1. You are a systems administrator for your company. All server computers in the company are running Microsoft Windows Server 2003. Early one morning, you decide to monitor the company's public Web server, which is named WS15. You open Event Viewer and examine the security log. A single event is listed in the log. This event is shown in the exhibit. What does this event indicate?
A. The user Administrator attempted to impersonate the NT AUTHORITY\SYSTEM account but failed.
B. The operating system could not audit a logon attempt by the user NT AUTHORITY\SYSTEM.
C. The user NT AUTHORITY\SYSTEM attempted to impersonate the Administrator account but failed.
D. The operating system could not audit a logon attempt by the user Administrator.
ANSWER: C
EXPLANATION: The event indicates that the operating system attempted to impersonate the Administrator account and failed. For example, a developer who logged on to the Web server with non-administrative privileges could have attempted to use the RUNAS command to run an application under the Administrator account. The account that logged the event is the local system account. If the Administrator account attempted to impersonate the local system account, then the user would be specified as Administrator and the logon account would be specified as NT AUTHORITY\SYSTEM. This event does not indicate that the operating system failed to audit a logon attempt. If the operating system failed to audit a logon attempt, then there would not be an event in the security log.

2. You are a systems administrator for your company. All server computers in the company are running Microsoft Windows Server 2003. The company's Active Directory infrastructure consists of two domains named contoso.com and nwtraders.com. Both domains are part of the same forest. The contoso.com domain contains the public Web server in the company. The nwtraders.com domain contains all users, groups, and computers in the company's internal network. A firewall prevents incoming Kerberos traffic to the Web server. All employees in the company will use a Web application on the Web server to schedule vacations, enter hours worked on projects, and change personal information in the company's database. The company has strict security rules regarding the Web application's use.
For instance, passwords should not be compromised if intercepted during transmission. Some files in the Web application directory can be accessed by only members of the HR Managers group, while others should be accessible to only members of the HR group. All other files should be accessible to all users in the domain. The appropriate NTFS permissions are configured on all files in the application directory. Non-employees should not be able to access the Web application. The current IIS configuration for the application directory is shown in the exhibit. What configuration change or changes should you make in IIS? (Choose all that apply. Each answer is part of the solution.)
A. Enter contoso.com in the realm text box.
B. Check the Integrated Windows authentication check box.
C. Enter nwtraders.com in the default domain text box.
D. Check the .NET Passport authentication check box.
E. Clear the Basic authentication check box.
F. Enter nwtraders.com in the realm text box.
G. Enter contoso.com in the default domain text box.
H. Clear the Enable anonymous access check box.
ANSWER: E,F,H
EXPLANATION: You should clear the Basic authentication check box. Basic authentication allows user names and passwords to be sent over the Internet in clear text. With basic authentication, a user's password could be compromised if a request is intercepted during transmission of the credentials. You should clear the Enable anonymous access check box. This prevents unauthenticated users from accessing the Web application. You should leave the Digest authentication for Windows domain servers check box checked and enter nwtraders.com in the realm text box. This text box identifies the domain that will be used to authenticate users. In this scenario, all users are members of the nwtraders.com domain. With digest authentication, the user must explicitly supply a user name and password to access a Web application.
Unlike basic authentication, only a hash of the password will be sent to a domain controller during transmission of the credentials. You should not check Integrated Windows authentication. Integrated Windows authentication uses Kerberos tickets to authenticate users. However, the company's firewall prevents incoming Kerberos traffic to the Web servers. You should not enter contoso.com in the realm text box. This text box identifies the domain that will be used to authenticate users. In this scenario, all users are members of the nwtraders.com domain. You can enter a domain name in the default domain text box only if basic authentication is enabled. However, in this scenario, you should not enable basic authentication. You should not check the .NET Passport authentication text box. .NET Passport authentication does not authenticate domain users.

3. You are a systems administrator for your company. The company's server computers are running Microsoft Windows Server 2003. You are troubleshooting one of the company's application servers named AppServ2. AppServ2 contains a 1.5GHz processor. It has a 60 GB hard drive and 128 MB of memory. Users run shared applications on AppServ2 from their desktop computers. Some of these applications run continuously for weeks. As more applications are added to AppServ2, users experience slower performance with all applications. All applications have been tested and contain no memory leaks. Some of the applications are multi-threaded. You use System Monitor to troubleshoot the problem. You monitor the counters shown in the exhibit. What should you do to solve the performance problem?
A. Add more hard disk space to the computer.
B. Add more memory to the computer.
C. Replace the processor with a faster one.
D. Replace the network adapter with a faster one.
ANSWER: B
EXPLANATION: You should add more memory to the computer. Although the applications contain no memory leaks, it is possible that each application uses large amounts of memory. The high value for the Pages / Sec counter indicates that constant paging is taking place. Paging is the process of using disk space to store data that would otherwise be stored in memory. The Pages / Sec value should typically be no more than 20. You should not replace the processor with a faster one. For application servers, you would generally add an additional processor to handle multi-threaded applications. In either case, you should first rule out memory problems. You should not add more hard disk space to the computer. Although the Average Disk Queue Length counter has an average of 1000 (the scale for this counter is 100), you should first rule out a memory problem. As more paging occurs, disk input/output (I/O) will increase. As a consequence, if the disk I/O subsystem is too slow, the Average Disk Queue Length value might increase to a value above normal. You should not replace the network adapter with a faster one. The Current Bandwidth counter shows only the maximum bandwidth for the associated network adapter. It does not show the amount of bandwidth being used.

4. You are a systems administrator for an enterprise organization. All server computers in the company are running Microsoft Windows Server 2003. All client computers are running Microsoft Windows XP Professional. The company hosts its own Web site. All executable and data files associated with the Web site reside at C:\Inetpub\wwwroot\Public on the company's public Web server. You need to monitor the Web server to ensure that no unauthorized users are attempting to modify the files in the Web site's directory. What should you do?
A. Examine the security log for Failure Audit events in the Account Logon and Logon/Logoff categories.
B. Create an alert log to notify you when the Total Files Received counter of the Web Service performance object increases.
C. Create a counter log to monitor the Total Files Received counter of the Web Service performance object at 30-minute intervals.
D. Examine the application log for Folder Redirection errors.
ANSWER: A
EXPLANATION: You should examine the security log for Failure Audit events in the Account Logon and Logon/Logoff categories. These events indicate whether an attempt to log on to the computer was successful or not. You do not need to examine the application log for Folder Redirection errors. Folder Redirection applies to users' personal folders, including the My Documents and My Pictures folders. It allows an administrator to redirect personal folders for all users to a single location. You should not create a counter or alert log to monitor the Total Files Received performance counter. This counter will not give an indication of who submitted the file to the Web server. Also, this counter applies only to files that are submitted using an HTTP POST request. Unauthorized users might use other methods to submit files, such as using Remote Desktop Connection.

5. You are a systems administrator for an enterprise organization. All server computers in the company are running Microsoft Windows Server 2003. Business hours are from 9:00 AM to 6:00 PM, Monday through Friday. Only systems administrators are allowed to work outside of these hours. You are responsible for managing the backup operations on the company's file server, which contains a single basic volume. All users in the sales department use data on a shared folder named Sales. You want to perform nightly differential backups and weekly full backups of Sales. Each nightly backup occurs at 6:00 PM. Each weekly backup occurs on Mondays at 6:00 AM.
You estimate each backup operation to use the capacity of a single tape. You want to have the ability to restore only the most current data each week. However, you want to minimize the number of tapes used during a backup. What is the least number of tapes that you need for the backups? (Choose two answers. Each answer is part of the solution.)
A. One tape for all daily backups
B. One tape for each daily backup
C. One tape for all weekly backups
D. One tape for all weekly and daily backups
ANSWER: C,D

6. You are a systems administrator for a law firm. All server computers in the company are running Microsoft Windows Server 2003. The lawyers in the firm need a central folder to store and share customer contracts. Any lawyer in the firm should be able to store new scanned contracts and subfolders in this folder. They should also be able to delete and change any contracts in the folder and its subfolders. Paralegals should only be able to view the scanned contracts. No one else, besides administrators, should have access to the folder. All paralegals are members of the Paralegals domain local security group. The lawyers are members of the Lawyers global security group. You create a folder named Contracts on the department's file server. You share this folder as Scanned Contracts. The folder is configured with default share permissions. Read, Write, and Modify permissions are granted to Everyone on the folder. The file server is located in a secure room, and only administrators can access the server. How should you modify share-level permissions on the Contracts folder so that the appropriate users have the minimum required privileges? (Choose all that apply. Each answer is part of the solution.)
A. Grant Read share permissions to Paralegals.
B. Grant Change share permissions to Lawyers.
C. Remove Everyone from the share permissions list.
D. Deny Full Control share permissions to Everyone.
E. Grant Full Control share permissions to Lawyers.
ANSWER: A,B,C
EXPLANATION: By default, share-level permissions grant Read access to Everyone. You should first remove Everyone from the share permission list. You should then grant Read share permissions to Paralegals and Change share permissions to Lawyers. Change permissions allow the lawyers to create, delete, and change any files and folders in the shared folder, provided the lawyers have appropriate NTFS permissions on the files and folders. By default, Everyone is granted Read NTFS permissions. However, Read, Modify, and Write permissions are explicitly configured on the folder for Everyone. This allows administrators to access the folder directly, and it allows only lawyers and paralegals to access the folder through the share. The NTFS and share-level defaults are new in Windows Server 2003. In previous versions of Windows, default share-level permissions granted Full Control access to Everyone, and default NTFS permissions granted Read, Write, and Modify access to Everyone. These new defaults provide stronger baseline security than did previous versions of Windows. You should not deny Full Control share permissions to Everyone. If you do this, no one will be able to access the shared folder, regardless of the permissions granted to individual users or groups. You should not grant Full Control share permissions to Lawyers. The lawyers should be able to create, delete, and change contracts, nothing more. Full Control share permissions allow you to change NTFS permissions on files and folders in a shared folder.

7. You are a systems administrator for an enterprise organization. All server computers in the company are running Microsoft Windows Server 2003. You just installed a new disk into the company's file server. You open the Disk Management tool shown in the exhibit. The new disk has not been formatted. You need to configure the disk so that it reserves space for five logical drives. The initial capacity for each drive will be 5 GB.
However, you want the ability to increase this capacity in the future without affecting any data already stored on the drives. What should you do? (Choose all that apply. Each answer is part of the solution.)
A. Create five NTFS simple volumes on Disk 1.
B. Create five NTFS extended partitions on Disk 1.
C. Create five NTFS primary partitions on Disk 1.
D. Create four NTFS extended partitions on Disk 1.
E. Convert Disk 1 from basic to dynamic.
F. Create one NTFS primary partition on Disk 1.
ANSWER: A,E
EXPLANATION: You should first convert Disk 1 from basic to dynamic. Once basic disks are partitioned, they cannot be extended. They need to be recreated, which would result in data loss. With a dynamic disk, you can extend volumes without having to reformat them. You should then create five NTFS simple volumes on Disk 1. Because each volume will have a capacity of only 5 GB, you will be able to extend each volume using the unallocated space on the disk. You should not create partitions on Disk 1. Partitions can be created only on basic disks. However, in this scenario, you should convert the disk from basic to dynamic. Basic disks support up to four partitions, which can contain three primary partitions and one extended partition. You cannot create more than one extended partition on a basic disk. Although an extended partition can contain multiple logical drives, each logical drive cannot be extended to a capacity greater than its initial capacity.

8. You are a systems administrator for a software development company. All server computers in the company are running Microsoft Windows Server 2003. All client computers are running Microsoft Windows XP Professional. Business hours are from 8:00 AM to 5:00 PM, Monday through Friday. Everyone works only during these hours, and everyone has both a client computer and a handheld PC. You recently upgraded the development department's file server from Windows 2000 Server to Windows Server 2003. After the upgrade, the development manager informed you that their source control application is not compatible with the new operating system.
On Tuesday, you configure Volume Shadow Copies on the file server as a temporary version control system. You schedule Volume Shadow Copies to run daily at 12:00 PM and 5:00 PM. A folder named Software Engineering is shared on the volume where Volume Shadow Copies is configured. This folder contains a file named Requirements.doc that is used by the entire development team. The following Monday, Valerie, the program manager for the department, informs you that she needs to view Requirements.doc as it existed last Friday morning. However, she does not want to affect other users. Other users should continue to use the latest version of the document. What should you inform Valerie to do to successfully view the correct version of the file? (Choose two answers. Each answer is part of the solution.)
A. Restore Friday's Requirements.doc file.
B. Copy Thursday's Requirements.doc file to another folder.
C. Configure Volume Shadow Copies.
D. Install the Previous Versions client software.
E. Move Requirements.doc from Software Engineering to another folder.
F. Copy Friday's Requirements.doc file to another folder.
ANSWER: B,D
EXPLANATION: Valerie should first install the Previous Versions client software. This software is available in the CLIENTS\TWCLIENT subfolder of the system folder. Once she installs this software, each shared file's Properties dialog will contain an extra tab named Previous Versions. She can use this tab to select previous versions of Requirements.doc. Once she selects a version, she can view, copy, or restore that version. Valerie should copy Thursday's Requirements.doc file to another folder. This allows users to continue using the latest version of Requirements.doc that exists in the shared folder. Valerie should not configure Volume Shadow Copies. Volume Shadow Copies is configured on the file server. It cannot be configured on client computers. Valerie should not copy Friday's Requirements.doc file to another folder.
She needs to view Requirements.doc as it existed at 8:00 AM Friday morning. Therefore, she needs to view Thursday's version. Shadow copies are made daily at 12:00 PM and 5:00 PM. If Valerie views Friday's version, the document will contain changes that existed as of either 12:00 PM or 5:00 PM, depending on which version she selects. Valerie should not move Requirements.doc from the Software Engineering folder to another folder. If she does, her action will affect other users. Valerie should not restore Friday's Requirements.doc file. Restoring a file replaces the current file in the shared folder. Therefore, other users would not be able to use the latest version. If everyone needs the version that existed on Friday morning, then Valerie should restore Thursday's version.

9. You are the network administrator for Sunshine Networks. You have a network of 17 sites, running Windows Server 2003 servers and RRAS to provide routing, and you're using OSPF as the dynamic routing protocol. You recently installed a Layer 3 switch in the core of your headquarters network, and the help desk has been receiving calls about "host unreachable" error messages. After you make sure the hosts are up, you decide to look at a network decode to determine what the problem could be. You start Network Monitor to capture network traffic, but you don't seem to be capturing all the network traffic. When you view the capture, you see only the packets sent to and from your own computer. What could be the problem?
A. You have not installed the network component on all the servers.
B. The network adapter is not running in promiscuous mode.
C. You have not enabled OSPF on the network adapter.
ANSWER: B
EXPLANATION: For the network adapter to intercept all the packets on the network, it has to be running in promiscuous mode.

10. In Windows 2003 and earlier, which kind of volume should the operating system be installed on?
A. Striped
B. Simple
C. Mirrored
D. RAID-5
E. Spanned
ANSWER: C

11. On a dynamic disk, if you move a disk from one computer to another, what will the status of the disk read in Disk Manager?
A. Not Initialized
B. Unaccessible
C. Foreign
D. Unreadable
E. Offline
F. Initializing
ANSWER: C
EXPLANATION: When you move a dynamic disk from one computer to another, the status of the disk on the new computer shows Foreign. This can also sometimes occur even when the disk hasn't been moved. All information about a dynamic disk is stored on the disk itself. To solve this problem, import the disk.

12. You were recently infected by a boot sector virus. What will the status of the disk read in Disk Manager?
A. Unaccessible
B. Offline
C. Unknown
D. Unreadable
E. Initializing
F. Not Initialized
ANSWER: C

13. On a mirrored volume, if one or both members of the mirror fail, what will the status of the disk read in Disk Manager?
A. Data Incomplete
B. Initializing
C. Unaccessible
D. Unreadable
E. Failed Redundancy
F. Data Not Redundant
ANSWER: E

14. What will the status of the disk read in Disk Manager if the parity disk fails in a RAID-5 set?
A. Data Incomplete
B. Initializing
C. Data Not Redundant
D. Unaccessible
E. Stale Data
F. Failed Redundancy
ANSWER: E

15. On a domain controller, who can shut down the system?
A. Account Operators
B. Print Operators
C. Power Users
D. Administrators
E. Server Operators
F. Backup Operators
ANSWER: A,B,D,E,F

16. You need to change a user's profile to a mandatory profile. How do you do this?
A. Rename the username.txt file to username.man.
B. This cannot be done on a per-user basis; use a group.
C. Select the user, right-click, Properties, Profile tab.
D. Copy the mandatory user profile file to the user's home directory.
ANSWER: C

17. As a system administrator, you have set up user profiles to control the end user's desktop. Your company hardware standards include Dell, HP, and several clone-manufactured computers. You log on as end user bob, configure the desktop, save it, and log off. Another user logs on, but reports that the screen resolution on their computer isn't very good.
What happened? (Select the best answer.)
A. Roaming user profiles can only be installed on a domain controller; your profile was stored on a member server.
B. The appropriate permissions were not set for the new end user.
C. You are using different video cards on the computers. A roaming user profile created on a computer with an SVGA card won't work on a computer with a VGA card.
D. You cannot use roaming user profiles for different hardware brands.
ANSWER: C

18. Select the four user profile types.
A. End User
B. Roaming
C. Local
D. Mandatory
E. Temporary User
F. Network
ANSWER: B,C,D,E

19. You want to ensure that open files are backed up and that end users can still use applications while a backup is being performed. What would you choose?
A. Incremental backup
B. Differential backup
C. Normal backup
D. Volume shadow copy
E. Daily backup
F. Copy backup
ANSWER: D

20. Select the methods to restore the distributed services data that is part of the system state data (Active Directory is part of this). Select three.
A. Normal (nonauthoritative) restore
B. Complete restore
C. System state data restore
D. Primary restore
E. Authoritative restore
ANSWER: A,D,E

21. You have installed a new device driver and the device does not respond. Which utility would you use?
A. Last Known Good Configuration startup option
B. Device Driver Roll Back
C. Automated System Recovery
D. Windows installation CD
E. Disable the driver
F. Backup utility
ANSWER: B

22. Which of the following commands, issued from the command prompt of a Windows Server 2003 domain controller located in the rooslan.com.au domain, will provide you with the SID of Kasia's user account, assuming that Kasia's user account is a member of the SISTER OU (which is an OU off the root of the directory)?
A. dsget user -sid "CN=kasia,CN=SISTER,DC=rooslan,DC=com,DC=au"
B. dsquery user -sid "CN=kasia,CN=SISTER,DC=rooslan,DC=com,DC=au"
C. dsget user -sid "CN=kasia,OU=SISTER,DC=rooslan,DC=com,DC=au"
D. dsquery user -sid "CN=kasia,OU=SISTER,DC=rooslan,DC=com,DC=au"
ANSWER: C
EXPLANATION: Only one answer provides the correct syntax, noting correctly that the designation for the SISTER OU is OU= rather than CN= (which is what happens if the object is located in the default users container). DSQUERY cannot be used to retrieve the SIDs of users.

