Review Questions

1. ‚  

You have installed and configured an Enterprise root CA for your network. At what URL can your user now request new certificates for use with Exchange Server 2003?

1. http:// ServerName /exchange/certsrv

2. http:// ServerName /certsrv/exchange

3. http:// ServerName /exchange

4. http:// ServerName /certsrv

2. ‚  

This morning when you came to work, several dozen users on your network had called the help desk stating that they could not log in to the network. All of the users are using workstations that run Windows NT 4.0 Workstation or Windows 98. Users with Windows 2000 and Windows XP workstations report no problems. What do you suspect is the most likely problem?

1. The RID master cannot be contacted.

2. The Infrastructure master cannot be contacted.

3. A DNS server cannot be contacted.

4. A global catalog server cannot be contacted.

5. The PDC emulator cannot be contacted.

3. ‚  

You are troubleshooting a name resolution problem on your network. You suspect that some of your users ‚ workstations have negative cache data in their local DNS resolver caches. What can you do about this problem?

1. Issue the ipconfig /registerdns command.

2. Issue the ipconfig /flushdns command.

3. Issue the ipconfig /release command.

4. Issue the ipconfig /dropdns command.

4. ‚  

Which of the following types of Windows authentication can be used in a Windows Server 2003 network that is operating at the Windows 2000 mixed domain functional mode? (Choose all that apply.)

1. Kerberos v3

2. Kerberos v5

3. NTLM

4. Basic

5. Basic over SSL

5. ‚  

You have just configured your Exchange server for IMAP4 client access. IMAP4 clients can be authenticated with either Basic (Clear-Text) or Basic over SSL. The administrator of your firewall informs you that the firewall will allow traffic from SMTP (port 25), IMAP4 (port 143), and HTTP (port 80). What additional port must be opened on the firewall to allow your Exchange server IMAP4 configuration to be used?

1. 993

2. 443

3. 137

4. 135

6. ‚  

Which of the following constructs is used to verify the identity of a person associated with a public key?

1. Certificates

2. Private key

3. Trust

4. Certificate Authority

7. ‚  

Which of the following authentication protocols passes a person ‚ s username and password over the network? (Choose all that apply.)

1. Basic

2. Basic over SSL

3. NTLM

4. Kerberos v5

8. ‚  

One of your network users has reported that he cannot log into the network. You have checked with two dozen other users on the same IP subnet and no one else has reported any problems. In this situation, what is the most likely cause of the problem?

1. A domain controller could not be reached.

2. A global catalog server could not be reached.

3. The user ‚ s workstation has incorrect TCP/IP settings configured.

4. The DNS server could not be reached.

9. ‚  

A new Exchange server has been installed and configured for HTTP and POPThe network project plan calls for allowing the following clients to access this server: HTTP using Windows Integrated authentication, and POP3 and Microsoft Outlook using secure passwords. You refer to the current firewall configuration and see that it is open to DNS, HTTP, SMTP, and ports higher than 10What ports, if any, must you open to enable the desired Exchange clients to pass through the firewall? (Choose all that apply.)

1. 389

2. 110

3. 443

4. 135

5. All of the above

10. ‚  

When a user digitally signs a message, which two keys are used in the process?

1. The sender ‚ s public signing key

2. The sender ‚ s private signing key

3. The recipient ‚ s public signing key

4. The recipient ‚ s private signing key

11. ‚  

Your Exchange server is configured for anonymous HTTP clients, but those clients who are outside your firewall report that they cannot access the directory. What is the problem?

1. The DS needs to be stopped and restarted.

2. Windows Integrated authentication needs to be enabled.

3. The HTTP port is not open on the firewall.

4. Basic (Clear-Text) authentication is needed.

12. ‚  

When a user encrypts a message, what keys are used in the process? (Choose all that apply.)

1. The sender ‚ s public encryption key

2. The sender ‚ s private encryption key

3. The recipient ‚ s public encryption key

4. The recipient ‚ s private encryption key

5. A secret key

13. ‚  

Your network is configured as shown below. Your company uses two firewalls to create a perimeter network. Your front-end server has its name and IP address entered into a public DNS server on the Internet. Both firewalls prohibit traffic on all ports that are not explicitly allowed. The ports that are currently open on both firewalls are port 25 (SMTP), port 53 (DNS), and port 80 (HTTP).

Management requires that users be able to connect over the Internet to your Exchange server using Microsoft Outlook. Policy dictates that passwords be transmitted in a secure manner. In addition, management would like web clients that do not support Windows Integrated authentication to be able to connect to your Exchange server but not transmit user information in clear text, and management would like POP3 clients to be able to connect to the Exchange server and download their messages. The last two items are desired, but not required, of your final solution.

You propose to perform the following actions:

‚ Outlook Client

Back-End Server

Global Catalog

Open Ports 25, 53, and 80

Open Ports 25, 53, and 80

Internet

Interior Firewall

Front-End Server

Exterior Firewall

Web Client

POP3 Client

Open port 135 on the exterior firewall.

‚ Open port 110 on the exterior firewall.

‚ Open port 443 on the exterior firewall.

