Study Guides and Actual Real Exam Questions For Oracle OCP, MCSE, MCSA, CCNA, CompTIA



Braindumps for "70-296" Exam

Great dump in itcertkeys

 Question 1.
You are a network administrator for ITCertKeys. The network contains two Windows Server 2003 computers named ITCertKeysA and ITCertKeysB. These servers host an intranet application. Currently, 40 users connect to ITCertKeysA and 44 users connect to ITCertKeysB.

The company is adding 35 employees who will need access to the intranet application. Testing shows that each server is capable of supporting approximately 50 users without adversely affecting the performance of the application.

You need to provide a solution for supporting the additional 35 employees. The solution must include providing server fault tolerance. You need to minimize the costs and administrative effort required by your solution.

You add a new server named ITCertKeysC to the network and install the intranet application on ITCertKeysC.
What else should you do?

A. Use Network Load Balancing Manager to configure ITCertKeysA, ITCertKeysB, and 
      ITCertKeysC as a Network Load Balancing cluster.
B. Use Cluster Administrator to configure ITCertKeysA, ITCertKeysB, and ITCertKeysC as a 
     three-node server cluster. Use the Majority Node Set option.
     Configure the cluster so that all three nodes are active.
C. Use Cluster Administrator to configure ITCertKeysA, ITCertKeysB, and ITCertKeysC as a 
    three-node server cluster.
    Configure the cluster so that two nodes are active and one node is a hot standby node.
D. Use DNS load balancing to utilize all three servers by using the same virtual server name.

Answer: A

Explanation: 
We can use Network Load Balancing to balance the load on the three web servers.

Reference: 
Deploying Network Load Balancing
Overview of the NLB Deployment Process

A Network Load Balancing cluster comprises multiple servers running any version of the Microsoft® Windows® Server 2003 family, including Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Datacenter Edition, and Windows Server 2003 Web Edition.

Clustering allows you to combine application servers to provide a level of scaling, availability, or security that is not possible with an individual server. Network Load Balancing distributes incoming client requests among the servers in the cluster to more evenly balance the workload of each server and prevent overload on any one server. To client computers, the Network Load Balancing cluster appears as a single server that is highly scalable and fault tolerant.

The Network Load Balancing deployment process assumes that your design team has completed the design of the Network Load Balancing solution for your organization and has performed limited testing in a lab. After the design team tests the design in the lab, your deployment team implements the Network Load Balancing solution first in a pilot environment and then in your production environment.

Upon completing the deployment process presented here, your Network Load Balancing solution (the Network Load Balancing cluster and the applications and services running on the cluster) will be in place. For more information about the procedures for deploying Network Load Balancing on individual servers, see the appropriate Network Load Balancing topics in Help and Support Center for Windows Server 2003.

Incorrect Answers:
B: We already have three servers. A cluster would require different hardware and would thus be
     more expensive.
C: We already have three servers. A cluster would require different hardware and would thus be
    more expensive.
D: Round Robin DNS would load balance the servers, but if one server failed, clients would still
    be directed to the failed server.

Question 2.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory domain named ITCertKeys.com. All domain controllers run Windows Server 2003. All application servers run Windows Server 2003.

Client computers in the accounting department run Windows XP Professional. Client computers in the engineering department run Windows 2000 Professional. Client computers in the sales department run either Windows NT Workstation 4.0 or Windows 98. All client computers access data files on the application server.

You need to plan the method of securing the data transmissions for the client computers. You want to ensure that the data is not modified while it is transmitted between the application servers and the client computers. You also want to protect the confidentiality of the data, if possible.
What should you do?

 

To answer, drag the appropriate method or methods to the correct department’s client computers.

Answer: Sales

 
Explanation
We can use IPSEC on Windows 2000 and Windows XP, but we cannot use IPSEC for legacy clients except for VPNs.

Sales contains Windows NT 4.0 and Windows 98; in this case we use SMB signing.
Windows 2000 and Windows XP support both methods; for security reasons we will use IPSEC rules on them.

SMB signing is supported by Windows 2000 and XP and can be enforced through local policies or domain policies. To support it on legacy clients, you must modify the registry in Windows 98 and Windows NT.

SMB on Windows 98 KB article 230545
Windows 98 includes an updated version of the SMB authentication protocol. However, using SMB signing slows down performance when it is enabled. This setting should be used only when network security is a concern. The performance decrease usually averages between 10-15 percent. SMB signing requires that every packet is signed for and every packet must be verified.

SMB on Windows NT KB article 161372
Windows NT 4.0 Service Pack 3 provides an updated version of the Server Message Block (SMB) authentication protocol, also known as the Common Internet File System (CIFS) file sharing protocol.

IPSEC
The Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets. IPsec was also designed as an administrative tool to enhance the security of communications in a way that is transparent to the programs. Because of this, it provides traffic filtering that is necessary to negotiate security for IPsec transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust was available from the Kerberos service or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used.

IPSEC is not supported on legacy clients; it is supported only for VPN connections.
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

Microsoft L2TP/IPSec VPN Client is a free download that allows computers running Windows 98, Windows Millennium Edition (Me), or Windows NT® Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol security (IPSec).

•	Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up Networking version 1.4 upgrade.

•	Windows Me with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later)
•	Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later)

Question 3.
You are the systems engineer for ITCertKeys. The network consists of a single Active Directory domain named ITCertKeys.com. All servers run Windows Server 2003. A Windows Server 2003 computer named ITCERTKEYSDNS1 functions as the internal DNS server and has a zone configured as shown in the exhibit.


The network is not currently connected to the Internet. ITCertKeys maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named ITCertKeys.com. The ITCertKeys.com zone is hosted by a UNIX-based DNS server named UNIXDNS, which is running the latest version of BIND.

The company plans to allow users of the internal network to access Internet-based resources. The company’s written security policy states that resources located on the internal network must never be exposed to the Internet. The written security policy states that the internal network’s DNS namespace must never be exposed to the Internet. To meet these requirements, the design specifies that all name resolution requests for Internet-based resources from computers on the internal network must be sent from ITCERTKEYSDNS1. The current design also specified that UNIXDNS must attempt to resolve any name resolution requests before sending them to name servers on the Internet.

You need to plan a name resolution strategy for Internet access. You need to configure ITCERTKEYSDNS1 so that it complies with company requirements and restrictions.
What should you do?

A. Delete the root zone from ITCERTKEYSDNS1.
    Configure ITCERTKEYSDNS1 to forward requests to UNIXDNS.
B. Copy the Cache.dns file from the Windows Server 2003 installation CD-ROM to the
    C:\Windows\System32\Dns folder on ITCERTKEYSDNS1.
C. Add a name server (NS) resource record for UNIXDNS to your zone.
    Configure UNIXDNS with current root hints.
D. On ITCERTKEYSDNS1, configure a secondary zone named ITCertKeys.com that uses
    UNIXDNS as the master server.
    Configure UNIXDNS to forward requests to your ISP’s DNS servers.

Answer: A

Explanation: 
We need to delete the root zone from the internal DNS server. This will enable us to configure
the server to forward internet name resolution requests to the external DNS server (UNIXDNS).

A DNS server configured to use a forwarder will behave differently than a DNS server that is not configured to use a forwarder. A DNS server configured to use a forwarder behaves as follows:
1. When the DNS server receives a query, it attempts to resolve this query using the primary and
    secondary zones that it hosts and its cache.
2. If the query cannot be resolved using this local data, then it will forward the query to the DNS
    server designated as a forwarder.
3. The DNS server will wait briefly for an answer from the forwarder before attempting to contact
    the DNS servers specified in its root hints.

Incorrect Answers:
B: The Cache.dns file contains the IP addresses of the internet root DNS servers. We don’t want
     the internal DNS server to query the root DNS servers, so we don’t need the cache.dns file.
C: Unixdns already has root hints. An NS record on the internal DNS server won’t fulfil the
     requirements of the question.
D: We don’t need a secondary zone on the internal DNS server. All external resolution requests 
     must be forwarded to the external DNS server.

Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question 4.
You are the system engineer for ITCertKeys. The network consists of a single Active Directory domain named ITCertKeys.com. All servers run Windows Server 2003. The network is connected to the Internet by a dedicated T3 line.

ITCertKeys enters into a partnership with another company for a new project. The partner company’s network consists of a single Active Directory forest that contains two domains. All servers in the network run Windows 2003 Server. The partner network is also connected to the Internet by a dedicated T3 line.
The partner network is accessible by a VPN connection that was established between the two networks.

The VPN connection was tested and was verified to provide a functional connection between the two networks. Users from both companies need to connect to resources located on another network. A forest trust relationship exists between the two companies’ forests to allow user access to resources. Users in your company report that they can access resources on the partner network, but that it can take up to several minutes for the connection to be established. This problem is most pronounced during the morning.

You verify that there is sufficient available bandwidth on the connection between the two networks to provide access. You also verify that both network’s routing tables are configured correctly to route requests to the appropriate destinations. When you attempt to connect to a server in the partner network by host name by using the ping command, the connection times out. However, when you attempt to connect to the server a second time by IP address by using the ping command, you receive a response within a few seconds. You need to improve the performance of the network connection between the two networks.
What should you do?

A. Add the partner network’s domain names and DNS server addresses to the forwarders list on 
     your DNS servers.
B. Update the root hints list on your DNS servers to include the host names and IP addresses of 
     the partner network’s DNS servers.
C. Disable recursion on the DNS servers in both companies’ networks.
D. Add the partner network’s DNS server addresses to the 006 DNS Servers scope option in your 
    DHCP scope.

Answer: A

Explanation: 
It is taking a long time to locate resources on the other network. This is because name resolution
requests are being passed to the internet root servers, then down through the internet DNS hierarchy before the request finally reaches the appropriate DNS server. We can speed up this process by using conditional forwarding. This would enable resolution requests for resources in the partner network to be forwarded directly to the partner’s DNS server.

Conditional forwarders
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Incorrect Answers:
B: The root hints are used to locate internet root DNS servers.
C: This won’t help. It would mean that the internal DNS servers wouldn’t forward external
     resolution requests to other DNS servers such as the root servers.
D: The partner network’s DNS servers would never be used unless the local DNS server failed.

Question 5.
You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest. The functional level of the forest is Windows Server 2003. The forest root domain is contoso.net. Contoso, Ltd. recently merged with another company named ITCertKeys, whose network consists of a single Active Directory forest. The functional level of the ITCertKeys forest is Windows Server 2003.

The forest root domain for ITCertKeys is ITCertKeys.com. You need to create a forest trust relationship between the two forests. Each company has dedicated connections to the Internet.

You need to configure DNS to support the forest trust relationship. You want to maintain Internet name resolution capability for each company’s network.
What should you do?

A. Configure the contoso.net DNS servers to forward to the ITCertKeys.com DNS servers.
    Configure the ITCertKeys.com DNS servers to forward to the contoso.net DNS servers.
B. Configure conditional forwarding of ITCertKeys.com on the contoso.net DNS servers to the 
     ITCertKeys.com DNS servers.
    Configure conditional forwarding of contoso.net on the ITCertKeys.com DNS servers to the  
     contoso.net DNS servers.
C. Configure a standard primary zone for ITCertKeys.com on one of the contoso.net DNS  
     servers. Configure a standard primary zone for contoso.net on one of the ITCertKeys.com 
     DNS servers.
D. Configure an Active Directory-integrated zone for ITCertKeys.com on the contoso.net DNS  
     servers. Configure an Active Directory-integrated zone for contoso.net on the ITCertKeys.com 
     DNS servers.

Answer: B

Explanation: 
This is a typical scenario for conditional forwarding.

Conditional forwarders. 
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Incorrect Answers:
A: We don’t want ALL resolution requests to be forwarded to the other DNS servers.
C: We can’t host primary zones on multiple servers.
D: We can’t host AD-integrated zones on DNS servers in a different forest.
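
The resolution order from Question 3 and the conditional forwarding used in Questions 4 and 5 can be modelled in a few lines. This is an added example, not part of the original dump and not Windows DNS code: it is a simplified model that ignores the cache and delegations, and every zone name, server name and address in it is constructed.

```python
"""Simplified model of DNS query routing: hosted zones, forwarders, root hints.

Added illustration only. Cache and delegations are not modelled, and all
names and addresses below are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field

UNIXDNS = "192.0.2.10"         # constructed: perimeter BIND server (Question 3)
PARTNER_DNS = "198.51.100.53"  # constructed: partner forest DNS (Questions 4, 5)
ROOT_HINT = "203.0.113.1"      # constructed stand-in for an Internet root server


def labels(name):
    """Lower-case labels of a DNS name; the root zone "." has none."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_within(qname, zone):
    """True if qname is the zone apex or below it, compared label by label."""
    q, z = labels(qname), labels(zone)
    return len(z) <= len(q) and q[len(q) - len(z):] == z


@dataclass
class DnsServerModel:
    hosted_zones: list = field(default_factory=list)
    conditional_forwarders: dict = field(default_factory=dict)  # domain -> [IPs]
    default_forwarders: list = field(default_factory=list)
    root_hints: list = field(default_factory=list)

    def best_match(self, qname, zones):
        """Most specific zone (most labels) that contains qname, or None."""
        hits = [z for z in zones if is_within(qname, z)]
        return max(hits, key=lambda z: len(labels(z)), default=None)

    def route(self, qname):
        """Ordered (step, targets) list the server works through for qname."""
        zone = self.best_match(qname, self.hosted_zones)
        if zone is not None:
            # Step 1: local zone data. A hosted root zone "." contains every
            # name, so nothing is ever forwarded while it exists.
            return [("local", [zone])]
        steps = []
        domain = self.best_match(qname, self.conditional_forwarders)
        if domain is not None:
            # Step 2, conditional case: only names under the listed domain.
            steps.append(("conditional-forwarder",
                          list(self.conditional_forwarders[domain])))
        elif self.default_forwarders:
            # Step 2, plain forwarder: every name not answered locally.
            steps.append(("forwarder", list(self.default_forwarders)))
        if self.root_hints:
            # Step 3: fall back to root hints if the forwarder does not answer.
            steps.append(("root-hints", list(self.root_hints)))
        return steps


def first_hop(server, qname):
    """Where the query is answered or sent first, or None if nowhere."""
    steps = server.route(qname)
    return steps[0] if steps else None


def build_scenarios():
    """Constructed servers mirroring Questions 3 and 5."""
    return {
        # Q3 before the fix: the internal server still hosts the root zone.
        "q3_root_zone": DnsServerModel(
            hosted_zones=[".", "corp.example"],
            default_forwarders=[UNIXDNS]),
        # Q3 answer A: root zone deleted, requests forwarded to UNIXDNS.
        "q3_forwarding": DnsServerModel(
            hosted_zones=["corp.example"],
            default_forwarders=[UNIXDNS]),
        # Q5 answer A: forward everything to the partner's DNS servers.
        "q5_forward_all": DnsServerModel(
            hosted_zones=["contoso.net"],
            default_forwarders=[PARTNER_DNS],
            root_hints=[ROOT_HINT]),
        # Q5 answer B: conditional forwarding for the partner domain only.
        "q5_conditional": DnsServerModel(
            hosted_zones=["contoso.net"],
            conditional_forwarders={"itcertkeys.com": [PARTNER_DNS]},
            root_hints=[ROOT_HINT]),
    }


if __name__ == "__main__":
    servers = build_scenarios()
    for name, qname in [
        ("q3_root_zone", "www.example.org"),
        ("q3_forwarding", "www.example.org"),
        ("q5_forward_all", "www.example.org"),
        ("q5_conditional", "dc1.ITCertKeys.com"),
        ("q5_conditional", "www.example.org"),
        ("q5_conditional", "www.notitcertkeys.com"),
    ]:
        print(f"{name:16} {qname:24} -> {servers[name].route(qname)}")
```

The label-by-label comparison matters for the conditional case: a name such as www.notitcertkeys.com shares a text suffix with the partner domain but is not inside it, so the model does not send it to the partner's servers.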

Question 6.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory forest that contains three domains. Each domain contains domain controllers that run Windows 2000 Server and domain controllers that run Windows Server 2003. The DNS Server service is installed on all domain controllers. All client computers run Windows XP Professional.

You need to add an additional DNS zone that is hosted on at least one DNS server on each domain. You want to configure the zone to allow secure updates only.
What should you do?

A. Configure the new zone on DNS servers in the root domain.
    Configure stub zones that refer to DNS servers in another two domains.
B. Configure the new zone as a primary zone on one DNS server.
    Configure other DNS servers in the three domains as secondary servers for this zone.
    Enable the DNS Security Extensions (DNSSEC) protocol.
C. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three    
    domains. Store the zone data in the DNS directory partition named DomainDNSZones.
D. Configure the new zone as an Active Directory-integrated zone on DNS servers in the three 
    domains. Store the zone data in the DNS directory partition named ForestDNSZones.

Answer: D

Explanation: 
To enable secure updates, we need an Active Directory integrated zone. To replicate to the DNS
servers in the other domains, the zone must be installed on a Windows 2003 domain controller in each domain. During the configuration of the zone, you can select the option to replicate the zone information to all domain controllers in the forest; this will store the zone data in the DNS directory partition named Forest DNS Zones.

Incorrect Answers:
A: We need Active Directory integrated zones, not stub zones.
B: Secondary zones are not writeable and so cannot accept updates.
C: If we store the zone data in the DNS directory partition named Domain DNS Zones, it will only
    be replicated in a single domain, not the entire forest.

Question 7.
You are the systems engineer for ITCertKeys GmbH. The network consists of three Windows NT 4.0 domains in a master domain model configuration. The servers on the network run either Windows NT Server 4.0 or Windows 2000 Server. All domain controllers run Windows NT Server 4.0.

The network also contains 10 UNIX-based application servers. All host name resolution services are provided by a UNIX-based server running the latest version of BIND, which currently hosts the zone for the ITCertKeys.com domain. All NetBIOS name resolution services are provided by two Windows 2000 Server WINS servers.

The company is in the process of migrating to a single Windows Server 2003 Active Directory domain-based network. The new domain is named ITCertKeys-ad.com, and it will be hosted in an Active Directory-integrated zone that is stored on the domain controllers. Servers that are not domain controllers will not be updated at this time. The migration plan requires that all computers must use DNS to resolve host names and computer redundancy for the Windows-based DNS servers.

You upgrade the domain controllers in the master domain to Windows Server 2003. You also migrate all user and computer accounts to the new Active Directory domain. The DNS zone on the Windows Server 2003 computers is configured as shown in the exhibit.

 

You now need to configure the required redundancy between the Windows-based DNS servers and the UNIX-based DNS server. You need to ensure that there will be no service interruption on any of the DNS server computers.
Which two actions should you take? (Each correct answer presents part of the solution. 
Choose two)

A. On a Windows Server 2003 DNS server, create a secondary zone that uses the UNIX-based   
     DNS server as the master server.
B. On the UNIX-based DNS server, create a secondary zone that uses a Windows-based DNS 
    server as the master server.
C. On a Windows Server 2003 DNS server, create a stub zone that uses the UNIX-based DNS 
     server as the master server.
D. Add a delegation in the ITCertKeys.com zone that delegates authority of the ITCertKeys-
     ad.com zone to a Windows Server 2003 DNS server.
E. Configure the ITCertKeys-ad.com zone to not replicate WINS-specific resource records during 
     zone transfers.

Answer: B, E

Explanation: 
This is a trick question because it is asking for redundancy for the Windows 2003 DNS servers.
We can provide this by configuring the UNIX DNS server to resolve names in the ITCertKeys-ad.com domain.
With a secondary zone on the UNIX DNS server, the UNIX DNS server will be able to resolve host name resolution requests in the ITCertKeys-ad.com domain. The ITCertKeys-ad.com DNS is configured to query WINS if required. When configuring a UNIX DNS server with a secondary zone, we should configure the zone to not replicate WINS-specific resource records during zone transfers.

Incorrect Answers:
A: This would provide redundancy for the UNIX server; the question isn’t asking for that.
C: This won’t provide any redundancy.
D: ITCertKeys-ad.com isn’t a sub domain of ITCertKeys.com so no delegation is required.

Reference:
William Boswell; Inside Windows Server 2003.

Question 8.
You are the network administrator for ITCertKeys. The network consists of an internal network and a perimeter network. The internal network is protected by a firewall. The perimeter network is exposed to the Internet.

You are deploying 10 Windows Server 2003 computers as Web servers. The servers will be located in the perimeter network. The servers will host only publicly available Web pages.

You want to reduce the possibility that users can gain unauthorized access to the servers. You are concerned that a user will probe the Web servers and find ports or services to attack.
What should you do?

A. Disable File and Printer Sharing on the servers.
B. Disable the IIS Admin service on the servers.
C. Enable Server Message Block (SMB) signing on the servers.
D. Assign the Secure Server (Require Security) IPSec policy to the servers.

Answer: A

Explanation: 
We can secure the web servers by disabling File and Printer sharing.

File and Printer Sharing for Microsoft Networks
The File and Printer Sharing for Microsoft Networks component allows other computers on a network to access resources on your computer by using a Microsoft network. This component is installed and enabled by default for all VPN connections. However, this component needs to be enabled for PPPoE and dial-up connections. It is enabled per connection and is necessary to share local folders. The File and Printer Sharing for Microsoft Networks component is the equivalent of the Server service in Windows NT 4.0. File and Printer sharing is not required on web servers because the web pages are accessed over web protocols such as http or https, and not over a Microsoft LAN.

Incorrect Answers:
B: This is needed to administer the web servers. Whilst it could be disabled, disabling File and
     Printer sharing will secure the servers more.
C: SMB signing is used to verify that the data has not been changed during transit through
     the network. It will not help in reducing the possibility that users can gain unauthorized access
     to the servers.
D: This will prevent computers on the internet accessing the web pages.

Reference:
James Chellis, Paul Robichaux, and Matthew Sheltz; MCSA/MCSE: Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, pp. 393, 394.

Question 9.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory domain named ITCertKeys.com. ITCertKeys’s perimeter network contains 50 Web servers that host the company’s public Internet site. The Web servers are not members of the domain. The network design team completed a new design specification for the security of servers in specific roles.

The network design requires that security settings must be applied to Web servers. These settings include password restrictions, audit settings, and automatic update settings.

You need to comply with the design requirements for securing the Web servers. You also want to be able to verify the security settings and generate a report during routine maintenance. You want to achieve these goals by using the minimum amount of administrative effort.
What should you do?

A. Create a custom security template named Web.inf that contains the required security settings.
    Create a new organizational unit (OU) named WebServers and move the Web servers into the 
     new OU. Apply Web.inf to the WebServers OU.
B. Create a custom security template named Web.inf that contains the required security settings, 
    and deploy Web.inf to each Web server by using Security Configuration and Analysis.
C. Create an image of a Web server that has the required security settings, and replicate the 
     image to each Web server.
D. Manually configure the required security settings on each Web server.

Answer: B

Explanation: 
The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a
security template with all the required settings and import the settings using the Security Configuration and Analysis tool.

Incorrect Answers:
A: The web servers aren’t members of the domain. Therefore they cannot be moved to an OU in
    Active Directory.
C: We cannot use imaging in this way.
D: This is a long way of doing it. A security template would simplify the task.

Reference:
Craig Zacker; MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Question 10.
You are the network administrator for ITCertKeys. The network contains a Windows Server 2003 Web server that hosts the company intranet. The human resources department uses the server to publish information relating to vacations and public holidays. This information does not need to be secure.

The finance department wants to publish payroll information on the server. The payroll information will be published in a virtual directory named Payroll, which was created under the default Web site on the server. The company’s written security policy states that all payroll-related information must be encrypted on the network.

You need to ensure that all payroll-related information is encrypted on the network. To preserve performance, you need to ensure that other information is not encrypted unnecessarily. You obtain and install a server certificate.
What else should you do?

A. Select the Require secure channel (SSL) check box for the default Web site.
B. Assign the Secure Server (Require Security) IPSec policy option for the server.
C. Select the Encrypt contents to secure data check box for the Payroll folder.
D. Select the Require secure channel (SSL) check box for the Payroll virtual directory.

Answer: D

Explanation: 
Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:

Incorrect Answers:
A: This will encrypt all data from the web server. We only need to encrypt the payroll data.
B: This will encrypt all data from the web server. We only need to encrypt the payroll data.
C: This will encrypt the data on the hard disk using EFS. It won’t encrypt the data as it is
     transferred over the network.

Question 11.
You are a network administrator for ITCertKeys Inc. The network consists of a single Active Directory forest as shown in the exhibit.
 

Your company’s written security policy requires that all domain controllers in the child1.ITCertKeys.com domain must accept a LAN Manager authentication level of only NTLMv2. You also want to restrict the ability to start a domain controller to the Domain Admins group.

You need to configure the domain controllers in the child1.ITCertKeys.com domain to meet the new security requirements.
Which two actions should you take? (Each correct answer presents part of the solution. Choose two)

A. Import the Rootsec.inf security template into the Default Domain Controllers Policy Group 
     Policy object (GPO) on the child1.ITCertKeys.com domain.
B. Import the Rootsec.inf security template into the Default Domain Policy Group Policy object 
    (GPO) in the child1.ITCertKeys.com domain.
C. Import the Securedc.inf security template into the Default Domain Controllers Policy Group 
    Policy object (GPO) in the child1.ITCertKeys.com domain.
D. Import the Securedc.inf security template into the Default Domain Policy Group Policy object 
    (GPO) in the child1.ITCertKeys.com domain.
E. Run the system key utility (syskey) on each domain controller in the child1.ITCertKeys.com 
    domain. In the Account Database Key dialog box, select the Password Startup option.
F. Run the system key utility (syskey) on each domain controller in the child1.ITCertKeys.com 
    domain. In the Account Database Key dialog box, select the Store Startup Key Locally  
    option.

Answer: C, E

Explanation:
Secure (Secure*.inf) Template
The Secure templates define enhanced security settings that are least likely to impact application compatibility.
For example, the Secure templates define stronger password, lockout, and audit settings. Additionally, the Secure templates limit the use of LAN Manager and NTLM authentication protocols by configuring clients to send only NTLMv2 responses and configuring servers to refuse LAN Manager responses.

• In order to apply Securews.inf to a member computer, all of the domain controllers that contain
  the accounts of all users that log on to the client must run Windows NT 4.0 Service Pack 4 or
  higher.

The system key utility (SYSKEY)
A security measure used to restrict logon names to user accounts and access to computer systems and resources.
By running the syskey utility with the Password startup option, the account information in the directory services is encrypted and a password needs to be entered during system start. The start of the Domain Controllers is therefore restricted to everybody with this password.

Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/syskey_concept.asp
 

System key option	Relative security level	Description
System Generated Password, Store Startup Key Locally	Secure	Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. This option provides strong encryption of password information in the registry, and it enables the user to restart the computer without the need for an administrator to enter a password or insert a disk.
Administrator generated password, Password Startup	More secure	Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. The key is also protected by an administrator-chosen password. Users are prompted for the system key password when the computer is in the initial startup sequence. The system key password is not stored anywhere on the computer.
System Generated Password, Store Startup Key on Floppy Disk	Most secure	Uses a computer-generated random key and stores the key on a floppy disk. The floppy disk that contains the system key is required for the system to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer.

Incorrect Answers:
A: The Rootsec.inf security template defines permissions for the root of the system drive. This
     template can be used to reapply the root directory permissions to other volumes.
B: The Rootsec.inf security template defines permissions for the root of the system drive. This
     template can be used to reapply the root directory permissions to other volumes.
D: We need to apply the policy to the domain controllers container, not the entire domain.
F: The System Key Utility (syskey) is used to encrypt the account password information that is
    stored in the SAM database or in the directory services. By selecting "Store Key locally" the 
    computer stores an encrypted version of the key on the local computer. This doesn’t help in
    controlling the start of the Domain Controllers.

Reference:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/syskey_concept.asp 

Question 12.
You are a network administrator for ITCertKeys. The network consists of a single Active Directory domain. The domain name is ITCertKeys.com. The network contains three Windows Server 2003 domain controllers.

You are creating the recovery plan for the company. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller.

Your recovery plan must incorporate the following organization requirements:

• Active Directory objects that are accidentally or maliciously deleted must be recoverable.
• Active Directory must be restored to its most recent state as quickly as possible.
• Active Directory database replication must be minimized.

You need to create a plan to restore a deleted organizational unit (OU).
Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two)

A. Restart a domain controller in Directory Services Restore Mode.
B. Restart a domain controller in Safe Mode.
C. Use the Ntdsutil to perform an authoritative restore operation of the Active Directory database.
D. Restore the system state by using the Always replace the file on my computer option.
E. Use the Ntdsutil utility to perform an authoritative restore operation of the appropriate subtree.

Answer: A, E

Explanation: 
If an OU gets deleted from the Active Directory, we can restore it from a backup of the system state data. Directory Services Restore Mode is a sort of safe mode in which we can boot a domain controller without loading the Active Directory. This will enable us to restore all or part of the Active Directory database. To ensure that the deleted OU isn’t deleted again by replication from another domain controller, we must use the Ntdsutil utility to mark the restored subtree as authoritative.

Incorrect Answers:
B: To restore part of the Active Directory, we must start a domain controller in Directory Services
     Restore Mode, not safe mode.
C: We don’t need to restore the entire Active Directory database; we can just restore part of it.
D: This will overwrite the existing Active Directory database.

Question 13.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory domain named ITCertKeys.com. The network contains 10 domain controllers and 50 servers in application server roles. All servers run Windows Server 2003. The application servers are configured with custom security settings that are specific to their roles as application servers. Application servers are required to audit account logon events, object access events, and system events. Application servers are required to have passwords that meet complexity requirements, to enforce password history, and to enforce password aging. Application servers must also be protected against man-in-the-middle attacks during authentication.

You need to deploy and refresh the custom security settings on a routine basis. You also need to be able to verify the custom security settings during audits.
What should you do?

A. Create a custom security template and apply it by using Group Policy.
B. Create a custom IPSec policy and assign it by using Group Policy.
C. Create and apply a custom Administrative Template.
D. Create a custom application server image and deploy it by using RIS.

Answer: A

Explanation:
The easiest way to deploy multiple security settings to a Windows 2003 computer is to create a security template with all the required settings and import the settings into a group policy. We can also use secedit to analyse the current security settings to verify that the required security settings are in place.

Incorrect Answers:
B: An IPSec policy will not configure the required auditing policy.
C: We need a security template, not an administrative template.
D: This will create multiple identical machines. We cannot use RIS images in this scenario.

Question 14.
You are the network administrator for ITCertKeys. The network consists of a single Active Directory domain named ITCertKeys.com. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named ITCertKeys5. You are planning a public key infrastructure (PKI) for the company. You want to deploy a certification authority (CA) on ITCertKeys5.

You create a new global security group named Cert Administrators. You need to delegate the tasks to issue, approve, and revoke certificates to members of the Cert Administrators group. What should you do?

A. Add the Cert Administrators group to the Cert Publishers group in the domain.
B. Configure the Certificates Templates container in the Active Directory configuration naming 
     context to assign the Cert Administrators group the Allow – Write permission.
C. Configure the CertSrv virtual directory on ITCertKeys5 to assign the Cert Administrators 
     group the Allow – Modify permission.
D. Assign the Certificate Managers role to the Cert Administrators group.

Answer: D

Explanation: 
To be able to issue, approve and revoke certificates, the Cert Administrators group needs to be assigned the role of Certificate Manager. The following table describes different roles and their associated permissions.

Roles and groups	Security permission	Description
CA Administrator	Manage CA permission	Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate.
Certificate Manager	Issue and Manage Certificates permission	Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA Officer.
Backup Operator	Back up files and directories and Restore files and directories permissions	Perform system backup and recovery. This is an operating system role.
Auditor	Manage auditing and security log permission	Configure, view, and maintain audit logs. This is an operating system role.
Enrollees	Authenticated Users	Enrollees are clients who are authorized to request certificates from the CA. This is not a CA role.

Incorrect Answers:
A, B, C: Only the Certificate Manager can perform the required tasks.

Reference:
Craig Zacker, MCSE Self-Paced Training Kit (Exam 70-293): Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, pp. 11-4 to 11-8.

Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr. Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA, Chapter 12, p. 890

Question 15.
You are a network administrator for ITCertKeys. The network contains a perimeter network. The perimeter network contains four Windows Server 2003, Web Edition computers that are configured as a Network Load Balancing cluster.

The cluster hosts an e-commerce Web site that must be available 24 hours per day. The cluster is located in a physically secure data center and uses an Internet-addressable virtual IP address. All servers in the cluster are configured with Hisecws.inf templates.
You need to implement protective measures against the cluster’s most significant security vulnerability. What should you do?

A. Use Encrypting File System (EFS) for all files that contain confidential data stored on the 
     cluster.
B. Use packet filtering on all inbound traffic to the cluster.
C. Use Security Configuration and Analysis regularly to compare the security settings on all 
     servers in the cluster with the baseline settings.
D. Use intrusion detection on the perimeter network.

Answer: B

Explanation: 
The most sensitive element in this case is the network card that uses an Internet-addressable virtual IP address. The question doesn’t mention a firewall implementation or an intrusion detection system (usually hardware). Therefore, we should set up packet filtering.

REF: Deploying Network Services (Windows Server 2003 Reskit) Using a Perimeter Network

IP packet filtering
You can configure packet filtering, the earliest implementation of firewall technology, to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information. Packet filtering is a limited technology that works best in clear security environments where, for example, everything outside the perimeter network is not trusted and everything inside is. You cannot use IP packet filtering when IP packet payloads are encrypted because the port numbers are encrypted and therefore cannot be examined.
In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol inspection.

Incorrect Answers:
A: In the case of EFS, you can't use it on cluster storage.
C: Security Configuration and Analysis enables you to work with security templates in a database, where you can analyze them before applying them to your computers.
D: IDS will (if properly maintained and updated with new signatures) look for certain activity on the network and check this against a signature database it carries. If a match occurs, then an alert is sent to an administrator or logged.

Reference:
Deploying Network Services (Windows Server 2003 Reskit) Using a Perimeter Network
Robert J. Shimonski; Windows Server 2003 Clustering & Load Balancing.



Braindumps for "HP0-M18" Exam

HP LoadRunner Software

 Question 1.
What is an example of a stress test?

A. purchasing at an e-commerce site
B. updating orders on a client/server system
C. viewing upcoming flight itineraries on a flight reservation application
D. displaying the home page immediately after a marketing promotion has been run

Answer: D

Question 2.
When scheduling a scenario, which run modes are available in the Controller? (Select two.)

A. Group
B. Scenario
C. Duration
D. Global Schedule
E. Real-Life schedule
F. Run Until Complete

Answer: E, F

Question 3.
You want to control the delay between iterations. Where do you set this in the Run-time settings?

A. General: Pacing
B. General: Think Time
C. Network: Speed Simulation
D. Browser: Browser Emulation

Answer: A

Question 4.
Which level of concurrency identifies how many users are currently in the process of buying a ticket?

A. system
B. application
C. transaction
D. business process

Answer: D

Question 5.
What is the appropriate scenario outline if your quantitative goal is to attain 2,500 concurrent users for the Update transaction during peak time?

A. Load test should achieve 2,500 users only.
B. Script should define the Update transaction only.
C. Script should define the Update transaction, and the load test should achieve 2,500 users.
D. Script should define the Update transaction, and the load test should achieve 2,500 concurrent 
    users.

Answer: D

Question 6.
Which option in the Analysis tool allows you to see the results of two graphs from the same load test scenario in a single graph?

A. Drill Down
B. Apply Filter
C. Merge Graphs
D. Auto Correlate

Answer: C

Question 7.
What is the LoadRunner term for varying values defined in a placeholder that replaces the hard-coded values?

A. variable
B. constant
C. parameter
D. correlation

Answer: C

Question 8.
Which scenario run is recommended to set the Run-time setting to Standard Logging?

A. Debug
B. Full Load
C. Top Time
D. Scalability

Answer: C

Question 9.
What is the first indication of a performance problem?

A. The network delay time is above 15ms.
B. The DMG is not resolving the machine name.
C. The Web server's available memory drops below 1 GB.
D. The end user experiences higher than expected response times.

Answer: D

Question 10.
How can you validate that the LoadRunner Agent is running on the load generator?

A. Port 443 will be open.
B. The MlFW.exe process will be running.
C. The radar dish will appear in the system tray.
D. The load generator will be pinged using the name/DNS/IP.

Answer: C




Copyright © 2004 CertsBraindumps.com Inc. All rights reserved.