Self Test


A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Planning for Host Name Resolution

1.

You are the administrator of a Windows Server 2003 network. Recently, your company made a sudden and unexpected announcement that it would be merging with another company called Syngress Industries, a large company that has more than 20,000 employees. You learn that, in the short term, communications between the two companies will need to take place over persistent VPNs using each company’s respective connections to the Internet, both of which are operating at about 75 percent capacity. You will need to set up trust relationships between two AD forests. Furthermore, you plan to move significant amounts of data between the two networks. You learn that Syngress Industries uses a child domain of its Internet domain namespace for its AD forest root. The name of the internal domain is ad.syngress.com.

You want to ensure that your DNS infrastructure can resolve names for internal hosts of Syngress Industries. You also want to ensure that your solution is the most effective in terms of resource usage. What should you do to enable name resolution for internal hosts of Syngress Industries?

  1. Create a secondary zone for ad.syngress.com on your DNS servers.

  2. Create a stub zone for syngress.com on your DNS servers.

  3. Create an Active Directory-integrated zone for ad.syngress.com

  4. Create a conditional forwarding configuration on your DNS servers for ad.syngress.com

 d

2.

You are the administrator of a Windows Server 2003 network. Your boss has just read an article on how DNS servers can be compromised so that they will redirect recursive queries to bogus Web sites that can cause potential harm. Your boss has asked you to ensure that the DNS servers in the DMZ have the highest level of protection possible against this and other types of common attacks on DNS servers. You have two DNS servers. DNS-A is used to resolve name mappings for your public Web and mail server. The other DNS server, DNS-B, is used by the internal proxy server to resolve Web site addresses to IP addresses. What actions should you take to carry out your boss’s order to provide the highest possible security against multiple common DNS attacks? (Select the best answer.)

  1. Enable protection against cache pollution on DNS-B and disable recursion on DNS-A

  2. Enable protection against cache pollution on DNS-A and disable recursion on DNS-B

  3. Disable recursion on DNS-A and configure the firewall to not allow any inbound traffic with destination ports of TCP or UDP port 53 to reach DNS-B

  4. Disable recursion on DNS-B and configure the firewall to not allow any inbound traffic with destination ports of TCP or UDP port 25 to reach DNS-A

 c

3.

You are the administrator of a Windows network that consists of a mixture of Windows NT 4, Windows 2000, and Windows Server 2003 servers, providing a mix of file, print, messaging, and other services critical to your network. You are currently running WINS, DNS, and DHCP services on your network. You have already enabled dynamic DNS on your forward and reverse lookup zones, but you want to ensure that all of your client computers can find the name-to-address mapping of all your servers using DNS. You want to minimize the administrative effort for this project. What action should you take? (Select the best answer.)

  1. Place the DHCP servers in the DnsUpdateProxy group.

  2. Enable DHCP to update forward and reverse lookup zones on behalf of all DHCP clients.

  3. Manually enter the records for servers that have static addresses.

  4. Create a WINS resource record in the forward and reverse lookup zones.

 d

4.

You are using ISA Server 2000 as a firewall and Web proxy server to protect your internal AD network and provide Web proxy and caching services for HTTP requests. You currently are using three DNS servers to support the DNS queries. DNS-A is used for your internal AD root. DNS-B is used to provide name resolution for Internet clients that want to connect to your public Web and mail servers. DNS-C is used to provide Internet name resolution. How should you configure the DNS and ISA Server access rules to provide the maximum security and functionality for your DNS infrastructure?

  1. On DNS-A, remove the root hints file and enable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.

  2. On DNS-A, remove the root hints file and disable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.

  3. On DNS-A, remove the root hints file and enable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 with a source port of ANY.

  4. On DNS-A, remove the root hints file and disable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, update the root hints file and enable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, disable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.

 a

5.

You are the administrator of a Windows Server 2003 network. Your company has recently merged with another company and you have set up trusts between the AD forests and have set up conditional forwarding on your DNS servers to resolve names in the AD forest of the newly merged company. You would like your users to be able to resolve names in the newly merged company with the least possible effort and typing on their part. You would like to implement a solution with the least possible effort on your part. What should you do?

  1. Using ADSI, create an msDS-AllowedDNSSuffixes attribute in the domain object container and include the domain suffix of the newly merged AD forest in the list of allowable suffixes.

  2. Create a group policy that configures the DNS clients with a custom DNS suffix search list.

  3. Configure the DHCP server option 81 to supply the name of the domain suffix of the newly merged AD forest to DHCP clients.

  4. Configure a stub zone for a root domain of the newly merged company on your DNS servers.

 b

6.

You are a DNS administrator of a large, distributed Windows Server 2003 network. The AD domain tree consists of a number of child domains that reflect the geographic locations of the different offices of the company. You are responsible for the DNS root domain of the AD forest and the child domain of the office where you work. All administrative responsibility for the remaining child domains is performed by locally based administrators in their respective offices. The capacity of the WAN links connecting the various offices is showing signs of being insufficient. You want to ensure that DNS resolution for the child domains outside your administrative control will work company-wide in a fault-tolerant manner without adding additional strain to available resources. What should you do? (Select the best answer.)

  1. On the root DNS servers, configure conditional forwarding for the child domains.

  2. On the DNS servers in the child domain under your control, configure secondary zones for the other child domains.

  3. On the root DNS servers, configure stub zones for the child domains.

  4. On the DNS servers in the child domain under your control, configure secondary zones for the other child domains.

 c

7.

You are the enterprise administrator of a Windows network that comprises a number of Windows 2000 and Windows 2003 domain controllers. You want to use Active Directory-integrated zones for your zone data to enhance security and optimize replication of zone data. What should you choose as the replication scope? (Select the best answer.)

  1. To all DNS servers in the forest

  2. To all domain controllers in the AD domain

  3. To all DNS servers in the AD domain

  4. To all domain controllers specified in the scope of an application partition

 b

Answers

1.

D

2.

C

3.

D

4.

A

5.

B

6.

C

7.

B

Planning for NetBIOS Name Resolution

8.

You are an administrator of a Windows Server 2003 network. You want to automate the backups of the WINS database. You want this backup to occur at least once every 24 hours. What should you do? (Select the best answer.)

  1. Configure the Windows Backup utility to back up the contents of the %systemroot%\System32\Wins folder once every 24 hours.

  2. Using the AT command scheduler, create a batch file that temporarily stops the WINS service, copies the WINS database to another location, and then restarts the service.

  3. Use a third-party backup solution that is capable of backing up open files and configure it to back up the contents of the %systemroot%\System32\Wins folder once every 24 hours.

  4. In the WINS server console, configure a path to store backups of the database and initiate a manual backup.

 d

9.

You are the administrator of a Windows Server 2003 network. You are responsible for a number of WINS servers that are set up as push/pull replication partners to each other. You have a number of static mappings in your WINS database and want to remove one of these mappings from the WINS database. You want to ensure that the record is deleted on all servers with the least administrative effort. How should you delete the WINS static mapping? (Select the best answer.)

  1. On the owner server of the mapping, find the record and perform a simple deletion.

  2. On the owner server of the mapping, find the record and perform a tombstone deletion.

  3. On all of the WINS servers, find the record and perform a simple deletion.

  4. On all of the WINS servers, find the record and perform a tombstone deletion.

 b

10.

You are the administrator of a Windows Server 2003 network. You have five WINS servers and need to reconfigure the replication topology as a result of some recent upgrades to your WAN links. All of your WAN links connecting the head office and your four branch offices now have ample bandwidth to handle additional traffic. You want to ensure the shortest convergence time of replicated records, while at the same time keeping the number of replication partnership agreements to an absolute minimum. What replication topology should you choose? (Select the best answer.)

  1. Ring topology

  2. Mesh topology

  3. Hub-and-spoke topology

  4. Hybrid of ring and hub-and-spoke topology

 c

Answers

8.

D

9.

B

10.

C

Troubleshooting Name Resolution Issues

11.

You are an administrator of a Windows Server 2003 network. Your company, Syngress Industries, manages its own DNS for its public Web and mail servers. The primary DNS server for the syngress.com domain is located in a DMZ protected by ISA Server. Your ISP is hosting secondary servers for the syngress.com domain on its BIND 9 servers. While going through your performance logs, you notice a brief but sudden increase in the number of AXFR requests received and AXFR success sent events. Previously, these counters had values of zero in your logs. You suspect your ISP has changed the configuration of its BIND servers, but the ISP denies it and insists that the secondary zones are behaving optimally. You are concerned by these values and decide to investigate the issue and correct it, if necessary. What is the likely cause of the problem and what should you do? (Select the best answer.)

  1. A rogue DNS server is attempting to pollute the cache on your DNS server by sending bogus queries over TCP, rather than UDP. You should turn on debug logging to determine the source IP address and block all traffic from this address on ISA Server. You should also enable protection against cache pollution and inform the ISP.

  2. A malicious user is issuing an nslookup –ls or equivalent command against your DNS server. You should configure the DNS server to allow zone transfers only to the IP addresses of the secondary servers at the ISP. You should also block all external requests destined for the primary DNS server on TCP port 53 with a source port of ANY, except for the external addresses of the secondary servers. You should inform the ISP managers and ask them to confirm an equivalent level of security on their servers.

  3. A malicious user is attempting to launch a DoS attack on your DNS. You should disable recursion on the DNS server. You should also turn on debug logging to determine the source IP address of the attack and block the IP address at ISA Server. You should inform the ISP to be on the lookout for similar attacks against its DNS servers.

  4. A malicious user is issuing an nslookup –ds or equivalent command against your DNS server to get detailed information. You should turn on debug logging to determine the source IP address. Once you determine the IP address, you should block it from all communication with your DNS servers at ISA Server. You should inform the ISP managers and ask them to confirm an equivalent level of security on their servers.

 b

12.

You are the administrator of a Windows Server 2003 network. Recently, a junior administrator has, on your instructions, rebuilt one of your WINS servers (WINS-A). You don’t have a backup of the WINS database and need to restore the database through reregistrations of WINS clients and replication with another WINS server, WINS-B. Both servers are configured as push/pull replication partners of each other. As soon as WINS-A is brought back online, users configured to use WINS-A as their WINS server immediately start to complain that they can’t access file server shares on this server. By the time you hear about the complaints and try to reproduce the results, you find that the problem has disappeared. However, you take the complaints seriously and investigate further. You examine the WINS database on WINS-B and see some data that strikes you as odd. Based on the data shown in the table here, what problem is indicated? (Select the best answer.)

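| Record Name  | Type        | IP Address     | Owner         | Version |
|--------------|-------------|----------------|---------------|---------|
| WINS-A [00h] | Workstation | 192.168.100.20 | 192.168.179.5 | 20D     |
| WINS-A [20h] | File Server | 192.168.100.20 | 192.168.179.5 | 20C     |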

  1. There is a problem with the order of service registration. The workstation service needs to be registered before the file server service.

  2. There is a problem with WINS replication that has caused the wrong owner to be associated with WINS-A.

  3. The TCP/IP stack on WINS-A is configured with the IP address of WINS-B as its secondary WINS server.

  4. The TCP/IP stack on WINS-B is not configured to register itself with a WINS server.

 c

13.

You are the administrator of a Windows Server 2003 network using DNS and WINS to provide name resolution services. You have two WINS servers that are set up with the default push/pull configurations. Users have been complaining for days about problems connecting to a server called File_Server2. You ping File_Server2 and get a response from the computer. However, when you issue a net view \\File_Server2 command, you get an error message stating that a duplicate name exists on the network. What is the likely cause of the problem? (Select the best answer.)

  1. The underscore character cannot be used in a NetBIOS name. Rename the computer and reboot it.

  2. There is a problem with the replication of the records for File_Server2. Manually initiate replication with the WINS server that is the owner of the record of File_Server2.

  3. The WINS database is corrupt. Manually initiate consistency checking to restore database integrity.

  4. The WINS server contains an incorrect name mapping for File_Server2.

 d

14.

You are the administrator of a WINS server. The WINS server has suffered a hardware failure, and you have subsequently been forced to reinstall Windows Server 2003 and the WINS service. Fortunately, you have a recent backup of the WINS database. You restore the database, but notice that none of the former WINS configuration settings are present. What should you do? (Select the best answer.)

  1. You need to use the %systemroot%\system32\jetpack.exe file to restore the WINS configuration after you restore the database.

  2. You need to restore the original System State from the backup to the Windows Server 2003 server.

  3. You need to invoke database consistency checking on the database.

  4. You need to set up replication with a WINS server that was a replication partner of the former WINS server.

 b

15.

You are the administrator of a Windows Server 2003 network. After restoring the Windows Server 2003 domain controller that you had taken off the network for a few hours for maintenance, your Windows 95 and 98 users have begun complaining that they are unable to access resources on this computer. You remember seeing a message about a duplicate name on the network when you turned on the domain controller, but didn’t think much of it at the time because you had changed the IP address of the domain controller before you took it offline. What action should you take?

  1. Create static mappings in the WINS database for the domain controller and disable the migrate on setting.

  2. Create static mappings in the WINS database for the domain controller and enable the migrate on setting.

  3. Have the users of Windows 95 and 98 computers issue an nbtstat -RR command.

  4. Have the users of the Windows 95 and 98 computers issue an ipconfig /flushdns command.

 a

Answers

11.

B

12.

C

13.

D

14.

B

15.

A




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