If you complete the proposed actions, will you have achieved the required and/or desired results?

1. You will achieve the required result and both of the desired results.

2. You will achieve the required result and one of the desired results.

3. You will achieve only the required result.

4. You will not achieve the required result.

14. ‚  

Your network is configured as shown below. Your company uses two firewalls to create a perimeter network. Your front-end server has its name and IP address entered into a public DNS server on the Internet. Both firewalls prohibit traffic on all ports that are not explicitly allowed. The ports that are currently open on both firewalls are port 25 (SMTP), port 53 (DNS), and port 80 (HTTP).

Management requires that users be able to connect over the Internet to your Exchange server using Microsoft Outlook. Policy dictates that passwords be transmitted in a secure manner. In addition, management would like web clients that do not support Windows Integrated authentication to be able to connect to your Exchange server but not transmit user information in clear text, and management would like POP3 clients to be able to connect to the Exchange server and download their messages. The last two items are desired, but not required, of your final solution.

You propose to perform the following actions:

‚ Outlook Client

Back-End Server

Global Catalog

Open Ports 25, 53, and 80

Open Ports 25, 53, and 80

Internet

Interior Firewall

Front-End Server

Exterior Firewall

Web Client

POP3 Client

Open port 135 on the exterior firewall.

‚ Open port 110 on the exterior firewall.

‚ Open port 443 on the exterior firewall.

‚ Open port 3268 on the interior firewall.

If you complete the proposed actions, will you have achieved the required and/or desired results?

1. You will achieve the required result and both of the desired results.

2. You will achieve the required result and one of the desired results.

3. You will achieve only the required result.

4. You will not achieve the required result.

15. ‚  

Your network is configured as shown below. Your company uses two firewalls to create a perimeter network. Your front-end server has its name and IP address entered into a public DNS server on the Internet. Both firewalls prohibit traffic on all ports that are not explicitly allowed. The ports that are currently open on both firewalls are port 25 (SMTP), port 53 (DNS), and port 80 (HTTP).

Management requires that users be able to connect over the Internet to your Exchange server using Microsoft Outlook. Policy dictates that passwords be transmitted in a secure manner. In addition, management would like web clients that do not support Windows Integrated authentication to be able to connect to your Exchange server but not transmit user information in clear text, and management would like POP3 clients to be able to connect to the Exchange server and download their messages. The last two items are desired, but not required, of your final solution.

You propose to perform the following actions:

‚ Outlook Client

Back-End Server

Global Catalog

Open Ports 25, 53, and 80

Open Ports 25, 53, and 80

Internet

Interior Firewall

Front-End Server

Exterior Firewall

Web Client

POP3 Client

Open port 135 on the exterior firewall.

‚ Open port 110 on the exterior firewall.

‚ Open port 3268 on the interior firewall.

If you complete the proposed actions, will you have achieved the required and/or desired results?

1. You will achieve the required result and both of the desired results.

2. You will achieve the required result and one of the desired results.

3. You will achieve only the required result.

4. You will not achieve the required result.

16. ‚  

What security feature of Windows Server 2003 lets you log the actions of users and groups based on certain criteria?

1. Auditing

2. Diagnostics logging

3. Accounting

4. Tracking

17. ‚  

You have configured an X.400 Connector between your mixed-mode organization and a foreign messaging system. The ports that are currently open on your company ‚ s firewall are port 25 (SMTP), port 53 (DNS), and port 80 (HTTP). What additional port would you need to open to allow the traffic for the X.400 Connector to pass?

1. 98

2. 102

3. 110

4. 119

18. ‚  

You are attempting to isolate and troubleshoot a problem with host name resolution on your network. You suspect that one of your Exchange Server 2003 servers is not properly registering its DNS information with your Active Directory DNS servers. What command can you use to examine the DNS zone data to determine whether the required DNS records exist?

1. telnet

2. nslookup

3. pathping

4. netstat

19. ‚  

Which of the following types of Certificate Authority does not require access to the Active Directory?

1. Enterprise CA

2. Organization CA

3. Stand-alone CA

4. Domain CA

20. ‚  

You are attempting to isolate and troubleshoot a problem with packet loss somewhere in your network. You suspect that one or more routers in your internal network may be dropping packets. What command should you use to gather the most complete information about the status of all links and routers between one host and another?

1. telnet

2. nslookup

3. pathping

4. netstat

1. ‚  

D. The web enrollment pages of your CA are accessible at http:// ServerName /certsrv .

2. ‚  

E. The PDC emulator is required in order for users on legacy workstations that are not Active Directory ‚ aware to successfully log in to the network. In this scenario where only these users are affected, the problem is most likely with connectivity to the PDC emulator or else the PDC emulator is not responding to client requests .

3. ‚  

B. The ipconfig /flushdns command is used to clear the local DNS resolver cache. The ipconfig /registerdns command is used to manually force the host to register itself with dynamic DNS. The ipconfig /release command is used to release a DHCP lease from one or more network adapters.