23. Enrious has a Windows 2003 Member Server YGRADSILL that is part of a workgroup called NEFARIOUS. Enrious has local administrator rights on YGRADSILL and has created local accounts and configured NTFS permissions properly so that only specified users have access to files that Enrious wishes to share. Because some of these files contain sensitive data in plain text format, Enrious would like to configure YGRADSILL so that data shared with other users is transmitted in encrypted format. This will mean that if someone is running a packet sniffer on the network, they will not be able to view the contents of packets transmitting the plain text files, as these files will be encrypted. Enrious configures YGRADSILL with an IP Security policy of Client (Respond Only). Enrious then tests this policy by running a data capture on the network, logging in via another workstation and copying a plain text file across. When he examines the contents of the packets, he finds that he can read the plain text files. Which of the following is the best explanation for this behavior?
A. The Client (Respond Policy) does not secure data unless the destination computer requests it. Therefore data sent from a machine with the IPSec policy of Client (Respond Policy) is not guaranteed to be encrypted.
B. IPSec will encrypt data on the local hard drive but will not encrypt data that is sent over the network. In order to encrypt data sent over the network you must use Encrypting File System to first encrypt the data.
C. The local policy on YGRADSILL is being overwritten by the domain policy.
Domain policy will always override any conflicting settings at the local level.
D. NTFS permissions will always override IPSec policy settings. If the user receiving the data has NTFS permission of Read or greater, the data will not be sent in an encrypted format.
ANSWER: A
EXPLANATION: The long-term direction for secure networking, IPSec is a suite of cryptography-based protection services and security protocols. Because it requires no changes to applications or protocols, you can easily deploy IPSec for existing networks. Activating the Client (Respond Only) IPSec policy will not secure traffic unless the destination computer requests it. A server policy may need to be customized to work transparently with some programs and networks.

24. Cameron, Michael and Julie all have user accounts within a Windows Server 2003 Domain. They all use a shared folder named TECHDOC that resides on a 2003 Member Server. There are four groups that have been assigned permissions to this share. These are the ENGINEERING, MARKETING, MANAGERS and ACCOUNTANTS groups. Cameron is a member of the ENGINEERING, MARKETING and MANAGERS groups. Julie is a member of the ENGINEERING and MARKETING groups and Michael is a member of the MANAGERS and ACCOUNTANTS groups.
The SHARE permissions for TECHDOC are as follows:
Cameron - Full Control (ALLOW)
Michael - Full Control (ALLOW)
Julie - Full Control (ALLOW)
Managers - Full Control (DENY)
Accountants - Full Control (DENY)
Engineering - Read (ALLOW)
Marketing - Read (ALLOW)
NTFS permissions for the folder hosting the TECHDOC share and its subfolders are:
Cameron - Full Control (ALLOW)
Michael - Full Control (ALLOW)
Julie - Full Control (ALLOW)
Managers - Full Control (ALLOW)
Accountants - Full Control (DENY)
Engineering - Read (ALLOW)
Marketing - Read (DENY)
What will Michael's effective permissions be to files on the TECHDOC share if he is attempting to access it from a workstation on the network?
A. Read
B. Full Control
C. Change (Read, Write, Execute and Delete)
D. No Access
ANSWER: D
EXPLANATION: The appropriate way to determine effective share level and NTFS level permissions is to follow three simple steps:
Step One. Calculate the effective share-level permission. The effective share-level permission will be the least restrictive permission of all of those assigned to a user or to groups that the user is a member of. The exception is the No Access permission which will override all other permissions.
Step Two. Calculate the effective NTFS permission. The effective NTFS permission will be the cumulative of all of the NTFS permissions assigned to the user and to groups that the user is a member of. The exception is if there are any Deny permissions assigned. Deny permissions will override Allow permissions.
Step Three. The effective overall permission will be the most restrictive of the effective share-level permission and the effective NTFS permission.
References: File and Folder Permissions, Windows Server 2003 Online Help.

25. Rooslan is the systems administrator for a medium-sized organization that has three office locations spread across the city. A single Windows 2003 functional level domain exists in the organization. Active Directory has been configured so that each location corresponds to a separate site in AD. Head office has the site name CENTRAL, the western office has the site name WESTOFF and the northern office the site name NORTHOFF. In total there are 540 users in the organization. 250 users are located at Head Office, 150 are located at the northern office and 140 are located at the western office. Head Office houses the Accounting, Senior Management and Sales teams. The northern office houses the Design and Research teams. The western office houses the Production and Implementation teams. Both the northern and western offices have small management teams as well.
At present the DOMAIN GPO has been set to assign an Enforced Password History of 5, a Maximum Password Age of 15 days, a Minimum Password Age of 2 days and a Minimum Password Length of 8 characters. One of the managers from the northern office has forwarded a proposal to the HR department to change the current login account security policies for members of the Design and Research teams. The proposal suggests that the Design and Research teams have an Enforced Password History of 3, a Maximum Password Age of 50 days, a Minimum Password Age of 0 days and a Minimum Password Length of 6 characters. HR has granted provisional approval to this request dependant on the feasibility of it being implemented without altering the login account security policy for other users in the domain. What should Rooslan report to HR? (select one) A. That the proposal can be implemented by modifying the default domain GPO with the following security settings applied: Enforced Password History of 3, a Maximum Password Age of 50 days, a Minimum Password Age of 0 days and a Minimum Password Length of 6 characters. All users from the Research and Design teams should be added to a new security group called PASSPOL. The security permission for the default domain GPO should be set to READ and APPLY GROUP POLICY for the PASSPOL group. No other groups should be assigned permissions to the default domain GPO. B. That the proposal can be implemented by creating a GPO named NORTHGPO with the following security settings applied: Enforced Password History of 3, a Maximum Password Age of 50 days, a Minimum Password Age of 0 days and a Minimum Password Length of 6 characters. All users from the Research and Design teams should be added to a new security group called PASSPOL. The NORTHGPO should be applied to the NORTHOFF site with the "No Override" option set. C. 
That this can not be done without creating a separate domain for the members of the Research and Design teams and having them log into that new domain from this time forward. Password policy settings are applied domain wide via Group Policy. Password policy settings that are applied at any other level (site, OU) are ignored by Active Directory even if the "No Override" option is set. D. That the proposal can be implemented by creating a GPO named NORTHGPO with the following security settings applied: Enforced Password History of 3, a Maximum Password Age of 50 days, a Minimum Password Age of 0 days and a Minimum Password Length of 6 characters. All users from the Research and Design team's accounts should be moved to a new an Organizational Unit called PASSPOL. The NORTHGPO should be applied to the PASSPOL OU with the "No Override" option set. E. That the proposal can be implemented by creating a GPO named NORTHGPO with the following security settings applied: Enforced Password History of 3, a Maximum Password Age of 50 days, a Minimum Password Age of 0 days and a Minimum Password Length of 6 characters. All users from the Research and Design teams should be added to a new security group called PASSPOL. The NORTHGPO should be applied to the DOMAIN. The security permission for the NORTHGPO should be set to READ and APPLY GROUP POLICY for the PASSPOL group. No other groups should be assigned permissions to the GPO. answer: cPassword policy settings are set domain wide. To set different password policies for different sets of users each set must have accounts in a separate domain. These domains can be child domains of the original as there is no policy inheritance from parent to child domains. If the default domain policy was edited as suggested in in one answer the original settings for other users would be wiped out. Reference: Windows Server 2003 Online Help. 26. 
It is fundamentally important for Systems Administrators of 2003 Server Networks to understand what does, and what does not, get backed up as part of the System State Data. Understanding this allows an administrator to better prepare in case things go wrong. On a Windows 2003 server that acts as a Domain Controller, an Intranet Server running IIS as well as Certificate Services, which of the following things will be backed up if the System State Data is backed up in Windows Backup?
A. SYSVOL directory
B. Paging file
C. Boot files, including the system files
D. COM+ Class Registration database
E. Certificate Services database
F. IIS Metadirectory
G. Active Directory directory service
H. User home directories
I. Registry
answer: A, C, D, E, F, G, I
Explanation: For Windows Server 2003 operating systems, the System State data comprises the registry, COM+ Class Registration database, system boot files, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data. If the server hosts IIS the IIS Metadirectory is backed up - and if it is part of a cluster, Cluster Service information is included.

27. Oksana is the Remote Access Administrator for an Australian company based in Tonga. The company outsources IT projects to Tongan programmers scattered across the islands and then sends the resulting code back to Melbourne head office for checking. She has recently received reports that some of the users' connections to the central server located in Nuku'alofa (the Tongan capital - I bet you did not know that) are too slow - and this is impacting on their ability to code productively. Unfortunately at this stage higher speed methods of Internet access such as DSL and cable modem are not available to the outer island users.
Oksana decides instead to send out additional modems to those users who remotely access the Nuku'alofa server so that they will be able to connect to the network using multiple modems simultaneously. What additional software configuration would Oksana need to make to her Windows Server 2003 Remote Access Server to upgrade it so that it can support bandwidth sharing over multiple modems?
A. Install the Routing Information Protocol Version II.
B. Configure Routing and Remote Access (RRAS) to support the Remote Authentication Dial-In User Service (RADIUS).
C. Enable dual callback.
D. Install the Routing Information Protocol Version II.
E. Enable multilink.
answer: e
Explanation: Windows Server 2003 remote access supports Multilink and the Bandwidth Allocation Protocol (BAP). With Multilink, multiple physical links appear as a single logical link over which data is sent and received. To enable the use of Multilink do the following:
1. Open Routing and Remote Access.
2. Right-click the server name for which you want to enable Multilink, and then click Properties.
3. On the PPP tab, select the Multilink connections check box.

28. TestCorp is a medium sized organization with several locations in suburban and rural areas. Active Directory has been configured with five different sites, each one corresponding to a separate company location. Users at the rural site named Waverley need to have their "My Documents" folder mapped to an individual user directory under the \\wavfiles\sharedoc\ shared folder. Users at the rural site named Morwell need to have their "My Documents" folder mapped to an individual user directory under the \\morfiles\sharedoc\ shared folder. At the present time, users at the Bendigo, Melbourne and Sydney sites do not need their "My Documents" folder redirected. Which of the following methods will correctly redirect the location of the My Documents folder for the sites in question? (select two)
A.
Create a GPO named WAVGPO and apply it to the Waverley site with the "No Override" option checked. Edit the GPO and navigate to the My Documents folder in the Folder Redirection node under the Windows Settings node in the User Configuration container. Select the properties of the My Documents folder and adjust the Setting value to BASIC and the Target Folder Location Properties to "Create a folder under the Root Path" and enter \\wavfiles\sharedoc in the root path location.
B. Create a group named MORUSERS and add all of the users located at the Morwell site to this group. Create a GPO named MORGPO and apply it to the MORUSERS group. Edit the GPO and navigate to the My Documents folder in the Folder Redirection node under the Windows Settings node in the User Configuration container. Select the properties of the My Documents folder and adjust the Setting value to BASIC and the Target Folder Location Properties to "Create a folder under the Root Path" and enter \\morfiles\sharedoc in the root path location.
C. Create a GPO named MORGPO and apply it to the Morwell site with the "No Override" option checked. Edit the GPO and navigate to the My Documents folder in the Folder Redirection node under the Windows Settings node in the User Configuration container. Select the properties of the My Documents folder and adjust the Setting value to BASIC and the Target Folder Location Properties to "Create a folder under the Root Path" and enter \\morfiles\sharedoc in the root path location.
D. Create a group named WAVUSERS and add all of the users located at the Waverley site to this group. Create a GPO named WAVGPO and apply it to the WAVUSERS group. Edit the GPO and navigate to the My Documents folder in the Folder Redirection node under the Windows Settings node in the User Configuration container.
Select the properties of the My Documents folder and adjust the Setting value to BASIC and the Target Folder Location Properties to "Create a folder under the Root Path" and enter \\wavfiles\sharedoc in the root path location.
E. Create a group named WAVUSERS and add all of the users located at the Waverley site to this group. Create a GPO named WAVGPO and apply it to the DOMAIN. Edit the GPO and navigate to the My Documents folder in the Folder Redirection node under the Windows Settings node in the User Configuration container. Select the properties of the My Documents folder and adjust the Setting value to ADVANCED. Add the group WAVUSERS and set the Target Folder Location Properties to "Create a folder under the Root Path" and enter \\morfiles\sharedoc in the root path location.
F. Create a group named MORUSERS and add all of the users located at the Morwell site to this group. Create a GPO named MORGPO and apply it to the DOMAIN. Edit the GPO and navigate to the My Documents folder in the Folder Redirection node under the Windows Settings node in the User Configuration container. Select the properties of the My Documents folder and adjust the Setting value to ADVANCED. Add the group MORUSERS and set the Target Folder Location Properties to "Create a folder under the Root Path" and enter \\wavfiles\sharedoc in the root path location.
answer: a, c
Explanation: There are several ways to go about this. Of the options presented only the two correct answers will achieve the goals.

29. Which of the following is the correct order in which Group Policies get applied?
A. Local > Site > Domain > Organizational Unit
B. Domain > Organizational Unit > Site
C. Organizational Unit > Domain > Site > Local
D. Local > Domain > Organizational Unit
E. Site > Domain > Organizational Unit > Local
answer: a, d
Explanation: The local Group Policy object is applied first.
Then site-linked Group Policy objects are applied in administratively specified order, then domain-linked ones in specified order, and lastly organizational unit-linked Group Policy objects beginning at the highest (in Active Directory hierarchy) organizational unit containing the user or computer account and ending with the lowest (closest to the user or computer) organizational unit containing the user or computer. At each organizational unit, any Group Policy objects linked to it are applied in administratively specified order.

30. You are informed by a colleague that it is a good idea to run the Disk Defragmenter Utility on your Windows Server 2003 system regularly. You haven't run this utility since you installed Windows Server 2003 over six months ago. You noticed a slowdown in system performance lately and decide to follow your colleague's recommendation. You launch the Disk Defragmenter Utility but are uncertain whether you will be able to defragment all of the drives on your computer. You are currently dual-booting between Windows Server 2003 and Windows 98. You have a mixture of FAT, FAT32 and NTFS partitions on your computer. Which of the following will be true when you attempt to defragment these partitions from Windows Server 2003?
A. You will be able to defragment only the FAT and the FAT32 partitions.
B. You will be able to defragment only the FAT32 and the NTFS partitions.
C. You will be able to defragment only the FAT and the NTFS partitions.
D. You will be able to defragment all of the partitions
E. You will be able to defragment only the NTFS partition(s).
F. You will be able to defragment only the FAT32 partition(s).
G. You will be able to defragment only the FAT partition(s).
answer: d
You will be able to defragment all of the partitions.
Explanation: The disk defragmenter utility works with all of the supported file systems in Windows 2000 (FAT, FAT32 and NTFS).

31.
You are preparing a report for your boss that compares the different file systems that can be used with Windows Server 2003. You have created the following table but are not certain that all of the entries are correct:

Feature: FAT / FAT32 / NTFS
Support for long filenames: NO / NO / YES
Support for disk compression: YES / NO / YES
Shared folder security: YES / YES / YES
NTFS security: NO / NO / YES
Support for disk quotas: NO / NO / YES
Support for EFS: NO / YES / YES

Which of the following rows in the table are at least partially incorrect? Choose all that apply.
A. The "NTFS security" row
B. The "Support for disk quotas" row
C. The "Support for EFS" row
D. The "Shared folder security" row
E. The "Support for long filenames" row
F. The "Support for disk compression" row
answer: c,e,f
Explanation: The FAT file system can not support long filenames, however FAT32 can. The FAT file system does not support disk compression. The FAT32 file system does not support EFS.

32. You are experiencing some network connectivity problems on your corporate LAN. Your company currently has its network divided into two subnets (PLATO and SOCRATES). The subnets are configured with the following information:

PLATO SUBNET (SUBNET1):
Network ID: 192.168.1.0
Subnet Mask: 255.255.255.0
Router Interface: 192.168.1.1

SOCRATES SUBNET (SUBNET2):
Network ID: 192.168.2.0
Subnet Mask: 255.255.255.0
Router Interface: 192.168.2.1

You have a Server named THOMASKUHN running Windows Server 2003 on Subnet Socrates with an IP address of 192.168.2.10 and a properly configured subnet mask and default gateway. Routing has been properly configured between the two subnets. Which of the following computers running Windows XP Professional will be able to properly communicate with THOMASKUHN? Choose all that apply.
A. Workstation5 on Subnet2 that is configured with an IP address of 192.168.2.143, a subnet mask of 255.255.255.0 and no default gateway
B.
Workstation4 on Subnet2 that is configured with an IP address of 192.168.2.17, a subnet mask of 255.255.0.0 and a default gateway of 192.168.2.1
C. Workstation1 on Subnet1 that is configured with an IP address of 192.168.2.14, a subnet mask of 255.255.255.0 and a default gateway of 192.168.1.1
D. Workstation2 on Subnet1 that is configured with an IP address of 192.168.1.101, a subnet mask of 255.255.255.0 and a default gateway of 192.168.1.1
E. Workstation3 on Subnet1 that is configured with an IP address of 192.168.1.255, a subnet mask of 255.255.255.0 and a default gateway of 192.168.1.1
answer: a,b,d
Explanation: In the above example, Workstation1 should have an IP address in the range 192.168.1.2 - 192.168.1.254. Because the IP address is incorrect, Workstation1 will not be able to communicate with THOMASKUHN. Workstation2 is properly configured and will be able to communicate with THOMASKUHN. Given the network ID, Workstation3 has an IP address that is used for broadcast messages. Therefore, Workstation3 will not be able to properly communicate with THOMASKUHN. Workstation4 does not have a proper subnet mask but still will be able to communicate with THOMASKUHN as it perceives (correctly) the computer to be on the same subnet as itself. So as an answer it is correct. However, communication problems will arise if Workstation4 attempts to communicate with computers on other subnets (like subnet plato) and therefore the subnet mask should be changed to 255.255.255.0. Workstation5 is properly configured and will be able to communicate with THOMASKUHN.

