Microsoft 70-214 Exam Practice Test Questions

Questions & Answers for Microsoft 70-214

Showing 1-100 of 150 Questions

Question #1 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains 100 Windows 2000 Server computers,
5,000 Windows 2000 Professional computers, and 1,000 Windows XP Professional
computers.
The computer accounts for all servers are located in an organizational unit (OU) named
Servers. The computer accounts for all client computers are located in an OU named
Desktops. All user accounts are located in an OU named CorpUsers.
You download a new Windows 2000 service pack from the Microsoft Web site. The service
pack is distributed as a Microsoft Windows Installer package.
You need to ensure that all Windows 2000 Professional computers receive the service
pack. The service pack must not be deployed to any Windows XP Professional computers.
Which three actions should you take? (Each correct answer presents part of the solution.
Choose three.)

A. Create a child OU named WinXP under the Desktops OU. Move all Windows XP Professional computer accounts to the WinXP OU.
B. Create a child OU named Win2000 under the Desktops OU. Move all Windows 2000 Professional computer accounts to the Win2000 OU.
C. Create a Group Policy object (GPO) named W2KSP. In the user configuration section of W2KSP, publish the service pack installer file.
D. Create a Group Policy object (GPO) named W2KSP. In the computer configuration section of W2KSP, assign the service pack installer file.
E. Link W2KSP to the Desktops OU.
F. Link W2KSP to the CorpUsers OU.
G. Link W2KSP to the Win2000 OU.

Question #2 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The network contains two Windows 2000 Server computers
configured as domain controllers and 1,500 Windows 2000 Professional client computers.
You place three client computers in a public waiting area for guests. You create an
organizational unit (OU) named Public and move the three client computer accounts into it.
You create a Group Policy object (GPO) named Publock. You enable several restrictions
for the desktop, Start menu, and Taskbar in the Publock GPO.
You need to ensure that all settings in the Publock GPO are applied to any user who logs
on to the three client computers in the public waiting area. What should you do?

A. Configure Block Policy inheritance on the Public OU.
B. Configure the Publock GPO to enable User Group Policy loopback processing mode in Replace Mode.
C. Modify the DACL of the Publock GPO and give the Everyone group Read and Apply Group Policy permissions.
D. Select the Disable User Configuration settings option on the Publock GPO. Configure the Deny access to this computer from the network policy in the computer configuration section of the GPO.

Question #3 - Topic 0

You are the administrator of a Windows 2000 Active Directory domain. The domain
contains Windows 2000 Professional client computers and Windows 2000 Server
computers. The domain has five Windows 2000 domain controllers. All computers are in
the same site.
A user named Bruno reports that he receives an access-denied error message when he
attempts to connect from his Windows 2000 Professional client computer to a share named

A. Instruct Bruno to log off and log on to his Windows 2000 Professional client computer again.
B. On ServerA, run the net use command to delete all connections to Bruno's computer.
C. On ServerA, use the Computer Management console to disconnect all sessions that are connected from Bruno's computer.
D. Use the Active Directory Sites and Services console to force replication on the five domain controllers.

Question #4 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The Web developers in your company use portable
computers, which are members of the domain. These computers run Windows XP
Professional and Internet Information Services (IIS). The developers use IIS to create Web
applications for your company.
A developer reports that his computer becomes infected with a virus every time he uses the
computer at home. Your company's anti-virus software successfully removes the virus
each time the problem occurs.
You discover that the developer uses a USB network adapter to connect his computer to a
cable modem when he works at home. You also discover that the same virus infects the
computer each time by attacking IIS.
You need to prevent the virus from infecting the developer's computer and allow the
developer to use the computer normally while working at home.
How should you configure the developer's computer?

A. Modify the Remote Desktop permissions list so that only the local Administrator account is listed.
B. Disable Internet Connection Sharing for all network connections.
C. Enable the Internet Connection Firewall for the network connection used to connect to the developer's cable modem.
D. Create a Group Policy object (GPO) and link it to the organizational unit (OU) that contains the developer's computer. Configure the GPO to disable the World Wide Web Publishing service. In the GPO, select the No Override check box.

Question #5 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains computers that run Windows 2000
Server, Windows 2000 Professional, or Windows XP Professional.

A. Configure IIS to use Bruno's domain user account for anonymous access.
B. Configure the World Wide Web Publishing service to use Bruno's domain user account as the service account.
C. Create a security template that configures Bruno's domain user account as a user account that can stop and start the World Wide Web Publishing service. Apply the template to ServerA.
D. Create a custom administrative template that configures Bruno's domain user account as a user account that has security permissions to the folder containing the company Web site. Apply the template to ServerA.

Question #6 - Topic 0

You are the network administrator for your company. Your network consists of a Windows
2000 Active Directory domain. Your company has three departments: research, sales, and
operations. Each department has a separate organizational unit (OU) in the domain that
contains all user and group accounts for that department.
The network includes two Windows 2000 Server computers configured as domain
controllers. One Windows 2000 Server computer, named ServerC, is running Remote
Installation Services (RIS) and the DHCP service. The network also contains 1,500
Windows 2000 Professional client computers, which were installed from CD-based RIS
images stored on ServerC.
Your company receives 25 new computers of the same type that you are using for your
network client computers. You prepare to install 25 new Windows 2000 Professional client
computers. You must place the computer accounts for these client computers in the
Research OU. All these client computers require a custom set of applications and the latest
service pack.
You install Windows 2000 Professional on a client computer and name the computer
Client1. You install and configure all the custom applications and the latest service pack on
Client1.
You want to install the required applications and the service pack on the rest of the new
client computers with the least amount of administrative effort. What should you do?

A. Create new Group Policy objects (GPOs) and link them to the Research OU. Configure a GPO with an installation package for each required application and the service pack.
B. Create an unattended answer file based on the configuration of Client1. Save that answer file as Risetup.sif and associate it with the CD-based RIS image on ServerC. Use the CD-based RIS image to install the software on each new client computer.
C. Copy the contents of the Windows 2000 Professional CD-ROM to a folder on ServerC. Slipstream the latest service pack to that folder. Create a new RIS image from that folder. Run the riprep command on Client1 to create a new image on ServerC. Use the riprep image to install the new client computers.
D. Install the new client computers by using the existing CD-based RIS image on the RIS server. Install each required application on each client manually. Create a new Group Policy object (GPO) and link it to the domain. Configure the GPO with a software installation package for the latest service pack.

Question #7 - Topic 0

You are the administrator of your company's network. The network consists of a Windows
2000 Active Directory domain. The domain contains a Windows 2000 Server computer that
runs Internet Information Services (IIS) and hosts an extranet research Web site.
You establish the Certification Authority (CA) hierarchy shown in the exhibit to distribute
certificates to all computers and users in the company. (Click the Exhibit button.)
RootCA and PolicyCA are removed from the network. IssuingCA issues all certificates to
the users and computers in your network. IssuingCA publishes its Certificate Revocation
List (CRL) every seven days. Certificates issued by IssuingCA are associated with user
accounts in Active Directory by defining certificate mappings at the IIS server.
A user named Bruno in the research department leaves the company. You must ensure
that he can no longer access the network or connect to the extranet research Web site by

A. Delete the certificate mapping at the IIS server that hosts the Research Web site. Publish the latest version of the Root Certification Authority and Subordinate Certification Authority certificates to the Authority Information Access (AIA) of IssuingCA.
B. Delete the certificate mapping at the IIS server that hosts the Research Web site. Publish the latest version of the CRL to the CRL Distribution Points (CDPs) of IssuingCA.
C. Disable Bruno's domain user account. Revoke all certificates issued to Bruno by IssuingCA in the Certification Authority console. Publish the latest version of the Root Certification Authority and Subordinate Certification Authority certificates to the Authority Information Access (AIA) of IssuingCA.
D. Disable Bruno's domain user account. Revoke all certificates issued to Bruno by IssuingCA in the Certification Authority console. Publish the latest version of the CRL to the CRL Distribution Points (CDPs) of IssuingCA.

Question #8 - Topic 0

You are the network administrator for your company. The network contains four Windows
2000 Server computers: ServerA, ServerB, ServerC, and ServerD.
ServerA, ServerB, and ServerC run Routing and Remote Access and accept dial-up
connections from company users. Each server is connected to a modem bank, which
automatically directs an incoming phone number to the first free phone line.
ServerD runs Internet Authentication Service (IAS). ServerA, ServerB, and ServerC are
configured to use ServerD as a Remote Authentication Dial-in User Service (RADIUS)
server. ServerD is configured to accept ServerA, ServerB, and ServerC as RADIUS clients.
You configure remote access policies on ServerA as shown in the following table.

Members of the Domain Admins group report that they are sometimes able to connect on
weekends. However, they can also connect at any time during the week. Members of the
Domain Users group report that they are sometimes unable to connect during the week
and are sometimes able to connect on weekends.
You need to ensure that all members of the Domain Users group can dial in only between
5:00 P.M. and 11:00 P.M. on weekdays and that all members of the Domain Admins group
can dial in at any time. You also want to minimize the amount of time required to change or
add remote access policies in the future.
What should you do?

A. Configure ServerD to have the same remote access policies as ServerA.
B. Configure ServerB and ServerC to have the same remote access policies as ServerA.
C. On ServerA, move the Block_Weekend remote access policy to come before the Allow_Admins remote access policy.
D. On ServerA, move the Block_Weekend remote access policy to come before the Allow_DU_Night remote access policy.

Question #9 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain named nwtraders.msft. The network includes Windows 2000
Professional client computers. All consultants' portable computers run Windows 2000
Professional.
The relevant portion of the Active Directory structure is shown in the exhibit. (Click the
Exhibit button.)
Within the organizational unit (OU) structure, the consulting department user objects are
located in the Staff OU. The consultants' portable computer objects are located in the
Laptops OU.
Northwind Traders' written security policy requires that Encrypting File System (EFS) be
enabled for the consultants. The written policy requires that EFS encryption be disabled for
any other employees of the company.
You must ensure that the written policy is enforced.
What should you do?

A. Create a Group Policy object (GPO) and link it to the Staff OU. Configure the GPO to define an EFS Recovery Agent. Define an empty EFS Recovery Agent policy in the Default Domain Policy at the domain.
B. Create a Group Policy object (GPO) and link it to the Laptops OU. Configure the GPO to define an EFS Recovery Agent. Define an empty EFS Recovery Agent policy in the Default Domain Policy at the domain.
C. Create a Group Policy object (GPO) and link it to the Staff OU. Configure the GPO to define an EFS Recovery Agent. Define an empty EFS Recovery Agent policy in the Default Domain Controllers Policy at the Domain Controllers OU.
D. Create a Group Policy object (GPO) and link it to the Laptops OU. Configure the GPO to define an EFS Recovery Agent. Define an empty EFS Recovery Agent policy in the Default Domain Controllers Policy at the Domain Controllers OU.

Question #10 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. All client computers run Windows 2000 Professional. All
servers run Windows 2000 Server. All company and user data is stored on servers.
Administrators perform remote administration by using Terminal Services connections to
the servers. Remote administration is performed from the internal network during business
hours and from remote locations after business hours. Users do not use Terminal Services
connections.
Users in the accounting department report that several confidential files have been
modified or deleted by an unknown user during the night. You discover that the files were
modified or deleted by the user account of a former employee in the accounting
department. You suspect that the former employee gained access to the data folders by
means of a Web-based Terminal Services connection from outside the network.
You disable the user account. You need to ensure that only authorized administrators can
connect to Terminal Services from outside the network. What should you do? (Each correct
answer presents part of the solution. Choose two.)

A. On the firewall server, disable inbound HTTP connections.
B. On the firewall server, disable inbound Terminal Services connections.
C. On all servers, disable Internet Information Services (IIS).
D. On all servers, configure Terminal Services to use a nonstandard port. Enable this port for inbound access on the firewall server.
E. Configure a Routing and Remote Access server as a virtual private network (VPN) server. Grant only administrators remote access permission and configure the firewall server to allow inbound VPN connections.

