Managing and maintaining a Mcrosoft Windows server 2003 environment for an MCSA certified on windows 2000

070-292

Managing and Maintaining

a Microsoft Windows Server 2003 Environment

for an MCSA Certified on Windows 2000

Version 8.0

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 2 -

Important Note, Please Read Carefully

Study Tips

This product will provide you questions and answers along with detailed explanations carefully compiled and

written by our experts. Try to understand the concepts behind the questions instead of cramming the questions.

Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material

For this test TestKing also provides:

* Study Guide. Concepts and labs. Provides a foundation of knowledge.

* Online Testing. Practice the questions in an exam environment.

Try a demo: http://www.testking.com/index.cfm?pageid=724

Latest Version

We are constantly reviewing our products. New material is added and old material is revised. Free updates are

available for 90 days after the purchase. You should check your member zone at TestKing an update 3-4 days

before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com

2. Click on Member zone/Log in

3. The latest versions of all purchased products are downloadable from here. Just click the links.

For most updates, it is enough just to print the new questions at the end of the new version, not the whole

document.

Feedback

Feedback on specific questions should be send to [email protected]. You should state: Exam number and

version, question number, and login ID.

Our experts will answer your mail promptly.

Copyright

Each pdf file contains a unique serial number associated with your particular name and contact information for

security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the

right to take legal action against you according to the International Copyright Laws.

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 3 -

QUESTION NO: 1

You are the network administrator for TestKing. The network consists of a single Active Directory

domain named testking.com. The network contains 100 Windows 2000 Professional computers and three

Windows Server 2003 computers. Information about the three servers is shown in the following table.

You add a network interface print device named TestKingPrinter1 to the network. You manually

configure the IP address for TestKingPrinter1. TestKingPrinter1 is not currently registered on the DNS

server. The relevant portion of the network is shown in the exhibit.

You need to ensure that client computers can connect to TestKingPrinter1 by using its name.

What should you do?

A. On TestKingSrvA, add an alias (CNAME) record that references TestKingPrinter1.

B. In the Hosts file on TestKingSrvC, add a line that references TestKingPrinter1.

C. On TestKingSrvA, add a service locator (SRV) record that reference TestKingPrinter1.

D. On TestKingSrvA, add a host (A) record that references TestKingPrinter1.

E. In the Hosts file on TestKingSrvB, add a line that references TestKingPrinter1.

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 4 -

Answer: D

Explanation: The clients’ printer software needs to know the IP address of the printer. For this, we can simply

enter a host (A) record in the DNS zone. An A record maps a hostname to an IP address.

Incorrect Answers:

A: An alias (CNAME) can only point to an A record. We need to create the A record.

B: We should use DNS, not a hosts file.

C: We don’t need an SRV record for a printer. SRV records are used for computers providing a service, like a

domain controller for example.

E: We should use DNS, not a hosts file.

QUESTION NO: 2

You are a network administrator for Fabrikam, Inc. A German company named TestKing GmBh.,

recently acquired Fabrikam, Inc., and another company named Proseware, Inc. Your team is responsible

for establishing connectivity between the companies.

Each of the three companies has its own Active Directory forest. The relevant portion of the network is

shown in the exhibit.

TestKing1, TestKing3, and TestKing5 run Windows Server 2003. Each of these servers is the DNS server

for its respective domain. All three servers can currently resolve Internet host names. TestKing3 is

configured as a secondary zone server for fabrikam.com and proseware.com.

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 5 -

You need to configure TestKing5 to resolve host names for testking.com and proseware.com as quickly as

possible, without adding new zones to TestKing5.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)

A. Forward requests for testking.com to 131.107.1.2.

B. Forward requests for testking.com to 131.107.3.2.

C. Forward requests for testking.com to 131.107.10.2.

D. Forward requests for proseware.com to 131.107.1.2.

E. Forward requests for proseware.com to 131.107.3.2.

F. Forward requests for proseware.com to 131.107.10.2.

Answer: B, E.

Explanation: Testking3 (10.107.3.2) is able to resolve hostnames for testking.com, proseware.com and

fabrikam.com. Therefore to resolve hostnames for testking.com and proseware.com as quickly as possible, we

can forward resolution requests for those two domains to testking3 (10.107.3.2).