33. Which of the following can not be configured in the application pools on IIS in Windows Server 2003? (Select all that apply)
A. Shut down worker processes if they are idle for a specific amount of time.
B. Shut down worker processes if their CPU usage drops below a specified level.
C. Disable application pool if it suffers a specified number of failures in a specified number of minutes.
D.
Force worker process to recycle after a virtual memory limit is reached.
answer: b
Explanation: Application pools can not be configured to shut down worker processes if their CPU usage drops below a specified level. They can be configured to shut down worker processes if their CPU usage rises above a specified level.

34. Clamberto would like his assistant to be able to restore backups on a stand alone Windows Server 2003 system. Out of the groups listed below, which have the requisite permissions to restore backups on a stand alone Windows Server 2003 system? (select all that apply)
A. Users.
B. Backup Operators.
C. Print Operators.
D. Administrators.
E. Replicator.
F. Power Users.
answer: b,d
Explanation: Only Backup Operators and Administrators have the right to restore backups on a Windows Server 2003 system. Backups are sensitive as they can contain user data and system data (such as certificate databases). The number of people that should be allowed to restore backups should be limited, as someone who can restore a backup essentially has full access to all data on a Server system. Power Users do not have the right to restore backups.

35. When software is installed on a server, important system files can be overwritten by unsigned or incompatible versions if the person doing the installing has sufficient Administrator rights. This can lead to system instability or even to the point that the system is unable to be booted up. Windows Server 2003 has a feature called File System Verification. If you wish to set file signature verification options so that all users of a server are prevented from installing unsigned drivers in the future, which of the following tasks should you perform?
A. In System Properties in Control Panel, click Hardware, click Driver Signing and choose Ignore.
B. While logged on as a member of the Administrators group, run the following sfc.exe utility with the /scanonce switch.
C.
In System Properties in Control Panel, click Hardware, click Driver Signing and choose Warn.
D. In System Properties in Control Panel, click Hardware, click Driver Signing and choose Block. Also check the "Apply setting as system default" checkbox.
answer: d
Explanation: To prevent the future installation of unsigned drivers do the following:
1. Open System in Control Panel.
2. Click the Hardware tab, and then click Driver Signing.
3. Under File signature verification, click one of the following:
- Click Block to prevent an installation program from installing device drivers without a digital signature.
If you are logged on as an administrator or as a member of the Administrators group, click Apply setting as system default to apply the selected setting as the default for all users who log on to this computer. System File Checker (sfc.exe) is a command line utility that scans and verifies the versions of all protected system files after you restart your computer.

36. Clamberto works for an engineering firm which has workers that telecommute from all across rural Queensland. Because of the remoteness of many of the workers the best connection available is still a 56K analog modem hooked up to a phone line. Clamberto suggests to management that additional modems be purchased for these telecommuters as well as additional phone lines into their home offices. His suggestion is that they use multiple 56K analog modems to access the Windows Server 2003 Remote Access Server simultaneously. What configuration change must be made on the 2003 RRAS server to enable this scheme to work?
A. Install the Extensible Authentication Protocol (EAP).
B. Enable multilink.
C. Install the Bandwidth Allocation Protocol (BAP).
D. Enable dual callback.
E. Configure Routing and Remote Access (RRAS) to support the Remote Authentication Dial-In User Service (RADIUS).
answer: b
Explanation: Windows 2003 remote access supports Multilink and the Bandwidth Allocation Protocol (BAP).
With Multilink, multiple physical links appear as a single logical link over which data is sent and received. To enable Multilink:
1. Open Routing and Remote Access.
2. Right-click the server name for which you want to enable Multilink, and then click Properties.
3. On the PPP tab, select the Multilink connections check box.
References: http://www.microsoft.com/windows2000/en/server/help/, "To enable Multilink", "Multilink and BAP"

37. There are six files that have compression status as outlined in the table below hosted on a Windows Server 2003 DC named BLOGGER.
ALPHA.TXT = COMPRESSED
BETA.TXT = UNCOMPRESSED
GAMMA.TXT = UNCOMPRESSED
DELTA.TXT = UNCOMPRESSED
EPSILON.TXT = COMPRESSED
OMEGA.TXT = COMPRESSED
All of the files are located in a folder on the ROME volume called COMPTEST. Elsewhere on the ROME volume there are the following folders with the following compression stats:
ATLAS = COMPRESSED
AWESOME = UNCOMPRESSED
On the MILAN volume, formatted with NTFS, there are the following folders.
WARHAMMER = UNCOMPRESSED
RIFLEMAN = COMPRESSED
The following actions are performed: ALPHA.TXT is moved to WARHAMMER. BETA.TXT is copied to RIFLEMAN. GAMMA.TXT is moved to ATLAS. DELTA.TXT is copied to AWESOME. EPSILON.TXT is copied to WARHAMMER. OMEGA.TXT is moved to AWESOME. Which files will now be compressed after performing the actions listed above? Choose all that apply.
A. ALPHA.TXT
B. DELTA.TXT
C. GAMMA.TXT
D. EPSILON.TXT
E. OMEGA.TXT
F. BETA.TXT
answer: e,f
Explanation: If you move a file within the same drive it retains its compression status (e.g. a file that was compressed will remain compressed even if moved into an uncompressed folder). A file that is copied to another folder on the same drive will inherit the compression status of the folder it is copied into. If you either move or copy a file to a folder on a different NTFS drive, it will inherit the compression status of the folder that it is moved or copied to.

38.
You are attempting to determine what level of access Rooslan has to a particular folder that he is trying to access on one of the servers in your domain. Rooslan is a member of the Minerals and Extractions groups. The permissions for the folder are configured as follows:

Share Permissions:
Rooslan - Full Control (Allow)
Minerals - Read (Allow)
Extractions - Change (Allow)

NTFS Permissions (for the folder and all contents of the folder):
Rooslan - Read (Allow)
Minerals - Full Control (Allow)
Extractions - Full Control (Deny)

What will Rooslan's effective permission be to the folder?
A. Read
B. No Access
C. Change (Read, Write, Execute and Delete)
D. Full Control
answer: b
Explanation: First realise that Rooslan will not be accessing the server from the console. He is a normal user - not an administrator. You'd be amazed how many people forget that normal users CAN NOT log onto servers. The appropriate way to determine effective permissions to a resource is illustrated in the three steps below:
1. Determine the effective share-level permission. The effective share-level permission will be the least restrictive permission of all of those assigned to a user or to groups that the user is a member of. The exception is the No Access permission which will override all other permissions.
2. Determine the effective NTFS permission. The effective NTFS permission will be the cumulative of all of the NTFS permissions assigned to the user and to groups that the user is a member of. The exception is if there are any Deny permissions assigned. Deny permissions will override Allow permissions.
3. The effective overall permission will be the most restrictive of the effective share-level permission and the effective NTFS permission.
In the above question, the effective share-level permission would be Full Control for Rooslan. The effective NTFS permission for Rooslan would be No Access (Denying Full Control is the equivalent to giving No Access to a user).
The most restrictive of Full Control and No Access would be No Access which is Rooslan's effective permission to the resource.

39. Mohareb is the administrator of a large Windows 2003 domain that serves his company MoRayMe. MoRayMe has several branches spread throughout Egypt. Each branch office has its own Local Information Technology Expert (LITE) who is in charge of installing and configuring MoRayMe's Windows XP Professional client systems. Each of these LITEs has been granted the user right "Add Workstations to the Domain" via editing a GPO applied to the Domain Controllers OU. Clamberto, the LITE at the Asyut office, has left a voice mail message complaining that he has added 10 systems to the domain and he is now getting an error message when he attempts to add another computer to the domain. What should Mohareb do to allow Clamberto (and other LITEs) to add as many XP Pro systems to the domain as needed?
A. Increase the RID pool on all the domain controllers in the domain.
B. In addition to the Add Workstations to the Domain user right grant these users the Logon as a Batch File user right.
C. Grant these users the security privilege Create Computer Objects on the domain and remove the Add Workstation to the Domain user right.
D. Edit the Default Domain Policy GPO and grant these users the Add Workstations to the Domain right.
answer: c
Explanation: In Windows 2003 the Add Workstation to Domain right is limited by a per user quota; this quota is set by default to 10 computers. Once a user with only the right to add workstation to the domain has reached this limit they will no longer be able to add new computers to the domain. To grant users the ability to add unlimited numbers of computers to the domain you should give them the Create Computer Objects right in Active Directory. Once given this right they no longer require the Add Workstation to the Domain user right.
There is no limit set on these users as well.

40. Your manager has requested that all Windows Server 2003 systems that you are responsible for are set up so that when they are booted up the option to start the recovery console is presented. She also wants you to develop a backup plan to run recovery console in case your Windows Server 2003 Systems are damaged to the point where reaching this menu isn't possible, though without creating or using an ASR set. Which of the following represents the way to install recovery console so that it appears as an option when the server powers on, and which represents a way of running a recovery console at boot time independent of whether or not it is installed on the system?
A. From Control Panel, choose Add/Remove Programs, select Add/Remove Windows Components and check the box for Recovery Console. Restart the computer and choose the Recovery Console option from the boot selection menu.
B. Run the Recovery Console from your Windows Server 2003 installation media by choosing the Repair option.
C. Restart your server. When you see the message "Please select the operating system to start", press F8. Select Windows Server 2003 Recovery Console from the menu.
D. From the command prompt, run the reccom.exe utility.
E. Install the Recovery Console by running winnt32 /cmdcons on the server. Restart the server and choose the Recovery Console option from the boot selection menu.
answer: b, e
Explanation: The Windows 2003 Recovery Console is a command-line console that you can start from the Windows 2000 Setup program. Using the Recovery Console, you can start and stop services, format drives, read and write data on a local drive (including drives formatted to use NTFS), and perform many other administrative tasks.
You may find the Recovery Console useful if you need to repair your system by copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service that is preventing your computer from starting properly. You must be an administrator to use the Recovery Console. There are two ways to start the Recovery Console:
1. If you are unable to start your computer, you can run the Recovery Console from your Windows 2003 installation media (if you can boot your computer from your CD-ROM drive).
2. You can install the Recovery Console on your computer to make it available in case you are unable to restart Windows 2000. You can then select the Recovery Console option from the list of available operating systems.

41. Rooslan has configured the default domain policy with the following settings:
Minimum Password Age: 7 Days
Maximum Password Age: 21 Days
He creates a user account for Clamberto. He wants to set the options "User must change password at next logon" and "Password never expires". If he did this, which of the following would be correct?
A. When Clamberto logged in, he would not have to change his password. He would not have to change his password at any time in the future either.
B. When Clamberto logged in, he would not have to change his password. In 21 days however he'd be forced to change his password.
C. When Clamberto logged in, he'd be forced to change his password. After that Clamberto would not have to change his password again.
D. When Rooslan tries to do this he'll be forced to choose between forcing Clamberto to change his password at next login and setting Clamberto's password to never expire. Rooslan will not be able to do both.
E. When Clamberto logged in, he'd be forced to change his password. Clamberto will be forced to change his password again in 21 days.
answer: d
Explanation: Rooslan can not actually do this and will be stopped by the operating system.
If he chooses to force Clamberto to change his password at login, the default domain password policy will apply. If he chooses to have Clamberto's password not expire, Clamberto will not have to change his password.

42. Marty's company is running Windows Server 2003 on all 5 of its servers. One of the servers, Moharebia, has been configured with the following backup schedule:
Monday - Full Backup @ 1am
Tuesday - Incremental Backup @ 1am
Wednesday - Incremental Backup @ 1am
Thursday - Incremental Backup @ 1am
Friday - Incremental Backup @ 1am
Saturday - Incremental Backup @ 1am
Sunday - Incremental Backup @ 1am
Moharebia hosts several Web Applications which utilize the .NET Framework. The backups are written to tape. Tapes are couriered off site to a special location at 11:00am each morning during the week. On Thursday evening at 8pm Moharebia's hard drive fries itself completely and the server goes off line. Marty is paged and must drive by the special location to pick up the relevant tapes and a replacement hard disk drive. Which of the following tapes does Marty need to restore from to rebuild the server's data to the most current possible?
A. Friday
B. Wednesday
C. Saturday
D. Sunday
E. Tuesday
F. Monday
G. Thursday
answer: b,e, f, g
Explanation: You have five choices of backup types on a Windows 2003 system: Copy, Daily, Differential, Incremental and Normal. An incremental backup backs up only those files created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). A normal backup copies all selected files and marks each file as having been backed up (in other words, the archive attribute is cleared). If you are performing a combination of normal and incremental backups, restoring files and folders requires that you have the last normal as well as all of the incremental backups since the last normal backup. References: Windows Server 2003 Help, "Backups"

43.
In which of the following situations could you use Emergency Management Services via the serial port to administer a Windows Server 2003?
A. Recovery Console is running.
B. The network stack has malfunctioned or failed.
C. The server is suffering a Denial-Of-Service attack rendering the network driver unable to respond to requests.
D. The server is not fully initialized.
E. The server is non-functional due to a STOP error message.
answer: a,b,c,d,e
Explanation: In all of the above situations EMS is able to be used. EMS does give some different options to those available in Recovery Console - which is why you might choose this method of server management. Reference: Windows Server 2003 Help, "Out-Of-Band Management".

44. Clamberto is the remote access administrator in a company that has a Windows Server 2003 Domain. He has several users who use various client OS to connect to a Windows Server 2003 Remote Access Server to access Clamberto's corporate network. Most of the employees of Clamberto's company live far enough from the telephone exchange to make ADSL problematic. Cable Modem companies also don't service the particular area that they live in. The company budget has enough money to provide five employees two modems each. The idea is that if they dial in with multiple modems they will be able to aggregate their bandwidth to receive better connection speeds. The employees and systems are as follows:
Corey - Windows NT 3.51 Workstation.
Gary - Windows XP Professional.
Suresh - Windows 95.
Bob - Windows 98.
Bursley - Windows NT4 Workstation.
Which of the employees are running operating systems that support this bandwidth aggregation feature? Choose all that apply.
A. Suresh
B. Corey
C. Gary
D. Bursley
E. Bob
answer: c,d,e
Explanation: Windows NT 3.5x clients do not support Multilink functionality. Windows XP Professional clients support Multilink and can take advantage of dynamic allocation of multilinked lines.
Windows 95 clients do not support Multilink functionality. Although Windows 98 clients cannot take advantage of dynamic allocation of multilinked lines they do support Multilink. Although Windows NT 4.0 clients cannot take advantage of dynamic allocation of multilinked lines they do support Multilink. References: http://www.microsoft.com/windows2000/en/server/help , "Incoming connection clients"

45. Clamberto is the systems administrator of a Windows Server 2003 system that has 10 SCSI hard disk drives installed. These disks are labelled Disk 0 through to Disk 9. Disk 0 and Disk 3 form a mirrored pair and host the system/boot volumes. Disk 1, 4 and 5 form a striped volume. Disks 2, 6 and 9 form a RAID 5 volume. Disks 7 and 8 form a spanned volume. Which of the following statements is true?
A. The system will remain operational if Disks 2 and 3 fail.
B. The server must be rebooted if Disk 0 fails.
C. The server must be rebooted if Disk 6 fails to restore functionality to the RAID 5 volume.
D. All data on the spanned volume will be lost if Disk 0 fails.
E. The server must be rebooted if Disk 3 fails.
answer: a,b
Explanation: As Disks 2 and 3 are part of redundant volumes, the server will remain operational. Disk 0 is irrelevant to the spanned volume. If a disk in a RAID 5 volume fails the disk needs to be reactivated. This does not involve rebooting the server. If Disk 0 fails, as the primary in the Mirror the server will shut down anyway and need to be rebooted onto Disk 3. If Disk 3 fails the server will not need to be rebooted, but something must be done about the mirrored set.

46. Which of the following correctly describes how to move a website named PENTON to a new application pool named CERTTUTOR from the Default Application Pool?
A. Export the PENTON website from the Default Application pool and import it into the CERTTUTOR application pool.
B. From the Properties of the CERTTUTOR application pool, select the members tab and add the PENTON website.
C.
On the properties of the PENTON website select the Home Directory tab. Use the Application Pool dropdown to select the CERTTUTOR application pool. D. On the properties of the CERTTUTOR website select the Home Directory tab. Use the Application Pool dropdown to select the PENTON application pool. E. Drag the PENTON website from the Websites node of the IIS MMC to the CERTTUTOR application pool. answer: cExplanation: The application pool is determined from the Home Directory Tab of a Website's properties. Websites can not be dragged and dropped in the IIS MMC. Websites can not be added to an application pool by editing the application pool's properties. 47. Rooslan has been setting up a Windows Server 2003 functional level domain and is about to impliment a CA infrastructure. He not only wants to use certificates for accessing secure web servers, but to allow members of the domain to digitally sign email communication. He wants the digital certificates to be able to be mapped to domain accounts.Rooslan installs Certificate Services on one of his 5 Windows Server 2003 Domain Controllers and is confronted with the following screen:EXHIBITWhich of the following is the first Certificate Authority type that Rooslan should install in his organization.A. Domain Primary CAB. Enterprise Subordinate CA.C. Stand Alone Root CAD. Stand Alone Subordinate CA.E. Enterprise Root CA F. Domain Subordinate CA.G. Forest Subordinate CA.H. Forest Root CA answer: eExplanation: The first CA in an organization should be an Enterprise Root CA. You'd then install an Enterprise Subordinate CA and issue certificates off the subordinate.Reference:Windows 2003 Server Help, Certificate Services.48. Which of the following top level containers are new to Windows 2003's Active Directory? A. Program Data B. System C. NTDS Quotas D. Computers E. Builtin F. Domain Controllers G. Users H. LostandFound I. 
ForeignSecurityPrincipals answer: a,cExplanation: Windows 2003's Active Directory added two new default top level containers, NTDS Quotas and Program Data. NTDS Quotas stores quota objects. Quota objects restrict the number of objects a user can create in a partition or container. Program Data allows programs to store data in the directory without the need to create a specific new top-level container. 49. Mohareb has decided to enable secure communications for the Default Web Site onhis new Windows.NET 2003 Server. He goes to the Properties dialogue of thisWeb Site in the IIS MMC. He then selects the Directory Security tab and inthe Secure Communications area selects Server Certificate. See Exhibit.EXHIBIT
He then clicks "Next" and is asked which method he wants to use to assign a certificate to this web site. Of the following options, which are ones that will be offered to Mohareb in the next dialog?
A. Create a new certificate.
B. Import a certificate from a .pfx file.
C. Import a certificate from a key manager backup file.
D. Assign an existing certificate.
E. Copy or move a certificate from a remote server to this site
Answer: a,b,c,d,e
Explanation: All of these are valid options even though the wording, as some have suggested above, is rather ambiguous. The best way to demonstrate this is via an Exhibit - so look below and see for yourself.