Question #11 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain.
Your company has several sales employees who travel with Windows XP portable
computers. To check their e-mail and upload data, the sales employees must dial in to the
company's network using a toll-free number.
The network includes a stand-alone Windows 2000 Server computer named ServerA,
which runs Routing and Remote Access. ServerA is configured to allow PPTP connections
to the network. ServerA is installed at the network perimeter. Employees who work from
home connect to ServerA to gain access to the company network.
Your company wants to reduce long-distance phone charges by finding a cheaper solution.
A national Internet service provider (ISP) has a calling plan that will provide local phone
number Internet access for all cities the sales employees work in. The same phone
numbers are used by all companies who subscribe to the service. Your company
purchases the plan, and you configure the portable computers to use a local phone number
and PPTP to connect to the corporate network.
You must develop a solution that allows users to use a single password when connecting
to the ISP and the corporate network. First you install the Internet Authentication Service
(IAS) on a server on the network of the company to act as a Remote Authentication Dial-in User
Service (RADIUS) server.
What else should you do?

A. Ask the ISP to configure a RADIUS client to forward authentication requests to the IAS server on your network. Configure ServerA to use Windows Authentication, with ServerA providing authentication.
B. Ask the ISP to configure a RADIUS proxy to forward authentication requests to the IAS server on your network. Configure ServerA to use Windows Authentication, with ServerA providing authentication.
C. Ask the ISP to configure a RADIUS client to forward authentication requests to the IAS server on your network. Configure ServerA to use RADIUS Authentication, with the IAS server on your network providing authentication.
D. Ask the ISP to configure a RADIUS proxy to forward authentication requests to the IAS server on your network. Configure ServerA to use RADIUS Authentication, with the IAS server on your network providing authentication.

Question #12 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
A Windows 2000 member server named ServerA hosts the corporate intranet Web site.
ServerA runs Internet Information Services (IIS) 5.0. Users on the network use an
anonymous connection to connect to the intranet Web site.
The corporate security department has given you a custom security template for the Web

A. Disable the local IUSR_SERVERA user account.
B. Reset the password for the AnonWeb user account.
C. Configure the AnonWeb user account to enable the User must change password at next logon option.
D. Grant the AnonWeb user account the Access this computer from the network user right on ServerA.

Question #13 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The network contains two Windows 2000 Server computers
configured as domain controllers and 1,500 Windows 2000 Professional client computers.
The company has three departments: research, sales, and operations. Each department
has a separate organizational unit (OU) in the domain that contains all user and group
accounts for that department.
The written security policy for your company concerning the Account Lockout Policy
specifies that users entering an invalid password more than three times in 24 hours must
be locked out until the administrator unlocks their account.
A user from the Research OU reports that he accidentally locked out his domain account
before he went on a week-long vacation, but now he can log on using his domain account.
You learn that no administrator unlocked his account.
You review the Account Lockout Policy portion of the security template for the organization.
The relevant settings of the security template are shown in the following table.

You must ensure that the Account Lockout Policy complies with the written policy. What
should you do?

A. Set the Account lockout duration policy on the security template to 0 minutes. Import the template to the Domain Security Policy.
B. Configure the Account lockout duration policy on the security template as Not defined. Import the template to the Domain Security Policy.
C. Create a new Group Policy object (GPO) and link it to the Research OU. Set the Reset account lockout counter after policy on the security template to 0 minutes. Import the template to the new GPO.
D. Create a new Group Policy object (GPO) and link it to the Research OU. Configure the Reset account lockout counter after policy on the security template as Not defined. Import the template to the new GPO.

Question #14 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains five Windows 2000 Server domain
controllers and 20 Windows 2000 Professional computers. The computer accounts for all
client computers are contained in an organizational unit (OU) named Desktops.
Four Group Policy objects (GPOs) are linked to the Desktops OU. The Desktops OU
properties are configured as shown in the following exhibit.

The administrator of the Desktops OU customizes each GPO by using several settings and
a different security template, as shown in the following table.

On average, the security logs increase by 1,000 KB per day. When you inspect the logs on
one of the desktops, you find that approximately eight days of security logs are being
retained. You want to retain approximately 20 days of security log settings.
What should you do?

A. Make GPO B the highest in the GPO list.
B. Make GPO B the lowest in the GPO list.
C. Create a new domain security group and add the users of the desktops to the new group. Grant the security group Read and Apply Group Policy permissions on GPO B.
D. Create a new domain security group and add the desktop computers to the new group. Grant the security group Read and Apply Group Policy permissions on GPO B.

Question #15 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 domain controllers and
Windows 2000 Professional computers. The network also includes Windows 98 computers.
You create an organizational unit (OU) named Client_Comps. You move all Windows 2000
client computer accounts to this OU. You create a Group Policy object (GPO) named
GPO1 and link it to the Client_Comps OU. You import the Securews.inf security template to
GPO1.
The Windows 98 computers contain security settings by means of a system policy. You
upgrade the Windows 98 computers to Windows 2000 Professional.
You discover that the upgraded client computers do not have the same security settings as
the other Windows 2000 Professional computers. You need to ensure that all client
computers have the same security settings.
What should you do?

A. Move the computer account for each upgraded computer to the Client_Comps OU.
B. Set No Override on the Default Domain Group Policy object (GPO).
C. Clear the Block Policy inheritance check box in the Client_Comps OU.
D. Perform a clean install of Windows 2000 Professional on each upgraded computer.

Question #16 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain is configured to audit logon events.
Maria is a user in the company sales department. On Monday, Maria goes on a one-week
vacation. The next day, you discover that the Security log on each domain controller in the
domain contains the following event.

This event appears more than 100 times on Tuesday, and the event repeats approximately
every minute.
You need to immediately prevent this security violation from occurring. You do not want to
affect other network users. What should you do?

A. Disable the domain computer account for Client1.
B. Disable the domain user account for Maria.
C. Stop the Net Logon service on all domain controllers.
D. Delete the domain user account that is used by the user of Client1.

Question #17 - Topic 0

You are the administrator of a Windows 2000 network. Users on the network use Windows
2000 Professional client computers. All client computers are part of the same domain.
Each quarter, users install updates for an accounting application. The updates are provided
in the form of a Microsoft Windows Installer package.
To increase the security of the network and the Windows 2000 Professional client
computers, you change several permissions on folders on the file system and in the
registry of the client computers. Users then report that they can no longer install the
quarterly Windows Installer packages. When they double-click a Windows Installer
package, they receive an "Access denied" error message halfway through the installation.
You want to ensure that the quarterly Windows Installer packages are installed successfully
on the client computers without lowering the level of system security. What should you do?

A. Configure the Default Domain Policy to direct Windows Installer to always install Windows Installer packages with elevated privileges.
B. Create a Group Policy object (GPO) and link it to the domain. Configure the GPO to assign the Windows Installer packages to the users.
C. Configure the Active Directory user accounts with a logon script. Use the msiexec.exe command in the logon script to install the Windows Installer packages.
D. Create a Group Policy object (GPO) and link it to the domain. Configure the GPO to specify a logon script. Use the msiexec.exe command in the logon script to install the Windows Installer packages.

Question #18 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
From a Windows 2000 Professional client computer in the domain, you want to use the
Microsoft Baseline Security Analyzer (MBSA) to verify the status of hotfixes and
security-related settings of computers in the domain. You have installed a copy of MBSA on the
Windows 2000 Professional computer.
The Windows 2000 Professional computer does not have access to the Internet. However,
you want to ensure that you can verify the latest hotfixes.
What should you do?

A. Copy the latest available version of Mssecure.cab to the %ProgramFiles%\Microsoft Baseline Security Analyzer folder, then run MBSA.
B. Copy the latest available version of Hfnetchk.exe to the %ProgramFiles%\Microsoft Baseline Security Analyzer folder, then run MBSA.
C. From another computer, download the latest available version of the MBSA tool. Install the tool on the Windows 2000 Professional computer, then run MBSA.
D. From another computer, download the latest available version of the Microsoft XML parser (MSXML). Install the parser on the Windows 2000 Professional computer, then run MBSA.

Question #19 - Topic 0

You are responsible for Public Key Infrastructure (PKI) management for the network of your
company. The network consists of a Windows 2000 Active Directory domain. The network
includes a Certification Authority (CA) named ServerA that was originally installed in

A. Perform a System State backup of ServerA. Remove Certificate Services from ServerA. Reinstall Certificate Services as an enterprise CA by using a new key pair and certificate. Restore the CA database from the System State backup.
B. Perform a System State backup of ServerA. Export the existing private key and certificate of the CA. Remove Certificate Services. Reinstall Certificate Services as an enterprise CA by using the existing key pair and certificate. Restore the CA database from the System State backup.
C. Back up the CA by using the Certification Authority console. Remove Certificate Services. Reinstall Certificate Services as an enterprise CA by using a new key pair and certificate. Restore the CA database in the Certification Authority console.
D. Back up the CA by using the Certification Authority console. Remove Certificate Services. Reinstall Certificate Services as an enterprise CA by using the existing key pair and certificate saved by the backup from the Certification Authority console. Restore the CA database in the Certification Authority console.

Question #20 - Topic 0

You are a network administrator for a branch office of your company. You are responsible
for 200 Windows 2000 Professional computers and one Windows 2000 Server computer
that functions as a file server. The systems you administer are configured for a single
internal IP subnet.
None of these computers has access to the Internet. Management has mandated that
remote networks, including your branch office, should not be exposed to the Internet.
You must verify that the latest hotfixes and service packs are applied to the computers in
your branch office. What should you do?

A. Run the netdiag /v command on the first domain controller installed on your domain.
B. Install a modem on the Windows 2000 Server. Implement Internet Connection Sharing. Use Windows Update to perform the updates.
C. Download the latest XML security update database from Microsoft on a computer that has Internet access. Copy the database to a share on the local network. Use hfnetchk with the XML security database to check service packs and hotfixes on your local segment.
D. Install a second Ethernet adapter on the Windows 2000 Server computer. Use the second adapter to connect to a network segment that has an Internet connection. Configure Network Address Translation (NAT) on the Windows 2000 Server computer. Use Windows Update to keep all the computers updated.

Question #21 - Topic 0

You are the administrator of a regional office LAN on your company network. The network
consists of a Windows 2000 Active Directory domain. All computers on your company's
network are using either Windows 2000 Professional or Windows 2000 Server.
Your company has one main office and several regional offices. Each regional office is
represented by an organizational unit (OU). The main office has two domain controllers.
Each regional office has a domain controller. All the computers at your regional office have
an IP address in the same subnet. Your user account has full administrative control over
every computer at your office.
You must find out whether the computers in your regional office have the latest hotfixes
and service packs applied. What should you do? (Each correct answer presents a
complete solution. Choose two.)

A. Run the netdom verify command for your domain from any domain computer attached to your regional office network.
B. Run the netdiag /v command for your domain from any domain computer attached to your regional office network.
C. Run the hfnetchk command for the local subnet of your regional office from any domain computer attached to your regional office network.
D. Run Microsoft Baseline Security Analyzer (MBSA) for the local subnet of your regional office from any domain computer attached to your regional office network.
E. Run the msicuu.exe command on all domain computers on the local subnet of your regional office network.

Question #22 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
You regularly check the hotfix status of computers on the network. For a Windows 2000
Server computer named ServerA, several error messages appear that report checksum
differences in third-party device driver files. However, the versions of the device driver files
on ServerA are the same. You suspect that a malicious administrator has replaced some of

A. Run the sfc.exe command to check the files.
B. Run the sigverif.exe command to check the files.
C. Use Device Manager to scan for hardware changes.
D. Configure the driver-signing options to prevent installation of unsigned files.

Question #23 - Topic 0

You are the network administrator for your company. The network consists of 12 Windows
2000 member servers, 40 Windows 2000 Professional client computers, and 60 Windows
NT Workstation 4.0 computers. All the computers are part of a Windows 2000 Active
Directory domain and have the latest service packs installed.
You want to ensure that file-sharing network packets between the client computers and the
servers will be rejected when an attacker on the network alters those packets. What should
you do?

A. Enable Server Message Block (SMB) signing on all computers in the domain.
B. Restrict access over anonymous connections on all computers in the domain.
C. Configure the LAN Manager Authentication Level on all computers in the domain to use NTLMv2 only.
D. Configure all computers in the domain to use IPSec Authentication Header (AH) for file share network communication.

