1. You are the administrator of a Windows Server 2003 network. Recently, your company made a sudden and unexpected announcement that it would be merging with another company called Syngress Industries, a large company that has more than 20,000 employees. You learn that, in the short term, communications between the two companies will need to take place over persistent VPNs using each company's respective connections to the Internet, both of which are operating at about 75 percent capacity. You will need to set up trust relationships between two AD forests. Furthermore, you plan to move significant amounts of data between the two networks. You learn that Syngress Industries uses a child domain of its Internet domain namespace for its AD forest root. The name of the internal domain is ad.syngress.com. You want to ensure that your DNS infrastructure can resolve names for internal hosts of Syngress Industries. You also want to ensure that your solution is the most effective in terms of resource usage. What should you do to enable name resolution for internal hosts of Syngress Industries?

2. You are the administrator of a Windows Server 2003 network. Your boss has just read an article on how DNS servers can be compromised so that they will redirect recursive queries to bogus Web sites that can cause potential harm. Your boss has asked you to ensure that the DNS servers in the DMZ have the highest level of protection possible against this and other types of common attacks on DNS servers. You have two DNS servers. DNS-A is used to resolve name mappings for your public Web and mail server. The other DNS server, DNS-B, is used by the internal proxy server to resolve Web site addresses to IP addresses. What actions should you take to carry out your boss's order to provide the highest possible security against multiple common DNS attacks? (Select the best answer.)

3. You are the administrator of a Windows network that consists of a mixture of Windows NT 4, Windows 2000, and Windows Server 2003 servers, providing a mix of file, print, messaging, and other services critical to your network. You are currently running WINS, DNS, and DHCP services on your network. You have already enabled dynamic DNS on your forward and reverse lookup zones, but you want to ensure that all of your client computers can find the name-to-address mapping of all your servers using DNS. You want to minimize the administrative effort for this project. What action should you take? (Select the best answer.)

4. You are using ISA Server 2000 as a firewall and Web proxy server to protect your internal AD network and provide Web proxy and caching services for HTTP requests. You currently are using three DNS servers to support the DNS queries. DNS-A is used for your internal AD root. DNS-B is used to provide name resolution for Internet clients that want to connect to your public Web and mail servers. DNS-C is used to provide Internet name resolution. How should you configure the DNS and ISA Server access rules to provide the maximum security and functionality for your DNS infrastructure?

5. You are the administrator of a Windows Server 2003 network. Your company has recently merged with another company and you have set up trusts between the AD forests and have set up conditional forwarding on your DNS servers to resolve names in the AD forest of the newly merged company. You would like your users to be able to resolve names in the newly merged company with the least possible effort and typing on their part. You would like to implement a solution with the least possible effort on your part. What should you do?

6. You are a DNS administrator of a large, distributed Windows Server 2003 network. The AD domain tree consists of a number of child domains that reflect the geographic locations of the different offices of the company. You are responsible for the DNS root domain of the AD forest and the child domain of the office where you work. All administrative responsibility for the remaining child domains is performed by locally based administrators in their respective offices. The capacity of the WAN links connecting the various offices is showing signs of being insufficient. You want to ensure that DNS resolution for the child domains outside your administrative control will work company-wide in a fault-tolerant manner without adding additional strain to available resources. What should you do? (Select the best answer.)

7. You are the enterprise administrator of a Windows network that comprises a number of Windows 2000 and Windows Server 2003 domain controllers. You want to use Active Directory-integrated zones for your zone data to enhance security and optimize replication of zone data. What should you choose as the replication scope? (Select the best answer.)

Answers
1. D. Configuring conditional forwarding is the correct answer because it best satisfies the condition to be the most effective in terms of resource usage, which primarily is bandwidth in this case. After a time, the forwarding servers would acquire a cache of frequently accessed resources in the ad.syngress.com domain. A, B, C. Answer A is incorrect because creating a secondary zone would enable name resolution, but would cause a significant amount of zone replication traffic over the VPN. Answer B's solution might work if the syngress.com zone contained NS records to delegate authority to the ad.syngress.com domain. However, this would be a bad security practice, since syngress.com is used for Internet clients to resolve names of the publicly available syngress.com servers. Furthermore, the presence of a firewall between the syngress.com DNS servers and the ad.syngress.com servers would mean that the NS and A glue address records would resolve to external IP addresses of the firewall and not IP addresses on the internal network. Answer C is incorrect because your organizations are in two separate AD forests.
2. C. The problem your boss is describing is cache pollution. Although you can enable protection against cache pollution to mitigate this risk, you should try to stop the potential risk at the firewall, if possible. By configuring the firewall to not allow any inbound traffic that uses the DNS ports from reaching DNS-B, you are preventing any potentially malicious traffic in the form of bogus DNS queries from reaching DNS-B in the first place. You can't use the same restriction for DNS-A, because it provides name resolution for Internet hosts that wish to connect to your Web and mail servers. However, if recursion is disabled on DNS-A, it will still answer queries for zones that it is authoritative for, but it will send a negative response to recursive queries. Disabling recursion also has the added benefit of providing a degree of protection against DoS attacks. A, B, D. Answer A is workable and provides additional security. However, the boss wants the highest level of protection against multiple common attacks on DNS servers, so this choice is not as good as Answer C. Answers B and D are wrong because they compromise the ability of DNS-A to resolve the names of your Web and mail servers.
3. D. Windows NT 4 operating systems are not able to update static addresses in a dynamic zone. You must either manually enter resource records for these servers or configure the DNS to query the WINS server when it cannot resolve a name mapping. Since the latter involves the least administrative effort, Answer D is the correct choice. A, B, C. Answer A is incorrect because it will not have an effect on whether resource records for clients are created in the DNS zones. Answer B is incorrect because it is unlikely a server is going to be configured as a DHCP client. Answer C would work, but it involves more administrative effort than the correct response and has a greater risk of introducing error.
4. A. DNS-A is used for internal DNS resolution. You do not want it to perform recursion to the Internet or be accessible through the firewall. You need to remove the root hints file and prevent ISA Server from forwarding Internet traffic to it. However, it should still be able to perform recursion on your internal network. DNS-B is used to provide authoritative responses to requests from Internet clients who wish to connect to Web and mail servers, but it should not be able to perform recursion. You should disable recursion and remove the root hints file on this server. ISA Server needs to be configured to allow inbound traffic to this server on TCP and UDP port 53 with a source port of ANY. DNS-C is used by ISA Server itself to provide name resolution for Web proxy requests. It needs to be able to perform recursion. ISA Server should be configured to allow it to communicate with external DNS servers using TCP and UDP port 53 with a source port of ANY. B, C, D. The remaining responses are incorrect because they do not meet the requirements, as explained above.
5. B. To enable DNS clients to resolve unqualified names (single computer names that require the least typing on the part of the client) in a disjointed namespace, you must create a custom DNS suffix search list. You can manually configure this on the DNS clients. However, Group Policy is the most efficient means of implementing this configuration on the client computers. A, C, D. Answer A would allow the primary computer name to be different from the AD domain name the computer is a member of and is not a relevant solution. Answer C is incorrect because DHCP option 81 allows you to specify only one domain name, which should be the domain name used for your own AD domain. Answer D is incorrect because a stub zone would only accomplish what your conditional forwarding is already doing.
6. C. When you configure stub zones on the DNS servers responsible for the root, the SOA, NS, and A records that indicate the authoritative servers for the child domains are automatically updated whenever a local administrator makes changes to these records in the primary zone. The DNS servers for these subdomains are not under your control, so, if you were to configure conditional forwarding on the root DNS servers, the local administrators would need to inform you so that you could manually make the required configuration changes. Stub zones provide the most fault-tolerant solution. Configuring secondary zones on the root DNS servers would also allow fault-tolerant name resolution, but would increase replication traffic across the WAN. A, B, D. Answers B and D are incorrect because the solution must ensure DNS resolution for the entire company. If you were to implement these solutions in your child domain, the scope of the solution would be limited to your domain and not the other child domains. Of course, you and the other administrators may want to implement such solutions to minimize the amount of DNS referral traffic that would occur if DNS servers had to walk the tree to perform iterative queries in an attempt to resolve names in the various child domains.
7. B. Because you still have Windows 2000 domain controllers in your environment, your only choice is to store the zone data in the domain partition. A, C, D. These answers are incorrect because they require the presence of an application directory partition, which is not available on Windows 2000 domain controllers.
8. You are an administrator of a Windows Server 2003 network. You want to automate the backups of the WINS database. You want this backup to occur at least once every 24 hours. What should you do? (Select the best answer.)

9. You are the administrator of a Windows Server 2003 network. You are responsible for a number of WINS servers that are set up as push/pull replication partners to each other. You have a number of static mappings in your WINS database and want to remove one of these mappings from the WINS database. You want to ensure that the record is deleted on all servers with the least administrative effort. How should you delete the WINS static mapping? (Select the best answer.)

10. You are the administrator of a Windows Server 2003 network. You have five WINS servers and need to reconfigure the replication topology as a result of some recent upgrades to your WAN links. All of your WAN links connecting the head office and your four branch offices now have ample bandwidth to handle additional traffic. You want to ensure the shortest convergence time of replicated records, while at the same time keeping the number of replication partnership agreements to an absolute minimum. What replication topology should you choose? (Select the best answer.)

Answers
8. D. The WINS service includes the ability to back up the WINS database automatically once every 24 hours and on WINS service shutdown, or to back it up manually. To configure WINS to perform automatic backups of the database, you must specify a path for the backup and perform at least one manual backup of the database. You can subsequently use Windows Backup or a third-party backup solution to back up the contents of the WINS backup folder without needing to be concerned about the consequences of backing up an open file. A, B, C. The remaining answers are partially viable to varying degrees, but do not represent the best solution.
9. B. When you perform a tombstone deletion, the record is marked with an attribute that is replicated with the record to the other WINS servers. The attribute instructs other WINS servers to remove the record through the scavenging process. A, C, D. Answer A is incorrect because the record will still remain on the replication partners and will eventually be replicated back to the owner WINS server. Answers C and D are incorrect because they require unnecessary administrative effort to accomplish something that can be performed in one simple operation.
10. C. A hub-and-spoke topology ensures the shortest convergence time with the fewest replication partnerships to manage. The longest path from one server to any other is two hops. The number of partnership agreements is eight. (You need to define a push/pull partnership agreement on each side of the replication path between the hub server and the spoke servers.) A, B, D. Answer A is incorrect because it would require 10 push/pull partnership agreements to establish and would result in replication paths that were three hops in distance. Answer B is incorrect because it is an overly complex replication topology and would require 20 replication partnership agreements to manage. Answer D is an overly complex topology for the number of WINS servers and not required by the design.
11. You are an administrator of a Windows Server 2003 network. Your company, Syngress Industries, manages its own DNS for its public Web and mail servers. The primary DNS server for the syngress.com domain is located in a DMZ protected by ISA Server. Your ISP is hosting secondary servers for the syngress.com domain on its BIND 9 servers. While going through your performance logs, you notice a brief but sudden increase in the number of AXFR requests received and AXFR success sent events. Previously, these counters had values of zero in your logs. You suspect your ISP has changed the configuration of its BIND servers, but the ISP denies it and insists that the secondary zones are behaving optimally. You are concerned by these values and decide to investigate the issue and correct it, if necessary. What is the likely cause of the problem and what should you do? (Select the best answer.)

12. You are the administrator of a Windows Server 2003 network. Recently, a junior administrator has, on your instructions, rebuilt one of your WINS servers (WINS-A). You don't have a backup of the WINS database and need to restore the database through reregistrations of WINS clients and replication with another WINS server, WINS-B. Both servers are configured as push/pull replication partners of each other. As soon as WINS-A is brought back online, users configured to use WINS-A as their WINS server immediately start to complain that they can't access file server shares on this server. By the time you hear about the complaints and try to reproduce the results, you find that the problem has disappeared. However, you take the complaints seriously and investigate further. You examine the WINS database on WINS-B and see some data that strikes you as odd. Based on the data shown in the table here, what problem is indicated? (Select the best answer.)

13. You are the administrator of a Windows Server 2003 network using DNS and WINS to provide name resolution services. You have two WINS servers that are set up with the default push/pull configurations. Users have been complaining for days about problems connecting to a server called File_Server2. You ping File_Server2 and get a response from the computer. However, when you issue a net view \\File_Server2 command, you get an error message stating that a duplicate name exists on the network. What is the likely cause of the problem? (Select the best answer.)

14. You are the administrator of a WINS server. The WINS server has suffered a hardware failure, and you have subsequently been forced to reinstall Windows Server 2003 and the WINS service. Fortunately, you have a recent backup of the WINS database. You restore the database, but notice that none of the former WINS configuration settings are present. What should you do? (Select the best answer.)

15. You are the administrator of a Windows Server 2003 network. After restoring the Windows Server 2003 domain controller that you had taken off the network for a few hours for maintenance, your Windows 95 and 98 users have begun complaining that they are unable to access resources on this computer. You remember seeing a message about a duplicate name on the network when you turned on the domain controller, but didn't think much of it at the time because you had changed the IP address of the domain controller before you took it offline. What action should you take?

Answers
11. B. AXFR is the DNS protocol used for full zone transfers. Counters in your performance logs indicate that requests to do a full zone transfer have been received by and successfully responded to by your DNS server. That means that someone has issued an nslookup -ls or equivalent command against your DNS server. By default, BIND 9 servers will attempt to use IXFR to perform incremental zone transfers, unless this option is explicitly disabled. Since you experienced only a brief event, it is likely the user got what he or she wanted. You should, however, protect your server against future occurrences of zone transfers to unauthorized IP addresses, which is also known as footprinting or name dumping. TCP port 53 is used for zone transfers, and blocking this port should not affect the DNS server's ability to respond to name queries, which should be taking place on UDP port 53. A, C, D. Answer A is incorrect because an attempt to pollute the cache would normally occur as a result of a rogue DNS server replying with information that is superfluous to a query issued against it by the DNS server. Answer C is incorrect because a DoS attack is most effective if it ties up a DNS server with recursive query requests. It is no doubt possible to tie up a DNS server with excessive zone transfer requests, but you would expect this activity to be sustained over a period of time. Answer D is incorrect because the nslookup -ds command requests detailed information on a particular record and is used for debugging. It does not display the contents of the entire zone the way an nslookup -ls command would. (Note that the -ls switch is available only in NSLookup interactive mode; the nslookup -ds switch is available only in NSLookup noninteractive mode.)
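The hardening that answers 2, 4 and 11 describe for a public authoritative DNS server (recursion disabled, cache-pollution protection on, zone transfers limited to the ISP's listed secondaries, and the AXFR counters watched afterwards) expressed as dnscmd commands run from PowerShell. This is an added example, not code from the book; the server name, zone name and secondary addresses are placeholders, and it assumes dnscmd from the Windows Server 2003 Support Tools is on the path.

```powershell
# Added example (not from the book): harden the DMZ authoritative DNS server
# from answers 2, 4 and 11 using dnscmd (Windows Server 2003 Support Tools).
# All three values below are placeholders, not values from the questions.
$Server      = 'DNS-A'                        # DMZ server authoritative for the public zone
$Zone        = 'syngress.com'                 # public zone (name taken from the question text)
$Secondaries = @('192.0.2.10', '192.0.2.11')  # ISP secondaries, constructed documentation-range IPs

# 1. Answers 2 and 4: refuse recursive queries. The server still answers for the
#    zones it is authoritative for but returns a negative response to recursion
#    requests, which also removes the open-resolver DoS surface.
dnscmd $Server /Config /NoRecursion 1

# 2. Answer 2: "secure cache against pollution", so records that fall outside
#    the tree of the name that was queried are not accepted into the cache.
dnscmd $Server /Config /SecureResponses 1

# 3. Answer 11: allow zone transfers (AXFR/IXFR) only to the listed secondaries,
#    so a whole-zone dump requested from any other address is refused. Passing
#    the array expands each address as a separate argument to dnscmd.
dnscmd $Server /ZoneResetSecondaries $Zone /SecureList $Secondaries

# 4. Read the settings back so the change can be verified rather than assumed.
dnscmd $Server /Info /NoRecursion
dnscmd $Server /Info /SecureResponses
dnscmd $Server /ZoneInfo $Zone /SecureSecondaries

# 5. Answer 11: sample the two counters the question refers to once; any non-zero
#    reading outside a scheduled transfer from $Secondaries is worth investigating.
typeperf "\DNS\AXFR Request Received" "\DNS\AXFR Success Sent" -sc 1
```

Blocking inbound TCP 53 at ISA Server, as answer 11 recommends, is a separate firewall rule and remains the outer layer; the dnscmd settings above are the defence on the server itself.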
12. C. WINS-A is registering its NetBIOS names with WINS-B, rather than itself. A comparison of the IP Address and Owner fields shows two different addresses. These should match or problems with name resolution on the network can occur. In the scenario described here, users who pointed to the WINS-B server would have no problem connecting to file server shares on WINS-A because the WINS-B server has a mapping for the file server service on WINS-A. However, users pointing to WINS-A would not be able to resolve this mapping until replication had merged the record from WINS-B, hence the transient nature of the problem. A WINS server should always be configured to register NetBIOS names only with itself. A, B, D. Answer A is incorrect because the order in which services register has nothing to do with NetBIOS name resolution. There might be problems with replication, but the evidence presented doesn't point to this, so Answer B is incorrect. While you absolutely should configure a WINS server to register its NetBIOS records with itself, it will eventually do so even if the configuration is left blank (this could take some time), so Answer D is incorrect.
13. D. You can ping File_Server2, so the issue is related to NetBIOS name resolution. When you invoke the net view command, you force the use of the NetBIOS interface, which will subsequently enforce the rules for NetBIOS names. Computer names are exclusive and must be unique. Because host name resolution resolves the name to a different IP address than the IP address resolved by the NetBIOS name mapping, you will get a duplicate name error message. We know the IP address returned by the ping is correct and that host name resolution is working for this computer. A, B, C. Answer A is incorrect because underscores are valid characters for NetBIOS names. Underscores are problematic in some implementations of DNS, but are not a problem for Windows DNS. Answer B is a possibly correct answer because, if the WINS record has not replicated throughout the environment, you might see a similar problem. However, users have been complaining for some time, much longer than the default replication interval. Answer C is incorrect because if there were problems with database consistency, the problems would be more widespread.
14. B. WINS configuration settings are stored in the Registry. The WINS database contains only NetBIOS registration data, not configuration information. You therefore need to restore the Registry in order to restore the WINS configuration settings. You can do this by restoring the system state backup or a backup of the Registry itself. A, C, D. Answer A is incorrect because the Jetpack utility does not have this functionality. Answers C and D are incorrect because the database does not contain any WINS configuration information.
15. A. It is likely that someone on your network has configured a computer with the same name as the domain controller and hijacked the NetBIOS registration of the domain controller, resulting in a redirection attack. Windows 95 and 98 clients will use NetBIOS for logon services and to connect to file sharing resources. Given the circumstances, the duplicate name message is clear evidence of this kind of attack. If another computer is registered with the same name and is online, the WINS server will report a duplicate name error message back to the computer that is trying to initialize with the same name. For mission-critical servers, it is a good idea to create static mappings that cannot be overwritten by dynamic registrations. This situation represents one of the few circumstances that can justify the use of static mappings. B, C, D. Answer B is incorrect because enabling the Migrate On setting would allow a dynamic registration to overwrite a static registration. Answers C and D are incorrect because flushing either of the resolver caches on the client would have no effect on the ultimate results of having an incorrect record in the WINS server.