50. Which of the following rules apply to converting Universal groups to Domain Local groups when a forest is running at the Windows Server 2003 functional level?
A. Universal groups cannot be converted to Domain Local groups if they contain Global groups.
B. Universal groups can be converted to Domain Local groups in all circumstances.
C. Universal groups cannot be converted to Domain Local groups if they contain other Universal groups.
D. Universal groups cannot be converted to Domain Local groups if they contain Domain Local groups.
Answer: b
Explanation: There are no restrictions on converting a Universal group to a Domain Local group.

51. Oksana has been running a packet sniffer on her network as part of her duties as Routing and Remote Access Administrator and has found that some users, when remotely accessing the network, are using cleartext rather than encrypted passwords. Oksana considers this to be a huge security risk. She decides that she wants to disable the use of any authentication protocols which might pass an unencrypted password across the network. Which of the following protocols should Oksana disable?
A. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
B. Password Authentication Protocol (PAP)
C. Challenge Handshake Authentication Protocol (CHAP)
D. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
E. Shiva Password Authentication Protocol (SPAP)
Answer: b
Explanation: Password Authentication Protocol (PAP) uses plaintext (unencrypted) passwords and is the least sophisticated authentication protocol. PAP is typically used if your connection and the server cannot negotiate a more secure form of validation. You may need to use this protocol if you are calling a server running an operating system other than Windows.

52. Clamberto has implemented a Windows 2003 functional level Domain. Currently Auditing is not enabled on the domain. One of Clamberto's users has lodged a complaint claiming that files on his XP workstation are being modified when he is at meetings or away from his desk. The user claims that he locks his workstation when he leaves his desk and that he logs off when he goes home at night. He is convinced that the workstation is being accessed via the LAN rather than via console. Clamberto agrees to audit the files on this XP workstation to determine the veracity of these claims, however he does not want to configure auditing for any of the other computers in the 2003 Domain. Which of the following things should Clamberto do?
A. Create a GPO and link it to the organizational unit where the user's account is located. Enable the setting to "Audit Object Access" for both Successes and Failures for this GPO.
B. Through the Local GPO, enable the setting to "Audit Object Access" for Failure.
C. Enable successful attempts to access the files that the user is concerned about through Windows Explorer.
D. Through the Local GPO, enable the setting to "Audit Object Access" for Success.
E. Through the Default Domain GPO, enable the setting to "Audit Object Access" for both Successes and Failures.
F. Enable failed attempts to access the files that the user is concerned about through Windows Explorer.
G. Create a GPO and link it to the organizational unit where the computer account that the user logs into is located. Enable the setting to "Audit Object Access" for both Successes and Failures for this GPO.
Answer: c,d
Explanation: Setting up auditing of files and folders is a two-step process. First, auditing must be set up through policies. If you had wanted auditing to apply to a group of computers you could have enabled auditing at the organizational unit level or at the domain level. However, in the above example it states that Clamberto only wants auditing to apply to this specific computer. In such a case, it would typically be best to apply auditing through the local GPO. Be aware though that the auditing policy may be overwritten by a different audit policy set at the domain or organizational unit level. Once the policy has been properly configured, you must also enable auditing of the specific folders and files you wish to track. This can be set up through Windows Explorer. Remember that there is no need to audit for failure as it is already assumed that the nefarious user has gained access.
References: Windows 2003 Online Help, "Audit policies, setting up file auditing"

53. Clamberto works at the Tonga Launch Facility of the New Zealand Space Agency. He has recently connected an A3 color printer to a Windows Server 2003 named FILEPRINT.TONGA.NZSA.GOV.NZ. The print queue name is colorA3. Both the Satellite Imaging (SI) sections and the Astrophysics department use this printer even though it was the Astrophysics department that purchased it. There have been some complaints from the Astrophysicists that the SI section users are sending huge hi-res pictures to the printer during the middle of the day and are stopping the Astrophysicists from printing the star charts that the printer was originally purchased to print.
Clamberto would like to configure the printer so that members of the Satellite Imaging section cannot print to it between 1pm and 5pm Monday through Friday. There are two members of staff though in the SI section that will be allowed to print regardless of the time of day as they work for the New Zealand Special Intelligence Service and need to be able to print satellite images as required. Currently all members of the Astrophysics department belong to the Astro group and all members of the SI section belong to the Satimage group. The printer has been installed and configured with the default permissions. Clamberto performs the following actions:
1. Changes the permissions on the original printer so that only the Astro group can print to the printer.
2. Creates a second printer named satA3. Configures the priority of satA3 at 1 for members of the SI Department who he would like to prevent from accessing the printer between 1 and 5 PM Monday through Friday.
3. Creates a third printer named satA3II. Alters the priority of this printer to 99 for the members of the SI group that are also in the Special Intelligence Service.
4. Configures the desktops of users so that members of the Astro group use the first printer (colorA3), members of the Satimage group use the second printer (satA3) and the spooks from Special Intelligence use the third printer (satA3II).
Which of the following objectives has Clamberto achieved? Choose all that apply.
A. Members of the SI section who are not also in the service of Special Intelligence do not have access to their printer between 10 AM and 2 PM Monday through Friday.
B. Members of the Astrophysics Department have access to their printer at all times.
C. Members of Special Intelligence in SI have access to their printer at all times.
D. All members of both the SI Section and the Astrophysics Department have access to a printer.
Answer: b,c,d
Explanation: By default all printers are configured to allow access to the printer at all hours during any day of the week. To restrict the time of day that a user can print to a printer, configure the schedule for the printer to only be available during certain hours. Setting priority for the printer does not prevent someone from using the printer during certain hours but rather allows users with higher priorities to print to the printer first.
References: Windows Server 2003 Help, "Print server administration best practices"

54. Oksana has configured the default domain policy with the following settings:
Minimum Password Age: 5 Days
Maximum Password Age: 14 Days
Mick has applied a GPO with the following settings to the ENGINEERS OU.
Minimum Password Age: 10 Days
Maximum Password Age: 20 Days
Foley has applied a GPO with the following settings to the Waverley site.
Minimum Password Age: 8 Days
Maximum Password Age: 12 Days
Oksana creates a new user named Rooslan. Rooslan's user account is a member of the ENGINEERS OU. Rooslan is located at the Waverley site. Oksana sets Rooslan's password to never expire. Rooslan does not have to change his password at next logon. Today is Wednesday the 1st of October and Rooslan logs onto the network for the first time at 3pm in the afternoon. Which of the following statements are true?
A. Rooslan will not be forced to change his password.
B. Rooslan will be forced to change his password on Monday the 13th of October.
C. Rooslan will be forced to change his password on Wednesday the 15th of October.
D. Rooslan will be forced to change his password on Tuesday the 21st of October.
Answer: a
Explanation: Setting the password to never expire overrides Group Policy. Password policy only applies at the domain level, so password policies set at the SITE and OU level are irrelevant.

55. You are running a POP3/SMTP service on a Windows Server 2003 in a 2003 AD-Integrated Domain nzsa.gov.nz.
You are concerned that this new server might act as an "open-relay" and hence would be a target for spammers to dump loads of unwanted email across the internet. Which of the following represents the best way to limit mail relaying only to your specific domain nzsa.gov.nz?
A. Run the POP3 Applet. Select Properties of the nzsa.gov.nz domain and check "allow relay".
B. 2003's POP3/SMTP service automatically locks down if authentication is set to AD integrated. Make sure that the .NET server is set to AD-Integrated authentication.
C. By default, 2003's POP3/SMTP service does not relay mail other than to the specific domains it is configured to receive. As nzsa.gov.nz is such a domain - no changes are necessary.
D. Run the POP3 Applet. Select Properties of the nzsa.gov.nz domain and enter nzsa.gov.nz into the "relay to" box.
E. Run the IIS Applet. Select the properties of the Default Virtual SMTP Server. Click on Access and then on the Relay Button. Select "Don't Relay Mail".
Answer: c
Explanation: By default 2003 server's POP3/SMTP service is not an open relay so unless something has been done to deliberately modify it - it will not relay mail to domains other than those it normally accepts email for.
Reference: Windows 2003 Server Help, "Mail Relay".

56. Clamberto would like to deploy Windows XP Professional to 48 computers on his company's Windows Server 2003 network. He has written a proposal to his manager that this be done via RIS. Which of the following facts, if true, would prevent Clamberto from using RIS to install Windows XP Professional on these systems?
A. Active Directory has not been deployed in Clamberto's organization.
B. None of the systems have a PXE-based remote boot ROM network card.
C. There is only one DHCP server that is able to distribute IP addresses to these clients.
D. All of the client workstations must be configured with three NTFS partitions during the remote installation.
E. All of the computers are laptops which use PCMCIA network cards.
Answer: a,d,e
Explanation: The following are requirements of Remote Installation Services:
- Active Directory is deployed
- Servers running DNS and DHCP are present on the network
Although computers with PXE-based remote boot ROM network cards are supported for RIS, it is not an absolute requirement that a computer have one of these cards. If a network card is on the list of supported adapters you can create a RIS client boot disk using the rbfg.exe utility. RIS installations are not supported for PCMCIA ethernet cards. Multiple partitions cannot be created under RIS.
References: http://www.microsoft.com/windows2000/library/planning/management/remoteos.asp

57. You have installed the POP3 service on a Windows.NET Domain Controller at the offices of BischkeCorp. You are currently configuring the authentication methods that people in the office will use to connect to the server to retrieve their mail. In this situation - what are the possible authentication methods available for use for mail-retrieval?
A. Plaintext Password File.
B. Active Directory Integrated.
C. Mailbox Specific Password.
D. Local Windows Accounts.
E. Encrypted Password File.
Answer: b,d,e
Explanation: In this case the .NET server is in an AD domain - so AD Integrated is available as well as Local Windows and Encrypted Password. If the .NET Server was a stand alone member server, AD Integrated would not be available.
Reference: Windows.NET Server Help, POP3 Service.

58. The New Zealand Space Agency's (NZSA) Tonga launch facility has five Windows XP Professional computers and one Windows Server 2003 system that are used for diagnostics on certain payloads, such as espionage satellites, that require higher security. The Director of the NZSA has asked that IPSEC be instituted on these laptops and on the server. Enrious configures all of the laptops and the server's local GPOs with an IPSEC policy of Client (Respond Only). The original Windows 2003 Domain GPO has not been altered since installation.
A week later he configures a separate packet sniffer and finds that data transferred between the laptops and the server is not encrypted and that packets can be captured and read. Which of the following is the best explanation for this behavior?
A. NTFS permissions will always override IPSec policy settings. If the user receiving the data has NTFS permission of Read or greater, the data will not be sent in an encrypted format.
B. The Client (Respond Policy) does not secure data unless the destination computer requests it. Therefore data sent from a machine with the IPSec policy of Client (Respond Policy) is not guaranteed to be encrypted.
C. The local policy on the XP systems and the server is being overwritten by the domain policy. Domain policy will always override any conflicting settings at the local level. The default domain policy for IPSec at the Domain level denies use of IPSEC.
D. IPSec will encrypt data on the local hard drive but will not encrypt data that is sent over the network. In order to encrypt data sent over the network you must use Encrypting File System to first encrypt the data.
Answer: b
Explanation: Activating the Client (Respond Only) IPSec policy will not secure traffic unless the destination computer requests it. The default Windows 2003 Domain policy for IPSEC is that no policy is applied - hence the local GPOs are not being overwritten in this case. As both server and workstations are set only to respond - neither party is requesting that encryption should be used (but would respond appropriately if such an event occurred). Enrious should change the setting on the server's Local GPO to either "Secure Server (Require Security)" or "Server (Request Security)".

59. You have a mix of clients on your company's Windows 2003 network including Windows 98, Windows Me and Windows XP Professional. In the past you have used system policies to configure and restrict the desktop settings of your users.
While deploying Windows XP Professional, you discover Group Policies and decide to use them to configure and restrict the Windows XP desktops. You run the gpedit.msc utility on each of the computers running Windows XP Professional and configure Group Policies from that utility. You configure them to hide certain items on the Desktop and Start Menu. You log out and then log back in. When you log back in these items are still present on the desktop and start menu. What is the most likely reason for this discrepancy?
A. You did not use an mmc console to configure Group Policies. The proper console to run would be gpedit.mmc.
B. You have not rebooted the computers. Policies are only applied once computers are rebooted.
C. There is a system policy configured for these workstations which is overriding the Group Policy that you configured.
D. The person using the computer does not have the appropriate permission to the policy file. Make sure that the user has at least read permission to the ntconfig.pol file.
E. Another administrator configured a policy for the domain or for an organizational unit that is overriding the policy that you configured.
F. You have not refreshed Group Policies on the local computer. You must do this using the secedit utility.
Answer: e
Explanation: The local Group Policy object is applied first. Then site-linked Group Policy objects are applied in administratively specified order, then domain-linked ones in specified order, and lastly organizational unit-linked Group Policy objects beginning at the highest (in Active Directory hierarchy) organizational unit containing the user or computer account and ending with the lowest (closest to the user or computer) organizational unit containing the user or computer. At each organizational unit, any Group Policy objects linked to it are applied in administratively specified order.
Therefore, if there are policies present that are linked to a domain or organizational units that the user is a member of, then those policies will override any local policy if there are conflicting settings.
References: http://www.microsoft.com/windows2000/library/resources/reskit/samplechapters/dsec/dsec_pol_zbgy.asp

60. Enrious uses the Offline Files features of Windows Server 2003 to continue to work with network files and programs when he has taken his XP laptop home for the day. To control when his offline files are synchronized with those on the Windows 2003 Servers on his network, he uses Synchronization Manager. Synchronization Manager can be used to regulate if and how automatic synchronization occurs. Which of the following situations can synchronization manager be configured for? Choose all that apply.
A. When a user logs off from a computer
B. When CPU utilization falls below 10%
C. When a user logs on to the computer.
D. When a computer is idle.
E. When a user has made more than a specified number of changes to an offline file.
Answer: a,c,d
Explanation: You can have Synchronization Manager automatically synchronize the information that is available to you offline in a number of ways:
- Every time you log on or off your computer, or both.
- At specific intervals while your computer is idle.
- At scheduled times.
Combinations of these options can be used and different options can be used for offline files from different shared sources.

61. Rooslan opens Active Directory Users and Computers and, holding down the key selects the user accounts of Oksana, Kasia, Shan and Orin. From the action menu he then selects Properties. Which of the following properties can Rooslan not configure at one time for all of these accounts?
A. User must change password at next logon.
B. Reset Password
C. Computer Restrictions.
D. Logon Hours.
E. Account Expiry Date.
Answer: b
Explanation: The passwords of multiple users cannot be reset via the Properties on Multiple Object dialog. Passwords of multiple users must be reset manually. All of the other properties can be configured for multiple users - a big improvement over Windows 2000 where each had to be configured manually.

62. Clamberto has configured volume shadow copies on a volume that hosts a file share in his Windows Server 2003 domain. There are 5 files which are edited once a day, every day, by staff in Clamberto's organization. The staff wish to use the functionality of volume shadow copy to compare different versions of these files at different points in time. Which versions of these five files will be available from Volume Shadow Copy Services? (select all that apply)
A. The version of the files that existed 100 days ago.
B. The version of the files that existed 60 days ago.
C. The version of the files that existed 20 days ago.
D. The version of the files that existed 10 days ago.
E. The version of the files that existed 40 days ago.
F. The version of the files that existed 80 days ago.
Answer: b,c,d,e
Explanation: Volume Shadow Copy Services store the last 64 versions of a file. Once the limit of 64 is reached, the oldest version is deleted to make way for the newer version. As these files had only been changed once a day, one day is equivalent to one version. Hence the version 60 days old will be available but the version 80 days old will not.
Reference: Windows Server 2003 Online Help, Determining Storage Options for shadow copies.

63. Clamberto has recently deployed a tourism information application to seven thousand Windows XP Professional systems in his corporation via Active Directory. The developers who put together the tourism information application have recently released an update patch that closes several large security vulnerabilities. Clamberto would like to patch all of the seven thousand systems to which the application was deployed.
Which of the following techniques presents the best way for him to accomplish this goal?
A. Clamberto should replace the .msi file on the network server with a .msp file. He should then restart the Windows Installer service on all of the clients.
B. Clamberto should replace the .msi file on the network server with a .mst file. He should then restart the Windows Installer service on all of the clients.
C. Clamberto should replace the .msi file on the network server with a new .msi file. He should then restart the Windows Installer service on all of the clients.
D. Clamberto should use the msiexec command to specify the location of a .msp file. He should then redeploy the application through Group Policies.
E. Clamberto should use the msiexec command to specify the location of a .mst file. He should then redeploy the application through Group Policies.
Answer: d
Explanation: Network software shares (or "flats") are updated by running the following command. This command updates the software with Microsoft Software Installer (MSI):
msiexec /a path to .msi file in network image /p path to .msp file
This command replaces the necessary files on the network share and updates the .msi file for proper installation using the new components. After you run this command, the program should be redeployed in Active Directory to allow clients to receive the updates.
References: Windows Server 2003 Online Help - MSIEXEC

64. Rooslan has four different universal distribution groups that he wishes to change to domain global security groups in the VOLGOGRAD domain. The first Universal group is made up solely of user accounts from different domains within the forest. The second is made up of three other universal groups. The third is made up of two universal groups and two global groups that are members of the VOLGOGRAD domain. The fourth is made up of fifteen global groups that are all members of the VOLGOGRAD domain.
Which of these groups will Rooslan be able to successfully convert?
A. None of these groups can be converted.
B. The third group can be converted.
C. The fourth group can be converted.
D. The first group can be converted.
E. The second group can be converted.
Answer: c
Explanation: Remember that Global groups can include accounts and Global groups from the same domain. So any converted Universal group must adhere to this rule. The first group is out because accounts are from different domains. The second is out because it contains universal groups. The third is out because of the universal groups. The only group that can be successfully converted is the fourth as all are members of the VOLGOGRAD domain. Once this conversion is done, converting from distribution to security is relatively simple.

