the best answer.)

  A. On the owner server of the mapping, find the record and perform a simple deletion.

  B. On the owner server of the mapping, find the record and perform a tombstone deletion.

  C. On all of the WINS servers, find the record and perform a simple deletion.

  D. On all of the WINS servers, find the record and perform a tombstone deletion.

10.

You are the administrator of a Windows Server 2003 network. You have five WINS servers and need to reconfigure the replication topology as a result of some recent upgrades to your WAN links. All of your WAN links connecting the head office and your four branch offices now have ample bandwidth to handle additional traffic. You want to ensure the shortest convergence time of replicated records, while at the same time keep the number of replication partnership agreements to an absolute minimum. What replication topology should you choose? (Select the best answer.)

  A. Ring topology

  B. Mesh topology

  C. Hub-and-spoke topology

  D. Hybrid of ring and hub-and-spoke topology

Answers

8.

D. The WINS service includes the ability to back up the WINS database automatically once every 24 hours and on the WINS service shutdown, or to back it up manually. To configure WINS to perform automatic backups of the database, you must specify a path for the backup and perform at least one manual backup of the database. You can subsequently use Windows Backup or a third-party backup solution to back up the contents of the WINS backup folder without needing to be concerned about the consequences of backing up an open file.

A, B, C. The remaining answers are partially viable to varying degrees, but do not represent the best solution.

9.

B. When you perform a tombstone deletion, the record is marked with an attribute that is replicated with the record to other WINS servers. The attribute instructs other WINS servers to remove the record through the scavenging process.

A, C, D. Answer A is incorrect because the record will still remain on the replication partners and will eventually be replicated back to the owner WINS server. Answers C and D are incorrect because they require unnecessary administrative effort to accomplish something that can be performed in one simple operation.

10.

C. A hub-and-spoke topology ensures the shortest convergence time with the fewest replication partnerships to manage. The longest path from one server to any other is two hops. The number of partnership agreements is eight. (You need to define a push/pull partnership agreement on each side of the replication path between the hub server and the spoke servers.)

A, B, D. Answer A is incorrect because it would require 10 push/pull partnership agreements to establish and would result in replication paths that were three hops in distance. Answer B is incorrect because it is an overly complex replication topology and would require 20 replication partnership agreements to manage. Answer D is an overly complex topology for the number of WINS servers and not required by the design.

Troubleshooting Name Resolution Issues

11.

You are an administrator of a Windows Server 2003 network. Your company, Syngress Industries, manages its own DNS for its public Web and mail servers. The primary DNS server for the syngress.com domain is located in a DMZ protected by ISA Server. Your ISP is hosting secondary servers for the syngress.com domain on its BIND 9 servers. While going through your performance logs, you notice a brief but sudden increase in the number of AXFR requests received and AXFR success sent events. Previously, these counters had values of zero in your logs. You suspect your ISP has changed the configuration of its BIND servers, but the ISP denies it and insists that the secondary zones are behaving optimally. You are concerned by these values and decide to investigate the issue and correct it, if necessary. What is the likely cause of the problem and what should you do? (Select the best answer.)

  A. A rogue DNS server is attempting to pollute the cache on your DNS server by sending bogus queries over TCP, rather than UDP. You should turn on debug logging to determine the source IP address and block all traffic from this address on ISA Server. You should also enable protection against cache pollution and inform the ISP.

  B. A malicious user is issuing an nslookup –ls or equivalent command against your DNS server. You should configure the DNS server to allow zone transfers only to the IP addresses of the secondary servers at the ISP. You should also block all external requests destined for the primary DNS server on TCP port 53 with a source port of ANY, except for the external addresses of the secondary servers. You should inform the ISP managers and ask them to confirm an equivalent level of security on their servers.

  C. A malicious user is attempting to launch a DoS attack on your DNS. You should disable recursion on the DNS server. You should also turn on debug logging to determine the source IP address of the attack and block the IP address at ISA Server. You should inform the ISP to be on the lookout for similar attacks against its DNS servers.

  D. A malicious user is issuing an nslookup –ds or equivalent command against your DNS server to get detailed information. You should turn on debug logging to determine the source IP address. Once you determine the IP address, you should block it from all communication with your DNS servers at ISA Server. You should inform the ISP managers and ask them to confirm an equivalent level of security on their servers.

B. AXFR is the DNS protocol used for full zone transfers. Counters in your performance logs indicate that requests to do a full zone transfer have been received by and successfully responded to by your DNS server. That means that someone has issued an nslookup –ls or equivalent command against your DNS server. By default, BIND 9 servers will attempt to use IXFR to perform incremental zone transfers, unless this option is explicitly disabled. Since you experienced only a brief event, it is likely the user got what he or she wanted. You should, however, protect your server against future occurrences of zone transfers to unauthorized IP addresses, which is also known as footprinting or name dumping. TCP port 53 is used for zone transfers, and blocking this port should not affect the DNS server’s ability to respond to name queries, which should be taking place on UDP port 53.

A, C, D. Answer A is incorrect because an attempt to pollute the cache would normally occur as a result of a rogue DNS server replying with information that is superfluous to a query issued against it by the DNS server. Answer C is incorrect because a DoS attack is most effective if it ties up a DNS server with recursive query requests. It is no doubt possible to tie up a DNS server with excessive zone transfer requests, but you would expect this activity to be sustained over a period of time. Answer D is incorrect because the nslookup –ds command requests detailed information on a particular record and is used for debugging. It does not display the contents of the entire zone the way an nslookup –ls command would. (Note that the ls switch is available only in nslookup interactive mode; the nslookup –ds switch is available only in nslookup noninteractive mode.)
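A detection check for the zone-transfer scenario in this question, added here as an example and not taken from the book: it parses TCP-framed DNS queries, reports every AXFR/IXFR request, and compares the requester against the allow-list of secondary-server addresses that the answer recommends configuring. All traffic, addresses and the zone name used below are constructed for the example.

```python
import ipaddress
import struct

QTYPE_A = 1
QTYPE_IXFR = 251
QTYPE_AXFR = 252
TRANSFER_TYPES = {QTYPE_AXFR: "AXFR", QTYPE_IXFR: "IXFR"}


def build_tcp_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query framed for TCP (2-byte length prefix).
    Used here only to construct the sample traffic."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    message = header + labels + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return struct.pack("!H", len(message)) + message


def parse_tcp_query(payload: bytes):
    """Return (qname, qtype) of the first question in a TCP-framed DNS query."""
    if len(payload) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack("!H", payload[:2])
    message = payload[2:2 + length]
    if len(message) != length or length < 12:
        raise ValueError("truncated DNS message")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: message is a response, not a query")
    if qdcount == 0:
        raise ValueError("empty question section")
    pos, labels = 12, []
    while True:
        if pos >= len(message):
            raise ValueError("truncated QNAME")
        ln = message[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            # Compression pointers never appear in a query's own QNAME.
            raise ValueError("compression pointer in QNAME")
        labels.append(message[pos:pos + ln].decode("ascii", errors="replace"))
        pos += ln
    if pos + 4 > len(message):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", message[pos:pos + 4])
    return ".".join(labels).lower(), qtype


def audit_zone_transfers(records, zone: str, allowed_secondaries):
    """records: iterable of (source_ip, tcp_payload). Returns one alert dict per
    transfer request or malformed message; ordinary queries are passed over."""
    allowed = {ipaddress.ip_address(ip) for ip in allowed_secondaries}
    alerts = []
    for source_ip, payload in records:
        try:
            qname, qtype = parse_tcp_query(payload)
        except ValueError as exc:
            alerts.append({"src": source_ip, "qname": None, "op": None,
                           "verdict": f"malformed ({exc})"})
            continue
        if qtype not in TRANSFER_TYPES:
            continue
        if ipaddress.ip_address(source_ip) not in allowed:
            verdict = "unauthorized (source is not an allowed secondary)"
        elif qname != zone.lower():
            verdict = "unauthorized (not a zone this server transfers)"
        else:
            verdict = "authorized"
        alerts.append({"src": source_ip, "qname": qname,
                       "op": TRANSFER_TYPES[qtype], "verdict": verdict})
    return alerts


# Constructed sample: the ISP's secondary (allowed), an unknown host dumping the
# zone, an ordinary A query that must not be reported, and a truncated frame.
# Addresses come from the documentation ranges, not real hosts.
ALLOWED_SECONDARIES = ["203.0.113.10"]
SAMPLE_RECORDS = [
    ("203.0.113.10", build_tcp_query("syngress.com", QTYPE_IXFR)),
    ("198.51.100.77", build_tcp_query("syngress.com", QTYPE_AXFR)),
    ("192.0.2.5", build_tcp_query("www.syngress.com", QTYPE_A)),
    ("198.51.100.77", b"\x00\x05abc"),
]


def run_sample():
    return audit_zone_transfers(SAMPLE_RECORDS, "syngress.com", ALLOWED_SECONDARIES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The same parser can be fed the TCP payloads captured at the firewall in front of the primary server; any alert other than "authorized" is the footprinting attempt the answer describes.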

12.

You are the administrator of a Windows Server 2003 network. Recently, a junior administrator has, on your instructions, rebuilt one of your WINS servers (WINS-A). You don’t have a backup of the WINS database and need to restore the database through reregistrations of WINS clients and replication with another WINS server, WINS-B. Both servers are configured as push/pull replication partners of each other. As soon as WINS-A is brought back online, users configured to use WINS-A as their WINS server immediately start to complain that they can’t access file server shares on this server. By the time you hear about the complaints and try to reproduce the results, you find that the problem has disappeared. However, you take the complaints seriously and investigate further. You examine the WINS database on WINS-B and see some data that strikes you as odd. Based on the data shown in the table here, what problem is indicated? (Select the best answer.)

Record Name   Type                IP Address       Owner            Version
WINS-A        [00h] Workstation   192.168.100.20   192.168.179.5    20D
WINS-A        [20h] File Server   192.168.100.20   192.168.179.5    20C

  1. There is a problem with the order of service registration. The workstation service needs to be registered before the file server service.

  2. There is a problem with WINS replication that has caused the wrong owner to be associated with WINS-A.

  3. The TCP/IP stack on WINS-A is configured with the IP address of WINS-B as its secondary WINS server.

  4. The TCP/IP stack on WINS-B is not configured to register itself with a WINS server.


13.

You are the administrator of a Windows Server 2003 network using DNS and WINS to provide name resolution services. You have two WINS servers that are set up with the default push/pull configurations. Users have been complaining for days about problems connecting to a server called File_Server2. You ping File_Server2 and get a response from the computer. However, when you issue a net view \\File_Server2 command, you get an error message stating that a duplicate name exists on the network. What is the likely cause of the problem? (Select the best answer.)

  1. The underscore character cannot be used in a NetBIOS name. Rename the computer and reboot it.

  2. There is a problem with the replication of the records for File_Server2. Manually initiate replication with the WINS server that is the owner of the record of File_Server2.

  3. The WINS database is corrupt. Manually initiate consistency checking to restore database integrity.

  4. The WINS server contains an incorrect name mapping for File_Server2.


14.

You are the administrator of a WINS server. The WINS server has suffered a hardware failure, and you have subsequently been forced to reinstall Windows Server 2003 and the WINS service. Fortunately, you have a recent backup of the WINS database. You restore the database, but notice that none of the former WINS configuration settings are present. What should you do? (Select the best answer.)

  1. You need to use the %systemroot%\system32\jetpack.exe file to restore the WINS configuration after you restore the database.

  2. You need to restore the original system state from the backup to the Windows Server 2003 server.

  3. You need to invoke database consistency checking on the database.

  4. You need to set up replication with a WINS server that was a replication partner of the former WINS server.


15.

You are the administrator of a Windows Server 2003 network. After restoring the Windows Server 2003 domain controller that you had taken off the network for a few hours for maintenance, your Windows 95 and 98 users have begun complaining that they are unable to access resources on this computer. You remember seeing a message about a duplicate name on the network when you turned on the domain controller, but didn’t think much of it at the time because you had changed the IP address of the domain controller before you took it offline. What action should you take?

  1. Create static mappings in the WINS database for the domain controller and disable the migrate on setting.

  2. Create static mappings in the WINS database for the domain controller and enable the migrate on setting.

  3. Have the users of Windows 95 and 98 computers issue an nbtstat –RR command.

  4. Have the users of the Windows 95 and 98 computers issue an ipconfig /flushdns command.


Answers

11.

B. AXFR is the DNS protocol used for full zone transfers. Counters in your performance logs indicate requests to do a full zone transfer have been received by and successfully responded to by your DNS server. That means that someone has issued an nslookup –ls or equivalent command against your DNS server. By default, BIND 9 servers will attempt to use IXFR to perform incremental zone transfers, unless this option is explicitly disabled. Since you experienced only a brief event, it is likely the user got what he or she wanted. You should, however, protect your server against future occurrences of zone transfers to unauthorized IP addresses, which is also known as footprinting or name dumping. TCP port 53 is used for zone transfers, and blocking this port should not affect the DNS server’s ability to respond to name queries, which should be taking place on UDP port 53.

A, C, D. Answer A is incorrect because an attempt to pollute the cache would normally occur as a result of a rogue DNS server replying with information that is superfluous to a query issued against it by the DNS server. Answer C is incorrect because a DoS attack is most effective if it ties up a DNS server with recursive query requests. It is no doubt possible to tie up a DNS server with excessive zone transfer requests, but you would expect this activity to be sustained over a period of time. Answer D is incorrect because the nslookup –ds command requests detailed information on a particular record and is used for debugging. It does not display the contents of the entire zone the way an nslookup –ls command would. (Note that the –ls switch is available only in NSLookup interactive mode; the nslookup –ds switch is available only in NSLookup noninteractive mode.)
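The reasoning in answer 11 (authorized secondary versus a brief unauthorized AXFR versus a sustained request stream) can be turned into a detection check over transfer requests. This is an added example, not from the study guide; the event tuples are constructed, and the allowed-secondary network and the thresholds are assumptions.

```python
"""Classify zone-transfer activity seen by an authoritative DNS server.

Added example (not from the study guide). Input is a constructed list of
transfer requests (timestamp, source IP, query type) such as a parsed DNS
debug log or packet capture would yield; the allowed-secondary network and
the thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Secondaries that are allowed to pull the zone (assumed for this example).
AUTHORIZED_SECONDARIES = [ip_network("192.168.100.0/24")]


def classify_transfers(events, sustained_after=timedelta(minutes=5), sustained_count=20):
    """Return {src_ip: verdict} for AXFR/IXFR requests grouped by source.

    An authorized secondary is normal replication; a brief unauthorized AXFR
    looks like footprinting (name dumping); a request stream sustained over
    time looks like a DoS attempt rather than a one-off dump.
    """
    by_src = defaultdict(list)
    for ts, src, qtype in events:
        if qtype in ("AXFR", "IXFR"):
            by_src[src].append((ts, qtype))
    verdicts = {}
    for src, reqs in by_src.items():
        addr = ip_address(src)
        if any(addr in net for net in AUTHORIZED_SECONDARIES):
            verdicts[src] = "authorized-secondary"
            continue
        reqs.sort()
        span = reqs[-1][0] - reqs[0][0]
        if len(reqs) >= sustained_count and span >= sustained_after:
            verdicts[src] = "possible-dos"
        elif any(q == "AXFR" for _, q in reqs):
            verdicts[src] = "unauthorized-footprinting"
        else:
            verdicts[src] = "unauthorized-ixfr"
    return verdicts


# Constructed sample: one replication partner, one brief full dump from an
# outside address, and one address hammering the server for twelve minutes.
T0 = datetime(2003, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [(T0, "192.168.100.7", "IXFR")]
    + [(T0 + timedelta(seconds=2), "203.0.113.9", "AXFR")]
    + [(T0 + timedelta(seconds=30 * i), "198.51.100.4", "AXFR") for i in range(25)]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_transfers(SAMPLE_EVENTS).items()):
        print(f"{src:15} {verdict}")
```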

12.

C. WINS-A is registering its NetBIOS names with WINS-B, rather than itself. A comparison of the IP Address and Owner fields shows two different addresses. These should match or problems with name resolution on the network can occur. In the scenario described here, users who pointed to the WINS-B server would have no problem connecting to file server shares on WINS-A because the WINS-B server has a mapping for the file server service on WINS-A. However, users pointing to WINS-A would not be able to resolve this mapping until replication had merged the record from WINS-B, hence the transient nature of the problem. A WINS server should always be configured to register NetBIOS names only with itself.

A, B, D. Answer A is incorrect because the order in which services register has nothing to do with NetBIOS name resolution. There might be problems with replication, but the evidence presented doesn’t point to this, so Answer B is incorrect. While you absolutely should configure a WINS server to register its NetBIOS records with itself, it will eventually do so even if the configuration is left blank (this could take some time), so Answer D is incorrect.

13.

D. You can ping File_Server2, so the issue is related to the NetBIOS name resolution. When you invoke the net view command, you force the use of the NetBIOS interface, which will subsequently enforce the rules for NetBIOS names. Computer names are exclusive and must be unique. Because host name resolution resolves the name to a different IP address than the IP address resolved by the NetBIOS name mapping, you will get a duplicate name error message. We know the IP address returned by the ping is correct and that host name resolution is working for this computer.

A, B, C. Answer A is incorrect because underscores are valid characters for NetBIOS names. Underscores are problematic in some implementations of DNS, but are not a problem for Windows DNS. Answer B is a possibly correct answer because, if the WINS record has not replicated throughout the environment, you might see a similar problem. However, users have been complaining for some time—much longer than the default replication interval. Answer C is incorrect because if there were problems with database consistency, the problems would be more widespread.
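The two WINS symptoms explained in answers 12 and 13 (a WINS server whose records are owned by a peer, and a host whose NetBIOS [20h] mapping disagrees with its DNS A record) can both be caught by a consistency check over exported records. This is an added example, not from the study guide: the WINS-A rows reproduce the question 12 table, while the WINS-B address, the File_Server2 rows and the DNS A record are constructed.

```python
"""Audit WINS records for the failure patterns in questions 12 and 13.

Added example (not from the study guide). The WINS-A rows reproduce the
question 12 table; the WINS-B address, the FILE_SERVER2 row and the DNS A
record are constructed. Real input would be a parsed WINS database export
and the DNS zone, assumed here to already be in these tuples.
"""

# (record name, NetBIOS suffix, IP address, owner WINS server, version)
WINS_RECORDS = [
    ("WINS-A", "00h", "192.168.100.20", "192.168.179.5", "20D"),
    ("WINS-A", "20h", "192.168.100.20", "192.168.179.5", "20C"),
    ("FILE_SERVER2", "20h", "192.168.100.55", "192.168.100.20", "1A0"),  # constructed
]
# WINS-B's address is an assumption (the owner field in the table points at it).
WINS_SERVERS = {"WINS-A": "192.168.100.20", "WINS-B": "192.168.179.5"}
# Host-name resolution view: constructed DNS A record for the same host.
DNS_A_RECORDS = {"file_server2": "192.168.100.56"}


def find_self_registration_problems(records, wins_servers):
    """Question 12: a WINS server's own records must be owned by itself.

    A row whose IP address belongs to a WINS server but whose owner is a
    different server means that server registered with a peer, not itself.
    """
    server_ips = set(wins_servers.values())
    return [
        (name, suffix, ip, owner)
        for name, suffix, ip, owner, _version in records
        if ip in server_ips and owner != ip
    ]


def find_host_netbios_mismatches(records, dns_a):
    """Question 13: a [20h] mapping that differs from the host's DNS A record.

    ping (host-name resolution) succeeds, but net view (NetBIOS) reports a
    duplicate name because the two name systems resolve to different hosts.
    """
    mismatches = []
    for name, suffix, ip, _owner, _version in records:
        dns_ip = dns_a.get(name.lower())
        if suffix == "20h" and dns_ip is not None and dns_ip != ip:
            mismatches.append((name, dns_ip, ip))
    return mismatches


if __name__ == "__main__":
    print("owner mismatches:", find_self_registration_problems(WINS_RECORDS, WINS_SERVERS))
    print("DNS/NetBIOS mismatches:", find_host_netbios_mismatches(WINS_RECORDS, DNS_A_RECORDS))
```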

14.

B. WINS configuration settings are stored in the Registry. The WINS database contains only NetBIOS registration data, not configuration information. You therefore need to restore the Registry in order to restore the WINS configuration settings. You can do this by restoring the system state backup or a backup of the Registry itself.

A, C, D. Answer A is incorrect because the Jetpack utility does not have this functionality. Answers C and D are incorrect because the database does not contain any WINS configuration information.

15.

A. It is likely that someone on your network has configured a computer with the same name as the domain controller and hijacked the NetBIOS registration of the domain controller, resulting in a redirection attack. Windows 95 and 98 clients will use NetBIOS for logon services and to connect to file sharing resources. Given the circumstances, the duplicate name message is clear evidence of this kind of attack. If another computer is registered with the same name and is online, the WINS server will report a duplicate name error message back to the computer that is trying to initialize with the same name. For mission-critical servers, it is a good idea to create static mappings that cannot be overwritten by dynamic registrations. This situation represents one of the few circumstances that can justify the use of static mappings.

B, C, D. Answer B is incorrect because enabling the migrate on setting would allow a dynamic registration to overwrite a static registration. Answers C and D are incorrect because flushing either of the resolver caches on the client would have no effect on the ultimate results of having an incorrect record in the WINS server.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173
