Server 2003 Planning Network Infrastructure

MS-CHAP version 2 allows for a fairly strong level of security for remote access connections with regard to the authentication protocol that is to be used without the additional use of third-party hardware. It also provides for mutual authentication and does not allow LAN Manager encoded responses or password changes. It also supports Windows NT 4.0 and Microsoft Windows 98 clients on VPN connections using Microsoft Point-to-Point Encryption (MPPE).

[A: Password Authentication Protocol (PAP) uses clear-text passwords and provides almost no security.]

[B: As Shiva Password Authentication Protocol (SPAP) is an older, proprietary, two-way reversible encryption mechanism originally designed by Shiva which encrypts the password data that is sent between the client and server by use of additional proprietary hardware.]

[C: You cannot use Microsoft Point-to-Point Encryption (MPPE) if CHAP is used to authenticate the connection.]

[D: MS-CHAP version 1 allows LAN Manager encoded responses and password changes.]

Once you have obtained the policy elements, the next step is to create the policy itself by right-clicking in the right pane of the MMC and choosing click Create IP security policy.

[A: You cannot assign the policies when they have not been fully created yet.]

[B: You cannot test the policies when they have not been fully created yet.]

[C: This is one of the steps to be done as part of the Create the IPSec Policy step. After you have clicked "Add" to create a new rule and chosen the network to which to assign the policy, you would be asked to pick an authentication method such as Kerberos, Certificates, or shared secret.]

Pathping can be used to show the route taken to reach a remote system as does TRACERT. But PATHPING does so with more detail and allows for more functionality.

TRACERT can be used to verify that IP addressing has been correctly configured on a client. It shows the route taken to reach a remote host and return detailed information showing the route taken to reach a remote system or network gateway and return detailed statistics.

[B: This is incorrect because, although PING will show whether or not a remote system or gateway can be reached, it will not give you really any additional details other than the percentage of packet loss and approximate round trip times in milliseconds.]

[D: The ROUTE command-line tool is used to display the current IP routing table for the local system and it can be used to add or delete IP routes. It can also add persistent routes. It cannot be used to show the route taken to reach a remote host, nor will it return detailed information showing the route taken to reach a remote system or network gateway or return detailed statistics.]

[E: Netstat (Netstat.exe) is a command-line tool that displays TCP/IP protocol statistics and active connections to and from the local system. It can also display all connections and listening ports and there is an option to display the number of bytes sent and received, as well as network packets dropped (if applicable). It cannot be used to show the route taken to reach a remote host nor will it return detailed information showing the route taken to reach a remote system or network gateway or return detailed statistics.]

Windows Server 2003, Enterprise Edition supports up to eight-node clusters and support for up to 32 GB of memory.

Server clustering under Windows Server 2003 does not fail over the information that is held in the local nodes RAM.

[B: Although Windows Server 2003 Standard Edition does support up to 4 GB of memory, there is no clustering support available.]

[C: Server clustering under Windows Server 2003 does not fail over the information that is held in the local nodes RAM.]

[E: Although Server Clustering and Terminal Services can coexist on the same server or node, they cannot be combined to expand the capability of your Terminal Server to a high availability failover solution. Network Load Balancing could be used to a degree to do this.]

[F: Server Clustering and Terminal Services can coexist on the same server or node.]

The Terminal Server marks the client's session as disconnected when a client simply disconnects from a Terminal Server during a session or has a loss of network connectivity.

If the client has performed a proper log off, it will show the client's session as disconnected.

The best way to allow disconnected clients to connect to the same Terminal Server to recover from a disconnected session is to have the client computers use static IP addresses and configured WLBS to use Single Affinity.

[A: User information, system information, and common data should be stored in a single location so each Terminal Server can service all the users on the network.]

[B: WLBS relies on the client's IP address and port number when you are using No Affinity to determine which Terminal Server services a client. If you configure WLBS to use Affinity, the IP address used by the client is serviced by the same Terminal Server as long as you do not change the Terminal Server cluster.]

The number of Page Faults/sec is the overall rate at which the processor handles both hard and soft page faults

The Page Reads/sec is the number of times the disk was read to resolve hard page faults.

[B: Pages Input/sec is the total number of pages read from disk to resolve hard page faults. It would not be used to get information on the overall rate at which the processor handles both hard and soft page faults, as well as the number of times the disk was read to resolve hard page faults.]

[D: Pages Input/sec will be greater than or equal to Page Reads/sec and can give you a good idea of your hard page fault rate. If these numbers are low, your server should be responding to requests quickly. If they are high, it can be because you have dedicated too much memory to the caches, not leaving enough memory for the rest of the system. You might need to increase the amount of RAM on your server, although lowering cache sizes can also be effective.]

[E: Pool Paged Bytes and Pool Non-paged Bytes monitor the pool space for all processes on the server.]

The failed drives must be replaced and the data must be restored from the full backup and the last differential backup.

[A: Both of the failed drives must be replaced and the data must be restored from the full backup and the last differential backup.]

[C: If incremental backups were being used, it would be necessary to include all of the all of the incremental backups]

[D: If the online spare had the opportunity to fully rebuild, something that is not going to happen in 10 minutes, and then a second disk were to fail, the server would still be able to function off of the RAID 5 configuration. 10 minutes is not enough time for parity information to write to the online spare to rebuild the data and allow the system to continue to function.]

when a drive in a RAID 5 configuration fails, the system is able to continue to function normally from the stored parity information. With an online spare configuration, the data from parity is written to the online spare automatically when it comes online after a disk fails. The sudden failure of the online (hot) spare will not impact anything on the system with the exception of the rebuilding of the parity data to the online (hot) spare. The server will still be accessible and all of the data will be intact.

[A: Only the failed drives must be replaced. Nothing additional needs to be done because the RAID configuration with the online spare allows the system to continue to run.]

[B: Only the failed drives must be replaced. Nothing additional needs to be done because the RAID configuration with the online spare allows the system to continue to run. If a restoration from tape was needed, you would need to use the full backup and all of the incremental backups, not just the last incremental backup.]

[C: Only the failed drives must be replaced. Nothing additional needs to be done because the RAID configuration with the online spare allows the system to continue to run. If a restoration from tape was needed, this answer would be correct because you would need to use the full backup and all of the incremental backups to restore all of the data.]

The minimum amount of required disk space is 100MB. Maximum amount of required disk space is set to 10% of the total amount of space for the volume by default which includes used and free space. The storage area for the shadow copies is located on the same volume where shadow copy has been enabled and the volume must be formatted as NTFS.

[B: The minimum amount of required disk space is always 100MB.]

[C: The maximum amount of required disk space is set to 10% of the total amount of space for the volume by default which includes used and free space.]

[F: the storage area for the shadow copies is located on the same volume where shadow copy has been enabled and the volume must be formatted as NTFS.]

