Microsoft 70-291
Implementing, Managing, and Maintaining a Microsoft
Windows Server 2003 Network Infrastructure
Q&A V3.28
English: www.TestInside.com
BIG5: www.Testinside.net
GB: www.Testinside.cn
TestInside,help you pass any IT exam!
TestInside 70-291
1. You are the network administrator for Blue Yonder Airlines. The company uses a single Active Directory
domain named blueyonderairlines.com.
The company network consists of three subnets. The subnets are connected by two hardware routers. Each subnet
contains one Windows Server 2003 computer with the Routing and Remote Access service enabled and
configured. The relevant portion of the network is configured as shown in the Network exhibit. (Click the Exhibit
button.)
Users on the 192.168.30.0/24 subnet report that they cannot access resources on Server1. You verify that Server1
and Server2 can connect to each other. You run the tracert command on Server3 and view the output shown in the
Tracert exhibit. (Click the Exhibit button.)
You need to ensure that users on all three segments of the network can access resources on Server1.
What should you do?
A. Modify the route to the 192.168.30.0 network in the routing table on Router1.
B. Modify the route to the 192.168.10.0 network in the routing table on Router2.
C. Modify the route to the 192.168.30.0 network in the routing table on Server1.
TestInside 70-291
D. Modify the route to the 192.168.10.0 network in the routing table on Server2.
E. Modify the route to the 192.168.10.0 network in the routing table on Server3.
Answer: B
2. You are the network administrator of your company. The company network contains two subnets that are
connected by a router. All servers run Windows Server 2003.
All network hosts are manually configured with TCP/IP information. The network is configured as shown in the
exhibit. (Click the Exhibit button.)
A developer uses a server named Workstation6 for testing. She reports that she cannot access resources on a server
named Server5. All other hosts on subnet A are able to access resources on Server5.
From Workstation6 you successfully ping the IP address of the router interface on the local subnet. However, you
cannot ping the IP address of Server5 or the IP address of the router interface on subnet B. You run the route print
command on Workstation6 and receive the output as shown in the following table.
TestInside 70-291
You need to ensure that Workstation6 can connect to Server5 and any other hosts on subnet B.
What should you do?
A. Change the IP address on Workstation6 to 131.107.142.128.
B. Change the subnet mask on Workstation6 to 255.255.0.0.
C. Change the default gateway on Workstation6 to 131.107.128.1.
D. Change the IP address of the router interface connecting to subnet A to 131.107.142.1.
E. Change the IP address on the router interface connecting to subnet B to 131.107.194.1.
Answer: C
3. You are the network administrator for a Web hosting company. All servers run Windows Server 2003. All client
computers run Windows XP Professional.
Your company is assigned the following IP address ranges by the ISP:
• 131.107.10.0 through 131.107.10.255
• 131.107.11.0 through 131.107.11.255
The company's data center contains 400 Windows Server 2003 computers and consists of two subnets named
subnet A and subnet B. Subnet A contains 200 servers and uses the 131.107.10.0 network address. Subnet B also
contains 200 servers and uses the 131.107.11.0 network address. All server IP addresses are assigned by DHCP.
All computers in the data center have valid Internet-accessible IP addresses.
As a result of a corporate acquisition, 200 additional servers will be added to your company's data center within
TestInside 70-291
one month. The new servers will be placed on the network segment that maps to subnet A. The existing router
does not have the capacity for an additional subnet, and the budget does not allow the purchase of a new router.
You will need to add the additional servers to the existing subnet A. The ISP assigns you the additional IP address
range 131.107.12.0 through 131.107.12.255.
You need to change the IP addressing scheme to accommodate all required servers in subnet A and subnet B. You
are authorized to make any necessary changes.
The diagram in the work area shows the network configuration and the planned number of servers for each subnet.
Which IP address should be assigned to each subnet?
To answer, drag the appropriate IP address or addresses to the correct locations in the work area.
Answer:
4. You are the network administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003.
The network contains two domain controllers and three file servers. The DHCP server for the network is named
Server2. All client computers are configured as DHCP clients.
Users report that they cannot connect to the file servers on the network. On one of the affected computers, you run
the ipconfig /all command. You receive the result shown in the IPconfig exhibit. (Click the Exhibit button.)
TestInside 70-291
You log on to the DHCP server and view the DHCP console as shown in the DHCP exhibit. (Click the Exhibit
button.)
You need to ensure that the users can connect to the network file servers.
What should you do?
A. Start the DHCP service on Server2.
B. Increase the number of addresses available in the scope on Server2.
C. Authorize the DHCP server in Active Directory.
D. Add the Server2 computer account to the DHCP Administrators domain local group.
Answer: A
5. You are the network administrator for your company. The network consists of a single Active Directory domain.
TestInside 70-291
All servers run Windows Server 2003.
The domain controllers in the domain are also configured as the DNS servers for the network. The DHCP server
for the network is named Server1.
You decide to move the DHCP service to a server named Server2. You stop the DHCP service on Server1. You log
on to Server2 by using the local Administrator account, and you install DHCP.
After you install DHCP on Server2, you create a new scope in DHCP. You activate the scope.
Users report that they cannot log on to the network. You discover that the client computers are not receiving an IP
address configuration from the DHCP server.
You open Event Viewer on Server2 and view the event shown in the exhibit. (Click the Exhibit button.)
You need to ensure that client computers on the network can receive an IP address configuration from Server2.
What should you do?
A. Restart the DHCP service on Server2.
B. Authorize the DHCP service on Server2 in Active Directory.
C. Uninstall the DHCP service on Server1.
D. Install DNS on Server2. Configure a secondary zone on Server2 for the Active Directory domain DNS zone.
Answer: B
TestInside 70-291
6. You are the network administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All servers are configured with static IP addresses.
All client computers run Windows XP Professional. All client computers are configured as DHCP clients. The
relevant portion of the network is configured as shown in the Network exhibit. (Click the Exhibit button.)
A user named Maria reports that she cannot access network resources by using her client computer. Her client
computer is named Client2. Maria reports that she received an error message about a duplicate address on the
network when she started her computer this morning.
You examine the DHCP scope properties on the DHCP server. The scope properties are shown in the DHCP
exhibit. (Click the Exhibit button.)
TestInside 70-291
You need to ensure that Maria can access the network by using her client computer. You also need to ensure that
this problem will not recur.
What should you do?
A. Exclude the IP addresses 192.168.10.10 to 192.168.10.15 from the DHCP scope. Restart Client2.
B. Add the additional IP addresses 192.168.10.201 to 192.168.10.250 to the DHCP scope. Restart Client2.
C. Configure the DHCP scope to detect IP address conflicts. Restart Client2.
D. Reconcile the DHCP scope on the DHCP server. Restart Client2.
Answer: A
7. You are the network administrator for your company. All servers run Windows Server 2003. All servers are
configured with static IP addresses. All client computers run Windows XP Professional. All client computers are
configured as DHCP clients.
The company has a main office and one branch office. The offices are separated by a router. A DHCP server is
deployed in each office.
One of the DHCP servers shuts down unexpectedly. It takes four hours to repair the server. During that time,
several mobile users connect their portable computers to the network and report that they cannot connect to shared
resources on the network.
After the server is repaired, you create a new scope on each DHCP server that includes IP addresses for the other
office. You activate the scopes.
You test the new DHCP configuration by shutting down the DHCP server in the main office. You find out that the
client computers in the main office are not receiving IP addresses from the DHCP server in the branch office.
You need to ensure that when the DHCP server in one office fails, the client computers will receive a correct IP
address configuration from the DHCP server in the other office.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the router between the offices to forward BOOTP broadcasts.
B. Configure the DHCP server in each office with a DHCP scope that includes the same IP addresses as the DHCP
server in the other office. Activate the scope.
C. Configure the DHCP server in each office with an additional network adapter. Connect each new network
adapter to the local network. Assign an IP address from the other office's network to each new network adapter.
D. Install and configure a DHCP relay agent in each office.
TestInside 70-291
Answer: D AND A
8. You are the network administrator for your company. All servers run Windows Server 2003. All servers are
configured with static IP addresses. All client computers run Windows XP Professional. All client computers are
configured as DHCP clients.
The company has a main office and one branch office. The offices are separated by a router. A DHCP server is
deployed in each office. The DHCP servers are named DHCP1 and DHCP2.
You configure scopes on the DHCP1 and DHCP2 as shown in the following table.
You shut down DHCP1 for scheduled maintenance. While DHCP1 is shut down, client computers in both offices
continue to receive correct IP address assignments from DHCP2.
You restart DHCP1. Several users report that when they restart their computers, they receive error messages
stating that a duplicate IP address exists on the network.
You need to ensure that these error messages do not appear when you shut down and restart a DHCP server. You
need to ensure that changes you make does not affect the current DHCP functionality.
What should you do?
A. On each DHCP server, configure a superscope that includes both DHCP scopes.
B. Configure the router between the offices to block all broadcasts.
C. Modify the Main scope on DHCP1 to include addresses 10.1.16.0 through 10.1.27.254. Modify the Branch
scope on DHCP2 to include addresses 10.2.16.0 through 10.2.27.254.
D. Modify the Main scope on DHCP2 to include addresses 10.1.16.0 through 10.1.31.254. Modify the Branch
scope on DHCP1 to include addresses 10.2.16.0 through 10.2.31.254.
Answer: C
TestInside 70-291
9. You are the network administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
Two of the servers on the network contain highly confidential documents. The company's written security policy
states that all network connections with these servers must be encrypted by using an IPSec policy.
You place the two servers in an organizational unit (OU) named SecureServers. You configure a Group Policy
object (GPO) that requires encryption for all connections. You assign the GPO to the SecureServers OU.
You need to verify that users are connecting to the two servers by using encrypted connections.
What should you do?
A. Run the net view command.
B. Run the gpresult command.
C. Use the IP Security Monitor console.
D. Use the IPSec Policy Management console.
Answer: C
10. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003.
One domain controller on the network is configured as a certification authority (CA). The network contains a Web
server that runs IIS 6.0 and hosts a secure intranet site. The server also hosts other sites that do not require
HTTPS.
You configure a server certificate on the IIS server by using a certificate from your internal CA. All users are
required to connect to the intranet site by using HTTPS.
Some users report that they cannot connect to the secure intranet site by using HTTPS. You confirm that all users
can connect to the nonsecure sites hosted on the Web server by using HTTP.
You want to view the failed HTTPS requests.
What should you do?
A. Review the log files created by IIS on the Web server.
B. Review the security log in Event Viewer on the Web server.
C. Review the security log in Event Viewer on the CA.
D. Review the contents of the Failed Requests folder on the CA.
Answer: A
TestInside 70-291
11. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003.
The network contains a Web server that runs IIS 6.0 and hosts a secure intranet site. All users are required to
connect to the intranet site by authenticating and using HTTPS. However, because an automated Web application
must connect to the Web site by using HTTP, you cannot configure the intranet site to require HTTPS.
You need to collect information about which users are connecting to the Web site by using HTTPS.
What should you do?
A. Check the application log on the Web server.
B. Use Network Monitor to capture network traffic on the Web server.
C. Review the log files created by IIS on the Web server.
D. Configure a performance log to capture all Web service counters. Review the performance log data.
Answer: C
12. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003.
The network contains a Web server named Server1 that runs IIS 6.0 and hosts a secure Web site. The Web site is
accessible from the intranet, as well as from the Internet. All users must authenticate when they connect to Server1.
All users on the Internet must use a secure protocol to connect to the Web site. Users on the intranet do not need to
use a secure protocol.
You need verify that all users are using a secure protocol to connect to Server1 from the Internet.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Monitor the events in the application log on Server1.
B. Monitor the events in the security log on Server1.
C. Monitor the Web server connections on Server1 by using a performance log.
D. Monitor network traffic to Server1 by using Network Monitor.
E. Monitor the IIS logs on Server1.
Answer: E AND D
13. You are the administrator of an Active Directory domain. All servers run Windows Server 2003. All client
TestInside 70-291
computers run Windows XP Professional. All computers are members of the domain.
The Secure Server (Require Security) IPSec policy is assigned to a file server named Server6. The policy is
configured as shown in the exhibit. (Click the Exhibit button.)
Users report that they cannot access shared folders on Server6. Users were able to access shared folders on
Server6 prior to the implementation of the IPSec policy.
You need to ensure that all client computers in the domain can access the shared folders on Server6. You must
ensure that all communications between client computers and Server6 be encrypted.
What should you do?
A. On Server6, enable the All ICMP Traffic IP Security rule in the properties of the Secure Server (Require
Security) IPSec policy.
B. On Server6, enable the
IPSec policy.
C. On all client computers, assign the Client (Respond Only) IPSec policy.
D. On all client computers, install an IPSec communication certificate in the local machine store.
Answer: C
TestInside 70-291
14. You are an administrator of a single Active Directory forest that contains one domain. All servers run
Windows Server 2003.
A server named VPN1 is configured with Routing and Remote Access. VPN1 is configured to allow only inbound
VPN connections that use L2TP. You assign the Server (Request Security) IPSec policy on VPN1. You configure
the policy to use Kerberos and certificates for authentication.
From a Windows XP Professional computer named Client1, which does not belong to the domain, you attempt to
establish a VPN connection to VPN1 and receive the error message shown in the exhibit. (Click the Exhibit
button.)
You verify that the VPN ports on VPN1 are not being blocked by any intermediate devices.
You need to configure Client1 to allow it to establish a VPN connection to VPN1.
What should you do?
A. Assign the Client (Respond Only) IPSec policy.
B. Assign the Server (Request Security) IPSec policy.
C. Install a valid IPSec certificate in the local machine store.
D. Configure the VPN connection so that only L2TP IPSec VPN is enabled.
Answer: C
15. You are the administrator of an Active Directory domain. All servers run Windows Server 2003. All client
computers run Windows XP Professional.