Incorrect Answers:

A: 131.107.1.2 can resolve hostnames for proseware.com, but not testking.com.

C: 131.107.10.2 can resolve internet domain names, but not hostnames for proseware.com or testking.com.

D: This would work, and so could be an answer, but testking3 is nearer to testking5 than testking1 is.

F: 131.107.10.2 can resolve internet domain names, but not hostnames for proseware.com or testking.com.

QUESTION NO: 3

You are the network administrator for TestKing. The network consists of a single DNS domain named

testking.com.

You replace a UNIX server with a Windows Server 2003 computer named TestKing1.

TestKing1 is the DNS server and start authority (SOA) for testking.com. A UNIX server named

TestKing2 is the mail server for testking.com.

You receive reports that Internet users cannot send e-mail to the testking.com domain. The host

addresses are shown in the following window.

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 6 -

You need to ensure that Internet users can send e-mail to the testking.com domain.

What should you do?

A. Add an _smtp service locator (SRV) DNS record for TestKing2.

B. Add a mail exchange (MX) DNS record for TestKing2.

C. Add an alias (CNAME) record for mail.testking.com.

D. Enable the SMTP service on TestKing1.

Answer: B

Explanation: Email servers on the internet query Testking1 for the address of the mail server for the domain.

The address of the mail server is held in an MX (Mail Exchange) record.

Incorrect Answers:

A: Email servers find other email servers by using MX records, not SRV records.

C: Email servers find other email servers by using CNAME records

D: The SMTP service should be running on the mail server, not the DNS server.

QUESTION NO: 4

You are the network administrator for TestKing. The network contains Windows Server 2003 computers

and Windows XP Professional computers. You are configuring Automatic Updates on the servers.

The written company network security policy states that all updates must be reviewed and approved

before they are installed. All updates are received from the Microsoft Windows Update servers.

You want to automate the updates as much as possible.

What should you do?

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 7 -

To answer, configure the appropriate option or options in the dialog box.

Answer: Check the “Keep my computer up to date” checkbox. Select the “Download the updates automatically

and notify me when they are ready to be installed” radio button.

Explanation: The updates will be automatically downloaded, but you will be able to review the updates before

they are installed.

QUESTION NO: 5

You are the network administrator for TestKing. The network consists of a single Active Directory

domain testking.com. The domain contains 35 Windows Server 2003 computers; 3,000 Windows XP

Professional computers; 2,200 Windows 2000 Professional computers.

The written company security policy states that all computers in the domain must be examined, with the

following goals:

• To find out whether all available security updates are present.

• To find out whether shared folders are present.

• To record the file system type on each hard disk.

You need to provide this security assessment of every computer and verify that the requirements of the

written security policy are met.

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 8 -

What should you do?

A. Open the Default Domain Policy and enable the Configure Automatic Updates policy.

B. Open the Default Domain Policy and enable the Audit object access policy, the Audit account

management policy, and the Audit system events policy.

C. On a server, install and run mbsacli.exe with the appropriate configuration switches.

D. On a server, install and run HFNetChk.exe with the appropriate configuration switches.

Answer: C

Explanation: The Microsoft Baseline Security Analyser can perform all the required assessments.

Mbsacli.exe includes HFNetChk.exe which is used to scan for missing security updates.

In general, the MBSA scans for security issues in the Windows operating systems (Windows NT 4, Windows

2000, Windows XP), such as Guest account status, file system type, available file shares, members of the

Administrators group, etc. Descriptions of each OS check are shown in the security reports with instructions on

fixing any issues found.

Incorrect Answers:

A: This won’t check for missing updates, shared folders or file system type.

B: This won’t check for missing updates, shared folders or file system type.

D: This will check for missing updates but not shared folders or file system type.

QUESTION NO: 6

You are the network administrator for TestKing. The network contains Windows Server 2003 computers

and Windows XP Professional computers.

You install Software Update Services on a server named TestKingA. You create a new Group Policy

object (GPO) at the domain level.

You need to properly configure the GPO so that all computers receive their updates from TestKingA.

How should you configure the GPO?