ASR does not include data files. You must make sure that there is a known good back up the data files to restore them after the system is brought back to a known good working state. Automated System Recovery supports FAT16 volumes up to 2.1 GB only. ASR does not support 4 GB FAT16 partitions that use a cluster size of 64K. Automated System Recovery is also supported on NTFS partitions as well. The way to access Automated System Recovery is to press F2 when prompted in the text mode portion of setup.

[A: ASR does not include data files. You must make sure that there is a known good back up the data files to restore them after the system is brought back to a known good working state.]

[D: Automated System Recovery supports FAT16 volumes up to 2.1 GB only. ASR does not support 4 GB FAT16 partitions that use a cluster size of 64K. Automated System Recovery is also supported on NTFS partitions as well.]

[F: The way to access Automated System Recovery is to press F2 when prompted in the text mode portion of setup. During text-mode setup, Windows pauses briefly and prompts you to press F6 when you need to install additional drivers for the system.]

After you go to the Addressing tab, click My IP Address in the Source address box, and then click Any IP Address in the Destination address box, the filter is applied to outbound packets.

[A: After you go to the Addressing tab, click My IP Address in the Source address box, and then click Any IP Address in the Destination address box, the filter is applied to outbound packets. If you need to configure a packet filter to match inbound packets in the same manner, you can either create an inbound one (which is additional administrative effort but it is allowed) or you can simply check the Mirrored check box is selected for the original filter.]

[C: After you go to the Addressing tab, click My IP Address in the Source address box, and then click Any IP Address in the Destination address box, the filter is applied to outbound packets. If you need to configure a packet filter to match inbound packets in the same manner, you can either create an inbound one (which is additional administrative effort but it is allowed) or you can simply check the Mirrored check box is selected for the original filter.]

[D: All IPSec-secured communications must be protected in both directions; you cannot have unidirectional IPSec security.]

To offer Remote Assistance to a user who has not sent an explicit invitation, the Offer Remote Assistance setting in Group Policy must be enabled and configured for the system in question.

You must be listed as an assistant under the Offer Remote Assistance policy or be a member of the Administrators group on the computer where you are offering the Remote Assistance. In a domain this would usually include the Domain Administrators as well.

The user must give explicit permission before the person making the Remote Assistance offer can control the user's computer. For this to happen, the feature for doing this will need to be enabled as well.

[C: Offer Remote Assistance will not work unless the Solicited Remote Assistance policy is enabled.]

[D: The user must give permission before the offer of Remote Assistance will be successful.]

Terminal Services in Remote Administration mode must be configured on the Windows Server 2000 Advanced Server system and Remote Desktop for Administration can be used on the Windows Server 2003 Standard Edition systems.

[A: Terminal Services in Remote Administration mode is available only on the Windows Server 2000 Advanced Server system. Remote Desktop for Administration has replaced Terminal Services in Remote Administration and is available on Windows Server 2003 systems.]

[B: Installing Terminal Services in Application mode is not the least amount of administrative effort nor is it the least expensive option.]

[C: Although the correct step is to install Terminal Services in Remote Administration on the Windows Server 2000 Advanced Server system, Remote Assistance requires that someone give explicit permission before the person making the Remote Assistance offer can control the user's computer and that would include a server.]

For Windows 98 systems using the Dial-up Networking version 1.4 upgrade to make the connections to the VPN server individually, they need the Microsoft L2TP/IPSec VPN Client installed.

[B: The RRAS server itself would be making the connection and the security association; the clients themselves would pass through the tunnel created by the RRAS server.]

[C: The implementation of IPSec in Microsoft L2TP/IPSec VPN Client only provides IPSec protection for L2TP traffic; it will not offer any protection for any other connections that are made.]

[D: The Microsoft L2TP/IPSec VPN Client must be installed on all Windows 98 systems making the connections to the VPN server individually by way of the Microsoft L2TP/IPSec VPN Adapter. The PPTP adapter would be available for MPPE (Microsoft Point-to Point Encryption) secured transmissions.]

To provide the necessary auditing, you would need to Audit logon events and the logging should be set to log all success and failures.

To provide the necessary auditing, you would need to Audit object access and the logging should be set to log all success and failures.

[B: It would not provide all of the necessary detail needed. To provide the necessary auditing, you would need to Audit logon events and the logging should be set to log all success and failures.]

[C: It would not provide all of the necessary detail needed. To provide the necessary auditing, you would need to Audit logon events and the logging should be set to log all success and failures.]

[E: It would not provide all of the necessary detail needed. To provide the necessary auditing, you would need to Audit object access and the logging should be set to log all success and failures.]

[F: Would not provide all of the necessary detail needed. To provide the necessary auditing, you would need to Audit object access and the logging should be set to log all success and failures.]

You did allow for meeting the objective of providing a solution for retrieval of the key in the event of its loss by keeping the key stored on a Zip disk and locking the disk in a fire proof safe and keeping one duplicate copy of the Zip disk held off site at the same location where your off site backup tapes are kept.

[A: The full primary objective was to not allow the key to be left on any networked system and this was voided as soon as it was emailed to the lead engineer because it was now on the corporate email system and possibly the engineer's computer if he created a local file for his mail. This also voided one of the other requirements, which was to maintain a high level of security for the key because it was now on a networked system.]

[C: You ended up getting the key back on to a networked system by emailing it to the lead engineer.]

[D: You did allow for meeting the objective of providing a solution for retrieval of the key in the event of its loss by keeping the key stored on a Zip disk and locking the disk in a fire proof safe and keeping one duplicate copy of the Zip disk held off site at the same location where your off site backup tapes are kept.]

Begin the process of setting up this configuration, you would need to start in the Event Viewer. You need to verify that there is no way for the log files to be overwritten. This configuration would force an Administrator to clear the logs manually.

[B: The Startup and Recovery options settings allow you to configure how system start ups and any subsequent failures are handled; it will not allow you to configure the system so that users cannot log on it the logs cannot be written to.]

[D: This configuration would allow logs older than 30 days to eventually be overwritten when the available space for the logs was used up.]

The Windows Update client will not be present on Windows 2000 servers and desktops systems prior to SP3, so you would either need to install SP3 or 4 as either would get the client installed. By putting on SP4, you'll also be installing many of the additional security fixes all rolled up in the SP. The Windows Update client will not be present on Windows XP clients prior to SP1, so you would either need to install SP1 or the client separately. By applying SP1, you'll also be installing many of the additional security fixes all rolled up in the SP rather than having to download them separately. Installing the Windows Update client separately is an additional administrative step and is not necessary as SP1 does this for you. This would be necessary for you to point the clients to the SUS server rather than the public Windows Update site.

