Which of the following operating systems can act as an Active Directory client and join the domain using a computer account?
Windows 95
Windows 98
Windows Me
Windows 2000 Professional
Windows XP Home Edition
Answer D is correct. Windows 2000 Professional, Windows XP Professional, and Windows Vista computers can act as Active Directory clients and join the domain using computer accounts.
Which editions of Windows could you use for 4-node clustering with 8 processors and 32 GB RAM?
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
Answers C and D are correct. Web Edition and Standard Edition do not support clustering. Enterprise Edition and Datacenter Edition support server clusters with up to eight nodes.
Although you can use the Configure Your Server Wizard to configure a server as domain controller, which program or utility do you use to promote or demote a domain controller?
NETSH DIAG
DCPROMO.EXE
Active Directory Users And Computers
NTDSUTIL.EXE
LSASS.EXE
Answer B is correct. Promote and demote domain controllers using the Active Directory Installation Wizard (dcpromo). To start this wizard, click Start 
Run. Type dcpromo in the Open field, and then click OK.
The Everyone group should be granted Full Control on Drives D and G.
The Domain Users group should be granted Full Control on Drives D and G.
Permissions for the Everyone group should be removed from Drives D and G.
Permissions for the Authenticated Users group should be removed from Drives D and G.
Answers B and C are correct. Setup doesn't grant any special permissions on additional drives. Instead, Setup grants the Everyone group Full Control on the entire drive, and it is up to the administrator to configure appropriate permissions.
Mary is a network administrator who has been given the task of configuration on a new file server. Windows Server 2003 Standard Edition has already been installed. The file server has three hard drives formatted with NTFS. The C drive is the system drive. Drives D and G are data drives. After configuring filesystem permissions, Mary created a shared folder on each data drive for users. What configuration option should Mary choose to ensure administrators have Full Control on the shared folders and other users have Change access?
All Users Have Read-Only Access.
Administrators Have Full Access; Other Users Have Read-Only Access.
Administrators Have Full Access; Other Users Have Read And Write Access.
None of the above; the administrator must configure custom permissions.
Answer C is correct. Administrators Have Full Access; Other Users Have Read And Write Access grants administrators Full Control and the Everyone group Change access.
John is a new system administrator. He is configuring security for several new workstations running Windows XP Professional. The computers are members of the Temp OU, and he noticed that users are able to reuse old passwords whenever they are prompted to change them. Which of the following account policies can be used to prevent this behavior?
Enforce Password History
Maximum Password Age
Minimum Password Age
Store Passwords Using Reversible Encryption
Answer A is correct. Enforce Password History determines how many previously used passwords will be maintained in the user's password history. When this policy is enabled and set to a value greater than zero, a user cannot use a password that is in the history, and thus, a user cannot reuse a recently used password.
While continuing to look at the domain security for the Temp OU, John noticed that a user was able to repeatedly enter a wrong password. He watched the user enter eight bad passwords in a row before finally getting the right password on the ninth attempt. Which of the following account policies can be set to ensure accounts are locked out indefinitely after 3 bad logon attempts in a 15-minute period?
Account Lockout Duration
Account Lockout Threshold
Reset Account Lockout Counter After
All of the above
Answer D is correct. All three account policies must be set to meet the requirements. In this case, Account Lockout Duration needs to be set to 0, Account Lockout Threshold needs to be set to 3, and Reset Account Lockout Counter After needs to be set to 15.
You've just promoted a server running Windows Server 2003 to be a domain controller. After you log on to the server, you run the Security Configuration And Analysis tool and notice security settings aren't what you expect them to be. What is the most likely reason for the security changes on the server?
Domain controllers don't have local security settings, and during promotion, any previously applied security template is removed.
During promotion, domain controllers are made members of the Domain Controllers OU and have the DC Security template applied during promotion.
Domain controllers don't have a SAM database and use only Active Directory for security.
During promotion, domain controllers are configured with default security using the Setup Security template.