To answer, configure the appropriate option or options in the dialog box.

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 9 -

Answer: Select the “Enabled” radio button. In the “Set the intranet update service for detecting updates” box,

enter the name of the server; in this case you would enter http://TestKingA. You should also enter

http://TestKingA as the address of the intranet statistics server.

QUESTION NO: 7

You are the regional network administrator for the Boston branch office of TestKing's network. The

company network consists of a single Active Directory domain testking.com. All computers in the Boston

office run Windows XP Professional.

The domain contains an organizational unit (OU) named BostonClientsOU, which contains all the

computer objects for the Boston office. A Group Policy object (GPO) named BClientsGPO is linked to

BostonClientsOU. You have been granted the right to modify the GPO.

BClientsGPO contains a software restriction policy that prevents the execution of any file that has a .vbs

file extension. All other applications are allowed to run.

You want to use a script file named maintenance.vbs, which you will schedule to run every night on the

computers in the Boston office. The maintenance.vbs file is located in the Scripts shared folder on a

server named TestKingSrvC. The contents of maintenance.vbs will frequently change based on the

maintenance tasks you want to perform.

You need to modify the software restriction policy to prevent unauthorized .vbs scripts from running on

the computers in the Boston office, while allowing maintenance.vbs to run. You want to ensure that no

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 10 -

other applications are affected by your solution. You want to implement a solution that you can configure

once, without requiring additional administration in the future, when maintenance.vbs changes.

What should you do?

A. Obtain a digital certificate.

Create a new certificate rule.

Set the security level of the rule to Unrestricted.

Digitally sign maintenance.vbs.

B. Create a new path rule.

Set the security level on the rule to Unrestricted.

Set the path to \\TestKingSrvC\Scripts\*.vbs.

C. Create a new path rule.

Set the security level on the rule to Unrestricted.

Set the path to \\TestKingSrvC\Scripts\maintenance.vbs.

D. Create a new hash rule.

Set the security level on the rule to Unrestricted.

Create a file hash of maintenance.vbs.

Answer: C

Explanation: The file will change so we can only use a path rule.

The purpose of a rule is to identify one or more software applications, and specify whether or not they are

allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule.

Each rule can include descriptive text to help communicate why the rule was created.

A software restriction policy supports the following four ways to identify software:

Hash—A cryptographic fingerprint of the file.

Certificate—A software publisher certificate used to digitally sign a file.

Path—The local or universal naming convention (UNC) path of where the file is stored.

Zone—Internet Zone

Hash Rule

A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of where it is accessed or

what it is named. An administrator may not want users to run a particular version of a program. This may be the

case if the program has security or privacy bugs, or compromises system stability. With a hash rule, software

can be renamed or moved into another location on a disk, but it will still match the hash rule because the rule is

based on a cryptographic calculation involving file contents.

A hash rule consists of three pieces of data, separated by colons:

MD5 or SHA-1 hash value

File length

Hash algorithm id

It is formatted as follows:

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 11 -

[MD5 or SHA1 hash value]:[file length]:[hash algorithm id]

Files that are digitally signed will use the hash value contained in the signature, which may be SHA-1 or MD5.

Files that are not digitally signed will use an MD5 hash.

Example: The following hash rule matches a file with a length of 126 bytes and with contents that match the

MD5 (denoted by the hash algorithm identifier of 32771) hash of 7bc04acc0d6480af862d22d724c3b049—

7bc04acc0d6480af862d22d724c3b049:126:32771

Certificate Rule

A certificate rule specifies a code-signing, software publisher certificate. For example, a company can require

that all scripts and ActiveX controls be signed with a particular set of publisher certificates. Certificates used in

a certificate rule can be issued from a commercial certificate authority (CA) such as VeriSign, a Windows

2000/Windows Server 2003 PKI, or a self-signed certificate.

A certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of

the signed file to match files regardless of name or location. If you wish to make exceptions to a certificate rule,

you can use a hash rule to identify the exceptions.

Path Rule

A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it

matches any program contained in that folder and any programs contained in subfolders. Both local and UNC

paths are supported.

Zone Rule.

A rule can identify software from the Internet Explorer zone from which it is downloaded.