[C: This is unnecessary administrative effort. The Windows Update client will not be present on Windows XP clients prior to SP1 so you would either need to install SP1 or the client separately. By applying SP1, you'll also be installing many of the additional security fixes all rolled up in the SP rather than having to download them separately. Installing the Windows Update client separately is an additional administrative step and is not necessary as SP1 does this for you.]

[D: This is unnecessary administrative effort. The Windows Update client will not be present on Windows 2000 servers and desktops systems prior to SP3 so you would either need to install SP3 or 4 as either would get the client installed. By applying SP4, you'll also be installing many of the additional security fixes all rolled up in the SP. Installing the Windows Update client separately is an additional administrative step and is not necessary as installing SP3 or 4 does this for you.]

[F: This setting would cause the updates to occur at 11AM. To specify 11PM, you must choose setting 4 - Auto download, and schedule the install and choose 0 - every day 23:00.]

MBSA Version 1.1.1 can perform a local or an over the network scan of systems running Windows Server 2003, Windows 2000, or Windows XP. In addition, MBSA can scan Windows NT 4.0 SP4 and above systems over the network. There were 281 Windows NT4 Workstations running SP6a, 592 Windows 2000 Professional systems, and 192 Windows XP Professional systems on the network that could be scanned which totals 1065 clients. All of the other systems were either server systems which were not part of the required scan or Windows 98 and/or ME systems that could not be scanned.

This is the best solution. Remote Desktop for Administration is included with the operating system and can be configured and used at no additional cost. The only limitation is that it supports only two concurrent connections.

[A: Although the server can be configured to use Remote Desktop for Administration, it cannot be installed as Terminal Server. Even if it could, the licenses have an additional cost and the question stated that there were no additional funds for it. Also, in Windows Server 2003, there are no longer different options for remote administrative mode or application mode for Terminal Services.9

[B: Although the server can be configured to use Remote Desktop for Administration, it cannot be installed as a Terminal Server. Also, in Windows Server 2003 there are no longer different options for remote administrative mode or application mode for terminal services. Terminal server is used for applications and Remote Desktop is used for remote administration.]

[D: This would, if nothing else, cost money and would therefore not be the best and least expensive option.]

[E: Although Telnet may allow you the remote access you might need via a command shell, it would not allow you the same access to the system as sitting at the GUI console.]

The Setup security.inf template is the initial template created that is applied to any Windows Server 2003 system during installation and it can also be used at a later time via the Security Configuration and Analysis tool to reapply default security settings to Windows Server 2003 and Windows 2000 systems.

[B: Basicsv.inf provides a basic level of security for file and print servers on the Windows 2000 platform but it should not be used on Windows Server 2003 systems. Also, applying it at the domain level would affect all of the workstations in the domain.]

[C: Applying the Setup security.inf at the domain level would affect all of the workstations in the domain.]

[D & E: The Defltsv.inf template is used on Windows 2000 Server systems that are not configured as domain controllers to restore the default NTFS file system permissions in Windows 2000.]

[F: This is not the least amount of administrative effort; you would have to configure three systems as opposed to two OUs. Also, settings from local policies will most likely be overwritten by domain level and OU level GPOs.]

Secedit can be used to analyze and configure the security settings of computers by comparing your current configuration to at least one template from the command line. Using this tool as part of a script allows you to run it against the 16 systems with less effort than most GUI tools.

[A: Although the Security Configuration and Analysis is a tool for analyzing and configuring local system security settings, it is a GUI based tool and would not be the easiest way to accomplish the required task because it would require you to run the tool on each system one at a time.]

[B: MBSA is a GUI tool (it can also be run from the command line) that allows an administrator to perform local or remote scans of Windows systems in an effort to scan for missing security updates and service packs for Windows, IE, IIS, SQL, Exchange, and Windows Media Player. It would not allow you to compare your standard desktop build's security settings against the default configuration security settings that are applied.]

[C: The File Signature Verification tool, SIGVERIF.exe, can be used to identify unsigned drivers on your system. It would not allow you to compare your standard desktop build's security settings against the default configuration security settings that are applied.]

[D: The System File Checker tool (SFC.exe) allows an administrator to scan all of the protected files on a computer to verify if they are the correct versions. It would not allow you to compare your standard desktop build's security settings against the default configuration security settings that are applied.]

The Security Configuration and Analysis is a tool for analyzing and configuring local system security settings. Secedit can be used to analyze and configure the security settings of computers by comparing your current configuration to at least one template from the command line.

[B: MBSA is a GUI tool (it can also be run from the command line) that allows an administrator to perform local or remote scans of Windows systems in an effort to scan for missing security updates and service packs for Windows, IE, IIS, SQL, Exchange, and Windows Media Player. It would not allow you to compare your standard desktop build's security settings against the default configuration security settings that are applied.]

[C: The File Signature Verification tool, SIGVERIF.exe, can be used to identify unsigned drivers on your system. It would not allow you to compare your standard desktop build's security settings against the default configuration security settings that are applied.]

[D: The System File Checker tool (SFC.exe) allows an administrator to scan all of the protected files on a computer to verify if they are the correct versions. It would not allow you to compare your standard desktop build's security settings against the default configuration security settings that are applied.]

Charles can configure an audit policy by accessing the Group Policy Object Editor snap-in for the appropriate GPO and navigating to the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy node. This node contains a series of events that can be audited for either success or failure. In this case, he needs Account Management events, which include items such as the creation, change, or deletion of a user or group account, and also the renaming, disabling, or enabling of a user account or change of password.

The Securews.inf security template can be used on member servers and workstations and would not need any editing because all of the required security settings as listed in this scenario are enabled by default. The template needs to be linked at the domain level to be effective.

Creating a custom template does allow you to set all of the necessary settings. Linking the template to the northamerica.gunderville.com Domain Controllers OU would allow the necessary settings to be applied to the domain controllers and also not impact the client systems.

[A: The Securedc.inf security template can be used on domain controllers but it would need editing to meet the required security settings as listed in this scenario. Linking the template at the gunderville.com domain level would impact the client systems in gunderville.com and it would not give you the desired results in the northamerica.gunderville.com domain.]

[B: Linking the Securedc.inf security template at the gunderville.com Domain Controllers OU would have no impact to the client systems in gunderville.com but it would not give you the desired results in the northamerica.gunderville.com domain, because it would need editing to meet the required security settings as listed in this scenario.]

[C: The Securedc.inf security template can be used on domain controllers but it would need editing to meet the required security settings as listed in this scenario. Linking the template at the northamerica.gunderville.com Domain Controllers OU would have no impact to the client systems in gunderville.com but it would not give you the desired results in the northamerica.gunderville.com domain because the settings are not correct for the scenario by default.]

[D: Creating a custom template allows you to set all of the necessary settings. Linking the template to the northamerica.gunderville.com domain object would allow the necessary settings to be applied to the domain controllers but it would also impact the client systems.]