65. Windows XP Professional clients have the ability to access DFS trees on a Windows Server 2003 network. What difference, if any, is there in the way in which security permissions are applied in DFS as opposed to shared folder and NTFS permissions?
A. Shared folder and NTFS permissions override any DFS permissions.
B. Shared folder and NTFS permissions are not affected by DFS.
C. The effective permission is the most restrictive of the DFS, NTFS and shared folder permissions.
D. DFS permissions override any shared folder or NTFS permissions.
Answer: b
Explanation: There is no such thing as "DFS permissions". Rather when a user attempts to access a DFS link, normal NTFS and shared folder permissions apply. Although NTFS is not required on a volume that contains a DFS link, it is highly recommended due to the ability to assign individual file permissions.
References: Windows Server 2003 Online Help, "DFS, security"

66. Clamberto wants to use the HTML Remote Administration tools to accomplish the following tasks on a Windows Server 2003 system that has the DNS and DHCP services installed:
Task 1: View the contents of the System Log via Web Browser.
Task 2: View the contents of the Security Log via Web Browser.
Task 3: View the contents of the Application Log via Web Browser.
Task 4: Shut down the server.
Task 5: Schedule a shutdown and reboot to occur 5 hours from now.
Task 6: Add an AD-Integrated DNS Zone to the DNS server.
Task 7: Set up a new DHCP scope for the DHCP server.
How many of the above tasks can be achieved directly using Windows Server 2003's HTML Remote Administration tools via non Microsoft operating systems like Linux or Mac OSX?
A. Four of these tasks can be accomplished using the HTML Remote Administration tools.
B. Three of these tasks can be accomplished using the HTML Remote Administration tools.
C. Two of these tasks can be accomplished using the HTML Remote Administration tools.
D. One of these tasks can be accomplished using the HTML Remote Administration tools.
E. Five of these tasks can be accomplished using the HTML Remote Administration tools.
F. All of these tasks can be accomplished using the HTML Remote Administration tools.
G. None of these tasks can be accomplished using the HTML Remote Administration tools.
H. Six of these tasks can be accomplished using the HTML Remote Administration tools.
Answer: e
Explanation: Of the tasks listed the first five can be completed via Windows Server 2003's HTML Remote Administration tools without starting the Terminal Services applet. The Terminal Services applet will only work on Microsoft OS using later versions of the Internet Explorer browser. The applet allows IE to act like a terminal services window, giving you unfettered access to the Windows Server 2003 console.
Reference: Windows Server 2003 Online Help, Remote Administration Tools, Using Web Interface for Remote Administration.

67. Clamberto is investigating Windows Server 2003's web based printing functions for possible inclusion on his company's network. There are some sites that are not connected directly via WAN links and are connected via the Internet. Clamberto believes that there will be distinct advantages in being able to remotely manage and connect to printers via Internet Explorer. He is writing a report on this and wants to list the protocols that are used in this Windows Server 2003 function. Which of the following protocols should he include?
A. IPP
B. POP
C. RADIUS
D. HTMP
E. TLS-EAP
F. ICGMP
G. HTTP
Answer: a,g
Explanation: Internet Printing Protocol (IPP) is a low level protocol that uses HTTP as a carrier. The way that a printer is installed depends on whether or not the printer is on the same intranet as the host attempting to install it. If they are on the same intranet, then RPCs are used to install the printer and communicate during normal operations. If they are not on the same intranet - HTTP carries the information (sending a CAB file with all the relevant settings when installation is initiated).

68. You have finished configuring a network for a small office. The office has 12 computers. 11 systems are running Windows XP Professional and one system is running Windows Server 2003. One of the XP systems has been configured with two network adapters. One of these is connected to a high speed internet connection, the other is connected to the office switch. The IP address of the external connection is 128.250.213.227. The IP address of the internal connection is 192.168.10.1. All other systems in the office are connected via UTP cable to this switch. Internet Connection Sharing and Internet Connection Firewall have been activated on the external connection. All internal systems are able to access the internet via this method.
The company would like to host a website using Internet Information Services built into Windows Server 2003. The IP address of the 2003 Server is 192.168.10.22. The site is currently hosted on port 80. What should you do to allow external access to the website hosted on the 2003 system? A. On the internal adapter go to the settings for Internet Connection Sharing, select the settings tab and check the Web Server (HTTP) checkbox. Then click edit and add 192.168.10.22 and port 80 to the properties of the Web server service. B. On the external adapter go to the settings for Internet Connection Sharing, select the settings tab and check the Web Server (HTTP) checkbox. Then click edit and add 192.168.10.22 and port 80 to the properties of the Web server service. C. Remove Internet Connection Sharing and install Network Address Translation (NAT) instead. Internet Connection Sharing cannot provide external access to internal services. D. Configure a Demand-Dial Routing Interface using Routing and Remote Access on the Windows 2003 Server. Any attempts to access the internal website will activate a static route allowing connections to be established. E. Create a static route on the machine hosting Internet Connection Sharing. Specify the internal IP address of the machine hosting the website. F. None of the proposed solutions will work. G. This cannot be done. The internal machines will have private IP addresses assigned. These IP addresses are not routable on the Internet and therefore cannot provide external access to internal resources. answer: bExplanation: Windows XP and Windows Server 2003 Internet Connection Sharing have several pre-defined services that can be edited to pass traffic through the firewall if given an internal IP address and port number. This has to be done on the external adapter rather than the internal adapter. No extra firewall configuration is necessary. Windows XP and Windows Server 2003 Help, Internet Connection Sharing Settings. 69. 
When you first boot into Windows 2003 Server you are asked to define what roles the server will fulfill by "Adding Roles" in the "Manage Your Server" dialogue. (This dialogue can also be found in the Administrative Tools menu.) Which of the following do not represent valid "roles" that you can add to a Windows 2003 Standard Edition Server via the "Manage Your Server" dialogue?
A. Streaming media server role.
B. Domain controller (Active Directory) role.
C. File server role.
D. WINS server role.
E. Mail server (POP3) role.
F. Network Time Server role.
G. Print server role.
Answer: f
Explanation: Network Time Server does not exist as a pre-configured role. Roles are a simplified way of setting up a 2003 server to perform specific tasks, such as acting as a DNS, DHCP or POP3 server. You can find out more about pre-configured roles by looking at the Windows 2003 server Help File under "Read About Server Roles". Unfortunately there is no TechNet article yet!

70. Paul is the administrator of several file servers in a medium-sized organization. Paul has been tasked with making sure that the access permissions for the company policy documents maintained by the HR department are set up correctly. Furthermore, Paul must ensure that no more than 100 connections are made to the share hosting the company policy documents at any one time so that compliance is maintained with the organization's current level of licensing. The name of the file share used to publish the company policy documents is POLDOC. The permissions on the company policy documents should be configured so that all users except those in the HR department have read access. Users in the HR department are expected to modify the company policy documents from time to time and therefore need full control permissions to these documents. All members of the HR department's accounts are stored in the HR OU. The other OUs that contain user accounts in the organization are the ENGINEER OU, MANAGER OU and the ACCOUNTS OU.
All members of the HR department are also members of the HUMRES group. All members of the organization are members of the EMPLOYEES group. Which of the following steps could Paul take to meet his goal? (select four)
A. In the share permissions for the POLDOC share ensure that the EVERYONE OU has READ permission and that the HR OU has FULL CONTROL permission.
B. Assign the HUMRES group full control NTFS permission to the folder on the server that hosts the POLDOC share and ensure that this permission applies to all child objects of this folder.
C. In the properties tab of the folder that hosts the POLDOC share ensure that the NTFS permission of "maximum users allowed access to this folder" is set to 100.
D. In the share permissions for the POLDOC share ensure that the EVERYONE group has READ permission and that the HUMRES group has FULL CONTROL permission.
E. In the sharing tab of the folder that hosts the POLDOC share ensure that the radio button for "allow this number of users" is checked and the figure of 100 is the setting applied.
F. Assign the EMPLOYEES group READ NTFS permission to the folder on the server that hosts the POLDOC share and ensure that this permission applies to all child objects of this folder.
G. Assign the ENGINEER, MANAGER and ACCOUNT OUs read NTFS permission to the folder on the server that hosts the POLDOC share as well as all subfolders.
H. Assign the HR OU full control NTFS permission to the folder on the server that hosts the POLDOC share as well as all subfolders.
Answer: b,d,e,f
Explanation: The first principle is that file, folder and share permissions are assigned to users and groups, not to Organizational Units. The next is to understand how effective permissions are calculated. The appropriate way to determine effective share-level and NTFS-level permissions is to follow three simple steps:
Step One. Calculate the effective share-level permission.
The effective share-level permission will be the least restrictive permission of all of those assigned to a user or to groups that the user is a member of. The exception is the No Access permission, which will override all other permissions.
Step Two. Calculate the effective NTFS permission. The effective NTFS permission will be the cumulative total of all of the NTFS permissions assigned to the user and to groups that the user is a member of. The exception is if there are any Deny permissions assigned. Deny permissions will override Allow permissions.
Step Three. The effective overall permission will be the most restrictive of the effective share-level permission and the effective NTFS permission.
In this question permissions are doubly set, with the NTFS permissions mirroring the share-level permissions. The other aspect to this question is making sure that the number of people using the share at any one time is limited to 100. This is done via the sharing tab and cannot be achieved by setting an NTFS permission.
References: Windows Server 2003 Online Help.

71. Your manager has recently commissioned an outside consultancy to perform a security audit on your Windows 2003 Server Network. One of the findings of the audit was that a sizeable percentage of the users on the network are using authentication protocols that do not support encrypted passwords when they are remotely accessing the corporate LAN. You are shown several printouts of captured packets which clearly display the clear-text passwords being transmitted as these users attempt to authenticate. The consultants recommend that all authentication protocols which may allow the passing of unencrypted passwords be disabled. Which of the following authentication protocols should be allowed to stay in use?
A. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
B. Challenge Handshake Authentication Protocol (CHAP)
C. Shiva Password Authentication Protocol (SPAP)
D.
Password Authentication Protocol (PAP)
E. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Answer: a,b,c,e
Explanation: Password Authentication Protocol (PAP) uses plaintext (unencrypted) passwords and is the least sophisticated authentication protocol. PAP is typically used if your connection and the server cannot negotiate a more secure form of validation. You may need to use this protocol if you are calling a server running an operating system other than Windows or from a client OS that has less sophisticated authentication methods (for example an early model Palm Pilot). PAP is disabled by default as an authentication protocol on Windows Server 2003. This question asks the negative. As the other protocols do support the passing of encrypted passwords they should be allowed to stand.
References: Windows Server 2003 Online Help, "Password Authentication Protocol (PAP)"

72. Rooslan gets a call from Yuri who tells him that whilst working on their Windows 2003 Domain, Yuri has accidentally deleted the CYBERDECK OU. Rooslan wants to recover this OU as quickly as possible. He checks the documentation and verifies that the System State Data was backed up on all of the 2003 DCs the previous evening. To recover the OU he selects a DC at random and restores the System State Data from the prior evening's backup. He then checks the Active Directory Users and Computers MMC and sees the CYBERDECK OU there. Rooslan waits for an hour and then logs into another DC via Terminal Services and opens the Active Directory Users and Computers MMC. The CYBERDECK OU is not present. He logs into the DC he restored the MMC on and checks the same MMC; again the CYBERDECK OU has disappeared even though it was present an hour before. Why did this occur and what can Rooslan do to permanently recover the CYBERDECK OU?
A. Rooslan did not attempt to do an authoritative restore.
He should do a restore of the System State Data and specify an authoritative restore using the NTDSUtil utility.
B. Rooslan was not logged in as a member of the Enterprise Administrators group when attempting to perform the restore of the System State Data. He should log in as a member of the Enterprise Administrators group and perform the restore.
C. Rooslan has attempted to do a restore within a period of time that was less than the Tombstone Interval of the objects that were deleted. He should manually change the length of the Tombstone Interval from the default of 60 days to one day and repeat the restore of the System State Data.
D. Rooslan did not restore the System State Data from the domain controller holding the Operations Master role of PDC Emulator. He should perform a System State Data restore on the PDC Emulator.
Answer: a
Explanation: In Backup, distributed services such as the Active Directory directory service are contained in a collection known as the System State data. When you back up the System State data on a domain controller, you are backing up all Active Directory data that exists on that server (along with other system components such as the SYSVOL directory and the registry). In order to restore these distributed services to that server, you must restore the System State data. However, if you have more than one domain controller in your organization, and your Active Directory is replicated to any of these other servers, you will need to perform what is called an authoritative restore in order to ensure that your restored data gets replicated to all of your servers. To authoritatively restore Active Directory data, you need to run the Ntdsutil utility after you have restored the System State data but before you restart the server. The Ntdsutil utility lets you mark Active Directory objects for authoritative restore.
When an object is marked for authoritative restore its update sequence number is changed so that it is higher than any other update sequence number in the Active Directory replication system. This will ensure that any replicated or distributed data that you restore is properly replicated or distributed throughout your organization.
References: Windows Server 2003 Help, "Authoritative restore"

73. Mohareb has decided to enable secure communications for the Default Web Site on his new Windows 2003 Server. This server is the first at Mohareb's company and also serves as a Domain Controller. At present there is no CA infrastructure at Mohareb's organization. Mohareb logs onto the console of this server with an account that has Administrative privileges. He goes to the Properties dialogue of this Web Site in the IIS MMC. He then selects the Directory Security tab and in the Secure Communications area selects Server Certificate. He then clicks "Next" and is asked which method he wants to use to assign a certificate to this web site. He selects "Create A New Certificate" (see exhibit).
EXHIBIT
He leaves all of the defaults in place, only entering his Country, State and City in the required dialog boxes. Which of the following will have happened once this Wizard has executed?
A. A file, c:\certreq.txt, will be created. This file can be emailed to Mohareb's company's Certification Authority and they can respond by sending him a certificate that can be attached to the Default Web Site at a later date.
B. None of the above.
C. A new 512 bit SSL certificate will have been created. Mohareb needs to run this wizard again so that he can attach this newly created certificate to the Default Web Site.
D. A new 1024 bit SSL certificate will have been created and secured to the Default Web site on Mohareb's Server. Mohareb needs to go back and edit the web site properties and ensure that Anonymous access is disabled so that all future communication will be encrypted around this certificate.
E. A new 4096 bit SSL certificate will have been created and applied to the Default Web site on Mohareb's Server. All future communication to the website will be encrypted around this certificate.
Answer: a
Explanation: The key to this question is realizing that Mohareb's organization at present does not have its own CA infrastructure, hence certificates are going to have to be generated elsewhere and then applied to the website to ensure secure communications.
Reference: Windows 2003 server Online Help, Certificate Services.

74. Beradio manages several stand-alone Windows Server 2003 systems that are not members of a 2000 or a 2003 domain. Beradio wants to streamline these servers' update process. Instead of contacting Microsoft's update servers, Beradio wants them to contact another server, updates.beradio.net, located on the same LAN, and download a list of approved updates from it. updates.beradio.net has been configured with SUS. What configuration process needs to be carried out on the Windows Server 2003 systems?
A. Beradio needs to navigate to the System control panel.
From the Automatic Updates Tab he needs to set the Update Server to updates.beradio.net
B. Beradio needs to navigate to the Automatic Updates control panel and set the Update Server to updates.beradio.net
C. Beradio needs to edit the site GPO and alter the WINDOWS UPDATE section in the COMPUTER CONFIGURATION | ADMINISTRATIVE TEMPLATES | WINDOWS COMPONENTS and set the SPECIFY INTRANET MICROSOFT UPDATE SERVICE LOCATION policy to point to updates.beradio.net
D. Beradio needs to edit the Local GPO and alter the WINDOWS UPDATE section in the COMPUTER CONFIGURATION | ADMINISTRATIVE TEMPLATES | WINDOWS COMPONENTS and set the SPECIFY INTRANET MICROSOFT UPDATE SERVICE LOCATION policy to point to updates.beradio.net
E. The automatic update server cannot be changed on a Windows Server 2003 system from the Microsoft update servers.
Answer: d
Explanation: As these are stand-alone Windows Server 2003 systems, making a GPO for the site in AD will have no effect on them, as they are not part of the domain. The update server location cannot be modified from the System control panel and there is no Automatic Updates control panel.
Reference: http://www.microsoft.com/mspress/books/sampchap/5867a.asp

75. You are investigating different methods of achieving fault tolerance on your new set of Windows 2003 Member servers. You know that Windows 2003 supports several methods of fault tolerance including parity striped intermittently across multiple physical disks, more commonly known as Software RAID-5. Which of the following are requirements of a Software RAID-5 volume on Windows Server 2003?
A. All of the disks to be used in the Software RAID-5 volume must be formatted with the NTFS file system.
B. Before the Software RAID-5 volume is set up, the RAIDCHECK utility must be run so that the disk speeds can be synchronized with the operating system.
C. All of the disks in the Software RAID-5 volume must be configured as dynamic disks.
D.
The computer must be running Windows Server 2003, Windows Advanced Server 2003 or Windows Datacenter Server 2003. Software RAID-5 cannot be used out of the box on Windows XP.
E. You must have three or more physical Hard Disk Drives to create a Software RAID-5 volume.
Answer: c,d,e
Explanation: Windows Server 2003 Software RAID-5 volumes:
- Support FAT and NTFS.
- Require a minimum of 3 hard disks.
- Cannot be created on computers running Windows XP.
- Require dynamic disks.
References: Windows Server 2003 Online Help

76. The chairman of the New Zealand Space Agency has forwarded you the organization's new policy on the use of Encrypted Files. Because of some problems that have been experienced with users incorrectly using encrypted files, it has become agency policy that EFS is not to be used on any workstations within the agency's domain. You have been instructed to disable EFS on all Windows XP Professional workstations in the agency's domain. At the moment no policy has been specified and the Windows 2003 default domain policies apply. Only the Default Domain Policy GPO is in effect. Which of the following actions will not accomplish the task of disabling EFS on the domain's workstations? (select all that apply)
A. The default Windows 2003 Policy does not allow workstations in the domain to use EFS, so you don't have to do anything.
B. Remove all user accounts from the Power Users group. Run the cipher utility on all of the client computers using the "d" and "s" switches.
C. Delete the Default Domain Policy GPO.
D. Set the Default Domain Policy GPO to Block Inheritance.
E. From the properties sheet of the Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System node uncheck the "allow users to encrypt files using EFS" checkbox.
Answer: a,b,c,d
Explanation: To stop users from utilizing EFS, from the properties sheet of the Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Encrypting File System node uncheck the "allow users to encrypt files using EFS" checkbox. This will stop all users in the domain from using EFS.