4. ‚  

C, D, E. The Basic (Clear-Text) and Basic over SSL authentication methods may be used on any type of network. The third method available is Integrated Windows authentication. When operating at the Windows 2000 mixed domain functional mode, Integrated Windows authentication uses the NTLM protocol supported by Windows NT 4.0. When running in native mode, Integrated Windows authentication uses Kerberos v5.

5. ‚  

A. The standard IMAP4 protocol uses port 143. IMAP4 (SSL) uses port 993, which must be opened on the firewall to allow IMAP4 (SSL) traffic to pass.

6. ‚  

A. Certificates allow verification of the claim that a given public key actually belongs to a given individual. This helps prevent someone from using a phony key to impersonate someone else.

7. ‚  

A, B. Basic authentication passes the username and password over the network in unencrypted clear text. Basic over SSL still passes the information over the network but encrypts it using SSL. Neither NTLM nor Kerberos v5 passes the information over the network at all.

8. ‚  

C. In the situation where only one or a very small number of users are affected, you should start your search by examining what could be the root of the issue. A broken or disconnected network cable would yield the same result as incorrect TCP/IP settings ‚ the inability to contact the rest of the network as required.

9. ‚  

B, D. Opening port 110 allows POP3 traffic to pass. Opening port 135 allows RPC traffic to pass and thus enables Microsoft Outlook clients. Since the HTTP port 80 and all ports over 1023 are already open, HTTP is already allowed using Windows Integrated authentication.

10. ‚  

A, B. The sender ‚ s own private signing key is used to sign the data. The data is not encrypted in any way during the signing process. The recipient of the data uses the sender ‚ s public signing key to verify the digital signature. The message is valid if the public and private signing keys correspond to one another.

11. ‚  

C. If outside users report that they are having trouble making a connection, one of the first things you should check is whether the firewall is configured to allow the traffic to pass. One way to verify that the problem is with the firewall is to determine whether an internal user can connect to the same server with the same protocol.

12. ‚  

C, D, E. First, the sender ‚ s client generates a secret key to encrypt the actual message and any attachments. Next, the recipient ‚ s public encryption key to encrypt the secret key in a lockbox is sent to the recipient. The receiving client then uses the recipient ‚ s private encryption key to decrypt the secret key, which is then used to decrypt the message.

13. ‚  

D. In order to let the appropriate clients access the front-end server, you must open port 135 (RPC) for Outlook, port 110 (POP3) for POP3 clients, and port 443 (HTTP over SSL) for web clients on the exterior firewall. The front-end and back-end servers communicate using port 80 (HTTP), which is already open on the interior firewall. However, the front-end server must also be able to look up information in the Global Catalog so that it knows the appropriate back-end server to use. Therefore, you must also open port 3268 on the interior firewall.

14. ‚  

A. In order to let the appropriate clients access the front-end server, you must open port 135 (RPC) for Outlook, port 110 (POP3) for POP3 clients, and port 443 (HTTP over SSL) for web clients on the exterior firewall. The front-end and back-end servers communicate using port 80 (HTTP), which is already open on the interior firewall. However, the front-end server must also be able to look up information in the Global Catalog so that it knows the appropriate back-end server to use. Therefore, you must also open port 3268 on the interior firewall.

15. ‚  

B. In order to let the appropriate clients access the front-end server, you must open port 135 (RPC) for Outlook, port 110 (POP3) for POP3 clients, and port 443 (HTTP over SSL) for web clients on the exterior firewall. The front-end and back-end servers communicate using port 80 (HTTP), which is already open on the interior firewall. However, the front-end server must also be able to look up information in the Global Catalog so that it knows the appropriate back-end server to use. Therefore, you must also open port 3268 on the interior firewall.

16. ‚  

A. Auditing is a feature that logs the actions of users and groups based on certain criteria. For example, a Windows Server 2003 server can audit successful and failed logon attempts or access to certain files.

17. ‚  

B. MTA traffic using X.400 over TCP/IP operates on port 102.

18. ‚  

B. Nslookup is used to gather information about and troubleshoot DNS- related name resolution issues. The pathping command provides the ability to determine the packet loss along each link in the path and at each router in the path to the destination, which can be particularly helpful when troubleshooting problems where multiple routers and links are involved. Telnet can be used to perform basic troubleshooting by verifying that a service is running on a server in instances where ICMP packets are dropped by routers or firewalls. Netstat can be used to examine protocol information and also list which ports are currently open on a host.

19. ‚  

C. Enterprise CAs are used as CAs for an enterprise and require Active Directory access. The stand-alone CA is used to issue certificates to users outside the enterprise and does not require access to the Active Directory. There is no such thing as an organization CA or a domain CA.

20. ‚  

C. The pathping command is a mix of both ping and tracert . The pathping command provides the ability to determine the packet loss along each link in the path and at each router in the path to the destination, which can be particularly helpful when troubleshooting problems where multiple routers and links are involved. Telnet can be used to perform basic troubleshooting by verifying that a service is running on a server in instances where ICMP packets are dropped by routers or firewalls. Nslookup is used to gather information about and troubleshoot DNS-related name resolution issues. Netstat can be used to examine protocol information and also list which ports are currently open on a host.