[E: Creating a custom template allows you to set all of the necessary settings. Linking the template to the gunderville.com domain object would not allow the necessary settings to be applied to the domain controllers in the northamerica.gunderville.com domain and it would also impact the client systems.]

The minimum supported CPU speed for Windows Server 2003 Web Edition version of the operating system on the Microsoft Web site is listed as 133MHz. The question called for you to use the recommended requirements as the minimums for use in your production environment. This would mean that the correct answer is 550MHz.

This is the correct answer. Because the clients will attempt to contact a DHCP server in an effort to obtain an IP address (and be unsuccessful because one cannot be reached) they will automatically assign themselves an IP address using APIPA. The DHCP client auto-configures its IP address and subnet mask using the reserved Class B network address 169.254.0.0 and the subnet mask 255.255.0.0. No default gateway is used, so systems that use APIPA are not routable, but that is acceptable in this scenario given the segmented subnet design

[A: An ISA server will not dole out IP addressing for client systems, so this answer is incorrect.]

[B: DHCP manual address assignment dynamically assigns the same specific IP address from a scope of addresses to a specific DHCP client each time the client starts up by using the DHCP service and it is something that is configured on the DHCP server not on the client. Because this still requires the use of the DHCP server and one is not available, this answer is incorrect.]

[D: Although this would allow all of the systems to have an IP address, it is not the least amount of administrative effort.]

[E: This option would allow all of the clients to communicate with one another, it would not allow for the clients to successfully use the ISA server to access the Internet; this is because ISA requires IP connectivity on the network.]

You need to size the subnets for 450 clients per subnet currently and also allow for an anticipated growth of 40% for the client systems. This means that the subnet would need to be able to host 630 clients and therefore would need to use the 255.255.252.0 subnet mask to allow for 1022 clients on a possible 64 subnets. Although this answer technically gives you too many subnet possibilities, it is the lowest number configuration of host per subnet that works for the scenario.

[A: Using 255.255.240.0 would allow for only 16 subnets, which is not enough for the requirements in this scenario. You need to size the subnets for 450 clients per subnet currently and also allow for an anticipated growth of 40% for the client systems. This means that the subnet would need to be able to host 630 clients and therefore would need to use the 255.255.252.0 subnet mask to allow for 1022 clients on a possible 64 subnets.]

[B: Using 255.255.248.0 would allow for 32 subnets, which is enough for the requirements in this scenario; however, this would yield 2046 hosts per subnet, which is more than needed. Although it would work in the real world, it does not fit the requirements of the scenario. You need to size the subnets for 450 clients per subnet currently and also allow for an anticipated growth of 40% for the client systems. This means that the subnet would need to be able to host 630 clients and therefore would need to use the 255.255.252.0 subnet mask to allow for 1022 clients on a possible 64 subnets.]

[D: Using 255.255.254.0 would allow for 128 subnets and that is more than enough for the requirements in this scenario. This would yield 510 hosts per subnet, which on the surface appears to be correct; however, you need to size the subnets for 450 clients per subnet currently and also allow for an anticipated growth of 40% for the client systems. This means that the subnet would need to be able to host 630 clients and therefore would need to use the 255.255.252.0 subnet mask to allow for 1022 clients on a possible 64 subnets.]

[E: Using 255.255.255.0 would allow for 256 subnets and that is more than enough for the requirements in this scenario; however, this would yield only 254 hosts per subnet, which is not enough for the scenario. You need to size the subnets for 450 clients per subnet currently and also allow for an anticipated growth of 40% for the client systems. This means that the subnet would need to be able to host 630 clients and therefore would need to use the 255.255.252.0 subnet mask to allow for 1022 clients on a possible 64 subnets.]

The OSPF protocol is a better choice than either version of RIP when the network is designed with redundant paths between different locations or when the number of subnets in the overall design is more than 50 routers or farther than 16 hops away.

[A: The 255.255.252.0 subnet mask is being used to allow for 1022 clients on a possible 64 subnets. This means that any dynamically updating update protocol will need to support Classless Inter-Domain Routing (CIDR) or Variable Length Subnet Masks (VLSM). RIPv1 does not allow for this. Also RIP versions 1 and 2 are best used on medium-sized networks with about 50 routers maximum, and the maximum number of routers (hops) that any IP packet must cross is less than 16. destination addresses that are 16 or more hops away are unreachable from RIP routers.]

[B: The 255.255.252.0 subnet mask is being used to allow for 1022 clients on a possible 64 subnets. This means that any dynamically updating update protocol will need to support Classless Inter-Domain Routing (CIDR) or Variable Length Subnet Masks (VLSM). RIPv2 does allow for this, but because the maximum number of routers (hops) that any IP packet must cross is more than 16, all of the destination addresses that are 16 or more hops away are unreachable from the RIP routers, making this answer incorrect.]

[D: Interior Gateway Protocols (IGP), such as RIP or OSPF, is used to exchange routing information within their networks. IGP is not something that could be used per se in the place of RIP or OSPF]

[E: This is not correct because OSPF is available.]

The 190.185.55.127 IP address is the default broadcast address for this subnet. To allow for 50 hosts per subnet currently and also allow for an anticipated growth of 30% for the client systems, the subnets would have to be designed to accommodate 65 hosts; this requires the subnet mask to be 255.255.255.128. (255.255.255.192 would allow for only 62 hosts per subnet which are too few and 255.255.255.0 would allow for 254 hosts, which is too many).

[B: The 190.185.55.255 IP address is the default broadcast address for a subnet where the supplied mask is 255.255.255.0. To allow for 50 hosts per subnet currently and also allow for an anticipated growth of 30% for the client systems, the subnets would have to be designed to accommodate 65 hosts; this requires the subnet mask to be 255.255.255.128. 255.255.255.0 would allow for 254 hosts, which is too many).]

[C: The 190.185.55.63 IP address is the default broadcast address for a subnet where the supplied mask is 255.255.255.192. To allow for 50 hosts per subnet currently and also allow for an anticipated growth of 30% for the client systems, the subnets would have to be designed to accommodate 65 hosts; this requires the subnet mask to be 255.255.255.128. 255.255.255.192 would allow for only 62 hosts per subnet, which is too few.]

[D: The 190.185.55.31 IP address is the default broadcast address for a subnet where the supplied mask is 255.255.255.224. To allow for 50 hosts per subnet currently and also allow for an anticipated growth of 30% for the client systems, the subnets would have to be designed to accommodate 65 hosts; this requires the subnet mask to be 255.255.255.128. 255.255.255.224 would allow for only 30 hosts per subnet, which is too few.]

[E: The 190.185.55.255 IP address is the default broadcast address for a subnet where the supplied mask is 255.255.254.0. To allow for 50 hosts per subnet currently and also allow for an anticipated growth of 30% for the client systems, the subnets would have to be designed to accommodate 65 hosts; this requires the subnet mask to be 255.255.255.128. 255.255.254.0 would allow for 510 hosts, which is too many.]