A server named Filesrv1 contains confidential data that is only available to users in the human resources (HR)
department.
You want all computers in the HR department to connect to Filesrv1 by using an IPSec policy. You assign the
Server (Request Security) IPSec policy to Filesrv1. Using Network Monitor, you notice that some computers in
the HR department connect to Filesrv1 without using the IPSec policy.
You need to configure Filesrv1 to ensure that all computers connect to it by using the IPSec policy.
TestInside 70-291
What should you do?
A. Assign the Secure Server (Require Security) IPSec policy.
B. Assign the Client (Respond Only) IPSec policy.
C. Unassign the Server (Request Security) IPSec policy.
D. Restart the IPSec Services service.
Answer: A
16. You are the network administrator for your company. All servers run Windows Server 2003.
You configure the Routing and Remote Access service on a server named Server2. Server2 is connected to a
modem pool and supports eight simultaneous inbound connections. You instruct remote users to dial in to Server2
from their home computers.
The company's written business policy states that the only client computer operating systems that should be
supported for dial-up access are Windows 95, Windows 98, Windows 2000 Professional, and Windows XP
Professional.
You need to configure the remote access policy to support the most secure authentication methods possible. You
want to enable only the necessary authentication methods based on the supported client computers that will be
connecting.
Which authentication method or methods should you enable? (Choose all that apply.)
A. PAP
B. SPAP
C. CHAP
D. MS-CHAP Version 1
E. MS-CHAP Version 2
Answer: E AND D
17. You are a network administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003.
The company has a main office and one branch office. The perimeter networks for each office are configured as
shown in the exhibit. (Click the Exhibit button.)
TestInside 70-291
You configure an L2TP/IPSec VPN tunnel between Server1 and Server2. You also configure and assign an IPSec
policy named RASIPSec that requires secure communications.
You need to ensure that no unsecured traffic from the Internet reaches the internal network through this VPN. You
also need to ensure that access to the VPN servers from their respective internal networks is not disrupted.
What should you do?
A. Configure input and output L2TP/IPSec packet filters on the internal interfaces of Server1 and Server2.
B. Configure input and output L2TP/IPSec packet filters on the external interfaces of Server1 and Server2.
C. In the properties of RASIPSec, edit the All IP Traffic IP Filter list to include the IP addresses for only Server1
and Server2.
D. In the properties of RASIPSec, edit the All ICMP Traffic IP Filter list to include the IP addresses for only
Server1 and Server2.
Answer: B
18. You are the administrator of a Windows Server 2003 computer named Server1. The network contains another
Windows Server 2003 computer named Server2 that has the DNS and WINS services installed. Two hundred
Windows 2000 Professional computers regularly connect to Server1 to access file and print resources.
Administrators report that network traffic has increased and that response times for requests for network resources
on Server1 have increased.
You need to identify whether Server1 is receiving requests for resources through NetBIOS broadcasts.
What should you do?
A. Use Network Monitor to capture traffic between Server1 and all client computers.
B. Use Network Monitor to capture traffic between Server1 and Server2.
C. Monitor Event Viewer for Net Logon error or warning events.
D. Run the tracert command on Server1.
Answer: A
TestInside 70-291
19. You are the administrator of a Windows Server 2003 computer named Server1. Server1 is an FTP server
located in the company's internal network.
Administrators report an increased amount of FTP traffic to Server1.
You need to configure Server1 to achieve the following goals:
Identify the media access control (MAC) address of any computer that is performing FTP transfers from Server1.
Find out the exact FTP commands that were executed.
Ensure that you do not disrupt the operation of Server1.
What should you do?
A. Configure a performance alert to write an event to the application event log whenever the number of
established FTP connections exceeds 1.
B. Use a Network Monitor filter to capture IP traffic from any computer to Server1.
C. Run the finger command on Server1 to identify the source of the FTP requests.
D. Run the arp command on Server1 to identify the source of the FTP requests.
Answer: B
20. You are the administrator of an Active Directory domain. The domain contains a Windows Server 2003
computer named Server1. Server1 functions as a domain controller and a DNS server. The domain also contains a
Windows XP Professional client computer named Client1.
You need to establish a detailed record of all of the communications that occur when a typical member of the
Domain Users group named User1 logs on to the Active Directory domain from Client1. You might need to use
this information as a troubleshooting tool if communications between Client1 and Server1 are disrupted or
degraded. You want to use Network Monitor to obtain this baseline information.
What should you do?
To answer, move the appropriate actions from the list of actions to the answer area, and arrange them in the
correct order.
A. Start a capture.
B. Enable TCP/IP filtering on Client1.
C. Start Network Monitor on Server1 and select Local Area Network.
D. Configure a capture filter to capture all traffic between Server1 and Client1.
E. Configure a display filter to display all traffic between Server1 and Client1.
TestInside 70-291
F. Configure a capture filter to capture all traffic between Server1 and *ANY.
G. Configure a display filter to display all traffic between Server1 and *ANY.
H. Log on to Client1 as User1 and allow the logon process to complete.
I. Log on to Server1 as User1 and allow the logon process to complete.
J. Stop the capture and save it in a secure, reliable location.
Answer: C Start Network Monitor on Server1 and select Local Area Network.
D Configure a capture filter to capture all traffic between Server1 and Client1.
A Start a capture.
H Log on to Client1 as User1 and allow the logon process to complete.
J Stop the capture and save it in a secure, reliable location.
(H BEFORE J) AND (A BEFORE H) AND (D BEFORE A) AND (C BEFORE D)
21. You are the administrator of an Active Directory domain. The network contains a Windows Server 2003
domain controller named Server1.
Users report that they experience intermittent delays when they log on to Server1. Administrators report that
replication attempts between Server1 and other domain controllers are occasionally delayed.
You need to verify the cause of the intermittent connection delays to Server1. You also need to find out whether
the problem is related to a hardware deficiency on Server1. You need to track these delays over a period of one
day.
What should you do first?
A. Run the netdiag /verbose command to perform a network diagnostic test on Server1.
B. Run the replmon command to view the Active Directory replication status on Server1.
C. Use Network Monitor to view the network traffic packet contents between Server1 and all other computers.
D. Create a System Monitor counter to track the queue lengths on the network adapter on Server1.
Answer: D
22. You are the administrator of an Active Directory domain. All servers run Windows Server 2003. All client
computers run Windows XP Professional and are members of the domain.
The domain contains a single DNS server named Server1. Root hints are enabled on Server1. Internet access for
the company is provided by a Network Address Translation (NAT) server named Server2. Server2 is connected to
TestInside 70-291
the Internet by means of a permanent connection to the company's ISP.
Users report that they can no longer connect to http://www.adatum.com. Users can connect to internal resources
and to other Internet Web sites. You can successfully access http://www.adatum.com from a computer outside of
the corporate network.
You need to ensure that the users can access http://www.adatum.com. You must also ensure that users retain their
ability to access internal resources.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Disable Routing and Remote Access on Server2.
B. Create a root zone on Server1.
C. On all affected users' computers, run the ipconfig /flushdns command.
D. Configure all affected users' computers to use the ISP's DNS server.
E. Use the DNS console on Server1 to clear the DNS cache.
Answer: C AND E
23. You are the network administrator for your company. All servers run Windows Server 2003.
Twenty company employees connect to a terminal server named Server2 to run applications and to gain access to
the Internet.
The 20 employees report that they receive security messages while browsing Internet Web sites. The employees
report that they cannot modify the Internet Explorer security settings on their client computers while connected to
Server2.
You need to allow these 20 employees to modify the Internet Explorer security settings on their client computers
while connected to Server2.
What should you do?
A. Log on to Server2 as Administrator and add http:// to the list of trusted sites in Internet Explorer.
B. Instruct the 20 employees to add http:// to the list of trusted sites in Internet Explorer on their client computers.
C. Instruct the 20 employees to change the Internet Explorer privacy settings on their client computers to Low.
D. Uninstall Internet Explorer Enhanced Security Configuration on Server2.
Answer: D
TestInside 70-291
24. You are the administrator of an Active Directory domain. All servers run Windows Server 2003.
You configure a server named Server3 as the DNS server for the domain.
The company recently started using a new ISP. Since the change to the new ISP occurred, users report that they
cannot access Internet Web sites by using their fully qualified domain names (FQDNs).
You manually configure a test computer to use the DNS server address of the new ISP. The test computer can
successfully access Internet Web sites by using their FQDNs.
You need to ensure that network users can access Internet Web sites by using their FQDNs, while ensuring that
user access to internal resources is not disrupted.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Create a root zone on Server3.
B. Configure Server3 to use the default root hints.
C. Configure a forwarder on Server3 to the new ISP's DNS server.
D. Configure all computers on your network to use the new ISP's DNS server.
Answer: B AND C
25. You are the administrator of an Active Directory domain. All servers run Windows Server 2003. All client
computers run Windows XP Professional. The network is configured as shown in the exhibit. (Click the Exhibit
button.)
DC1 is configured as a DNS server for the domain named contoso.com. DC1 is configured to use ISP-DNS as a
TestInside 70-291
forwarder.
A computer named NAT1 is a Network Address Translation (NAT) server. NAT1 provides Internet access for the
entire company. You recently created a subnet named Subnet 10.
You are configuring a DHCP server to support Subnet 10. You need to configure the DHCP server options for
Subnet 10 to ensure that all users can access the Internet and internal resources.
What should you do?
To answer, drag the appropriate IP address or addresses to the correct location or locations in the work area.
Answer:
26. You are the network administrator for your company. All servers run Windows Server 2003.
The company is setting up a sales booth at a large trade show. Twelve company sales representatives will be
working in the booth. The sales representatives each have a portable computer that runs Windows XP
Professional.
You configure a server named Server2 with a LAN connection and a dial-up connection to the Internet. All of the
sales representatives' computers are also connected to the LAN.
The 12 sales representatives report that they cannot connect to the Internet. You view the IP configuration on one
of the portable computers as shown in the exhibit. (Click the Exhibit button.)
TestInside 70-291
You need to provide the 12 sales representatives' portable computers with Internet access.
What should you do?
A. Configure Internet Connection Sharing (ICS) on Server2.
B. Install the DHCP service on Server2. Create a scope for subnet 169.254.0.0/16.
C. Modify the Internet Explorer properties on the 12 sales representatives' computers to specify 169.254.0.1 as the
proxy server.
D. Install the Connection Manager Administration Kit (CMAK) on Server2.
Answer: A
27. You are the network administrator for your company. All servers run Windows Server 2003.
You configure a server named Server2 as a Network Address Translation (NAT) server. Server2 has a single
network adapter and a modem. Server2 connects to the Internet through a demand-dial connection.
Users report that when they attempt to connect to Internet Web sites, they intermittently receive the following
error message: "Page not found." After waiting for several minutes, they can connect to the Web sites. These
errors occur throughout the day.
You need to configure Server2 to allow users to always connect to Internet Web sites.
What should you do?
A. Set the demand-dial connection to Persistent.
B. Set the dial-out hours on the demand-dial connection to any day and any time.
C. Set a demand-dial filter. Configure the filter for Only allow the following traffic. Specify a new filter for
outbound port 80.
TestInside 70-291
D. Configure the demand-dial interface as the private interface.
Answer: A
28. You are the network administrator for your company. All servers run Windows Server 2003.
The company's main office is located in New York City, and four branch offices are located in various North
American cities. The network is configured as shown in the exhibit. (Click the Exhibit button.)
Access to the Internet is provided by a Network Address Translation (NAT) server located in the Montreal office.
The IP address of the NAT server is 192.168.10.254.
Users in the Los Angeles office report that they cannot connect to the Internet. Users in the New York office report
that they can successfully connect to the Internet. From a computer in the Los Angeles office, you cannot connect
to servers located in the Montreal office by using their IP address.
You want to find out where the communication failure resides by running a command prompt on a computer in the
Los Angeles office.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the pathping 192.168.10.254 command.
B. Run the net view \\192.168.10.254 command.
C. Run the tracert 192.168.10.254 command.
D. Run the nslookup 192.168.10.254 command.
Answer: A AND C
29. You are the administrator of a Windows Server 2003 computer named Server1. The LAN connection TCP/IP
properties on Server1 are configured to use a static IP address.
TestInside 70-291
An administrator reports that Server1 is receiving incorrect results to a query for server2.fourthcoffee.com. You
log on to Server1 and run the ipconfig /flushdns command. You receive the following error message.
You need to start the appropriate service or services to ensure that Server1 can correctly resolve name resolution
queries. You want to achieve this goal by using the minimum amount of administrative effort.
Which service or services should you start?
To answer, select the appropriate service or services in the work area.
Answer:
30. You are the network administrator for your company. The network contains a third-party application that runs
as a service. The application service is secured with a domain-level service account. The properties of the service
account are displayed in the work area.
Users report that the application is no longer available. The application service is stopped.
An administrator reports that the password of the service account had expired and was changed. You reset the
TestInside 70-291
password on the service to match the new password of the service account. You unsuccessfully attempt to restart
the service.
You need to ensure that the service will start. You need to prevent this problem from happening again while
retaining administrative control over the service account password.
What should you do?
To answer, configure the appropriate option or options in the dialog box in the work area.
Answer:
31. You are the administrator of a Windows Server 2003 computer named Server1. Server1 has a third-party
application installed on it. The third-party application runs as a service that is named Service1. Service1 fails
periodically.
You need to configure the recovery options for Service1 to meet the following requirements:
If Service1 runs successfully for a day or more, you need to ensure that only the service is immediately restarted
upon failure.
If, after this failure, Service1 does not run successfully for another day, you must ensure the entire server is
immediately restarted.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Configure the Reset fail count after value for Service1 to 1 day.
