
Question 1:

A smart card is a credit-card-sized device that is inserted into a smart card reader, which
is either installed internally in your computer or connected externally to your computer.
Which of the following protocols must be enabled to support smart card logon?
Correct Answer: E
EAP
Explanation: If a certificate is installed either in the certificate store on your computer or
on a smart card, and the Extensible Authentication Protocol (EAP) is enabled, you can
use certificate-based authentication in a single network logon process, which provides
tamper-resistant storage of authentication information.
Question 2:
You currently are the administrator for a network with four servers and 150 clients. 50 of
the clients have just had Windows XP Professional installed and have been configured
with the default settings. You would like all of the Windows XP Professional clients to
automatically register themselves with the DNS server.
You install a domain controller for a domain named certtutor.net but do not configure
DNS as part of the installation. After finishing the install of Active Directory, you configure
a standard primary zone for the certtutor.net domain on the domain controller. What
additional steps must you take to ensure that the Windows XP Professional clients will
get registered with the DNS server? Choose all that apply.
Correct Answer: C, E
Enable the zone for the certtutor.net domain to accept dynamic updates.
Install a DHCP server and configure the scope options so that the clients will use the
new domain controller as their DNS server.
Explanation: If you create a DNS zone after installing Active Directory, the zone must be
configured for dynamic updates. This can be done through the DNS console by setting the "Allow
dynamic updates?" of the zone to Yes. By default, all Windows XP clients are DHCP clients and
will attempt to register their DNS records with the DNS server. You do not need to configure the
DHCP server to enable updates for DNS clients that do not support dynamic updates unless you
have pre-Windows 2000 clients that you would like to be automatically registered with the DNS
server.
Question 3:
Marc is currently the network administrator for a large financial institution. Recently there have
been cases of inconsistent network behavior, which Marc believes could be due to a
malfunctioning router. Which Windows Server 2003 utility would be best for Marc to use to
determine the amount of packet loss at a given router or link?
Correct Answer: E
Pathping
Explanation: The pathping command is a route tracing tool that combines features of the ping
and tracert commands with additional information that neither of those tools provides. The
pathping command sends packets to each router on the way to a final destination over a period of
time, and then computes results based on the packets returned from each hop. Since the command
shows the degree of packet loss at any given router or link, it is easy to determine which routers
or links might be causing network problems.
Question 4:
You are assigning a range of IP addresses to hosts on your Windows 2003 network. You would
like to use the network ID of 117.72.32.0/20. What is the available range of IP addresses that you
can use given the network ID specified above?
Correct Answer: B
117.72.32.1 - 117.72.47.254
Explanation: A network ID of 117.72.32.0/20 means that a subnet mask will be used that contains
20 1s in its binary form (the decimal equivalent is a subnet mask of 255.255.240.0).
The subnet mask will look like the following:
11111111 11111111 11110000 00000000
Therefore, the first 20 bits of an IP address will represent the network ID and the last 12
bits will represent the host ID. In this case the network portion will be:
01110101 01001000 0010
The smallest host ID will be:
0000 00000001
which will yield an IP address of 117.72.32.1. Note that all zeros is not a valid host ID.
The largest host ID will be:
1111 11111110
which will yield an IP address of 117.72.47.254. Note that all ones is not a valid host ID.
Therefore the available address range given a network ID of 117.72.32.0/20 will be
117.72.32.1 - 117.72.47.254.
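As an added worked example (not part of the original question set), the following Python reproduces the explanation's hand calculation for any IPv4 CIDR block: it builds the mask from the prefix length, shows its binary form, and derives the first and last usable hosts by taking the all-zeros host ID plus one and the all-ones host ID minus one.

```python
# Added example, not part of the original question set. It performs the
# subnetting calculation from the explanation for an arbitrary CIDR block,
# working on the 32 address bits directly rather than through a library.


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_mask(prefix: int) -> int:
    """Prefix length -> mask with `prefix` leading 1 bits (a /20 gives 255.255.240.0)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def binary_octets(value: int) -> str:
    """Render a 32-bit value as four 8-bit groups, the way the explanation writes the mask."""
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def host_range(cidr: str) -> dict:
    """Return mask, network ID, usable host range and broadcast for a CIDR block.

    The all-zeros host ID is the network itself and the all-ones host ID is the
    broadcast address, so neither is assignable. A /31 or /32 leaves no room for
    that convention, so first/last host are reported as None for those prefixes.
    """
    address, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = subnet_mask(prefix)
    network = ip_to_int(address) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    if prefix >= 31:
        first = last = None
    else:
        first = network + 1   # host bits 0000...0001
        last = broadcast - 1  # host bits 1111...1110
    return {
        "mask": int_to_ip(mask),
        "mask_bits": binary_octets(mask),
        "network": int_to_ip(network),
        "first_host": int_to_ip(first) if first is not None else None,
        "last_host": int_to_ip(last) if last is not None else None,
        "broadcast": int_to_ip(broadcast),
        "host_count": (broadcast - network - 1) if prefix < 31 else 0,
    }


if __name__ == "__main__":
    # The block from Question 4.
    for key, value in host_range("117.72.32.0/20").items():
        print(f"{key:11}: {value}")
```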

Question 5:
Rooska is very concerned about someone gaining unauthorized access to several documents that
he shares with co-workers. Rooska's computer is a member of a workgroup called ProjectA1 and
he has local administrator rights to his machine. He has configured the NTFS permissions
properly so that only the appropriate people have access to the files. He also would like to
configure his computer so that the data sent to other machines is sent in an encrypted format.
Rooska configures his machine with an IP Security (IPSec) policy of Client (Respond
Only). However, when Rooska tests the IPSec policy he finds that not all of the data
being sent from his computer is being sent in an encrypted format. Which of the
following is the best explanation for this behavior?
Correct Answer: C
The Client (Respond Policy) does not secure data unless the destination computer requests it.
Therefore data sent from a machine with the IPSec policy of Client (Respond Policy) is not
guaranteed to be encrypted.
Explanation: IPSec, the long-term direction for secure networking, is a suite of cryptography-based
protection services and security protocols. Because it requires no changes to applications or
protocols, you can easily deploy IPSec on existing networks.
Activating the Client (Respond Only) IPSec policy will not secure traffic unless the
destination computer requests it. A server policy may need to be customized to work
transparently with some programs and networks.
Question 6:
Upon arriving at work one morning, you find that some of your users are complaining about
connectivity problems. It turns out that they can communicate fine with some of the other
machines on their network segment, but are having trouble communicating with other machines
on their network segment.
Furthermore, they are unable to access any network resources on other segments. What
is most likely the issue here and how would you best resolve it?
Correct Answer: D
Some machines may have received Automatic Private IP Addresses. Use the Ipconfig utility to
determine what IP addresses they have been assigned and check to see if a functioning DHCP
server is available for their segment.
Explanation: Automatic Private IP Addressing can assign a TCP/IP address to DHCP clients
automatically. However, Automatic Private IP Addressing doesn't generate all the information that
typically is provided by DHCP, such as the address of a default gateway.
Consequently, computers enabled with Automatic Private IP Addressing can
communicate only with computers on the same subnet that also have addresses of the
form 169.254.x.y (addresses that have also been assigned through Automatic Private IP
Addressing). If the switch were broken, they could not communicate with other systems
on their subnet.
Question 7:
Your network contains two routed subnets: Subnet A and Subnet B. Subnet B contains a Windows
Server 2003 system configured as a DHCP server. This server has scopes created for both Subnet
A and Subnet B. Subnet A does not contain a DHCP server.
The clients on Subnet A are not receiving IP addresses from the DHCP server. What can
you do to enable clients in Subnet A to receive dynamically assigned IP addresses?
Choose all that apply.

Correct Answer: C, D, F
Configure an RFC 1542-compliant router to forward BOOTP messaging between subnets.
Configure a DHCP relay agent on Subnet A to forward DHCP messages to Subnet B.
Install and configure a DHCP server on Subnet A.
Explanation: If you require the DHCP service to support additional subnets on your routed
network, you must first determine whether the routers used to connect adjoining subnets can
support relaying of BOOTP and DHCP messages. If your routers are not RFC 1542-compliant
and cannot be used for DHCP and BOOTP relay, you have two additional options.
1. You can configure a computer running either Windows Server 2003, Windows 2000
Server or Windows NT Server 4.0 as a DHCP Relay Agent component. This computer
selectively forwards messages back and forth between clients on the local subnet and a
remote DHCP server, using the IP address of the remote server.

2. A computer running Windows Server 2003 can be configured as a DHCP server for
the local subnet. This server computer must contain and manage scope and other
address-configurable information for the local subnet it serves.
Question 8:
Rooska is setting up dial-up connections for a group of users on the network that he administers.
He would like to configure the dial-up connection to require data encryption for all connections.
Which of the following protocols support data encryption? Choose all that apply.

Correct Answer: A, D, F
MS-CHAP v2
MS-CHAP
EAP/TLS
Explanation: Remote access connections, whether dial-up or virtual private network
connections, can be configured to enforce various levels of password authentication and data
encryption. Security considerations and usability issues are the determining factors as to which
methods of authentication and encryption to require. Authentication methods range from
unencrypted to custom, such as the Extensible Authentication Protocol (EAP).
Data is only encrypted if MS-CHAP, MS-CHAP v2, or EAP/TLS authentication is
negotiated. These are the only authentication protocols that generate their own initial
encryption keys, which are required for encryption.
Question 9:
Oksana has configured a Windows XP Professional machine in a small branch office to have a
dial-up 56K connection to the Internet. She would like to make that connection available to the
other users in the branch office through the Internet Connection Sharing (ICS) feature in
Windows XP. How can she enable ICS on a network connection?

Correct Answer: C
Open Network and Dial-up Connections, right-click the connection that you want to share,
choose properties and select the "Enable Internet connection sharing for this connection" check
box from the sharing tab.
Explanation: To enable Internet connection sharing on a network connection:
1. Open Network and Dial-up Connections
2. Right-click the dial-up, VPN, or incoming connection you want to share, and then click
Properties.
3. On the Sharing tab, select the Enable Internet connection sharing for this connection
check box.
4. If you want this connection to dial automatically when another computer on your home
network attempts to access external resources, select the Enable on-demand dialing
check box.
Question 10:
In Windows 2003 you are presented with two possible tunnelling protocols: L2TP and PPTP.
Which of the following are correct statements about the differences between L2TP and PPTP?
Choose all that apply.

Correct Answer: A, C, D
PPTP has built-in encryption while L2TP does not.
L2TP supports tunnel authentication while PPTP does not.
L2TP can transmit over Frame Relay, X.25 or ATM while PPTP cannot.
Explanation: L2TP supports tunnel authentication while PPTP does not. L2TP supports header
compression while PPTP does not.
PPTP and L2TP can both run on IP-based networks although L2TP has the ability to
encapsulate PPP frames over X.25, Frame Relay and ATM networks as well. L2TP
provides the optional use of IPSec encryption while PPTP uses built-in PPP encryption,
sometimes called Microsoft Point-to-Point Encryption (MPPE).
Question 11:
You are currently configuring a box running Windows Server 2003 named ServerWest7.
Occasionally you will use a dial-up connection from this computer to connect to another
computer in a different location and retrieve information. The remote computer does not currently
have a connection to the Internet.
Which remote access protocols can you use on ServerWest7 to establish the
connection? Choose all that apply.

Correct Answer: A, C
Point-to-Point Protocol
Serial Line Internet Protocol
Explanation: The two protocols supported for remote access connections in Windows 2003 are
Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP). Windows 2003 operating
systems can be PPP clients or SLIP clients. They can also host PPP connections. However, they
cannot host SLIP connections.
Layer Two Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) are
protocols used in Virtual Private Networks (VPNs). A VPN allows two computers to
communicate with each other through existing connections to the Internet. Since the
remote computer in the above example is not connected to the Internet, L2TP and PPTP
will not be used.
The Microsoft RAS protocol is an older networking protocol used on clients running
Windows NT version 3.1, Windows for Workgroups, Microsoft MS-DOS and Microsoft
LAN Manager.
Question 12:
You have recently upgraded a server running Windows NT 4.0 to Windows Server 2003. After
finishing the upgrade to Windows Server 2003 you decide to promote the server to a domain
controller through the use of the DCPromo.exe utility. Because you do not have any existing DNS
servers on the network you choose to create a DNS zone during the Active Directory install. What
type of zone is created when you perform such an action?

Correct Answer: C
Active Directory-Integrated Zone
Explanation: If no DNS server is present on the network when you install Active Directory you
have the option to install DNS and create a zone. By default, this zone will be an Active
Directory-Integrated Zone.
Question 13:
You wish to install a VPN server on one of the Windows Server 2003 systems that exist within
your organization. The server has an Ethernet card that is connected to a cable modem which in
turn is connected via an ISP to the Internet. The server also has another Ethernet card that is
connected to the local intranet. You wish to secure the VPN server from sending or receiving any
traffic on its Internet interface, except for PPTP or L2TP over IPSec traffic from branch office
routers or remote access clients. Which of the following should you do?

Correct Answer: C
Configure PPTP and L2TP over IPSec input and output filters on the Internet interface.
Explanation: PPTP and L2TP over IPSec input and output filters need to be configured on the
Internet interface. Configuring them on the intranet interface will not secure the Internet interface
from receiving and sending traffic other than that specified. You would not use a remote access
policy to do this sort of protocol filtering.
Question 14:
You are responsible for a Remote Access Server in a Windows 2003 functional level domain. The
remote access permission for all user accounts is set to "Control access through Remote-Access
Policy". One of your users named Suresh is a member of the Canadians group and the Tutors
group. The Tutors group has been granted remote access permission through a remote access
policy ("Policy1"). However, the Canadians group has been denied remote access permission
through a different remote access policy ("Policy2"). Because Policy1 is listed first and Policy2 is
listed second, Suresh is permitted to dial in to the Remote Access Server. Another user on your
network named Mike is only a member of the Canadians group and therefore cannot access the
Remote Access Server. He asks you to modify the configuration to allow members of the
Canadians group to dial in to the server. If you agree to do so what action would you perform to
accomplish this?

Correct Answer: C
Using Routing and Remote Access, change the permission for Policy2 from "Deny remote access
permission" to "Allow remote access permission".
Explanation: If you would like to allow connections only for those user accounts that belong to a
specific set of groups perform the following steps:
1. Create a new policy.
2. Add the Windows-Groups condition to the new policy, and then add the groups that
are allowed remote access.
3. Select the Grant remote access permission option on the new policy.
Question 15:

You would like to monitor the security of traffic on your corporate LAN. You are aware that
certain types of traffic are being encrypted using IPSec. You decide to run the IPSecMon utility to
view additional information. Which of the following statistics can you view through the
IPSecMon utility? Choose all that apply.

Correct Answer: A, B, C, F
Key Additions
Authenticated Bytes Sent
Active Associations
Bad SPI Packets
Explanation: The IP Security Monitor (IPSecMon) is a Windows-based tool used to confirm
whether your secured communications are successful by displaying the active security
associations on local or remote computers. IPSecMon can be run locally or remotely if you have a
network connection to the remote computer. IPSecMon displays an entry for each active security
association. Among the statistics that you can view using IPSecMon are Active Associations,
Authenticated Bytes Sent, Bad SPI Packets and Key Additions.
Question 16:
A virtual private network (VPN) is the extension of a private network that encompasses links
across shared or public networks like the Internet. With a VPN, you can send data between two
computers across a shared or public network in a manner that emulates a point-to-point private
link. Virtual private networking is the act of creating and configuring a virtual private network.
Which of the following are protocols that you can use to connect to a Windows 2003
VPN Server via the Internet? Choose all that apply.

Correct Answer: C, E
L2TP
PPTP
Explanation: L2TP is an industry-standard Internet tunneling protocol that does not require IP
connectivity between the client workstation and the server. It requires only that the tunnel
medium provide packet-oriented point-to-point connectivity.
PPTP is a networking technology that supports multiprotocol virtual private networks
(VPNs), enabling remote users to access corporate networks securely across the
Internet or other networks by dialing into an Internet service provider (ISP) or by
connecting directly to the Internet.
Question 17:
You wish to set a Windows Server 2003 system as a WINS Proxy. Which of the following is the
registry key that you should add the value EnableProxy to, and set it to 1?

Correct Answer: A
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Explanation: A WINS proxy is a WINS client computer configured to act on behalf of other host
computers that cannot directly use WINS. WINS proxies help resolve NetBIOS name queries for
computers located on routed TCP/IP networks.
Question 18:
To properly configure DNS, it is essential to understand the various types of records that can be
created. Which of the following answer choices properly matches the DNS resource record type
with its proper description?

Correct Answer: D
A = Host Record, CNAME = Alias Record, SRV = Service Resource Record
Explanation: An A record is a host record.
A CNAME record is an alias record or a canonical name record.
An SRV record is a service resource record.
Question 19:
A reverse DNS lookup does which of the following?

Correct Answer: D
Provides IP to FQDN address resolution.
Explanation: An example of a reverse DNS lookup would be opening a command prompt in
Windows Server 2003 and typing:
Nslookup 128.250.213.163
If you are connected to the Internet and your DNS is properly configured, it should
return:
Name: adhocalypse.arts.unimelb.edu.au
Address: 128.250.213.163
Question 20:
You have just installed a brand new Primary Windows Server 2003 DNS server on your brand
new network. This DNS server has been set up by you to host your new internet domain
funkyj.com.au. This server is hosted on the IP address 203.31.20.2. At the moment you only have
5 hostnames listed in your database. This list is as follows:
router.funkyj.com.au IN A 203.31.20.1
dns.funkyj.com.au IN A 203.31.20.2
mail.funkyj.com.au IN A 203.31.20.3
fileserv.funkyj.com.au IN A 203.31.20.4
wrkstn1.funkyj.com.au IN A 203.31.20.5
At present wrkstn1.funkyj.com.au is using your ISP's DNS servers to serve its requests.
Up until this point in time you have been servicing internal addresses via a Hosts file.
However in the next 2 months you plan on migrating fully to Active Directory and are
hence aware that you need a proper DNS for internal resolution.
Before you go on with installing a secondary server you want to check out whether or not
things are working correctly on this DNS server. You run a command prompt on the
Windows XP Professional workstation wrkstn1.funkyj.com.au and type
nslookup - 203.31.20.2
And then enter the following, one on each line:
fileserv.funkyj.com.au
203.31.20.4
www.mcsetutor.com

The queries for fileserv.funkyj.com.au and www.mcsetutor.com come back with the
expected IP addresses. However, when you do a query for the IP address 203.31.20.4
you get an error. What is the most likely cause of the problem?

Correct Answer: B
The reverse lookup zone is not correctly configured for your new DNS server.
Explanation: When an IP will not resolve to an FQDN on your local DNS server it most likely
indicates that the reverse lookup zone has not been configured correctly. You do not need a
reverse lookup zone to be properly configured for Active Directory to function but you will need
it configured properly if you would like to resolve IP addresses to FQDNs.
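As an added example covering both the reverse lookup in Question 19 and the failing query in Question 20 (not part of the original question set), this Python derives the in-addr.arpa PTR records from the five A records listed above, resolves 203.31.20.4 against them, and shows the same query failing when no reverse zone exists. The error text is constructed for the example and is not nslookup's wording.

```python
# Added example, not part of the original question set. It derives the
# in-addr.arpa reverse zone from the A records in Question 20 and shows why the
# query for 203.31.20.4 fails while that zone is missing.

# The A records listed in the question (trailing dots mark absolute names).
FORWARD_RECORDS = {
    "router.funkyj.com.au.": "203.31.20.1",
    "dns.funkyj.com.au.": "203.31.20.2",
    "mail.funkyj.com.au.": "203.31.20.3",
    "fileserv.funkyj.com.au.": "203.31.20.4",
    "wrkstn1.funkyj.com.au.": "203.31.20.5",
}


def reverse_name(ip: str) -> str:
    """Map an IPv4 address to its PTR owner name: 203.31.20.4 -> 4.20.31.203.in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def build_reverse_zone(forward: dict) -> dict:
    """Generate PTR records (owner name -> FQDN) from a forward zone's A records.

    Forward and reverse zones are maintained separately, which is why an A record
    alone never makes an address resolve back to a name. If two names share an
    address the first one listed is kept; which name a PTR should return is an
    administrative decision, not something DNS works out for you.
    """
    reverse = {}
    for fqdn, ip in forward.items():
        reverse.setdefault(reverse_name(ip), fqdn)
    return reverse


def lookup_ptr(ip: str, reverse_zone: dict) -> str:
    """Resolve IP -> FQDN from PTR records, failing the way an unconfigured zone does.

    The error message is constructed for this example; it is not nslookup's output.
    """
    owner = reverse_name(ip)
    if owner not in reverse_zone:
        raise LookupError(f"no PTR record for {ip} ({owner}): reverse zone not configured")
    return reverse_zone[owner]


def reverse_zone_lines(reverse_zone: dict) -> list:
    """Render the PTR records in zone-file style, one record per line."""
    return [f"{owner} IN PTR {fqdn}" for owner, fqdn in sorted(reverse_zone.items())]


if __name__ == "__main__":
    # Without a reverse zone the forward lookup works but the reverse one fails,
    # which is the situation described in Question 20.
    print("forward:", FORWARD_RECORDS["fileserv.funkyj.com.au."])
    try:
        lookup_ptr("203.31.20.4", {})
    except LookupError as err:
        print("reverse (no zone):", err)

    # Once the reverse zone exists, the same query returns the FQDN.
    zone = build_reverse_zone(FORWARD_RECORDS)
    print("\n".join(reverse_zone_lines(zone)))
    print("reverse (with zone):", lookup_ptr("203.31.20.4", zone))
```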
Question 21:
You are the new Network Administrator at FunkyJ Industries. FunkyJ has their headquarters in
downtown Melbourne as well as 4 offices in different suburbs scattered throughout Melbourne.
There is an existing WAN in place and all suburban sites are connected via ISDN to a central site
that in turn has a T3 link to the Internet.
Each site has about 100 hosts running Windows XP Professional and two Windows
Server 2003 servers. One of the servers is used as a file server, and the other is running
Terminal Services in Application Server mode. The XP Pro workstation users are using
StarOffice for most of their productivity work, Outlook Express for e-mail and Internet
Explorer for Web browsing.
FunkyJ industries runs a legacy database called MikTek and users on their XP Pro
desktops connect via the Terminal Services client to access it. The machine running
Terminal Services in each site also has a 56K modem installed. From time to time this
modem is used to dial into a supplier's server and exchange data. This exchange
typically takes place on Thursdays at 4 PM. Your corporate e-mail server is located on
the central site, an old Sun box running Sendmail. Your DNS servers are also located at
the central site.
On Monday, the router at one of the suburban sites (named Waverley) fails completely.
You do not have a hot spare and you will not be able to get another one from your
supplier for 2 days. You have been out to the site and the users are upset because now
they can't retrieve their email from the mail servers at central office. Your manager would
like you to find some way for the people at this site to access their e-mail and suggests
that perhaps e-mail can be received over the 56K modem in the Terminal Server. Until
the router is back up, she wants the traffic limited to sending and receiving e-mail off the
server in head office.
Which of the following should you do to accomplish this?

Correct Answer: C
Set up routing and remote access on two Terminal Servers on the Waverley Office Terminal
Server and on one of the other suburban servers running Terminal Services. Run the Remote
Access Server Setup Wizard on the suburban server that you want to be dialed into from the
Waverley server. Set up a static pool of IP addresses from spare IP addresses on the suburban
subnet and allow the suburban RRAS/Terminal server to allocate these to dial-in clients. Use
remote access policies on the RRAS/Terminal server to set the Calling-Station-ID to that of the
phone line connected to the Modem on the Waverley RRAS/Terminal server and set up the IP
Packet Filters on the Suburban RRAS/Terminal server to allow TCP traffic on port 25. Similarly
set up the IP Packet Filters on the Suburban RRAS/Terminal server to deny TCP traffic on ports
21, 22 and 80. Run the demand-dial interface wizard on the Waverley RRAS/Terminal server.
Select a Username/Password combination that will be authenticated by the suburban
RRAS/Terminal server. Enter the phone number of the Suburban RRAS/Terminal server. Give the
interface a name and create a static IP route with the interface name, the address of the suburban
network with the RRAS/Terminal server and the subnet mask of that network. Change the default
gateway on all clients on the Waverley subnet to the IP address of the Waverley RRAS/Terminal
server.
Explanation: None of the other options come close to attempting to fulfill all of the requirements
specified in the scenario. The best way to limit the temporary link to all traffic but mail is by
denying the popular ports (FTP/Telnet/Web) and only allowing the Mail port. The question
specified that a Sendmail server was being used with Outlook Express clients. Therefore traffic
between this client and server is going to run over TCP port 25.
Question 22:
You are running Windows Server 2003 DNS servers. You have one primary server and several
secondary servers. At the moment changes are processed by the primary and then pulled to the
secondary. The hardware on your primary server and your secondary servers is the same and your
environment is entirely Windows 2003 with XP workstations.
You wish to load balance changes to the DNS database more effectively and allow all
servers to accept DNS updates (rather than just the primary DNS server). Which of the
following should you do?

Correct Answer: B
Start the DNS MMC on the Primary DNS server. Select the DNS zone you want to change.
Right-click and select change. Select "Active Directory integrated" and select OK. Repeat this
step on all of the secondary DNS servers.
Explanation: Active Directory-integrated zones offer load balancing and fault tolerance. They offer
the benefits of multi-master replication versus the single-master replication present in standard
DNS zones. You may only run Active Directory-integrated zones on servers running Windows
2000.
Question 23:
You are the administrator for a manufacturing company. You want to institute smart card security
on your network so that certain people can only log onto their machines if they have swiped their
card through a reader and entered their PIN. Which of the following protocols is required on the
Routing and Remote Access Server if you wish to require this for remote users as well?

Correct Answer: C
EAP
Explanation: EAP stands for Extensible Authentication Protocol. There is an extension to PPP
called EAP/TLS. When EAP/TLS is enabled, a remote access user is prompted to insert the smart
card and enter the PIN during network logon authentication.
Question 24:

There are two Windows Server 2003 systems in the Accounting Department of the company that
you work for. You need to make sure they communicate securely with one another. You perform the
following actions on each:

1. Run MMC

2. On the Console menu, click Add/Remove Snap-in.

3. In the Add/Remove Snap-in dialog box, click Add.

4. In the Add Standalone Snap-in dialog box, click Computer Management, and then
click Add.

5. Verify that Local Computer is selected, and click Finish.

6. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add.

7. Verify that Local Computer is selected in the Group Policy Object dialog box, and
click Finish.

8. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

9. Select Computer Account, and click Next.

10. Verify that Local Computer is selected, and click Finish.

11. Close the Add Standalone Snap-in dialog box.

12. Close the Add/Remove Snap-in dialog box.


Repeat steps 1-12 on the second machine.

13. In the MMC console, select IP Security Policies on Local Machine from the left pane.

14. Right-click Secure Server, and then choose Assign.

15. Repeat step 13 on the second server. Right-click Client, and then choose Assign.
From the second server, you run a command prompt and ping the IP address of the first server.
You receive the following response:
Pinging 192.168.0.25 with 32 bytes of data:
Negotiating IP Security
Negotiating IP Security
Negotiating IP Security
Negotiating IP Security
Ping statistics for 192.168.0.25:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
What do you need to do to get a normal ping response and reduce the packet loss to an
acceptable level?

Correct Answer: A
Ping the first server again. The two servers will have now established an IPSec security
association and the ping will work fine.
Explanation: The client initially sends unprotected ICMP packets to the server, but the server
requires some sort of security from the client. This will be automatically negotiated so that the
next time a ping is attempted it should be successful. If the second computer is switched to
"secure server" as answer choice C states, it would not send any traffic until it had negotiated
IPSec protection. If the first computer is set to "client" as answer choice D states, no data is
protected as neither side will request security and therefore the objective will not be achieved.
Question 25:
You would like to apply encryption settings to the dial-in connections of your users. You would
like to configure this through the Encryption tab of the Dial-in Profile. You notice four check
boxes there to choose from: No Encryption, Basic, Strong and Strongest. Which of the following
correctly describes the types of encryption that can be used with the Basic, Strong and Strongest
levels of encryption?

Correct Answer: C
Basic encryption allows for IPSec 56-bit DES or MPPE 40-bit encryption. Strong encryption
allows for IPSec 56-bit DES or MPPE 56-bit encryption. Strongest encryption allows for IPSec
Triple DES (3DES) or MPPE 128-bit encryption.
Explanation: There are four levels of encryption that you can configure as part of a Remote Access
Profile:
No Encryption: When selected, this option allows a non-encrypted connection. To require
encryption, clear the No Encryption option.
Basic: For dial-up and PPTP-based VPN connections, Microsoft Point-to-Point
Encryption (MPPE) with a 40-bit key is used. For L2TP over IPSec-based VPN
connections, 56-bit DES encryption is used.
Strong: For dial-up and PPTP-based VPN connections, MPPE with a 56-bit key is used.
For L2TP over IPSec-based VPN connections, 56-bit DES encryption is used.
Strongest: For dial-up and PPTP-based VPN connections, MPPE with a 128-bit key is
used. For L2TP over IPSec-based VPN connections, triple DES (3DES) encryption is
used.
Question 26:
You want to set up an IPSec connection on two computers located on two different sides of the
city via the corporate Intranet. Each computer is connected to a local Cisco 2501 router which in
turn is connected to the ISP's router. Traffic travels across 3 routers on the ISP's network then to
the corresponding router on the other side and finally to the other PC. These routers are all part of
the corporate Intranet, though one of them routes traffic out to the Internet as well.
Most of your WAN infrastructure has been outsourced so you are only responsible for
the LAN up to the 2501 routers. Which of the following do you need to do to set up an
IPSec connection between these two locations?

Correct Answer: B

Configure the end node computers with IPSec. The routers will not need configuration to pass
this encrypted traffic across your WAN.
Explanation: It is important to understand that IPSec only needs to be activated on the clients. A
tunnel is activated between the two endpoints using encrypted IP communication. Similar to
encrypted e-mail, the e-mail is sent normally. The difference is merely that one end encrypts it
and the other end decrypts it. IPSec can be configured in other ways, but ultimately things like
routers and switches do not need to be IPSec aware.
Question 27:
You are the Remote Access Administrator at the company Crunchyteeth. You wish to set up your
remote access policy so that users are locked out for 48 hours if they enter the wrong password 5
consecutive times when dialing up to the remote access server. The Routing and Remote Access
Server has been set up and installed with default settings. A new group has been created called
crunchyrasusers consisting of those users who require the ability to dial in.
Your boss also suspects that people who aren't members of the authorized RAS users
group are somehow gaining access to the dialup server. Also, she wants to limit normal
users' access to the server to non-business hours.
Primary Goal: Deny Users Access for 48 hours if they enter the incorrect password 5
times.
Secondary Goals: 1. Limit access to RAS service to members of the crunchyrasusers
group. 2. Restrict RAS access to between 5pm and 8am for normal users. 3. Allow
Administrators unlimited access to the RAS server at all times.
Which of the following achieves your primary goal but does not achieve any of your
secondary goals?

Correct Answer: D
Perform the following actions:
- Run regedit or regedt32.
- Go to the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
- Change the entry on MaxDenials from zero to five.

Explanation: In this question you were asked to make sure that the primary goal was satisfied
and that none of the secondary goals were. The default lockout period is 48 hours, which is
represented in hexadecimal as b40. If that doesn't make sense to you, translate it back into
decimal and divide by 60. If you wanted to change it to 24 hours, simply multiply 24 by 60 and
translate the result into hexadecimal. The value to change is in the same subkey and is called ResetTime.
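The hours-to-hexadecimal arithmetic in this explanation, and the way MaxDenials and ResetTime work together, as an added Python illustration that is not part of the original question bank. The DialInLockout class is a simplified model of the behaviour the explanation describes (a failed-attempt counter that trips after MaxDenials and is cleared once ResetTime minutes have passed); it is not Windows or RRAS code, and the user names and attempt times in the usage at the bottom are constructed.

```python
"""Worked example for the RemoteAccess AccountLockout values (Question 27).

Added illustration, not part of the original question bank. The lockout
class is a simplified model of the registry semantics, not Windows code.
"""


def hours_to_reset_time(hours: float) -> int:
    """ResetTime is stored in minutes: 48 h -> 2880 (0xb40)."""
    return int(hours * 60)


def reset_time_to_hours(minutes: int) -> float:
    """Reverse conversion: 0xb40 = 2880 minutes -> 48 h."""
    return minutes / 60


def reset_time_hex(hours: float) -> str:
    """The value as it appears in a hexadecimal registry editor, e.g. 'b40'."""
    return format(hours_to_reset_time(hours), "x")


def parse_reg_hex(text: str) -> int:
    """Parse a hexadecimal registry value such as 'b40' or '0xb40'."""
    return int(text, 16)


class DialInLockout:
    """Simplified model (assumption) of MaxDenials / ResetTime behaviour.

    MaxDenials = 0 (the default) disables lockout entirely; the answer to
    the question sets it to five. ResetTime is the number of minutes after
    which the failed-attempt counter, and any lockout, is cleared.
    """

    def __init__(self, max_denials: int = 5, reset_time_minutes: int = 2880):
        self.max_denials = max_denials
        self.reset_time = reset_time_minutes
        # user -> (failed_count, minute of first failure in this window)
        self._state = {}

    def attempt(self, user: str, password_ok: bool, now_minutes: int) -> bool:
        """Process one dial-in authentication; return True if it is accepted."""
        count, since = self._state.get(user, (0, now_minutes))
        # The counter (and lockout) expires once ResetTime minutes have passed.
        if now_minutes - since >= self.reset_time:
            count, since = 0, now_minutes
        locked = self.max_denials > 0 and count >= self.max_denials
        if locked:
            self._state[user] = (count, since)
            return False          # denied even with the right password
        if password_ok:
            self._state.pop(user, None)   # success clears the counter
            return True
        self._state[user] = (count + 1, since)
        return False


if __name__ == "__main__":
    print("48 h ->", hours_to_reset_time(48), "minutes =", reset_time_hex(48))
    print("24 h ->", hours_to_reset_time(24), "minutes =", reset_time_hex(24))
    lk = DialInLockout(max_denials=5, reset_time_minutes=hours_to_reset_time(48))
    # Constructed scenario: five bad passwords for "alice" in five minutes.
    for minute in range(5):
        lk.attempt("alice", False, minute)
    print("correct password at minute 6 accepted?", lk.attempt("alice", True, 6))
    print("correct password 48 h later accepted?", lk.attempt("alice", True, 6 + 2880))
```

Converting the default back the way the explanation suggests: b40 is 2880 in decimal, and 2880 / 60 = 48 hours; the 24-hour value would be 1440 minutes, or 5a0 in hexadecimal.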
Question 28:
You have two servers on your network that you would like to have communicate using IPSec.
You use the MMC to configure IP Security Policies for each server. You assign the "Client"
policy to each computer. After performing these actions, which of the following will be true?
Choose all that apply.

Correct Answer: B, D
All communication that passes between these servers is insecure.
These servers will not authenticate before starting to transmit traffic.
Explanation: Without one of the servers being set to be a "secure server", the data transferred
between them will not be secure. To set one of them to be a secure server, instead of selecting
"client", select "secure server" and then right click and select assign in the IP Security Policies
area of Local Machine in the MMC.
Question 29:
In the course of your duties as RAS server administrator at the company Unseen Enterprises, you
have begun experimenting with the NETSH command line utility. You have found that it can
quickly and easily tell you such things as the RADIUS authentication server, the remote access
configuration and a large amount of other useful diagnostic information.
You go to the Start Menu, select Run, type in "netsh" and press Enter. This brings up the
netsh prompt. Which of the following lists of commands using the NETSH command line
utility will:
1) Tell you which remote access servers on the network are running Windows 2000
2) Display the IP remote access configuration
3) Display the NetBEUI remote access configuration
4) Display the RADIUS authentication server.

Correct Answer: B
ras show activeservers
ras ip show config
ras netbeui show config
ras aaaa show authserver
Explanation: This question is rather difficult unless you are already aware of this Windows 2003
utility and have used it to administer a RAS server. As an exercise we suggest that you run netsh
from the start menu of your Windows 2003 server and type ?. This will bring up a list of
commands. In the case of this question you can just type "ras", which will put you in the ras
context. Typing ? again will give you a list of commands that are available at that level.
Question 30:
You wish to configure Network Address Translation (NAT) on a machine running Windows 2003
Server that is connected via a cable modem/Ethernet card combination to the Internet. From the
Administrative Tools menu you select Routing and Remote Access. On the Action Menu you
select "Configure and Enable Routing and Remote Access". After reading the next dialogue you
are confronted with a menu. Which of the following options should you select?

Correct Answer: D
Internet Connection Server.
Explanation: Internet Connection Server allows you to use NAT which is similar to, but more
complex than, Internet Connection Sharing (ICS). It is important for you to know your way
through the most common wizards in Windows 2003 as you may receive simulation questions
during the exam.
Question 31:

A very important consideration when planning your implementation of Windows 2003 is what type
(or types) of DNS you will run in your organization. There are several options including
Windows 2003 & 2000 DNS, Windows NT 4.0 DNS (with Service Pack 4 or greater), and
various versions of BIND including 8.2, 8.1.2 and 4.9.7. Which of the following statements
regarding these different options are true? Choose all that apply.

Correct Answer: A, C, D
BIND 8.2 supports dynamic updates, IXFR and SRV records but does not support UTF-8.
Windows 2000 DNS supports dynamic updates, IXFR, SRV records and UTF-8.
BIND 4.9.7 supports SRV records but does not support dynamic updates, IXFR or UTF-8.
Explanation: Windows 2003 & 2000 DNS supports dynamic updates, IXFR, SRV records and
UTF-8.
Windows NT 4.0 DNS (with Service Pack 4 or greater) supports SRV records but does
not support dynamic updates, IXFR or UTF-8.
BIND 8.2 supports dynamic updates, IXFR and SRV records but does not support UTF-8.
BIND 8.1.2 supports dynamic updates and SRV records but does not support IXFR or
UTF-8.
BIND 4.9.7 supports SRV records but does not support dynamic updates, IXFR or UTF-8.
Question 32:
Your company currently has 30 users who connect to your corporate network from their
Windows XP Professional laptop computers when traveling. Currently they are dialing in to your
company's network using analog modems.
Your plan is to migrate them away from direct-dial remote access and toward the use of
a Virtual Private Network (VPN). You are debating whether to implement the Layer Two
Tunnelling Protocol (L2TP) or rather to use Point-to-Point Tunnelling Protocol (PPTP).
You desire the following in a VPN solution:
-For maximum security, tunnel authentication without the use of IPSec is favorable.
-For performance reasons, maximum header compression is favorable.
-The VPN solution should be able to support transmission over an IP-based network.
-The VPN solution should be compatible with both Windows XP Professional (the RAS
clients in your company) and Windows Server 2003 (the RAS server platform in your
company).
You decide to implement a PPTP VPN solution. Which of the following objectives are
achieved with this type of solution? Choose all that apply.

Correct Answer: B, C
Transmission can occur over an IP-based network.
The solution is compatible with both Windows XP Professional and Windows Server
2003.

Explanation: Here are some differences between L2TP and PPTP:
-PPTP requires that the internetwork be an IP internetwork. L2TP requires only that the
tunnel media provide packet-oriented point-to-point connectivity.
-PPTP can support only a single tunnel between end points. L2TP allows for the use of
multiple tunnels between end points.
-L2TP provides for header compression. When header compression is enabled, L2TP
operates with 4 bytes of overhead, as compared to 6 bytes for PPTP.
-L2TP provides for tunnel authentication, while PPTP does not. However, when either
protocol is used over IPSec, tunnel authentication is provided by IPSec, so that Layer 2
tunnel authentication is not necessary.
Both L2TP and PPTP are compatible with all of the Windows 2000/2003/XP platforms.
Question 33:
Your company is currently running Windows Server 2003 Active Directory (AD). Which of the
following accurately describes the process by which unauthorized Windows Server 2003 DHCP
servers that are members of a domain are detected and prevented from handing out IP addresses?

Correct Answer: B
Active Directory keeps a list of all legitimate DHCP servers. When a DHCP server is started, AD
is used to verify the status of that server. If the server is not in the list of legitimate servers, no
response is returned to DHCP requests. The DHCP server is aware that it isn't authorized on that
network and doesn't serve requests for IP configuration.
Explanation: A feature of Windows 2000 and 2003 is the detection of unauthorized or "rogue"
DHCP servers. There is no DHCP Group Policy Object that is checked. Also, there is no
Master/Slave concept in DHCP; the closest thing to this is the Master Browser/Backup Browser
concept. Finally, there can be (and often is) more than one DHCP server for a given domain.
Question 34:
In order to gain a better understanding of your network traffic patterns, you recently installed the
version of Network Monitor that is included with Windows Server 2003 on a computer named
Server8-A. Server8-A is located on a subnet in your company that you have named SubnetA. You
also have another subnet that you have named SubnetB. These subnets are separated by a router.
Which of the following types of traffic will you be able to monitor using Network Monitor?
Choose all that apply.

Correct Answer: A, B, E
Packets received by Server8-A
Packets sent from Server8-A
Packets broadcast to SubnetA
Explanation: The version of Network Monitor included with Windows 2000 captures and
displays frames that a computer receives from the local area network. This includes packets
addressed specifically to that computer as well as broadcast packets for the subnet that the
computer is on. This version of Network Monitor does not have the ability to capture frames sent
to and from all computers in a network segment. That functionality is provided by the full version
of Network Monitor included with Systems Management Server (SMS).
Question 35:
Your company currently uses Network Address Translation (NAT) to avoid the need to have a
large pool of valid external IP addresses. The external IP address assigned to the computer
performing NAT is 217.49.101.72. Internally you are using the IP address range 10.0.0.1 through
10.0.255.254 with a subnet mask of 255.255.0.0.
You have a web server with an internal IP address of 10.0.14.200. You would like this
web server to be available to clients on the Internet when they go to IP address
217.49.101.72. Is this possible to do through NAT and if so, how can it be performed?

Correct Answer: B
Yes, this is possible to do through NAT. Create a mapping on the NAT server which maps
217.49.101.72:80 to 10.0.14.200:80.
Explanation: If you have services running on the private network that need to be accessed from
the Internet you will need to map the public IP address and port number to the appropriate private
IP address and port number. In the case of a web server, the default port number is 80.
Question 36:
Network Address Translation (NAT) can provide many benefits to an organization including a
reduced need for IP addresses and better security for internal hosts. When NAT must translate
beyond the IP, TCP and UDP headers of a packet, a NAT editor is required. Windows Server 2003
provides a built-in NAT editor for which of the following protocols? Choose all that apply.

Correct Answer: A, B, C, E
NetBIOS over TCP/IP
FTP
PPTP
ICMP
Explanation: A NAT editor makes modifications to the IP packet beyond the translation of the IP
address in the IP header, the TCP port in the TCP header, and the UDP port in the UDP header.
Windows Server 2003 includes built-in NAT editors for the following protocols:
FTP
ICMP
PPTP
NetBIOS over TCP/IP
Question 37:
You are the Systems Administrator for a large company's Windows Server 2003 network. You
have well over 5000 hosts on your network; however, you have only been allocated part of a class
C IP address range by your ISP. The IP range that has been assigned is 203.31.128.1 through
203.31.128.127.

Internally you are using the IP range 10.5.0.1 through 10.5.255.255. You wish to provide
several services to the Internet from servers that exist on your internal network. You
want it so that when a host on the Internet addresses one of these addresses your
RRAS server will translate it automatically into one of your internal IP numbers.
The first step in doing this is configuring the public interface of your Routing and Remote
Access Server with the IP range delegated to you by the ISP. You are logged onto the
Routing and Remote Access Server as the administrator. Which of the following
sequences of commands will do this correctly?

Correct Answer: C
Go to the Routing and Remote Access console. Double Click IP Routing Node. Click
Network Address Translation Node. Right click on external connection, select properties.
Click Address Pool. Select Add. In Start Address type 203.31.128.1 In Subnet Mask type
255.255.255.128 Click OK.
Explanation: You need to select the IP Routing Node to configure the public interface with a
given IP range. The Routing Interfaces node will not allow you to configure this. The other thing
that is important to note in this particular question is that when you type the subnet mask into the
address pool dialogue box, the finishing IP address is configured for you automatically by
Windows 2000 if you enter the correct subnet mask (e.g. /25). It is important to note that this is
only the first step in configuring Network Address Translation. All that we have done here is set
up a particular set of IP addresses for the external (i.e. Internet) interface. More setup is required
to map each of these Internet IP addresses to the appropriate internal IP address.
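The two NAT steps described in Questions 35 and 37 (deriving the public address pool from a start address and subnet mask, then mapping a public address and port to a private server) as an added Python model. This is an illustration written for this page, not RRAS code: the pool, the web-server mapping and the packets are constructed from the figures in the two questions, and the translation logic is a simplified stand-in for what the NAT server does. Note that only explicitly mapped public ports reach an internal host; anything else arriving from the Internet is dropped, which is the "better security for internal hosts" that Question 36 refers to.

```python
"""Added example for Questions 35 and 37: address pool plus static NAT mapping.

Not RRAS code; a simplified model built from the figures in the questions.
"""
import ipaddress


def address_pool(start: str, mask: str):
    """Return (first, last) public address of a pool, the way the RRAS
    address-pool dialog fills in the end address from a start and a mask.

    203.31.128.1 with 255.255.255.128 (/25) -> 203.31.128.1 .. 203.31.128.127,
    which matches the range the ISP assigned in Question 37.
    """
    net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    first = ipaddress.ip_address(start)
    last = net.network_address + net.num_addresses - 1
    if first not in net:
        raise ValueError("start address is outside the masked block")
    return str(first), str(last)


class StaticNat:
    """Static (one-to-one) port mappings on the NAT server's public address.

    inbound:  (public_ip, public_port)  -> (private_ip, private_port)
    outbound: (private_ip, private_port) -> (public_ip, public_port)
    """

    def __init__(self, public_ip: str, private_net: str):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.inbound = {}
        self.outbound = {}

    def add_mapping(self, public_port: int, private_ip: str, private_port: int):
        """Publish private_ip:private_port as public_ip:public_port."""
        if ipaddress.ip_address(private_ip) not in self.private_net:
            raise ValueError(f"{private_ip} is not in the internal range {self.private_net}")
        key = (self.public_ip, public_port)
        if key in self.inbound:
            raise ValueError(f"public port {public_port} is already mapped")
        self.inbound[key] = (private_ip, private_port)
        self.outbound[(private_ip, private_port)] = key


def translate(nat: StaticNat, packet: dict, direction: str):
    """Rewrite one packet header (dict with src/sport/dst/dport).

    'in'  : packet from the Internet; destination is rewritten to the
            private server, or None is returned (dropped) if no mapping exists.
    'out' : reply from the private server; source is rewritten back to the
            public address so the Internet client sees a consistent peer.
    """
    p = dict(packet)
    if direction == "in":
        target = nat.inbound.get((p["dst"], p["dport"]))
        if target is None:
            return None
        p["dst"], p["dport"] = target
    elif direction == "out":
        public = nat.outbound.get((p["src"], p["sport"]))
        if public is None:
            return None
        p["src"], p["sport"] = public
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return p


if __name__ == "__main__":
    print("Question 37 pool:", address_pool("203.31.128.1", "255.255.255.128"))
    # Question 35: publish the internal web server on the NAT public address.
    nat = StaticNat("217.49.101.72", "10.0.0.0/16")
    nat.add_mapping(80, "10.0.14.200", 80)
    # Constructed client address and ephemeral port.
    request = {"src": "198.51.100.7", "sport": 51234, "dst": "217.49.101.72", "dport": 80}
    print("inbound HTTP ->", translate(nat, request, "in"))
    probe = dict(request, dport=22)
    print("inbound SSH  ->", translate(nat, probe, "in"))   # None: dropped
    reply = {"src": "10.0.14.200", "sport": 80, "dst": "198.51.100.7", "dport": 51234}
    print("reply        ->", translate(nat, reply, "out"))
```

The mapping object refuses a target outside the internal range and refuses to map the same public port twice, which are the two configuration mistakes most likely when several internal services are published, as Question 37 goes on to require.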