RIPv2 network routers can broadcast their routing tables to other RIPv2 routers at predefined intervals via broadcast or multicast. RIPv1 uses broadcast only, so this answer is correct.

RIPv1 supports the main classes of IP addresses only and cannot use Classless Inter-Domain Routing (CIDR) or Variable Length Subnet Masks (VLSM). RIPv2 is not limited in this manner and can use these addressing schemes.

RIP versions 1 and 2 are best used on medium-sized networks with about 50 routers maximum, and the maximum number of routers (hops) that any IP packet must cross is less than 16. Destination addresses that are 16 or more hops away are unreachable from RIP routers. Because the most distant subnets in your environment are 15 hops from one another, this routing solution is fine.

[B: RIPv2 network routers can broadcast their routing tables to other RIPv2 routers at predefined intervals via broadcast or multicast RIPv1 uses broadcast only, so this answer is incorrect.]

D: RIPv1 supports the main classes of IP addresses only and cannot use Classless Inter-Domain Routing (CIDR) or Variable Length Subnet Masks (VLSM). RIPv2 is not limited in this manner and can use these addressing schemes, making this answer incorrect.]

[E: RIP versions 1 and 2 are best used on medium-sized networks with about 50 routers maximum, and the maximum number of routers (hops) that any IP packet must cross is less than 16. Destination addresses that are 16 or more hops away are unreachable from RIP routers. Because the most distant subnets in your environment are 15 hops from one another, this routing solution is fine making this answer incorrect.]

Physical design phase of the network design process outlines the required services and technologies that will be needed to service the company and end user needs, such as how the physical sites will be designed and where network resources will be placed throughout the environment.

[B: The Conceptual design phase of the network design process takes into consideration all of the requirements of a company and all of the end user needs, which makes it an incorrect answer for this scenario.]

[C: The Logical design phase of the network design process is where the ideas that are being drafted are put into fairly defined scopes and begins to outline the particular distinctions of the solution for the company's needs, which makes it an incorrect answer for this scenario.]

[D: The Overview design phase is the introduction to the design review and may include some of the business requirements needed in the design, but it is done at a very high level and does not necessarily get down into some of the details, such as how the physical sites will be designed and where network resources will be placed throughout the environment. For these reasons, this option is not the best one for the scenario.]

The DLC protocol not available in Windows XP by default during its installation on systems. It is available for download from the Microsoft Web site but it is not supported on the XP platform.

The DLC protocol is used by 3270 terminal emulators to communicate with IBM mainframes.

Depending on your network communication and configuration, the DLC protocol can be used to print to Hewlett-Packard (HP) network printers.

[B: The DLC protocol is available on Windows 2000 installations.]

[E: The NWLink protocol is not used by 3270 terminal emulators to communicate with IBM mainframes, such communications are performed via DLC.]

[F: The DLC protocol is available in Windows NT4 Workstation by default.]

A is a correct choice as you would either need to configure the IP address of ISA server as the proxy server in Internet Explorer on each client manually or configure the browser to detect these settings automatically.

B is a correct choice as you would want to install the ISA server in integrated mode which provides a firewall solution and acts as a Web cache server simultaneously by allowing both services to run in order to provide a moderate level of security for all of the systems on the network and this also allows you to use the least amount of administrative effort and overall cost.

C is also correct as you would need to provide some level of connection to the Internet. The current configuration as stated in the scenario does not allow for this connection currently.

[D: This option will not work as enabling Internet Connection Sharing on one of the servers and manually configuring all of the clients' default gateway with the IP address of this server would not allow them access to the Internet. Even if it did it is not the least amount of administrative effort.]

[E: By installing ISA server running in firewall mode you will set up the configuration as a secure gateway between the Internet and internal clients but installing ISA on one server and running it in integrated mode is the better option.]

[F: This answer is also not correct as this would not allow the clients to connect to the Internet with the current network configuration and even if it did it is not the least amount of administrative effort.]

For the sequence of events listed here, the second step would be to go to the Select Counters dialog box, click Select counters from computer, and then type the name of the computer that you want to monitor in the Computer box.

Choise D is the first step of the process after starting the System Monitor from the Performance MMC.

Provided you wanted to log everything, this would be the next step of the process. If you did not want to log all of these options, you could pare down to just the options you wanted to gather performance information on.

[A & C: This is not an available step to set up the System Monitor to capture performance data from a remote system.]

You need to configure a static IP address and subnet mask for the NIC that is attached to the internal network and you need to leave the leave this default gateway blank. ISA Server needs only one default gateway: the one that is configured on the external interface or interfaces and adding a default gateway on the internal adapter will often cause ISA to malfunction.

[A: Using IP addressing from different classful IP address ranges alone would not cause an issue with the ISA configuration as described within the scenario.]

[C: Each network, the internal and the external, may or may not use different DNS or WINS servers for name resolution but the use of different DNS servers alone would not cause an issue with the ISA configuration as described within the scenario.]

[D: You need to configure a static IP address and subnet mask for the NIC that is attached to the internal network and you need to leave the leave this default gateway blank. The ISA Server needs only one default gateway: the one that is configured on the external interface or interfaces and adding a default gateway on the internal adapter will often cause ISA to malfunction. Having both of the default gateways set to the same IP address would not help.]

[E: Routers and Layer 3 switches function more or less in the same manner and this is not where the issue lies. If it were, clients would never have had any type of connectivity between the different branch offices and the main office branch would be able to connect to the Internet because the clients there sit on the same subnet.]

[F: Although Layer 2 and Layer 3 switches function differently, this is not where the issue lies. If it were, clients would never have had any type of connectivity between the different branch offices and the main office branch would be able to connect to the Internet because the clients there sit on the same subnet.]

There are only two ways to successfully configure client systems to use ICF. One way is to go to the Internet Protocol (TCP/IP) Properties dialog box, click Obtain an IP address automatically, and then click OK. The only other way is to manually configure a unique static IP address in the range of 192.168.0.2 to 192.168.0.254. Any other IP address configuration will disrupt the clients' ability to use the ICF system to connect to the Internet.

[A: The client systems could be manually configured with IP addresses from part of the reserved private IP address range of Class C addresses (addresses 192.168.0.2 to 192.168.0.254 are applicable) and be able to use the ICF system to connect to the Internet, but the Class A range would not work by default.]

[B: Manually configuring the clients with IP addresses from the reserved range that APIPA utilizes (169.254.0.1 through 169.254.255.254) with a subnet mask of 255.255.0.0 will not allow the systems to connect to the Internet via the ICF configured system.]

