70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
11. You are the administrator of a Windows 2000 Server computer named ServerA. ServerA has Internet
Information Services (IIS) installed and is used to host your company's public Internet web site.
The company plans to create a secure web site where customers can access their account and billing
information. Customers will access this web site by using a variety of web browsers. A new web site has
been created and configured to use Basic authentication.
You are asked to ensure that all information transmitted between ServerA and the customers' computers
is encrypted. How should you configure the new web site?
A. Enable the web site to use Integrated Windows Authentication.
B. Enable the web site to use Digest authentication for Windows domain servers.
C. Enable the web site to use a web server certificate and enable SSL for the web site.
D. Enable the web site to use a web server certificate and enable IPSec on ServerA.
Answer: C
Explanation: Secure Sockets Layer (SSL) encrypts the content and the data that is being transmitted. Most
popular browsers have built-in SSL support. Certificates are required for the server and client's browser to set
up an SSL connection over which encrypted information can be sent. The certificate-based SSL features in IIS
consist of a server certificate, an optional client certificate, and various digital keys.
Note: Certificates are digital identification documents that allow both servers and clients to authenticate each
other. Server certificates usually contain information about your company and the organization that issued the
certificate.
Incorrect Answers:
A: Integrated Windows authentication would not, by itself, secure the connections. It would only prevent
access to anonymous users and would only authenticate and provide access to users who have valid
domain user accounts. This would thus provide for the authenticity of the clients that access the server
but would not provide for the encryption of the data that is transmitted between the client and the server.
B: Digest authentication encrypts client-supplied passwords in compatible browsers (Internet Explorer), but
it does not encrypt the content and data that is transmitted between the client and the server.
D: To be able to use IPSec, both the server and the clients must be enabled for IPSec. However, we do not
have control over the client computers, as they belong to the customers. We therefore cannot ensure that
IPSec is enabled on the client computers and therefore cannot implement IPSec.
12. You are the administrator of your company's file servers. An employee named Maria is promoted to the
new position of manager in the marketing department. Maria needs to be able to review all the
documents that are used by other employees in the marketing department. However, she does not need to
make changes to these documents.
All the marketing documents are stored in subfolders in a single marketing folder, which is shared as
Marketing. Each employee in the marketing department has a subfolder in the Marketing folder.
Currently, only the employee, the Administrators group, and the Power Users group have permissions
for each employee's subfolder. Permissions inheritance is enabled on the Marketing folder. The resources
and permissions are shown in the following table.
Exhibit
You need to allow Maria to review the documents of all of the other marketing employees without giving
her unnecessary permissions. What should you do?
A. Make Maria a member of the Power Users group.
B. Share each existing subfolder and assign Maria the Allow-Read permission for each of the new
shares.
C. Assign Maria the Allow-Read NTFS permission for the Marketing folder.
D. Assign Maria the Allow-Read permission for the Marketing share.
Answer: C
Explanation: We need to allow read access for Maria. She must be able to read the files but must not be able to
change them. She already has full Share permission to the Marketing share. We must also give Maria NTFS
permissions, because her effective permission is a combination of the sum of her Share permissions and the sum
of her NTFS permissions. If we give Maria the NTFS Read permission, her permission on the folders
would be Read, because her effective permission is the most restrictive of her accumulative Share permissions
and her accumulative NTFS permissions.
Note: To calculate a user's effective permission on a share:
1. Calculate the NTFS permissions. They are accumulative except for DENY that overrides all
permissions.
2. Calculate the Share permission. They are accumulative.
3. Combine the calculated NTFS and Share permissions. The result is the most restrictive permission.
Incorrect Answers:
A: Adding Maria to the Power Users group would give her Modify permission (NTFS: Modify + Share:
Full = Modify) on all the files and folders on the share. This would provide her with more
permissions than is required.
B: Creating shares for each subfolder and giving Maria the Read share permission would not give Maria
access to the files, since she does not have any NTFS permissions (NTFS: none + Share: Read = none).
D: Giving Maria Read permissions on the share would not give Maria any more rights since she already has
Full Control Share permission as a member of the Everyone group. Maria would have no permission to
the folders (NTFS:none + Share:Full = none).
13. You are the administrator of a Windows 2000 file server named ServerA. ServerA is a member of a
Windows 2000 Domain. On a volume that is formatted as NTFS, you create and share folders for the
sales department. Managers in the sales department need to read and modify files in all of the
department's folders. Users named Peter, Maria, and Marc need to read files in the G:\Sales\Reports
folder, and they need full control of files in their personal folders.
You configure folder and share permissions as shown in the following table.
Exhibit
A user in the Managers group informs you that she can read the files in Marc's folder but cannot update
them.
You need to allow all users in the Managers group to update all of the files in the sales department's
folder. What should you do?
A. Instruct the users in the Managers group to access the files by using the Sales share.
B. Assign the Managers group the Allow-Full Control permission for the Marc$ share.
C. Re-create the Marc$ share as Marc.
D. Ensure that the Managers group has the Allow-Full Control permission for the published share
object in Active Directory that is associated with the Sales share.
Answer: A
Explanation: The Managers group has full Share permissions on the Sales share and full NTFS permissions on the
Sales folder and all its subfolders. The combined permission is also full permission (Share: Full + NTFS: Full = Full).
Note: The calculation of effective permission on a share can be done by:
1. Calculate the NTFS permissions. They are accumulative except for DENY that overrides all
permissions.
2. Calculate the Share permission. They are accumulative.
3. Combine the calculated NTFS and Share permissions. The result is the most restrictive permission.
Incorrect Answers:
B: Assigning Full Control permission to the Managers group on Marc$ share would solve the problem for
this particular share. Managers would still be denied access if they connected to the Maria$ or the Peter$
share though.
C: A share that ends with a $ sign is a hidden share, which means it cannot be seen while browsing the
network. A hidden share uses the Share permissions in exactly the same way as a non-hidden share.
Recreating the Marc$ share as Marc wouldn't change anything.
D: Access to a share is decided by NTFS and Share permissions, not by permissions assigned in the Active
Directory. The Active Directory can be used to publish a share to users to make it more convenient for
them to access the share.
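The three-step calculation from the notes in questions 12 and 13, as an added example (not part of the original study guide). It models permission levels as sets of rights and evaluates each answer option. The exhibits are not reproduced on the page, so the ACLs below are constructed: the employee's and Administrators' Full Control entries and the Managers' Read entry on Marc$ are assumptions, while the other values come from the explanations.

```python
# Permission levels as bundles of rights (simplified model of NTFS/share levels).
READ = frozenset({"read"})
MODIFY = READ | {"write", "delete"}
FULL = MODIFY | {"change_permissions"}


def cumulative(acl, principals):
    """Steps 1 and 2: union of the Allow entries that match the user or one of
    the user's groups; a matching Deny entry removes rights regardless of Allows."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (denied if kind == "deny" else allowed).update(rights)
    return frozenset(allowed - denied)


def effective(ntfs_acl, share_acl, principals):
    """Step 3: over the network only rights granted by BOTH layers survive."""
    return cumulative(ntfs_acl, principals) & cumulative(share_acl, principals)


def level(rights):
    """Name the highest level fully contained in a set of rights."""
    for bundle, name in ((FULL, "Full Control"), (MODIFY, "Modify"), (READ, "Read")):
        if bundle <= rights:
            return name
    return "None"


# Question 12 (constructed ACLs). Power Users = Modify and Everyone = Full Control
# on the share are stated in the explanations; the other two entries are assumed.
SUBFOLDER_NTFS = [("Employee", "allow", FULL), ("Administrators", "allow", FULL),
                  ("Power Users", "allow", MODIFY)]
MARKETING_SHARE = [("Everyone", "allow", FULL)]
MARIA = {"Maria", "Everyone"}


def question_12():
    read_ace = [("Maria", "allow", READ)]
    return {
        "before": level(effective(SUBFOLDER_NTFS, MARKETING_SHARE, MARIA)),
        "A": level(effective(SUBFOLDER_NTFS, MARKETING_SHARE, MARIA | {"Power Users"})),
        "B": level(effective(SUBFOLDER_NTFS, read_ace, MARIA)),          # new share, no NTFS entry
        "C": level(effective(SUBFOLDER_NTFS + read_ace, MARKETING_SHARE, MARIA)),
        "D": level(effective(SUBFOLDER_NTFS, MARKETING_SHARE + read_ace, MARIA)),
    }


def question_13():
    # Full Control in NTFS and on the Sales share comes from the explanation.
    # Read on Marc$ is an assumption that matches the reported symptom.
    ntfs = [("Managers", "allow", FULL)]
    manager = {"Manager1", "Managers"}  # hypothetical user name
    return {
        "Sales": level(effective(ntfs, [("Managers", "allow", FULL)], manager)),
        "Marc$": level(effective(ntfs, [("Managers", "allow", READ)], manager)),
    }


if __name__ == "__main__":
    print(question_12())
    print(question_13())
```

Only option C in question 12 yields Read without granting more, and in question 13 the same NTFS rights produce different results depending on which share the user connects through.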
14. You are a network administrator for your company. The network is configured as shown in the exhibit.
You notice that connectivity from the New York office to the London office is inconsistent. You need to
find out where the network packets are being dropped and what percentage of packets is being dropped.
What should you do?
Exhibit
A. On NYDC01, run the tracert LONDC01 command. View the results and find out where the
results time out.
B. On LONDC01, run the tracert NYDC01 command. View the results and find out where the
results time out.
C. On NYDC01, run the ping LONDC01 command. View the results.
D. On LONDC01, run the ping NYDC01 command. View the results.
E. On NYDC01, run the pathping LONDC01 command. View the results.
F. On TORDC01, run the pathping LONDC01 command. View the results.
Answer: E
Explanation:
We must troubleshoot the connection from New York to London. We should run any troubleshooting commands from
the source location, New York.
The pathping combines features of the ping and tracert commands to identify which routers are on the path. It
also provides additional information that neither of those commands provides. It sends pings periodically to all
of the routers over a given time period, and computes statistics based on the number returned from each. Since
pathping shows the degree of packet loss at any given router or link, you can determine which routers or links
might be causing network problems.
Incorrect Answers:
A: Tracert doesn't provide as much useful information as pathping.
B: Tracert doesn't provide as much useful information as pathping.
The command should be issued at New York not at London.
C: The ping command only provides a result of either success or failure (and ping time). It will not provide
any information on where the problem is located.
D: The ping command only provides a result of either success or failure (and ping time). It will not provide
any information on where the problem is located.
The command should be issued at New York not at London.
F: The command should be issued at New York not at London.
15. You are a network administrator for Fabrikam, Inc. The network consists of a Windows 2000 Domain
named ad.fabrikam.com. The domain contains two DNS servers that host an Active Directory integrated
zone for ad.fabrikam.com. A Windows 2000 web server named ServerA is a member of ad.fabrikam.com.
An intranet web site was recently created on ServerA. You want users to access the new Web site by
using the URL home.portal.fabrikam.com.
What should you do?
A. Create a new domain record named portal in the ad.fabrikam.com zone. In portal, create CNAME
(canonical name) record named home and specify ServerA.ad.fabrikam.com as the target host.
B. On one of the DNS servers, create a new zone named portal.fabrikam.com. In portal.fabrikam.com,
create a CNAME (canonical name) record named home and specify ServerA.ad.fabrikam.com as the
target host.
C. In ad.fabrikam.com, create CNAME (canonical name) record named home and specify
home.portal.fabrikam.com as the target host.
D. In ad.fabrikam.com, create CNAME (canonical name) record named home.portal and specify
ServerA.fabrikam.com as the target host.
Answer: B
Explanation: A DNS zone can only provide host to IP resolution within the namespace of the zone. It cannot
provide name resolution for host names that are not included in the zone.
In this scenario we have a zone ad.fabrikam.com and we want to use the name home.portal.fabrikam.com as an
alias for the resource ServerA.ad.fabrikam.com. We do this by creating a new zone portal.fabrikam.com and
adding a CNAME (alias) record that maps the host name home (which in the zone equals
home.portal.fabrikam.com) to ServerA.ad.fabrikam.com.
Incorrect Answers:
A: Adding a CNAME record portal in the ad.fabrikam.com zone with ServerA.ad.fabrikam.com as the target host
would map portal.ad.fabrikam.com to ServerA.ad.fabrikam.com, but we want to map
home.portal.fabrikam.com to ServerA.ad.fabrikam.com.
C: Adding a CNAME record portal in the ad.fabrikam.com zone with home.portal.fabrikam.com as the target host
would map portal.ad.fabrikam.com to home.portal.fabrikam.com. But no source with that name exists.
D: A CNAME record home.portal in the ad.fabrikam.com would map the home.portal.ad.fabrikam.com to
the destination host, but we want to map home.portal.fabrikam.com.
16. You are a network administrator for your company. The network contains a DNS server. All client
computers are configured to use the DNS server for name resolution. The network also includes four
Windows 2000 Server computers, which function as file and print servers; 100 Windows 95 client
computers; and 100 Windows 2000 Professional computers.
The network is currently configured as a single logical subnet. The company adds two additional subnets,
which are connected to the original subnet by routers. All client computers are distributed between the
two new subnets. The servers remain on the original subnet.
Users of the Windows 95 computers now report that they cannot access server-based files and printers.
Users of the Windows 2000 Professional computers can successfully access the servers. You verify that
the Windows 95 computers are configured with the correct DNS server address.
You need to ensure that all users can access server-based files and printers. What should you do?
A. Create an Lmhosts file on each Windows 95 computer. In the file, include the name and IP address
of the DNS server.
B. Install WINS on a Windows 2000 Server computer. Configure all computers to use the WINS server
in addition to the DNS server for name resolution.
C. Configure the Windows 95 client computers to use b-node for NetBIOS name resolution.
D. Install a WINS Proxy Agent on each of the new subnets. Configure the WINS Proxy Agents to use
the DNS server's IP address for WINS name resolution.
Answer: B
Explanation: Downlevel clients, like Windows 95 and Windows NT 4.0, use WINS, not DNS, for name
resolution. On the other hand, Windows 2000 computers only use DNS for name resolution by default. We must
provide the Windows 95 clients with a method of resolving NetBIOS names to IP addresses. The most practical
solution with the least administration would be to configure one Windows 2000 server as a WINS server.
Incorrect Answers:
A: Lmhosts files do provide host name to IP address resolution, and an appropriate Lmhosts file on each
Windows 95 computer would allow the Windows 95 clients to use the DNS server. This would require a
lot of administrative effort.
C: By default Windows 95 clients are configured for H-mode WINS resolution; first they use the WINS server
and then they use broadcasts to resolve NetBIOS names. Changing the node type to b-node would make
the clients only try broadcasts, so this is not an improvement.
Note: there are four WINS node types. They are:
- B-node, broadcast mode, only tries to resolve NetBIOS names with broadcasts.
- P-node, peer-peer node, only tries to resolve NetBIOS names through WINS server.
- M-mode, mixed mode, first use broadcast then in use broadcasts.
- H-mode, hybrid node, is the default WINS node type. H-mode first tries the WINS server then it tries
broadcast.
D: WINS Proxy agent is used to enable non-WINS clients to communicate with WINS clients. Windows 95 is
a WINS client so a WINS proxy agent would not be any improvement.
UNIX clients, for example, could benefit from a WINS proxy agent.
17. You are a domain administrator for your company. The network contains two TCP/IP subnets that are
connected by a router. The router is configured to forward BOOTP packets. The two subnets contain a
total of 180 Windows 2000 Professional computers.
A Windows 2000 Server computer named ServerA provides DHCP services for the network. The DHCP
scope on ServerA is configured as shown in the following table.
Exhibit
You are adding a new Windows 2000 Server computer named ServerB. You install the DHCP service on
ServerB. You want ServerB to provide load balancing and redundancy for ServerA.
How should you configure DHCP on ServerB?
A. Configure one scope with an IP address range of 172.30.10.1 to 172.30.10.100. Configure a second
scope with an IP address range of 172.30.11.1 to 172.30.11.100.
B. Configure one scope with an IP address range of 172.30.10.101 to 172.30.10.200. Configure a
second scope with an IP address range of 172.30.11.101 to 172.30.11.200.
C. Configure one scope with an IP address range of 172.30.10.1 to 172.30.10.200. Configure an IP
address exclusion of 172.30.10.1 to 172.30.10.100.
D. Configure one scope with an IP address range of 172.30.11.1 to 172.30.11.200. Configure an IP
address exclusion of 172.30.11.1 to 172.30.11.100.
Answer: B
Explanation: For redundancy, two (or more) DHCP servers must split the DHCP scope into two nonoverlapping
IP address ranges. Typically they are split with the 75/25 rule (or 80/20 etc.) that specifies that the
local DHCP server will use 75% of the DHCP scope and the remote DHCP server will use 25% of the DHCP
scope. The other scope is split in the same fashion: the local DHCP server uses 75% of the scope and the remote
DHCP server uses 25% of the scope. This provides redundancy and load balancing as required.
In this scenario the solution would use a 50% split. This is not the optimal solution but it would provide
redundancy and load balancing.
Incorrect Answers:
A: Two DHCP servers leasing IP addresses in the same range must not have overlapping scopes. ServerA
already uses the 172.30.10.1 to 172.30.10.100 range so ServerB cannot lease IP addresses in this range.
C: Redundancy and load balancing must be provided for both scopes. ServerB must be configured to lease
addresses in the 172.30.11.0/24 scope as well.
D: Redundancy and load balancing must be provided for both scopes. ServerB must be configured to lease
addresses in the 172.30.10.0/24 scope as well.
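The two conditions used to judge the options in question 17 (no address leasable by both servers, and leasable addresses on every subnet), as an added example that is not part of the original study guide. The exhibit is not reproduced on the page: ServerA's 172.30.10.1 to 172.30.10.100 range comes from the explanation, while its 172.30.11.1 to 172.30.11.100 range is an assumption.

```python
import ipaddress


def addr_range(first, last):
    """Inclusive range of IPv4 addresses, as a set of integers."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return set(range(lo, hi + 1))


def leasable(scopes):
    """Addresses a server can hand out: each scope's range minus its exclusion."""
    pool = set()
    for scope in scopes:
        addrs = addr_range(*scope["range"])
        if "exclude" in scope:
            addrs -= addr_range(*scope["exclude"])
        pool |= addrs
    return pool


def evaluate(existing, candidate, subnets):
    """Return (overlapping address count, subnets left uncovered, acceptable?)."""
    a, b = leasable(existing), leasable(candidate)
    uncovered = []
    for cidr in subnets:
        net = ipaddress.IPv4Network(cidr)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if not any(lo <= x <= hi for x in b):
            uncovered.append(cidr)
    overlap = len(a & b)
    return overlap, uncovered, overlap == 0 and not uncovered


SUBNETS = ["172.30.10.0/24", "172.30.11.0/24"]

# ServerA: first range is from the explanation, second range is assumed.
SERVER_A = [{"range": ("172.30.10.1", "172.30.10.100")},
            {"range": ("172.30.11.1", "172.30.11.100")}]

# ServerB configurations exactly as listed in answer options A to D.
OPTIONS = {
    "A": [{"range": ("172.30.10.1", "172.30.10.100")},
          {"range": ("172.30.11.1", "172.30.11.100")}],
    "B": [{"range": ("172.30.10.101", "172.30.10.200")},
          {"range": ("172.30.11.101", "172.30.11.200")}],
    "C": [{"range": ("172.30.10.1", "172.30.10.200"),
           "exclude": ("172.30.10.1", "172.30.10.100")}],
    "D": [{"range": ("172.30.11.1", "172.30.11.200"),
           "exclude": ("172.30.11.1", "172.30.11.100")}],
}


def check_options():
    return {name: evaluate(SERVER_A, scopes, SUBNETS) for name, scopes in OPTIONS.items()}


if __name__ == "__main__":
    for name, result in check_options().items():
        print(name, result)
```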
18. You are a network administrator for your company. The network uses static IP addresses on servers and
client computers.
You add a new client computer to subnet A of the network. Your router administrator informs you that
the new client computer is incorrectly configured.
The relevant portion of the network is shown in the exhibit.
Exhibit
You need to configure the client computer so that it can connect to all local and remote computers. What
should you do?
A. Modify the IP address of the client computer so it is the same as the IP address of the file server.
B. Modify the IP address of the client computer so it is the same as the IP address of the router.
C. Modify the subnet mask of the client computer so it is the same as the subnet mask of the file server.
D. Modify the subnet mask of the file server so it is the same as the subnet mask of the client computer.
Answer: C
Explanation: In order to be able to communicate with other computers using the TCP/IP protocol, a computer
must have a unique address and an appropriate subnet mask. The new client must be given an IP address in the
same subnet as the other clients on the subnet. By studying the exhibit we see that this is the case. The subnet
mask of the new client is not correct, however. It must be configured with the same subnet mask as the file server.
Note: In order for the new client to connect to the remote servers the default gateway setting must be set to the
IP address of the Router.
Incorrect Answers:
A: All computers using the TCP/IP protocol must use a unique IP address. The new client cannot be
configured with the same IP address as the File server.
B: All computers using the TCP/IP protocol must use a unique IP address. The new client cannot be
configured with the same IP address as the router.
D: Changing the subnet mask of the file server to the same subnet mask as the new client would allow these
two computers to communicate. However, they would not be able to communicate with other computers
on the local subnet or with clients on the remote subnet.
19. You are a network administrator for your company. The network contains Windows 2000 Professional
computers and Windows 2000 Server computers. A server named ServerA provides DNS, WINS, and
DHCP services. DHCP is configured to issue ServerA's IP address for DNS and WINS name resolution.
ServerA's DNS zone is configured to use DNS dynamic update protocol. All other computers on the
network are configured to use DHCP to obtain IP addressing information.
Your company purchases another company and relocates the new employees to your company's main
office. The new employees use Windows 98 client computers that are configured to use static IP
addresses.
You need to ensure that the Windows 98 computers obtain dynamic IP addresses, and that they register
themselves with ServerA by using DNS dynamic update protocol. Which two actions should you take?
(Each correct answer presents part of the solution. Choose two)
A. Configure the Windows 98 client computers to use ServerA for DNS name resolution.
B. Configure the Windows 98 client computers to use ServerA for WINS name resolution.
C. Configure the Windows 98 client computers to use DHCP to obtain IP addressing information.
D. Configure the DNS server service on ServerA to perform lookups by using WINS.
E. Configure the DHCP service on ServerA to register clients by using DNS dynamic update protocol.
Answer: C, E
Explanation: We have downlevel Windows 98 clients that are not able to use DNS as the only way to resolve
host names. However, by integrating WINS and DNS they would be able to use host names to connect to
resources.
C: The Windows 98 clients are configured with static IP address configuration. We must change this
configuration so that the clients use DHCP to obtain addressing information.
E: The downlevel Windows 98 clients don't handle the dynamic registration in DNS the same way as the
Windows 2000 clients. In order to allow them to register dynamically we must:
1. Enable the DNS zone to allow dynamic updates. This has already been done in this scenario.
2. Configure the DHCP server to Enable updates for DNS clients that do not support dynamic
updates. This setting is disabled by default and must be enabled to allow the Windows 98 clients to be
registered in DNS dynamically.
Note: In a network with only Windows 2000 computers WINS would not be required.
Incorrect Answers:
A: Name resolution is not required in this scenario. We only want to be able to register the Windows 98
clients dynamically in the DNS zone.
B: Windows 98 computers are configured to be WINS clients by default. They do not have to be configured
to be able to use the WINS server.
D: Integrating WINS and DNS is a good idea and would provide name resolution for the downlevel
Windows 98 clients. However, the scenario only requires us to set up dynamic registrations of the
Windows 98 clients in DNS. Integrating DNS and WINS will not accomplish this.
20. You are the network administrator for one of your company's branch offices. The network in your office
consists of two subnets. One subnet contains client computers and one subnet contains servers. You are
using standard, classful subnet masks on the subnets. The relevant portion of the network is shown in the
exhibit.
Exhibit
You need to configure the client computer so that it can connect to the file server and the domain
controller on the network. How should you configure the computer?
To answer, click the select and place button, and then drag the appropriate configuration information to the
client computer.
Select And Place
Answer: A
IP address: 192.168.12.12
Subnet mask: 255.255.255.0
Default gateway: 192.168.12.1
Explanation:
Subnet mask: A classful subnet mask uses a subnet mask in one of the address classes A, B, or C. The IP
address of the local interface of the Router is 192.168.12.1. This IP address belongs to a Class C network. Class
C networks use a default subnet mask of 255.255.255.0 and have 192-223 as their first octet.
IP address: The IP address must be included in the same subnet as the local IP address of the router
(192.168.12.1) so it must have the pattern 192.168.12.xx (the subnet mask is 255.255.255.0). The only available
choice is 192.168.12.12 since we cannot choose the same address as the router.
Default gateway: The default gateway must be set to the IP address of the local router interface which is
192.168.12.1.
Incorrect Answers:
The subnet mask 255.255.0.0 is used for Class B networks. The first octet of an IP address in a class B network
must be in the 128-191 range.
The IP address 192.168.12.1 cannot be used since all computers must have a unique IP address and the router is
already using the 192.168.12.1 address.
The IP addresses 192.168.13.1 and 192.168.13.12 cannot be used since they belong to another subnet than the
router.