77. You are assigning a range of IP addresses to hosts on your Windows 2003 network. You would like to use the network ID of 137.72.32.0/20. What is the available range of IP addresses that you can use given the network ID specified above?
A. 137.72.32.1 - 137.72.255.254
B. 137.72.32.1 - 137.72.47.254
C. 137.72.15.1 - 137.72.31.254
D. 137.72.1.1 - 137.72.255.254
E. 137.72.32.1 - 137.72.32.254
Answer: b
Explanation: A network ID of 137.72.32.0/20 means that a subnet mask will be used that contains 20 1s in its binary form (the decimal equivalent of this will be a subnet mask of 255.255.240.0). The subnet mask will look like the following:
11111111 11111111 11110000 00000000
Therefore, the first 20 digits of the IP address will represent the network ID and the last 12 digits will represent the host ID. In this case the network portion will be:
01110101 01001000 0010
The smallest host ID will be:
0000 00000001
which will yield an IP address of 137.72.32.1. Note that all zeros is not a valid host ID. The largest host ID will be:
1111 11111110
which will yield an IP address of 137.72.47.254. Note that all ones is not a valid host ID. Therefore the available address range given a network ID of 137.72.32.0/20 will be 137.72.32.1 - 137.72.47.254.

78. Bluerinse, a systems administrator at MOHAREBIA, will be taking a three-week vacation to Far North Queensland. Bluerinse has chosen a member of his help desk staff, Agim, to take on the administrator role until he gets back so that he can perform routine sysadmin duties. Bluerinse adds Agim's account to the Administrators group.
When Bluerinse returns he finds that Agim has added three other accounts to the Administrators group without authorization. Bluerinse decides that current administrators should be restricted from adding other users to the Administrators group. Bluerinse does not want to prevent fellow Administrators from adding users to other groups or restrict their abilities to perform other administrative functions. What can be done to accomplish this?
A. Under "User Rights Assignment" in Group Policies, take the "Add Users to a Group" right away from the Administrators group.
B. Remove all users from the Administrators group and add them to the Power Users group.
C. Configure security for the Administrators group through Restricted Groups by listing only the user accounts in the node for Administrators who you want to be members of the group.
D. Change the Active Directory permissions so that the Administrators group only has read access to all group objects.
Answer: c
Explanation: The Restricted Groups feature acts as a governor over group membership and provides security memberships for default Windows 2003 groups that have predefined capabilities, such as Administrators, Power Users, Print Operators, Server Operators, and Domain Admins. You can also add additional groups whose membership is considered to be sensitive. When you configure a Restricted Group, you specify which user accounts you would like to be a member of that group. This information is stored as part of the Group Policy information. The next time the relevant policy is refreshed, any users who are not listed as members of the Restricted Group are removed. Configuring Restricted Groups ensures that group memberships are set as specified.
References: http://www.microsoft.com/windows2000/en/professional/help/, "Restricted Groups"

79. Bluerinse is the network administrator for a network with four Windows 2003 servers and 180 client workstations.
50 of the clients are newly installed XP Professional systems that have been configured with the default network settings. Bluerinse would like all 50 of these new XP clients to automatically register themselves with the DNS server. Bluerinse installed a domain controller named BOB for MOHAREB.COM but did not configure DNS as a part of the installation. After finishing the install of Active Directory, Bluerinse configured a standard primary zone for the MOHAREB.COM domain on the BOB domain controller. What additional steps must Bluerinse take to ensure that the XP clients will register themselves with the DNS server on BOB? Select all that apply.
A. Enable the Windows XP Professional machines to dynamically update their DNS records in Active Directory.
B. Configure the Windows XP Professional machines as DHCP clients.
C. Configure the DHCP server with the "Enable updates for DNS clients that do not support dynamic updates" setting.
D. Install a DHCP server, authorize it and configure the scope options so that the clients will use the new domain controller as their DNS server.
E. Enable the zone for the MOHAREB.COM domain to accept dynamic updates.
Answer: d,e
Explanation: If you create a DNS zone after installing Active Directory, the zone must be configured for dynamic updates. This can be done through the DNS console by setting the "Allow dynamic updates?" of the zone to Yes. By default, all Windows XP clients are DHCP clients and will attempt to register their DNS records with the DNS server. You do not need to configure the DHCP server to enable updates for DNS clients that do not support dynamic updates unless you have pre-Windows 2000 clients that you would like to be automatically registered with the DNS server.

80. Clamberto is out on site installing some Windows XP Professional workstations. He gets a call on his mobile phone that he needs to reconfigure the IP address of a development Windows Server 2003 Member Server back at the office.
Clamberto has configured this particular development Windows 2003 Server with the Web Based Administration tools. The required ports are open between the site LAN and the office LAN. The FQDN of the 2003 server is: clamtest2003.moharebia.com
Assuming that the HTML Remote Administration tools have been installed with the default settings, which of the following URLs should Clamberto use to connect to the 2003 server?
A. https://clamtest2003.moharebia.com:26000
B. https://clamtest2003.moharebia.com:110
C. https://clamtest2003.moharebia.com:3724
D. http://clamtest2003.moharebia.com:8098
E. https://clamtest2003.moharebia.com/admin
F. http://clamtest2003.moharebia.com/admin
G. https://clamtest2003.moharebia.com:8098
H. http://clamtest2003.moharebia.com:110
Answer: g
Explanation: The trick to answering this question is knowing that the administrative port is 8098 and that it must be connected to by SSL. It is well worth installing this option and playing around with it so that you get a feel for what it is like to administer a 2003 server via a web browser. The options are a little more limited, but it is definitely cool to check out. Some of the other ports listed you may recognize. Port 110 is POP3. Port 3724 is Blizzard Software's Battle Net (for all of the Diablo, Warcraft and Starcraft players out there) and port 26000 is dedicated to Quake servers.
Reference: Windows Server 2003 Online Help, Remote Administration Tools, Using Web Interface for Remote Administration. http://www.iana.org/assignments/port-numbers

81. You have configured roaming profiles for several of the users in your company. Some of these users save large documents to their My Documents folder. Because the My Documents folder is part of a user's profile, these users tend to experience slow logon times due to the time it takes to download their profile.
You would like to have the contents of the My Documents folder remain on a central Windows 2003 server rather than being downloaded to the user's desktop each time he or she logs on. Which would be the correct way to achieve this?
A. Set a disk quota on the My Documents folder on each user's desktop. Set a maximum limit on the amount of data that a user can save to that folder and check the box to "Redirect excess data to network server". Enter a UNC path with the location of the network share you would like the data to be redirected to.
B. Configure the Desktop folder to be available offline through Offline Files. Configure the folder to be synchronized when a user logs on or logs off.
C. Create an empty folder on the network server. Share this folder out and configure it as a DFS root share. Configure the My Documents folder for each user to be a DFS link.
D. Enable Folder Redirection through Group Policies and configure the My Documents folder to be redirected to a share on the centralized server.
E. Change the roaming profile from a personal roaming profile to a mandatory roaming profile by changing the name of the ntuser.dat file to ntuser.man.
Answer: d
Explanation: You use the Folder Redirection extension to Group Policy to redirect certain Windows 2000 special folders to network locations. Special folders are those folders such as My Documents and My Pictures that are located under Documents and Settings. When roaming user profiles are used, only the network path to the My Documents folder is part of the roaming user profile, not the My Documents folder itself. Therefore, its contents do not have to be copied back and forth between the client computer and the server each time the user logs on or off, and the process of logging on or off can be much faster than it was in Windows NT 4.0.
References: Windows Server 2003 Help, Folder Redirection

82. Oksana is encountering intermittent faults on her Windows 2003 server.
At present she does not have the Recovery Console installed on this system. She would, however, like to boot into the Recovery Console and replace some system files. Which of the following are methods that Oksana can use to boot this system into the Recovery Console, starting from the system being powered up and her being logged in with Administrator credentials?
A. Run the Recovery Console from the Windows 2003 CD by choosing the Repair option.
B. From the command prompt, run the reccom.exe utility.
C. Restart the Server. When the message "Please select the operating system to start" appears, press F8. Select Windows 2003 Recovery Console from the menu.
D. Install the Recovery Console by running winnt32 /cmdcons on the computer. Restart the computer and choose the Recovery Console option from the boot selection menu.
E. From Control Panel, choose Add/Remove Programs, select Add/Remove Windows Components and check the box for Recovery Console. Restart the computer and choose the Recovery Console option from the boot selection menu.
Answer: a,d
Explanation: The Windows 2003 Recovery Console is a command-line console that you can start from the Windows 2003 Setup program. Using the Recovery Console, you can start and stop services, format drives, read and write data on a local drive (including drives formatted to use NTFS), and perform many other administrative tasks. You may find the Recovery Console useful if you need to repair your system by copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service that is preventing your computer from starting properly. You must be an administrator to use the Recovery Console. There are two ways to start the Recovery Console:
1. If you are unable to start your computer, you can run the Recovery Console from your Windows 2003 CD.
2. You can install the Recovery Console on your computer to make it available in case you are unable to restart Windows 2003.
You can then select the Recovery Console option from the list of available operating systems.
References: Windows Server 2003 Online Help, Recovery Console.

83. When talking about Emergency Management Services, Microsoft uses specific terminology to describe particular ways of connecting to and managing a server. Different methods are classified as "In Band" and "Out of Band". Windows.NET server supports Out of Band management via EMS (Emergency Management Services). Which of the following would be classified as "Out of Band" management?
A. Connecting to and administering the server via serial port.
B. Connecting to and administering the server via a remote MMC connection.
C. Connecting to and administering the server via Terminal Services RDP client.
D. Connecting to and administering the server via Keyboard, Mouse and Monitor.
E. Connecting to and administering the server via telnet via the LAN.
Answer: a
Explanation: Out of band management is generally done through the serial port when the server is in a condition where no other connections (including using the local Keyboard, Mouse and Monitor) seem to be working. Special hardware can also be purchased so that the server may be managed in this fashion even if it is powered down (at least, according to MS this is the case). Using a standard terminal connection, such as HyperTerminal, you can connect to and manage the server in a way similar to how you would manage a Cisco Router through its console interface.
Reference: Windows.NET Server Help, "Out-Of-Band Management".

84. Which of the following commands, issued from the command prompt of a Windows Server 2003 domain controller in the rooslan.com.au domain, will list all of the user objects in the domain?
A. dsget user "DC=rooslan,DC=com,DC=au"
B. dsrm user "DC=rooslan,DC=com,DC=au"
C. dsquery user "DC=au,DC=com,DC=rooslan"
D. dsget user "DC=au,DC=com,DC=rooslan"
E.
dsquery user "DC=rooslan,DC=com,DC=au"
Answer: e
Explanation: DSQUERY is used to find objects based on search parameters. DSGET finds properties of objects. DSRM deletes objects from the directory.

85. Sandra is a new user at your company. After going through orientation, being given her login information and being assigned her cubicle, she logs into her workstation. About two hours later she finds the scanner and spends the next 45 minutes scanning pictures of her cat, Mr Buttons, into bitmap format. She then copies this bitmap file over to her Windows XP Professional workstation and sets one particular favorite picture of Mr Buttons as her desktop background, replacing what she considers to be the rather drab default background that displays the company's logo. Sandra continues working throughout the day, occasionally minimizing her Word Processing and Email Application to gaze lovingly at the desktop picture of Mr Buttons playing with his toy stuffed frog, before returning to work on whatever she was working on. At the end of the day, Sandra logs off her machine and shuts it down. When she comes into work the next morning and powers up her workstation, she logs in and finds that the picture of Mr Buttons has disappeared. In its place is the drab default background that displays the company's logo. Sandra changes the desktop background again, finding the file she scanned of Mr Buttons yesterday, so that Mr Buttons and the toy stuffed frog are back in their rightful place. Later that morning Sandra is called to a meeting, so she logs out of her workstation. When she returns and logs back in, she again finds that the picture of Mr Buttons is gone and the drab default background that displays the company's logo has returned. You receive a call from Sandra who would like to know why this keeps happening. Which of the following is the most likely explanation?
EXHIBIT OF MR BUTTONS (SANS FROG TOY)
A. Sandra does not have the appropriate permission to the bitmap file for the background she wishes to use. You must have at least Read permission to the file containing the background you wish to use.
B. Sandra's account has been configured with a mandatory profile. In this case, the user can still modify the desktop, but the changes are not saved when the user logs off.
C. Sandra's account is a member of the Guest Users group. Members of the Guest Users group automatically have their changes discarded upon logoff.
D. Sandra is not a member of the Power Users group. In order to make permanent changes to user settings, you must be a member of this group.
Answer: b
Explanation: A mandatory user profile is a preconfigured user profile. The user can still modify the desktop, but the changes are not saved when the user logs off. These profiles are stored on a Windows 2003 Server in the domain. The next time the user logs on, the mandatory user profile is downloaded again. User profiles become mandatory when you rename the NTuser.dat file on the server to NTuser.man. This extension makes the user profile read-only. Mandatory profiles are good ways of enforcing a consistent "look and feel" and are a neat way around the problem of people assigning themselves "inappropriate" desktop imagery.

86. You have a Windows Server 2003 File Server named Ulysseus that has a data storage volume that spans three 20 GB dynamic SCSI Disks. This File Server is a member of the EGYPT domain. There are 80 users in this domain. On the file server itself this volume is designated E:. The domain and local administrators don't use this drive to store data. The following directories contain shares. The local path and the UNC path are shown below.
E:\DATA    \\ulysseus\data
E:\TEMP    \\ulysseus\temp
E:\ACCT    \\ulysseus\acct
E:\DIST    \\ulysseus\dist
Quotas have been set up locally on each drive of the Windows Server 2003 File server with a default limit of 500 MB set (and a warning set at 450MB).
Mohareb, a user in the EGYPT domain, notices that at the moment there are no files in the TEMP directory. The TEMP share is cleared out at the end of every week. Mohareb has about 200MB of data he needs to temporarily store there – however, when he tries to put the data there he is denied access. Mohareb has stored data there before, and he has 200MB stored in a folder on the DATA share, 50MB stored on the DIST share, and another 200MB he copied last week to the ACCT share. Just two weeks ago Mohareb put another set of 200MB data in the TEMP share. Which of the following is the best explanation of why Mohareb has been denied the chance to put data in the TEMP share?
A. The TEMP share is in the process of being cleaned. Mohareb simply has to wait half an hour and try again.
B. Mohareb doesn't have the correct access permissions to the TEMP share.
C. The drive hosting the TEMP share is full. No one can write files there.
D. Mohareb has exceeded his quota for this drive. Even though there are multiple shares, his file usage is tracked across the volume itself.
answer: d
Explanation: Given that the Administrators don't store data there, that there are 80 users in the domain and the quota is 500MB per user, the drive won't be full (Drive size 60GB, Users * Quota = 40GB). Mohareb has accessed this share before, so it is unlikely that he doesn't have access permissions now. Files being deleted from a drive shouldn't block him from putting them there; also, as the share is empty, it indicates that the clean up has already taken place. (Anyone who has sysadmined a network knows that any available temp space on a network gets filled faster than a Wiggles Concert outside a Child Care center.) If you add up the other data that Mohareb has stored on these shares (450MB before the 200MB in the question) it is pretty clear that he is close to QUOTA already, so this is where you should be looking.

87.
Suresh is visiting the Wellington Mission Control Center for the New Zealand Space Agency. In one particular building the Operations and Telemetry Departments share the same printer - an HP 8000DN. Suresh has received complaints from some of the people in the Operations Department that people from Telemetry are sending large print jobs to the printer during the middle of the day and are tying up the printer for a long period of time. These print outs are important, but not time critical, as they provide a printed backup of monitored systems aboard the Rutherford Space Plane whilst it is in orbit. These systems are generally analyzed and monitored via software - the print outs are only used for record keeping purposes. Suresh would like to configure the printer so that members of the Telemetry Department cannot print between the hours of 10 AM and 2 PM Monday through Friday. However, there are three managers in the Telemetry Department that he would like to be able to print regardless of the time of day. Currently, all of the members of the Operations Department belong to the NZSAOperations group and all of the members of the Telemetry Department belong to the NZSATelemetry group. The printer has been installed and configured with the default permissions. Suresh performs the following actions:
1. Changes the permissions on the original printer so that only the NZSAOperations group can print to the printer.
2. Creates a second printer. Leaves the priority of the printer "1" for members of the Telemetry Department who he would like to prevent from accessing the printer between 10 AM and 2 PM Monday through Friday.
3. Creates a third printer. Changes the priority of the printer to "99" for the managers in the Telemetry Department who need access to the printer at all times.
4.
Configures the desktops of the users so that members of the NZSAOperations group use the first printer, members of the NZSATelemetry group use the second printer and the managers in the Telemetry Department use the third printer.
Which of the following objectives has Suresh achieved? Choose all that apply.
A. All members of both the Telemetry Department and the Operations Department have access to a printer.
B. Members of the Telemetry Department who are not managers do not have access to their printer between 10 AM and 2 PM Monday through Friday.
C. Members of the Operations Department have access to their printer at all times.
D. Managers in the Telemetry Department have access to their printer at all times.
answer: a,c,d
Explanation: By default all printers are configured to allow access to the printer at all hours during any day of the week. To restrict the time of day that a user can print to a printer, configure the schedule for the printer to only be available during certain hours. Setting priority for the printer does not prevent someone from using the printer during certain hours but rather allows users with higher priorities to print to the printer first.