[D: DHCP will not allow the clients to successfully connect to the Internet via the ICF system unless they specifically hand out addresses from the Class C private range of 192.168.0.2 to 192.168.0.254. There are only two ways to successfully configure client systems to use ICF; one way is to go to the Internet Protocol (TCP/IP) Properties dialog box, click Obtain an IP address automatically, and then click OK. The only other way is to manually configure a unique static IP address in the Class C private range of 192.168.0.2 to 192.168.0.254. Any other IP address configuration will disrupt the clients' ability to use the ICF system to connect to the Internet.]

{E: Routers and Layer 3 switches function more or less in the same manner and this is not where the issue lies. If it were, clients would never have had any type of connectivity between the different branch offices and the main office branch would be able to connect to the Internet because the clients there sit on the same subnet.]

[F: Although Layer 2 and Layer 3 switches function differently, this is not where the issue lies. If it were, clients would never have had any type of connectivity between the different branch offices and the main office branch would be able to connect to the Internet as the clients there sit on the same subnet.]

IPCONFIG /FlushDNS must be run at a command prompt on all of the client systems to purge the DNS Resolver cache on the local system. This forces the local systems to make new name resolution lookups to DNS to connect to other systems, because the cache is always checked first. With the cache empty, the client systems are forced to request a new name resolution.

[A: Although this action will flush the DNS Resolver cache on the local DNS system, it will do nothing for the individual client systems.]

[C & D: The complete command that should be run on the client systems is IPCONFIG /FlushDNS.]

[E: The complete command that should be run on the client systems is IPCONFIG /FlushDNS. Running this on the WINS server will not force client systems to re-register their names with WINS or DNS.]

There are only two ways to successfully configure client systems to use ICF. One way is to go to the Internet Protocol (TCP/IP) Properties dialog box, click Obtain an IP address automatically, and then click OK. The only other way is to manually configure a unique static IP address in the range of 192.168.0.2 to 192.168.0.254, which is already in use in the main office. Any other IP address configuration will disrupt the clients' ability to use the ICF system to connect to the Internet.

[A: Manually configuring the clients with IP addresses from the reserved range used by APIPA (169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0) will not allow the systems to connect to the Internet via the ICF configured system.]

[C: DHCP will not allow the clients to successfully connect to the Internet via the ICF system unless they specifically hand out addresses from the Class C private range of 192.168.0.2 to 192.168.0.254. There are only two ways to successfully configure client systems to use ICF. One way is to go to the Internet Protocol (TCP/IP) Properties dialog box, click Obtain an IP address automatically, and then click OK. The only other way is to manually configure a unique static IP address in the Class C private range of 192.168.0.2 to 192.168.0.254. Any other IP address configuration will disrupt the clients' ability to use the ICF system to connect to the Internet.]

[D: Routers and Layer 3 switches function more or less in the same manner and this is not where the issue lies. If it were, clients would never have had any type of connectivity between the different branch offices and the main office branch would be able to connect to the Internet as the clients that sit on the same subnet.]

[E: Although Layer 2 and Layer 3 switches function differently, this is not where the issue lies. If it were, clients would never have had any type of connectivity between the different branch offices and the main office branch would be able to connect to the Internet as the clients that sit on the same subnet.]

For the DNS servers to be located in this subnet for use, they would have to have an address from 189.17.144.1 through 189.17.145.254. They have addresses of 189.17.143.1 and 189.17.143.2 which, at the very least, put them outside of this subnet. One way to prove this in the real world would be to get the IP resolution of sales.gunderville.com from a system that could resolve the name and PING the IP address from SERVER12, which would have returned a response. This would have also proved that the default gateway was correct as the server would have been reachable. The issue with SERVER12 is that it cannot resolve DNS names.

[A: For the 189.17.144.0 range of IP addresses with a subnet mask of 255.255.254.0, you can use any available addresses from 189.17.144.1 through 189.17.145.254 as a default gateway. There is nothing here to prove that this address is not correct and it is in the correct range of available addresses to be correct.]

[B: If this were the case, the server would not be able to contact the systems on the subnet nor, in most cases, would other clients local and remote, be able to contact the server.]

[C: If this were the case, there would be trouble reaching other systems in this subnet and not just this one server.]

[E: This is not the case, as has been proven by SERVER12's ability to PING SERVER01 on the local subnet.]

For the 189.17.144.0 range of IP addresses with a subnet mask of 255.255.254.0, you can use any available addresses from 189.17.144.1 through 189.17.145.254 as a default gateway. Because the IP address of the gateway is 189.17.143.99, this would be incorrect for systems on this subnet.

[B: If this were the case, the server would not be able to contact the systems on the subnet nor, in most cases, would other clients local and remote, be able to contact the server.]

[C: If this were the case, there would be trouble reaching other systems in this subnet and not just this one server.]

[D: For the DNS servers to be located in this subnet for use, they would have to have an address from 189.17.144.1 through 189.17.145.254 which is the case. One way that this was proven in the question is that DNS resolved the sales.gunderville.com name to its IP address of 189.17.143.12.]

[E: This is not the case, as has been proven by SERVER12's ability to PING SERVER01 on the local subnet.]

Because there is only one domain controller at each location, this does represent a single point of failure. If the WAN link was unavailable and the DC went offline for some reason, there would a loss of this network resource at this one site.

Although there are two DHCP servers at the main location with the proper division of all of the scopes, this does represent a single point of failure. If the WAN link was unavailable, there would a loss of this network resource at all of the remaining sites.

Answer D is also a single point of failure between the sites. If any of the connections between the branch offices goes down, those offices are segmented from the other parts of the network.

[A: There are two DNS servers at each location. The WAN link and one DNS server could go offline and the clients would still be able to resolve DNS locally.]

[E: Because there are two WINS servers at each location, the loss of a single WINS server and the WAN link would not prevent clients at the branch office from resolving NetBIOS names.]

This would need to be considered, but mainly as an afterthought. The plans call for a local DNS server at each remote location and there are already redundant network paths back to the main office but further consideration is needed.

Backup schedules and types need to be considered for the DNS servers that will be deployed.

You need to plan which DNS servers will forward requests to the ISP DNS servers or to the Internet root servers for resolution. In certain designs, this may be one particular DNS server or any may be allowed to forward external requests directly.

[A: At this point, you would not need to consider the number of DNS zones that the DNS server is expected to host as this has already been done.]

[C: At this point, you would not need to consider the placement of DNS servers as this has already been done.]

A zone replication scope setting of all domain controllers in the Active Directory domain is needed when there are Windows 2000 DNS servers in use. This setting will replicate the zone data to all domain controllers in the Active Directory domain.

[A: A zone replication scope setting of all DNS servers in the Active Directory forest would replicate the data to all DNS servers running on domain controllers in the Active Directory forest.]