B. Configure the Restart service after value for Service1 to 1,440 minutes.
C. Configure the response to the first failure to be to restart Service1.
D. Configure the response to the first failure to be to restart Server1.
E. Configure the response to the second failure to be to restart Service1.
F. Configure the response to the second failure to be to restart Server1.
Answer: F AND C AND A
TestInside 70-291
32. You are the network administrator for Fabrikam, Inc. The network contains a DNS server named Server1.
Server1 is configured to resolve queries for external internet resources. Server1 also hosts the fabrikam.com
internal zone for Active Directory.
Users report that they are directed to the wrong Web site when browsing for well-known Internet Web sites.
You need to minimize the occurrence of unexpected results when users browse the Internet in the future. You also
need to minimize disruption to users.
What should you do?
A. Enable the Disable recursion setting in the advanced properties of Server1.
B. Enable Fail on load if bad zone data setting in the advanced properties of Server1.
C. Enable the Secure cache against pollution setting in the advanced properties of Server1.
D. Enable the Enable automatic scavenging of stale resource records setting in the advanced properties of Server1
and set it to 7 days.
Answer: C
33. You are the administrator of a Windows Server 2003 computer named Server1. Server1 is a domain member
server that has the DNS service installed.
Server1 is configured with two network interfaces named NIC1 and NIC2. Routing is not enabled between the
two network interfaces. NIC1 and NIC2 are configured as shown in the following table.
Resources on the preproduction network segment use the same fully qualified domain names (FQDNs) as
resources in the production network. The TCP/IP properties on client computers in the preproduction environment
are controlled by individual testers.
You need to ensure that the users in the preproduction environment cannot resolve FQDNs from the production
network. You want to accomplish this goal by using the DNS console on Server1.
What should you do?
A. Configure the interfaces properties on Server1 to listen on 192.168.2.10 only.
TestInside 70-291
B. Configure the forwarders on Server1 to refer requests to 192.168.3.2.
C. Configure Server1 to disable recursion.
D. Configure Server1 to disable round robin.
Answer: A
34. You are a network administrator for A. Datum Corporation. The network consists of a single Active Directory
domain named adatum.net.
Users regularly browse the internal network and the Internet from their client computers. All Web and e-mail
hosting for a separate DNS domain named adatum.com is outsourced to an ISP. All name resolution requests for
adatum.com are resolved by the ISP. You have no administrative control over the DNS servers at the ISP. You
cannot list the contents of adatum.com by using the nslookup command on the DNS servers at the ISP.
A Windows Server 2003 computer named Server1 is configured with a primary zone for adatum.net. All root hints
have been removed from Server1. All client computers refer to this DNS server for name resolution.
You need to configure DNS resolution to ensure that all client computers can locate and access resources in
adatum.net, adatum.com, and the Internet.
What should you do?
A. Configure a secondary zone for adatum.com on Server1.
B. Configure a primary zone for adatum.com on Server1.
C. Configure conditional forwarding for adatum.com with the IP address of the DNS server at the ISP.
D. Configure simple forwarding with the default settings with the IP address of the DNS server at the ISP.
Answer: D
35. You are a network administrator for Coho Winery. The network consists of a single Active Directory domain
named cohowinery.net. All domain controllers are configured as DNS servers and host an Active
Directory-integrated zone for cohowinery.net.
A local ISP provides users with access to the Internet. All Web sites for cohowinery.com are located on the
perimeter network. A secondary DNS zone for cohowinery.com is located on the internal network on a Windows
Server 2003 computer named Server1. All client computers refer only to this DNS server for name resolution.
You need to configure DNS resolution to ensure that all client computers can log on to the network, access the
Web sites, and browse the Internet. You must also ensure that the cohowinery.net zone is stored as securely as
TestInside 70-291
possible.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure a secondary DNS zone for cohowinery.net on Server1.
B. Configure a primary DNS zone for cohowinery.net on Server1.
C. Configure conditional forwarding for cohowinery.net to point to the IP addresses of the domain controllers.
D. Configure conditional forwarding for all other DNS domains to point to the IP address of the ISP DNS server.
Answer: D AND C
36. You are a network administrator for the School of Fine Art. The network contains five Windows Server 2003
computers that also function as DNS servers. The servers are configured as shown in the work area.
The Caracas and Santiago branches of the school each have five client computers. The Lima branch has 5,000
client computers. The Sao Paulo branch has 2,500 client computers.
Server1 is located in the school's main office in Bogota. Server1 is the authoritative server for a zone named
fineartschool.net. School management plans to update the network infrastructure in the main office. During these
upgrades, there will be frequent changes to the name server (NS) resource records for fineartschool.net.
You need to ensure that each DNS server on the WAN has a dynamically updated list of NS records for
fineartschool.net. You also need to minimize zone replication traffic across the slow connections and minimize
DNS lookups on Server1.
How should you configure the DNS servers in the school's branches?
Answer:
TestInside 70-291
37. You are a network administrator for the Graphic Design Institute. The network contains five Windows Server
2003 computers that also function as DNS servers. The servers are configured as shown in the work area.
The Lagos and Nairobi branches of the school each have five Windows XP Professional client computers. The
Tangier branch has 5,000 Windows XP Professional client computers, and the Cape Town branch has 2,500
Windows XP Professional client computers.
Server1 is located in the school's main office in Cairo. Server1 is the authoritative server for a zone named
graphicdesigninstitute.com. No changes are planned for the name server (NS) resource records for
graphicdesigninstitute.com.
The DNS servers in the Nairobi and Lagos branches are multiuse servers that are configured with the minimum
hardware necessary to run Windows Server 2003. The DNS servers in the Cape Town and Tangier branches are
configured as dedicated servers with hardware that is sufficient to sustain multiple DNS zones.
You need to ensure that the following requirements are met:
Each client computer can resolve names on the network as quickly as possible by using a fully qualified domain
name (FQDN).
Prevent zone replication traffic from occurring on the slow network connections.
Minimize hard disk utilization on the DNS servers in the Lagos and Nairobi branches as much as possible.
Ensure that DNS queries in Tangier and Cape Town are resolved locally.
How should you configure the remote DNS servers?
Answer:
TestInside 70-291
38. You are a network administrator for Trey Research. The company's main office is in Tokyo, and it has a branch
office in Seoul.
The network consists of a single Active Directory forest that contains two domains as shown in the exhibit. (Click
the Exhibit button.)
Server1 and Server2 each have the DNS service installed as shown in the following table.
TestInside 70-291
You need to configure the primary and secondary DNS address referrals on the client computers in the Seoul
office by using the minimum amount of administrative effort. You need to ensure that users have access to the
Internet with as few network hops as possible. You also need to ensure that users can access resources on the
internal network in Seoul only as quickly as possible, and that DNS lookup traffic over the WAN does not occur if
the local DNS server is available.
What should you do?
A. Configure 131.107.0.1 as the primary DNS server. Configure 192.168.2.1 as the secondary DNS server.
B. Configure 192.168.2.1 as the primary DNS server. Configure 131.107.0.1 as the secondary DNS server.
C. Configure 192.168.2.1 as the primary DNS server. Configure 192.168.3.1 as the secondary DNS server.
D. Configure 192.168.3.1 as the primary DNS server. Configure 192.168.2.1 as the secondary DNS server.
Answer: D
39. You are the network administrator for your company. The network consists of a single Active Directory
domain. The functional level of the domain is Windows Server 2003. All client computers in the domain run
Windows XP Professional.
An application named Inventory.exe is installed on all computers in the domain to remotely gather software
inventory information. The application runs as a service in the security context of the Local System. The startup
type of the service is set to Automatic.
In the Default Domain Policy Group Policy object (GPO), the security administrator has configured a software
restriction policy that is applied to all computers in the domain. The policy contains a hash rule for the
Inventory.exe application, and the hash rule is configured with a security level of Unrestricted.
The client computers on the network are attacked by a worm that is distributed by e-mail messages received over
the Internet. The worm detects the presence of Inventory.exe on a computer, then starts a new instance of the
application in the security context of the logged-on user. The worm exploits a bug in the application to cause the
computer to fail.
You need to ensure that Inventory.exe cannot be started by the worm, while still allowing the application to run as
a service.
What should you do?
A. In the computer settings section of the Default Domain Policy GPO, configure a software restriction policy that
contains a zone rule for the Internet zone. Configure the zone rule with a security level of Disallowed.
TestInside 70-291
B. In the user settings section of the Default Domain Policy GPO, configure a software restriction policy that
contains a zone rule for the Internet zone. Configure the zone rule with a security level of Disallowed.
C. In the user settings section of the Default Domain Policy GPO, configure a software restriction policy that
contains a hash rule for the Inventory.exe application. Configure the hash rule with a security level of Disallowed.
D. In the computer settings section of the Default Domain Policy GPO, modify the existing software restriction
policy hash rule for the Inventory.exe application so that the hash rule has a security level of Disallowed.
Answer: C
40. You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest.
The forest contains two domains named contoso.com and corp.contoso.com. The functional level of the forest and
the two domains is Windows Server 2003.
The corp.contoso.com zone is configured as an Active Directory-integrated zone. The corp.contoso.com zone is
also configured to replicate to all domain controllers in the domain.
The servers are configured as shown in the following table.
You plan to remove Server1 from the network. You need to install DNS to host the corp.contoso.com zone. Your
TestInside 70-291
solution must be fault-tolerant.
On which server or servers should you install DNS?
41. You are the network administrator for your company. The network consists of a single Active Directory
domain.
The domain contains an organizational unit (OU) named Webservers. The Webservers OU contains the computer
accounts of 12 Windows Server 2003 computers that function as intranet Web servers. A Group Policy object
(GPO) named WebserversPolicy is linked to the Webservers OU. The GPO is used to configure various settings on
the computers in the OU. A global group named WebserverAdmins is a member of the Administrators local group
on each intranet Web server.
You plan to install a security scanning application on each intranet Web server. The documentation for the
application states that it uses a service account, which must be able to modify the
HKEY_LOCAL_MACHINE\SYSTEM key in the registry of every computer on which the application is
installed.
You create the service account in the domain. The company's written security policy states that service accounts
must be assigned only the minimum rights and permissions that they require to function.
You need to configure the intranet Web servers so that they comply with the installation requirements of the
security scanning application. You also need to comply with the company's security policy. You want to achieve
this goal by using the minimum amount of administrative effort.
TestInside 70-291
What should you do?
A. Add the service account to the WebserverAdmins global group.
B. Configure the required permissions as registry security settings in the WebserversPolicy GPO.
C. Run the regedit.exe command to add the required permissions to the registry of each intranet Web server.
D. Run the explorer.exe command to modify NTFS permissions on the Systemroot\System32\Config\System file.
Assign the service account the Allow - Change permission.
E. Configure file system security settings in the WebserversPolicy GPO to modify NTFS permissions on the
Systemroot\System32\Config\System file. Assign the service account the Allow - Change permission.
Answer: B
42. You are the network administrator for your company. The network contains a Windows Server 2003 computer
named Server1.
Three administrators are members of the Administrators local group on Server1. Twelve other administrators are
members of the Domain Admins group. The Domain Admins group is also a member of the Administrators local
group on Server1.
Someone makes an unauthorized change to the HKEY_LOCAL_MACHINE\SYSTEM key in the registry on
Server1, which causes the computer to fail. You fix the problem.
You need to log all attempts to access the HKEY_LOCAL_MACHINE\SYSTEM key in the registry on Server1.
You decide to enable auditing in the local security policy on Server1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Enable auditing in the local security policy on Server1. Select the Audit object access (success and failure)
option in the audit policy.
B. Enable auditing in the local security policy on Server1. Select the Audit privilege use (success and failure)
option in the audit policy.
C. Enable auditing in the local security policy on Server1. Select the Audit system events (success and failure)
option in the audit policy.
D. Configure the SACL on the HKEY_LOCAL_MACHINE\SYSTEM key in the registry. Specify auditing of the
Full Control permission for Everyone.
E. Configure the SACL on the HKEY_LOCAL_MACHINE\SYSTEM key in the registry. Specify auditing of the
Set Value permission for Everyone.
TestInside 70-291
Answer: D AND A
43. You are the network administrator for your company. The network contains 25 servers and 1,000 client
computers.
The network architect has designed a software update infrastructure. You need to configure the software update
infrastructure. The configuration must meet the following requirements:
Client computers must receive critical updates from a Windows Server Update Services (WSUS) server.
Three WSUS servers must be available for critical updates.
Only servers in the perimeter network must be able to connect to the Internet.
Client computers must not be able to connect to servers in the perimeter network.
You install WSUS on four servers on the network.
Which configuration should you apply to the four WSUS servers?
Answer:
TestInside 70-291
44. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
The company has 16 sales representatives, who are mobile users. All 16 mobile users are members of the Power
Users local group on their computers. From 5:00 P.M. until 9:00 A.M., the sales representatives' portable
computers are usually turned off and disconnected from the corporate network.
The company's written security policy states that all portable computers that are used by the mobile sales
representatives must receive software updates from the Windows Update servers every day. User interaction with
the update process must be minimized.
On a portable computer named Client2, you verify the recent updates and notice that updates from the Windows
Update servers were not applied.
You need to ensure that software updates are applied to Client2 in compliance with company policy.
What should you do?
Answer:
TestInside 70-291
45. You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains 35 Windows Server 2003 computers; 3,000 Windows XP Professional computers;
and 2,000 Windows 2000 Professional computers.
Windows Server Update Services (WSUS) is installed on a server named Server1. The necessary Group Policy
object (GPO) is configured.
You need to confirm whether all computers in the domain have received all approved updates from Server1.
What should you do on Server1?
A. Install and configure Urlscan.exe.
B. At the command prompt, type gpresult /scope COMPUTER.
C. Open the WSUS console. Run the Status of Computers report.
D. Open the WSUS console. Run the Synchronization Results report.
Answer: C
TestInside 70-291
46. You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains 15 Windows Server 2003 computers and 3,000 Windows XP Professional client
computers. All computers are running the most recent service pack.