Question #24 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory forest.
A Windows 2000 Server computer named ServerA runs Internet Information Services (IIS)
and hosts a Web site that allows customers to purchase your company's goods. To protect
the transactions, ServerA requires a Web server certificate and must implement SSL
encryption.
The written security policy for your company requires that all customers use
certificate-based authentication when they connect to a secured Web site. The application running on
the Web server requires the existence of a custom Object Identifier (OID) in the presented
certificate. You need to map the digital certificates to Active Directory user accounts by
using one-to-one certificate mapping.
You need to acquire a Web server certificate and user certificates that comply with the
written policy. What should you do?

A. Obtain the certificates from a commercial Certification Authority (CA).
B. Obtain the certificates from a private Certification Authority (CA) that is hosted on the company network.
C. Obtain the Web Server certificate from a commercial Certification Authority (CA) and the user certificates from a private CA that is hosted on the company network.
D. Obtain the user certificates from a commercial Certification Authority (CA) and the Web server certificate from a private CA that is hosted on the company network.

Question #25 - Topic 0

A. Configure an IIS bandwidth throttle of 512 Kbps.
B. Increase the amount of memory installed in ServerA.
C. Configure ServerA to accept connections only on port 80.
D. Modify the server's registry to decrease the SYN_ACK timeout.

Question #26 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
You want to track all events of users logging on to and logging off the network in the event
logs on the Windows 2000 domain controllers. All users use their domain user account to
log on to the network from Windows 2000 Professional client computers in the domain.
In the Default Domain Controllers Policy Group Policy object (GPO), you enable the Audit
logon events policy to log successful events. Two weeks later, you notice that no logon
events appear in the event logs on the Windows 2000 domain controllers. The logon
events are also not listed in the event logs on the Windows 2000 Professional client
computers.
You want to ensure that all logon and logoff events are recorded in the event logs on the
Windows 2000 domain controllers. What should you do?

A. In the Default Domain Policy GPO, enable the Audit account management policy to log successful events.
B. In the Default Domain Policy GPO, enable the Audit account logon events policy to log successful events.
C. In the Default Domain Controllers Policy GPO, enable the Audit account logon events policy to log successful events.
D. In the Default Domain Controllers Policy GPO, enable the Enforce password history policy.

Question #27 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain.
Your company purchases 50 new client computers each month. These computers come
installed with Windows 2000 Professional. You add the computers to the domain as soon
as they arrive and place their computer accounts in an organizational unit (OU) named
Desktops.
You want to ensure that all new computers receive the latest service pack as soon as
possible. You want to accomplish this task by using the least amount of administrative
effort required to install service packs on new computers each month.
What should you do?

A. Install Critical Update Notification on each computer.
B. Create a Group Policy object (GPO) and link it to the Desktops OU. Configure the GPO to assign the latest service pack to computers.
C. For each new service pack, run its update.exe command on each domain controller.
D. For each new service pack, copy its files to a shared folder. On each new computer, connect to the shared folder and run the update.exe command.

Question #28 - Topic 0

You are the network administrator for your company. Your network consists of a Windows
2000 Active Directory domain. The domain contains three domain controllers, one
Windows 2000 Server computer configured as an intranet Web server, and 500 Windows
2000 Professional client computers.
You must install five hotfixes on your intranet Web server. Two of the hotfixes modify some
of the same files. Your manager wants you to minimize the time that the intranet Web
server is offline.
What should you do?

A. Apply the hotfixes to your intranet Web server with the switch that prevents a restart. Run the netdiag /v /fix command on the intranet Web server. Restart the intranet Web server.
B. Apply the hotfixes to your intranet Web server with the switch that prevents a restart. Run the qchain.exe command on the intranet Web server. Restart the intranet Web server.
C. Run the qchain.exe command on the intranet Web server. Apply the hotfixes to your intranet Web server with the switch that prevents a restart. Run the netdiag /v /fix command on the intranet Web server. Restart the intranet Web server.
D. Run the qfecheck.exe command on the intranet Web server. Apply the hotfixes to your intranet Web server with the switch that prevents a restart. Run the qfecheck.exe command on the intranet Web server. Restart the intranet Web server.

Question #29 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains a Windows 2000 Server computer

A. Install an IPSec certificate on ServerA and on each client computer that requires POP3 access. Then, on each client computer, create and assign an IPSec policy that applies Encapsulating Security Payload (ESP) encryption to all traffic sent to the POP3 port on ServerA.
B. Install an IPSec certificate on ServerA and on each client computer that requires POP3 access. Then, on each client computer, create and assign an IPSec policy that applies Encapsulating Security Payload (ESP) encryption to all traffic sent to the POP3/S port on ServerA.
C. Install a Web server certificate on ServerA. Configure Exchange Server 2000 to use the certificate to enable POP3 over SSL connections. Configure the POP3 client software to connect to ServerA by using the POP3/S port.
D. Install a Web server certificate on ServerA. Configure Exchange Server 2000 to use the certificate to enable POP3 over SSL connections. Configure the POP3 client software to use Secure Password Authentication (SPA).

Question #30 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain, a firewall, and a Windows 2000 Server computer named

A. Configure ServerA to accept only PPTP connections.
B. Configure ServerA to have a computer certificate.
C. Configure all portable computers to use only L2TP.
D. Configure all portable computers to have a Hosts file that contains the IP address used by ServerA.

Question #31 - Topic 0

You are the administrator of a Windows 2000 network. The network consists of two
Windows 2000 forests with five Windows 2000 domains. The two forests, the domains, and
domain relationships are shown in the exhibit. (Click the Exhibit button.)

You want to meet the following criteria:
Ensure that users from domain C can access resources in domains D and E. Create trust
relationships between the domains so that the necessary permissions and user rights can
be granted.
Create the least number of trust relationships.
What should you do?

A. Create a trust relationship from domain D to domain A, and create a trust relationship from domain A to domain D.
B. Create a trust relationship from domain D to domain C, and create a trust relationship from domain E to domain C.
C. Create a trust relationship from domain C to domain D, and create a trust relationship from domain C to domain E.
D. Create a trust relationship from domain A to domain D, and create a trust relationship from domain A to domain E.

Question #32 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The network also contains 1,500 Windows 2000
Professional client computers.
The written security policy for your company requires that failed domain logon attempts be
tracked. You enable failure auditing on the Audit logon events setting in the Domain
Controller Security Policy. You then use the Terminal Services client to connect to ServerA
to verify that an incorrect user name or password results in a logged event.
You attempt to log on from one of the client computers by using several incorrect user
names and passwords. You examine the Security log on ServerA and find that no new
events appear in the log.
You must ensure that the written policy regarding logon attempts is enforced. What should
you do?

A. Enable Failure auditing for the Audit object access policy in the Domain Security Policy.
B. Enable Failure auditing for the Audit account logon events policy in the Domain Controller Security Policy.
C. Enable Failure auditing for the Audit directory service access policy in the Domain Controller Security Policy.
D. Enable Failure auditing for the Audit process tracking policy in the Domain Security Policy.

Question #33 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains two domain controllers and two
Windows 2000 Server computers. One server is configured as a file server named
ServerA, and the other server is configured as an intranet Web server. In addition, the
network contains 50 Windows XP Professional client computers.
All but five of the client computers receive scheduled automatic updates. The five client
computers that are not updated automatically are on an isolated LAN segment that is not
connected to the Internet. The client computers on the isolated LAN have access to
ServerA and the intranet Web server.
You want to apply three security updates on these client computers. What should you do?

A. From a computer connected to the Internet, download and copy the security updates to a network share on ServerA. Run Windows Update on the client computers located on the isolated LAN.
B. From a computer connected to the Internet, download and copy the security updates to a network share on ServerA. Connect each client computer on the isolated LAN to the network share and apply each update individually.
C. From a computer connected to the Internet, download the XML security database from the Microsoft Web site. Share this database on the intranet Web server. Connect each client computer on the isolated LAN to the intranet Web server. Run the qchain.exe command on each client computer on the isolated LAN.
D. From a computer connected to the Internet, download the XML security database from the Microsoft Web site. Place the XML security database in the C:\Inetpub folder on the intranet Web server. Connect each client computer on the isolated LAN to the Default Web site on the intranet Web server. Run the Windows Update service on the client computers on the isolated LAN.

Question #34 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. All client computers run Windows 2000 Professional.
Each department in the company is in a separate organizational unit (OU) in the domain.
Each departmental OU contains user, group, and computer accounts for that department.
The human resources (HR) department has one Windows 2000 Server computer named

A. Unassign the HRSec policy in the HRLockdown GPO. Create child OUs named Servers and Clients in the HR OU. Move the computer accounts for the client computers and for ServerA to the appropriate OUs. Create a GPO and link it to the Clients OU. Assign the Client (Respond Only) IPSec policy to that GPO. Create a GPO and link it to the Servers OU. Assign the Secure Server (Require Security) IPSec policy to that GPO.
B. Unassign the HRSec policy in the HRLockdown GPO. Create child OUs named Servers and Clients in the HR OU. Move the computer accounts for the client computers and for ServerA to the appropriate OUs. Create a GPO and link it to the Clients OU. Assign the Client (Respond Only) IPSec policy to that GPO. Create a GPO and link it to the Servers OU. Assign the Server (Request Security) IPSec policy to that GPO.
C. Create a child OU named Clients in the HR OU and move the client computer accounts to the OU. Create a GPO and link it to the Clients OU. Assign the Client (Respond Only) IPSec policy to the GPO. In the HRSec policy, specify the IP subnet address used by computers in the HR department as the source and destination addresses. In the HRSec policy, set the filter action property to Request security.
D. Create a child OU named Servers in the HR OU and move the computer account for ServerA to the OU. Create a GPO and link it to the Servers OU. Assign the Secure Server (Require Security) IPSec policy to the GPO. In the HRSec policy, specify the IP subnet address used by computers in the HR department as the source and destination addresses. In the HRSec policy, set the filter action property to Request security.

Question #35 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains two Windows 2000 domain controllers
and 500 Windows 2000 Professional computers.
The relevant portion of the Active Directory hierarchy is shown in the exhibit. (Click the
Exhibit button.)

The user accounts for all administrators are located in the IT_Users organizational unit
(OU). All other user accounts are located in the Employee_Users OU. The client computer
accounts for the administrators' computers are located in the IT_Computers OU. All other
client computer accounts are located in the Employee_Computers OU.
You create a Group Policy object (GPO) named GPO1 and link it to the Employee_Users
OU. You select the Block Policy inheritance check box in the Employee_Users OU. You
configure GPO1 as shown in the following table.

An employee named Bruno reports that another user's name was in the logon dialog box
when he attempted to log on to the network. You need to ensure that the name of the last
user to log on does not appear in the logon dialog box.
What should you do?

A. Link GPO1 to the Employee_Computers OU.
B. Clear the Disable User Configuration Settings check box in GPO1.
C. Clear the Block Policy inheritance check box in the Employee_Users OU.
D. Disable the Do not display last user name in logon screen policy in GPO1.

Question #36 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The forest is divided into two sites: East and West. The
domain contains 500 Windows 2000 Professional computers and two Windows 2000
domain controllers: ServerA and ServerB.
You configure ServerA in the East site and ServerB in the West site. ServerA holds the
PDC emulator and RID master Flexible Single Master Operation (FSMO) roles. ServerB
holds the other FSMO roles.
You create a Group Policy object (GPO) named GPO1 and link it to the domain. You
configure a security template and import it to GPO1. The security template configures the
message title and text for the message that appears when users log on to the network.
Bruno is a user in the East site, and Maria is a user in the West site. You ask Bruno and
Maria to restart their computers so that you can verify that GPO1 is applied. Bruno reports
that he can see the logon message, but Maria reports that she does not see the message.
You need to ensure that Maria receives the logon message as soon as possible. What
should you do?

A. Stop and start the File Replication service on both domain controllers. Instruct Maria to restart her client computer.
B. Restart the Net Logon service on each employee's client computer.
C. Ensure that both domain controllers are configured as global catalog servers. Run the secedit /refreshpolicy machine_policy command on Maria's client computer.
D. Force synchronization of the Active Directory database across site boundaries. Run the secedit /refreshpolicy machine_policy command on Maria's client computer.

