Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000
070-292
Managing and Maintaining
a Microsoft Windows Server 2003 Environment
for an MCSA Certified on Windows 2000
Version 9.0
070 -292
Leading the way in IT testing and certification tools, www.testking.com
Important Note, Please Read Carefully
Study Tips
This product will provide you questions and answers along with detailed explanations
carefully compiled and written by our experts. Try to understand the concepts behind
the questions instead of cramming the questions. Go through the entire document at
least twice so that you make sure that you are not missing anything.
Further Material
For this test TestKing also provides:
* Study Guide. Concepts and labs. Provides a foundation of knowledge.
* Online Testing. Practice the questions in an exam environment.
Try a demo: http://www.testking.com/index.cfm?pageid=724
Latest Version
We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 90 days after the purchase. You should check
your member zone at TestKing and update 3-4 days before the scheduled exam date.
Here is the procedure to get the latest version:
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just
click the links.
For most updates, it is enough just to print the new questions at the end of the new
version, not the whole document.
Feedback
Feedback on specific questions should be sent to [email protected]. You
should state: Exam number and version, question number, and login ID.
Our experts will answer your mail promptly.
Copyright
Each pdf file contains a unique serial number associated with your particular name
and contact information for security purposes. So if we find out that a particular pdf
file is being distributed by you, TestKing reserves the right to take legal action against
you according to the International Copyright Laws.
QUESTION NO: 1
You are the network administrator for TestKing. The network consists of a
single Active Directory domain named testking.com. The network contains 100
Windows 2000 Professional computers and three Windows Server 2003
computers. Information about the three servers is shown in the following table.
You add a network interface print device named TestKingPrinter1 to the
network. You manually configure the IP address for TestKingPrinter1.
TestKingPrinter1 is not currently registered on the DNS server. The relevant
portion of the network is shown in the exhibit.
You need to ensure that client computers can connect to TestKingPrinter1 by
using its name.
What should you do?
A. On TestKingSrvA, add an alias (CNAME) record that references
TestKingPrinter1.
B. In the Hosts file on TestKingSrvC, add a line that references
TestKingPrinter1.
C. On TestKingSrvA, add a service locator (SRV) record that references
TestKingPrinter1.
D. On TestKingSrvA, add a host (A) record that references TestKingPrinter1.
E. In the Hosts file on TestKingSrvB, add a line that references
TestKingPrinter1.
Answer: D
Explanation: The clients’ printer software needs to know the IP address of the
printer. For this, we can simply enter a host (A) record in the DNS zone. An A
record maps a hostname to an IP address.
Incorrect Answers:
A: An alias (CNAME) can only point to an A record. We need to create the A
record.
B: We should use DNS, not a hosts file.
C: We don’t need an SRV record for a printer. SRV records are used for computers
providing a service, like a domain controller for example.
E: We should use DNS, not a hosts file.
QUESTION NO: 2
You are a network administrator for Fabrikam, Inc. A German company named
TestKing GmbH recently acquired Fabrikam, Inc., and another company
named Proseware, Inc. Your team is responsible for establishing connectivity
between the companies.
Each of the three companies has its own Active Directory forest. The relevant
portion of the network is shown in the exhibit.
TestKing1, TestKing3, and TestKing5 run Windows Server 2003. Each of these
servers is the DNS server for its respective domain. All three servers can
currently resolve Internet host names. TestKing3 is configured as a secondary
zone server for fabrikam.com and proseware.com.
You need to configure TestKing5 to resolve host names for testking.com and
proseware.com as quickly as possible, without adding new zones to TestKing5.
Which two actions should you perform? (Each correct answer presents part of
the solution. Choose two)
A. Forward requests for testking.com to 131.107.1.2.
B. Forward requests for testking.com to 131.107.3.2.
C. Forward requests for testking.com to 131.107.10.2.
D. Forward requests for proseware.com to 131.107.1.2.
E. Forward requests for proseware.com to 131.107.3.2.
F. Forward requests for proseware.com to 131.107.10.2.
Answer: B, D.
Explanation: TestKing3 (10.107.3.2) is able to resolve hostnames for testking.com,
proseware.com and fabrikam.com. Therefore to resolve hostnames for testking.com
and proseware.com as quickly as possible, we could forward resolution requests for
those two domains to TestKing3 (10.107.3.2). However, while answers D and E would
both work for proseware.com, it is probably better to forward requests for
proseware.com to the primary DNS server for that domain (131.107.1.2).
Incorrect Answers:
A: 131.107.1.2 can resolve hostnames for proseware.com, but not testking.com.
C: 131.107.10.2 can resolve internet domain names, but not hostnames for
proseware.com or testking.com.
E: This would work, and so could be an answer.
F: 131.107.10.2 can resolve internet domain names, but not hostnames for
proseware.com or testking.com.
QUESTION NO: 3
You are the network administrator for TestKing. The network consists of a
single DNS domain named testking.com.
You replace a UNIX server with a Windows Server 2003 computer named
TestKing1.
TestKing1 is the DNS server and start of authority (SOA) for testking.com. A
UNIX server named TestKing2 is the mail server for testking.com.
You receive reports that Internet users cannot send e-mail to the testking.com
domain. The host addresses are shown in the following window.
You need to ensure that Internet users can send e-mail to the testking.com
domain.
What should you do?
A. Add an _smtp service locator (SRV) DNS record for TestKing2.
B. Add a mail exchange (MX) DNS record for TestKing2.
C. Add an alias (CNAME) record for mail.testking.com.
D. Enable the SMTP service on TestKing1.
Answer: B
Explanation: Email servers on the Internet query TestKing1 for the address of the
mail server for the domain. The address of the mail server is held in an MX (Mail
Exchange) record.
Incorrect Answers:
A: Email servers find other email servers by using MX records, not SRV records.
C: Email servers find other email servers by using CNAME records
D: The SMTP service should be running on the mail server, not the DNS server.
QUESTION NO: 4
You are the network administrator for TestKing. The network contains
Windows Server 2003 computers and Windows XP Professional computers. You
are configuring Automatic Updates on the servers.
The written company network security policy states that all updates must be
reviewed and approved before they are installed. All updates are received from
the Microsoft Windows Update servers.
You want to automate the updates as much as possible.
What should you do?
To answer, configure the appropriate option or options in the dialog box.
Answer: Check the “Keep my computer up to date” checkbox. Select the “Download
the updates automatically and notify me when they are ready to be installed” radio
button.
Explanation: The updates will be automatically downloaded, but you will be able to
review the updates before they are installed.
QUESTION NO: 5
You are the network administrator for TestKing. The network consists of a
single Active Directory domain testking.com. The domain contains 35 Windows
Server 2003 computers; 3,000 Windows XP Professional computers; 2,200
Windows 2000 Professional computers.
The written company security policy states that all computers in the domain
must be examined, with the following goals:
• To find out whether all available security updates are present.
• To find out whether shared folders are present.
• To record the file system type on each hard disk.
You need to provide this security assessment of every computer and verify that
the requirements of the written security policy are met.
What should you do?
A. Open the Default Domain Policy and enable the Configure Automatic
Updates policy.
B. Open the Default Domain Policy and enable the Audit object access policy,
the Audit account management policy, and the Audit system events policy.
C. On a server, install and run mbsacli.exe with the appropriate configuration
switches.
D. On a server, install and run HFNetChk.exe with the appropriate configuration
switches.
Answer: C
Explanation: The Microsoft Baseline Security Analyzer can perform all the required
assessments. Mbsacli.exe includes HFNetChk.exe, which is used to scan for missing
security updates.
In general, the MBSA scans for security issues in the Windows operating systems
(Windows NT 4, Windows 2000, Windows XP), such as Guest account status, file
system type, available file shares, members of the Administrators group, etc.
Descriptions of each OS check are shown in the security reports with instructions on
fixing any issues found.
Incorrect Answers:
A: This won’t check for missing updates, shared folders or file system type.
B: This won’t check for missing updates, shared folders or file system type.
D: This will check for missing updates but not shared folders or file system type.
QUESTION NO: 6
You are the network administrator for TestKing. The network contains
Windows Server 2003 computers and Windows XP Professional computers.
You install Software Update Services on a server named TestKingA. You create
a new Group Policy object (GPO) at the domain level.
You need to properly configure the GPO so that all computers receive their
updates from TestKingA.
How should you configure the GPO?
To answer, configure the appropriate option or options in the dialog box.
Answer: Select the “Enabled” radio button. In the “Set the intranet update service for
detecting updates” box, enter the name of the server; in this case you would enter
http://TestKingA. You should also enter http://TestKingA as the address of the
intranet statistics server.
QUESTION NO: 7
You are the regional network administrator for the Boston branch office of
TestKing's network. The company network consists of a single Active Directory
domain testking.com. All computers in the Boston office run Windows XP
Professional.
The domain contains an organizational unit (OU) named BostonClientsOU,
which contains all the computer objects for the Boston office. A Group Policy
object (GPO) named BClientsGPO is linked to BostonClientsOU. You have been
granted the right to modify the GPO.
BClientsGPO contains a software restriction policy that prevents the execution
of any file that has a .vbs file extension. All other applications are allowed to run.
You want to use a script file named maintenance.vbs, which you will schedule to
run every night on the computers in the Boston office. The maintenance.vbs file
is located in the Scripts shared folder on a server named TestKingSrvC. The
contents of maintenance.vbs will frequently change based on the maintenance
tasks you want to perform.
You need to modify the software restriction policy to prevent unauthorized .vbs
scripts from running on the computers in the Boston office, while allowing
maintenance.vbs to run. You want to ensure that no other applications are
affected by your solution. You want to implement a solution that you can
configure once, without requiring additional administration in the future, when
maintenance.vbs changes.
What should you do?
A. Obtain a digital certificate.
Create a new certificate rule.
Set the security level of the rule to Unrestricted.
Digitally sign maintenance.vbs.
B. Create a new path rule.
Set the security level on the rule to Unrestricted.
Set the path to \\TestKingSrvC\Scripts\*.vbs.
C. Create a new path rule.
Set the security level on the rule to Unrestricted.
Set the path to \\TestKingSrvC\Scripts\maintenance.vbs.
D. Create a new hash rule.
Set the security level on the rule to Unrestricted.
Create a file hash of maintenance.vbs.
Answer: C
Explanation: The file will change so we can only use a path rule.
The purpose of a rule is to identify one or more software applications, and specify
whether or not they are allowed to run. Creating rules largely consists of identifying
software that is an exception to the default rule. Each rule can include descriptive text
to help communicate why the rule was created.
A software restriction policy supports the following four ways to identify software:
Hash—A cryptographic fingerprint of the file.
Certificate—A software publisher certificate used to digitally sign a file.
Path—The local or universal naming convention (UNC) path of where the file is
stored.
Zone—Internet Zone
Hash Rule
A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of
where it is accessed or what it is named. An administrator may not want users to run a
particular version of a program. This may be the case if the program has security or
privacy bugs, or compromises system stability. With a hash rule, software can be
renamed or moved into another location on a disk, but it will still match the hash rule
because the rule is based on a cryptographic calculation involving file contents.
A hash rule consists of three pieces of data, separated by colons:
MD5 or SHA-1 hash value
File length
Hash algorithm id
It is formatted as follows:
[MD5 or SHA1 hash value]:[file length]:[hash algorithm id]
Files that are digitally signed will use the hash value contained in the signature, which
may be SHA-1 or MD5. Files that are not digitally signed will use an MD5 hash.
Example: The following hash rule matches a file with a length of 126 bytes and with
contents that match the MD5 (denoted by the hash algorithm identifier of 32771) hash
of 7bc04acc0d6480af862d22d724c3b049—
7bc04acc0d6480af862d22d724c3b049:126:32771
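The hash rule format above, worked through as an added Python example (not part of the original guide or of any Microsoft tool): it parses a rule string, checks file contents against it, and shows that editing a script breaks the match. The `HashRule` helper and the sample script contents are constructed for illustration; algorithm id 32772 for SHA-1 is the CryptoAPI `CALG_SHA1` value, which the page does not state.

```python
import hashlib
from dataclasses import dataclass

# "Hash algorithm id" values are CryptoAPI ALG_IDs. 32771 (MD5) is the value
# shown on the page; 32772 is CALG_SHA1 (assumption: not stated on the page).
ALGORITHMS = {32771: ("md5", 16), 32772: ("sha1", 20)}


@dataclass(frozen=True)
class HashRule:
    """Hypothetical helper modelling one '[hash]:[length]:[alg id]' rule."""
    digest: bytes
    length: int
    alg_id: int

    @classmethod
    def parse(cls, text):
        parts = text.strip().split(":")
        if len(parts) != 3:
            raise ValueError("expected three colon-separated fields")
        hex_digest, length_s, alg_s = parts
        if not (length_s.isdecimal() and alg_s.isdecimal()):
            raise ValueError("file length and algorithm id must be decimal")
        alg_id = int(alg_s)
        if alg_id not in ALGORITHMS:
            raise ValueError(f"unsupported hash algorithm id {alg_id}")
        try:
            digest = bytes.fromhex(hex_digest)
        except ValueError:
            raise ValueError("hash value is not hexadecimal") from None
        if len(digest) != ALGORITHMS[alg_id][1]:
            raise ValueError("hash size does not fit the algorithm id")
        return cls(digest, int(length_s), alg_id)

    @classmethod
    def for_content(cls, data, alg_id=32771):
        """Build the rule that identifies exactly these file contents."""
        name = ALGORITHMS[alg_id][0]
        return cls(hashlib.new(name, data).digest(), len(data), alg_id)

    def matches(self, data):
        """True only if both the length and the digest of data agree."""
        if len(data) != self.length:
            return False
        name = ALGORITHMS[self.alg_id][0]
        return hashlib.new(name, data).digest() == self.digest

    def __str__(self):
        return f"{self.digest.hex()}:{self.length}:{self.alg_id}"


# The rule string quoted on the page.
page_rule = HashRule.parse("7bc04acc0d6480af862d22d724c3b049:126:32771")

# Constructed sample contents for two revisions of a script (same length).
v1 = b'WScript.Echo "nightly maintenance v1"\r\n'
v2 = b'WScript.Echo "nightly maintenance v2"\r\n'
rule_v1 = HashRule.for_content(v1)

if __name__ == "__main__":
    print("page rule:", page_rule.length, "bytes, alg id", page_rule.alg_id)
    print("rule for v1:", rule_v1)
    print("v1 matches:", rule_v1.matches(v1))  # name and location are irrelevant
    print("v2 matches:", rule_v1.matches(v2))  # any edit needs a new rule
```

Because the rule is computed from the contents alone, a renamed or moved copy of `v1` still matches, while every edit to the script requires a new rule.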
Certificate Rule
A certificate rule specifies a code-signing, software publisher certificate. For example,
a company can require that all scripts and ActiveX controls be signed with a particular
set of publisher certificates. Certificates used in a certificate rule can be issued from a
commercial certificate authority (CA) such as VeriSign, a Windows 2000/Windows
Server 2003 PKI, or a self-signed certificate.
A certificate rule is a strong way to identify software because it uses signed hashes
contained in the signature of the signed file to match files regardless of name or
location. If you wish to make exceptions to a certificate rule, you can use a hash rule
to identify the exceptions.
Path Rule
A path rule can specify a folder or fully qualified path to a program. When a path rule
specifies a folder, it matches any program contained in that folder and any programs
contained in subfolders. Both local and UNC paths are supported.
Zone Rule
A rule can identify software from the Internet Explorer zone from which it is
downloaded.
Incorrect answers:
A: We can’t use a certificate because the file will change.
B: *.vbs will allow any vbs script to run.
D: The hash is calculated using the filename, filesize etc. The file will change so the
size will change and therefore the hash will need to be changed.
Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.asp
QUESTION NO: 8
You are the network administrator for TestKing. TestKing has offices in three
countries. The network contains Windows Server 2003 computers and Windows
XP Professional computers. The network is configured as shown in the exhibit.
Software Update Services (SUS) is installed on one server in each office. Each
SUS server is configured to synchronize by using the default settings.
Because bandwidth at each office is limited, you want to ensure that updates
require the minimum amount of time.
What should you do?
A. Synchronize the updates with an SUS server at another office.
B. Select only the locales that are needed.
C. Configure Background Intelligent Transfer Service (BITS) to limit file transfer
size to 9 MB.
D. Configure Background Intelligent Transfer Service (BITS) to delete
incomplete jobs after 20 minutes.
Answer: B
Explanation: When you configure SUS, you can select multiple languages for the
updates according to your locale. In this scenario, we can reduce the bandwidth used
by the synchronization by selecting only the required locales. This will avoid
downloading and synchronizing multiple copies of the same updates, but in different
languages.
Incorrect Answers:
A: This will not reduce the size of the updates or minimize bandwidth usage.
C: The updates may be more than 9MB, so we shouldn’t limit the transfer size.
D: This will not reduce the size of the updates or minimize bandwidth usage.
QUESTION NO: 9
You are the file server administrator for TestKing. The company network
consists of a single Active Directory domain named testking.com. The domain
contains 12 Windows Server 2003 computers and 1,500 Windows XP
Professional computers.
You manage three servers named TestKing1, TestKing2, and TestKing3. You
need to update the driver for the network adapter that is installed in TestKing1.
You log on to TestKing1 by using a nonadministrative domain user account
named King. You open the Computer Management console. When you select
Device Manager, you receive the following error message: “You do not have
sufficient security privileges to uninstall devices or to change device properties or
device drivers”.
You need to be able to run the Computer Management console by using the local
administrator account. The local administrator account on TestKing1,
TestKing2, and TestKing3 has been renamed Tess. Tess’s password is kY74X.
In Control Panel, you open Administrative Tools. You right-click the Computer
Management shortcut and click Run as on the shortcut menu.
What should you do next?
Answer:
Explanation:
Choose "The following User" because you want to run the program under a different
account to the one you’re logged in with. Enter "TestKing1\Tess" in the User Name
field, and enter "kY74X" in the password field. TestKing1\Tess indicates a user account
named Tess on a computer named TestKing1; in this case, this is the local
administrator account.
QUESTION NO: 10
You are the network administrator for TestKing. The network consists of a
single Active Directory domain named testking.com. The domain contains
Windows Server 2003 computers and Windows XP Professional computers.
All confidential company files are stored on a file server named TestKing1. The
written company security policy states that all confidential data must be stored and
transmitted in a secure manner. To comply with the security policy, you enable
Encrypting File System (EFS) on the confidential files. You also add EFS
certificates to the data decryption field (DDF) of the confidential files for the
users who need to access them.
While performing network monitoring, you notice that the confidential files that
are stored on TestKing1 are being transmitted over the network without
encryption.
You must ensure that encryption is always used when the confidential files on
TestKing1 are stored and transmitted over the network.
What are two possible ways to accomplish this goal? (Each correct answer
presents a complete solution. Choose two)
A. Enable offline files for the confidential files that are stored on TestKing1, and
select the Encrypt offline files to secure data check box on the client
computers of the users who need to access the files.
B. Use IPSec encryption between TestKing1 and the client computers of the
users who need to access the confidential files.
C. Use Server Message Block (SMB) signing between TestKing1 and the client
computers of the users who need to access the confidential files.
D. Disable all LM and NTLM authentication methods on TestKing1.
E. Use IIS to publish the confidential files.
Enable SSL on the IIS server.
Open the files as a Web folder.
Answer: B, E
Explanation:
We can use IPSec to encrypt network traffic.
We can use SMB to encrypt network traffic.
We can use SSL to secure the files.
Think about the MS rule of thumb: less administrative effort.
Think about MS FAQs: some questions can have two valid answers.
In this case C and E can both be valid answers.
We need to think about whether SMB signing is a valid option or not, because they
do not tell us whether the Secure channel setting is being enforced on the clients or server:
Secure channel: Digitally encrypt or sign secure channel data (always) Enabled
SMB signing
By default, domain controllers running Windows Server 2003 require that all clients
digitally sign SMB-based communications.
The SMB protocol provides file sharing, printer sharing, various remote
administration functions, and logon authentication for some clients running older
operating system versions. (Authentication: the process for verifying that an entity
or object is who or what it claims to be. Examples include confirming the source and
integrity of information, such as verifying a digital signature or verifying the
identity of a user or computer.)
Client computers running Windows for Workgroups, Windows 95 without the Active
Directory client, and Windows NT 4.0 Service Pack 2 (or earlier) do not support SMB
signing and cannot connect to domain controllers running Windows Server 2003 by
default.
To use SMB we can set the following policies.
Secure channel: Digitally encrypt or sign secure channel data (always) Enabled
Secure channel: Digitally encrypt secure channel data (when possible) Enabled