[B: A zone replication scope setting of all DNS servers in the Active Directory domain would force the replication of zone data to all DNS servers running on domain controllers in the Active Directory domain and is the default setting for Active Directory-integrated DNS zone replication in the Windows Server 2003 family. This is not the correct choice for this question because there are Windows 2000 Server domain controllers/DNS servers in use on this network.]

[D: A zone replication scope setting of all domain controllers in a specified application directory partition allows the DNS zone data to be replicated with a specified application directory partition. For a DNS zone to be stored in the specified application directory partition, the DNS server hosting the zone must be enlisted in the specified application directory partition.]

[B: You would not be able to access the necessary properties pages of the DNS servers from Active Directory Users and Computers.]

[C: You cannot enable a DNS zone to use a forwarder; only the specific DNS server can be configured to forward requests. Zones cannot do this.]

[F: There is nowhere on the Start of Authority tab for you to perform this action. You cannot enable a DNS zone to use a forwarder or to forward external requests; this can be done only via the DNS server.]

[B: You would not be able to access the necessary properties pages of the DNS server from Active Directory Users and Computers.]

[C: You cannot enable logging of a DNS zone by way of the DNS MMC; only the specific DNS server can be configured for logging.]

[D: Although this action can be completed on the Event Logging tab of the DNS server's property pages it cannot be done on the Start of Authority tab of the DNS zone.]

[F: The Security tab is where you set administrative access permissions for the DNS server itself, not where you would enable additional logging.]

Windows Server 2003 DNS Server and Client services have been tested with 4.9.7, 8.1.2, 8.2, and 9.1.0 versions of Berkeley Internet Name Domain (BIND) DNS server implementations and they are compatible to interoperate in a Windows Server 2003 DNS configuration. Version 4.9.7 does support SRV records.

BIND 4.9.7 supports fast zone transfer. When transferring DNS zone updates between two Windows DNS servers, the DNS server service always uses a fast transfer method that uses compression and this is actually different that incremental zone transfers which just sends the zone change information. Windows Server 2003 DNS servers can be configured to update zone information in the uncompressed transfer format for BIND servers prior to version 4.9.4 which do not support fast zone transfers.

[B: Windows Server 2003 DNS Server and Client services have been tested with 4.9.7, 8.1.2, 8.2, and 9.1.0 versions of Berkeley Internet Name Domain (BIND) DNS server implementations and they are compatible to interoperate in a Windows Server 2003 DNS configuration. Version 4.9.7 does not support dynamic updates.]

[C: Windows Server 2003 DNS Server and Client services have been tested with 4.9.7, 8.1.2, 8.2, and 9.1.0 versions of Berkeley Internet Name Domain (BIND) DNS server implementations and they are compatible to interoperate in a Windows Server 2003 DNS configuration. None of the versions of BIND support WINS and WINS-R records.]

[D: Windows Server 2003 DNS Server and Client services have been tested with 4.9.7, 8.1.2, 8.2, and 9.1.0 versions of Berkeley Internet Name Domain (BIND) DNS server implementations and they are compatible to interoperate in a Windows Server 2003 DNS configuration. Although all the other versions of BIND support incremental zone transfer, versions 8.2 and 4.9.7 do not.]

For server systems with manually assigned IP addresses, you must manually set the preferred primary and secondary WINS servers on the TCP/IP Properties pages. These servers would default to H-node resolution type, which means they would start off using P-node (peer-to-peer) and attempt to resolve the NetBIOS name via the WINS server; however, in the event the WINS server could not resolve the name, the H-node would attempt a B-node resolution (broadcast) as a second attempt.

By using the DHCP server advanced options to configure the client systems with the Primary and Secondary WINS servers that should be used by identifying option 044 for the WINS server and option 046 for the WINS node type, you will have accomplished this task with the least amount of administrative effort for your client systems in the domain.

[A: This could be done, but it is not the least amount of administrative effort. Also, this would not allow you to set the WINS node type on the system; (it will default to hybrid, sometimes referred to as H-node or by its 0x8 setting, for manually configured systems) it would allow you only to manually configure the IP addresses of the WINS servers.]

[C & D: The entire reason for using a WINS server is to work out the issues with resolving NetBIOS names through IP broadcasts and static mappings kept in LMHOSTS and HOSTS files. You would not want to use this file to identify the IP address of the preferred WINS server for the clients and the mappings would in no way force the clients to use the WINS servers over broadcasts.]

[F: This would allow your DNS server to use WINS forward lookups and although this may help cut back on some WINS traffic from some of your newer client systems, such as Windows 2000 and XP Professional, it will not resolve your issues with legacy systems such as NT4 and 9x.]

This configuration is called a hub-and-spoke replication topology where all of the WINS servers replicate their data via push/pull configuration with one central WINS server (in this example WINSMAIN1). This is the fastest replication topology configuration that can be set up in an effort to minimize convergence times.

[A: It will take longer for all of the updates to go around to WINS3 and then to WINSMAIN2 for it to push/pull with WINSMAIN1.]

[B: It will take longer for all of the updates to go around to WINS3 and then to WINSMAIN2 for it to push updates to WINSMAIN1. Also with push updates only if the name registrations do not reach the fixed execution number they will not be sent.]

[C: It will take longer for all of the updates to go around to WINS3 and then to WINSMAIN2 for it to push updates to WINSMAIN1. Also with push updates only, if the name registrations do not reach the fixed execution number, they will not be sent. So WINS3 would push updates only when the predetermined number of updates was reached; if this number was 100 and there were only 50 updates, WINSMAIN2 would not receive the information in a timely manner.]

[D & F: A full hub and spoke push pull configuration is best.]

The #DOM keyword can be used in LMHOSTS files to distinguish a domain controller from other servers on the network by inputting the IP address of the domain controller and the NetBIOS name in the LMHOSTS file with the #DOM keyword, a colon, and the domain name. #DOM entries need to be preloaded in the cache by using the #PRE keyword.

[A: The #PRE keyword is not present. #DOM entries need to be preloaded in the cache by using the #PRE keyword.]

[C: The NetBIOS name and IP address information has been reversed.]

[D: The NetBIOS name and IP address information has been reversed and the #PRE keyword is not present. #DOM entries need to be preloaded in the cache by using the #PRE keyword.]

[E: The #DOM keyword is missing.]

When dynamic resource records (RRs) are not properly updated in a DNS zone, this will often cause name resolution issues with the DNS server that is still maintaining the older information.

Just as with any manual entry made by a person, there is always the chance the incorrect information is entered.

DNS servers will sometimes reference their own cache information to resolve a DNS query for a zone they are not authoritative for but have previously resolved. If this networked resource has had its IP addressing information changed and the DNS cache is still alive but has the wrong IP address information the DNS server will often resolve that the server is no longer available when it actually is just at a new IP address.

[B: If the IP address of the DNS server was updated and clients were not made aware of the update, they would not be able to use the DNS server at all.]