Question #37 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional computers. All domain controllers run Windows 2000 Server.
The domain includes two organizational units (OUs) named Sales and IT. The sales
department contains 50 users who have user accounts in the Sales OU. Bruno is an
administrator who resets passwords for all user accounts in the Sales OU when necessary.
Bruno's user account is located in the IT OU. You create a new group named Sales_pw
and place the group in the Users container. You add Bruno's user account to the Sales_pw
group.
You create a custom MMC console that includes a Taskpad view of the Sales OU. The
Taskpad view allows one task, which is the ability to reset passwords. You restrict the
console so that only the Sales OU can be seen and set the console mode to User mode.
You discover that Bruno is able to create an MMC console and include all of the Active
Directory tools. You want to ensure Bruno can access the snap-in only to reset passwords.
What should you do?

A. Add Bruno's user account to the Account Operators group.
B. Modify the DACL on the Sales OU so that the Sales_pw group has the Reset Password permission on the user object.
C. Create a Group Policy object (GPO) and link it to the IT OU. Configure an MMC restriction policy that allows Bruno only to open the Active Directory Users and Computers snap-in.
D. Create a Group Policy object (GPO) and link it to the Sales OU. Configure an MMC restriction policy that allows Bruno only to open the Active Directory Users and Computers snap-in.

Question #38 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. All servers run Windows 2000 Server. All client computers
run Windows 2000 Professional. The relevant portion of the network is shown in the exhibit.
(Click the Exhibit button.)

ServerF runs Microsoft Internet Security and Acceleration (ISA) Server. ServerE is a
multihomed Microsoft SQL Server 2000 computer that has a connection to the company
intranet and the perimeter network (also known as the DMZ). ServerE hosts an
order-processing database. External users access this database by means of a Web application
that runs on ServerD.
The written security policy for your company does not allow external users to directly
access ServerE. However, the SQL Server logs on ServerE reveal that external users are
logging in to SQL Server and accessing data.
ServerE also hosts four other databases, which only internal users are allowed to access.
ServerE is administered from client computers that are located on the company intranet
and that are running SQL Enterprise Manager.
You need to configure ServerE to comply with the written policy, while maintaining its
connectivity to ServerD and internal client computers. What should you do?

A. Remove the second network adapter in ServerE. Move ServerE to the DMZ. Create a rule on ServerF that allows internal client computers to communicate with ServerE.
B. Remove the second network adapter in ServerE. Move ServerE to the company intranet. Create a rule on ServerF that allows ServerD to communicate with ServerE.
C. Change the server role for ServerE to a stand-alone server. Configure ServerE to use Windows Integrated authentication. Create a rule on ServerF that allows internal client computers to communicate with ServerE.
D. Change the server role for ServerE to a stand-alone server. Configure the MSSQLServer service account to use the local system account. Configure ServerD to use SSL when accessing ServerE.

Question #39 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains 50 Windows NT Workstation 4.0
computers and 50 Windows 2000 Professional computers. You replace all Windows NT
Workstation computers with Windows 2000 Professional computers.
You create an organizational unit (OU) named Workstations. You move all the Windows
2000 Professional computers into the Workstations OU.
You create a Group Policy object (GPO) named Software_settings and link it to the
Workstations OU.
You configure the Software_settings GPO to distribute an application that is not certified for
Windows 2000. Users report that they cannot save preferred settings in the application,
which uses the systemroot directory. However, this application functioned correctly when it
was installed on Windows NT Workstation computers.
You want to ensure that users can save the preferred settings of the application. What
should you do?

A. Edit the Software_settings GPO and import the Defltwk.inf security template.
B. Edit the Software_settings GPO and import the Compatws.inf security template.
C. Edit the Software_settings GPO and enable the Disable legacy run list policy.
D. Edit the Software_settings GPO and disable the Set Windows File Protection scanning policy.

Question #40 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. All client computers are in an organizational unit (OU)
named Clients.
The network contains two Windows 2000 Server computers configured as domain
controllers. One Windows 2000 Server computer is configured as a file server. The network
also contains 1,500 Windows 2000 Professional client computers.
You use a Group Policy object (GPO) named SPDeploy to deploy a new service pack.
SPDeploy is linked to the Clients OU. All client computers receive the new service pack.
One network user reports problems after the installation of the new service pack. You
discover that this user's computer has hardware that is incompatible with the new service
pack. No other users on the network are experiencing difficulty.
You must remove the service pack from this user's computer but ensure that it remains on
the other computers. What should you do?

A. Remove the service pack from the user's computer by using Add/Remove Programs. Configure the DACL on SPDeploy to grant the user account Read and Apply Group Policy permissions.
B. Remove the service pack from the user's computer by using Add/Remove Programs. Configure the DACL on SPDeploy to deny the user account Read and Apply Group Policy permissions.
C. Create an OU named NoSP subordinate to the domain. Move the problem user's computer account into the NoSP OU. Remove the service pack from that user's computer by using Add/Remove Programs.
D. Create an OU named NoSP subordinate to the Clients OU. Move the problem user's computer account into the NoSP OU. Remove the service pack from that user's computer by using Add/Remove Programs.

Question #41 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
A Windows 2000 member server named ServerA hosts the corporate intranet Web site.
ServerA runs Internet Information Services (IIS) 5.0. You have configured the Web server
to require Basic authentication in combination with Secure Sockets Layer (SSL). All users
on the network use Internet Explorer as their default browser to connect to the intranet Web
site.
Users report that they receive a dialog box prompting them for authentication credentials
when they access the intranet Web site. You want to change the authentication method
used to access the intranet Web site to ensure that users no longer receive that dialog box.
You also want to ensure that you can track users' access to the intranet Web site, based
on user name.
What should you do?

A. Configure IIS to map exactly one client certificate to each user.
B. Configure IIS on ServerA to enable the Accept client certificates option.
C. Configure IIS on ServerA to enable the Enable client certificate mapping option.
D. Configure the IIS authentication methods on ServerA to require Integrated Windows authentication only.
E. Configure the IIS authentication methods on ServerA to require Digest authentication only.

Question #42 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain includes Windows 2000 Server computers,
Windows 2000 Professional client computers, and Windows NT Workstation 4.0 client
computers. All domain controllers run Windows 2000 Server.
ServerA is a Windows 2000 Server computer running Routing and Remote Access.
ServerA accepts dial-up connections from remote company employees. Currently, all
domain user accounts have dial-up access.
New written security policies for the company require that only remote company employees
be able to dial in to ServerA during company business hours. On weekends, only
administrators are permitted to dial in.
You configure the remote access policies on ServerA to comply with the written policies.
However, when you attempt to modify the domain user accounts to use the remote access
policies, the option is unavailable.
You need to ensure that the remote access policies on ServerA will be used to control dial-

A. Convert the domain to native mode.
B. Make ServerA a member of the RAS and IAS Servers group.
C. Add the Everyone group to the Pre-Windows 2000 Compatible Access group.
D. Install Internet Authentication Service (IAS) on ServerA. Configure Routing and Remote Access to use IAS for authentication.

Question #43 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain includes two Windows 2000 Server computers
running as domain controllers, five Windows 2000 Server computers running as file
servers, and 500 Windows 2000 Professional client computers.
All the domain controllers are in the Domain_Computers organizational unit (OU). The file
servers are in an OU named Servers. The client computers are in an OU named Clients.
The Domain_Computers OU is the parent OU to both the Servers OU and the Clients OU.
The written security policy for your company requires that you track attempts to log on to a
computer that use a local user account.
What should you do?

A. Create a security template that enables the Audit Account Logon Events policy for successful and failed attempts. Create a Group Policy object (GPO) and link it to the domain. Import the template into the new GPO.
B. Create a security template that enables the Audit Account Logon Events policy for successful and failed attempts. Create a Group Policy object (GPO) and link it to the Servers OU. Import the template into the new GPO.
C. Create a security template that enables the Audit Logon Events policy for successful and failed attempts. Create a Group Policy object (GPO) and link it to the Clients OU. Import the template into the new GPO.
D. Create a security template that enables the Audit Logon Events policy for successful and failed attempts. Create a Group Policy object (GPO) and link it to the Domain_Computers OU. Import the template to the new GPO.

Question #44 - Topic 0

A. Remove ServerA from your network. Create an exact image of ServerA's hard drive. Restore the image to a new file server.
B. Restore as many deleted files as possible from backup tape. Then, perform a full backup.
C. Configure the event logs so that they do not overwrite events. Then, stop the Server service.
D. Save the event logs to a file. Then, copy all files to another file server.

Question #45 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain includes five Windows 2000 domain controllers
and five Windows 2000 Server computers configured as file servers. The domain also
includes 750 Windows 2000 Professional computers.
User account policies are set to their default values on the domain. The Account logon
event policy is configured for failure auditing on the domain controllers and file servers.
While reviewing the audit logs, you notice more than 100 Event ID 529 (failed logon event)
and Event ID 681 (failed account logon event) entries in the Security log that contain the
same three user accounts. The users who use these accounts work on Windows 2000
Professional client computers. These users report that they have no difficulty logging on to
the network. You verify this statement by asking the users to log off and log on in your
presence.
You need to reduce the chance that the attacks shown in the event log will succeed. What
should you do?

A. Run the syskey command and set it to Password Startup on all domain controllers.
B. Run the syskey command and set it to Password Startup on all client computers in your domain.
C. Set the Account lockout threshold policy to 3 and accept the suggested settings for the other account lockout values.
D. Set the Account lockout threshold policy to 0 and accept the suggested settings for other account lockout values.

Question #46 - Topic 0

You are the network administrator for your company. The network consists of two Windows
2000 Active Directory forests: office.contoso.com and factory.contoso.com. Each forest
consists of a Windows 2000 Active Directory domain.
The two domains have a one-way external trust relationship in which office.contoso.com
trusts factory.contoso.com. The trust relationship is shown in the exhibit. (Click the Exhibit
button.)

The written security policy of your company requires that ServerA must use IPSec to
encrypt data to ServerB. You configure a custom IPSec policy in the Local Security Policy
on ServerA and on ServerB. The custom IPSec policy implements Encapsulating Security
Payload (ESP) for all data that is transmitted between ServerA and ServerB. You also
configure the IPSec security association to use Kerberos authentication.
After the IPSec security policies are assigned to ServerA and ServerB, you discover that IP
traffic between ServerA and ServerB is not encrypted.
What should you do?

A. Create a one-way external trust relationship in which factory.contoso.com trusts office.contoso.com.
B. Enable the Trust Computer for delegation option in the computer account properties on ServerA and on ServerB.
C. Modify the custom IPSec policies to use certificate-based authentication, and acquire IPSec certificates for ServerA and ServerB from a common root Certification Authority (CA).
D. Create a computer account for ServerA in factory.contoso.com and a computer account for ServerB in office.contoso.com. Configure the new accounts to use Kerberos name mapping to map the new account name to the existing computer account in the other forest.

Question #47 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain named nwtraders.msft.
The IT manager for the sales department wants to enforce a minimum password length of
eight characters. The IT managers for the remaining departments agree that they want a
minimum password length of six characters.
The network currently enforces a six-character minimum password length. You must
develop a solution that enforces the required eight-character minimum password settings
for sales department users' domain accounts.
What should you do?

A. Create an organizational unit (OU) named Sales and move sales department user accounts into the new OU. Create a Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to enforce the eight-character minimum password length.
B. Create an organizational unit (OU) named Sales and move sales department computer accounts into the new OU. Create a Group Policy object (GPO) and link it to the Sales OU. Configure the GPO to enforce the eight-character minimum password length.
C. Create a new child domain named sales.nwtraders.msft and move all sales department user accounts to the sales.nwtraders.msft domain. Configure the Default Domain Policy in the sales.nwtraders.msft domain to enforce an eight-character password.
D. Create a new child domain named sales.nwtraders.msft and move all sales department computer accounts to the sales.nwtraders.msft domain. Configure the Default Domain Controllers Policy in the sales.nwtraders.msft domain to enforce an eight-character password.

Question #48 - Topic 0

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains three member servers that run
Windows 2000 Server. All three servers use Routing and Remote Access to accept dial-up
connections from remote company employees. You will soon add four more dial-up servers
to handle the demand for dial-up services.
The written security policy for your company requires the start and end time of all dial-up
connections to be logged. The logs must be maintained for at least six months.
You need to configure the existing dial-up servers to comply with the written policy. You
need to ensure that the configuration can support additional dial-up servers. You also want
to minimize the amount of time you spend maintaining dial-up logs.
What should you do?