Answer B is correct. By default, computers accounts for domain controllers are stored in the Domain Controllers OU. When the server is promoted to a domain controller, the server's computer account is moved to the Domain Controllers OU. The default security for domain controllers comes from the DC Security template, which is applied when a server is promoted to be a domain controller.
What is the proper way to create and then apply a custom security template to a computer?
Use the Security Templates snap-in to create a custom template, configure the security settings as necessary, and then apply the settings using Security Configuration And Analysis.
Create a database in Security Configuration And Analysis, modify the security settings as necessary, and then apply the database to the computer.
Create a database in Security Configuration And Analysis, modify the security settings as necessary, and then apply the settings using the SECEDIT utility.
Create a database in the SECEDIT utility, modify the security settings as necessary in Security Configuration And Analysis, and then apply the template to the computer using the Security Templates snap-in.
Answer A is correct. Use the Security Templates snap-in to create and manage security templates. Use Security Configuration And Analysis to analyze security and apply security templates to a computer. You could also use the SECEDIT utility to apply a security template.
You have created a custom template for computers in the Workstations OU. After creating a rollback template and applying the custom template, you found that the template has caused some undesirable side effects. Which of the following procedures would correct the problem by restoring the previous security settings exactly as they were?
Reapply the default template using Security Configuration And Analysis, and then import this into the Workstation GPO.
Use Security Configuration And Analysis to apply a rollback template and then import this into the Workstation GPO.
Use Security Configuration And Analysis to apply a rollback template, import this into the Workstation GPO, and then manually modify for access control lists on files and in the Registry as necessary.
Import the default template into Workstation GPO.
Answer C is correct. As discussed in the section "Applying security template settings and analyzing security" in Chapter 5, a rollback template is a reverse template that allows you to remove the settings applied with a custom template. Rollback templates, however, do not recover setting for access control lists on files or the Registry.
Which OSI layer is responsible for packet addressing and data encapsulation?
Application
Session
Transport
Network
Data-link
Answer E is correct. The Data Link Layer is responsible for packet addressing, media access control, and data encapsulation.
Which of the following protocols are part of the TCP/IP protocol suite?
Transmission Control Protocol
Internet Protocol (TCP/IP)
User Datagram Protocol (UDP)
Internet Package Exchange (IPX)
NetBIOS Extended User Interface (NetBEUI)
Answers A, B, and C are correct. Most current networks use Transmission Control Protocol/Internet Protocol (TCP/IP). IP operates at the network layer. TCP operates at the transport layer. There is an additional transport layer protocol included in the TCP/IP protocol suite called User Datagram Protocol (UDP).
You are planning the infrastructure for a new network. The data center is centrally located, and the furthest location from the data center is 400 meters. The longest cable runs are 480 meters from the central switch and your plan allows you to use up to 4 repeaters. Which of the following UTP cabling options could be used?
10Base-T, Category 3 UTP
100Base-T, Category 5 UTP
1000Base-T, Category 5E UTP
None of the above
Answer A. With standard Ethernet running at 10 megabits per second using repeaters, the furthest a computer could possibly be from the central switch/router is 500 meters. With standard Ethernet running at 100 megabits per second using repeaters, the furthest a computer could possibly be from the central switch/router is 300 meters. With standard Ethernet running at 1,000 megabits per second using repeaters the furthest a computer could possibly be from the central switch/router is 200 meters.
You are designing a new network and plan to use Class C IP addresses. You want to be able to create 4 subnets with 60 hosts on each subnet, so you allocate 26 bits to the network ID. Which of the following subnet masks should you use for the network?
255.255.255.128
255.255.255.192
255.255.255.224
255.255.255.240
Answer B is correct. This subnet mask allows you to create up to four subnets with up to 62 hosts on each. You can use the formula 2^x to calculate the number of subnets, where x is the number of additional network bits in the network mask from the standard network bits in the network for the IP address class. With the standard Class C network address, there are 24 bits in the network mask. You are creating a /26 network, meaning you are using two additional bits for the network ID. Using the formula (2^2 = 4), you can determine there will be four subnets.
