CHAPTER ANSWERS

IMPLEMENTING, MANAGING, AND MAINTAINING A MICROSOFT WINDOWS SERVER 2003 NETWORK INFRASTRUCTURE

IMPLEMENTING, MANAGING, AND MAINTAINING A …raymond.chan/win310/answ… ·  · 2010-05-10implementing, managing, and maintaining a microsoft windows server ... textbook chapter


2 TEXTBOOK CHAPTER 1 ANSWERS: IMPLEMENTING DHCP

CHAPTER 1

IMPLEMENTING DHCP

CHAPTER REVIEW QUESTIONS

1. Under what circumstances should network administrators use DHCP?

ANSWER

Network administrators should use DHCP in situations in which manually configuring each host on a network becomes inefficient. As the number of hosts on a network grows, and as the number of configuration options for each host also grows, so does the need for and benefit of using DHCP.

2. Place the following DHCP message types in the order in which a successful initial IP address assignment procedure uses them.

a. DHCPACK

b. DHCPOFFER

c. DHCPREQUEST

d. DHCPDISCOVER

ANSWER

d, b, c, a. The client broadcasts a DHCPDISCOVER message to find the DHCP server, the server responds with a DHCPOFFER message, the client accepts the offer with a DHCPREQUEST message, and the server confirms by sending a DHCPACK message.

3. How does a DHCP client respond when its attempt to renew its IP address lease fails and the lease expires?

ANSWER

The IP address is released and the client begins the process of acquiring a new lease.

4. You have configured a scope with an address range of 192.168.0.11 through 192.168.0.254. However, your DNS server on the same subnet has already been assigned a static address of 192.168.0.200. With the least administrative effort, how can you allow for compatibility between the DNS server’s address and DHCP service on the subnet?

ANSWER

By configuring an exclusion for the address 192.168.0.200, you can most easily allow for compatibility between the DNS server and the currently configured DHCP scope.

5. Within your only subnet, you want 10 specific DHCP clients (out of 150 total on the network) to use a test DNS server that is not assigned to any other computers through DHCP. How can you best achieve this objective?

ANSWER

The best way to achieve this objective is to create a new user class, configure a 006 DNS Servers option for the class that specifies the IP address of the test DNS server, and then set the class of the 10 DHCP clients by running the Ipconfig /setclassid command.


CHAPTER CASE SCENARIOS

Case Scenario 1-1: Obtaining an IP Address

Last month, a server was configured for DHCP and was functioning normally. Five days ago, a test server on the same network segment was promoted to be the first domain controller on the network. Today several users on the same subnet as the original DHCP server have complained that they are unable to obtain an IP address using DHCP. What is the most likely reason users are unable to obtain an IP address?

a. The user’s IP address leases have expired.

b. A DHCP relay agent is missing or incorrectly configured.

c. There are duplicate IP addresses on the network.

d. The DHCP server must be authorized and is not.

ANSWER

d. Because Active Directory was introduced onto the network, the DHCP servers must now be authorized. Expired IP address leases trigger the acquisition of a new address and do not, by themselves, prevent a computer from obtaining a new address. A missing DHCP relay agent would cause clients on remote subnets not to obtain new addresses; however, the clients that have complained about not receiving an address are not using a DHCP relay agent. Although a duplicate IP address would prevent network communication, it does not prevent a computer from obtaining a new IP address from the DHCP server.

Case Scenario 1-2: Maximizing Lease Availability

You are configuring DHCP scope options for Contoso, Ltd. The company has a limited number of IP addresses available for clients, and it wants to configure DHCP to maximize lease availability. Choose all of the following actions that will accomplish this objective:

a. Set long lease durations for IP addresses.

b. Set short lease durations for IP addresses.

c. Configure a DHCP option to automatically release an IP address when the computer shuts down.

d. Create DHCP reservations for all portable computers.

ANSWER

b, c. A is incorrect because setting long lease durations means that clients that no longer need leases may still hold them. IP addresses not in use will not be reclaimed unless the computer is configured to release the IP address lease at shutdown, manually releases the lease, or the lease period expires. A long lease period will ultimately result in fewer available addresses. B is correct because setting short lease durations enables faster recovery of IP addresses and results in a greater number of available addresses. C is correct because configuring a client to release an address on shutdown results in more available IP addresses. D is incorrect because creating DHCP reservations does not increase the available addresses, but in fact will decrease them.
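As an added example (not from the textbook), the following Python model of one DHCP scope walks a client through the DISCOVER/OFFER/REQUEST/ACK exchange of review question 2, honours an exclusion for a statically addressed host as in question 4, and shows that an address returns to the pool only when its lease expires or the client releases it, which is the reasoning behind question 3 and Case Scenario 1-2. The addresses, client identifiers and lease lengths are constructed.

```python
# Added example, not the textbook's own code: a minimal model of one DHCP scope.
# Addresses, client IDs and lease durations below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    client_id: str
    expires_at: float          # time on the scope's simulated clock


class DhcpScope:
    """An address range with exclusions, pending offers and active leases."""

    def __init__(self, first, last, lease_seconds, exclusions=()):
        self.first = int(ipaddress.IPv4Address(first))
        self.last = int(ipaddress.IPv4Address(last))
        self.lease_seconds = lease_seconds
        # Excluded addresses are never offered, e.g. a DNS server with a static IP.
        self.excluded = {str(ipaddress.IPv4Address(e)) for e in exclusions}
        self.leases = {}       # ip -> Lease
        self.offers = {}       # client_id -> ip offered but not yet acknowledged
        self.now = 0.0         # simulated clock, seconds

    def tick(self, seconds):
        """Advance the clock; leases past their expiry return to the pool."""
        self.now += seconds
        expired = [ip for ip, l in self.leases.items() if l.expires_at <= self.now]
        for ip in expired:
            del self.leases[ip]
        return expired

    def free_addresses(self):
        """Addresses in range that are not excluded, leased or offered."""
        taken = set(self.leases) | set(self.offers.values()) | self.excluded
        return [str(ipaddress.IPv4Address(n))
                for n in range(self.first, self.last + 1)
                if str(ipaddress.IPv4Address(n)) not in taken]

    def handle(self, msg_type, client_id):
        """Server side of the exchange. Returns (reply_type, ip)."""
        if msg_type == "DHCPDISCOVER":
            if client_id not in self.offers:
                free = self.free_addresses()
                if not free:
                    return None, None            # scope exhausted: server stays silent
                self.offers[client_id] = free[0]
            return "DHCPOFFER", self.offers[client_id]
        if msg_type == "DHCPREQUEST":
            ip = self.offers.pop(client_id, None)
            if ip is None:
                return "DHCPNAK", None           # nothing was offered to this client
            self.leases[ip] = Lease(ip, client_id, self.now + self.lease_seconds)
            return "DHCPACK", ip
        if msg_type == "DHCPRELEASE":
            # Case Scenario 1-2, option c: a client releasing at shutdown frees its address.
            for ip, lease in list(self.leases.items()):
                if lease.client_id == client_id:
                    del self.leases[ip]
                    return None, ip
            return None, None
        raise ValueError(f"unsupported message type {msg_type}")


def acquire(scope, client_id):
    """Client side: DISCOVER -> OFFER -> REQUEST -> ACK. Returns the leased IP or None."""
    reply, offered = scope.handle("DHCPDISCOVER", client_id)
    if reply != "DHCPOFFER":
        return None
    reply, ip = scope.handle("DHCPREQUEST", client_id)
    return ip if reply == "DHCPACK" else None


if __name__ == "__main__":
    # The scope from review question 4: 192.168.0.11-254 with the DNS server excluded.
    scope = DhcpScope("192.168.0.11", "192.168.0.254", lease_seconds=8 * 3600,
                      exclusions=["192.168.0.200"])
    print(acquire(scope, "client-a"))                    # first free address, .11
    print("192.168.0.200" in scope.free_addresses())     # False: the exclusion holds
```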


4 TEXTBOOK CHAPTER 2 ANSWERS: MANAGING AND MONITORING DHCP

CHAPTER 2

MANAGING AND MONITORING DHCP

CHAPTER REVIEW QUESTIONS

1. You have a Windows NT 4 client for which you want to enable dynamic updates. You want the DHCP server to automatically update both the A record and PTR record. Which action will accomplish this?

a. Take no action. Updating of the A record and PTR record happens automatically by default.

b. In the DNS tab of the DHCP server properties dialog box, select Dynamically Update DNS A And PTR Records For DHCP Clients That Do Not Request Updates.

c. In the DNS tab of the DHCP server properties dialog box, select Always Dynamically Update DNS A And PTR Records.

d. Register the client as a dynamic host with the DHCP server.

ANSWER

b. Because pre–Windows 2000 clients can neither directly update their records nor request the DHCP server to update their records, you must select Update DNS A And PTR Records For DHCP Clients That Do Not Request Updates.

2. You have not modified the default settings for DNS on the DHCP client or server. Which of the following client record or records will the DHCP server update in DNS? (Assume the clients are running Windows XP.)

a. The PTR resource record

b. The A resource record

c. Both the PTR and A resource records

d. Neither the PTR nor the A resource record

ANSWER

a. By default, the DHCP server updates only the PTR record for DHCP clients running Windows 2000 and later. You can configure the DHCP server to update Windows 2000 and later clients, as well as pre–Windows 2000 DHCP clients.


3. For a zone in which only secure dynamic updates are allowed, you have configured your DHCP server to perform dynamic updates on behalf of Windows NT 4 clients. Other dynamic DNS settings on the DHCP server have the default settings. After you migrate the clients to Windows XP, you find that their A resource records are no longer being updated. What is the most likely explanation for this problem?

ANSWER

The DHCP server is not a member of the DnsUpdateProxy security group.

4. True or False: If a DNS zone accepts only secure dynamic updates and the DHCP server is a member of the DnsUpdateProxy security group, the resource records created by the Netlogon service for the domain controller lack security? Explain your answer.

ANSWER

True. Being a member of the DnsUpdateProxy security group enables servers to update records without taking ownership of records and without requiring credentials for update. Although this enables multiple entities to update the same record, it also poses a security risk.

5. Automatic and manual backups of the DHCP database are successfully performed. You want to restore the following: all of the scopes, reservations, leases, options, and security credentials. What should you do?

a. Restore from the automatic backup.

b. Restore from the manual backup.

c. Restore from an offline backup.

d. Restore from the automatic or manual backup, and reconfigure security credentials manually.

ANSWER

d. Regardless of how you back up and restore a DHCP database, you must reconfigure security credentials manually.


6. You just completed a restoration of the DHCP database. You start the DHCP console to verify a successful restoration. You notice the scope and options are displayed, but active leases are not. What should you do to repopulate the active leases?

a. The restoration failed. Perform the restoration again.

b. The restoration failed because the backup was corrupt. Locate a valid backup and use it to restore the DHCP database.

c. Using the DHCP console, perform reconciliation.

d. Delete the Tmp.mdb file, and restart the DHCP service.

ANSWER

c. Because the scope and options are displayed, it is unlikely that the restoration failed or that the backup was corrupt. Performing reconciliation will repopulate the active lease information from the registry into the DHCP database. Deleting the Tmp.mdb file has no effect on restoring the active leases.

7. You are monitoring a DHCP server and you want to save the audit log that was created last Tuesday. Today is Monday. What should you do?

a. Do nothing; the DHCP server automatically saves the log after writing to it.

b. Remove the log file from the directory.

c. Change the location of the log files.

d. On Wednesday, stop and start the DHCP Server service.

ANSWER

b. To prevent the log file from being overwritten, remove it from the designated log file directory. Although it is true that the DHCP server saves the file after writing to it, if you do nothing, it will overwrite the file by default. Changing the location of the log files will prevent you from overwriting the file, but changing the location each time you want to prevent a file from being overwritten is not efficient. You can prevent overwriting of the file by starting and stopping the DHCP Server service.

8. You want to determine how many IP addresses are available for lease across all scopes. What tool should you use for this?

a. System Event Log

b. DHCP scope statistics

c. DHCP server statistics

d. DHCP audit log

ANSWER

c. Only the DHCP server statistics window shows you the addresses available across different scopes.


CHAPTER CASE SCENARIOS

Case Scenario 2-1: Monitoring DHCP Requests

You have been monitoring DHCP server activity by using System Monitor. You have been viewing the Discovers/sec counter. You observe a sudden increase in the number of DHCP requests. Which of the following statements could explain the sudden increase?

a. A large number of clients are initializing simultaneously and attempting to locate a DHCP server.

b. A large number of clients are shutting down simultaneously and releasing their IP address leases.

c. Scope leases are too short, forcing an increase in DHCPNACK messages.

d. Two new DHCP servers have been initialized on the network and are querying the directory service for the enterprise root.

ANSWER

a. Clients send these messages when they log on to the network and obtain a new address lease. When clients shut down, they do not send DHCPDISCOVER messages. If the scope lease is too short, leases expire quickly. In this scenario, clients send DHCPREQUEST messages, not DHCPNACK messages. When a DHCP server queries the directory service, it sends DHCPINFORM messages, not DHCPDISCOVER messages.

Case Scenario 2-2: Monitoring DHCP Network Traffic

Recently, users have complained that the network is slow at different periods throughout the week. You suspect heavy DHCP traffic is a contributing cause. When DHCP traffic is heavier than normal, you want notification of it. How can you accomplish this?

ANSWER

To determine what is normal, you must first create a performance baseline for comparison to current conditions. After you have created a performance baseline, determine a threshold for notification (for example, a 50 percent to 100 percent increase in traffic), and then set an alert to notify you.
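The baseline-then-alert approach in this answer, as an added example that is not part of the textbook: because the complaints vary by period of the week, the baseline for a counter such as Discovers/sec is kept per weekday and hour, and a new sample raises an alert only when it exceeds that period's baseline by the chosen percentage. The sample series is constructed.

```python
# Added example, not the textbook's own code: a per-hour-of-week baseline for a DHCP
# counter (Discovers/sec) and a threshold check against it. All samples are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


def build_baseline(samples):
    """samples: iterable of (datetime, value). Returns {(weekday, hour): mean value}."""
    sums = defaultdict(float)
    counts = defaultdict(int)
    for ts, value in samples:
        key = (ts.weekday(), ts.hour)
        sums[key] += value
        counts[key] += 1
    return {k: sums[k] / counts[k] for k in sums}


def check_samples(samples, baseline, increase_pct=50.0):
    """Return (timestamp, value, threshold) for samples above the baseline for that hour.

    increase_pct is the notification threshold from the answer, e.g. 50 for a 50 percent
    increase over normal; a sample with no baseline period is skipped, not alerted on.
    """
    alerts = []
    for ts, value in samples:
        normal = baseline.get((ts.weekday(), ts.hour))
        if normal is None:
            continue
        threshold = normal * (1 + increase_pct / 100.0)
        if value > threshold:
            alerts.append((ts, value, round(threshold, 2)))
    return alerts


def constructed_week(start, busy_hour=8, quiet=2.0, busy=20.0):
    """Seven days of hourly samples: a morning logon burst, otherwise quiet."""
    out = []
    for h in range(7 * 24):
        ts = start + timedelta(hours=h)
        out.append((ts, busy if ts.hour == busy_hour else quiet))
    return out


if __name__ == "__main__":
    start = datetime(2010, 5, 3)
    baseline = build_baseline(constructed_week(start))
    later = start + timedelta(days=7)
    new_samples = [(later + timedelta(hours=8), 35.0),   # well above the 08:00 norm
                   (later + timedelta(hours=9), 2.5)]    # within the 09:00 norm
    for ts, value, threshold in check_samples(new_samples, baseline):
        print(f"{ts:%a %H:%M} Discovers/sec={value} exceeds threshold {threshold}")
```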


8 TEXTBOOK CHAPTER 3 ANSWERS: IMPLEMENTING NAME RESOLUTION USING DNS

CHAPTER 3

IMPLEMENTING NAME RESOLUTION USING DNS

CHAPTER REVIEW QUESTIONS

1. Describe the process by which secondary servers determine whether a zone transfer should be initiated.

ANSWER

The secondary server conducts an SOA query, in which the serial number value in the primary zone’s SOA resource record is compared to the serial number value in the secondary server’s own version of the zone database. If the secondary server determines that the master zone has a higher serial number, a transfer is initiated.

2. What is the difference between an IXFR query and an AXFR query?

ANSWER

IXFR queries initiate an incremental zone transfer. In these transfers, only the updated information is transferred across the network. AXFR queries initiate an all-zone transfer. In these transfers, the complete zone database is transferred across the network.

3. You discover that an administrator has adjusted the default TTL value for your company’s primary DNS zone to 5 minutes. Which of the following is the most likely effect of this change?

a. Primary servers initiate a zone transfer every 5 minutes.

b. DNS clients have to query the server more frequently to resolve names for which the server is authoritative.

c. Secondary servers initiate a zone transfer every 5 minutes.

d. DNS hosts reregister their records more frequently.

ANSWER

d. Smaller TTL values help ensure that information about the domain is more consistent across the DNS databases, especially in environments in which the data changes frequently, but because records expire more quickly, clients must query the server more frequently. This also increases the load on the name servers that contain the name, and it also increases Internet traffic. Answer a is not correct because the TTL does not dictate the frequency of zone transfers. Answer b is not correct because the TTL does not dictate the frequency of zone transfers. Answer c is not correct because changing the TTL has no impact on how frequently DNS hosts register their records.


4. Relative to file-backed zones, storing DNS zones in Active Directory results in which of the following?

a. Less frequent transfer of information

b. Increased need for administration

c. Less saturation of network bandwidth

d. Ability to perform secure dynamic updates

ANSWER

a. Using Active Directory–integrated zones, or storing zones in Active Directory, means less administration and more efficient replication, which results in lower bandwidth utilization and access control to records resulting in secure dynamic updates. Answer b is not correct because storing zones in Active Directory requires less need for administration. Answer c is not correct because storing zones in Active Directory enables transfers to take advantage of the more efficient replication process provided by Active Directory. Answer d is not correct because Active Directory provides the capability for secure dynamic updates.

5. You want to consolidate DNS traffic between your network and the Internet. How could you use a forwarder to accomplish this?

ANSWER

One possible answer is to configure the firewall used by your network to allow only one DNS server to communicate with the Internet. Configure the other DNS servers to forward queries they cannot resolve locally to the Internet-facing DNS server. The Internet-facing DNS server acts as a forwarder to the other servers.

6. What are some reasons a source server might respond with an AXFR to an IXFR request?

ANSWER

The primary server for a zone is not required to perform an incremental zone transfer. It can choose to perform a full zone transfer if the primary DNS server does not support incremental zone transfers, if the primary DNS server does not have all the necessary data for performing an incremental zone transfer, or if an incremental zone transfer would consume more network bandwidth than a full zone transfer.

7. True or False: A primary server always initiates a zone transfer?

ANSWER

False. A secondary server always initiates a zone transfer.
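The zone-transfer decisions from questions 1, 2, 6 and 7, as an added example that is not the textbook's own code: the secondary compares the serial from its SOA query with its own and initiates a transfer only if the master is newer; the primary then answers an IXFR request with an incremental change list, or falls back to a full AXFR for each of the three reasons given in answer 6. Serial comparison uses RFC 1982 arithmetic, which generalizes the page's "higher serial number" test to 32-bit wraparound. Zone contents, serials and change history are constructed.

```python
# Added example, not the textbook's own code: SOA serial check on the secondary and the
# IXFR-versus-AXFR decision on the primary. Zone data and serials are constructed.
from dataclasses import dataclass, field

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: is serial a greater than serial b, allowing for 32-bit wraparound?"""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def secondary_needs_transfer(local_serial, soa_serial_from_master):
    """What the secondary decides after its SOA query: transfer only if the master is newer."""
    return serial_gt(soa_serial_from_master, local_serial)


@dataclass
class Primary:
    serial: int
    records: dict                       # name -> rdata, the current zone contents
    # history[from_serial] = {"to": next_serial, "deleted": {...}, "added": {...}}
    history: dict = field(default_factory=dict)
    supports_ixfr: bool = True

    def answer_transfer(self, query_type, client_serial=None):
        """Return ("AXFR", full zone) or ("IXFR", list of change steps)."""
        full = ("AXFR", dict(self.records))
        if query_type == "AXFR" or not self.supports_ixfr:
            return full                                  # reason 1: no IXFR support
        steps, cur = [], client_serial
        while cur != self.serial:
            step = self.history.get(cur)
            if step is None:
                return full                              # reason 2: history is incomplete
            steps.append(step)
            cur = step["to"]
        changed = sum(len(s["deleted"]) + len(s["added"]) for s in steps)
        if changed >= len(self.records):
            return full                                  # reason 3: IXFR would cost more
        return "IXFR", steps


def apply_transfer(local_records, kind, payload):
    """The secondary applies whatever the primary sent; returns the new zone contents."""
    if kind == "AXFR":
        return dict(payload)
    zone = dict(local_records)
    for step in payload:
        for name in step["deleted"]:
            zone.pop(name, None)
        zone.update(step["added"])
    return zone


if __name__ == "__main__":
    old = {"www": "192.168.0.10", "mail": "192.168.0.20"}
    primary = Primary(
        serial=2010050102, records={"www": "192.168.0.11", "mail": "192.168.0.20"},
        history={2010050101: {"to": 2010050102, "deleted": {"www": "192.168.0.10"},
                              "added": {"www": "192.168.0.11"}}})
    if secondary_needs_transfer(2010050101, primary.serial):
        kind, payload = primary.answer_transfer("IXFR", 2010050101)
        print(kind, apply_transfer(old, kind, payload))
```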


CHAPTER CASE SCENARIOS

Case Scenario 3-1: Minimizing DNS Traffic and Administration

Contoso, Ltd., has a branch office connected to corporate headquarters with a slow WAN link. The company wants to minimize the amount of traffic generated by the local DNS server on this link and minimize DNS administration in the branch office.

How would you configure the DNS server to meet these requirements?

a. Disable round-robin and netmask ordering.

b. Reduce the refresh interval in the SOA resource record for the primary zone.

c. Do not configure any forward or reverse zones, but configure the server to use a forwarder.

d. Configure the forward lookup zone with a WINS lookup record, and decrease the cache time-out value.

ANSWER

c. This will make the server a caching-only server, which will eliminate zone transfer network traffic. Answer a is incorrect because disabling round-robin and netmask ordering changes how addresses are returned to clients, but does nothing to lower administration or use of bandwidth. Answer b is incorrect because reducing the refresh interval will likely consume more, not less, bandwidth. Answer d is incorrect because the DNS server will still create network traffic to use WINS records. Decreasing the cache time-out value increases the number of lookups and consequently the amount of network traffic.


Case Scenario 3-2: Troubleshooting Access to External Resources

You are the network administrator for Contoso, Ltd. Users are complaining that they cannot access resources external to the local network. You eliminate connectivity issues to the DNS server and narrow the problem to name resolution. Using Ping.exe, you are able to successfully resolve local hosts but cannot resolve names external to the local network. Which of the following is the most likely cause of this issue? Choose the correct answer.

a. The local DNS server is not authoritative for the Internet DNS domains.

b. Iterative queries are disabled on the DNS servers.

c. Recursive queries are disabled on the DNS servers.

d. DNS root hints are missing or incorrectly configured.

ANSWER

d. Root hints are DNS resource records stored on a DNS server that list the IP addresses for the DNS root servers on the Internet. If the DNS root hints are missing or incorrectly configured, the DNS server will not be able to forward requests for the queried Internet domain. Answer a is incorrect. The local DNS server is authoritative for only the organization’s DNS domain. Internet DNS servers are authoritative for all first-level DNS domains. Answer b is incorrect because you cannot disable iterative queries on the DNS server. Answer c is incorrect. If recursive queries are disabled on the DNS server, the DNS server would send DNS referrals back to the client. The client would still be able to connect to Internet resources.


12 TEXTBOOK CHAPTER 4 ANSWERS: MANAGING AND MONITORING DNS

CHAPTER 4

MANAGING AND MONITORING DNS

CHAPTER REVIEW QUESTIONS

1. What is the function of round robin in DNS?

ANSWER

Round robin rotates the order of matching resource records in the response list returned to DNS clients. Each successive DNS client that queries for a multihomed name gets a different resource record at the top of the list.

2. Which feature takes priority—round robin or netmask ordering?

ANSWER

Round robin is secondary to subnet prioritization. When the Enable Netmask Ordering check box is also selected, round robin is used as a secondary means to order returned resource records for multihomed computers.
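The ordering described in answers 1 and 2, as an added example that is not the textbook's own code: for a multihomed name, netmask ordering (subnet prioritization) takes priority and moves records on the querying client's subnet to the front, while round robin rotates the list one position per query so successive clients see a different first record. The /24 used here to decide "same subnet" is an assumption of this model rather than the Windows Server 2003 default, and the addresses are constructed.

```python
# Added example, not the textbook's own code: ordering the A records of a multihomed name
# with netmask ordering and round robin. The /24 subnet test is this model's assumption;
# all addresses are constructed.
import ipaddress


class AnswerOrderer:
    def __init__(self, netmask_ordering=True, round_robin=True, prefix_len=24):
        self.netmask_ordering = netmask_ordering
        self.round_robin = round_robin
        self.prefix_len = prefix_len
        self._queries = {}                 # name -> number of queries answered so far

    def order(self, name, records, client_ip):
        """Return the records for `name` in the order they would be sent to client_ip."""
        n = self._queries.get(name, 0)
        self._queries[name] = n + 1
        recs = list(records)
        if self.round_robin and recs:
            # Rotate one position per query so each successive client gets a
            # different record at the top of the list.
            k = n % len(recs)
            recs = recs[k:] + recs[:k]
        if self.netmask_ordering:
            # Subnet prioritization takes priority: records on the client's own subnet
            # move to the front, and round robin only orders within each group.
            client_net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}",
                                              strict=False)
            local = [r for r in recs if ipaddress.ip_address(r) in client_net]
            remote = [r for r in recs if ipaddress.ip_address(r) not in client_net]
            recs = local + remote
        return recs


def first_answers(orderer, name, records, client_ips):
    """The top record each client in turn receives; shows the two features interacting."""
    return [orderer.order(name, records, ip)[0] for ip in client_ips]


if __name__ == "__main__":
    www = ["10.0.0.5", "10.0.1.5", "10.0.0.6"]      # a multihomed host, constructed
    both = AnswerOrderer()
    print(first_answers(both, "www", www, ["10.0.0.99", "10.0.0.99", "10.0.1.7"]))
    rr_only = AnswerOrderer(netmask_ordering=False)
    print(first_answers(rr_only, "www", www, ["10.0.0.99", "10.0.0.99", "10.0.0.99"]))
```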

3. Which of the following are valid reasons to monitor the TTL settings on your DNS servers? Choose all that apply.

a. Query traffic increases as DNS clients request information that has expired from their cache.

b. DNS clients may be caching outdated records.

c. DNS clients may not be able to resolve host names.

d. Query traffic decreases as DNS clients request information that has expired from their cache.

ANSWER

a and b. Answer c is incorrect because TTL has no effect on whether clients are able to resolve host names. Answer d is incorrect because traffic increases, not decreases.

4. What type of test query can be run from the Monitoring tab of the DNS server properties page?

a. Recursive query

b. Simple query

c. Verbose query

d. Interval query

ANSWER

a and b.


5. Which of the following approaches provides the best early warning of a DNS service failure?

a. Create an alert based on the standard performance counters, and set the threshold to notify you if the counters exceed 95 percent of the recommended threshold.

b. Create an alert based on the counters that you decide are appropriate indicators of a failure, and set the threshold to notify you when it is 10 percent below the baseline.

c. Create an alert based on the standard counters, and set the threshold to notify you if the counters exceed 75 percent of the recommended threshold.

d. Create an alert based on the counters that you decide are appropriate indicators of a failure, and set the threshold to notify you when it is 10 percent above the baseline.

ANSWER

d. Answers a and c are incorrect because standard counters should be customized for your organization’s specific conditions. Answer b is incorrect because when the threshold is at or slightly below the baseline, conditions are normal, not problematic.

6. You are a systems administrator for Contoso, Ltd. Contoso is planning its DNS zones, and you have been asked to recommend the best way to configure the zones on the company’s Microsoft Windows Server 2003 computers.

You recommend using Active Directory–integrated zones. Why do you recommend this configuration?

Choose all answers that apply.

a. DNS data is replicated with Active Directory.

b. You can configure secure dynamic updates.

c. The DNS load will be shared because the other domain controllers will become secondary DNS servers.

d. You can configure a replication scope.

ANSWER

a, b, and d. However, the additional DNS servers will not become secondary DNS servers but masters that can both read and write DNS data.


7. You are the administrator for Contoso, Ltd., and have updated the IP address for a host by using the DNS console. Assuming it exists, which of the following types of resource records is associated with the host record and must also be updated?

a. A resource record

b. MX resource record

c. NS resource record

d. PTR resource record

e. SOA resource record

f. SRV resource record

ANSWER

d. A PTR record is associated with an address (A) resource record. It maps an IP address to a host name. If the associated host name changes, so must the PTR record. Answer a is incorrect because it is the record being updated. Answer b is incorrect because a mail exchanger (MX) record specifies a mail server for the domain and it may not be required to change if an A resource record changes. Answer c is incorrect because an NS record specifies the server responsible for the zone. Answer e is incorrect because it specifies the start of authority and is not impacted by a change in a host record. Answer f is incorrect because an SRV record specifies a server providing a specific service and is not necessarily associated with a host record.

8. A client computer on the internal network of Contoso, Ltd., is unable to connect to a file server. You verify the file server is running and are able to connect to it using another client computer on the same subnet. You suspect the client computer that cannot connect has outdated information in its local cache. Which of the following actions would fix the issue?

a. At the client computer, run the Ipconfig /flushdns command.

b. At the file server, run the Ipconfig /flushdns command.

c. At the file server, run Nslookup.

d. At the file server, stop and start the DNS Client service.

ANSWER

a. Running the Ipconfig /flushdns command clears the client cache. Answer b is incorrect because although running Ipconfig /flushdns clears the cache on the file server, it does not solve the problem on the client. Answer c is incorrect because running Nslookup on the server does not remove the outdated information on the client. Answer d is incorrect because stopping and starting the DNS Client service on the server does not remove outdated information on the client.


CHAPTER CASE SCENARIOS

Case Scenario 4-1: Enabling Network Users to Connect to Internet Host Names

You are the network administrator for Contoso, Ltd. The Contoso network consists of a single domain, contoso.com, which is protected from the Internet by a firewall. The firewall runs on a computer named NS1 that is directly connected to the Internet. NS1 also runs the DNS Server service, and its firewall allows DNS traffic to pass between the Internet and the DNS Server service on NS1 but not between the Internet and the internal network. The DNS Server service on NS1 is configured to use round robin. Behind the firewall, two computers are running Windows Server 2003—NS2 and NS3, which host a primary and secondary DNS server, respectively, for the contoso.com zone.

Users on the company network report that, although they use host names to connect to computers on the local private network, they cannot use host names to connect to Internet destinations, such as www.microsoft.com.

Which of the following actions requires the least amount of administrative effort to enable network users to connect to Internet host names?

a. Disable recursion on NS2 and NS3.

b. Enable netmask ordering on NS1.

c. Configure NS2 and NS3 to use NS1 as a forwarder.

d. Disable round robin on NS1.

ANSWER

c. Disabling recursion will force NS2 and NS3 to use iterative queries, but will not enable them to resolve external names. Enabling netmask ordering will provide results in the most efficient order for clients, but does not enable internal clients to resolve external addresses. Configuring NS2 and NS3 to use NS1 as a forwarder will result in successful name resolution for internal clients. Disabling round robin will prevent any possible load balancing, but does not enable internal clients to resolve external host names.


Case Scenario 4-2: Implementing DNS Updates

You are the system administrator for Contoso, Ltd. The company has grown rapidly over the past year, and currently Contoso is using only a single DNS zone. Recently, the Marketing department has made several requests for DNS changes that were delayed. Users would like the ability to make their own DNS updates.

What should you do to try to address this problem?

a. Create a secondary server in the Marketing department so that users can manage their own zone.

b. Delegate the marketing domain to a DNS server in the Marketing department.

c. Place a domain controller running DNS in the Marketing department so that people in the department can make changes.

d. Upgrade the network infrastructure to improve network performance.

ANSWER

b. The marketing domain would reside on a computer in the Marketing department where marketing personnel could administer the zone themselves and make changes as necessary.


TEXTBOOK CHAPTER 5 ANSWERS: NETWORK SECURITY 17

CHAPTER 5

NETWORK SECURITY

CHAPTER EXERCISE

Exercise 5-5: Using the Security Configuration And Analysis Snap-In

Analyzing System Security

7. In the details pane, review the policies that were analyzed. They display the result of a comparison between actual settings and the database setting.

QUESTION List some of the configuration settings that are the same in the database and on the computer.

ANSWER

Any setting that is labeled with a green check mark is the same in the database as it is on the computer.

QUESTION List some of the configuration settings that are different in the database than on the computer.

ANSWER

Any setting that is labeled with a red X or exclamation point. Policies labeled with a red X do not match. Policies labeled with an exclamation point exist in the database, but not on the computer.

CHAPTER REVIEW QUESTIONS

1. Which of the following are user rights?

a. Allow log on locally

b. Access a share with full control

c. Open a database file

d. Back up files and directories

ANSWER

a and d. Answers b and c are incorrect because they are permissions.


2. An administrator temporarily grants a user rights to log on locally to a domain controller by applying a policy to the domain GPO. The administrator does not add the user to other groups. When the user attempts to log on, Windows Server 2003 displays the following error: “User does not have the right to log on interactively.” What is the most likely cause of the problem?

ANSWER

The administrator applied the policy to the domain GPO. By default, the policy setting at the domain controller’s OU does not allow users to log on locally to the domain controller, and it overrides the domain-level policy settings.

3. You are the system administrator responsible for creating, configuring, and managing GPOs for your organization. The systems engineers present you with a plan, and you must determine whether you can use a default template. Which of the following default Group Policy templates provides the highest default security for clients?

a. Rootsec

b. Hisecws

c. Securews

d. Compatws

ANSWER

b. Hisecws is the template used for the highest level of security.

4. You are responsible for creating, configuring, and managing GPOs for your organization. You must determine which settings on the domain controller do not match the security policies that were applied using a specific template. Which of the following tools can you use to determine this?

a. Domain Security Policy

b. Security Configuration And Analysis snap-in

c. Group Policy Management

d. Active Directory Users And Computers

ANSWER

b. The Security Configuration And Analysis snap-in can evaluate security policy against current settings on a computer. The other tools cannot evaluate security policy against settings; therefore, answers a, c, and d are incorrect.


5. You are the system administrator responsible for creating, configuring, and managing GPOs for your organization. Before you can determine which Group Policy settings you should apply to each GPO, you must determine which types of Group Policy settings you can configure. Which of the following types of Group Policy settings can you configure in an Active Directory environment? Choose all that apply.

a. Desktop settings

b. Network connections

c. Location of computers

d. Inventory-installed software

e. Who can log on to a computer and when

ANSWER

a, b, and e. Answers c and d are incorrect because you cannot configure the location of computers and inventory-installed software with Group Policy.

CHAPTER CASE SCENARIOS

Case Scenario 5-1: Folder Redirection

You are the system administrator for Contoso, Ltd., and you want to centrally store users’ data using folder redirection. Specifically, you want to configure folder redirection of the My Documents folder to each user’s existing home directory. Users should have exclusive access to their My Documents data. How will you accomplish your objectives? Choose two answers.

a. Configure a GPO to set the Folder Redirection policy to redirect to the user’s home directory setting, and link it to the appropriate OU.

b. Configure a GPO to set the Grant The User Exclusive Rights To My Documents setting to Disabled, and link it to the appropriate OU.

c. Configure a GPO to set the Folder Redirection policy to redirect special OU units.

d. Configure a GPO to set the Grant The User Exclusive Rights To My Documents setting to Enabled, and link it to the appropriate OU.

ANSWER

c and d. Redirecting special folders to a specific path satisfies the requirements. You must enable the Grant Exclusive Right To My Documents setting to satisfy your requirements. Answer a is incorrect. Here, you redirect the My Documents folder, not the home directory. Answer b is incorrect. You want to provide—not disable—exclusive access to the My Documents folder.


Case Scenario 5-2: Auditing

Someone notifies you that users are having a difficult time accessing shared resources on two of the organization’s file servers. You decide to review the audit logs for these servers to determine the cause of the issues. When you review the event logs, you discover that the log contains only data from the previous 12 hours. What might be responsible for the lack of data? Choose all that apply.

a. The maximum size of the event log is too small.

b. You audited too many events.

c. The Overwrite Events Older Than [x] Days setting is set to 1 day.

d. Another administrator manually cleared the event logs.

e. The relevant events are logged to domain controllers, not member servers.

ANSWER

a, c, and d. Answer a is correct because when the maximum size of the event log is too small, events that help you determine the problem can be overwritten. Answer c is correct because it allows events to be overwritten every 24 hours, which might not allow enough log activity time. Answer d is correct because the events might have been cleared when another administrator tried to isolate a different issue. Answer b is incorrect because you cannot determine how much log activity the audit objects will produce. It is possible to audit many events that produce little log activity; or, conversely, you can audit only a few objects that produce extremely heavy log activity. Answer e is incorrect because events are logged locally to the servers that are performing the actions.


CHAPTER 6
SECURING NETWORK TRAFFIC WITH IPSEC

CHAPTER REVIEW QUESTIONS

1. Which of the following most accurately describes the functionality of the Client (Respond Only) default policy rule?

a. The client will respond only to requests secured by IPSec.

b. The client will respond to unsecured requests, but will respond by using IPSec.

c. The client will respond to unsecured requests with an unsecured response, but will respond to secure requests with a secure response.

d. The client will respond to a server only if it can perform a reverse lookup on the IP address of the server.

ANSWER

a. The client responds by using IPSec to secure the response if this is requested. Answers b and c are incorrect because the client will not respond to unsecured requests. Answer d is incorrect because the client does not distinguish between the types of computers making the request and because a reverse lookup is not required.

2. Fabrikam, Inc., recently joined two servers to its Active Directory domain. After joining the servers to the domain, the company no longer is able to communicate on the network. You suspect that applying the IPSec policies caused the problem. Which tool would you use to determine whether your suspicion is correct?

a. Network Monitor

b. The security log in Event Viewer

c. Resultant Set of Policies (RSoP)

d. IP Security Monitor

ANSWER

c. RSoP allows you to examine the Group Policy settings that are applied to the computers. Because the computers have recently joined the domain, it is possible that new Group Policy settings apply to the computers. Answer a is incorrect. Although Network Monitor provides detailed information about network activity, you cannot use it to investigate the application of a Group Policy. Answer b is incorrect. Although the event log provides information about the application of policies, it is not an effective tool with which to determine the active policies for a particular computer. Answer d is incorrect. IP Security Monitor displays current IPSec activity and statistics, but it does not indicate which policies are applied to a particular computer.


3. You wish to determine whether a quick mode association is currently in place. Which of the following tools can you use to make that determination?

a. RSoP

b. Event Viewer

c. Oakley log file

d. IP Security Monitor

ANSWER

d. Use the IP Security Monitor to determine which security associations (SAs) exist. Because IP Security Monitor provides real-time quick mode association statistics, you can determine whether the association has been made. Answer a is incorrect. RSoP enables you to verify policies in effect for a given user or computer, but it does not indicate whether a quick mode association is currently in place. Answer b is incorrect. Although IPSec events can be written to Event Viewer, you cannot determine whether an association is currently in place. Answer c is incorrect. Although the Oakley log file displays SA information, it does not display real-time information about the association.

4. IPSec can be used to secure communications between two computers. Which of the following would be good reasons to use IPSec? Choose all that apply.

a. Examine Kerberos tickets

b. Block transfer of specific protocol packets

c. Allow transfer of packets with a destination TCP port of 23 from any computer to the host computer

d. Permit one user to use Telnet to access the computer, while denying another user

ANSWER

b and c. IPSec can be configured to block or accept specific protocol packets. Also, IPSec can be configured to block or accept packets based on criteria, such as TCP port number and IP address. Answer a is incorrect. Although IPSec uses Kerberos as one method of authentication, it is not a tool for examining Kerberos tickets. Answer d is incorrect. IPSec is designed for securing communication between computers; it is not used to authorize or deny user access to resources.


5. What is a good reason for assigning an IPSec policy using Netsh instead of using Group Policy?

a. Using Netsh is the only way to apply a policy that can be used to permit a user’s computer to be used for a telnet session with another computer while blocking all other telnet communications.

b. Using Netsh is more easily implemented than Group Policy when multiple machines must be configured.

c. You can apply Netsh even if the computers are not joined in a domain, whereas Group Policy can work only in a domain.

d. You can use Netsh to create a persistent policy if Group Policy cannot be used.

ANSWER

d. You cannot use Group Policy to create a persistent IPSec policy. Answer a is incorrect. IPSec is not designed to authorize or deny user access to resources. Answer b is incorrect. Both Group Policy and Netsh can be used to restrict a computer’s access to a particular protocol. Answer c is incorrect. Group policies can be applied regardless of whether the computer is joined to the domain.

6. Netsh is used to create and assign an IPSec policy for a stand-alone server running Microsoft Windows Server 2003. One of the commands used is executed from the Netsh IPSec static context. It follows:

Add rule name="SMTPBlock" policy="smtp" filterlist="smtp computerlist" filteraction="negotiate smtp" description="this rule negotiates smtp"

Why is the policy not working?

a. The policy is set with the wrong IP addresses.

b. Each policy specifies a different encryption algorithm.

c. A stand-alone server does not have a Simple Mail Transfer Protocol (SMTP) service; therefore, the policy is unassigned.

d. The policy uses Kerberos for authentication and the computer is not a member of a domain.

ANSWER

d. By default, Kerberos authentication is used and, for the policy to authenticate using Kerberos, it must be a member of an Active Directory domain. Answer a is incorrect. An IP address was not used for the command. Answer b is incorrect. A difference in algorithms between policies does not prevent them from working. Answer c is incorrect. Stand-alone servers do have an SMTP service; however, the presence of the service has no impact on the policy assignment or effectiveness.


7. You wish to set up a tool for maintenance and monitoring of IP policies on remote hosts in your domain. You add the IP Security Monitor and IP Security Policy Management snap-ins to an MMC. However, when you try to add the host 192.168.0.100 to the IP Security Monitor, you get the error message shown in Figure 6-10.


Figure 6-10 IPSec console error message

How can you manage and monitor IPSec on 192.168.0.100?

a. You cannot do so. The host 192.168.0.100 is a legacy host that does not support IPSec.

b. The host 192.168.0.100 is not part of the domain. You must join the host to your domain if you want to use IP Security Monitor.

c. Only IPSec policies that use your authentication can be managed and monitored using IP Security Monitor. You must assign such a policy to 192.168.0.100.

d. You should use legacy Ipsecmon.

e. You cannot add a computer using its IP address. You must use the computer’s DNS host name.

ANSWER

d. This error occurs when you try to add a host running Windows 2000 to the IP Security Monitor. Legacy Ipsecmon is the appropriate tool to use for such hosts. Unfortunately, it is not possible to create a single-seat maintenance tool using this method if some of the client hosts run Microsoft Windows 2000. Answer a is incorrect. Figure 6-10 shows that the IP Security Policy Management snap-in has already been added to the MMC for 192.168.0.100. Therefore, 192.168.0.100 supports IPSec. Answer b is incorrect. Hosts can be managed and monitored using the IP Security Monitor snap-in whether or not they are joined to a domain. Answer c is incorrect. The authentication method has no bearing on whether IP Security Monitor can be used. Answer e is incorrect. You can add computers using an IP address or host name.


8. During the testing of the IPSec policies, the workstation you use as a test computer works correctly and the traffic is encrypted; however, when you resume testing after making some changes on one of the servers, the workstation can no longer communicate with that server. The policy that you set on the server requires you to use Kerberos as the authenticating protocol. What is the most likely cause of the communication issue?

a. Your workstation lost its connection to a domain controller.

b. Your workstation lost its connection to the CA.

c. The IPSec Policy Agent lost communication with the domain controller and must be restarted.

d. You must reapply the server’s IPSec policy.

ANSWER

c. When you troubleshoot communication issues, first stop the IPSec Policy Agent and verify communication, and then restart the IPSec Policy Agent and use the IP Security Monitor to confirm that a security association is established between the computers. Answer a is incorrect. Once the initial connection is made, the IPSec service does not need to contact a domain controller. Answer b is incorrect. It is not likely that the workstation lost its connection to the CA because the connection uses Kerberos, which means a domain controller could authenticate a new session. In addition, the question implies that this is the same session. Answer d is incorrect. Policies are reapplied every time a new connection is made. Reapplying a policy would have no effect on this issue.

CHAPTER CASE SCENARIOS

Case Scenario 6-1: Securing Communications

You administer a Windows Server 2003 Active Directory domain. All client PCs are in a top-level OU called Clients, and all server PCs (apart from domain controllers) are in a top-level OU called Servers. The domain controllers are in their default OU. The Secure Server (Require Security) default IPSec policy has been assigned to all servers, including domain controllers. The Client (Respond Only) default IPSec policy has been assigned to all clients. All client PCs are Windows 2000 Professional hosts.

Management is concerned that the client computers in the Research department do not securely communicate with each other and with other clients. Only four such machines exist. On one of them, you create a custom policy that requires secure communications. You export it to a file and import it into the other three client machines in the Research department. You assign the policy on all four machines.


Next, you use the IP Security Monitor console on one of the machines and find that no SAs are set up between the Research department hosts or between these machines and clients in other departments. You capture traffic using Network Monitor and discover that unencrypted traffic is passing between the Research clients. What is the first step you should take to solve the problem?

a. Change the authentication method on the custom policy to use a preshared key.

b. Change the encryption algorithm from Triple DES (3DES) to Data Encryption Standard (DES).

c. Create an OU.

d. Move the Research department computer accounts into the Servers OU.

ANSWER

c. In this scenario, assigning an IPSec policy locally has no effect. This situation happens when the hosts are in a domain and a policy has been assigned through Group Policy. In this case, the Client (Respond Only) policy has been assigned to a GPO that is linked to the Clients OU. You must create an OU called Research, move the four client computer accounts into that OU, create a GPO linked to Research, and then assign the custom IPSec policy to that GPO. Answer a is incorrect. The policy was exported from one client and exported to the others, so the same authentication method is specified in the policy on all four machines. The authentication method is unlikely to be the problem. In addition, the preshared key authentication method is weak authentication and is not appropriate in this scenario. Answer b is incorrect. A system running Windows 2000 that does not have Service Pack 2 or later installed on it does not support 3DES. If 3DES is specified, the rule defaults to DES for communication with that computer. Therefore, the encryption algorithm is not a factor in this scenario. Answer d is incorrect. This approach would ensure that communication among the Research department’s computers and between the Research department’s computers and other hosts in the domain is encrypted. However, it is not the best solution. Servers are often put into one OU and clients are put into another OU for various reasons—not merely to assign IPSec policy. As a result, the Research department clients would be configured with other settings that might be inappropriate (such as the Log On Locally rights).

Case Scenario 6-2: Troubleshooting IPSec

Your company does not use a domain structure; it uses workgroups. The Research workgroup has six clients running Windows XP Professional, four clients running Windows 2000 Professional, and two stand-alone servers running Windows Server 2003. Communication between hosts in this workgroup must be secure. A member of your support staff configures and assigns an IPSec security policy on all hosts in the Research workgroup. All hosts can ping each other by IP address, but the Research department staff cannot access files on the servers from their client PCs.


You log on to one of the servers using the local administrator account, you access the Security Settings node within Local Computer Policy, and you enable success and failure auditing for logon events. You open Event Viewer and locate a failure audit event 547 in the security log. The failure reason given is, “Failed to obtain Kerberos server credentials for the ISAKMP/ERROR_IPSEC_IKE service.” What is the most likely cause of the problem?

a. The default response rule is not activated.

b. Kerberos has been specified as the initial authentication method.

c. The 3DES encryption algorithm has been specified, and it cannot be used on the clients running Windows 2000.

d. The incorrect policy has been assigned.

ANSWER

d. The error detected occurs when Kerberos is specified as the authentication protocol in an environment that cannot support it (such as a workgroup). It is not possible to create a new policy in this environment, which means that one or more of the default policies must have been assigned. The most common mistake in this situation is to assign Secure Server (Require Security) on the servers. Answer a is incorrect. This rule specifies that to communicate securely, the computer must respond to requests for secure communication. Clearing the check box that specifies this rule would make communication less secure, but would not prevent it altogether. Answer b is incorrect. Kerberos cannot be used for authentication in this scenario because the hosts are not in an Active Directory domain. The IP Security Policy wizard would not create a policy if Kerberos were specified. Answer c is incorrect. A system running Windows 2000 that does not have Service Pack 2 or later installed does not support 3DES. If 3DES is specified, however, the rule defaults to DES for communication with that computer.


CHAPTER 7
IMPLEMENTING AND MANAGING SOFTWARE UPDATE SERVICES

CHAPTER REVIEW QUESTIONS

1. You are the system administrator for Contoso, Ltd., and you have been given the responsibility of managing security patches and other updates to operating systems that already have a SUS-compatible version of Automatic Updates installed. Although you want the ability to approve updates, you do not want to store them all locally. How can you accomplish this?

ANSWER

Use the SUS Administration Web page to configure the server to use a Windows Update Web server instead of storing them locally. To configure this, load the SUS Administration Web page, click Set Options, and in the Select Where You Want To Store Updates section of the details pane, click Maintain The Updates On A Microsoft Windows Update Server, and then click Apply.

2. You want to obtain critical updates and security fixes for your PC that runs Windows XP Professional. You access the Windows Update site. However, you cannot find the Windows Update Catalog under See Also in the left pane. What is the problem?

a. You have not installed and configured SUS.

b. You have not installed and configured Automatic Updates.

c. Transmission Control Protocol (TCP) port 80 is blocked for incoming traffic on the firewall at your Internet service provider (ISP).

d. You must configure the Windows Update site.

ANSWER

d. You should select Personalize Windows Update and select the Display The Link To The Windows Update Catalog Under See Also check box. Answer a is incorrect because SUS is a server application and is not necessary in this situation. Answer b is incorrect because Automatic Updates is installed by default on computers running Windows XP Professional. Answer c is incorrect because you could not have accessed the Microsoft Windows Update site if port 80 were blocked.


3. You administer your company’s Windows Server 2003 Active Directory domain. All client PCs run Windows XP Professional. Company policy states that employees cannot download software or software updates from the Internet. Software must be installed or upgraded on client machines automatically through Group Policy. As the domain administrator, you have been exempted from this policy so that you can download operating system upgrades, security fixes, virus definitions, and Microsoft utilities from the Windows Update site. You then want these upgrades, fixes, and so forth to be installed automatically on other users’ PCs when these users log on to the domain. What should you do after you have downloaded the software?

a. Install and configure SUS on your PC.

b. Install Automatic Updates on the client computers.

c. Create a Windows installer package.

d. Configure Remote Installation Services (RIS) to distribute the software.

ANSWER

c. After you download the software you should create a Windows installer package to be used with Group Policy to distribute the software to users on your network. Answer a is incorrect because you would need SUS if users were permitted to access an internal Web server as if they were accessing the Internet to download and install the relevant programs. However, they cannot perform this task; so software must be installed automatically through Group Policy. Answer b is incorrect. Automatic Updates is installed by default on computers that run Windows XP Professional. The Windows Update site can be configured to send updates automatically to a client. However, in this scenario, clients do not receive updates or fixes by this method; instead, they receive them through Group Policy. Answer d is incorrect because RIS is typically used to automatically install operating systems and application software. It is not the appropriate tool for this scenario.

4. You are the system administrator for Contoso, Ltd., and you have deployed SUS. You open the SUS Administration Web page and perform a synchronization that downloads several new updates. On the Approve Updates page, you notice that the updates are already approved even though you have not yet approved them. What is the most likely reason the updates are already approved?

ANSWER

The SUS server has been configured to automatically approve all updates after synchronization.


5. You have just finished installing SUS and realize that there is not enough disk space to store all the updates locally. How can you configure SUS to solve this problem? Select the best answer.

a. Compress the drive.

b. Configure the SUS server to store the updates on the client computers.

c. Configure the SUS server to download only 80 percent of the available disk free space.

d. Configure the SUS server to use the Microsoft update site rather than to store updates locally.

ANSWER

d. SUS can be configured to maintain the updates on a Microsoft Windows Update server rather than downloading them locally. Answer a is incorrect. Although compressing the drive can provide a temporary solution, it is unlikely to solve the long-term disk space issue. Answer b is incorrect. You cannot configure clients to store updates for SUS. Answer c is incorrect. SUS cannot be configured to download updates based only on percentage of free space.

6. You have deployed a SUS server; however, several clients running Windows XP (no service pack) and Windows 2000 Service Pack 2 are unable to use the SUS server. What is the most likely reason for this problem?

ANSWER

Clients running Windows XP (with no service pack) and Windows 2000 Service Pack 2 and earlier must obtain a newer version of Automatic Updates to utilize SUS.

7. You have set up a second SUS server. You want to configure this server to download only approved updates from another server. How can you configure the second SUS server to only download approved items from a local server?

ANSWER

To configure the SUS server to only synchronize approved items from a local server, click Set Options, and in the Select Which Server To Synchronize Content From, click Synchronize From A Local Software Update Services Server, type the name of the server, and then click Synchronize List Of Approved Items Updated From This Location (Replace Mode).

8. You are troubleshooting SUS client issues and want to check event log messages. Which log should you examine to find SUS client messages?

a. Application log

b. Security log

c. System log

d. Directory Service log

ANSWER

c. SUS client logs are written to the System log.


CHAPTER CASE SCENARIOS

Case Scenario 7-1: Need for SUS

You are the systems administrator for Contoso, Ltd., and you are seeking a way to keep all workstations and servers updated with the latest security patches, driver updates, and recommended updates from Microsoft. You are considering deploying SUS.

A colleague asked you why, since everyone in the company already has an operating system with Automatic Updates enabled, is a SUS server still necessary?

Which of the following answers are valid responses to your colleague’s question?

a. Although Automatic Updates keeps systems updated, you cannot rely on users to consistently accept and install updates.

b. Relying on individual users to individually download and install updates from the Internet causes increased external network traffic relative to downloading updates from an internal SUS server.

c. It is a recommended practice to test updates before deploying them. Allowing individuals to deploy their own updates without first testing the updates could be problematic.

d. A SUS server will automatically update clients running Microsoft Windows 95, a practice that Automatic Updates does not support.

ANSWER

a, b, and c. Answer a is correct because, without a method of enforcing updates, you cannot be certain they will be installed. Answer b is correct because requiring each user to download updates from the Internet increases the amount of external network traffic relative to downloading updates and storing them centrally on an internal server. Answer c is correct because it is important to test any system configuration change before deploying it across your organization. Answer d is incorrect because SUS does not support clients running Windows 95.

Case Scenario 7-2: Stage and Test Updates

You are deploying SUS in your organization. Several workstations in your organization run a non-Microsoft application that was negatively impacted in the past after downloading certain updates. As a result, many of the users of that application have disabled the update feature and are reluctant to participate in the SUS server deployment. How should you design your deployment plan so that you can stage and test updates before distributing them to the rest of the organization?

ANSWER

Include two SUS servers in your plan that share a parent-child relationship. Download all updates to the parent SUS server, test the updates, and approve only updates that pass the test. When the parent has approved updates, the child SUS server downloads them and makes them available to users.

CHAPTER 8

CONFIGURING ROUTING BY USING ROUTING AND REMOTE ACCESS

CHAPTER EXERCISE

Exercise 8-1: Viewing the IP Routing Table

2. At the command prompt, type route print, and then press ENTER.

QUESTION What is the Netmask for the 10.1.0.0 Network Destination?

ANSWER

The Netmask is 255.255.0.0.

CHAPTER REVIEW QUESTIONS

1. You are the network administrator for Fabrikam, Inc. Fabrikam’s network consists of several subnets. Current network users require access to only the company intranet and other internal company resources such as file shares and printers. Fabrikam, Inc., recently hired a team of developers who will be joining your network and whose connectivity requirements you must support. Which of the following options would require you to implement a routing solution for the new developer team? Choose all that apply.

a. The developer team needs corporate connectivity, but its test applications must be isolated from the rest of the network.

b. The developer team uses Internet access to connect to the corporate network.

c. The developer team does not require Internet access, and its test applications do not require corporate connectivity.

d. Source code repositories must be encrypted when stored and accessed across the network.

ANSWER

a and b. Answer a is correct. This solution requires a separate subnet to isolate the traffic to the test applications and requires a routing solution to connect the two networks. Answer b is correct. This solution requires a routing solution to connect the two networks, the Internet, and the corporate network. Answer c is incorrect. Because there is no requirement for separate networks/subnets, no routing solution is required. Answer d is incorrect. Encryption by itself does not require a routing solution.

2. You are the network administrator for Fabrikam, Inc. Fabrikam’s network consists of several subnets. Current network users require access to only the company intranet and other internal company resources such as file shares and printers. Fabrikam, Inc., recently hired a team of developers who will be joining your network and whose connectivity requirements you must support. Which of the following options would require you to determine a packet-filtering solution for the new developer team? Choose all that apply.

a. The developer team needs full corporate connectivity, but its test applications must be isolated to only specific test computers.

b. The developer team needs corporate connectivity, but its test applications must be completely isolated from users on the rest of the network.

c. The developer team does not require Internet access and its test applications do not require corporate connectivity.

d. The developer team uses a predetermined unique protocol to test its applications.

ANSWER

a and d. Answer a is correct. Because you must isolate specific computers, you can configure packet filtering to filter for the individual IP addresses of the test computers. Answer d is correct. Because the developer team uses a predetermined unique protocol, you can configure packet filtering to filter for the specific protocol. Answer b is incorrect. You cannot filter for an individual account. Answer c is incorrect. A packet-filtering solution has no impact on this scenario.

3. Over the past several weeks, users have intermittently complained that they were unable to connect to the VPN server. You examine the network logs and determine that each of the complaints occurred when network usage was peaking. You have ruled out addressing as the cause. What is the most likely reason for the intermittent access problems?

ANSWER

At peak usage, the number of VPN users attempting to connect exceeds the number of available VPN ports.

4. You have configured your remote access server to distribute addresses to remote access clients through a DHCP server. However, you find that your remote access clients assign themselves with only APIPA addresses. Name two possible causes of this scenario.

ANSWER

1. A DHCP server is not available on the network segment, and a DHCP relay agent has not been configured.

2. The DHCP server did not have 10 free addresses in its scope when the Routing and Remote Access server started up.

5. Fabrikam, Inc., recently deployed smart cards to employees who require remote access to the corporate network. Which authentication protocol must you use to support the use of smart cards?

ANSWER

EAP-TLS.

6. Fabrikam, Inc., management wants to ensure that data transferred during remote access are encrypted. Which authentication protocols provide data encryption?

ANSWER

EAP-TLS, MS-CHAP v2, and MS-CHAP v1.

7. You have recently created a new domain in a Windows Server 2003 network, and the domain functional level is Windows 2000 mixed. How is the Allow Access setting in the dial-in properties of a user account different in this environment from that in other server environments?

ANSWER

In Windows 2000 mixed-mode domains, the Allow Access setting does not override the access permission set in the remote access policy. In other server environments, the Allow Access setting does override the access permission configured in the remote access policy.

8. You are troubleshooting a failed remote access connection. You verify that the user account’s dial-in properties are set to Allow Access and that the first matching remote access policy is set to Grant Remote Access Permission. The client still cannot connect. What should you check next?

ANSWER

You should check the remote access policy profile. Constraints configured in the remote access policy profile, such as allowed dial-up hours, are preventing the connection from being established.

CHAPTER CASE SCENARIOS

Case Scenario 8-1: Phone Number Authentication

Fabrikam, Inc., has 10 vendors that must access the company network. For security reasons, Fabrikam wants these 10 vendors to be authenticated only by their phone numbers when dialing into the network. Because they are going to be authenticated by their phone numbers, Fabrikam does not want them to be required to enter a username or password for authentication. How can you implement this configuration?

ANSWER

Create a remote access policy using Calling-Station-ID as the attribute on the policy condition. Type the phone number for the first vendor. In the same policy, add a similar condition for each of the nine remaining vendors. Configure the policy to grant access to connections that match the policy conditions. Edit the policy profile to allow unauthenticated access. After the policy is configured, configure the server properties to allow unauthenticated access.

Case Scenario 8-2: Single-Credential Entry

You are a networking consultant for Fabrikam, Inc., which has already configured a PPTP-type VPN. Although users are not having trouble connecting, they must type their username and password twice. You have been asked to configure the system so users have to type their password only once to connect to the company domain. How can you allow users to avoid typing in their credentials in both the Log On To Windows screen and the VPN connection dialog box? Which authentication protocols can be used over this VPN connection?

ANSWER

Instruct the employees to modify the properties of the VPN connection so that, in the Security tab, the Automatically Use My Windows Logon Name And Password (And Domain If Any) option is selected. Only MS-CHAP v1 and MS-CHAP v2 can be used.

CHAPTER 9

MAINTAINING A NETWORK INFRASTRUCTURE

CHAPTER REVIEW QUESTIONS

1. You receive a report that a user’s computer is responding slowly to user network requests. You want a quick way to see which type of network traffic the server is receiving. You use Network Monitor. You want to see whether any general broadcast traffic is being sent. Which counter should you enable?

a. Nonunicasts/Interval

b. Unicasts/Interval

c. Bytes Sent/Interval

d. Bytes Received/Interval

ANSWER

a. Broadcast traffic, by definition, is nonunicast traffic. Answer b is incorrect because traffic displayed using this counter is again, by definition, not broadcast traffic. Answers c and d are incorrect because they include more than just broadcast traffic and you will not be able to distinguish broadcast traffic from unicast traffic.

2. You set up Performance Logs And Alerts to send a message to ComputerB to notify an operator when the network bandwidth utilization on ComputerA reaches a certain level. However, ComputerB never receives the message sent from ComputerA. What must you do to enable messages to be sent by ComputerA and received by ComputerB? Choose all that apply.

a. On ComputerA, start the Messenger service.

b. On ComputerA, start the Alerter service.

c. On ComputerB, start the Messenger service.

d. On ComputerB, start the Alerter service.

ANSWER

b and c. To successfully send messages, you must start the Alerter service on the sending computer and the Messenger service on the receiving computer.

3. You suspect that a virus has infected your computer, which runs Windows Server 2003. You believe this virus transmits data from your server over the network using a specific port. You want to determine which process is using a specific port.

Which command should you run?

a. Nbtstat -RR

b. Nbtstat -r

c. Netstat -a

d. Netstat -o

ANSWER

d. Netstat -o displays the owning PID associated with each connection. Answers a and b are incorrect because Nbtstat is a NetBIOS name resolution utility and does not provide port information. Answer c is incorrect because, although it lists all connections and listening ports, it does not list PIDs.

4. A user in the branch office reports that he cannot use Microsoft Internet Explorer to open a commonly used Web site on the Internet. At your client computer in the main office, you are able to ping the target address. What should you do to troubleshoot this problem? Choose all that apply.

a. From the user’s client computer, ping the destination address.

b. From the user’s client computer, use the Network Repair feature.

c. From the DNS server, perform a simple query test.

d. From the DNS server, perform a recursive query test.

ANSWER

a and b. Answer a is correct because pinging the destination address indicates whether the client can communicate with the Web site. Answer b is correct because the Repair feature performs a set of common troubleshooting commands that might solve the problem. Answers c and d are incorrect because there is no reason to suspect the DNS server as the source of the problem. In this scenario, you should investigate client issues before considering the DNS server as the source of the problem. Furthermore, because pinging the IP address was unsuccessful, name resolution was not performed.

5. A user in the branch office reports that he cannot use Internet Explorer to view a commonly used Web site on the Internet. At your client computer in the main office, you run Nslookup to verify the target address and receive the correct address. At the user’s client computer, you also run Nslookup, but the address returned is incorrect. What should you do to troubleshoot this problem? Choose all that apply.

a. Verify that the client is using the correct DNS servers.

b. Run Ipconfig /flushdns.

c. Run Ipconfig /registerdns.

d. Run Ipconfig /renew.

ANSWER

a and b. You should first ensure the client is configured to use the correct DNS servers, and then clear the DNS resolver cache. Answer c is incorrect because registering the client’s DNS address will not solve the Web site’s connection problem. Answer d is incorrect because renewing the existing lease will not change any configuration options on the client.

6. You install a new application, which reports that it is installing a service on the computer. However, when you attempt to run the application for the first time, it cannot start. You inspect the event log to determine the nature of the problem. You receive an error that states, “The service did not start due to a logon failure.” Which of the following steps should you take to troubleshoot this problem?

a. Verify the service has been configured to start automatically.

b. Change the password to the same name as the account.

c. Verify the correct password has been supplied on the properties page of the service.

d. Verify the account has been granted administrative rights.

ANSWER

c. The correct password must be specified on the properties page for the service to use the account to log on. Answer a is incorrect. Although you might need to configure the service account to start automatically, the error message indicates a logon problem. Changing the service start behavior will not fix a logon problem. Answer b is incorrect because there is no dependency between the name of the account and the password. Answer d is incorrect because you should grant the least amount of privilege required for a service to perform its functions.

7. You install a new application on a member server. The application reports that it is installing a service on the computer. The installation for the service requests a username and password to run the service. You provide the name DOMAIN1\Service1. However, when you attempt to run the application for the first time, it is unable to start. You suspect that the account has not been given appropriate rights to start the service. What do you do?

a. On the member server, grant the Service1 account the Log On As A Service right.

b. In the domain, grant the Service1 account the Log On As A Service right.

c. On the member server, grant the Service1 account the Log On As A Batch Job right.

d. In the domain, grant the Service1 account the Log On As A Batch Job right.

ANSWER

a. Service accounts must have the Log On As A Service right.

8. A user complains that after she rebooted her computer, she no longer has access to the Internet. You examine her network settings and see that she has an IP address in the wrong network subnet and that her default gate-way is actually part of a test network. You suspect a rogue DHCP server. Which tool should you use to locate the DHCP server?

a. Ipconfig

b. Dhcploc

c. Netdiag

d. Netstat

ANSWER

b. Use Dhcploc to locate DHCP servers on your network, including rogue DHCP servers. Answer a is incorrect because Ipconfig only indicates whether the client is configured to use DHCP and the address of the DHCP server it last used. Answer c is incorrect because Netdiag does not list all DHCP servers on your network. Answer d is incorrect because Netstat only provides information about the existing network connections of a computer running TCP/IP and its network activity statistics; it does not list DHCP servers.

CHAPTER CASE SCENARIO

Case Scenario 9-1: Using Diagnostic Tools

You are the network administrator for Fabrikam, Inc. Users and other administrators report issues on the network. You must decide which diagnostic tool will most appropriately solve the problem.

Five different help desk issues are described. For each issue, determine which tool is appropriate. Choose from the following tools. Provide a reason to justify each of your choices. You might not need to use all of the possible answer choices.

The troubleshooting tools are as follows:

■ The standard version of Network Monitor

■ The Lite version of Network Monitor

■ Netstat

■ Ping

■ The testing feature in the DNS Monitoring tab

■ The Network Repair button

■ Network bridging

■ Service configurations

1. A user in Arkansas reports that he cannot browse the Internet. You ask him to ping the local gateway, and after doing so, he does not receive a successful reply from the local gateway. Other users on the network do not have the same problem.

ANSWER

Use the Network Repair button. Because only one user is having difficulty in this scenario, the loss of connectivity is probably an isolated instance and can be fixed using the series of commands provided by the Repair feature.

2. All users in the company report that they cannot browse the Internet, although the users receive replies when they ping the external resources by IP address. Access to company resources is not affected.

ANSWER

Use the DNS monitoring tests to verify whether the DNS server is receiving proper responses from the server to which it forwards.

3. A network administrator in Delaware wants to know the best way to implement a new segment on the network with a different physical topology. She doesn’t want to buy a hardware router.

ANSWER

Network bridging is the best choice to connect two disparate networks together.

4. A network administrator in Delaware reports that a third-party service on a server refuses to start. He has tried to restart the service several times, but it does not start.

ANSWER

Check the service configuration. Specifically, check to see whether the service uses a domain account, whether the account has been granted the Log On As A Service right, and whether the correct password is specified in the properties page of the service.

5. An administrator in a remote office thinks her server might have been infected with a virus or a Trojan horse program. A specific port appears to be open. How can the administrator determine which process uses which port?

ANSWER

Use Netstat -o to show the ports in use and their associated PIDs. Then display Task Manager and match the PID obtained using the Netstat command to the list of processes in Task Manager to identify the process using the port in question.
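The Netstat -o procedure from review question 3 and case scenario 5 above, as an added example that is not from the textbook: a Python script that parses the rows netstat -ano prints (-a all sockets, -n numeric addresses, -o owning PID) and joins each PID to an image name the way you would by hand in Task Manager, then lists which processes hold established connections to addresses outside the intranet. The netstat sample, the PID-to-image table, and the 10.0.0.0/8 intranet range are constructed assumptions, not captured from a real host.

```python
"""Match ports to owning processes from netstat -o style output (constructed
sample data; nothing here was captured from a real host)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of `netstat -ano` output. TCP rows carry a State
# column, UDP rows do not, and IPv6 addresses are bracketed.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.1.0.5:3389          10.1.0.77:51022        ESTABLISHED     1176
  TCP    10.1.0.5:6667          203.0.113.9:6667       ESTABLISHED     2312
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:161            *:*                                    1504
"""

# Constructed PID -> image name table, as Task Manager or `tasklist` shows it.
TASKLIST = {4: "System", 812: "svchost.exe", 1176: "svchost.exe",
            1504: "snmp.exe", 2312: "updater.exe"}

# Assumed intranet range for the "talks to the outside" check below.
INTRANET = ipaddress.ip_network("10.0.0.0/8")


class Socket(NamedTuple):
    proto: str
    local_host: str
    local_port: Optional[int]
    remote: str
    state: str  # "" for UDP rows, which have no State column
    pid: int


def split_endpoint(endpoint: str):
    """Split 'host:port' on the last colon; IPv6 hosts come bracketed."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat -ano rows into Socket records, skipping header lines."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # TCP: Proto Local Foreign State PID    UDP: Proto Local Foreign PID
        state = parts[3] if len(parts) == 5 else ""
        host, port = split_endpoint(parts[1])
        sockets.append(Socket(parts[0], host, port, parts[2], state, int(parts[-1])))
    return sockets


def owner_of_port(text: str, port: int, tasklist: Dict[int, str],
                  proto: str = "TCP") -> Optional[str]:
    """Image name of the process bound to `port`, or None if nothing is."""
    for s in parse_netstat(text):
        if s.proto == proto and s.local_port == port:
            return tasklist.get(s.pid, f"<unknown pid {s.pid}>")
    return None


def external_connections(text: str, tasklist: Dict[int, str]) -> List[tuple]:
    """(image, pid, remote) for ESTABLISHED TCP sockets whose peer lies outside
    INTRANET: the view wanted when a process is suspected of sending data out."""
    found = []
    for s in parse_netstat(text):
        if s.state != "ESTABLISHED":
            continue
        peer, _ = split_endpoint(s.remote)
        if ipaddress.ip_address(peer) not in INTRANET:
            found.append((tasklist.get(s.pid, "?"), s.pid, s.remote))
    return found
```

On a live host, replace NETSTAT_OUTPUT with the captured output of netstat -ano and TASKLIST with the PID column of tasklist; a PID that netstat reports but tasklist no longer shows is itself worth noting, since the process may have exited or be hiding.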