A. Enable auditing on each dial-up server. Configure the Security log on each dial-up server to be 20 MB in size and to never overwrite events. Save each Security log to an archived location every day.
B. Use the Eventcomb utility to collect the security events from each dial-up server every day. Export the Security log from each dial-up server to a file every day.
C. Install Internet Authentication Service (IAS) on a new Windows 2000 Server computer. Configure each dial-up server to use IAS for authentication and accounting. Configure IAS to log authentication and accounting. Use Task Scheduler to archive the IAS log files every day.
D. Move the dial-up servers to a new organizational unit (OU). Create a Group Policy object (GPO) and link the GPO to the new OU. Configure the GPO to enable auditing for logon and logoff events.

Question #49 - Topic 0

You are the network administrator for your company. You manage three Windows 2000
Server computers. Two of these servers are configured as domain controllers, and the

A. On ServerA, change the CrashOnAuditFail registry value to 1.
B. Deny the System group Full Control access of the Sysevent.evt file.
C. Remove the user account MariaA from all groups that allow administrative access to ServerA.
D. Configure Audit Policy of the GPO linked to Secure to Audit privilege use for the administrators group.
E. Configure the System group for Read only permission to Systemroot\System32\Config folder on ServerA.

Question #50 - Topic 0

You are a network administrator for Northwind Traders. The network consists of a Windows
2000 Active Directory domain named nwtraders.msft. The relevant portion of the Active
Directory structure is shown in the exhibit. (Click the Exhibit button.)

The written security policy of Northwind Traders requires that all communication between
the AccountData server and the computers in the accounting department be encrypted. To
implement IPSec communication between AccountData and the accounting department
client computers, you configure the network in the following way:
  • All user accounts in the accounting department are members of the Accounting_Department global group.
  • All computer accounts in the accounting department are members of the Accounting_Department_Computers global group.
  • The IPSec certificate template permissions are defined to grant the Accounting_Department global group Read and Enroll permissions.
  • A Group Policy object (GPO) named GetCertificates is created and linked to the Accounting organizational unit (OU) to issue the IPSec certificate template by using the Automatic Certificate Request Settings option.
  • A GPO named AccountingServer is created and linked to the Accounting OU. The AccountingServer GPO assigns the Secure Server (Require Security) IPSec policy.
  • A GPO named AccountingComputers is created and linked to the Computers OU. The AccountingComputers GPO assigns the Client (Respond Only) IPSec policy.

The accounting department employees can connect to every computer on the network except
AccountData. You must ensure that the employees in the accounting department can
connect to AccountData under the written policy.
What should you do?

A. Change the AccountingServer GPO to assign the Secure Server (Request Security) IPSec policy.
B. Change permissions on the IPSec certificate template to grant Read and Enroll permissions to the Accounting_Department_Computers global group.
C. Change the AccountingComp

Question #51 - Topic 1

You are responsible for Public Key Infrastructure (PKI) management for the network of your
company. The network consists of a Windows 2000 Active Directory domain. A Group
Policy object (GPO) named GetCertificates implements automatic certificate request
settings to deploy IPSec certificates. Your manager wants to implement IPSec between all
Windows 2000 computers on the network. You must develop a method for deploying the
IPSec certificates that requires the least amount of user input during the certificate
enrollment process. What should you do?

A. Install an enterprise Certification Authority (CA). Grant Read and Enroll permissions for the IPSec certificate template to the Domain Users global group. Link the GetCertificates GPO to the domain.
B. Install a stand-alone Certification Authority (CA). Grant Read and Enroll permissions for the IPSec certificate template to the Domain Users global group. Link the GetCertificates GPO to the domain.
C. Install an enterprise Certification Authority (CA). Grant Read and Enroll permissions for the IPSec certificate template to the Domain Computers global group. Link the GetCertificates GPO to the domain.
D. Install a stand-alone Certification Authority (CA). Grant Read and Enroll permissions for the IPSec certificate template to the Domain Computers global group. Link the GetCertificates GPO to the domain.

Question #52 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. Files are being deleted from several domain file servers.
You enable auditing on the servers. The audit logs indicate that the files are being deleted
by a domain account named XPSFCEC from a Windows XP Professional computer named
Client1. Usually, the XPSFCEC user account is used by several company applications that
run as services. However, written security policies for the company do not allow XPSFCEC
to be used on client computers.
You verify that the user of Client1 logs on by using a domain user account other than
XPSFCEC. You examine the Security log on Client1 and find the XPSFCEC account
referenced in the following event.

You need to ensure that the XPSFCEC user account will no longer be used by software
running on Client1. You need to ensure that the company applications using the XPSFCEC
account continue to operate.
What should you do?

A. Disable the XPSFCEC user account.
B. Change the password used by the XPSFCEC user account.
C. On Client1, configure Test.exe to log on by using a user account other than XPSFCEC.
D. Assign the Full Control - Deny permission to the XPSFCEC account for all files on each file server.
E. Modify the Default Domain Policy Group Policy object (GPO) so that the XPSFCEC account does not have permission to create process tokens.

Question #53 - Topic 1

You are the network administrator for a branch office of your company. Your company has
a main office network and a branch office network. All computers at your branch office are
configured with static IP addresses from the 10.168.1.0/24 subnet range. The relevant
portion of the network is shown in the exhibit. (Click the Exhibit button.)
The branch office has a Windows 2000 Server computer named ServerA running Routing
and Remote Access for Windows 2000. ServerA contains two network adapters that are
used to connect the branch office to the main office.
You have a portable computer with a dial-up connection and a network adapter. You use a
dial-up connection to connect the portable computer to the Windows Update Web site. The
portable computer also connects to your branch office by using the network adapter.
You replace the network adapter in ServerA for the main office connection. Now, ServerA
cannot connect to the main office or the Internet. You realize that ServerA requires a driver
and a security update that is available from the Windows Update site.
What should you do?

A. Enable Internet Connection Sharing on the portable computer. Use Windows Update on ServerA.
B. Enable Internet Connection Sharing on ServerA. Run the Microsoft Baseline Security Analyzer (MBSA) on ServerA.
C. Download the latest Microsoft security XML database to the portable computer. On the portable computer, create a share that contains the XML database. Run the Microsoft Baseline Security Analyzer (MBSA) on ServerA.
D. Use the Windows Update Catalog to download the new driver and security update to the portable computer. On the portable computer, create a share that contains the new driver and update. Use the share on the portable computer to update ServerA.

Question #54 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains a Windows 2000 Server computer
named ServerA that is running Microsoft SQL Server. The domain also contains an
organizational unit (OU) named North. ServerA is in the North OU. The written security
policy for your company requires that you create all Group Policy objects (GPOs) for the
domain.
The administrator for the North OU is named Bruno. Bruno is responsible for the user
accounts and computer accounts in the OU. Bruno submits a list of configurations that he
wants to be applied to ServerA in the North OU by means of a GPO. You create a GPO
that complies with Bruno's request.
You want to give Bruno the ability to link the GPO to the North OU, but you need to ensure
that Bruno cannot create GPOs. What should you do?

A. Add Bruno's user account to the Group Policy Creator Owners group.
B. Run the Delegation of Control wizard on the North OU and assign Bruno's user account the Manage Group Policy links task.
C. Move Bruno's user account to the North OU.
D. Configure the permissions on the GPO so that Bruno's user account has Read and Apply Group Policy permissions.

Question #55 - Topic 1

You are the administrator of a Windows 2000 network. Users on the network use Windows
2000 Professional client computers. All client computers are part of the same domain.
Each quarter, users install updates for an accounting application. The updates are provided
in the form of a Microsoft Windows Installer package.
To increase the security of the network and the Windows 2000 Professional client
computers, you change several permissions on folders on the file system and in the
registry of the client computers. Users then report that they can no longer install the
quarterly Windows Installer packages. When they double-click a Windows Installer
package, they receive an "Access denied" error message halfway through the installation.
You want to ensure that the quarterly Windows Installer packages are installed successfully
on the client computers without lowering the level of system security. What should you do?

A. Configure the Default Domain Policy to direct Windows Installer to always install Windows Installer packages with elevated privileges.
B. Create a Group Policy object (GPO) and link it to the domain. Configure the GPO to assign the Windows Installer packages to the users.
C. Configure the Active Directory user accounts with a logon script. Use the msiexec.exe command in the logon script to install the Windows Installer packages.
D. Create a Group Policy object (GPO) and link it to the domain. Configure the GPO to specify a logon script. Use the msiexec.exe command in the logon script to install the Windows Installer packages.

Question #56 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains five Windows 2000 Server domain
controllers, one Windows NT Server 4.0 BDC, 50 Windows NT Workstation 4.0 computers,
and 50 Windows 2000 Professional computers. The network also contains 50 Windows 98
computers.
You upgrade the BDC to Windows 2000 Server and configure it as a member server. You
perform a clean installation of Windows 2000 Server on nine new computers and configure
them as member servers.
You want to ensure that the upgraded computer and the newly installed computers have
the same security settings. How should you configure the upgraded computer?

A. Apply the Dcup.inf security template.
B. Apply the Basicsv.inf security template.
C. Analyze one of the cleanly installed Windows 2000 Server computers against the Dcup.inf security template. Copy the resulting security database to the windir\security\templates folder of the upgraded computer.
D. Analyze one of the cleanly installed Windows 2000 Server computers against the Basicsv.inf security template. Copy the resulting security database to the windir\security\templates folder of the upgraded computer.

Question #57 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains five Windows 2000 Server domain
controllers and 20 Windows 2000 Professional computers. The computer accounts for all
client computers are contained in an organizational unit (OU) named Desktops.
Four Group Policy objects (GPOs) are linked to the Desktops OU. The Desktops OU
properties are configured as shown in the following exhibit.

The administrator of the Desktops OU customizes each GPO by using several settings and
a different security template, as shown in the following table.

On average, the security logs increase by 1,000 KB per day. When you inspect the logs on
one of the desktops, you find that approximately eight days of security logs are being
retained. You want to retain approximately 20 days of security log settings.
What should you do?

A. Make GPO B the highest in the GPO list.
B. Make GPO B the lowest in the GPO list.
C. Create a new domain security group and add the users of the desktops to the new group. Grant the security group Read and Apply Group Policy permissions on GPO B.
D. Create a new domain security group and add the desktop computers to the new group. Grant the security group Read and Apply Group Policy permissions on GPO B.

Question #58 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain and includes 1,000 Windows XP Professional client
computers. All client computers are members of the domain. The domain accounts for all
client computers are located in the organizational units (OUs) of the departments that own
the computers. The domain also includes 100 Windows 2000 Server computers. The
computer accounts for all servers are located in an OU named Servers.
All client computers are configured with a single hard disk. The hard disk is configured as
two logical volumes named C and D. The C drive contains only the operating system files.
The D drive contains all user data and application files. Both drives are formatted to use
NTFS.
The written security policy for the company requires custom NTFS permissions on the root
of the D drive for all client computers. Previously, these permissions were manually applied
by an administrator before new computers were delivered to users. However, new
computers are now being added at a rate of 100 or more per month. Computers ordered
from the manufacturer contain different hardware.
You want to ensure that new client computers can be automatically configured with the
correct NTFS permissions for the root of drive D. However, you do not want your solution to
affect any of the servers in the domain. What should you do?

A. Create a Microsoft Visual Basic Scripting Edition (VBScript) script that assigns the correct NTFS permissions to the root of drive D. Create a new Group Policy object (GPO) and link it to the domain. Configure the GPO to run as a startup script.
B. Create a startup script that runs the cacls.exe command to apply the correct NTFS permissions to the root of drive D. Create a new Group Policy object (GPO) and link it to each departmental OU. Configure the GPO to run the startup script.
C. Create a security template that assigns the correct NTFS permissions to the root of drive D. Analyze the template, configure the correct NTFS permissions for the root of drive D, and save the security database. Copy the security database to a folder named C:\Windows\Security on each new client computer.