You install and configure Windows Server Update Services (WSUS) on a server named Server1. All client
computer accounts are in the Clients organizational unit (OU). You create a Group Policy object (GPO) named
WSUS.
Currently all client computers obtain their Windows security updates from Microsoft Update. You want all client
computers, and no other computers, to obtain their updates from Server1.
You need to configure all client computers to obtain Windows security updates from Server1. You need to
accomplish this task with the minimum amount of administrative effort.
What should you do?
A. Link the WSUS GPO to the domain. Configure the GPO to point to Server1 for automatic updates.
B. Link the WSUS GPO to the Clients OU. Configure the GPO to point to Server1 for automatic updates.
C. Link the WSUS GPO to the domain. Specify Clients as the target computer group in WSUS.
D. Link the WSUS GPO to the Clients OU. Specify Clients as the target computer group in WSUS.
Answer: B
47. You are the network administrator for your company. All client computers run Windows XP Professional. All
servers run Windows Server 2003.
The company has offices in Los Angeles, San Francisco, and Seattle. Each office is configured as a separate IP
subnet. DNS is the only method of name resolution used on the network.
You need to implement a software update infrastructure on the network. You install Windows Server Update
Services (WSUS) on a computer named Server1 in the Los Angeles office. You install WSUS on Server1 with all
default settings. You create a Group Policy object (GPO) named WSUS. You have no plans to install additional
WSUS servers.
You need to ensure that client computers can successfully connect to the WSUS server.
What should you do?
A. Configure the Internet browser home page on all client computers to point to http:
//windowsupdate.microsoft.com.
B. In the WSUS GPO, specify the Server Name property to be the server's fully qualified domain name (FQDN).
TestInside 70-291
C. On the WSUS server, configure the IIS Manager to require HTTP over SSL.
D. Enable communication over port 443 between all client computers and the WSUS server.
Answer: B
48. You are the network administrator for your company. The network consists of a single IP subnet. All servers
run Windows Server 2003. All client computers run Windows XP Professional.
You need to install Windows Server Update Services (WSUS) on a computer named Server1. Server1 has limited
hard disk space. Server1 stores a minimal amount of information locally. Client computers must install Microsoft
critical updates.
You need to ensure that client computers download updates directly from Microsoft Update. Only approved
updates should be downloaded.
What should you do?
A. Open the WSUS console. Specify the Update Source as Synchronize from Microsoft Update.
B. Open the WSUS console. Modify the synchronization option to not store updates locally.
C. Modify the default home page for all client computers to https: //windowsupdate.microsoft.com.
D. Configure the client Group Policy object (GPO) to use Microsoft Update as its update source.
Answer: B
49. You are the network administrator for your company. All servers run Windows Server 2003. All client
computers run Windows XP Professional.
You install Windows Software Update Services (WSUS) on a computer named Server1. This WSUS installation
must meet the following requirements:
Use the least amount of disk space on Server1.
All updates must be tested before being deployed to the client computers.
You clear the Automatically Approve Updates for Installation checkbox. You open the WSUS console.
You need to complete the installation and meet the requirements.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Change the Advanced Synchronization Options dialog box so that updates are not stored locally.
B. Change the Revisions to Updates setting so that new versions of previously approved updates are not
TestInside 70-291
automatically approved.
C. Change the Revisions to Updates setting to automatically approve all updates.
D. Remove the Critical Updates option from Updates Classifications.
Answer:A AND B
50. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
You need to implement a new software update infrastructure. You discover that security patches, critical updates,
and service packs have never been installed on any client computer on the network.
You install Windows Server Update Services (WSUS) on a Windows Server 2003 computer named Server5. You
synchronize and approve all of the current security patches, critical updates, and service packs.
You need to ensure that all client computers receive all Microsoft security patches, critical updates, and service
packs.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Open the WSUS console. Select the option to automatically approve WSUS updates.
B. Install the Automatic Updates client on all client computers.
C. Modify the Microsoft Update settings of the Default Domain Controller organizational unit (OU) Group Policy
object (GPO) to point client computers to http ://server5.
D. Modify the Microsoft Update settings of the Default Domain Policy Group Policy object (GPO) to point client
computers to http: //server5.
E. Open the WSUS console. Create a target group and assign all client computers to the group.
Answer:B AND D
51. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run either Windows 2000 Professional with
Service Pack 4 or Windows XP Professional.
You install Windows Server Update Services (WSUS) on a computer named Server2. You create a Group Policy
object (GPO) that configures all client computers to receive software updates from Server2.
One week later, you run Microsoft Baseline Security Analyzer (MBSA) on all client computers to find out
whether all updates are being applied. You discover that all of the Windows 2000 Professional client computers
TestInside 70-291
receive updates, but the Windows XP Professional client computers do not receive updates.
You verify that the GPO setting was applied on all Windows XP Professional computers.
You need to ensure that the Windows XP Professional client computers receive their updates from Server2.
What should you do?
A. Make all users of Windows XP Professional client computers members of the Administrators local group.
B. On all Windows XP Professional client computers, install the latest service pack.
C. On all Windows XP Professional client computers, use the gpupdate /force command.
D. On all Windows XP Professional client computers, delete the NoAutoUpdate value under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU.
Answer:B
52. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
You install Windows Server Update Services (WSUS) on a network server named Server1. When you attempt to
synchronize Server1 with the Windows Update servers, you receive an error message. You open Internet Explorer
and verify that you can communicate with an external Web site by using the proxy server.
You need to ensure that Server1 can communicate with the Windows Update servers.
What should you do on Server1?
A. Restart the IIS administration tool.
B. Configure the Internet Explorer settings to bypass the proxy server.
C. In the WSUS options, configure authentication to the proxy server.
D. Install the ISA Firewall Client.
Answer:C
53. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
A new low-priority update, Q318138, is released and is synchronized with the Windows Server Update Services
(WSUS) server on the network. You decide to approve the update without testing.
After the update is applied to client computers, users report that they can no longer run an accounting application.
TestInside 70-291
You need to remove the update from all client computers until you can test the update.
What should you do?
A. Clear the Automatically approve new versions of previously approved updates option on the WSUS server.
Resynchronize the server with the Windows Update server.
B. Clear the update for approval on the WSUS server. Resynchronize the server with the Windows Update servers.
C. Clear the update for approval on the WSUS server. Run the spuninst command from the
Systemroot\$NtUninstallQ318138$\spuninst directory on each client computer.
D. Clear the Automatically approve new versions of previously approved updates option on the WSUS server.
Delete the Systemroot\$NtUninstallQ318138$ directory on each client computer.
Answer: C
54. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional.
You install and configure a single server to run Windows Server Update Services (WSUS). You configure the
appropriate Group Policy settings to specify separate WSUS target groups for client and server computers.
You need to ensure that computers automatically assign themselves to the correct computer group.
What should you do?
A. In the WSUS console, configure Computer Options so that Use group policy or registry settings on computers
is selected.
B. In the WSUS console, configure Computer Options so that Use the Move Computers Task in Windows Server
Update Services is selected.
C. In the WSUS console, create the appropriate computer groups.
D. Create organizational units (OUs) for each group.
Answer: A AND C
55. You are the network administrator for your company. The company has offices in Seattle and Chicago. The
network consists of a single Active Directory forest. All servers run Windows Server 2003. All client computers
run Windows XP Professional with the latest service pack installed.
There is a Windows Server Update Services (WSUS) Server named Server1 in the Seattle office. Server1 is
configured to store updates locally.
You need to configure a WSUS server named Server2 in the Chicago office. The installation must meet the
TestInside 70-291
following requirements:
Client computers in Chicago must automatically receive the same updates as client computers in Seattle.
Client computers in Chicago must get updates from Server2.
What should you do?
A. Configure Server2 to inherit all settings from Server1. Assign all client computers in Chicago to a new Group
Policy object (GPO).
B. Configure Server2 to synchronize content from Server1. Assign all client computers in Chicago to a new Group
Policy object (GPO).
C. Configure Server2 to synchronize content from Microsoft Update. Assign the Chicago client computers to the
same Group Policy object (GPO) as the Seattle client computers.
D. Configure Server2 to synchronize content from Microsoft Update. Assign all client computers in Chicago to a
new Group Policy object (GPO).
Answer: A
56. You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003.
You need to update six high-visibility servers with critical updates by using Windows Server Update Services
(WSUS). You approve all of the updates.
You need to ensure that the updates are applied within one hour.
What should you do?
A. On the WSUS server, type the gpupdate /force command at the command prompt.
B. On the WSUS server, type the wuauclt /detectnow command at the command prompt.
C. On each of the six servers, type the gpupdate /force command at the command prompt.
D. On each of the six servers, type the wuauclt /detectnow command at the command prompt.
Answer: D
57. You are the network administrator for your company. The network consists of a single subnet. The network
contains 150 client computers and 16 servers. All computers on the network use the 10.10.0.0/16 addressing
scheme.
TestInside 70-291
Your manager instructs you to place the 16 servers into a separate subnet that uses the 192.168.1.0 public
addressing scheme. You must plan for a maximum of 30 servers in the future.
You need to configure a new subnet mask. The subnet mask must allow a sufficient number of IP addresses for the
existing servers and for future server growth. However, you want to conserve addresses as much as possible.
Which subnet mask should you use?
To answer, drag the appropriate subnet mask to the correct location in the dialog box.
58. You are a network administrator for City Power & Light. The network consists of a single Active Directory
domain named cpandl.com.
You install a new client-server application on a Windows Server 2003 computer named Server1. Server1 is not a
member of the domain. Server1 has static IP address 192.168.6.23. You install the client software on two
Windows XP Professional domain computers in order to test access to the application on Server1. You plan to
install the client software on 270 additional Windows XP Professional computers.
The client software must be able to resolve to Server1 by using the fully qualified domain name (FQDN)
server1.cpandl.com. A Windows Server 2003 computer named Server2 is the DNS server and has the IP address
192.168.6.1. The cpandl.com zone is configured to accept only secure updates.
When you run the ping command to 192.168.6.23, you receive valid replies. When you attempt to run the client
software on the two test computers, the software cannot locate Server1 and terminates. You need to correct this
problem with the minimum amount of administrative effort.
TestInside 70-291
What should you do?
A. From a command prompt on Server1, run the ipconfig /registerdns command.
B. On each of the two test computers, type the following line in the Hosts file:
server1.cpandl.com 192.168.6.23 #pre
C. Create an organizational unit (OU) named ApplicationServersOU.
Create a computer account named Server1 in ApplicationServersOU.
Set the Primary DNS Suffix Group Policy setting on an ApplicationServersOU Group Policy object (GPO) to
cpandl.com.
Restart Server1.
D. On Server2, enter a host (A) record for Server1 that displays Server1's IP address as 192.168.6.23.
On Server1, in the Computer Name Changes dialog box in System Properties, enter cpandl.com as the primary
DNS suffix of the computer.
Restart Server1.
E. On Server1 in the Internet Protocol (TCP/IP) Properties dialog box, in the Preferred DNS server field, type
192.168.6.1.
Answer: D
59. You are the network administrator for your company. The network consists of a single Active Directory
domain. The relevant portion of the network is shown in the exhibit. (Click the Exhibit button.)
TestInside 70-291
You need to configure a server named Server1 to use a valid static IP configuration. You need to enable Server1
to communicate with all hosts on the network and on the Internet. You want Server1 to query the DNS server on
the local subnet for name resolution. You also want to configure redundancy for name resolution.
What should you do?
Answer:
TestInside 70-291
60. You are the network administrator for City Power & Light. The network consists of a single Active Directory
domain named cpandl.com. The domain contains Windows Server 2003 computers and Windows XP Professional
computers.
A server named Server1 functions as a DHCP server, and a server named Server2 functions as a DNS server. The
relevant portion of the network is shown in the Network exhibit. (Click the Exhibit button.)
TestInside 70-291
You configure Server1 to distribute IP addresses to all of the client computers on the 10.9.7.0 subnet. The DHCP
server scope settings are shown in the DHCP exhibit. (Click the Exhibit button.)
All users of client computers on the 10.9.7.0 subnet report that they can see each other's computers in My
Network Places but cannot access the Internet or the 10.9.8.0 subnet. Users of client computers in the 10.9.7.0
network cannot access servers on either subnet.
Users of client computers on the 10.9.8.0 subnet can access servers on both subnets and can access the Internet.
All servers use static IP addresses.
You need ensure that all client computers can access the Internet.
What should you do?
A. On Server2, configure the DHCP Relay Agent.
B. On Server2, add a host (A) record for Server1 at address 10.9.8.91.
TestInside 70-291
C. On Server1, authorize DHCP.
D. On Server1, activate the 10.9.7.0 scope.
E. On Server1, disable the 001 Microsoft Disable Netbios Option option.
Answer: A
61. You are the network administrator for your company. The network consists of a single subnet. A Windows
Server 2003 computer named Server1 functions as a DHCP server.
Server1 leases IP addresses in the 10.1.1.0/24 range to desktop client computers. There are 12 client reservations
for other servers and network printers. You have configured several detailed scope and server options.
If Server1 fails, you want to have a contingency plan that will allow you to use a domain controller named DC2 as
a DHCP server as quickly as possible. You install DHCP on DC2 without any configuration and stop the DHCP
Server service.
You want to list the tasks that are required to back up Server1 and the tasks that are required to restore the backup
to DC2. A backup age of 24 hours or less is acceptable.
If Server1 fails, which set of tasks is required to enable DC2 to replace Server1 as the DHCP server?
A. On Server1: Schedule the Backup utility to back up the System State data to tape every 24 hours.
On DC2: Perform a non-authoritative System State restore. Using the Services console, start the DHCP Server
service. Authorize DHCP. Reconcile the database.