You can use the formula 2^x - 2 to calculate the number of nodes on a subnet, where x is the number of host bits in the network mask. The /26 network mask means there are six bits for hosts. Using the formula (2^6 - 2 = 62), you can determine there will be 62 hosts on each subnet. You have to subtract two hosts to account for the subnet ID and the broadcast IP address, which aren't assigned to hosts.
You are designing a network for a large branch office and have been assigned the network address 10.10.0.0/18. What are the maximum number of subnets and the maximum number of hosts on each subnet?
64 subnets; 262,142 hosts
128 subnets; 131,070 hosts
256 subnets; 65,534 hosts
512 subnets; 32,766 hosts
1024 subnets; 16,382 hosts
Answer E is correct. You can use the formula 2^x to calculate the number of subnets, where x is the number of additional network bits in the network mask from the standard network bits in the network for the IP address class. With the standard Class A network address, there are eight bits in the network mask. You are creating a /18 network, meaning you are using 10 additional bits for the network ID. Using the formula (2^10 = 1024), you can determine there will be 1,024 subnets.
You can use the formula 2^x - 2 to calculate the number of nodes on a subnet, where x is the number of host bits in the network mask. The /18 network mask means there are 14 bits for hosts. Using the formula (2^14 - 2 = 16,382), you can determine there will be 16,382 hosts on each subnet. You have to subtract two hosts to account for the subnet ID and the broadcast IP address, which aren't assigned to hosts.
You are designing a network and plan to use subnetting. You plan to use services running Routing And Remote Access Service to provide IP routing for unicast network traffic. Which routing protocols can you use?
RIP version 1
RIP version 2
OSPF
IGMP
Answers B and C are correct; both RIP version 2 and OSPF Classless Inter-Domain Routing (CIDR). RIP version 1 does not support CIDR. IGMP is used for multicast network traffic.
You are installing a network in an office located above a factory floor and there is a lot of electromagnetic interference. Which of the following network media should you use?
UTP cabling
B Fiber optic cabling
IEEE 802.11a wireless
IEEE 802.11b wireless
Answer B is correct. Fiber optic cabling uses a strand of plastic or glass that carries signals in the form of light pulses. Using light pulses ensures that fiber optic cables are not affected by electromagnetic interference.
You are designing an Internet connectivity strategy for a large office with 500 users. You've determined that between 50 and 100 users will be using email or browsing the Web at any given time. The amount of data downloaded is about equal to the amount of data uploaded. Which of the following Internet access solutions would provide the most reliable solution for both downstream and upstream transmissions?
ISDN (Basic Rate Interface)
ISDN (Primary Rate Interface)
Cable/DSL Modem
T-1
Answer D is correct. While ISDN (Primary Rate Interface) and Cable/DSL modem could possibly do the job, a T-1 is a dedicated line with 1.544 Mbps transmissions speed for both downstream and upstream traffic.
You are a network administer at a large organization. The company has a T-1 connection to a local ISP, which is shared by all clients. Clients access the Internet using NAT. Several users have reported that they can't access the Internet. You start diagnosing the problem and find that all users reporting the problem are on the same subnet. Users on other subnets are not experiencing any problems accessing the Internet. Which of the following could be the cause of the problem?
The NAT router is malfunctioning.
The T-1 connection is down.
The users' DNS Server is down.
The users' default gateway for the subnet is malfunctioning.
The users' DHCP server is down.
Answer D is correct. The users' default gateway for the subnet is a LAN router responsible for connecting the subnet to the rest of the network. If this router is malfunctioning, none of the users on that subnet will be able to access the other parts of the network or the Internet.
When clients obtain TCP/IP settings from a DHCP server, which of the following options should be configured via DHCP?
IP Address
Subnet Mask
Network ID
Router
Answer D is correct. IP Address, Subnet Mask, and Network ID are not valid TCP/IP options. Router is the DHCP option used to set the default gateway. Set the IP address and subnet mask to use through scope properties.