Question #59 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain includes a Windows 2000 Server named
ServerA, which runs Routing and Remote Access. ServerA is configured to allow both
dial-up and virtual private network (VPN) connections.
Your company issues smart cards. The smart cards will be used for both dial-in and VPN
users.
All users who connect remotely to the network are issued Windows XP notebook
computers with PC Card-based smart card readers. The users are required to use smart
cards only when they connect to the network remotely. Smart card usage should not be
enforced for local network authentication.
You need to implement a remote access solution that will enforce smart card access for all
dial-up and VPN connections. What should you do?

A. Enable the Smart card is required for interactive logon account option for all user accounts in the domain.
B. Issue a computer certificate to ServerA. Configure the Remote Access Policy at ServerA to accept only EAP-MD5 authentication and use the computer certificate for authentication.
C. Issue a user certificate to the Administrator account on ServerA. Configure the Remote Access Policy to accept only EAP-MD5 authentication and use the Administrator's user certificate for authentication.
D. Issue a computer certificate to ServerA. Configure the Remote Access Policy to accept only EAP-TLS authentication and use the computer certificate for authentication.
E. Issue a user certificate to the Administrator account on ServerA. Configure the Remote Access Policy to accept only EAP-TLS authentication and use the Administrator's user certificate for authentication.

Question #60 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains two domain controllers, one Windows
2000 Server computer configured as an intranet Web server, and 500 Windows XP
Professional client computers.
All client computers remain on 24 hours a day, but business hours are from 8:00 A.M. to
5:00 P.M. Your supervisor wants you to automate the installation of security updates to all
client computers on the network.
What should you do? (Each correct answer presents part of the solution. Choose three.)

A. Install and configure Microsoft Software Update Services (SUS) on the intranet Web server to synchronize each night at midnight. Configure the service to automatically approve new updates.
B. Configure a Group Policy object (GPO) and link it to the domain. Configure the GPO with a software distribution package containing the Microsoft Automatic Updates installer. Assign this software to the computers.
C. Write a batch file to download all new security updates each night at midnight. Configure the batch file to place the new security updates in the Sysvol share of both domain controllers.
D. Configure client computers to receive automatic updates from the intranet Web server each night at midnight. Restart all client computers.
E. Configure client computers to receive automatic updates from either domain controller each night at midnight. Restart all client computers.
F. Run the Microsoft Baseline Security Analyzer (MBSA) for all segments on the domain from any domain computer each night at midnight.
G. Write a batch file that runs the qchain.exe command each night at midnight. Create a new Group Policy object (GPO) and link it to the domain. Configure the GPO to run the script as a logon script.

Question #61 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
Every night at 2:00 A.M., you automatically run the mbsacli.exe command on a Windows
2000 Server named ServerA to verify the status of hotfixes and security-related settings of
the computers in the domain. In the morning, you want to view the results that mbsacli.exe
has generated.
What should you do?

A. Run the qfecheck.exe command and specify that you want to display verbose output.
B. Run the hfnetchk.exe command and include the -history switch.
C. Run the Microsoft Baseline Security Analyzer (MBSA) and specify that you want to view existing reports.
D. Run the Eventcomb tool to collect reports from the computers in the domain.

Question #62 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains a Windows XP Professional computer
that is used by an employee named Bruno. Bruno logs on to his computer by using a
domain user account and accesses documents located on company file servers.
During a routine security audit, you examine the event logs on Bruno's computer and
discover that the Security log contains hundreds of events indicating failed logons for the
local Administrator account.
You refresh the Security log and notice that hundreds of additional identical events are
added to the log. You suspect that an unauthorized user is attempting to access Bruno's
computer by using the local Administrator account.
You need to protect Bruno's computer from this attack while ensuring that Bruno can
continue to work. What should you do first?

A. Instruct Bruno to log off. Disconnect Bruno's computer from the network and instruct him to log on again.
B. On Bruno's computer, change the name of the local Administrator account to XPLocalAdmin1.
C. On a domain controller, change the name of the domain Administrator account to CorpDomainAdmin1.
D. Instruct Bruno to log on. Log on to the computer as a domain administrator and disable Bruno's user account.

Question #63 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains two Windows 2000 domain controllers
and 500 Windows 2000 Professional computers.
The relevant portion of the Active Directory hierarchy is shown in the exhibit. (Click the
Exhibit button.)
The user accounts for all employees in the Technical Support department are located in the
HelpDesk_Users organizational unit (OU). The client computer accounts for these
employees' computers are located in the HelpDesk_Computers OU. All other user
accounts are located in the Research_Users OU. All other client computer accounts are
located in the Research_Computers OU.
You create a Group Policy object (GPO) named GPO1 and link it to the
Research_Computers OU. You configure GPO1 as shown in the following table.

Another administrator moves a user account named Maria to the Research_Computers
OU. You notice that Maria's computer displays another user's name in the logon dialog
box. You need to ensure that the name of the last user to log on does not appear in the
logon dialog box when Maria logs on to her computer.
What should you do?

A. Move Maria's user account to the Research_Users OU.
B. Clear the Disable Computer Configuration Settings check box in GPO1.
C. Disable the Do not display last user name in logon screen policy in GPO1.
D. Run the secedit /refreshpolicy user_policy /enforce command on Maria's client computer.

Question #64 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain and a Windows 2000 Server computer named ServerA.
ServerA runs Routing and Remote Access and accepts PPTP connections.
Two hundred company employees use portable computers that are running Windows XP
Professional. These employees use PPTP connections to connect to ServerA by means of
the Internet.
You reconfigure ServerA to accept only L2TP connections. You install a user and an IPSec
computer certificate on each portable computer and configure the computers to use the

A. Reset the domain user account passwords of the employees who use portable computers.
B. On the portable computers, disable automatic protocol selection, and then configure the computers to use only L2TP connections.
C. On ServerA, install a computer certificate that is issued by the same Certification Authority (CA) that issued the user certificates installed on the portable computers.
D. On ServerA, add the Certification Authority (CA) that issued the user certificates to a Certificate Trust List (CTL). Stop and restart the Routing and Remote Access service.

Question #65 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains 100 Windows 2000 Server computers
and 5,000 Windows 2000 Professional computers.
The computer accounts for all servers are located in an organizational unit (OU) named
Servers. The computer accounts for 4,000 client computers are located in an OU named
Desktops. The computer accounts for the remaining client computers are located in an OU
named Research, which is a child of the Desktops OU.
Your company uses Group Policy objects (GPOs) to configure client computers. However,
the written security policy for your company permits alternate configurations for client
computers in the research department. The Research OU is configured to block Group
Policy inheritance.
You download a new Windows 2000 service pack from the Microsoft Web site. The service
pack is distributed as a Microsoft Windows Installer package.
You need to ensure that all Windows 2000 servers and client computers receive the
service pack. You want to accomplish this task in the least amount of administrative time.
Which three actions should you take? (Each correct answer presents part of the solution.
Choose three.)

A. Configure a GPO named SvcPack that assigns the service pack to users.
B. Configure a GPO named SvcPack that assigns the service pack to computers.
C. Configure the SvcPack GPO to use the No Override option.
D. Configure the SvcPack GPO to use loopback processing.
E. Link the SvcPack GPO to the domain.
F. Link the SvcPack GPO to the Desktops OU.

Question #66 - Topic 1

You are the network administrator for your company. The network consists of two Windows
2000 Active Directory forests: office.contoso.com and factory.contoso.com. Each forest
consists of a Windows 2000 Active Directory domain. The two domains have a one-way
external trust relationship in which office.contoso.com trusts factory.contoso.com. The trust
relationship is shown in the exhibit. (Click the Exhibit button.)
The written security policy of your company requires that ServerA must use IPSec to
encrypt data to ServerB. You configure a custom IPSec policy in the Local Security Policy
on ServerA and on ServerB. The custom IPSec policy implements Encapsulating Security
Payload (ESP) for all data that is transmitted between ServerA and ServerB. You also
configure the IPSec security association to use Kerberos authentication.
After the IPSec security policies are assigned to ServerA and ServerB, you discover that IP
traffic between ServerA and ServerB is not encrypted. What should you do?

A. Create a one-way external trust relationship in which factory.contoso.com trusts office.contoso.com.
B. Enable the Trust Computer for delegation option in the computer account properties on ServerA and on ServerB.
C. Modify the custom IPSec policies to use certificate-based authentication, and acquire IPSec certificates for ServerA and ServerB from a common root Certification Authority (CA).
D. Create a computer account for ServerA in factory.contoso.com and a computer account for ServerB in office.contoso.com. Configure the new accounts to use Kerberos name mapping to map the new account name to the existing computer account in the other forest.

Question #67 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. All client computers run Windows 2000 Professional. The
network uses TCP/IP as its only transport protocol. All servers use static IP configuration
settings. All client computers use DHCP to obtain their TCP/IP configuration. Each
company department has a dedicated subnet, and the network DHCP server contains a
scope for each subnet.
Users in the company's research department report that they cannot connect to the
network. No users in other departments are reporting similar problems.
You view the System logs on each affected computer in the research department. In each
case, the affected computer reports an IP address conflict with a computer in the network
named Client1. Client1 belonged to a user who recently left the company. You examine
Client1 and discover that the user had manually assigned all available IP addresses for the
research department subnet to Client1. You shut down Client1, but when users attempt to
renew their addresses, the renewal does not complete successfully.
You need to restore connectivity for the users in the research department, while minimizing
the impact on users in other departments. What should you do?

A. On the DHCP server, delete each BAD_ADDRESS lease entry from the Address Leases list. Instruct all research users to run the ipconfig /renew command on their computers.
B. On the DHCP server, delete the DHCP database and disable IP address conflict detection. Instruct all research users to run the ipconfig /renew command on their computers.
C. On the DHCP server, stop and restart the DHCP Server service, and then disable support for BOOTP clients. Instruct all research users to run the ipconfig /renew command on their computers.
D. On the DHCP server and on all client computers, disable gratuitous Address Resolution Protocol (ARP). Instruct all research users to run the ipconfig /renew command on their computers.

Question #68 - Topic 1

You are the network administrator for your company. The network consists of a Windows
NT 4.0 domain named NWTRADERS. The domain contains five Windows NT Server 4.0
computers that are configured as domain controllers. The PDC in the NWTRADERS
domain is named ServerC. The domain also includes a Windows NT Server 4.0 computer

A. Add the Everyone group to the Pre-Windows 2000 Compatible Access group.
B. Add ServerB to the DNSUpdateProxy group.
C. Import the Dcup.inf security template to the Local Security Policy on ServerB.
D. Import the Defltdc.inf security template to the Local Security Policy on ServerB.

Question #69 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain and does not implement a Public Key Infrastructure (PKI).
Several consultants participate in the network and use Windows 2000 Professional
portable computers that are not members of the Active Directory domain. You maintain
accounting software that only domain members can access. A Windows 2000 Server
computer named ServerA runs the accounting software. You must create a solution that

A. Configure the custom IPSec policy to implement Encapsulating Security Payload (ESP) for all IP traffic connecting to ServerA. Configure the IPSec policy to use certificate-based authentication to authenticate domain member computers connecting to ServerA.
B. Configure the custom IPSec policy to implement Encapsulating Security Payload (ESP) for all IP traffic connecting to ServerA. Configure the IPSec policy to use Kerberos authentication to authenticate domain member computers connecting to ServerA.
C. Configure the custom IPSec policy to implement Authentication Header (AH) for all IP traffic connecting to ServerA. Configure the IPSec policy to use certificate-based authentication to authenticate domain member computers connecting to ServerA.
D. Configure the custom IPSec policy to implement Authentication Header (AH) for all IP traffic connecting to ServerA. Configure the IPSec policy to use Kerberos authentication to authenticate domain member computers connecting to ServerA.
E. In the Local Security Policy of ServerA, enable the Digitally sign server communications (always) security policy.
F. Create a new Group Policy object (GPO) and link it to the domain. Configure the GPO to enable the Digitally sign client communications (always) security policy.

Question #70 - Topic 1

You are the network administrator for your company. The research department employees

A. In the Active Directory Users and Computers console, modify the properties of ServerA to enable the Trust computer for delegation attribute.
B. In the Active Directory Users and Computers console, modify the properties of all research department user accounts to enable the Account is trusted for delegation attribute.
C. Modify the process so that research department users save the files to a different share on ServerA that does not implement EFS encryption. At ServerA, configure a batch file that copies the files into the encrypted Research share on ServerA.
D. Modify the process so that research department users save the files locally to an EFS encryption-enabled folder. Instruct the research department users to move their encrypted file to the Research share on ServerA.