B. On Server1: Use the Backup utility to schedule a tape backup of the DHCP database every 24 hours.
On DC2: Restore the tape backup of the DHCP database to a folder. Using the DHCP console, restore the backup
from the same folder. From the command prompt, type net start dhcpserver. Authorize DHCP.
C. On Server1: Schedule the Backup utility to back up the System State data to tape every 24 hours.
On DC2: Perform an authoritative System State restore. Manually re-create the server and scope options that were
on Server1. From a command prompt, type net start dhcpserver. Authorize DHCP.
D. On Server1: Use the DHCP console to perform a DHCP backup every 24 hours. Copy the backup on a network
share that is accessible by DC2.
On DC2: Copy the backup to a local folder. Using the DHCP console, restore the backup from the local folder.
From a command line, type net start dhcp. Authorize DHCP. Re-create the 12 client reservations.
Answer: B
TestInside 70-291
62. You are the network administrator for your company. The network contains 1,300 Windows XP Professional
computers. All client computers receive their IP addresses from a DHCP server.
You are configuring a DHCP scope to assign addresses to the client computers. You need to place all the client
computers in the same subnet.
You need to reserve 100 addresses for servers and printers that will not receive IP address assignments
automatically. To allow for future growth, you need to configure the scope to host 3,800 client computers.
How should you configure the scope?
Answer:
TestInside 70-291
63. You are a network administrator for Alpine Ski House. The network consists of a single Active Directory
domain named alpineskihouse.com.
Your company acquires a company named Adventure Works. The Adventure Works network consists of a single
Active Directory domain named adventure-works.com.
A server named Server32 is a network-management application server in the adventure-works.com domain.
Server32 accesses all of the desktop client computers to perform automated software upgrades and hardware
inventory. The network-management software on Server32 references desktop computers by unqualified host
names, which are resolved to clientname.adventure-works.com by using a DNS server.
You join Server32 to your domain to become server32.alpineskihouse.com. The Server32 IP address is
10.10.10.90.
You are gradually migrating all adventure-works.com desktop client computers to your domain to become
clientname.alpineskihouse.com. You do not have access to the adventure-works.com DNS server. When Server32
attempts to apply an update to the client computers, the network-management software returns many alerts that
say that desktop computers cannot be found.
You want to allow the network-management software on Server32 to resolve unqualified client computer host
names in adventure-works.com or alpineskihouse.com, and you want to use the minimum amount of
administrative effort.
What should you do?
A. On the DNS server for alpineskihouse.com, add a zone for adventure-works.com. Create a host (A) record for
server32.adventure-works.com that points to 10.10.10.90.
B. On Server32, in System Properties, type adventure-works.com in the Primary DNS suffix of this computer field
in the DNS Suffix and Netbios Computer Name setting.
C. On Server32, configure a Hosts file that contains the name and IP address of every network computer.
D. On Server32, in Advanced TCP/IP Settings, add adventure-works.com and alpineskihouse.com to the Append
these DNS suffixes (in order) setting.
Answer: D
64. You are the network administrator for A. Datum Corporation. The company uses the adatum.com namespace
for its internal network.
The company network consists of two networks that are connected by a WAN link. The 10.9.9.0 network uses the
TestInside 70-291
10.9.9.0/24 address. The 10.9.8.0 network uses the 10.9.8.0/24 address.
The relevant portion of the network is shown in the exhibit. (Click the Exhibit button.)
The network contains the DNS servers that are configured as shown in the following table.
In the 10.9.9.0/24 network, a server named Server1 frequently needs to resolve names in the adatum.com
namespace and on the Internet. You need to configure the TCP/IP properties of Server1 to use the most efficient
server as its preferred DNS server.
The number of hops required to resolve any name must be kept to a minimum. You also need to minimize the
amount of network traffic that is caused by name resolution.
On Server1, which DNS server should you configure as the preferred DNS server?
A. DNS1
B. DNS2
C. DNS3
D. 131.107.5.1
TestInside 70-291
Answer: C
65. You are the network administrator for Contoso, Ltd. The network contains two Windows Server 2003
computers and 220 Windows XP Professional computers. You plan to add 75 Windows XP Professional computers
to a new subnet on the network.
A server named Server1 hosts the DNS services for the network. You place Server1 in the new subnet. A server
named Server2 hosts the DHCP services for the network. The router is configured as a DHCP relay agent.
You place a client computer named Client1 in the new subnet. The relevant portion of the network is shown in the
Network exhibit. (Click the Exhibit button.)
You configure the DHCP server with two scopes. One scope leases IP addresses to client computers on the
192.168.0.0 subnet. The other scope leases IP addresses to the 192.168.5.0 subnet.
You test the new configuration with Client1. Client1 can ping Server2 by its IP address, but not by the name
Server2.contoso.com. Client1 can ping Server1 by both its name and its IP address. You run the ipconfig
command to verify the IP configuration of Client1. The results are shown in the IP Configuration exhibit. (Click
the Exhibit button.)
TestInside 70-291
You need to configure Client1 so that it can address all the hosts on the network by their names.
How should you configure the DHCP service for the 192.168.0.0 scope on Server2?
A. Set the default gateway as 192.168.0.100.
B. Set the subnet mask to 255.255.0.0.
C. Set the primary DNS suffix to contoso.com.
D. Set the IP address of the DNS server to 192.168.0.100.
Answer: D
66. You are a network administrator for your company's main office in Chicago. The main office contains 3,000
desktop computers.
A Windows Server 2003 computer named Server14 is the DHCP server for the network. The hardware
configuration of Server14 is shown in the following table.
Server14 is capable of supporting two processors.
Nine hundred users from a branch office relocate to the main office in Chicago. The help desk reports that client
computer IP addresses take an unusually long time to renew. You confirm that network utilization is within
TestInside 70-291
acceptable limits. You notice that in the DHCP Server performance object, the milliseconds per packet (Avg.)
counter is 40 percent higher than the baseline.
You run System Monitor to baseline Server14 during normal business hours. You observe the performance results
shown in the following table.
You want to improve the performance of Server14.
What should you do on Server14?
A. Move the database path to drive E.
B. Move the database path to drive D.
C. Increase RAM to 1024 MB.
D. Add an additional processor.
Answer: A
67. You are a network administrator for your company. The network consists of a single Active Directory domain.
You manage the 10.10.0.0 subnet and the 10.9.0.0 subnet. The relevant portion of the network is shown in the
exhibit. (Click the Exhibit button.)
TestInside 70-291
The DHCP server for the domain is a member server named Server9. Server9 successfully leases IP addresses to
600 desktop client computers and 200 portable computers. The portable computers connect to one subnet or the
other during each day. Desktop client computers and portable computers run Windows XP Professional.
Several portable computer users on the 10.10.0.0 subnet report that they receive error messages indicating
duplicate IP addresses. Users with these errors cannot be authenticated by the domain controllers. You examine
the DHCP log file on Server9 and notice several NACK messages.
What is the most likely cause of these errors?
A. Server9 is not authorized.
B. The DHCP scope is not activated.
C. The router is not a BOOTP router.
D. A Windows NT Server 4.0 DHCP server is on the network.
E. A Windows Server 2003 DHCP server with workgroup membership and an activated 10.10.0.0 scope is on the
network.
Answer: D
68. You are a network administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. Client computers run Windows XP Professional, Windows 2000
TestInside 70-291
Professional, or Windows NT Workstation. All client computers are configured with default settings.
A server named Server1 functions as a DHCP and DNS server. All client computers are configured to use Server1
for name resolution. All DNS zones on Server1 are enabled for DNS dynamic updates. The company's written
security policy states that, when possible, the computer account for each client computer should be the owner of
its own DNS host record.
A server named Server18 contains antivirus server software. Server18 must be able to contact client computers by
using fully qualified domain names (FQDNs) to propagate virus definition updates.
You need to ensure that Server18 can resolve FQDNs for all client computers on the network.
Which option should you modify on Server1?
A. the Dynamically update DNS A and PTR records only if requested by the DHCP clients check box
B. the Always dynamically update DNS A and PTR records check box
C. the Discard A and PTR records when lease is deleted check box
D. the Dynamically update DNS A and PTR records for DHCP clients that do not request dynamic updates (for
example, clients running Windows NT 4.0) check box
Answer: D
69. You are the network administrator for your company. The network consists of a single Active Directory
domain and two subnets. The network contains a Windows Server 2003 computer named Server2. On Server2,
Routing and Remote Access is enabled and is configured as a dial-up server. A Windows Server 2003 computer
named Server3 functions as a DHCP server.
Server3 is authorized in the domain and leases 192.168.1.0/24 addresses to desktop client computers on the LAN
and to Server2 for dial-up user connections.
On Thursday, several dial-up users report that they cannot connect to Server2. You open DhcpSrvLog-Thu.log and
notice several lines that are partially shown in the following list.
15,...NACK,192.168.1.107,server2
15,...NACK,192.168.1.103,server2
15,...NACK,192.168.1.104,server2
15,...NACK,192.168.1.105,server2
15,...NACK,192.168.1.106,server2
15,...NACK,192.168.1.108,server2
TestInside 70-291
15,...NACK,192.168.1.110,server2
You want the dial-up users to have successful connections, and you want to avoid disrupting the LAN.
What should you do?
A. Delete the scope and create a new one in the 10.10.0.0 class.
B. On Server3, configure the Conflict detection attempts setting to 2.
C. For the default Routing and Remote Access Class, create a 051 Lease scope option lease duration that uses a
longer lease duration than the LAN.
D. Configure a static address pool on Server2 for the dial-up client computers.
Answer: D
70. You are the network administrator for the Paris branch office of Fourth Coffee.
The Paris office has a Windows Server 2003 DNS server named Server10. Server10 hosts a DNS primary zone
named fourthcoffee.com. All computers in the Paris office are configured to use Server10 as their preferred DNS
server.
The Berlin branch office of Fourth Coffee has a UNIX DNS server named Server11. Server11 hosts a primary
zone named engineering.fourthcoffee.com. The refresh interval of the engineering.fourthcoffee.com zone is set to
24 hours.
In the Berlin office, a firewall filters all incoming network traffic from other offices. A rule on this firewall
prevents all computers from the Paris office network, except Server10, from performing DNS lookups against
Server11.
There is a business requirement that no delay should occur between the time that a new record is created in the
engineering.fourthcoffee.com zone and the time that the record can be resolved from any computers in the Paris
office. All computers in the Paris office must be able to resolve names in the engineering.fourthcoffee.com
namespace.
You need to configure DNS on Server10 to meet the requirements.
What should you do?
A. Set up a stub zone named engineering.fourthcoffee.com.
B. Set up conditional forwarding to Server11 for the engineering.fourthcoffee.com namespace.
C. In the fourthcoffee.com zone, set up a delegation to the engineering.fourthcoffee.com zone on Server11.
D. Set up a secondary zone named engineering.fourthcoffee.com that has Server11 as master.
TestInside 70-291
Answer: B
71. You are the network administrator for A. Datum Corporation. The company registers the DNS domain name
adatum.com. The adatum.com DNS domain will contain the host name records for three servers in the company
that are accessible from the Internet. One of these servers functions as a Web server, one functions as an FTP
server, and one functions as a mail server.
The primary name server for the adatum.com zone is a Windows Server 2003 computer named DNS01. DNS01 is
on a network segment that is accessible from the Internet.
The company also wants to use the DNS namespace adatum.com to register hosts from the internal network. The
internal network is protected by a firewall that filters traffic from the Internet. The written company security
policy states that host names on the internal network must not be resolved by queries from the Internet.
You install Windows Server 2003 on a computer named DNS02. DNS02 will be used to allow computers on the
internal network to resolve host names in the adatum.com namespace. All computers on the internal network will
be configured to use DNS02 as their DNS server. The company network is configured as shown in the exhibit.
(Click the Exhibit button.)
You need to configure DNS01 and DNS02 so that all computers on the internal network can resolve the host
names of
other computers on the internal network, and
TestInside 70-291
the three servers that are accessible from the Internet.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a primary DNS zone named adatum.com on DNS02.
B. Create a secondary DNS zone named adatum.com on DNS02.
C. Configure DNS forwarding from DNS02 to DNS01.
D. Configure DNS forwarding from DNS01 to DNS02.
E. Manually add a host (A) record for each computer on the internal network to the adatum.com zone on DNS01.
F. Manually add a host (A) record for each Internet-accessible computer to the adatum.com zone on DNS02.
Answer: A AND F
72. You are the network administrator for Margie¡’s Travel. The network consists of a single Active Directory
forest that contains two domains named europe.margiestravel.com and namerica.margiestravel.com.
The network contains Windows Server 2003 computers and Windows XP Professional computers. All client
computers and 25 servers are dynamically assigned IP addresses by DHCP.
All company computers are registered in either the europe.margiestravel.com DNS zone or the
namerica.margiestravel.com DNS zone. All DNS servers contain copies of all zones. The written company
network management policy states that computers cannot have duplicate host names. Client computers always
connect to other computers by specifying only the name of the target computer. A fully qualified domain name
(FQDN) is not required.
You need to configure the client computers to ensure that all computer names can be resolved by using DNS
without the domain name being specified. The configuration of client computers must be automated so that they
do not need to be manually reconfigured if an additional domain is added to the forest.
What should you do?
A. Configure the Append these DNS suffixes option in the DNS client configuration of each client computer.
B. Configure the 015 DNS Domain Name option on all DHCP scopes.
C. Configure the Default Domain Policy Group Policy object (GPO) in each domain. Enable the DNS Suffix
Search List policy setting in the GPO.
D. Configure the Default Domain Policy Group Policy object (GPO) in each domain. Enable the Primary DNS
Suffix policy setting in the GPO.
Answer: C
TestInside 70-291
73. You are a network administrator for Tailspin Toys. The network consists of three Active Directory domains
named tailspintoys.com, asia.tailspintoys.com, and pacific.tailspintoys.com.