DNS servers can be configured to perform name resolution using several types of queries. With which type of query does the server return results only form its records or from its cache?
Forward query
Reverse query
Iterative query
Recursive query
Answer C is correct. With an iterative query, a DNS server attempts to resolve the query from its records or from its cache. If it is unable to resolve the query, the server refers the client, based on the server's root hints, to an authoritative server in another part of the domain namespace.
Tom is a network administrator. He's been asked to improve responsiveness for name resolution by configuring a local DNS server that will maintain a cache of resolved queries. What should Tom do to prepare the server?
Install the DNS Server service.
Install the DNS Server service, and then configure the server as a forwarder.
Install the DNS Server service, and then configure server to maintain copies of the necessary zones.
Install the DNS Server service, and then configure server to host the necessary zones.
Answer A is correct. A DNS server acts as a forwarding-only server if you've installed the DNS Server service on a server but have not configured DNS zones. Forwarding-only DNS servers maintain a cache of resolved queries. They contain no zones and host no domains.
Sarah is a network administrator. The network's domain structure has recently been reconfigured, and ever since, there are several clients that are unable to update their DNS records. She checked and all the clients having problems are in Technical resources department, which is part of the tech.domain.local domain. She suspects the problem has to do with the preferred DNS server the clients are using. The preferred DNS server for these clients hosts the eng.domain.local domain. What is the best and easiest way to resolve the problem?
The computer accounts for the problem clients should be moved to the eng.domain.local domain.
The DNS server should be moved to the tech.domain.local domain.
The primary DNS suffix for the computers should be changed to eng.domain.local domain.
The preferred DNS server being used for the clients should be changed.
Answer D is correct. The preferred DNS server being used by the clients doesn't host the tech.domain.local zone. Dynamic updates can only occur when the client is configured with a domain suffix that matches a zone name hosted by the preferred DNS server.
You are a network administrator. Multiple users have reported that they can access some local resources but not all, and they have no access to resources on the Internet. You try to diagnose the problem and find that the preferred DNS server used by the clients having the problem can only resolve names for zones stored on the server. The TCP/IP settings on the DNS server are configured correctly. What is the likely cause of the problem?
The DNS server has incorrect or corrupt root hints.
The DNS server's resolver cache is corrupted.
The DNS server is not getting zone transfers.
The DNS server doesn't have any forwarders configured.
Answer A is correct. A server is authoritative only for the zones that it stores. If a DNS server is unable to resolve a query, the server refers the client, based on the server's root hints, to an authoritative server in another part of the domain namespace. If a server can only resolve names for which it is authoritative, the server has problems sending queries to other servers, which could be caused by incorrect or corrupt root hints.
Which routing protocol should use to enable members of a host group to register themselves with routers?
Routing Information Protocol (RIP) version 2 for Internet Protocol
Open Shortest Path First (OSPF)
Internet Group Management Protocol (IGMP)
DHCP Relay Agent routing protocol
Answer C is correct. Internet Group Management Protocol (IGMP) is the routing protocol that makes multicasting possible. Using IGMP, members of a host group can register themselves with routers.
You are planning routing for a large, congested network. Many network segments are separated by at least 12 hops. You are considering using either link state routing or distance vector routing on a computer running Windows Server 2003. Which of the following are valid reasons link state routing would be preferred in this instance?
Link state routing uses only the number of hops for its metrics.
Links state routing factors in conditions such as network speed and congestion.
Link state routing requires little planning and is easy to configure.
Link state routing supports multicast for efficient communications with multiple routers.
Answer B is correct. With link state routing protocols, such as OSPF, routers compute metrics based on many conditions, including network speed and congestion. OSPF uses only unicast transmissions to communication with other routers and requires significant planning and configuration.
Which of the following authentication protocols is required when you want to use digital certificates?
Extensible Authentication Protocol (EAP)
Microsoft Encrypted Authentication version 2 (MS-CHAP v2)
Microsoft Encrypted Authentication (MS-CHAP)
Encrypted Authentication (CHAP)
Shiva Password Authentication Protocol (SPAP)
Answer A is correct. Extensible Authentication Protocol (EAP) allows use of nonpassword-based authentication and is required if you want to use smart cards with remote access clients or PKI certificates.