88. Rooslan has a Windows Server 2003 system on which he has installed a printer named ColorPrint12. This member server has three volumes (C:, D: & E:) which have all been formatted with NTFS. The C: volume currently has 5 GB of free space and hosts the shared directory for the Stellar Cartography department. Quotas have been enforced on this volume. The D: volume hosts the shared directory of the Engineering department and has 4 GB free. The E: volume hosts the home directories of all of the users and has 10 GB free. The volume on E: also has quotas set for users. Several users who are members of the Stellar Cartography department have complained that when they attempt to print large A1 sized star maps to ColorPrint12 they are unable to do so.
Interestingly enough, not all members of the Stellar Cartography department are suffering from this problem, and none of the members of the Engineering department, who print large A1 Color schematics, have encountered it either. How would you solve this problem with the least amount of administrative effort?
A. Convert the disk from a basic disk to a dynamic disk.
B. Move the spool folder to the D: drive.
C. Delete the printer. Recreate a new printer on the D: drive of the server.
D. Free up disk space on the C: drive by running Disk Cleanup.
E. Change the default permissions on ColorPrint12 to give the Authenticated Users the Manage Printers permission.
answer: b
Explanation: In the above scenario, it is likely that the users are unable to have their documents spooled due to the quota restrictions that are in place. If the spool folder is located on the C: drive it is subject to the quota limit that has been configured for the drive. If the users have other data on the drive, they may be prevented from saving additional data (e.g. large print jobs) on the drive. To fix the problem, move the location of the spool folder from the C: drive to the D: drive. This can be done from Server Properties in the File menu for Printers. References: Windows Server 2003 Help, Print spooler.

89. You have just finished installing a Windows Server 2003 member system in a forest running at Windows Server 2003 functional level. The server has been installed in the MOSCOW domain. You are configuring memberships for a new local group named SPARTAK. Which of the following can you add to the local group on the Windows Server 2003 member system under these conditions?
A. Local Users
B. Groups with Universal Scope from any domain within the forest.
C. Users from any domain within the forest
D. Groups with Global Scope from any domain within the forest.
E. Groups with Domain Local scope in the MOSCOW Domain
F. Users from the MOSCOW Domain
G.
Local users from other member servers in the MOSCOW domain.
answer: a,c,d,e,f
Explanation: All but one of these objects can be added to a local group on a Windows Server 2003 member system. The key to this question is the functional level of the domain. This allows users and groups from other domains in the forest to be added to the local group on the member server. Local users on other member servers cannot be members of any groups but local groups on their own system. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_AdunderstandGroups.asp

90. You have recently received the Technet CD for Windows Server 2003 Service Pack 1. Your Windows Server 2003 installation has a directory on the F drive called f:\i386 where you keep all of the installation files, so that if you add or remove a service you don't have to go hunting around for your CD-ROM when you want to make a change, nor go down to the server room to manually insert the CD, and can do all of this from the office via RDP. You have mapped the server's F: drive to your own Z: drive. You install the service pack to a directory on the F: drive by running the command w2k3sp1.exe -x from the command line and specifying F:\ when it asks you where you want to put the files. When it has finished extracting you then switch to your terminal services window. You run another command prompt and change to the f:\w2k3sp1\i386\update directory. You run update.exe and install SP1 on to your Windows Server 2003 Server. You then reboot the server and when it comes back up, you log back in via Terminal Services. You want the files in the f:\i386 directory to also be updated so that you don't have to reapply the service pack every time you make changes by installing or removing services. The process by which the installation files are updated is called "slipstreaming".
Which of the following commands, issued from the f:\w2k3sp1\i386\update directory, will allow you to slipstream your installation files without reinstalling the service pack?
A. upgrade.exe -s:f:\i386
B. update.exe -s:f:\
C. upinst.exe -s:f:\i386
D. slipst.exe -s:f:\
E. slipstream.exe -s:f:\i386
answer: b
Explanation: The command to do a slipstream install of a service pack is update -s:[path to i386 directory]. In this case the path to the i386 directory is f:\. If your i386 directory was in f:\installfiles\i386 the install command would be update -s:f:\installfiles\ This is a good sysadmin trick to learn.

91. As a method of ensuring security, all of the Windows 2003 servers at Mohareb Corporation are to be fitted with Smart Card readers. Rather than the traditional login, systems administrators will only be allowed to log in via Smart Card when they are performing server maintenance tasks. The use of restricted groups and Smart Cards that have to be signed out will mean that the use of Administrator Privileges will be highly controlled. Which of the following protocols must be enabled to support smart card logon?
A. L2TP
B. MS-CHAP
C. MS-CHAPv2
D. BAP
E. EAP
F. PPTP
answer: e
Explanation: If a certificate is installed either in the certificate store on your computer or on a smart card, and the Extensible Authentication Protocol (EAP) is enabled, you can use certificate-based authentication in a single network logon process, which provides tamper-resistant storage of authentication information. References: Smart Card Login Windows Server 2003 Help.

92. Bouillon has been investigating migrating his company's domain from Windows 2000 Server Domain controllers to Windows .NET Server domain controllers. He has read that moving across to a Windows .NET Server AD infrastructure will bring more flexibility.
Bouillon's company will also soon be undergoing a name change and already management is making noises about renaming domain controllers and perhaps even the domain itself. Which of the following presents the best course of action for Bouillon to take?
A. Bouillon should upgrade the current Windows 2000 Domain controllers to Windows .NET Server. Windows .NET Server allows renaming of DCs "in place" as well as the ability to rename the Domain.
B. Bouillon should upgrade the current Windows 2000 Domain controllers to Windows .NET Server. Windows .NET Server allows the renaming of Domains. To rename the DCs, he should demote them individually to member servers, and then re-promote them to Domain Controller status.
C. Bouillon should wait until the new company domain name and domain controller naming scheme are settled by management. He then should create a new separate forest of Windows .NET domain controllers using the new DC naming scheme. Finally he should remove each member of the previous domain and make it rejoin the new .NET server domain.
D. Bouillon should create a new separate forest of Windows .NET domain controllers using the new company domain name. If changes to the DC names are required he can do that "in place" without having to demote them back to Member Server status.
answer: a
Explanation: Windows .NET Server introduces several new features for Active Directory. Two of these that may be of use to administrators are the ability to rename Domain Controllers (in Win2K you need to demote to member, rename, promote to DC) and the ability to rename Domains themselves. This was brought in so that integration when company A takes over company B (or renames itself company C) would be easier - something that is currently a headache for IT staff as the PHB's can't decide what they want to call their company. References: Windows .NET Server Help. "Active Directory, New Features."

93.
Which of the following commands issued from the command line on a Windows Server 2003 system will add a user named Sharnak to the users container of the domain Clamberto.com?
A. dsget user "CN=sharnak,CN=users,DC=clamberto,DC=com"
B. dsadd user "CN=clamberto,CN=com,DC=users,DC=sharnak"
C. dsquery user "CN=sharnak,CN=users,DC=clamberto,DC=com"
D. dsadd user "CN=sharnak,CN=users,DC=clamberto,DC=com"
answer: d
Explanation: The command to add objects to the directory is dsadd. DSGET and DSQUERY are used to retrieve information from the directory. The domain name must be referred to as DC=clamberto,DC=com rather than CN=clamberto,CN=com.

94. You are one of the Systems Administrators at a company that runs a Windows 2003 functional level Domain. You would like all of the users in the Auditing department of your company to have Access 2003 installed on their computers. All members of the Auditing department currently reside in an organizational unit named Auditing and all use Windows XP Professional as their client operating system. You decide to use Group Policies to publish Access to the Finance organizational unit. When prompted, you enter \\server1\access where the path is the location of an .msi file that will install and configure Access on the users' desktops. The next morning the users log on to their computers but Access does not appear in their Programs menu. What is the best explanation for this behavior?
A. You specified a network location as the location of the .msi file for Access. In order for Group Policies to function properly, you must specify a location on the local hard drive of the server containing the .msi file.
B. You have not given the Auditing users the necessary permissions to install applications on their computers. When using an .msi file to install an application, the application will install in the security context of the user who is currently logged on.
If a user does not have permissions to install an application, the application will not appear in his or her Programs menu.
C. You published the application rather than assigning the application. By design, published applications will not appear in the Programs menu but rather can be installed through the Control Panel or through document invocation.
D. You attempted to push the application to an organizational unit rather than a group. Group Policies can only be applied to users, groups and computers in a Windows 2003 Native Mode Domain.
answer: c
Explanation: With Windows 2003 Software Installation and Maintenance capability, you can either assign or publish an application to a user. If you assign an application to a user it will be advertised on each user's computer in the Programs menu. It is not actually installed on the computer but will only be installed if a user attempts to run the application. If you publish an application, the application will not be advertised on the user's desktop. The two methods of invoking the installation of a published application are either to use Add/Remove Programs in Control Panel or to click on a file for which you associated its file extension with the application. References: Windows Server 2003 Online Help.

95. Rooslan gets a call from a user named Bodgy who is unable to send jobs to a color laser printer on the forty third floor of the CertTutor.net Skyscraper. Like most staff on the forty third floor, Bodgy is restricted to logging into one single Workstation. Rooslan checks the print queue and sees that other users' print jobs seem to be outputting normally. Rooslan then checks the permissions assigned to the printer. Only the ARTDEPT global group has permissions to this printer. Rooslan checks and finds that Bodgy's user account is not a member of the ARTDEPT group.
After consulting with his manager about whether or not Bodgy should be given permission to use the printer, Rooslan adds Bodgy's user account to the ARTDEPT group. Then everyone goes to lunch and has a merry time at the pub. Later that afternoon Rooslan receives another call from Bodgy. He still can't print to the printer. Rooslan quickly checks the group membership and finds that Bodgy's account is a member of the ARTDEPT group. Which of the following things could Rooslan do to resolve this conundrum?
A. Add Bodgy's workstation's computer account to the ARTDEPT group.
B. Restart the print spool
C. Delete Bodgy's account from the ARTDEPT group and then add it again.
D. Force a group policy refresh on the domain.
E. Tell Bodgy to reboot his workstation.
answer: e
Explanation: The most plausible explanation for what has happened to Bodgy's printing is that he hasn't logged out and logged back in, hence his security token has not been updated with his account's new membership. Getting him to reboot his workstation will force him to log on and log off, especially as he is restricted only to logging onto that particular workstation.

96. Beradio is monitoring an old Windows Server 2003 system that was upgraded from a Windows 2000 System 18 months ago. The Server has been performing poorly and Beradio is trying to determine if a particular hardware component is causing a bottleneck. Beradio gathers the following data from the Systems Monitor Utility:
% Processor Time (Average): 67%
Processor Queue Length (Average): 1
Pages /sec (Average): 4
Average Disk sec/Transfer: 0.8
Disk Queue Length (Average): 9
Given this information, which of the following components is the most likely bottleneck?
A. The RAM is the bottleneck.
B. Network Adapter is the bottleneck.
C. The Processor is the bottleneck.
D. The Physical Disk is the bottleneck.
answer: d
Explanation: For the processor, if the % Processor Time is consistently high (greater than 80%) and disk and network counter values are low, it is an indication that the processor is a likely bottleneck. A sustained processor queue length of greater than 2 generally indicates a processor bottleneck. For Pages /sec, if the counter value is consistently greater than 5, suspect memory. A high value (values greater than 0.3 seconds) for Average Disk sec/Transfer may mean that the disk controller is continually retrying the disk because of failures. If the counter value for %Disk Time is consistently high and disk queue length is greater than 2, it is likely that the physical disk represents a bottleneck.

97. Clamberto is about to use the HTML Remote Administration tools to reconfigure the TCP/IP network settings of the test Windows 2003 Server clamtest2003.moharebia.com. Clamberto draws up the following list of tasks:
Task One: Add the following IP addresses to the first NIC installed on the server labelled CONNECTION_ONE
128.250.213.224 255.255.255.0
128.250.213.225 255.255.255.0
128.250.213.226 225.255.255.0
Task Two: Add two other Gateway Addresses with a metric of 2 and 3 respectively to the second NIC installed on the Server labelled CONNECTION_TWO
Task Three: Change the third NIC properties so that it receives its networking configuration from DHCP rather than a statically assigned IP address.
Task Four: Add three new addresses to the TCP/IP Hosts File
128.250.213.25 gateworld
128.250.212.55 adhocalypse
128.250.20.2 muwaye
Task Five: Rename the first NIC installed on the server's connection from LAN CONNECTION to INTERNET
Task Six: Configure the second NIC installed so that NetBIOS over TCP/IP is enabled.
Task Seven: Configure the Internet Connection Firewall so that Internet Users can access the Web Server, FTP Server and Secure Web Server on the third NIC
How many of the above tasks can Clamberto complete using the HTML Remote Administration Tools?
You can see an example of the HTML Remote admin tools start page here.
A. Four tasks can be completed.
B. One task can be completed.
C. Five tasks can be completed.
D. Six tasks can be completed.
E. Three tasks can be completed.
F. Seven tasks can be completed.
G. None of these tasks can be completed. Network settings cannot be altered using the HTML Remote Administration tools.
H. Two tasks can be completed.
answer: c
Explanation: The first five tasks on Clamberto's list can be completed using the new HTML Remote Administration tools that can be installed on Windows Server 2003. The tools are remarkably well provisioned and many day to day tasks, not just the network ones, can be completed using them. Reference: Windows Server 2003 Online Help, Remote Administration Tools, Using Web Interface for Remote Administration.

98. Windows Server 2003 comes in several different flavors. These are as follows:
Standard Server.
Enterprise Server.
Datacenter Server.
Web Server.
64-Bit Server.
Some features that are available to some of the flavors are not available to others. Which of the following are features that are included in the Enterprise Server product but not the Standard Server product?
A. Network Load Balancing Clusters.
B. Hot Add Memory
C. 32 Gigabyte RAM Support
D. 32 Way Symmetric multiprocessing Support
E. FAT32 on DVD-RAM.
F. 8 Way Symmetric multiprocessing support.
answer: c,e,f
Explanation: 32 Way SMP support is only available on the 64 bit OS - hence isn't a valid answer to this question. NLB is available on both versions as is FAT32 on DVD-RAM. References: http://www.microsoft.com/windowsserver2003/evaluation/features/featuresorterresults.aspx

99. Bouillon has telnetted across to one of the Windows 2003 POP3/SMTP servers in his domain to do some maintenance work and wants to get a list of all of the mailboxes that currently reside in the bouillon.net domain. Which of the following command line commands would enable him to do this?
A. showbox -all bouillon.net
B.
listbox -all bouillon.net
C. This cannot be done from the command line.
D. mailbox list bouillon.net
E. winpop list bouillon.net
answer: e
Explanation: winpop is the command line utility that you can use to do all of the administrative tasks (such as add, delete mailboxes, change passwords and so on). This utility is located in the %winnt%/system32/pop3server directory. In the case where someone has telnetted in they have command line access - and hence would be using the command. Telnet could be useful, say, if you are connecting to the server via a mobile phone modem connection and don't have sufficient bandwidth to allocate to terminal services client on a Pocket PC.

100. Oksana is the website administrator for a company that hosts three separate websites off a single Windows Server 2003 system running Internet Information Services. Each website has its own individual IP address and Fully Qualified Domain Names. These sites and IPs are as follows:
www.chocolatekoala.com 203.164.20.146
www.talkpretzels.net 203.164.20.147
www.donutdelirium.org 203.164.20.148
Each site is configured separately and accepts only traffic on its specific IP address. Host headers using the particular site domain names have also been configured. Oksana would like to limit traffic to the chocolatekoala website to hosts from the dialup.com and broadband.com domains. She would like to restrict all hosts from 128.250.212.1 through to 128.250.213.254 from accessing the talkpretzels.net website but to allow all other hosts access. She would also like to allow everyone but hosts from the dialup.com domain and all hosts from 128.250.212.0 through to 128.250.213.255 to access the donutdelirium.org site. Which of the following steps should Oksana take? (select 3)
A.
On the directory security tab of the website properties for talkpretzels.net she should edit the IP address and Domain Name restrictions so that all computers will be allowed access except those from the 128.250.212.0 Network ID and 255.255.254.0 subnet.
B. On the directory security tab of the website properties for talkpretzels.net she should edit the IP address and Domain Name restrictions so that all computers will be allowed access except those from the 128.250.212.0 Network ID and 255.255.252.0 subnet.
C. On the directory security tab of the website properties for chocolatekoala.com she should edit the IP address and Domain Name restrictions so that all computers will be allowed access except those from the dialup.com and broadband.com domains.
D. On the directory security tab of the website properties for chocolatekoala.com she should edit the IP address and Domain Name restrictions so that all computers will be denied access except those from the dialup.com and broadband.com domains.
E. On the directory security tab of the website properties for the donutdelirium.org site she should edit the IP address and Domain Name restrictions so that all computers will be allowed access except those from the dialup.com domain and those from the 128.250.212.0 Network ID and 255.255.252.0 subnet.
F. On the directory security tab of the website properties for the donutdelirium.org site she should edit the IP address and Domain Name restrictions so that all computers will be allowed access except those from the dialup.com domain and those from the 128.250.212.0 Network ID and 255.255.254.0 subnet.
answer: a,d,f
Explanation: The first part of this question is straightforward enough to answer - simply limiting traffic to the two domains in question. Answer A does this whilst answer B does the opposite.
The next part of the question relies upon subnetting skills and determining the correct subnet mask for the range of IP addresses 128.250.212.1 through to 128.250.213.254. The correct subnet mask in this case is 255.255.254.0, which creates a network of 510 hosts. The alternate subnet mask offered, 255.255.252.0, would exclude the range 128.250.212.1 through to 128.250.215.254, cutting out over 500 hosts that should have access to the site. Once the correct subnet mask is determined, answers D and E fall into place, also excluding answers C and F. References: Windows Server 2003 Online Help.

101. The DEMOSTHENES global group is a member of the LOCKE global group. The MELBOURNE domain local group is a member of the VICTORIA domain local group. The LOCKE group is not a member of any groups. The VICTORIA group is not a member of any groups. The MELBOURNE domain local group has no members which are themselves groups. Which of these groups can be converted to a UNIVERSAL group in a Windows Server 2003 functional level domain?
A. DEMOSTHENES
B. VICTORIA
C. MELBOURNE
D. LOCKE
answer: c,d
Explanation: Global groups can only be converted to Universal groups if they aren't members of other Global groups. This means that DEMOSTHENES cannot be converted but LOCKE can be. Domain Local groups can be converted to Universal groups as long as they don't have other Domain Local groups as members.

