
Managing and maintaining a Microsoft Windows Server 2003 environment for an MCSA Certified on Windows 2000
70-292
Managing and Maintaining
a Microsoft Windows Server 2003 Environment
for an MCSA Certified on Windows 2000
Version 50.0
70 - 292
Leading the way in IT testing and certification tools, www.testking.com
Important Note, Please Read Carefully
Study Tips
This product will provide you questions and answers along with detailed explanations carefully compiled
and written by our experts. Try to understand the concepts behind the questions instead of cramming the
questions. Go through the entire document at least twice so that you make sure that you are not missing
anything.
Further Material
For this test TestKing also provides:
* Study Guide. Concepts and labs. Provides a foundation of knowledge.
* Online Testing. Practice the questions in an exam environment.
Try a demo: http://www.testking.com/index.cfm?pageid=724
Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free updates
are available for 90 days after the purchase. You should check your member zone at TestKing and update 3-4
days before the scheduled exam date.
Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version, not the whole
document.
Feedback
Feedback on specific questions should be sent to [email protected]. You should state: Exam number
and version, question number, and login ID.
Our experts will answer your mail promptly.
Copyright
Each pdf file contains a unique serial number associated with your particular name and contact information
for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing
reserves the right to take legal action against you according to the International Copyright Laws.
QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a single Active Directory
domain named testking.com. The network contains 100 Windows 2000 Professional computers and
three Windows Server 2003 computers. Information about the three servers is shown in the following
table.
You add a network interface print device named TestKingPrinter1 to the network. You manually
configure the IP address for TestKingPrinter1. TestKingPrinter1 is not currently registered on the
DNS server. The relevant portion of the network is shown in the exhibit.
You need to ensure that client computers can connect to TestKingPrinter1 by using its name.
What should you do?
A. On TestKingSrvA, add an alias (CNAME) record that references TestKingPrinter1.
B. In the Hosts file on TestKingSrvC, add a line that references TestKingPrinter1.
C. On TestKingSrvA, add a service locator (SRV) record that references TestKingPrinter1.
D. On TestKingSrvA, add a host (A) record that references TestKingPrinter1.
E. In the Hosts file on TestKingSrvB, add a line that references TestKingPrinter1.
Answer: D
Explanation: The clients’ printer software needs to know the IP address of the printer. For this, we can
simply enter a host (A) record in the DNS zone. An A record maps a hostname to an IP address.
Incorrect Answers:
A: An alias (CNAME) can only point to an A record. We need to create the A record.
B: We should use DNS, not a hosts file.
C: We don’t need an SRV record for a printer. SRV records are used for computers providing a service,
like a domain controller for example.
E: We should use DNS, not a hosts file.
QUESTION NO: 2
You are a network administrator for Fabrikam, Inc. A German company named TestKing GmbH
recently acquired Fabrikam, Inc., and another company named Proseware, Inc. Your team is
responsible for establishing connectivity between the companies.
Each of the three companies has its own Active Directory forest. The relevant portion of the network
is shown in the exhibit.
TestKing1, TestKing3, and TestKing5 run Windows Server 2003. Each of these servers is the DNS
server for its respective domain. All three servers can currently resolve Internet host names.
TestKing3 is configured as a secondary zone server for fabrikam.com and proseware.com.
You need to configure TestKing5 to resolve host names for testking.com and proseware.com as
quickly as possible, without adding new zones to TestKing5.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two)
A. Forward requests for testking.com to 131.107.1.2.
B. Forward requests for testking.com to 131.107.3.2.
C. Forward requests for testking.com to 131.107.10.2.
D. Forward requests for proseware.com to 131.107.1.2.
E. Forward requests for proseware.com to 131.107.3.2.
F. Forward requests for proseware.com to 131.107.10.2.
Answer: B, D.
Explanation: Testking3 (10.107.3.2) is able to resolve hostnames for testking.com, proseware.com and
fabrikam.com. Therefore to resolve hostnames for testking.com and proseware.com as quickly as possible,
we could forward resolution requests for those two domains to testking3 (10.107.3.2). However, while
answers D and E would both work for proseware.com, it is probably better to forward requests for
proseware.com to the primary DNS server for that domain (131.107.1.2).
Incorrect Answers:
A: 131.107.1.2 can resolve hostnames for proseware.com, but not testking.com.
C: 131.107.10.2 can resolve internet domain names, but not hostnames for proseware.com or testking.com.
E: This would work, and so could be an answer.
F: 131.107.10.2 can resolve internet domain names, but not hostnames for proseware.com or testking.com.
QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a single DNS domain
named testking.com.
You replace a UNIX server with a Windows Server 2003 computer named TestKing1.
TestKing1 is the DNS server and start of authority (SOA) for testking.com. A UNIX server named
TestKing2 is the mail server for testking.com.
You receive reports that Internet users cannot send e-mail to the testking.com domain. The host
addresses are shown in the following window.
You need to ensure that Internet users can send e-mail to the testking.com domain.
What should you do?
A. Add an _smtp service locator (SRV) DNS record for TestKing2.
B. Add a mail exchange (MX) DNS record for TestKing2.
C. Add an alias (CNAME) record for mail.testking.com.
D. Enable the SMTP service on TestKing1.
Answer: B
Explanation: Email servers on the internet query Testking1 for the address of the mail server for the
domain. The address of the mail server is held in an MX (Mail Exchange) record.
Incorrect Answers:
A: Email servers find other email servers by using MX records, not SRV records.
C: Email servers find other email servers by using MX records, not CNAME records.
D: The SMTP service should be running on the mail server, not the DNS server.
QUESTION NO: 4
You are the network administrator for TestKing. The network contains Windows Server 2003
computers and Windows XP Professional computers. You are configuring Automatic Updates on the
servers.
The written company network security policy states that all updates must be reviewed and approved
before they are installed. All updates are received from the Microsoft Windows Update servers.
You want to automate the updates as much as possible.
What should you do?
To answer, configure the appropriate option or options in the dialog box.
Answer: Check the “Keep my computer up to date” checkbox. Select the “Download the updates
automatically and notify me when they are ready to be installed” radio button.
Explanation: The updates will be automatically downloaded, but you will be able to review the updates
before they are installed.
QUESTION NO: 5
You are the network administrator for TestKing. The network consists of a single Active Directory
domain testking.com. The domain contains 35 Windows Server 2003 computers; 3,000 Windows XP
Professional computers; 2,200 Windows 2000 Professional computers.
The written company security policy states that all computers in the domain must be examined, with
the following goals:
• To find out whether all available security updates are present.
• To find out whether shared folders are present.
• To record the file system type on each hard disk.
You need to provide this security assessment of every computer and verify that the requirements of
the written security policy are met.
What should you do?
A. Open the Default Domain Policy and enable the Configure Automatic Updates policy.
B. Open the Default Domain Policy and enable the Audit object access policy, the Audit account
management policy, and the Audit system events policy.
C. On a server, install and run mbsacli.exe with the appropriate configuration switches.
D. On a server, install and run HFNetChk.exe with the appropriate configuration switches.
Answer: C
Explanation: The Microsoft Baseline Security Analyzer can perform all the required assessments.
Mbsacli.exe includes HFNetChk.exe which is used to scan for missing security updates.
In general, the MBSA scans for security issues in the Windows operating systems (Windows NT 4,
Windows 2000, Windows XP), such as Guest account status, file system type, available file shares,
members of the Administrators group, etc. Descriptions of each OS check are shown in the security reports
with instructions on fixing any issues found.
Incorrect Answers:
A: This won’t check for missing updates, shared folders or file system type.
B: This won’t check for missing updates, shared folders or file system type.
D: This will check for missing updates but not shared folders or file system type.
QUESTION NO: 6
You are the network administrator for TestKing. The network contains Windows Server 2003
computers and Windows XP Professional computers.
You install Software Update Services on a server named TestKingA. You create a new Group Policy
object (GPO) at the domain level.
You need to properly configure the GPO so that all computers receive their updates from TestKingA.
How should you configure the GPO?
To answer, configure the appropriate option or options in the dialog box.
Answer: Select the “Enabled” radio button. In the “Set the intranet update service for detecting updates”
box, enter the name of the server; in this case you would enter http://TestKingA. You should also enter
http://TestKingA as the address of the intranet statistics server.
QUESTION NO: 7
You are the regional network administrator for the Boston branch office of TestKing's network. The
company network consists of a single Active Directory domain testking.com. All computers in the
Boston office run Windows XP Professional.
The domain contains an organizational unit (OU) named BostonClientsOU, which contains all the
computer objects for the Boston office. A Group Policy object (GPO) named BClientsGPO is linked to
BostonClientsOU. You have been granted the right to modify the GPO.
BClientsGPO contains a software restriction policy that prevents the execution of any file that has a
.vbs file extension. All other applications are allowed to run.
You want to use a script file named maintenance.vbs, which you will schedule to run every night on
the computers in the Boston office. The maintenance.vbs file is located in the Scripts shared folder on
a server named TestKingSrvC. The contents of maintenance.vbs will frequently change based on the
maintenance tasks you want to perform.
You need to modify the software restriction policy to prevent unauthorized .vbs scripts from running
on the computers in the Boston office, while allowing maintenance.vbs to run. You want to ensure that
no other applications are affected by your solution. You want to implement a solution that you can
configure once, without requiring additional administration in the future, when maintenance.vbs
changes.
What should you do?
A. Obtain a digital certificate.
Create a new certificate rule.
Set the security level of the rule to Unrestricted.
Digitally sign maintenance.vbs.
B. Create a new path rule.
Set the security level on the rule to Unrestricted.
Set the path to \\TestKingSrvC\Scripts\*.vbs.
C. Create a new path rule.
Set the security level on the rule to Unrestricted.
Set the path to \\TestKingSrvC\Scripts\maintenance.vbs.
D. Create a new hash rule.
Set the security level on the rule to Unrestricted.
Create a file hash of maintenance.vbs.
Answer: C
Explanation: The file will change so we can only use a path rule.
The purpose of a rule is to identify one or more software applications, and specify whether or not they are
allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule.
Each rule can include descriptive text to help communicate why the rule was created.
A software restriction policy supports the following four ways to identify software:
Hash—A cryptographic fingerprint of the file.
Certificate—A software publisher certificate used to digitally sign a file.
Path—The local or universal naming convention (UNC) path of where the file is stored.
Zone—Internet Zone
Hash Rule
A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of where it is accessed or
what it is named. An administrator may not want users to run a particular version of a program. This may be
the case if the program has security or privacy bugs, or compromises system stability. With a hash rule,
software can be renamed or moved into another location on a disk, but it will still match the hash rule
because the rule is based on a cryptographic calculation involving file contents.
A hash rule consists of three pieces of data, separated by colons:
MD5 or SHA-1 hash value
File length
Hash algorithm id
It is formatted as follows:
[MD5 or SHA1 hash value]:[file length]:[hash algorithm id]
Files that are digitally signed will use the hash value contained in the signature, which may be SHA-1 or
MD5. Files that are not digitally signed will use an MD5 hash.
Example: The following hash rule matches a file with a length of 126 bytes and with contents that match
the MD5 (denoted by the hash algorithm identifier of 32771) hash of
7bc04acc0d6480af862d22d724c3b049—
7bc04acc0d6480af862d22d724c3b049:126:32771
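The hash rule format described above, as an added example (not part of the original study guide and not a Microsoft tool): a Python sketch that builds, parses and checks the `hash:length:algorithm id` triple, and shows that a rule keeps matching a renamed file but stops matching once the contents change. The function names, the sample script bodies and the SHA-1 identifier 32772 (its CryptoAPI value) are additions made here; only the MD5 identifier 32771 and the sample rule string come from the text.

```python
import hashlib
from typing import NamedTuple

# Hash algorithm identifiers. 32771 (0x8003) is the MD5 identifier quoted in
# the text; 32772 (0x8004) is the CryptoAPI identifier for SHA-1 (added here).
ALG_IDS = {32771: "md5", 32772: "sha1"}


class HashRule(NamedTuple):
    digest: str   # lowercase hex hash value
    length: int   # file length in bytes
    alg_id: int   # hash algorithm identifier


def parse_hash_rule(text: str) -> HashRule:
    """Parse '[hash value]:[file length]:[hash algorithm id]'."""
    parts = text.strip().split(":")
    if len(parts) != 3:
        raise ValueError("expected three colon-separated fields")
    digest, length, alg_id = parts[0].lower(), int(parts[1]), int(parts[2])
    if alg_id not in ALG_IDS:
        raise ValueError(f"unknown hash algorithm id {alg_id}")
    if length < 0:
        raise ValueError("file length cannot be negative")
    hex_len = hashlib.new(ALG_IDS[alg_id]).digest_size * 2
    if len(digest) != hex_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("hash value does not fit the algorithm")
    return HashRule(digest, length, alg_id)


def make_hash_rule(content: bytes, alg_id: int = 32771) -> str:
    """Build a rule string for an unsigned file (hash over the whole content)."""
    digest = hashlib.new(ALG_IDS[alg_id], content).hexdigest()
    return f"{digest}:{len(content)}:{alg_id}"


def rule_matches(rule: HashRule, content: bytes) -> bool:
    """True when both the length and the hash of the content match the rule.

    The file name and path are never consulted, so a renamed or moved copy
    still matches; any edit to the content breaks the match.
    """
    if len(content) != rule.length:
        return False
    return hashlib.new(ALG_IDS[rule.alg_id], content).hexdigest() == rule.digest


def demo() -> dict:
    # Constructed sample script bodies standing in for maintenance.vbs.
    v1 = b'WScript.Echo "nightly maintenance v1"\r\n'
    v2 = b'WScript.Echo "nightly maintenance v2, extra task"\r\n'
    rule = parse_hash_rule(make_hash_rule(v1))
    return {
        "unchanged": rule_matches(rule, v1),   # same bytes under any name
        "edited": rule_matches(rule, v2),      # new version of the script
        "same_length_edit": rule_matches(rule, v1.replace(b"v1", b"v9")),
    }


if __name__ == "__main__":
    print(parse_hash_rule("7bc04acc0d6480af862d22d724c3b049:126:32771"))
    print(demo())
```
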
Certificate Rule
A certificate rule specifies a code-signing, software publisher certificate. For example, a company can
require that all scripts and ActiveX controls be signed with a particular set of publisher certificates.
Certificates used in a certificate rule can be issued from a commercial certificate authority (CA) such as
VeriSign, a Windows 2000/Windows Server 2003 PKI, or a self-signed certificate.
A certificate rule is a strong way to identify software because it uses signed hashes contained in the
signature of the signed file to match files regardless of name or location. If you wish to make exceptions to a
certificate rule, you can use a hash rule to identify the exceptions.
Path Rule
A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it
matches any program contained in that folder and any programs contained in subfolders. Both local and
UNC paths are supported.
Zone Rule
A rule can identify software from the Internet Explorer zone from which it is downloaded.
Incorrect answers:
A: We can’t use a certificate because the file will change.
B: *.vbs will allow any vbs script to run.
D: The hash is calculated using the filename, filesize etc. The file will change so the size will change and
therefore the hash will need to be changed.
Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.asp
QUESTION NO: 8
You are the network administrator for TestKing. TestKing has offices in three countries. The network
contains Windows Server 2003 computers and Windows XP Professional computers. The network is
configured as shown in the exhibit.
Software Update Services (SUS) is installed on one server in each office. Each SUS server is
configured to synchronize by using the default settings.
Because bandwidth at each office is limited, you want to ensure that updates require the minimum
amount of time.
What should you do?
A. Synchronize the updates with an SUS server at another office.
B. Select only the locales that are needed.
C. Configure Background Intelligent Transfer Service (BITS) to limit file transfer size to 9 MB.
D. Configure Background Intelligent Transfer Service (BITS) to delete incomplete jobs after 20
minutes.
Answer: B
Explanation: When you configure SUS, you can select multiple languages for the updates according to
your locale. In this scenario, we can reduce the bandwidth used by the synchronization by selecting only the
required locales. This will avoid downloading and synchronizing multiple copies of the same updates, but in
different languages.
Incorrect Answers:
A: This will not reduce the size of the updates or minimize bandwidth usage.
C: The updates may be more than 9MB, so we shouldn’t limit the transfer size.
D: This will not reduce the size of the updates or minimize bandwidth usage.
QUESTION NO: 9
You are the file server administrator for TestKing. The company network consists of a single Active
Directory domain named testking.com. The domain contains 12 Windows Server 2003 computers and
1,500 Windows XP Professional computers.
You manage three servers named TestKing1, TestKing2, and TestKing3. You need to update the
driver for the network adapter that is installed in TestKing1.
You log on to TestKing1 by using a nonadministrative domain user account named King. You open
the Computer Management console. When you select Device Manager, you receive the following error
message: “You do not have sufficient security privileges to uninstall devices or to change device
properties or device drivers”.
You need to be able to run the Computer Management console by using the local administrator
account. The local administrator account on TestKing1, TestKing2, and TestKing3 has been renamed
Tess. Tess’s password is kY74X.
In Control Panel, you open Administrative Tools. You right-click the Computer Management
shortcut and click Run as on the shortcut menu.
What should you do next?
Answer:
Explanation:
Choose "The following User" because you want to run the program under a different account to the one
you’re logged in with. Enter "TestKing1\Tess" in the User Name field, enter "kY74X" in the password field.
TestKing1\Tess indicates a user account named Tess on a computer named TestKing1; in this case, this is
the local administrator account.
QUESTION NO: 10
You are the network administrator for TestKing. The network consists of a single Active Directory
domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP
Professional computers.
All confidential company files are stored on a file server named TestKing1. The written company
security policy states that all confidential data must be stored and transmitted in a secure manner. To
comply with the security policy, you enable Encrypting File System (EFS) on the confidential files.
You also add EFS certificates to the data decryption field (DDF) of the confidential files for the users
who need to access them.
While performing network monitoring, you notice that the confidential files that are stored on
TestKing1 are being transmitted over the network without encryption.
You must ensure that encryption is always used when the confidential files on TestKing1 are stored
and transmitted over the network.
What are two possible ways to accomplish this goal? (Each correct answer presents a complete
solution. Choose two)
A. Enable offline files for the confidential files that are stored on TestKing1, and select the Encrypt
offline files to secure data check box on the client computers of the users who need to access the
files.
B. Use IPSec encryption between TestKing1 and the client computers of the users who need to access
the confidential files.
C. Use Server Message Block (SMB) signing between TestKing1 and the client computers of the users
who need to access the confidential files.
D. Disable all LM and NTLM authentication methods on TestKing1.
E. Use IIS to publish the confidential files.
Enable SSL on the IIS server.
Open the files as a Web folder.
Answer: B, E
Explanation:
We can use IPSEC to encrypt network traffic.
We can use SMB to encrypt network traffic.
We can use SSL to secure the files.
Think about the MS rule of thumb: less administrative effort.
Think about the MS FAQs: some questions can have two valid answers.
In this case C and E can both be valid answers.
We need to think about whether SMB signing is a valid option or not, because they do not tell us if they are
forcing the secure channel setting on the clients or server:
Secure channel: Digitally encrypt or sign secure channel data (always) Enabled
SMB signing
By default, domain controllers running Windows Server 2003 require that all clients digitally sign SMB-based communications.
The SMB protocol provides file sharing, printer sharing, various remote administration functions, and logon
authentication for some clients running older operating system versions.
(Authentication is the process for verifying that an entity or object is who or what it claims to be.
Examples include confirming the source and integrity of information, such as verifying a digital signature or
verifying the identity of a user or computer.)
Client computers running Windows for Workgroups, Windows 95 without the Active Directory client, and
Windows NT 4.0 Service Pack 2 (or earlier) do not support SMB signing.
They cannot connect to domain controllers running Windows Server 2003 by default.
To use SMB we can set the following policies.
Secure channel: Digitally encrypt or sign secure channel data (always) Enabled
Secure channel: Digitally encrypt secure channel data (when possible) Enabled
Secure channel: Digitally sign secure channel data (when possible) Enabled
Unlike SMB signing, SSL data transfers are always encrypted; therefore, I have answered B and E.
Encrypting Offline Files
The Windows XP Professional client can use EFS to encrypt offline files and folders.
This feature is especially attractive for travelling professionals who need to work offline periodically and
maintain data security.
Offline files reside on a user's hard drive, not the network, and they are stored in a local cache on the
computer.
Encrypting this cache enhances security on a local computer.
If the cache on the local computer is not encrypted, any encrypted files cached from the network will not be
encrypted on the local computer.
This may pose a security risk in some environments.
If you enable this setting, all files in the Offline Files cache are encrypted.
This includes existing files as well as files added later.
The cached copy on the local computer is affected, but the associated network copy is not.
The user cannot unencrypt Offline Files through the user interface.
QUESTION NO: 11
You are the network administrator in the New York office of TestKing. The company network
consists of a single Active Directory domain testking.com. The New York office currently contains one
Windows Server 2003 file server named TestKingA.
All file servers in the New York office are in an organizational unit (OU) named New York Servers.
You have been assigned the Allow – Change permission for a Group Policy object (GPO) named
NYServersGPO, which is linked to the New York Servers OU.
The written company security policy states that all new servers must be configured with specified
predefined security settings when the servers join the domain. These settings differ slightly for the
various company offices.
You plan to install Windows Server 2003 on 15 new computers, which will all function as file servers. You
will need to configure the specified security settings on the new file servers.
TestKingA currently has the specified security settings configured in its local security policy. You
need to ensure that the security configuration of the new file servers is identical to that of TestKingA.
You export a copy of TestKingA’s local security policy settings to a template file.
You need to configure the security settings of the new servers, and you want to use the minimum
amount of administrative effort.
What should you do?