You are configuring remote access and want to limit client access to the Routing And Remote Access Service server based on group membership. Which of the following procedures can you use?
Set the Dial-in properties for users in Active Directory Users And Computers.
Configure clients to use VPN with IPSec and L2TP.
Configure clients to use RADIUS servers for authentication.
Configure the server to use remote access policies.
Answer D is correct. Using Remote Access policies you can limit access based on group membership, time of day, day of the week, and more.
You are configuring IPSec policy for a group of computers that you want to use IPSec encryption whenever possible. However, some of the clients in the group don't support IPSec. Which of the following IPSec policies should you use?
Client (Respond Only) policy.
Server (Request Security) policy.
Secure Server (Require Security) policy.
A custom IPSec policy must be created.
Answer B is correct. With Server (Request Security) policy, servers always request security using Kerberos trust but do not require secure communications. This policy is intended for use when the highest levels of security are not required and servers might communicate with clients that do not support IPSec.
You want to create a group of highly available web servers. All servers are running Windows Server 2003 and are used to provide HTTP and HTTPS services on the internal network. Which high-availability software solution should you use?
Network Load Balancing
Component Load Balancing
Server clusters
Multicasting Server Grouping
Answer A is correct. Network Load Balancing is used to distribute incoming IP traffic across a cluster of servers. Any IP-based application that uses TCP, UDP, or GRE can be used with network load balancing. This means network load balancing is ideally suited to use with web servers, Internet application servers, and media servers.
Which type of clustering uses shared storage and stores the cluster configuration and recovery data on the same device?
Passive-node clusters
Single-node server clusters
Single quorum device server clusters
Majority node server clusters
Answer C is correct. Single quorum device server clusters are all connected to the same cluster storage devices. All members in the cluster use the same cluster quorum device as well. The quorum device stores cluster configuration and recovery data.
You are configuring a four-node cluster on servers running Windows Server 2003 Enterprise Edition. If all four nodes are active, you've determined that at least four processors and 4 GB of RAM are required on each server to handle the expected workload. You also think you might want to use two active nodes and two passive nodes. What are the minimum configurations to handle the workload and allow for two-node failure?
Configure four active nodes each with at least eight processors and 8 GB RAM.
Configure two active nodes and two passive each with at least four processors and 4 GB RAM.
Configure 4 active nodes each with at least 32 processors and 16 GB RAM.
Configure 2 active nodes and 2 passive each with at least 16 processors and 32 GB RAM.
Answer A is correct. If you determine that each node in the cluster must have four processors and 4 GB of RAM to handle the expected workload, you would need to double these resources to ensure that any single node could handle the additional processing load, should one of the nodes fail. In this configuration, up to two nodes could fail and the workload would be supported.
Which of the following performance counters could you use to determine a possible problem with memory or a memory leak?
Process(process_name)\Pool Paged Bytes
Memory\Available Kbytes
Memory\Nonpaged Kbytes
Processor\%Processor Time
Answers A, B, and C are correct. Increasing Process(process_name)\Pool Paged Bytes and Memory\Nonpaged Kbytes may indicate a memory leak; may need to install updated version of the program. Consistently low Memory\Available Kbytes may indicate a memory bottleneck and a need to add physical memory.
Which of the following features can you use to supplement backups and allow users to recover their own files?
Volume Shadow Copy
Automated System Recovery
Automatic Supplemental Restore
Normal backup
Answer A is correct. Backup and recovery strategy should include volume shadow copy to allow users to recover their own files. Volume shadow copy is not a replacement for backups.
Which type of backup should you use if you want to track the full set of changes since the last normal backup?
Incremental backups
Copy backups
Daily backups
Differential backups
Answer D is correct. Differential backups back up all selected files or folders with an archive flag. Each differential backup after a normal backup contains the full set of changes since the normal backup was created.