Question #71 - Topic 1

You are a network administrator for your company. The network consists of a Windows
2000 Active Directory domain. You deploy the Windows 2000 Certification Authority (CA)
hierarchy shown in the exhibit. (Click the Exhibit button.)

RootCA and PolicyCA are removed from the network to increase the security of the CA
hierarchy. CorpCA issues computer and user certificates for company-wide applications,
including Encrypting File System (EFS) and IPSec. MailCA issues certificates for Microsoft
Exchange Server 2000. ProjectCA issues certificates to users and computers involved in
several Public Key Infrastructure (PKI) pilot projects. These certificates are issued with
short lifetimes to ensure that the certificates are not used when a PKI project moves to a
production application. Multiple projects utilize ProjectCA simultaneously. At the conclusion
of a pilot project, you discover that the pilot project users continue to use the certificates

A. Revoke the CA certificate of ProjectCA at ProjectCA.
B. Revoke the CA certificate of ProjectCA at PolicyCA.
C. Revoke the individual certificates issued to the users and computers participating in the pilot project at ProjectCA.
D. Export the certificates issued by ProjectCA for the pilot project and publish an updated Certificate Revocation List (CRL).

Question #72 - Topic 1

You are the administrator of a Windows 2000 Active Directory domain. The domain
contains 3,000 Windows 2000 Professional client computers and 250 Windows 2000
Server computers. Administration of the domain is delegated to a group named
DomainManagers. The DomainManagers group has 12 user accounts in an organizational
unit (OU) named Managers.
You need to ensure that the 12 user accounts in the DomainManagers group cannot be
used by applications. What should you do?

A. Change the properties of the 12 user accounts to enable the Account is trusted for delegation option.
B. Change the properties of the 12 user accounts to enable the Account is sensitive and cannot be delegated option.
C. Create a new Group Policy object (GPO) and link it to the Managers OU. Configure the GPO to set the Kerberos Maximum lifetime for service tickets and the Maximum lifetime for user tickets policies to 30 minutes. Assign the Apply Group Policy permission on the GPO to only the DomainManagers group.
D. Create a new Group Policy object (GPO) and link it to the Managers OU. Configure the GPO to enable the Kerberos Enforce user logon restrictions policy. Assign the Apply Group Policy permission on the GPO to only the DomainManagers group.

Question #73 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains a Windows 2000 Server computer

A. Delete and then re-create the computer account.
B. Restore the Systemroot\Sysvol\Domain\Policies folder.
C. Ensure that the Key Distribution Center service is started.
D. Use a Windows 2000 Server CD-ROM to perform a Repair of the installation.

Question #74 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The network contains two Windows 2000 Server computers
configured as domain controllers, 100 Windows 2000 Professional client computers, and
100 Windows 98 client computers. All Windows 98 Second Edition client computers have
the Microsoft Directory Services Client installed and are configured with the appropriate
LMCompatibilityLevel registry value.
The company has three departments: research, sales, and operations. Each department
has a separate organizational unit (OU) in the domain that contains all user and group
accounts for that department.
The written security policy for your company requires that domain controllers authenticate
user logons only by using the most secure Microsoft authentication method available to all
clients on the network. You review the Security Options portion of the security template for
the domain. The following table shows the relevant Security Options settings in the
template.

You must ensure that no Windows 98 client computer can authenticate with the domain
controller by using anything less than the most secure authentication method available.
What should you do?

A. Configure the LAN Manager Authentication Level on the security template to Not defined. Import the template into the Domain Controllers Security Policy.
B. Configure the LAN Manager Authentication Level on the security template to Send NTLMv2 response only\refuse LM & NTLM. Import the template into the Domain Security Policy.
C. Configure the Default Domain Policy Group Policy object (GPO) to enable the Digitally encrypt secure channel data (when possible) setting in the Security Options policy.
D. Configure the Default Domain Controllers Policy Group Policy object (GPO) to enable the Digitally encrypt or sign secure channel data (always) setting in the Security Options policy.

Question #75 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
From a Windows 2000 Professional client computer in the domain, you want to find out
whether the local user accounts on the Windows 2000 member servers and Windows 2000
Professional client computers in the domain use a blank password or a common simple
password, such as "password" or "admin."
What should you do?

A. Run Microsoft Baseline Security Analyzer (MBSA) for the computers in the domain. Ensure that you are a local administrator on the scanned computers.
B. Run the hfnetchk.exe command for the computers in the domain. Ensure that no account lockout policy is defined on the scanned computers.
C. Run the sigverif.exe command on the computers in the domain. Ensure that Account Management auditing is turned off on the scanned computers.
D. Run the qfecheck.exe command on the computers in the domain. Ensure that you have the Log on as a batch job user right on the scanned computers.

Question #76 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains 10 Windows 2000 domain controllers,
100 Windows 2000 Professional client computers, and 500 Windows NT Workstation 4.0
computers.
You create an organizational unit (OU) named Client_Comps. You move all the client
computer accounts in the network to this OU. Then, you create a Group Policy object
(GPO) named GPO1 and link it to the Client_Comps OU. You import the Securews.inf
security template to GPO1.
You install Windows 2000 Professional on all client computers. You verify that each client
computer applies GPO1.
Users report that an application does not run on the Windows 2000 Professional
computers. You discover that the application stores user data in the program files folder
structure. This application used to run on the Windows NT Workstation 4.0 computers.
You need to ensure that the application can run on Windows 2000 Professional computers
while maintaining the security settings in Securews.inf. You also need to maintain security
on the other computers and domain controllers in the domain.
What should you do?

A. Import the Compatws.inf security template to GPO1.
B. Configure GPO1 so that it applies only the settings from the Defltwk.inf security template.
C. Create a new GPO and link it to the domain. Import the Defltwk.inf security template to the new GPO.
D. Create a new security template that merges the Securews.inf template and the Compatws.inf template. Import the new template to the Default Domain Policy GPO.

Question #77 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains three member servers that run
Windows 2000 Server. All three servers use Routing and Remote Access to accept dial-up
connections from remote company employees. You will soon add four more dial-up servers
to handle the demand for dial-up services.
The written security policy for your company requires the start and end time of all dial-up
connections to be logged. The logs must be maintained for at least six months.
You need to configure the existing dial-up servers to comply with the written policy. You
need to ensure that the configuration can support additional dial-up servers. You also want
to minimize the amount of time you spend maintaining dial-up logs.
What should you do?

A. Enable auditing on each dial-up server. Configure the Security log on each dial-up server to be 20 MB in size and to never overwrite events. Save each Security log to an archived location every day.
B. Use the Eventcomb utility to collect the security events from each dial-up server every day. Export the Security log from each dial-up server to a file every day.
C. Install Internet Authentication Service (IAS) on a new Windows 2000 Server computer. Configure each dial-up server to use IAS for authentication and accounting. Configure IAS to log authentication and accounting. Use Task Scheduler to archive the IAS log files every day.
D. Move the dial-up servers to a new organizational unit (OU). Create a Group Policy object (GPO) and link the GPO to the new OU. Configure the GPO to enable auditing for logon and logoff events.

Question #78 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain is configured to audit logon events.
The company's written security policy prohibits remote access to the company network. All
network services are in compliance with the written policy.
Bruno is a user in the research department. On Friday, Bruno leaves on a two-week
vacation. The following Monday, you discover that the Security log on each domain
controller in the domain contains the following event.

The event appears throughout the weekend in groups of three with 30-minute gaps
between each appearance. As you are examining the log, the event occurs again three
times in rapid succession.
You need to immediately prevent this security violation from succeeding. You do not want
to affect other network users. What should you do?

A. Disable the domain computer account for Client1.
B. Disable the domain user account for Bruno.
C. Stop the Net Logon service on all domain controllers.
D. Delete the domain user account that is used by the user of Client1.

Question #79 - Topic 1

You are the administrator of a Windows 2000 network. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers. The client computers are in an organizational
unit (OU) named Clients. You use Group Policy objects (GPOs) to administer the
configuration of the Windows 2000 Professional client computers.
To increase the security of the client computers, you want to ensure that the configuration
settings on the client computers are always corrected whenever a user changes these
settings manually. What should you do?

A. Configure the Task Scheduler on the client computers to periodically run the secedit /refreshpolicy machine_policy and the secedit /refreshpolicy user_policy commands.
B. Configure the Default Domain Group Policy object (GPO) to enable a Group Policy refresh interval for computers setting and a Group Policy refresh interval for users setting.
C. Create a GPO and link it to the Domain Controllers OU. Configure the GPO to enable the User Group Policy loopback processing mode in merge mode.
D. Create a GPO and link it to the Clients OU. Configure the GPO to enable the settings to process policies even if the GPOs have not changed.
E. Create a GPO and link it to the Clients OU. Configure the GPO to disable the Enforce Show Policies Only setting.

Question #80 - Topic 1

You are one of two administrators for your company. The network structure contains a
Windows 2000 Active Directory domain named contoso.com. The network infrastructure is
divided into two sites: SiteA and SiteB.
The other administrator, named Bruno, is responsible for ensuring that security updates are

A. Configure a script to retrieve the OS build number and return the results to a centralized database.
B. Rewrite Bruno's script to place the files on the Netlogon share of the domain controllers. Configure auditing on the domain controllers to record success and failure of Account Logon.
C. Run Microsoft Baseline Security Analyzer (MBSA) on the subnets that make up SiteB.
D. Write a script that runs both the qfecheck and winver commands on each computer in SiteB.
E. Modify Bruno's script to apply all updates except the conflicting update. Create a Group Policy object (GPO) and link it to the domain that runs the script as a logon script.

Question #81 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains a Windows 2000 Server computer

A. On ServerA, install a Web server certificate. Then, implement SSL security for the Default Web site, enforce 128-bit encryption, and enable only Basic authentication.
B. On ServerA, install a Web server certificate. Then, implement SSL security for the Payroll Web site, enforce 128-bit encryption, and enable only Integrated Windows authentication.
C. On each client computer in the accounting department, install a computer certificate. On ServerA, implement SSL security for the Default Web site, enforce 128-bit encryption, and enable only Basic authentication.
D. On each client computer in the accounting department, install a computer certificate. On ServerA, implement SSL security for the Payroll Web site, enforce 128-bit encryption, and enable only Integrated Windows authentication.

Question #82 - Topic 1

You are the network administrator for a branch office of your company. All computers on
the network are members of a Windows 2000 Active Directory domain. The company has
one domain administrator at the main office. An organizational unit (OU) named Branch1
corresponds to your branch office.
An OU named Files is under the Branch1 OU. All user accounts, computer accounts,
printer objects, and shared resources of your branch office are in the Branch1 OU.
Three Windows 2000 Server computers are configured as file servers named ServerA,
ServerB, and ServerC. The computer accounts for these servers are in the Files OU. The
domain administrator has delegated to you full control of Branch1 and all its subordinate
OUs. You are granted the ability to create and link Group Policy objects (GPOs).
An Audit Policy is not defined for any GPO that is linked to the domain. Auditing of Read
permissions, both success and failure, is enabled for the Everyone group on all folders and
files on the file servers to which users have access.
You configure the SACL on each folder that your manager is concerned about to audit
success and failure of Read access for the Everyone group. Corporate management wants
you to log all user access to files or folders on only the file servers in your branch office.
What should you do?

A. Create a Group Policy object (GPO) and link it to the Files OU. Configure the GPO to enable both the success and failure of the Audit logon events policy.
B. Create a Group Policy object (GPO) and link it to the Files OU. Configure the GPO to enable both the success and failure of the Audit object access policy.
C. Ask the domain administrator to create a Group Policy object (GPO) and link it to the domain. Configure the GPO to enable both the success and failure of the Audit logon events policy.
D. Ask the domain administrator to create a Group Policy object (GPO) and link it to the domain. Configure the GPO to enable both the success and failure of the Audit object access policy.