102. Bluerinse wants to convert some distribution groups to security groups in a Windows Server 2003 domain. At which levels of domain functionality can he perform this operation?
A. Windows 2000 Native
B. Windows Server 2003
C. Windows 2000 Mixed
D. Windows Server 2003 Interim
answer: a,b
Explanation: Mixed and Interim domains (which can contain NT4 servers) cannot perform a conversion of a distribution group to a security group. This can only occur when there are no NT4 domain controllers present.

103.
Rooslan is the Systems Administrator for a company with a small single-domain Windows 2003 network. Comprising this network are 5 Windows 2003 servers (2 of which are DCs), 40 Windows XP Clients and 80 Windows 2000 Pro clients. Barry from accounts rings Rooslan and complains that he cannot access the AUDITOR share on the server "NYserver1". He tells Rooslan that he receives an error message reading that "the share name is not accessible and that access is denied." Realizing that this is likely a case of incorrectly configured permissions, Rooslan would like to remotely view the permissions of the share from his workstation running Windows XP Professional with the Administrative Tools installed. Which of the following is the correct way to do this?
A. Connect to NYServer1 using a path of \\NYServer1\AUDITOR. From the File menu, select Properties and view the permissions for the share.
B. Connect to NYServer1 using a path of \\NYServer1\C$ where "C" is the drive letter that the AUDITOR share is located on. Right-click the AUDITOR folder name and choose "Sharing". View the properties of the share in question.
C. From the Administrative Tools menu choose Server Manager. Select NYServer1 from the list of computers and click the Shares button. View the properties of the AUDITOR share.
D. From the Administrative Tools menu choose Computer Management and change the focus to NYServer1. Expand Shared Folders, display the shares and view the properties of the AUDITOR share.
answer: d
Explanation: Using Shared Folders, you can view a summary of connections and resource use for local and remote computers. With Shared Folders, you can perform the following tasks: Create, view, and set permissions for shares, including shares on computers running Windows NT 4.0 and Windows 2000. View a list of all users who are connected to the computer over a network and disconnect one or all of them. View a list of files opened by remote users and close one or all of the open files.
Viewing the properties via the Administrative Share (C$) will not work.

104. Rooslan is logged into a Windows Server 2003 domain controller that hosts the primary DNS zone for certtutor.net. Rooslan runs a command prompt and issues the following command:
dnscmd /recordadd certtutor.net clamberto A 192.168.20.2
Rooslan wishes to use the dnscmd utility to create a reverse record. Which of the following commands should he use?
A. dnscmd /recordadd 20.168.192.in-addr.arpa 2 PTR clamberto.certtutor.net
B. dnscmd /recordadd 192.168.20 2 PTR clamberto.certtutor.net
C. dnscmd /recordadd 192.168.20.2 PTR net.certtutor.clamberto.in-addr.arpa
D. dnscmd /recordadd certtutor.net clamberto PTR 192.168.20.2
answer: a
Explanation: When using dnscmd /recordadd you must use the correct zone name in which the record is going to be added. For a reverse lookup zone (as indicated by the original address that Clamberto's record was going to) you must use the x.y.z.in-addr.arpa notation. In this case 20.168.192.in-addr.arpa. As only one answer uses that notation correctly, the answer is a bit of a giveaway.

105. Rooslan has configured a Windows 2003 server at a small branch office with a Cable Modem connection to the internet. The 2003 server is connected to the rest of the LAN at the branch office. Rooslan would like to allow the 2003 server to share the ISDN connection with other hosts in the branch office via the Internet Connection Sharing (ICS) feature of Windows 2003. How can Rooslan enable ICS to do this?
A. Open Network and Dial-up Connections, right-click the ISDN connection, choose Properties and select the "Allow other network users to connect through this computers internet connection" check box from the ADVANCED tab.
B. Reconfigure the TCP/IP properties for the internal network interface. Set the IP address to an address in the 192.168.x.y range. Configure a DHCP scope on the machine and assign it IP addresses from the same range.
Exclude the statically-assigned IP address from the previous step. C. In Control Panel, double-click ICS. Configure ICS through the Internet Connection Sharing Setup wizard. D. Open Routing and Remote Access, click ICS, right- click ICS and add a New Interface. answer: aExplanation: Explanation: To enable Internet connection sharing on a network connection: 1. Open Network and Dial-up Connections2. Right-click the dial-up, VPN, or incoming connection you want to share, and then click Properties.3. Select the "Allow other network users to connect through this computers internet connection" check box from the ADVANCED tab. 106. Correct Answer: C 10.10.32.1 - 10.10.47.254 -------------------------------------------------------------------------------- Explanation: A network ID of 10.10.32.0/20 means that a subnet mask will be used that contain 20 1s in its binary form (The decimal equivalent of this will be a subnet mask of 255.255.240.0). The subnet mask will look like the following: 11111111 11111111 11110000 00000000 Therefore, the first 20 digits if IP addresses will represent the network ID and the last 12 digits will represent the host ID. In this case the network portion will be: 00001010 00001010 0010 The smallest host ID will be: (the | used to space network portion from host portion in the third octet) 00001010 00001010 0010 | 0000 00000001 which will yield an IP address of 10.10.32.1. Note that all zeros is not a valid host ID. The largest host ID will be: (the | used to space network portion from host portion in the third octet) 00001010 00001010 0010 | 1111 11111110 which will yield an IP address of 10.10.47.254. Note that "all ones" is not a valid host ID. Therefore the available address range given a network ID of 117.72.32.0/20 will be 10.10.32.1 - 10.10.47.254. The ability to Subnet is an assumed skill on all MCSE 2000 Exams. A. 10.10.32.1 - 10.10.255.254 B. 10.10.32.1 - 10.10.32.254 C. 10.10.15.1 - 10.10.31.254 D. 10.10.32.1 - 10.10.47.254 E. 
10.10.1.1 - 10.10.255.254 answer: dExplanation: Explanation: A network ID of 10.10.32.0/20 means that a subnet mask will be used that contain 20 1s in its binary form (The decimal equivalent of this will be a subnet mask of 255.255.240.0). The subnet mask will look like the following: 11111111 11111111 11110000 00000000 Therefore, the first 20 digits if IP addresses will represent the network ID and the last 12 digits will represent the host ID. In this case the network portion will be: 00001010 00001010 0010 The smallest host ID will be: (the | used to space network portion from host portion in the third octet) 00001010 00001010 0010 | 0000 00000001 which will yield an IP address of 10.10.32.1. Note that all zeros is not a valid host ID. The largest host ID will be: (the | used to space network portion from host portion in the third octet) 00001010 00001010 0010 | 1111 11111110 which will yield an IP address of 10.10.47.254. Note that "all ones" is not a valid host ID. Therefore the available address range given a network ID of 117.72.32.0/20 will be 10.10.32.1 - 10.10.47.254. The ability to Subnet is an assumed skill on all MCSE Exams. 107. There are five domains in Windows Server 2003 Active Directory Forest. CLAMBERTO.COM (Forest Root) BLUERINSE.CLAMBERTO.COM TAZ69.CLAMBERTO.COM GARYENG.CLAMBERTO.COM FLEX22.CLAMBERTO.COM The forest is running at the functionality level of Windows Server 2003. A group with universal scope is created in the domain FLEX22.CLAMBERTO.COM Which of the following statements are true? A. Groups of Global Scope from the BLUERINSE.CLAMBERTO.COM domain can be added to this group. B. Groups of Universal Scope from the TAZ69.CLAMBERTO.COM domain can be added to this group. C. Local accounts from the member servers in the FLEX22.CLAMBERTO.COM domain can be added to this group. D. Accounts from the domain GARYENG.CLAMBERTO.COM can be added to this group. E. Accounts from the domain CLAMBERTO.COM can be added to this group. 
answer: a,b,d,e
Explanation: Only local accounts from member servers cannot be added to a Universal group, even when they are in the same domain. http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_AdunderstandGroups.asp

108. Rooslan has been an Administrator of Windows NT and 2000 servers for some years. He has set up a test laboratory of Windows Server 2003 systems prior to deploying them on site. His primary interest this week is performance monitoring. With prior Windows technologies he has had to run a command line executable to enable Logical Disk performance monitoring. What is the name of the command that Rooslan needs to run to enable Logical Disk performance monitoring on Windows Server 2003?
A. diskperf
B. sysmondisk
C. diskcount
D. Logical Disk performance monitoring is enabled by default on Windows Server 2003.
E. logicount
answer: d
Explanation: From Windows Server 2003 and on, Logical Disk performance monitoring will be automatically enabled. This contrasts with Windows 2000 and NT where logical disk performance monitoring needed to be enabled via the command diskperf. Reference: New Ways to Do Old Tasks. Windows Server 2003 Online Help.

109. Clamberto, Bouillon and Beradio all have user accounts within a Windows Server 2003 Domain. They all use a shared folder on the 2003 Member Server DEMOSTHENES named LOCKE. Clamberto is a member of three groups that have been assigned permissions to this share. Bouillon is a member of two groups that have been assigned permissions to this share. Beradio is a member of two groups that have been assigned permissions to this share. There are four groups in total that have been assigned permissions to this share - they are ENGINEERING, MARKETING, MANAGERS and ACCOUNTANTS. Bouillon and Beradio are not members of the same groups. Clamberto is a member of Beradio's groups. Bouillon and Clamberto are members of the Managers group. Beradio is not a member of the Accountants group.
The share permissions for LOCKE are as follows:
Clamberto - Full Control (ALLOW)
Bouillon - Full Control (ALLOW)
Beradio - Full Control (ALLOW)
Managers - Full Control (DENY)
Accountants - Full Control (DENY)
Engineering - Read (ALLOW)
Marketing - Read (ALLOW)
NTFS permissions for the folder hosting the LOCKE share and its subfolders are:
Clamberto - Full Control (ALLOW)
Bouillon - Full Control (ALLOW)
Beradio - Full Control (ALLOW)
Managers - Full Control (ALLOW)
Accountants - Full Control (DENY)
Engineering - Read (ALLOW)
Marketing - Read (DENY)
What will Bouillon's effective permissions be to files on the LOCKE share if he is attempting to access it from a workstation on the network?
A. Full Control
B. Read
C. No Access
D. Change (Read, Write, Execute and Delete)
answer: c
Explanation: The first step is to decipher the group memberships. They come out as follows.
GROUP MEMBERSHIPS
ENGINEERING - BERADIO, CLAMBERTO
MARKETING - BERADIO, CLAMBERTO
MANAGERS - BOUILLON, CLAMBERTO
ACCOUNTANTS - BOUILLON
Next, the appropriate way to determine effective permissions to a resource is illustrated in the three steps below:
1. Determine the effective share-level permission. The effective share-level permission will be the least restrictive permission of all of those assigned to a user or to groups that the user is a member of. The exception is the No Access permission which will override all other permissions.
2. Determine the effective NTFS permission. The effective NTFS permission will be the cumulative of all of the NTFS permissions assigned to the user and to groups that the user is a member of. The exception is if there are any Deny permissions assigned. Deny permissions will override Allow permissions.
3. The effective overall permission will be the most restrictive of the effective share-level permission and the effective NTFS permission.
References: File and Folder Permissions, Windows Server 2003 Online Help.

110. Oksana has decided to use Windows Server 2003's RIS to remotely deploy Windows Longhorn clients to a laboratory of 40 workstations. The target systems are all of the same hardware configuration. Oksana has learned, going through the documentation, that the network cards in these machines do not meet the PXE standards required by the 2003 RIS service. There is a utility, however, that can be used to make boot disks that will allow Windows Longhorn to be deployed via RIS. Which of the following is this utility?
A. remoteboot.sif
B. rbfg.exe
C. Client Creator
D. makeboot.exe
E. Network Client Administrator
answer: b
Explanation: You use the Remote Installation Services boot disk with client computers that do not contain a remote boot-enabled ROM. The boot disk simulates the PXE boot process for machines lacking a formal remote boot ROM. For more information on the PXE boot process, see PXE architecture. The boot disk is analogous to a boot ROM, which uses the floppy drive to install the operating system from the remote installation server. The remote boot disk-generating utility (Rbfg.exe) included with Windows 2003 Server is located in the following folder: \\Server name\Share name\REMINST\Admin\I386\Rbfg.exe
References: Windows Server 2003 Help "Create A Remote Boot Disk".

111. Clamberto has lost the ASR diskette that goes with the Automated System Recovery backup on a particularly important Windows Server 2003 system. Which of the following methods will allow Clamberto to create a new ASR diskette with a minimum of time and effort so that he can perform the ASR process on the server should it become necessary?
A. Clamberto will need to restore the ASR.SIF and ASRPNP.SIF files from the ASR backup set for this server and transfer them across to a new floppy diskette.
B. Clamberto can use the ASR diskette from another server. ASR diskettes are simply boot disks and one disk can service all Windows Server 2003 systems in an organization.
C. Clamberto will need to scrap the original ASR set and create a new ASR set via the Windows Server 2003 backup utility.
D. From the Windows Server 2003 backup utility, Clamberto should use the "create ASR disks" option from the tools menu.
answer: a
Explanation: An Automated System Recovery Disk, which is inserted after booting off the Windows Server 2003 CD-ROM, contains two "Server Unique" files - ASR.SIF and ASRPNP.SIF. An ASR diskette will only be the same as one from another server if that other server is an exact duplicate. ASR.SIF and ASRPNP.SIF are stored within the backup set, so a new diskette can be recreated if the old one is lost or damaged. Reference http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_backtrouble.asp

112. Because it has inherited prior Microsoft nomenclature, Windows Server 2003 calls the volume that contains the operating system files the boot volume. It is important to understand the limitations of what can and cannot be done to, or reside upon, a Windows Server 2003 boot volume. Which of the following statements about a Windows Server 2003 boot volume are correct?
A. A Software RAID-5 volume cannot contain the boot volume.
B. A software striped volume cannot contain the boot volume.
C. A mirrored volume cannot contain the boot volume.
D. The volume that you install the Active Directory Database to cannot be the boot volume.
E. The volume that you install the Certificate Services Database to cannot be the boot volume.
F. The volume that you install Remote Installation Services (RIS) to cannot be the boot volume.
answer: a,b,f
Explanation: Software RAID-5 Volumes and Striped Volumes cannot contain the boot volume. However, Mirrored Volumes can contain the boot volume. Remote Installation Services (RIS) must be installed to a different volume than the one that contains the operating system files - this was a limitation in Windows 2000 and is a limitation in Windows 2003.
The Certificate Services Database may be installed on the boot volume. The Active Directory Database may also be installed on the boot volume. However, it is a good idea to place the Active Directory Database on a separate volume from the one containing the Active Directory log files to improve performance. References: Windows Server 2003 Help. RIS - [System Requirements]

113. You are one of the Systems Administrators at a medium sized company that runs a Windows 2003 functional level domain. A request has been forwarded to you asking that Microsoft Excel 2003 be installed on the computers of all of the users in the Human Resources department. The accounts for all of the members of the Human Resources department currently reside in the HR OU. All computers used by Human Resources staff run Windows XP Professional as the client operating system. To fulfill this request you decide to use Group Policy to publish Microsoft Excel 2003 to the HR organizational unit. When prompted, you enter \\softdist\excel2003, which is the network path to the .msi file that will install and configure Excel 2003 on the users' computers. You complete these changes at 5:30pm on Tuesday evening and inform the manager of the HR department that Excel should appear in their Programs menu when they turn on their computers and log in tomorrow morning. At 10:00am on Wednesday you receive a call from the manager of the HR department who tells you that not one user in her department has Excel 2003 in their Programs menu this morning. You ask the manager to reboot her computer and log in again. After this has completed Excel 2003 still has not appeared. What is the best explanation for this behavior?
A. You have not given the Human Resources users the necessary permissions to install applications on their computers. When using an .msi file to install an application, the application will install in the security context of the user who is currently logged on. If a user does not have permissions to install an application, the application will not appear in his or her Programs menu.
B. You specified a network location as the location of the .msi file for Excel 2003. In order for Group Policies to function properly, you must specify a location on the local hard drive of the server containing the .msi file.
C. You published the application rather than assigning the application. By design, published applications will not appear in the Programs menu but rather can be installed through the Control Panel or through document invocation.
D. You attempted to push the application to an organizational unit rather than a group. Group Policies can only be applied to users, groups and computers in a Windows 2003 Native Mode Domain.
answer: c
Explanation: With Windows 2003 Software Installation and Maintenance capability, you can either assign or publish an application to a user. If you assign an application to a user it will be advertised on each user's computer in the Programs menu. It is not actually installed on the computer but will only be installed if a user attempts to run the application. If you publish an application, the application will not be advertised on the user's desktop. The two methods of invoking the installation of a published application are either to use Add/Remove Programs in Control Panel or to click on a file whose file extension is associated with the application. References: Windows Server 2003 Online Help.

114. Michael, a member of the Marketing group and the Managers group, is attempting to access a file that is stored on one of his company's Windows 2003 servers. The file is shared out on a volume that has been formatted with the NTFS file system. The share permissions and NTFS permissions are as follows:
Share Permissions:
Michael - Change
Managers - Full Control
Marketing - Read
NTFS Permissions (for the folder and all contents of the folder):
Managers - Read
Finance - No Access
What will Michael's effective permission be to the folder and its contents when he attempts to access it over the network from his Windows XP Professional Workstation?
A. No Access
B. Read
C. Full Control
D. Change (Read, Write, Execute and Delete)
answer: b
Explanation: The appropriate way to determine effective permissions to a resource is illustrated in the three steps below:
1. Determine the effective share-level permission. The effective share-level permission will be the least restrictive permission of all of those assigned to a user or to groups that the user is a member of. The exception is the No Access permission which will override all other permissions.
2. Determine the effective NTFS permission. The effective NTFS permission will be the cumulative of all of the NTFS permissions assigned to the user and to groups that the user is a member of. The exception is if there are any Deny permissions assigned. Deny permissions will override Allow permissions.
3. The effective overall permission will be the most restrictive of the effective share-level permission and the effective NTFS permission.
In the above question, the effective share-level permission would be Full Control for Michael. The effective NTFS permission would be Read for Michael. The most restrictive of Full Control and Read would be Read, which is Michael's effective permission to the resource.

115. Phil created a new snap-in for the MMC on his domain controller. He wants to save the new console so that it can be reused by other members of his admin team. He knows that the file can be emailed, or stored in a shared folder. But what extension should he save the file under?
A) .msc
B) .msi
C) .mst
D) .zap
answer: a