An Active Directory application partition named asiapacificregion.tailspintoys.com has replicas on all domain
controllers in the asia.tailspintoys.com and pacific.tailspintoys.com domains. Another Active Directory
application partition named asiapacificdns.tailspintoys.com has been created on one of the DNS servers in the
asia.tailspintoys.com domain.
All the DNS servers run Windows Server 2003 and are configured as domain controllers. The DNS zones named
tailspintoys.com, asia.tailspintoys.com, and pacific.tailspintoys.com are Active Directory-integrated zones.
Company DNS management standards specify that all DNS zones must be replicated by using Active Directory.
The intranet administrator of the Asia-Pacific regional division of the company wants a separate DNS zone to be
created. This zone will be used to register host names for a regional intranet implementation. This zone must be
replicated to all domain controllers in only the asia.tailspintoys.com and pacific.tailspintoys.com domains. The
new zone will be named asiapacific.tailspintoys.com.
You must create the asiapacific.tailspintoys.com zone. You need to choose the appropriate configuration settings
to meet the requirements.
How should you configure the asiapacific.tailspintoys.com zone?
Answer:
74. You are the network administrator for Blue Yonder Airlines. All network servers run either Windows Server
TestInside 70-291
2003, Windows 2000 Server, or Windows NT Server 4.0. All client computers run either Windows XP
Professional, Windows 2000 Professional, Windows NT Workstation 4.0, or Windows 98.
The network consists of an Active Directory domain named blueyonderairlines.com. All domain controllers in the
domain run Windows Server 2003. All domain controllers also have the DNS service installed and host an Active
Directory-integrated zone named blueyonderairlines.com. A Windows Server 2003 member server assigns IP
addresses to all computers in the company. All IP addresses are assigned from the 10.1.0.0/24 scope.
All computers in the company must always be registered automatically in the blueyonderairlines.com zone,
regardless of the local TCP/IP configuration settings. Only computers that have valid computer accounts in the
Active Directory domain must be able to register host (A) records in the zone. If a computer is removed from the
network, the associated name registration must be removed from DNS.
You are configuring the blueyonderairlines.com DNS zone and the 10.1.0.0/24 DHCP scope to comply with the
stated requirements.
Which configuration settings should you use?
Answer:
TestInside 70-291
75. You are the network administrator for Trey Research.
Trey Research uses a DNS namespace named treyresearch.com on the company intranet. Three hundred records
have been manually created in the treyresearch.com zone for hosts that do not support dynamic updates. The
treyresearch.com primary zone is currently located on a Windows Server 2003 computer named DNS01. No
secondary zone is currently configured.
The company purchases a new computer to function as the primary name server for the treyresearch.com zone.
The new computer will be named DNS02. When DNS02 is configured, DNS01 must be reconfigured to host
treyresearch.com as a secondary zone.
You install Windows Server 2003 on DNS02 and add the DNS service. You need to configure DNS02 to host the
primary zone for the treyresearch.com namespace. The records that are currently in the treyresearch.com zone
must be retained. You want to ensure that all host names can be resolved immediately after DNS02 becomes the
new primary name server for the zone.
What should you do?
A. On DNS02, set up a primary zone named treyresearch.com.
Copy the file %systemroot%\system32\dns\treyresearch.com.dns from DNS01 to the same location on DNS02.
On DNS01, delete the treyresearch.com primary zone.
On DNS01, set up a secondary zone named treyresearch.com.
B.On DNS02, set up a primary zone named treyresearch.com.
TestInside 70-291
Enable dynamic updates on the zone.
On DNS01, delete the treyresearch.com primary zone.
On DNS01, set up a secondary zone named treyresearch.com.
C.On DNS02, set up a secondary zone named treyresearch.com.
Add a name server (NS) record for DNS02 to the treyresearch.com primary zone.
On DNS02, change the zone type of the treyresearch.com secondary zone to a primary zone.
On DNS01, delete the treyresearch.com primary zone.
On DNS01, set up a secondary zone named treyresearch.com.
D.On DNS02, set up a stub zone named treyresearch.com.
Add a name server (NS) record for DNS02 to the treyresearch.com primary zone.
On DNS02, change the zone type of the treyresearch.com stub zone to a primary zone.
On DNS01, delete the treyresearch.com primary zone.
On DNS01, set up a secondary zone named treyresearch.com.
Answer: C
76. You are the network administrator for Wingtip Toys. The network consists of a single Active Directory domain
named wingtiptoys.com. The Active Directory-integrated DNS zone named wingtiptoys.com is replicated to all
domain controllers. Only domain controllers have the DNS service installed.
The network management department requires all hosts in the manufacturing division to be registered in the DNS
namespace manufacturing.wingtiptoys.com. The manufacturing.wingtiptoys.com namespace does not exist on any
of the DNS servers.
You need to add support for the manufacturing.wingtiptoys.com namespace to all the existing DNS servers. To
reduce administrative overhead, you want to find a solution that will not require reconfiguration if DNS servers
are added to the domain in the future.
What should you do?
A. Create a subdomain named manufacturing in the wingtiptoys.com zone.
B. Create a delegation named manufacturing in the wingtiptoys.com zone.
C. Create a stub zone for manufacturing.wingtiptoys.com.
D. Create a primary zone for manufacturing.wingtiptoys.com that is not Active Directory-integrated.
Answer: A
TestInside 70-291
77. You are the network administrator for The Phone Company. The network consists of a single Active Directory
domain. All servers run either Windows Server 2003 or Windows 2000 Server. All client computers run either
Windows 2000 Professional or Windows XP Professional. The DNS service is installed on three Windows Server
2003 computers that are configured as domain controllers.
The company's network management standards state that a DNS domain must be created for each regional
division in the company.
A new regional division named South America is added to the company. You need to create a corresponding DNS
zone named samerica.thephone-company.com.
The network management standards contain the following additional requirements.
All hosts must be registered in DNS.
All DNS records must be kept up-to-date at all times, and any changes to the host name or IP address must be
updated on the DNS record.
When hosts are removed from the network, the corresponding DNS records must be deleted.
To prevent problems caused by duplicate computer names, one host must not be able to overwrite another host¡¯s
entry in DNS.
To reduce administrative effort, all possible administrative tasks should be automated.
To allow for different requirements between departments, configuration changes should, where possible, be
applied only to individual zones.
You must configure the samerica.thephone-company.com zone to meet the stated requirements.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Create a primary zone named samerica.thephone-company.com, and ensure that the Store the zone in Active
Directory option is disabled.
B. Create a primary zone named samerica.thephone-company.com, and ensure that the Store the zone in Active
Directory option is enabled.
C. Enable automatic scavenging of stale resource records on all the DNS servers, and configure the scavenging
options on the samerica.thephone-company.com zone.
D. Configure the Expires after setting on the samerica.thephone-company.com zone to be 1 days.
E. Configure the Dynamic updates setting on the samerica.thephone-company.com zone to be Secure only.
F. Configure the Dynamic updates setting on the samerica.thephone-company.com zone to be Secure and
nonsecure.
Answer: B AND C AND E
TestInside 70-291
78. You are the network administrator for Litware, Inc. The network consists of a single Active Directory domain
named litwareinc.com. The domain DNS servers are configured as shown in the following table.
You uninstall DNS from Server2 and reconfigure Server2 as a file server. Then you reconfigure Server4 as a
caching-only server. Next, you reconfigure the domain controllers to use Active Directory-integrated DNS zones.
You need to eliminate unnecessary zone transfer activity on the network.
What should you change in the Notify dialog box?
Answer:
79. You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domain
named contoso.com. The network topology is shown in the exhibit. (Click the Exhibit button.)
TestInside 70-291
The configurations of the DNS servers that host the zone named contoso.com are shown in the following table.
The refresh interval for the zone is one hour. The zone contains 10,000 records.
The network connection to Caracas is operating at 90 percent of capacity.
You remove Server3 from the network to perform hardware maintenance. Two hours later, you bring Server3 back
on the network.
You need to ensure that Server3 can immediately provide accurate responses to client computer requests for data.
You also need to ensure that no unnecessary network traffic is generated by the DNS servers.
What should you do on Server3?
A. Transfer the zone from the master server.
B. Reload the zone from the master server.
C. Update server data files.
D. Scavenge stale resource records.
Answer: A
80. You are the network administrator for Contoso, Ltd. The network consists of a single Windows Server 2003
DNS zone named contoso.com. The network topology is shown in the exhibit. (Click the Exhibit button.)
TestInside 70-291
All network servers run Windows Server 2003. All IP addresses are statically assigned. The primary DNS zone for
contoso.com is hosted on a server at the company's main office in Cairo. Secondary zones for contoso.com are
hosted on servers in the branch offices.
Another administrator reports that network utilization is at 90 percent of capacity. You reconfigure the refresh
interval and the minimum default Time to Live (TTL) interval for the contoso.com zone, as shown in the
following table.
You need to configure the start of authority (SOA) resource record properties for the contoso.com zone. You also
need to ensure that the server in the Cairo office will continue to attempt zone transfers if an initial attempt fails.
What should you do?
A. Configure the contoso.com zone to expire after 1 hour.
B. Configure the contoso.com zone to expire after 4 hours.
C. Configure the contoso.com zone to expire after 20 seconds.
D. Configure the retry interval to be 1 hour.
E. Configure the retry interval to be 4 hours.
F. Configure the retry interval to be 20 seconds.
Answer: D
81. You are a network administrator for Litware, Inc. The company's main office is located in Lima, and branch
offices are located in five other cities. The network consists of a single DNS domain named litwareinc.com. The
TestInside 70-291
network configuration is shown in the exhibit. (Click the Exhibit button.)
All network servers run Windows Server 2003. All client computer IP addresses are assigned by using a DHCP
server that is located in each office. Client computers are reimaged often and are assigned new names each time
they are reimaged. All client computers are configured to reference their local DNS server as the preferred DNS
server and to reference the central DNS server as the alternate DNS server.
A primary zone for litwareinc.com is configured on a server in the Lima office. Secondary zones are configured
on a server in each branch office. The retry interval, the refresh interval, the expiration interval, and the default
minimum Time to Live (TTL) interval are configured with the default settings.
Network bandwidth utilization averages 40 percent. The network connection between the Lima office and the
Bogota office fails an average of twice per day.
Users in the Bogota office occasionally receive incorrect responses to queries against the local DNS server when
the network connection is interrupted during a zone transfer.
You need to change the configuration of the start of authority (SOA) resource record for litwareinc.com. In
addition, you need to reduce the possibility that users can query local DNS zones before successful zone transfers
occur.
What should you do?
A. Change the retry interval to 12 hours.
B. Change the default minimum Time to Live (TTL) to 2 days.
C. Change the refresh interval to 2 days.
D. Change the expiration interval to 12 hours.
Answer: D
TestInside 70-291
82. You are the network administrator for Contoso, Ltd. The network consists of two Active Directory domains
named contoso.com and corp.contoso.com. All DNS zones are configured to be Active Directory-integrated zones.
You create a global security group named ConsoleAdmins in corp.contoso.com. You add a member of the Domain
Users global group named Anne to ConsoleAdmins.
Anne logs on to her Windows XP Professional computer named Computer1. Anne runs the nslookup command
and receives the output shown in the exhibit. (Click the Exhibit button.)
You need to configure the zone properties to ensure that Anne can list the contents of corp.contoso.com from
Computer1.
What should you do?
A. Allow zone transfers to 192.168.2.47.
B. Allow zone transfers to 192.168.2.45.
C. Allow zone transfers to 192.168.2.27.
D. Allow zone transfers to 169.254.25.142.
E. Assign the ConsoleAdmins group the Allow - Full Control permisson.
F. Assign the ConsoleAdmins group the Allow - List Contents permission.
Answer: C
83. You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domain
named contoso.com. The domain contains 10 Windows Server 2003 computers.
TestInside 70-291
The domain controllers are also configured as DNS servers. Each DNS server hosts an Active Directory-integrated
forward lookup zone named contoso.com. The DNS servers are also configured with a reverse lookup zone named
192.168.1.x Subnet.
The DHCP server is configured with a scope that has the following properties:
an IP address range from 192.168.1.1 - 192.168.1.254
a subnet mask of 255.255.255.0
an exclusion range from 192.168.1.1 - 192.168.1.55
scope options that include the assignment of a DNS server and a WINS server
The existing servers have static IP addresses within the range of 192.168.1.1 - 192.168.1.10.
You assign a static IP address to a new UNIX server named Server1.
You need to create a new host (A) resource record for Server1. In addition, you need to ensure that the DNS
servers will respond to reverse lookup queries against the IP address for Server1. You also need to maximize the
security and availability of the A record for Server1.
What should you do?
Answer:
84. You are the network administrator for Margie¡¯s Travel. The network consists of an Active Directory forest
named margiestravel.com. The IT department manages the forest root domain, which is named margiestravel.com.
TestInside 70-291
The root domain contains three Windows Server 2003 domain controllers named DC01, DC02, and DC03. These
three domain controllers have the DNS service installed. The configuration of the margiestravel.com zone is
shown in the exhibit. (Click the Exhibit button.)
You view the event logs of the domain controllers. You notice that there are frequent failures of Active Directory
transactions, which are caused by DNS lookup failures against the margiestravel.com zone. You discover that the
data in the DNS zones on DC03 is out of date.
You need to find out why the DNS data on DC03 is out of date.
What should you do on DC03?
A. Use the Replmon utility to look for Active Directory replication errors.
B. Use Event Viewer to examine the DNS Server log for zone transfer errors.
C. Enable debug logging and examine the log file for transfer packets.
D. Use System Monitor to monitor the DNS\Zone Transfer Failure counter.
Answer: A
85. You are the DNS administrator for Adventure Works.
TestInside 70-291
Adventure Works is an Internet service provider (ISP) that hosts Web sites for many companies. Each Adventure
Works DNS server hosts multiple DNS zones for customers. Several Adventure Works administrators are allowed
to add DNS zones.