Incorrect answers:

A: We can’t use a certificate because the file will change.

B: *.vbs will allow any vbs script to run.

D: The hash is calculated using the filename, filesize etc. The file will change so the size will change and

therefore the hash will need to be changed.

Reference:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.as

p

QUESTION NO: 8

You are the network administrator for TestKing. TestKing has offices in three countries. The network

contains Windows Server 2003 computers and Windows XP Professional computers. The network is

configured as shown in the exhibit.

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 12 -

Software Update Services (SUS) is installed on one server in each office. Each SUS server is configured to

synchronize by using the default settings.

Because bandwidth at each office is limited, you want to ensure that updates require the minimum

amount of time.

What should you do?

A. Synchronize the updates with an SUS server at another office.

B. Select only the locales that are needed.

C. Configure Background Intelligent Transfer Service (BITS) to limit file transfer size to 9 MB.

D. Configure Background Intelligent Transfer Service (BITS) to delete incomplete jobs after 20 minutes.

Answer: B

Explanation: When you configure SUS, you can select multiple languages for the updates according to your

locale. In this scenario, we can reduce the bandwidth used by the synchronization by selecting only the required

locales. This will avoid downloading and synchronizing multiple copies of the same updates, but in different

languages.

Incorrect Answers:

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 13 -

A: This will not reduce the size of the updates or minimize bandwidth usage.

C: The updates may be more than 9MB, so we shouldn’t limit the transfer size.

D: This will not reduce the size of the updates or minimize bandwidth usage.

QUESTION NO: 9

You are the file server administrator for TestKing. The company network consists of a single Active

Directory domain named testking.com. The domain contains 12 Windows Server 2003 computers and

1,500 Windows XP Professional computers.

You manage three servers named TestKing1, TestKing2, and TestKing3. You need to update the driver

for the network adapater that is installed in TestKing1.

You log on to TestKing1 by using a nonadministrative domain user account named King. You open the

Computer Management console. When you select Device Manager, you receive the following error

message: “You do not have sufficient security privileges to uninstall devices or to change device

properties or device drivers”.

You need to be able to run the Computer Management console by using the local administrator account.

The local administrator account on TestKing1, TestKing2, and TestKing3 has been renamed Tess. Tess’s

password is kY74X.

In Control Panel, you open Administrative Tools. You right-click the Computer Management shortcut

and click Run as on the shortcut menu.

What should you do next?

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 14 -

Answer:

Explanation:

Choose "The following User" because you want to run the program under a different account to the one you’re

logged in with. Enter "TestKing1\Tess" in the User Name field, enter kY74X" in the password field.

070 - 292

Leading the way in IT testing and certification tools, www.testking.com

- 15 -

TestKing1\Tess indicates a user account named Tess on a computer named TestKing1; in this case, this is the

local administrator account.

QUESTION NO: 10

You are the network administrator for TestKing. The network consists of a single Active Directory

domain named testking.com. The domain contains Windows Server 2003 computers and Windows XP

Professional computers.

All confidential company files are stored on a file server named TestKing1. The written company security

states that all confidential data must be stored and transmitted in a secure manner. To comply with the

security policy, you enable Encrypting File System (EFS) on the confidential files. You also add EFS

certificates to the data decryption field (DDF) of the confidential files for the users who need to access

them.

While performing network monitoring, you notice that the confidential files that are stored on TestKing1

are being transmitted over the network without encryption.

You must ensure that encryption is always used when the confidential files on TestKing1 are stored and

transmitted over the network.

What are two possible ways to accomplish this goal? (Each correct answer presents a complete solution.

Choose two)

A. Enable offline files for the confidential files that are stored on TestKing1, and select the Encrypt offline

files to secure data check box on the client computers of the users who need to access the files.

B. Use IPSec encryption between TestKing1 and the client computers of the users who need to access the

confidential files.

C. Use Server Message Block (SMB) signing between TestKing1 and the client computers of the users who

need to access the confidential files.

D. Disable all LM and NTLM authentication methods on TestKing1.

E. Use IIS to publish the confidential files.

Enable SSL on the IIS server.

Open the files as a Web folder.

Answer: B, E

QUESTION NO: 11