[E: There are going to be very few instances where SRV records on the DNS server have been manually updated, but even if they are, this will normally not be the cause of incorrect domain name resolution on the DNS server.]

For the DNS servers to be located in this subnet for use, they need an address from 189.17.144.1 through 189.17.145.254. They have addresses of 189.17.143.1 and 189.17.143.2 which at the very least put them outside of this subnet. One way to prove this in the real world would have been to get the IP resolution of sales.gunderville.com from a system that could resolve the name and PING the IP address from FILEPRINT06 which would have returned a response. This would have also proved that the default gateway was correct as the server would have been reachable. This issue with FILEPRINT06 is that it cannot resolve DNS names.

[A: This is not the case as has been proven by FILEPRINT06's ability to PING SYS67 on the local subnet.]

[C: For the 189.17.144.0 range of IP addresses with a subnet mask of 255.255.254.0, you can use any available addresses from 189.17.144.1 through 189.17.145.254 as a default gateway. There is nothing here to prove that this address is not correct and it is in the correct range of available addresses to be correct.]

[D: If this were the case, the server would not be able to contact the systems on the subnet nor, in most cases, would other clients local and remote, be able to contact the server.]

[E: If this were the case, there would be trouble reaching other systems in this subnet and not just this one server.]

The 255.255.255.128 subnet mask is being used to allow for 126 clients on a possible 512 subnets because 60 hosts per subnet are needed for now and the plans call for assuming growth of up to 69 to 70 hosts in total per subnet. This means that any dynamically updating update protocol will need to support Classless Inter-Domain Routing (CIDR) or Variable Length Subnet Masks (VLSM). RIPv2 does allow for this. RIP versions 1 and 2 are best used on medium-sized networks with about 50 routers maximum, and the maximum number of routers (hops) that any IP packet must cross is less than 16. Destination addresses that are 16 or more hops away are unreachable from RIP routers. Because there are only 14 hops at the most and 45 routers in total RIPv2 can be used.

OSPF protocol is a better choice than either version of RIP when the network is designed with redundant paths between different locations or when the number of subnets in the overall design has more than 50 routers in use or when remote locations are farther than 16 hops away but it can be used in this scenario as well.

[A: The 255.255.255.128 subnet mask is being used to allow for 126 clients on a possible 512 subnets because 60 hosts per subnet are needed for now and the plans call for assuming growth of up to 69 to 70 hosts in total per subnet. This means that any dynamically updating update protocol will need to support Classless Inter-Domain Routing (CIDR) or Variable Length Subnet Masks (VLSM). RIPv1 does not allow for this. Also RIP versions 1 and 2 are best used on medium-sized networks with about 50 routers maximum, and the maximum number of routers (hops) that any IP packet must cross is less than 16. Destination addresses that are 16 or more hops away are unreachable from RIP routers. Although there are only 14 hops at the most and 45 routers in total RIPv1 cannot be used.]

[D: Interior Gateway Protocols (IGP), such as RIP or OSPF, are used to exchange routing information within their networks. IGP is not something that could be used per se in the place of RIP or OSPF.]

TTL boundaries prevent the forwarding of IP multicast traffic with a TTL less than a specified value and they apply to all multicast packets regardless of the multicast group. A TTL setting of 15 for a scope prevents the forwarding of IP multicast traffic that is intended to be restricted to the site. A higher time to live such as 63 for regional or 127 for worldwide for example would be routed forward.

[B & C: TTL setting of 1 or 63 restricts the multicast traffic to the same subnet.]

[D: TTL setting of 127 forwards the multicast traffic worldwide.]

[E: TTL setting of 191 forwards the multicast traffic worldwide with limited bandwidth.]

[F: TTL setting of 255 forwards the multicast traffic totally unrestricted in scope.]

You would need to access a specific server where the Remote Access Policy is to be enabled.

If remote access has not been previously configured on the system, you will need to click Configure and Enable Routing and Remote Access on the Action menu and then follow the steps in the Routing and Remote Access Server Setup Wizard. If this has already been done, the next step is to go to Remote Access Policies in the tree pane and either right click it or go to Action to create a new Remote Access Policy.

Once you have started the process of creating a new policy, you can either set up a custom policy or allow the wizard to continue configuring a typical policy for a common scenario.

[B: This would not allow you to access the Remote Access Policies from the available object subcategories.]

[C: You will not be able to go to Action to create a new Remote Access Policy from the Active Directory Users and Computers MMC.]

[F: You are not required to manually enter all of the specific information for the policy only because you can either setup a custom policy or allow the wizard to continue configuring a typical policy for a common scenario.]

The Resource Reservation Protocol (RSVP) uses IP protocol 46 and is used to provide Quality Of Service (QoS) and it cannot be secured via IPSec because RSVP needs to allow QOS markings for traffic that may be secured by IPSec.

Broadcast IP traffic from one host system to many hosts that are unknown to the sender cannot be secured by IPSec.

IPSec tunnel-mode filters cannot process multicast or broadcast packets but they can handle unicast traffic.

[B: One thing to remember about IPSec tunnels is that they can secure unicast IP traffic. IPSec tunnel-mode filters cannot process multicast or broadcast packets but they can handle unicast traffic.]

[D: DNS can be successfully encrypted by using IPSec tunnel-mode filters which makes this choice incorrect.]

[F: You cannot use IPSec to encrypt traffic to a DHCP server. When clients first come online and attempt to get an IP address they broadcast to the DHCP server which cannot handle the broadcast packets. Packet filtering to a DHCP server is possible but not encryption for the broadcast reason.]

By default, Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators all have the Allow log on locally user right.

Because there is only one domain controller at each location, this does represent a single point of failure. If the WAN link was unavailable and the DC went offline for some reason, there would a loss of this network resource at this one site.

Although there are two DHCP servers at the main location with the proper division of all of the scopes, this does represent a single point of failure. If the WAN link was unavailable, there would a loss of this network resource at all of the remaining sites.

WAN link is also a single point of failure between the sites. If any of the connections between the branch offices goes down, those offices are segmented from the other parts of the network.

[A: There are two DNS servers at each location. The WAN link and one DNS server could go offline and the clients would still be able to resolve DNS locally.]

[E: Because there are two WINS servers at each location, the loss of a single WINS server and the WAN link would not prevent clients at the branch office from resolving NetBIOS names.]

Having a trusted public entity authorize your certificates for public use is the best way to handle the entire scope of needs for this scenario.

[A: Although it may be better to run and control your own PKI to issue and manage your digital certificates, if you plan to use your certificates outside of you organization, setting up and maintaining an internal PKI can be a difficult undertaking.]

[B: It would not necessarily meet all of the needs for your environment.]

[C: You would not be able to add a third-party authentication service to your Windows Server 2003 system that is configured as a CA to issue and manage your digital certificates.]