70-296 Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000
Comments: webmaster@freemcsebraindumps.com
Copyright 2000-2005, Free MCSE Braindumps.com
The material on this web site is not sponsored by, endorsed by or affiliated with Microsoft or the MCSE certification or with any vendor such as Cisco, Oracle, Sun etc. They own trademarks to their certifications. We use them to display information as a fair use of the names.
QUESTION NO: 1
You are a network administrator for Alecnet. The network contains two Windows Server 2003
computers named AlecnetA and AlecnetB. These servers host an intranet application. Currently, 40
users connect to AlecnetA and 44 users connect to AlecnetB.
The company is adding 35 employees who will need access to the intranet application. Testing shows that
each server is capable of supporting approximately 50 users without adversely affecting the performance
of the application.
You need to provide a solution for supporting the additional 35 employees. The solution must include
providing server fault tolerance. You need to minimize the costs and administrative effort required by
your solution.
You add a new server named AlecnetC to the network and install the intranet application on
AlecnetC.
What else should you do?
A. Use Network Load Balancing Manager to configure AlecnetA, AlecnetB, and AlecnetC as a Network Load Balancing cluster.
B. Use Cluster Administrator to configure AlecnetA, AlecnetB, and AlecnetC as a three-node server cluster. Use the Majority Node Set option. Configure the cluster so that all three nodes are active.
C. Use Cluster Administrator to configure AlecnetA, AlecnetB, and AlecnetC as a three-node server cluster. Configure the cluster so that two nodes are active and one node is a hot standby node.
D. Use DNS load balancing to utilize all three servers by using the same virtual server name.
Answer: A
Explanation: Network Load Balancing (NLB) spreads the intranet application's client connections across the three servers: 119 users over three hosts that each handle about 50 stays within the tested limit. If a host fails, the remaining hosts notice its missing heartbeats, converge, and stop sending traffic to it, which gives the fault tolerance the question asks for. NLB is included in every edition of Windows Server 2003 and needs no shared storage or additional hardware, so it is the cheapest option and the one with the least administrative effort.
Reference: Deploying Network Load Balancing
Overview of the NLB Deployment Process
A Network Load Balancing cluster comprises multiple servers running any version of the Microsoft® Windows® Server 2003 family, including Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Datacenter Edition, and Windows Server 2003 Web Edition.
Clustering allows you to combine application servers to provide a level of scaling, availability, or security that is not possible with an individual server. Network Load Balancing distributes incoming client requests among the servers in the cluster to more evenly balance the workload of each server and prevent overload on any one server. To client computers, the Network Load Balancing cluster appears as a single server that is highly scalable and fault tolerant. The Network Load Balancing deployment process assumes that your design team has completed the design of the Network Load Balancing solution for your organization and has performed limited testing in a lab. After the design team tests the design in the lab, your deployment team implements the Network Load Balancing solution first in a pilot environment and then in your production environment.
Upon completing the deployment process presented here, your Network Load Balancing solution (the Network Load Balancing cluster and the applications and services running on the cluster) will be in place. For more information about the procedures for deploying Network Load Balancing on individual servers, see the appropriate Network Load Balancing topics in Help and Support Center for Windows Server 2003.
Incorrect Answers:
B, C: A server cluster built with Cluster Administrator is a failover technology for stateful services; it does not spread web-application clients across hosts. It requires Windows Server 2003 Enterprise or Datacenter Edition and, except in the Majority Node Set configuration, shared storage, so it would cost more and take more administrative effort than NLB on the three servers already in place.
D: Round-robin DNS would spread clients across the three servers, but it has no health check: if one server failed, clients would still be handed that server's address.
QUESTION NO: 2
You are the network administrator for Alecnet. The network consists of a single Active Directory
domain named Alecnet.com. All domain controllers run Windows Server 2003. All application servers
run Windows Server 2003.
Client computers in the accounting department run Windows XP Professional. Client computers in the
engineering department run Windows 2000 Professional. Client computers in the Sales department run
either Windows NT Workstation 4.0 or Windows 98. All client computers access data files on the
application server.
You need to plan the method of securing the data transmissions for the client computers. You want to
ensure that the data is not modified while it is transmitted between the application servers and the client
computers. You also want to protect the confidentiality of the data, if possible.
What should you do?
To answer, drag the appropriate method or methods to the correct department’s client computers.
Answer:
Accounting (Windows XP Professional): IPSec
Engineering (Windows 2000 Professional): IPSec
Sales (Windows NT Workstation 4.0 and Windows 98): SMB signing
Explanation: IPsec is available on Windows 2000 and Windows XP, but the legacy clients (Windows NT Workstation 4.0 and Windows 98) have no native IPsec support; the only IPsec they can use is the L2TP/IPsec VPN client, which does not protect ordinary file-sharing traffic on the LAN. The Sales department therefore gets SMB signing, which protects the integrity of the data but does not encrypt it.
With Windows 2000 and Windows XP both methods are supported; IPsec is the better choice because, unlike SMB signing, it can provide confidentiality (ESP encryption) as well as integrity, which is what the question asks for where possible.
SMB signing on Windows 2000 and XP is enabled or enforced through the "Digitally sign communications" security options in local or domain policy. On the legacy clients it must be turned on in the registry: Windows 98 is covered by KB article 230545 and Windows NT 4.0 by KB article 161372 (the EnableSecuritySignature and RequireSecuritySignature values). Requiring signing on the servers while a client platform cannot sign would lock that client out, so verify every client before enforcing it.
SMB on Windows 98, KB article 230545
Windows 98 includes an updated version of the SMB authentication protocol. Enabling SMB signing slows performance, usually by 10 to 15 percent, because every packet must be signed by the sender and verified by the receiver, so the setting should be used only when network security is a concern.
SMB on Windows NT, KB article 161372
Windows NT 4.0 Service Pack 3 provides an updated version of the Server Message Block (SMB) authentication protocol, also known as the Common Internet File System (CIFS) file sharing protocol.
IPSEC
The Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets, and as an administrative tool that enhances the security of communications transparently to applications. Its filters select the traffic for which security is negotiated in IPsec transport mode or IPsec tunnel mode, primarily in intranet environments where machine trust is available from the Kerberos service, or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used.
IPsec is not supported natively on the legacy clients; the only IPsec they can use is for VPN connections:
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98, Windows Millennium Edition (Me), or Windows NT® Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec). It requires:
- Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up Networking version 1.4 upgrade.
- Windows Me with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later).
- Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later).
QUESTION NO: 3
You are the systems engineer for Alecnet. The network consists of a single Active Directory domain
named Alecnet.com. All servers run Windows Server 2003. A Windows Server 2003 computer named
AlecnetDNS1 functions as the internal DNS server and has zones configured as shown in the exhibit.
The network is not currently connected to the Internet. Alecnet maintains a separate network that
contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS
domain named Alecnet.com. The Alecnet.com zone is hosted by a UNIX-based DNS server named
UNIXDNS, which is running the latest version of BIND.
The company plans to allow users of the internal network to access Internet-based resources. The
company’s written security policy states that resources located on the internal network must never be
exposed to the Internet. The written security policy states that the internal network’s DNS namespace
must never be exposed to the Internet. To meet these requirements, the design specifies that all name
resolution requests for Internet-based resources from computers on the internal network must be sent
from AlecnetDNS1. The current design also specifies that UNIXDNS must attempt to resolve any
name resolution requests before sending them to name servers on the Internet.
You need to plan a name resolution strategy for Internet access. You need to configure AlecnetDNS1
so that it complies with company requirements and restrictions.
What should you do?
A. Delete the root zone from AlecnetDNS1.
Configure AlecnetDNS1 to forward requests to UNIXDNS.
B. Copy the Cache.dns file from the Windows Server 2003 installation CD-ROM to the
C:\Windows\System32\Dns folder on AlecnetDNS1.
C. Add a name server (NS) resource record for UNIXDNS to your zone.
Configure UNIXDNS with current root hints.
D. On AlecnetDNS1, configure a secondary zone named Alecnet.com that uses UNIXDNS as the
master server.
Configure UNIXDNS to forward requests to your ISP’s DNS servers.
Answer: A
Explanation: AlecnetDNS1 currently hosts a root (".") zone, which makes it believe it is authoritative for the entire DNS namespace: it answers every name it does not hold with "does not exist" and never consults forwarders or root hints (the Forwarders tab is unavailable while a root zone exists). Deleting the root zone lets us configure AlecnetDNS1 to forward Internet name resolution requests to the external DNS server (UNIXDNS), which then resolves them from its own root hints, as the design requires. Only UNIXDNS talks to the Internet, and it hosts no internal names, so the internal namespace is never exposed.
A DNS server configured to use a forwarder will behave differently than a DNS server that is not configured to
use a forwarder. A DNS server configured to use a forwarder behaves as follows:
1. When the DNS server receives a query, it attempts to resolve this query using the primary and secondary
zones that it hosts and its cache.
2. If the query cannot be resolved using this local data, then it will forward the query to the DNS server
designated as a forwarder.
3. The DNS server will wait briefly for an answer from the forwarder before attempting to contact the DNS
servers specified in its root hints.
Incorrect Answers:
B: The Cache.dns file contains the IP addresses of the internet root DNS servers. We don’t want the internal
DNS server to query the root DNS servers, so we don’t need the cache.dns file.
C: Unixdns already has root hints. An NS record on the internal DNS server won’t fulfil the requirements of
the question.
D: We don’t need a secondary zone on the internal DNS server. All external resolution requests must be
forwarded to the external DNS server.
QUESTION NO: 4
You are the system engineer for Alecnet. The network consists of a single Active Directory domain
named Alecnet.com. All servers run Windows Server 2003. The network is connected to the Internet by a
dedicated T3 line.
Alecnet enters into a partnership with another company for a new project. The partner company’s
network consists of a single Active Directory forest that contains two domains. All servers in the network
run Windows 2003 Server. The partner network is also connected to the Internet by a dedicated T3 line.
The partner network is accessible by a VPN connection that was established between the two networks.
The VPN connection was tested and was verified to provide a functional connection between the two
networks.
Users from both companies need to connect to resources located on another network. A forest trust
relationship exists between the two companies’ forests to allow user access to resources. Users in your
company report that they can access resources on the partner network, but that it can take up to several
minutes for the connection to be established. This problem is most pronounced during the morning.
You verify that there is sufficient available bandwidth on the connection between the two networks to
provide access. You also verify that both network’s routing tables are configured correctly to route
requests to the appropriate destinations. When you attempt to connect to a server in the partner network
by host name by using the ping command, the connection times out. However, when you attempt to
connect to the server a second time by IP address by using the ping command, you receive a response
within a few seconds.
You need to improve the performance of the network connection between the two networks.
What should you do?
A. Add the partner network’s domain names and DNS server addresses to the forwarders list on your DNS servers.
B. Update the root hints list on your DNS servers to include the host names and IP addresses of the partner
network’s DNS servers.
C. Disable recursion on the DNS servers in both companies’ networks.
D. Add the partner network’s DNS server addresses to the 006 DNS Servers scope option in your DHCP
scope.
Answer: A
Explanation: It is taking a long time to locate resources on the other network. This is because name resolution
requests are being passed to the internet root servers, then down through the internet DNS hierarchy before the
request finally reaches the appropriate DNS server. We can speed up this process by using conditional
forwarding. This would enable resolution requests for resources in the partner network to be forwarded directly
to the partner’s DNS server.
Conditional forwarders
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the
DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it
receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP
addresses of multiple DNS servers.
Incorrect Answers:
B: Root hints list the Internet root DNS servers used to start recursion; adding the partner's servers there does not send the partner's names to them.
C: Disabling recursion stops the servers from resolving on behalf of clients at all, and in Windows DNS it also disables forwarders, so external names would stop resolving.
D: The 006 DNS Servers option only orders the client resolver's server list. Clients would use the partner's servers only when the local server failed to respond, and would then send their internal queries there as well.
QUESTION NO: 5
You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory
forest. The functional level of the forest is Windows Server 2003. The forest root domain is contoso.com.
Contoso, Ltd,. recently merged with another company named Alecnet, whose network consists of a
single Active Directory forest. The functional level of the Alecnet forest is Windows Server 2003.
The forest root domain for Alecnet is Alecnet.com. You need to create a forest trust relationship
between the two forests. Each company has dedicated connections to the Internet.
You need to configure DNS to support the forest trust relationship. You want to maintain Internet name
resolution capability for each company’s network.
What should you do?
A. Configure the contoso.com DNS servers to forward to the Alecnet.com DNS servers.
Configure the Alecnet.com DNS servers to forward to the contoso.com DNS servers.
B. Configure conditional forwarding of Alecnet.com on the contoso.com DNS servers to the Alecnet.com
DNS servers.
Configure conditional forwarding of contoso.com on the Alecnet.com DNS servers to the contoso.com
DNS servers.
C. Configure a standard primary zone for Alecnet.com on one of the contoso.com DNS servers.
Configure a standard primary zone for contoso.com on one of the Alecnet.com DNS servers.
D. Configure an Active Directory-integrated zone for Alecnet.com on the contoso.com DNS servers.
Configure an Active Directory-integrated zone for contoso.com on the Alecnet.com DNS servers.
Answer: B
Explanation: This is the standard scenario for conditional forwarding. A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. Each company's servers keep resolving Internet names as before (through their existing forwarders or root hints); only queries for the other company's forest root domain are sent to that company's DNS servers, which is exactly the name resolution a forest trust needs.
Incorrect Answers:
A: Unconditional forwarding sends ALL unresolved queries, Internet names included, to the other company's DNS servers, making each company's Internet name resolution depend on the other.
C: A standard primary zone created on the other company's server would be a second, independent copy of the zone with its own data; a zone has one primary server (secondaries pull from it), so this copy would never receive the real records and names in the other forest would not resolve.
D: Active Directory-integrated zones replicate through Active Directory, and that replication does not cross a forest boundary, so the zone cannot be hosted on DNS servers in a different forest.
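The three DNS questions above turn on the same decision order: local zone data first, then a conditional forwarder matching the name, then the general forwarder, then root hints, with a hosted root zone short-circuiting everything. The following toy model is an added example, not code from the page or from Microsoft; the server names follow the questions (AlecnetDNS1, UNIXDNS, Alecnet.com), while the partner zone, the internal zone "alecnet.internal" and every address are constructed for the demonstration.

```python
"""Toy model of the resolution order a Windows Server 2003 DNS server follows.

Added example; not code from the original page or from Microsoft. It models
only the order the explanations describe: local zone data, then a conditional
forwarder matching the query name, then the general forwarder, then root hints.
Server and zone names follow the questions (AlecnetDNS1, UNIXDNS, Alecnet.com);
the partner zone, the internal zone "alecnet.internal" and all addresses are
constructed for the demo.
"""
from dataclasses import dataclass, field


def _labels(name):
    return name.lower().rstrip(".").split(".")


@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)        # zone -> {fqdn: address}; "." = root zone
    forwarders: list = field(default_factory=list)   # general forwarders (DnsServer objects)
    conditional: dict = field(default_factory=dict)  # domain -> [DnsServer]
    root_hints: list = field(default_factory=list)   # stand-in for the Internet root

    def authoritative_zone(self, qname):
        """Longest hosted zone that contains qname, or None. A hosted root
        zone matches every name, which is why it blocks forwarding."""
        labels = _labels(qname)
        for i in range(len(labels) + 1):
            suffix = ".".join(labels[i:]) or "."
            if suffix in self.zones:
                return suffix
        return None

    def resolve(self, qname, path=None):
        """Return (answer, list of servers consulted in order)."""
        path = [] if path is None else path
        path.append(self.name)
        qn = ".".join(_labels(qname))
        zone = self.authoritative_zone(qname)
        if zone is not None:
            # 1. Answer from local zone data; authoritative, so no forwarding.
            return (self.zones[zone].get(qn, "NXDOMAIN"), path)
        # 2a. Conditional forwarder whose domain matches the query name.
        for domain, servers in self.conditional.items():
            d = ".".join(_labels(domain))
            if qn == d or qn.endswith("." + d):
                return servers[0].resolve(qname, path)
        # 2b. General forwarder for everything else.
        if self.forwarders:
            return self.forwarders[0].resolve(qname, path)
        # 3. Recurse from root hints (the "Internet" here).
        if self.root_hints:
            return self.root_hints[0].resolve(qname, path)
        return ("SERVFAIL", path)


def build_alecnetdns1(root_zone_present):
    """Topology from questions 3 and 4; only the root zone on AlecnetDNS1 varies."""
    internet = DnsServer("Internet", zones={"example.net": {"www.example.net": "198.51.100.10"}})
    unixdns = DnsServer("UNIXDNS", zones={"alecnet.com": {"www.alecnet.com": "203.0.113.5"}},
                        root_hints=[internet])
    partner = DnsServer("PartnerDNS", zones={"partner.example": {"files.partner.example": "203.0.113.77"}},
                        root_hints=[internet])
    zones = {"alecnet.internal": {"srv1.alecnet.internal": "10.0.0.5"}}   # constructed internal zone
    if root_zone_present:
        zones["."] = {}   # the root zone question 3 says to delete
    return DnsServer("AlecnetDNS1", zones=zones, forwarders=[unixdns],
                     conditional={"partner.example": [partner]})


if __name__ == "__main__":
    for root in (True, False):
        srv = build_alecnetdns1(root)
        for q in ("www.example.net", "files.partner.example", "srv1.alecnet.internal"):
            print(f"root zone={root!s:5} {q:24} -> {srv.resolve(q)}")
```

With the root zone present, every non-local name comes back NXDOMAIN from AlecnetDNS1 itself and UNIXDNS is never consulted; once it is removed, Internet names travel AlecnetDNS1 to UNIXDNS to the Internet, and the partner's names go straight to the partner's server through the conditional forwarder.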
QUESTION NO: 6
You are the network administrator for Alecnet. The network consists of a single Active Directory forest
that contains three domains. Each domain contains domain controllers that run Windows 2000 Server
and domain controllers that run Windows Server 2003. The DNS Server service is installed on all domain
controllers. All client computers run Windows XP Professional.


- 11 -
You need to add an additional DNS zone that is hosted on at least one DNS server on each domain. You
want to configure the zone to allow secure updates only.
What should you do?
A. Configure the new zone on DNS servers in the root domain.
Configure stub zones that refer to DNS servers in another two domains.
B. Configure the new zone as a primary zone on one DNS server.
Configure other DNS servers in the three domains as secondary servers for this zone.
Enable the DNS Security Extensions (DNSSEC) protocol.
C. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains.
Store the zone data in the DNS directory partition named DomainDNSZones.
D. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three domains.
Store the zone data in the DNS directory partition named ForestDNSZones.
Answer: D
Explanation: Secure dynamic updates ("Allow only secure dynamic updates") are available only for Active Directory-integrated zones, because each update is authorized against the ACL on the zone object in the directory. To have the zone on a DNS server in every domain it must replicate forest-wide, which means storing it in the ForestDNSZones application directory partition (the "To all DNS servers in the Active Directory forest" replication scope chosen when the zone is created). Application directory partitions exist only on Windows Server 2003 domain controllers, so the zone must be hosted on at least one Windows Server 2003 domain controller in each domain; the Windows 2000 domain controllers cannot hold it.
Incorrect Answers:
A: Stub zones hold only the SOA, NS and glue records of the zone and do not accept updates; we need the Active Directory-integrated zone itself in each domain.
B: Secondary zones are read-only copies and cannot accept updates, secure or otherwise.
C: Zone data stored in the DomainDNSZones partition is replicated only to the DNS servers in that one domain, not to the entire forest.
QUESTION NO: 7
You are the systems engineer for Alecnet GmBh. The network consists of three Windows NT 4.0
domains in a master domain model configuration. The servers on the network run either Windows NT
Server 4.0 or Windows 2000 Server. All domain controllers run Windows NT Server 4.0.
The network also contains 10 UNIX-based application servers. All host name resolution services are
provided by a UNIX-based server running the latest version of BIND, which currently hosts the zone for
the Alecnet.com domain. All NetBIOS name resolution services are provided by two Windows 2000
Server WINS servers.
The company is in the process of migrating to a single Windows Server 2003 Active Directory domain-based network. The new domain is named Alecnet-ad.com, and it will be hosted in an Active Directory-integrated zone that is stored on the domain controllers. Servers that are not domain controllers will not be updated at this time. The migration plan requires that all computers must use DNS to resolve host names and requires redundancy for the Windows-based DNS servers.
You upgrade the domain controllers in the master domain to Windows Server 2003. You also migrate all
user and computer accounts to the new Active Directory domain. The DNS zone on the Windows Server
2003 computers is configured as shown in the exhibit.
You now need to configure the required redundancy between the Windows-based DNS servers and the
UNIX-based DNS server. You need to ensure that there will be no service interruption on any of the DNS
server computers.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. On a Windows Server 2003 DNS server, create a secondary zone that uses the UNIX-based DNS server
as the master server.
B. On the UNIX-based DNS server, create a secondary zone that uses a Windows-based DNS server as the
master server.
C. On a Windows Server 2003 DNS server, create a stub zone that uses the UNIX-based DNS server as the
master server.
D. Add a delegation in the Alecnet.com zone that delegates authority of the Alecnet-ad.com zone to a
Windows Server 2003 DNS server.
E. Configure the Alecnet-ad.com zone to not replicate WINS-specific resource records during zone
transfers.
Answer: B, E
Explanation: The question asks for redundancy for the Windows Server 2003 DNS servers, not for the UNIX server. We get it by making the UNIX-based BIND server a secondary for Alecnet-ad.com with a Windows Server 2003 DNS server as its master; the UNIX server can then answer queries for the Active Directory domain if the Windows servers are unavailable. The Alecnet-ad.com zone is configured to use WINS lookup (the exhibit), which puts Microsoft-specific WINS and WINS-R resource records in the zone. BIND does not understand those record types and would reject a transferred zone that contains them, so the zone must be set to not replicate WINS-specific resource records during zone transfers ("Do not replicate this record" on the zone's WINS tab).
Incorrect Answers:
A: This would provide redundancy for the UNIX server's Alecnet.com zone; the question isn't asking for that.
C: A stub zone holds only the name server records for the zone and cannot answer for its hosts, so it provides no redundancy.
D: Alecnet-ad.com isn't a subdomain of Alecnet.com, so no delegation is required.
QUESTION NO: 8
You are the network administrator for Alecnet. The network consists of an internal network and a
perimeter network. The internal network is protected by a firewall. The perimeter network is exposed to
the Internet.
You are deploying 10 Windows Server 2003 computers as Web servers. The servers will be located in the
perimeter network. The servers will host only publicly available Web pages.
You want to reduce the possibility that users can gain unauthorized access to the servers. You are
concerned that a user will probe the Web servers and find ports or services to attack.
What should you do?
A. Disable File and Printer Sharing on the servers.
B. Disable the IIS Admin service on the servers.
C. Enable Server Message Block (SMB) signing on the servers.
D. Assign the Secure Server (Require Security) IPSec policy to the servers.
Answer: A
Explanation: Unbinding File and Printer Sharing for Microsoft Networks from the Web servers' network connections stops SMB file-sharing access (TCP 139 and 445) through those interfaces, removing the service an attacker probing the perimeter network is most likely to find and attack. Public Web pages are served over HTTP or HTTPS, not over Microsoft networking, so the Web servers do not need it.
File and Printer Sharing for Microsoft Networks
The File and Printer Sharing for Microsoft Networks component allows other computers on a network to access resources on your computer by using a Microsoft network. This component is installed and enabled by default for all VPN connections. However, this component needs to be enabled for PPPoE and dial-up connections. It is enabled per connection and is necessary to share local folders. The File and Printer Sharing for Microsoft Networks component is the equivalent of the Server service in Windows NT 4.0.
Incorrect Answers:
B: The World Wide Web Publishing Service depends on the IIS Admin service (which holds the metabase), so stopping IIS Admin would stop the Web sites as well; it is also what you use to administer the servers. Disabling File and Printer Sharing removes an exposed service without that cost.
C: SMB signing only verifies that SMB data has not been changed in transit. It does not reduce the services exposed to a probe or prevent unauthorized access.
D: Secure Server (Require Security) demands IPsec for all inbound traffic; anonymous Internet clients cannot negotiate IPsec, so the public Web pages would become unreachable.
QUESTION NO: 9
You are the network administrator for Alecnet. The network consists of a single Active Directory
domain named Alecnet.com. Alecnet’s perimeter network contains 50 Web servers that host the
company’s public Internet site. The Web servers are not members of the domain.
The network design team completed a new design specification for the security of servers in specific roles.
The network design requires that security settings must be applied to Web servers. These settings include
password restrictions, audit settings, and automatic update settings.
You need to comply with the design requirements for securing the Web servers. You also want to be able
to verify the security settings and generate a report during routine maintenance. You want to achieve
these goals by using the minimum amount of administrative effort.
What should you do?
A. Create a custom security template named Web.inf that contains the required security settings.
Create a new organizational unit (OU) named WebServers and move the Web servers into the new OU.
Apply Web.inf to the WebServers OU.
B. Create a custom security template named Web.inf that contains the required security settings, and deploy
Web.inf to each Web server by using Security Configuration and Analysis.
C. Create an image of a Web server that has the required security settings, and replicate the image to each
Web server.
D. Manually configure the required security settings on each Web server.
Answer: B
Explanation: The Web servers are standalone (not domain members), so Group Policy is not available. The lowest-effort way to put a consistent set of settings on each of them is a custom security template (Web.inf) holding the password, audit and Automatic Updates settings, applied with Security Configuration and Analysis (or secedit /configure). The same tool's analyze operation compares a server's current settings against Web.inf and produces the report the design asks for during routine maintenance, with no further configuration.
Incorrect Answers:
A: The Web servers aren't members of the domain, so they cannot be moved into an OU in Active Directory and no GPO would apply to them.
C: Imaging copies an initial configuration once; it cannot verify settings afterwards or produce a report, and it would have to be repeated for every change.
D: Configuring 50 servers by hand is far more effort and gives no report; a security template simplifies the task.
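The analyze step is what makes the template answer satisfy the "verify and report" requirement. The following is an added example, not code from the page or from Microsoft: it parses a constructed security template named Web.inf (section and value names follow the secedit template format; the registry paths are the real Automatic Updates policy location) and compares it with a constructed snapshot of one server's settings, the way Security Configuration and Analysis does. On a real server the current values would come from secedit /analyze or the registry, not from a dictionary.

```python
"""Compare a security template (.inf) against a server's current settings.

Added example, not code from the original page or from Microsoft. WEB_INF is a
constructed template named Web.inf as in the question; CURRENT_STATE is a
constructed snapshot of one Web server's settings (in reality you would read
them with secedit /analyze or from the registry). Section and key names follow
the secedit template format; the registry paths under [Registry Values] are the
real Automatic Updates policy location.
"""
import configparser
import io

WEB_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Registry Values]
MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate=4,0
MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions=4,4
"""

# Constructed "current" settings of one server. A short minimum password
# length, failure-only account logon auditing and NoAutoUpdate=1 are the
# deviations the report should catch.
CURRENT_STATE = {
    ("System Access", "MinimumPasswordLength"): "6",
    ("System Access", "PasswordComplexity"): "1",
    ("System Access", "MaximumPasswordAge"): "42",
    ("System Access", "LockoutBadCount"): "5",
    ("Event Audit", "AuditLogonEvents"): "3",
    ("Event Audit", "AuditAccountLogon"): "1",
    ("Event Audit", "AuditPolicyChange"): "3",
    ("Registry Values", r"MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate"): "4,1",
    ("Registry Values", r"MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions"): "4,4",
}

# Sections whose entries are compared; [Unicode] and [Version] are metadata.
ANALYZED_SECTIONS = ("System Access", "Event Audit", "Registry Values")


def parse_template(text):
    """Return {(section, key): value} for the analyzed sections of an .inf template."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep registry paths exactly as written
    cp.read_file(io.StringIO(text))
    return {(s, k): v.strip()
            for s in ANALYZED_SECTIONS if cp.has_section(s)
            for k, v in cp.items(s)}


def analyze(template_text, current):
    """List (section, key, expected, found) for every template entry the host
    does not match; a missing entry is reported as not configured."""
    findings = []
    for (section, key), want in parse_template(template_text).items():
        have = current.get((section, key))
        if have is None:
            findings.append((section, key, want, "<not configured>"))
        elif have != want:
            findings.append((section, key, want, have))
    return findings


def report(findings):
    lines = [f"{len(findings)} setting(s) deviate from Web.inf"]
    for section, key, want, have in findings:
        lines.append(f"[{section}] {key}: expected {want}, found {have}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(WEB_INF, CURRENT_STATE)))
```

Registry entries in a template carry a type prefix (4 is REG_DWORD), so "4,0" and "4,1" differ in value, not type; the comparison deliberately treats the whole "type,value" string as the setting, just as the template does.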
QUESTION NO: 10
You are the network administrator for Alecnet. The network contains a Windows Server 2003 Web
server that hosts the company intranet.
The human resources department uses the server to publish information relating to vacations and public
holidays. This information does not need to be secure.
The finance department wants to publish payroll information on the server. The payroll information will
be published in a virtual directory named Payroll, which was created under the default Web site on the
server. The company’s written security policy states that all payroll-related information must be
encrypted on the network.
You need to ensure that all payroll-related information is encrypted on the network. To preserve
performance, you need to ensure that other information is not encrypted unnecessarily. You obtain and
install a server certificate.
What else should you do?
A. Select the Require secure channel (SSL) check box for the default Web site.
B. Assign the Secure Server (Require Security) IPSec policy option for the server.
C. Select the Encrypt contents to secure data check box for the Payroll folder.
D. Select the Require secure channel (SSL) check box for the Payroll virtual directory.
Answer: D
Explanation: Secure Sockets Layer (SSL) is the protocol originally developed by Netscape for transmitting private documents over the Internet. The server authenticates with its certificate, client and server agree a session key using the certificate's public key, and the session is then encrypted with that symmetric key, so data is protected in transit. By convention, URLs that require an SSL connection start with https: instead of http:. In IIS the Require secure channel (SSL) setting is applied per site, virtual directory, folder or file, so selecting it on the Payroll virtual directory (with the server certificate installed) forces HTTPS for the payroll information only and leaves the rest of the intranet on plain HTTP.
Incorrect Answers:
A: Requiring SSL on the default Web site would force encryption for everything on the site, including the human resources pages that do not need it.
B: The Secure Server (Require Security) IPSec policy would require IPsec for all traffic to the server, encrypting everything, and clients not configured for IPsec would lose access altogether.
C: Encrypt contents to secure data is EFS: it encrypts the files on the disk. It does not encrypt the data as it travels over the network.
QUESTION NO: 11
You are a network administrator for Alecnet Inc. The network consists of a single Active Directory
forest as shown in the exhibit.
Your company’s written security policy requires that all domain controllers in the child1.Alecnet.com
domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the
ability to start a domain controller to the Domain Admins group.
You need to configure the domain controllers in the child1.Alecnet.com domain to meet the new security
requirements.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)
A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group Policy object
(GPO) on the child1.Alecnet.com domain.
B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object (GPO) in
the child1.Alecnet.com domain.
C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group Policy
object (GPO) in the child1.Alecnet.com domain.
D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object (GPO) in
the child1.Alecnet.com domain.
E. Run the system key utility (syskey) on each domain controller in the child1.Alecnet.com domain.
In the Account Database Key dialog box, select the Password Startup option.
F. Run the system key utility (syskey) on each domain controller in the child1.Alecnet.com domain.
In the Account Database Key dialog box, select the Store Startup Key Locally option.
Answer: C, E
QUESTION NO: 17
You are the security analyst for Alecnet. The network consists of a single Active Directory domain
named Alecnet.com. All servers run Windows Server 2003. All client computers run Windows XP
Professional. The perimeter network contains an application server, which is accessible to external users.
You view the logs on your intrusion-detection system (IDS) and on the router and discover that very
large numbers of TCP SYN packets are being sent to the application server. The application server is
responding with SYN-ACK packets to several different IP addresses, but is not receiving ACK responses.
You note that all incoming SYN packets appear to be originating from IP addresses located within the
perimeter network’s subnet address range. No computers in your perimeter network are configured with
these IP addresses. The router logs show that these packets are originating from locations on the Internet.
You need to prevent this type of attack from occurring until a patch is made available from the
application vendor. Because of budget constraints, you cannot add any new hardware or software to the
network. Your solution cannot adversely affect legitimate traffic to the application server.
What should you do?
A. Relocate the application server to the company intranet.
Configure the firewall to allow inbound and outbound traffic on the ports and protocols used by the
application.
B. Configure network ingress filters on the router to drop packets that have local addresses but that appear
to originate from outside the company network.
C. Create access control lists (ACLs) and packet filters on the router to allow perimeter network access to
only authorized users and to drop all other packets originating from the Internet.
D. Configure the IDS on the perimeter network with a response rule that sends a remote shutdown
command to the application server in the event of a similar denial-of-service attack.
Answer: B
Explanation: This type of attack is known as a Denial of Service Attack.
Dropping spoofed packets
070 - 296

- 25 -
In an ideal world, each router would be configured with ingress filters that would drop packets arriving from
"internal" networks whose source address was not a member of the set of network addresses that this router
serves. The majority of routers could be so configured. Backbone routers and edge routers for complex
topologies probably could not be configured with such filters. These ingress filters should be required as part of
a "good neighbor policy." Ingress filters would not totally eliminate denial of service attacks but could
greatly reduce such attacks. An attacker could still spoof an address within a local subnet, but that would
permit backtracking the packets to the source subnet. Cisco's unicast reverse path forwarding also can be used to
block spoofed packets at edge routers. Routers that implement ingress filtering will not forward the packets
sent by a mobile host in a foreign network.
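As an added illustration (not part of the original braindump), the following Python models the ingress-filter rule from answer B and runs it over constructed router log lines, showing that spoofed SYNs from the Internet are dropped while legitimate external and internal traffic is forwarded; the subnet, interface names and log format are assumptions.

```python
"""Ingress filtering against a spoofed SYN flood (added example, not from the page)."""
import ipaddress
from collections import Counter

# Constructed values: the perimeter subnet this router serves and its interfaces.
PERIMETER_NET = ipaddress.ip_network("203.0.113.0/24")   # documentation range, placeholder
EXTERNAL_IFACES = {"eth0"}   # faces the Internet
INTERNAL_IFACES = {"eth1"}   # faces the perimeter network

# Constructed router log lines: <iface> <proto> <flags> <src> -> <dst>
SAMPLE_LOG = """\
eth0 TCP SYN 203.0.113.77 -> 203.0.113.10
eth0 TCP SYN 203.0.113.91 -> 203.0.113.10
eth0 TCP SYN 203.0.113.77 -> 203.0.113.10
eth0 TCP SYN 198.51.100.23 -> 203.0.113.10
eth1 TCP SYN 203.0.113.50 -> 203.0.113.10
eth0 TCP ACK 198.51.100.23 -> 203.0.113.10
"""


def parse_line(line):
    """Split one log line into a packet record with parsed addresses."""
    iface, proto, flags, src, _arrow, dst = line.split()
    return {"iface": iface, "proto": proto, "flags": flags,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def is_spoofed_ingress(pkt):
    """Ingress rule: a packet arriving on an external interface must not claim a
    source address inside the network this router serves."""
    return pkt["iface"] in EXTERNAL_IFACES and pkt["src"] in PERIMETER_NET


def filter_log(text):
    """Apply the rule to every line; return (forwarded, dropped) packet lists."""
    forwarded, dropped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        (dropped if is_spoofed_ingress(pkt) else forwarded).append(pkt)
    return forwarded, dropped


def spoofed_syn_sources(dropped):
    """Count dropped SYNs per claimed source: the half-open connections the
    application server would otherwise have been left holding."""
    return Counter(str(p["src"]) for p in dropped if p["flags"] == "SYN")


if __name__ == "__main__":
    fwd, drp = filter_log(SAMPLE_LOG)
    print(f"forwarded={len(fwd)} dropped={len(drp)}", dict(spoofed_syn_sources(drp)))
```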
QUESTION NO: 18
You are the network administrator for Alecnet. The network consists of a single Active Directory
domain named Alecnet.com. All computers on the network are members of the domain. The network
contains a Windows Server 2003 computer named AlecnetCA.
The company uses an enterprise certification authority (CA) on AlecnetCA to issue certificates. A
certificate to encrypt files is autoenrolled to all users. The certificate is based on a custom Encryption File
System (EFS) certificate template. The validity period of the certificate is set to two years.
Currently, the network is configured to use data recovery agents. You are planning to implement key
archival for the keys that users use to decrypt files.
You configure the CA and the custom EFS certificate template to enable key archival of the encryption
private keys.
You need to ensure that the private EFS key of each user who logs on to the domain is archived.
What should you do?
A. Configure a new issuance policy for the custom EFS certificate template.
B. Configure the custom EFS certificate template to reenroll all certificate holders.
C. Select the Automatically Enroll Certificates command in the Certificates console.
D. Configure a logon script that runs the gpupdate.exe /force command for the users.
Answer: C
Key Archival and Management in Windows Server 2003
Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/kyacws03.asp
EFS always attempts to enroll for the Basic EFS template. The EFS driver generates an autoenrollment request
that Autoenrollment tries to fulfill. For customers that want to ensure that a specific template is used for EFS
(such as to include key archival), the new template should supersede the Basic EFS template. This will ensure
that Autoenrollment will not attempt enrollment for Basic EFS any more.
Key Archival
The private key database is the same as the database used to store the certificate requests. The Windows Server
2003 Certification Authority database has been extended to support storing the encrypted private key along with
the associated encrypted symmetric key and issued certificate. The recovery blob will be stored in the same row
as the signed certificate request and any other information the CA persists in its database for each request
transaction. The actual encrypted blob is stored as an encrypted PKCS #7 blob.
The Microsoft Certification Authority uses the JET database engine upon which various JET utilities may be
used for maintenance purposes.
QUESTION NO: 19
You are the network administrator for Alecnet. The network consists of a single Active Directory
forest. The forest contains Windows Server 2003 servers and Windows XP Professional computers.
The forest consists of a forest root domain named Alecnet.com and two child domains named
child1.Alecnet.com and child2.Alecnet.com. The child1.Alecnet.com domain contains a member server
named AlecnetSrvC. You configure AlecnetSrvC to be an enterprise certification authority (CA), and
you configure a user certificate template. You enable the Publish certificate in Active Directory setting in
the certificate template. You instruct users in both the child1.Alecnet.com and the child2.Alecnet.com
domains to enroll for user certificates.
You discover that the certificates for user accounts in the child1.Alecnet.com domain are being published
to Active Directory, but the certificates for user accounts in the child2.Alecnet.com domain are not.
You want certificates issued by AlecnetSrvC to child2.Alecnet.com domain user accounts to be
published in Active Directory.
What should you do?
A. Configure user certificate autoenrollment for all domain user accounts in the Alecnet.com.
B. Configure user certificate autoenrollment for all domain user accounts in the child2.Alecnet.com
domain.
C. Add AlecnetSrvC to the Cert Publisher group in the Alecnet.com domain.
D. Add AlecnetSrvC to the Cert Publisher group in the child2.Alecnet.com domain.
Answer: D
Explanation: The problem here is that AlecnetSrvC doesn’t have the necessary permission to publish
certificates for users in child2.Alecnet.com. We can solve this problem by adding AlecnetSrvC to the Cert
Publisher group in the child2.Alecnet.com domain.
Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;219059
QUESTION NO: 20
You are a network administrator for Alecnet. The network consists of a single Active Directory domain
named Alecnet.com. The functional level of the domain is Windows Server 2003. All domain controllers
run Windows Server 2003. The domain controllers are configured as shown in the following table.
You plan to take AlecnetSrvD offline for maintenance. Another network administrator plans to add
1,250 new user accounts while AlecnetSrvD is offline.
You need to ensure that the network administrator can add the user accounts while AlecnetSrvD is
offline. You also need to ensure that there is no disruption of user account creation after AlecnetSrvD is
brought back online.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Connect to AlecnetA by using the Ntdsutil utility.
B. Connect to AlecnetSrvD by using the Ntdsutil utility.
C. Remove the global catalog server role from AlecnetSrvD.
D. Add the global catalog server role to AlecnetSrvD.
E. Transfer the RID master role.
Answer: A, E
Explanation: The RID master is assigned to allocate unique sequences of relative IDs to each domain
controller in its domain. As the domain controllers use the IDs allocated, they contact the RID master and are
allocated additional sequences as needed. At any time, the RID master role can be assigned to only one domain
controller in each domain. The Relative ID is part of a security ID (SID) that uniquely identifies an account or
group within a domain. We will be creating 1250 new user accounts so the domain controller will need to
contact the RID master to obtain more RIDs.
We can transfer the RID master role using the ntdsutil utility.
Incorrect Answers:
B: We need to connect to the computer we will be transferring the role to, not from.
C: We have a Global Catalog on AlecnetSrvA. We don’t need another one.
D: AlecnetSrvD is already a global catalog server.
Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_adTransRIDMaster.asp
QUESTION NO: 21
You are the network administrator for Alecnet. The network consists of a single Active Directory forest
that contains three domains. The functional level of all three domains is Windows 2000 native.
Your company is merging with a company named Acme. The Acme network consists of a single Active
Directory forest that contains one domain named acme.com. The functional level of the domain is
Windows 2000 native. The forests of both companies are shown in the exhibit.
You need to allow users in each forest to fully access resources in the domains of the other forest. In
addition, users must be able to log on between domains by using Kerberos authentication. You need to
ensure that users can continue to access all resources by using their existing user accounts.
What should you do?
A. Demote the Windows 2000 domain controllers in the acme.com domain to become member servers.
Promote these servers into the Alecnet.com domain.
B. Demote the Windows 2000 domain controllers in the acme.com domain to become member servers.
Upgrade these servers to Windows Server 2003.
Promote the upgraded computers to become domain controllers for a new domain tree in the Alecnet
forest.
C. Upgrade the Windows 2000 domain controllers in the acme.com domain to Windows Server 2003.
Create external trust relationships between the root domains of each forest.
D. Upgrade all domain controllers in both forests to Windows Server 2003.
Raise the functional level of both forests to Windows Server 2003.
Create a forest trust relationship between the root domains of each forest.
Answer: D
Explanation: To enable users in each forest to fully access resources in the domains of the other forest and log
on to either domain with Kerberos authentication, we need to create a forest trust between the two forests. To
create a forest trust, both forests must be at the Windows Server 2003 forest functional level, which requires that all
domain controllers in each domain run Windows Server 2003.
Incorrect Answers:
A: This will decommission the acme.com domain/forest. This isn’t a requirement.
B: This will decommission the acme.com forest. This isn’t a requirement.
C: We need a forest trust to enable Kerberos authentication across the trust link.