You want to produce a weekly report that will list all the zones that are hosted on each DNS server.
What should you do?
A. Use the dnslint utility to query each DNS server.
B. Use the dnscmd utility to query each DNS server.
C. Use the nslookup utility to query each DNS server.
D. Use the adsiedit utility to query Active Directory for a list of DNS zones.
Answer: B
86. You are the network administrator for Fabrikam, Inc. The network consists of a single Active Directory
domain named fabrikam.com. A Windows Server 2003 computer named Server1 functions as the DNS server for
the domain.
Wingtip Toys is a division of Fabrikam, Inc. The Wingtip Toys network consists of a single Active Directory
domain named wingtiptoys.com. Server1 is a secondary zone server for wingtiptoys.com.
You are monitoring notification traffic between the two domains. You need to keep a record of when the primary
DNS server for wingtiptoys.com informs Server1 of available changes in the wingtiptoys.com zone.
What should you do?
A. Use the Performance console to create a log of the DNS performance counter Notification Received on
Server1.
B. Enable debug logging on Server1. Configure the log to record Notification events.
C. Run the replmon command to monitor replication events on Server1.
D. Run the dcdiag command to check DNS registration on Server1.
Answer: B
87. You are the network administrator for Fabrikam, Inc. The network consists of a single Active Directory
domain named fabrikam.com.
A Windows Server 2003 computer named Server1 is the only DNS server in the domain. It hosts no other zones.
TestInside 70-291
Users report that connecting to computers within the fabrikam.com domain is slow.
You need to find out whether DNS client traffic on Server1 is causing this problem.
What should you do?
A. Use System Monitor to create a log of the DNS counters Dynamic updates/sec and Total queries/sec.
B. Use System Monitor to create a log of the NetworkInterface counter Total bytes/sec.
C. Enable debug logging on Server1. Configure the log to capture Notification events.
D. Enable debug logging on Server1. Configure the log to capture Update events.
Answer: A
88. You are the network administrator for Contoso, Ltd. The network consists of two DNS domains named
contoso.com and south.contoso.com.
A Windows Server 2003 computer named Server1 is a domain controller and DNS server for contoso.com.
Server1 is also a secondary zone server for south.contoso.com.
A Windows 2000 Server computer named Server2 is a domain controller and the DNS server for
south.contoso.com.
The two DNS domains are connected through an ISDN line.
You need to monitor the successful incremental zone transfers from south.contoso.com to contoso.com.
What should you do?
To answer, configure the appropriate option or options in the dialog box, and drag the appropriate computer and
counter to the correct locations. (Not all parts of the dialog box are active.)
Answer:
TestInside 70-291
89. You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains 35 Windows Server 2003 computers; 3,000 Windows XP Professional computers;
and 2,200 Windows 2000 Professional computers.
The written company security policy states that all computers in the domain must be examined, with the following
goals:
to find out whether all available security updates are present
to find out whether shared folders are present
to record the file system type on each hard disk
You need to provide this security assessment of every computer and verify that the requirements of the written
security policy are met.
What should you do?
A. Open the Default Domain Policy and enable the Configure Automatic Updates policy.
B. Open the Default Domain Policy and enable the Audit object access policy, the Audit account management
policy, and the Audit system events policy.
C. On a server, install and run mbsacli.exe with the appropriate configuration switches.
D. On a server, install and run HFNetChk.exe with the appropriate configuration switches.
Answer: C
TestInside 70-291
90. You are a network administrator for your company. The network consists of a single Active Directory domain.
The domain contains three Windows Server 2003 domain controllers, 20 Windows Server 2003 member servers,
and 750 Windows XP Professional computers. The domain is configured to use only Kerberos authentication for
all server connections.
A user reports that she receives an "Access denied" error message when she attempts to connect to one of the
member servers. You want to test the functionality of Kerberos authentication on the user's client computer.
Which command should you run from the command prompt on the user's computer?
A. netsh
B. netdiag
C. ktpass
D. ksetup
Answer: B
91. You are the network administrator for Humongous Insurance. The network consists of a single Active
Directory domain named humongous.com. The domain contains Windows Server 2003 computers and Windows
XP Professional computers.
You configure several Group Policy objects (GPOs) to enforce the use of IPSec for certain types of
communication between specified computers.
A server named Server2 runs the Telnet service. A GPO is supposed to ensure that all Telnet connections to
Server2 are encrypted by using IPSec. However, when you monitor network traffic, you notice that Telnet
connections are not being encrypted.
You need to view all of the IPSec settings that are applied to Server2 by GPOs.
Which tool should you use?
A. the IP Security Policy Management console
B. the IP Security Monitor console
C. the Resultant Set of Policy console
D. Microsoft Baseline Security Analyzer (MBSA)
Answer: C
TestInside 70-291
92. You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains Windows Server 2003 computers and Windows XP Professional computers.
On a server named Server1, you configure Routing and Remote Access to be a remote access server. All remote
access client computers obtain an IP address from a DHCP server. You create remote access policies and verify
that users can establish dial-up connections to Server1.
Users report that they cannot access other computers on the network while dialed in to Server1.
You need to ensure that remote access users can connect to all computers on the company network while dialed in
to Server1. In the Routing and Remote Access console, you select the properties page for Server1.
What should you do next?
To answer, configure the appropriate option or options in the Server1 properties.
Answer:
93. You are a network administrator for your company.
A Windows Server 2003 computer named Server1 is exhibiting connectivity problems. You monitor Server1 by
using System Monitor and Network Monitor. While monitoring, you notice that Server1 has approximately 4 MB
TestInside 70-291
of available memory, and the average CPU utilization is running at 95 percent. When you investigate the Network
Monitor capture, you notice that some network packets sent to Server1 during the capture have not been captured.
You need to ensure that the impact of monitoring on Server1 is reduced and that all packets sent to the computer
are captured.
What should you do?
A. From a command prompt, run the diskperf command.
B. Run Network Monitor in dedicated capture mode.
C. Configure a Network Monitor capture filter.
D. Increase the buffer size in Network Monitor.
Answer: B
94. You are the network administrator for your company. The Denver office is currently connected to the corporate
WAN by using a Windows Server 2003 computer named Server23.
Server23 is configured as a dial-up router. Server23 has two network adapters. One network adapter connects to
the Ethernet LAN. The other network adapter is a broadband networking device.
The company plans to increase the number of employees in the Denver office by at least 25 percent. You need to
confirm that the current network bandwidth of the broadband connection will be sufficient for the future
expansion of the Denver office.
You want to use System Monitor on Server23 to find out the current utilization of the broadband network
connection.
What should you do?
A. Monitor the Bytes Total/sec counter on the Network Interface object.
B. Monitor the Bytes Total/sec counter on the Server object.
C. Monitor the Server\\Packets/sec counter on the Server object.
D. Monitor the Current Bandwidth counter on the Network Interface object.
Answer: A
95. You are the network administrator for your company. The network contains 12 Windows Server 2003
computers and 300 Windows XP Professional computers.
TestInside 70-291
Three servers named Server4, Server5, and Server6 run a critical business application. When performing
performance baselining on these three servers, you notice that Server6 has a larger number of concurrently
connected users at any given moment than Server4 or Server5. The additional workload is causing performance
problems on Server6. You need to identify which client computers are connecting to Server6.
You plan to run Network Monitor on Server6 to capture all packets sent to Server6. The capture task must be
configured to meet the following requirements.
To reduce the size of the captured data, you want to capture only the packet headers.
If a large number of packets are captured, the packets must be retained on the server. Captured packets must not
overwrite previously captured packets.
Which two tasks should you perform to configure Network Monitor? (Each correct answer presents part of the
solution. Choose two.)
A. Configure the Network Monitor display filters.
B. Configure the Network Monitor capture filters.
C. Increase the Network Monitor buffer size setting.
D. Decrease the Network Monitor buffer size setting.
E. Increase the Network Monitor frame size setting.
F. Decrease the Network Monitor frame size setting.
Answer: C AND F
96. You are the network administrator for your company. The network contains a Windows Server 2003 Web
server named WebServer1. WebServer1 is connected to the Internet by means of a dedicated link.
You are responsible for monitoring the bandwidth utilization of WebServer1. You run a System Monitor log on
WebServer1, which monitors the Bytes Total/sec counter on the Network Interface object. The sample rate for the
counter is set to 15 seconds. The log is archived once each day.
The size of the System Monitor log is becoming too large for the available disk space. You need to reconfigure the
System Monitor log settings to reduce the amount of data that is captured.
What should you do?
A. Retain the current counter, but set the sample rate to 5 seconds.
B. Retain the current counter, but set the sample rate to 60 seconds.
C. Change the counter to Total Bytes, and set the sample rate to 15 seconds.
TestInside 70-291
D. Change the counter to Current Bandwidth, and set the sample rate to 60 seconds.
Answer: B
97. You are the network administrator for your company. A Windows Server 2003 computer named Router11 is
used to connect the network to the Internet.
You find out that some computers on the network are infected with a worm, which occasionally sends out traffic
to various hosts on the Internet. This traffic always uses a certain source TCP port number.
You need to identify which computers are infected with the worm. You need to configure a solution on Router11
that will perform the following two tasks:
Detect and identify traffic that is sent by the worm.
Immediately send a notification to a network administrator that the infected computer needs to be repaired.
What should you do?
A. Configure a WMI event trigger.
B. Configure a Network Monitor capture filter.
C. Configure a Network Monitor trigger.
D. Configure a System Monitor alert.
Answer: C
98. You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains Windows Server 2003 computers and Windows XP Professional computers.
You configure a server named Server1 to be a file server. The written company security policy states that you must
analyze network traffic that is sent to and from all file servers.
You need to capture file-transfer network traffic that is being sent to and from Server1. You install Network
Monitor Tools from a Windows Server 2003 product CD-ROM on a server named Server2, which is on the same
network segment as Server1.
You run Network Monitor on Server2. However, Network Monitor captures only network traffic that is sent to and
from Server2. You need to capture all network traffic that is sent to and from Server1.
What should you do?
A. Install the Network Monitor driver on Server1. Run Network Monitor on Server2 to capture network traffic.
TestInside 70-291
B. Open Network Monitor on Server2 and create a capture filter to enable the capture of all protocols. Run
Network Monitor to capture network traffic.
C. Install Network Monitor Tools on Server1. Run Network Monitor to capture network traffic.
D. Open Network Monitor on Server2 and increase the capture buffer from 1 MB to 20 MB in size. Run Network
Monitor to capture network traffic.
Answer: C
99. You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains 25 Windows Server 2003 computers and 6,000 Windows XP Professional
computers.
The written company security policy states that network traffic to Web servers must be audited on a regular basis.
A server named Server1 is configured as a Web server on the company's intranet. You install Network Monitor
Tools from a Windows Server 2003 product CD-ROM on Server1.
You run Network Monitor on Server1 for three hours. When you stop the network capture, you see that Network
Monitor captured over 40,000 frames. As you look at the captured frames, you notice that an extremely large
number of TCP connection requests have all come from the 131.107.0.1 IP address.
In Network Monitor, you need to view only the frames for network traffic that are captured between Server1 and
the 131.107.0.1 IP address.
What should you do?
A. Create an Address Capture filter for all network traffic between Server1 and the 131.107.0.1 IP address.
B. Create a Find Frame Expression filter for network traffic captured between Server1 and the 131.107.0.1 IP
address.
C. Create an Address Display filter for all network traffic captured between Server1 and the 131.107.0.1 IP
address.
D. Create a Pattern Match capture trigger for the 131.107.0.1 IP address.
Answer: C
100. You are the network administrator for Alpine Ski House. The network consists of a single Active Directory
domain named alpineskihouse.com.
TestInside 70-291
A supplier named Adventure Works allows Alpine Ski House to directly view the Adventure Works inventory.
Adventure Works hosts a Web site that buyers can access through a VPN connection.
Users in the purchasing department at Alpine Ski House access the Adventure Works Web site every day. During
each visit to http://inventory.adventure-works.com, users click on up to six hyperlinks to access the desired data.
In conversation with Adventure Works network administrators, you find out that the
http://inventory.adventure-works.com Web site should cause cookies to be created on the purchasing department
users' computers. The cookies cause the Web page to display the "Your last search results" hyperlink. This
hyperlink would be very useful for users in your purchasing department, because they usually search for the same
data during each visit to the Web site. However, none of your users see this hyperlink.
You view the Internet Explorer Internet options on one of the purchasing department user's Windows XP
Professional computers. The Privacy tab indicates a setting of High. Your company places a high priority on
protecting user privacy and confidential data.
You want to allow cookies that will cause http://inventory.adventure-works.com to display the last search results
for each purchasing department user.
How should you configure the Internet options on purchasing department computers?
A. In the Privacy tab, use the Edit button to allow http://inventory.adventure-works.com.
B. In the Privacy tab, change the privacy setting to Medium.
C. Set the advanced privacy settings to Override automatic cookie handling. Block first-party cookies and accept
third-party cookies.
D. Set the advanced privacy settings to Override automatic cookie handling. Accept first-party cookies and block
third-party cookies.
Answer: A
101. You are the network administrator for City Power & Light.
A new Windows Server 2003 computer named Server1 is located in a small branch office. Server1 runs third-party
update software and needs to connect to the Internet to download software updates. Server1 distributes the updates
to Windows XP Professional client computers in the branch office.
You configure Server1 so that when you double-click the Internet Explorer icon, a VPN dial-up connection to the
main office automatically starts. You want Server1 to access the Internet through a Microsoft Internet Security and
Acceleration (ISA) Server computer named ISA1 in the main office.
TestInside 70-291
ISA1 uses IP address 131.107.68.92 on the Internet and is also the Routing and Remote Access server to the LAN.