Which tool can you use to determine which ports a server has open?
NETSH
NETSTAT
Security Configuration And Analysis
Security Monitor
Answer B is correct. On a server, you can type netstat -ano at a command prompt to list all TCP and UDP port connections to that server.
Which of the following are assigned by the Internet Assigned Numbers Authority (IANA)?
Well-known port numbers
Ephermeral numbers
Protocol codes
Listen Pids
Answers A and C are correct. The Internet Assigned Numbers Authority (IANA) is responsible for assigning the values used for TCP/IP protocols and ports. Commonly used protocols have permanently assigned port numbers, which are referred to as well-known ports.
You've configured IP filter lists so IPSec encrypts email traffic. The organization uses Post Office Protocol 3 (POP3) and Simple Mail Transfer Protocol (SMTP). For which of the following well-known ports should you configure the filter list?
25
80
90
110
Answers A and D are correct. Post Office Protocol 3 (POP3) uses port 110 and Simple Mail Transfer Protocol (SMTP) uses port 25.
Bob, who is not an administrator, is commonly asked to help Joe with computer problems. Your manager has asked you to configure Bob's account so Bob can remotely assist Joe. Which of the following tasks must you perform to allow Bob to do this?
Enable Remote Desktop for Administration on Joe's computer.
Enable Remote Assistance on Joe's computer.
Make Bob a member of the Remote Desktop Users group on Joe's computer.
Make Bob a member of the Remote Administrators group on Joe's computer.
Answers B and C are correct. Joe's computer must have Remote Assistance enabled and Bob's user account must be made a member of the Remote Desktop Users group on Joe's computer.
You don't want wireless clients to be able to connect directly to other wireless clients. Which wireless operating modes should you use to ensure that clients can only connect to wireless access points?
Any Available Network (Access Point Preferred)
Access Point (Infrastructure) Networks Only
Computer-to-Computer (Ad Hoc) Networks Only
Ad Hoc Networks Only
Answer B is correct. You can restrict wireless clients to infrastructure networks only to prevent risky direct computer to computer connections.
Which of the following audit policies should you enable to log all IPSec events in the Security event log?
Audit Logon Events
Audit Policy Change
Audit Security
Audit IP Policy
Answers A and B are correct. Some IPSec processes are only logged when auditing is enabled. Specifically, you must enable Audit Logon Events and Audit Policy Change for Success and Failure events.
Which type of Certificate Authority (CA) must you use if you want to use smart card certificates?
Stand-alone CA
Domain CA
Enterprise CA
Subordinate CA
Answer C is correct. Only enterprise CAs support smart card certificates. Stand-alone CAs do not store certificates in Active Directory and should not be used to issue smart card certificates.
You are planning the deployment of Public Key Infrastructure (PKI). You want the CAs to publish their certificates and revocation lists to Active Directory, and you want to use autoenrollment. Which of the following is the first CA you should deploy to support your infrastructure?
Enterprise root CA
Enterprise subordinate CA
Stand-alone root CA
Stand-alone subordinate CA
Answer A is correct. The enterprise root CA is at the top of the enterprise CA hierarchy. Enterprise CAs only publish their certificates and revocation lists to Active Directory, and use the information for automatic enrollment.
You've implemented IPSec and now you want to check to make sure it is working. Which of the following tools can you use to monitor the network to make sure all network transmissions are using IPSec?
Performance Monitor
System Monitor
Network Monitor
IP Security Monitor
Answer D is correct. Using the IP Security Monitor, you can view the current active IPSec policy and review the IPSec activity for the entire network. While you could use Network Monitor to check network packets and see they are encrypted. This would only be for a single computer and not for all computers on the network.
Which Windows components must you install to use Windows Server Update Services (WSUS)?
SQL Server
IIS
Background Intelligent Transfer Service (BITS) 2.0
Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003
SUS
Answers B, C, and D are correct. WSUS requires IIS, BITS, and .NET Framework 1.1. WSUS is the replacement for Software Update Services (SUS).