The ISA1 LAN interface uses IP address 10.10.0.1. Inbound VPN connections receive 10.10.0.0 IP addresses.
Client computers can connect to the internet only through ISA1.
ISA1 has dynamically updated host (A) resource records for both ISA1 interfaces.
On Server1, you double-click the Internet Explorer icon to initiate an Internet connection. Server1 successfully
establishes a VPN connection to ISA1, but cannot connect to the Internet. The Internet Explorer settings for the
VPN dial-up connection are shown in the exhibit. (Click the Exhibit button.)
Some users on other VPN connections to ISA1 report that they can connect to the Internet, and other users report
that they cannot.
You want Server1 and all other VPN connections to ISA1 to consistently connect to the Internet.
What should you do?
A. In the Internet Explorer settings for the VPN dial-up connection on Server1, select the Bypass proxy server for
local addresses check box.
B. In the Internet Explorer settings for the VPN dial-up connection on Server1, enter 10.10.0.1 for the the proxy
server address.
C. In the Internet Explorer settings for the VPN dial-up connection on Server1, select the Automatically detect
TestInside 70-291
settings check box.
D. On the network properties for the 131.107.68.92 connection on ISA1, clear the Register this connection's
addresses in DNS check box.
Answer: D
102. You are the network administrator for your company. The network consists of two subnets: 10.10.10.0/24 and
10.10.11.0/24.
On a nonbusiness day, you replace previous DNS servers with Windows Server 2003 DNS servers. The BIND
servers used IP addresses 10.10.10.10 and 10.10.11.10. The Windows Server 2003 DNS server named DNS1 will
use IP address 10.10.10.20. The Windows Server 2003 DNS server named DNS2 will use IP address 10.10.11.20.
The IP configuration of DNS1 is shown in the IP Configuration exhibit. (Click the Exhibit button.)
A router has IP addresses 10.10.10.1, 10.10.11.1, and 131.107.68.1. The router routes traffic between both LAN
subnets and between the LAN and the Internet as shown in the Network exhibit. (Click the Exhibit button.)
TestInside 70-291
The router blocks outbound UDP port 53 traffic to all addresses except 131.107.68.1.
A DHCP server named DHCP1 has two scopes to provide IP address configuration to 600 Windows XP
Professional computers on the two subnets.
On the next business day, users report that they can access all LAN hosts and the intranet, but they cannot access
Internet Web sites. You can access the intranet and public Internet Web sites from the DNS servers.
You want to allow all users to access public Internet Web sites and the intranet. You want to log all DNS queries
from the LAN on the two new Windows Server 2003 DNS servers.
What should you do?
A. Configure both DHCP server scope options to use 10.10.10.20, 10.10.11.20, and 131.107.68.93 for DNS IP
addresses.
B. Configure both DNS servers to use 131.107.68.93 as a forwarder.
C. Add the Internet service provider's (ISP) DNS server to the name servers list in your zone.
D. Configure both DNS servers to allow zone transfers to 131.107.68.93.
Answer: B
103. You are the network administrator for A. Datum Corporation. The network consists of a single Active
TestInside 70-291
Directory domain named adatum.com. The domain contains a Microsoft Internet Security and Acceleration (ISA)
Server computer named ISACorp and a DNS server named DNS1. Both servers are Windows Server 2003
computers.
The company redesigns network addressing, and you change the static IP addresses for ISACorp to the addresses
shown in the Network exhibit. (Click the Exhibit button.)
DNS1 contains the new host (A) resource records for ISACorp.
A Windows Server 2003 file server named Server1 is on the 10.10.11.0 subnet. Server1 has antivirus software
installed that checks hourly for new virus definitions on a central antivirus server named WWW in the perimeter
network. WWW is a Web server, and you can also access it through a Web page to perform manual virus
definition updates.
You find out about a new virus threat and want to immediately download the new update to Server1.
You cannot access the WWW virus update Web site when you attempt to download a new virus update. The static
TCP/IP configuration on Server1 uses DNS1 as the preferred DNS server.
You confirm that ISACorp is configured properly. On Server1, you view the Internet Explorer LAN settings that
are shown in the LAN Settings exhibit. (Click the Exhibit button.)
TestInside 70-291
You want to allow Server1 to connect to WWW.
What should you do?
A. On Server1, from a command prompt, run the ipconfig /flushdns command.
B. On Server1, in the LAN settings in Internet Explorer, select the Automatically detect settings check box.
C. On ISACorp, from a command prompt, run the ipconfig /flushdns command.
D. On ISACorp, from a command prompt, run the ipconfig /registerdns command.
Answer: A
104. You are the network administrator for Alpine Ski House. The network consists of two Active Directory
domains. One domain is named alpineskihouse.com. A subsidiary company named Adventure Works has a domain
named adventure-works.com. Both domains are in a single forest.
A primary DNS server for alpineskihouse.com is located in the company's Seattle office. A primary DNS server
for adventure-works.com is located in the company's Portland office. Both DNS servers are Windows Server 2003
computers.
Each domain has three regional offices. Each regional office contains the following computers:
a secondary DNS server in its respective domain
a DHCP server
a recently installed Microsoft Internet Security and Acceleration (ISA) Server computer that connects the LAN to
the Internet
TestInside 70-291
Company sales representatives visit the Seattle office, the Portland office, and all regional offices several times
each month. All sales representatives use Windows XP Professional portable computers that are members of the
alpineskihouse.com domain.
You create an appropriate wpad.dat script file on each of the ISA servers in each regional office. On each DHCP
server, you configure the 252 Proxy Autodiscovery option and the corresponding http://ISAServerName/wpad.dat
string value.
Sales representatives report that they cannot access the Internet by using Internet Explorer when they visit an
office that is in the adventure-works.com domain. You need to ensure that all users can access the Internet at all
times. You want to use the minimum amount of administrative effort.
What should you do?
A. Configure Windows XP Professional portable computers with the primary DNS suffix of
adventure-works.com.
B. Configure the Advanced TCP/IP Settings setting on the Windows XP Professional portable computers with a
DNS suffix for this connection setting of adventure-works.com.
C. On each DHCP server that is a member of the adventure-works.com domain, configure the 15 DNS Domain
Name option to be adventure-works.com.
D. On the primary DNS server for the adventure-works.com domain, add an _http service service locator (SRV)
resource record for each ISA server in the adventure-works.com domain.
Answer: C
105. You are the network administrator for your company. The network contains 100 Windows XP Professional
computers.
You configure a Windows Server 2003 computer named Dev1 as a DNS server. Dev1 has the IP address
192.168.1.2 and contains host (A) resource records for all network client computers that are located in the branch
office.
You install a Windows Server 2003 computer named Dev2 as a DHCP server. Dev2 is configured as shown in the
following table.
TestInside 70-291
You install a DSL connection for Internet access. You configure a server named Dev3 as an Internet Connection
Sharing (ICS) host with two network adapters. The network adapter that has the IP address 131.107.96.21
connects to the DSL modem, and the network adapter that has the IP address 192.168.0.1 connects to the LAN.
The ISP's DNS server has the IP address 131.107.62.9.
Your users report that they cannot access the Internet. You need to ensure that all users in the company can access
the Internet through the ICS host.
What should you do?
A. Remove DHCP from Dev2.
B. Replace the DHCP scope on Dev2 with one that has a subnet mask of 255.255.255.192.
C. Change the DHCP scope option 003 Default Gateway on Dev2 to 131.107.96.21.
D. Install the DNS service on Dev3, and configure 131.107.62.9 as a forwarder.
Answer: A
106. You are the network administrator for your company.
You work in the company's branch office in Chicago. The network in your office consists of 40 Windows XP
Professional desktop computers and one Windows Server 2003 computer named Server1. Server1 connects to the
Internet through a 512-Kbps leased line. The main office of the company is in Seattle.
Users of the desktop computers in the Chicago office are developers who are developing a new software product.
You want these users to place daily builds of the product in a shared folder on Server1. You want developers in the
Seattle office to be able to download the daily builds from Server1 by using FTP.
You install IIS on Server1 and configure the FTP site so that it is available to the developers in the Seattle office.
However, when you monitor inbound Internet connection attempts to Server1, you notice many attempted HTTP
connections.
You want to secure Server1 so that it is not susceptible to malicious Internet users. Server1 must also connect to
the Internet to use Windows Update and to download virus definition updates. You do not want to purchase
additional hardware or software.
TestInside 70-291
What should you do on Server1?
A. Enable Internet Connection Sharing (ICS).
B. Configure port filtering on the network adapter to allow only TCP port 80 and TCP port 21.
C. Enable Internet Connection Firewall (ICF) and create a service setting in the Internet Connection Firewall
settings that allows
internal and external TCP port 21 to Server1
internal and external TCP port 80 to Server1
D. Enable Internet Connection Firewall (ICF) and select the FTP Server check box in the Services tab. Enter
Server1 as the server hosting the FTP services.
Answer: D
107. You are a network administrator for your company. The network consists of five Windows Server 2003
computers and 50 Windows XP Professional computers on a single subnet.
On Sunday, another administrator installs a new firewall between the LAN and the company's T1 Internet
connection. The network is configured as shown in the exhibit. (Click the Exhibit button.)
Local host names are resolved on the network by using a WINS server. All client computers are configured to use
ISP1 for DNS name resolution.
On Monday morning, users report that they are no longer able to access secure and nonsecure Internet Web sites.
TestInside 70-291
From a Windows XP Professional computer, you are able to succesfully perform the following tasks:
Ping the IP addresses of Web servers on the Internet.
Use Internet Explorer to open both secure and nonsecure Web sites by using an IP address in place of the URL.
You run the nslookup command and attempt to resolve an Internet fully qualified domain name (FQDN). You
receive the following error message:
*** [131.107.100.200] can't find www.microsoft.com: No response from server >
You need to use the minimum amount of administrative effort to provide users with the ability to browse Web
sites on the Internet.
What should you do?
A. Configure the firewall to allow traffic on TCP ports 80 and 443.
B. Configure the firewall to allow traffic on TCP port 53 and UDP port 53.
C. Install and configure the DNS service on one of the local servers.
D. Install and configure Microsoft Internet Security and Acceleration (ISA) Server on one of the local servers.
Answer: B
108. You are the network administrator for your company.
On a Windows Server 2003 computer named Server3, you use the Backup program to automatically back up eight
servers. You use a scheduled task named AutoBack. The task runs in the security context of a domain account
named NightBackup.
The Default Domain Policy Group Policy object (GPO) is configured with the following account policies settings:
Minimum password length: 8 characters
Password expiration: 30 days
Enforce password history: 12 passwords remembered
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 30 minutes
The Backup program runs successfully for four weeks. After four weeks, you notice that nightly backups no
longer occur. A successful backup occurs when you log on to Server3 with your own user account and perform a
local backup. Your user account is a member of the Domain Admins group.
You want the AutoBack scheduled task to perform unattended backups every night at 11:00 P.M.
Which two actions should you perform in order to resume the nightly backups by using the AutoBack scheduled
TestInside 70-291
task? (Each correct answer presents part of the solution. Choose two.)
A. Unlock the NightBackup user account.
B. Enable the NightBackup user account.
C. On the properties sheet for the AutoBack.job scheduled task, reset the password.
D. Reset the password for the NightBackup user account.
E. Configure the local security policy on Server3 to grant the service account the Logon locally right.
F. Configure the local security policy on Server3 to grant the service account the Logon as a service right.
Answer: D AND C
109. You are the administrator of a Windows Server 2003 computer named Server1. Server1 functions as a DNS
server.
Your company is named Fabrikam, Inc. The company's Active Directory domain is named fabrikam.com. The
domain contains Windows Server 2003 computers named ComputerA, ComputerB and ComputerC.
You need to perform the following administrative tasks on Server1:
Create a mail exchanger (MX) resource record for ComputerC.fabrikam.com with a priority of 10.
Modify the MX records for ComputerA.fabrikam.com and ComputerB.fabrikam.com so that incoming mail will
be delivered to ComputerC on first attempt, then to ComputerB if ComputerC is not available, and lastly to
ComputerA if ComputerB and ComputerC are not available.
What should you do?
To answer, click the Simulation button and then perform the appropriate actions.
TestInside 70-291
click the:
Start -> Settings -> Control Panel
double click the Administrative Tools--> DNS
choose the Forward Lookup Zones--> farikam.com
new Mail Exchange (MX)
TestInside 70-291
--> Browse -->Server1-->Forward Lookup..-->fabrikam.com--ComputerC
the ComputerC's Mail server priority set to 10
TestInside 70-291
modify the ComputerB's Mail server priority to : 20
TestInside 70-291
modify the ComputerA's Mail server priority to : 30
TestInside 70-291
110. You are an enterprise administrator for your company, which is named Fabrikam, Inc. The network consists
of a single Active Directory domain named fabrikam.com.
You need to create a dedicated domain administrator account to use when you perform domain administration
tasks. The account name must be configured as shown in the following table.
You need to assign the account a temporary password that must be changed on first logon.
You also need to assign the minimum administrative rights to perform the following tasks to the specified groups:
TestInside 70-291
What should you do?
To answer, click the Simulation button and then perform the appropriate actions.
Answer:
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
111. You are the administrator of a Windows Server 2003 computer named Server1. Routing and Remote Access
is installed on Server1.
You need to perform the following administrative tasks:
Modify the Connections to Microsoft Routing and Remote Access server policy to allow remote access for
members of the Domain Admins group.
Add a static route for the 192.168.3.0/24 network, and configure 192.168.4.254 to be the gateway for that
network.
Configure an inbound packet filter to prevent all traffic from the 192.168.5.0 network on Local Area Connection
2.
What should you do?
TestInside 70-291
To answer, click the Simulation button and then perform the appropriate actions.
Answer:
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
TestInside 70-291
No comments:
Post a Comment