Question #83 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain named contoso.com. The domain contains 10 Windows 2000
Server computers that run Internet Information Services (IIS) 5.0. These servers host the
company's public Web site. Only the computer accounts for these Web servers are in an
organizational unit (OU) named Web.
According to the written security policy for your company, the World Wide Web Publishing
service on each Web server must always have a startup type of Automatic, and the FTP
service on each Web server must always have a startup type of Disabled. Only the
members of the Domain Admins group are allowed to stop and start these services.
You need to configure the Web servers to comply with the written policy. What should you
do?

A. On each Web server, configure the startup types for the World Wide Web Publishing service and the FTP service to comply with the written policy. For both services, configure the Log on as account as CONTOSO\Domain Admins.
B. On each Web server, configure the startup types for the World Wide Web Publishing service and the FTP service to comply with the written policy. Add the Domain Admins group to the Power Users group on each Web server.
C. Create a Group Policy object (GPO) and link it to the Web OU. Create a security template that configures the startup types for the World Wide Web Publishing service and the FTP service to comply with the written policy. Configure the Domain Admins group as the only group that can stop and start these services. Import the security template into the new GPO.
D. Install a new Windows 2000 Server computer that is running IIS 5.0, then place the new server in the Web OU. Create a Microsoft Windows Installer package that includes the correct configuration for the World Wide Web Publishing service and FTP service startup types. For both services, configure the Log on as account as CONTOSO\Domain Admins. Create a Group Policy object (GPO) and link it to the Web OU. Assign the installer package to the computer configuration section in the new GPO.

Question #84 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains a Windows 2000 Server computer

A. Install an IPSec certificate on ServerA and on each client computer that requires POP3 access. Then, on each client computer, create and assign an IPSec policy that applies Encapsulating Security Payload (ESP) encryption to all traffic sent to the POP3 port on ServerA.
B. Install an IPSec certificate on ServerA and on each client computer that requires POP3 access. Then, on each client computer, create and assign an IPSec policy that applies Encapsulating Security Payload (ESP) encryption to all traffic sent to the POP3/S port on ServerA.
C. Install a Web server certificate on ServerA. Configure Exchange Server 2000 to use the certificate to enable POP3 over SSL connections. Configure the POP3 client software to connect to ServerA by using the POP3/S port.
D. Install a Web server certificate on ServerA. Configure Exchange Server 2000 to use the certificate to enable POP3 over SSL connections. Configure the POP3 client software to use Secure Password Authentication (SPA).

Question #85 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
Currently, five Windows 2000 member servers host the corporate Internet Web site. These
servers run Internet Information Services (IIS) 5.0.
You plan to enable authentication to access the Web site. Some customers who connect to
the Web site use a certificate that you distribute to them. Other customers who do not have
a valid certificate need to be prompted for a user name and password.
You have already installed a Web server certificate on the Web servers, and you have
mapped all issued certificates to the correct user accounts. You want to ensure that users
both with and without certificates are authenticated.
How should you configure each of the Web servers? (Each correct answer presents part of
the solution. Choose two.)

A. Change the authentication methods to disable Anonymous access.
B. Change the application protection level to High (Isolated).
C. Enable the Accept client certificates option.
D. Enable the Require client certificates option.
E. Enable the Require secure channel (SSL) option.

Question #86 - Topic 1

You are the administrator of a Windows 2000 network. The network consists of two
Windows 2000 forests with five Windows 2000 domains. The two forests, the domains, and
domain relationships are shown in the exhibit. (Click the Exhibit button.)
You want to meet the following criteria:
Ensure that users from domain C can access resources in domains D and E. Create trust
relationships between the domains so that the necessary permissions and user rights can
be granted.
Create the least number of trust relationships.
What should you do?

A. Create a trust relationship from domain D to domain A, and create a trust relationship from domain A to domain D.
B. Create a trust relationship from domain D to domain C, and create a trust relationship from domain E to domain C.
C. Create a trust relationship from domain C to domain D, and create a trust relationship from domain C to domain E.
D. Create a trust relationship from domain A to domain D, and create a trust relationship from domain A to domain E.

Question #87 - Topic 1

You are the network administrator for your company. The network contains a Windows
2000 Active Directory domain and a Windows 2000 Server computer named ServerA.
ServerA runs Routing and Remote Access and is configured to accept virtual private
network (VPN) connections by means of the Internet.
Bruno is a member of the sales department. When he works from home, Bruno uses a
portable computer running Windows 2000 Professional. Bruno asks you to configure his
portable computer so that he can log on directly to the domain from home. You verify that
Bruno's Internet service provider (ISP) is configured to allow VPN traffic to the company
network.
You create a new dial-up connection named Corp-VPN on Bruno's computer. You

A. Add Bruno's domain user account to the local Power Users group.
B. Log on by using the local Administrator account. Create a new Corp-VPN connection that is available for all users.
C. Install a user certificate. Configure the computer's Certificate Trust List (CTL) to include the Certification Authority (CA) that issued the certificate.
D. Instruct Bruno to log on by using his domain user account. Then, instruct Bruno to create a new connection named Corp-VPN2. Provide Bruno with the TCP/IP address for ServerA, and instruct him to accept the defaults for all other settings.

Question #88 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional computers. All domain controllers run Windows 2000 Server.
The relevant portion of the Active Directory hierarchy is shown in the exhibit. (Click the
Exhibit button.)
The written security policy for your company requires that only network administrators have
administrative capabilities on the domain controllers and member servers in the domain. An
administrator's user account must not have administrative capabilities on any client
computer in the domain, including the administrator's own client computer.
A Group Policy object (GPO) named Secure_lockdown is linked to the IT_Users OU and
the Employee_Users OU. The Secure_lockdown GPO removes many Start menu options
and does not give the users access to Control Panel utilities. Administrators report that they
cannot view all Start menu options when they log on to their client computers by using their
domain user accounts.
You need to ensure that the administrators have access to all Start menu options and
Control Panel utilities on their client computers but not on other client computers in the
company.
What should you do?

A. Create a group named IT_staff. Add each administrator's user account to the IT_staff group. In the Default Domain Policy GPO, add the Administrators group under the Restricted Groups policy. Add the IT_staff group to the member list in the Administrators group.
B. Create a group named IT_staff. Add each administrator's user account to the IT_staff group. Run the Delegation of Control wizard for the IT_Computers OU. Grant the IT_staff group Full Control permission for the Computer objects.
C. Create a GPO and link it to the IT_Users OU. In the computer configuration section of the GPO, set the loopback processing policy to Replace. In the user configuration section of the GPO, configure Start menu options and Control Panel utilities to be accessible.
D. Create a GPO and link it to the IT_Computers OU. In the computer configuration section of the GPO, set the loopback processing policy to Replace. In the user configuration section, configure Start menu options and Control Panel utilities to be accessible.

Question #89 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
A Windows 2000 member server named ServerA hosts the corporate intranet Web site.
ServerA runs Internet Information Services (IIS) 5.0. All files on ServerA are protected by
NTFS permissions.
You want to allow users to use client certificates for authentication to the intranet Web site.
You issue a certificate to all users and map each certificate to the correct domain user
account. However, you cannot enable the Accept client certificates option for the intranet
Web site.
What should you do?

A. Install a Certification Authority (CA) on ServerA.
B. Install a Web server certificate on the intranet Web site.
C. Configure the authentication methods of the intranet Web site to disable Anonymous access.
D. Configure the local Group Policy on ServerA to assign the Store password using reversible encryption for all users in the domain policy.

Question #90 - Topic 1

You are the network administrator for your company. The network consists of a native
mode Windows 2000 Active Directory domain. All client computers run Windows 2000
Professional or Windows NT Workstation 4.0. All Windows NT Workstation 4.0 client
computers have the Microsoft Directory Services client installed. The written security policy
for your company requires all communications between computers in the network to be
encrypted where possible.
You install Certificate Services on a Windows 2000 Server computer and configure the
server to act as an enterprise root Certification Authority (CA) for the domain. You
configure the CA to issue IPSec certificates. You configure the Default Domain Policy
Group Policy object (GPO) to issue IPSec certificates to all member computers
automatically.
You create two new organizational units (OUs) in the domain: Desktops and Servers. The
Desktops OU contains the computer accounts for all client computers. The Servers OU
contains the computer accounts for all server computers.
In each OU, you create and configure a GPO to apply IPSec policies to the computers as
shown in the following table.

You also configure the IPSec policies to use only IPSec certificates issued by the root CA
for authentication.
Users with computers running Windows NT Workstation 4.0 report that they cannot access
resources located on any network server. However, these users access resources located
on other client computers. Users with computers running Windows 2000 Professional do
not report similar problems.
You need to ensure that all client computers can access server-based resources. What
should you do?

A. Configure all IPSec policies in all OUs to use Kerberos as the authentication protocol.
B. Configure the Secure Server (Require Security) IPSec policy to use a preshared key for key exchange.
C. Assign the Server (Request Security) IPSec policy in the Security-DC GPO and in the Security-SRV GPO.
D. Use the Web-based Certificate Enrollment tool to request and install computer certificates on the Windows NT Workstation 4.0 computers.

Question #91 - Topic 1

You and Bruno are the network administrators for your company. The network consists of a
Windows 2000 Active Directory domain. All client computers are in an organizational unit
(OU) named Clients.
The network contains two Windows 2000 Server computers configured as domain
controllers and three Windows 2000 Server computers configured as file servers. The
network also contains 1,500 Windows 2000 Professional client computers.
You and Bruno are responsible for deploying a service pack to all Windows 2000
Professional client computers. Bruno creates a Group Policy object (GPO) named
SPDeploy and links it to the Clients OU. He configures SPDeploy with a software package
that installs the service pack.
You initiate an automatic restart of all client computers. After the client computers restart,
none of the client computers you check have the service pack. Bruno asks you to review
the software deployment package configuration, which the following exhibit shows.

You confirm that these client computers receive other GPOs that are linked to the Clients
OU. You must ensure that SPDeploy is correctly deployed.
What should you do?

A. Change the Deployment state to Assign. Select the Redeploy Application menu option on the software deployment package. Restart the client computers.
B. Remove all service packs from the client computers. Select the Redeploy Application menu option on the software deployment package. Restart the client computers.
C. Remove the existing installation package. Add update.msi as a new software installation package under the user configuration section of SPDeploy. Restart the client computers.
D. Remove the existing installation package. Add update.msi as a new software installation package under the computer configuration section of SPDeploy. Restart the client computers.

Question #92 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
From a Windows 2000 Professional client computer in the domain, you want to find out the
hotfix status of other computers in the domain. When you use Microsoft Baseline Security
Analyzer (MBSA) to scan a Windows 2000 Server computer named ServerA, you receive
the error message that you are not an administrator on the scanned computer.
You want to ensure that you can find out the hotfix status of ServerA from the Windows
2000 Professional computer. What should you do?

A. Run the runas command to start MBSA and specify local administrator credentials for ServerA.
B. Run the net use command to specify local administrator credentials for a connection to ServerA, then run MBSA.
C. Run the hfnetchk command and specify local administrator credentials for ServerA to connect to and scan ServerA.
D. Run the mbsacli command to connect to and scan ServerA.

Question #93 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain that contains 5,000 Windows 2000 Professional client
computers. All client computer accounts are located in an organizational unit (OU) named
ClientComputers. All company employees log on to their computers by using domain user
accounts.
All client computers are installed by using a standard Windows 2000 Professional image,
which includes Internet Information Services (IIS). However, only three software developers
use IIS on their client computers.
These developers report that their client computers are infected with a virus. You discover
that the virus infects computers by attacking IIS. You estimate that one-third of the client
computers are infected with the virus, and the virus is slowly spreading to other computers.
Your anti-virus software does not currently detect this virus, although an update will be
available in three business days. The developers can work normally without IIS for several
days, if necessary.
Until the anti-virus update is available, you need to prevent the virus from spreading to
additional client computers. What should you do?

A. On each developer's client computer, configure the World Wide Web Publishing service to have a startup type of Disabled.
B. On each computer infected by the virus, configure the properties of the LAN connection so that IP filters prevent inbound network traffic on TCP port 80.
C. On each computer not infected by the virus, configure the properties of the default Web site so that only Integrated Windows authentication is enabled. Then, stop the default Web site.
D. On a domain controller, create a Group Policy object (GPO) and link it to the ClientComputers OU. Configure the GPO to disable the World Wide Web Publishing service. In the GPO, select the No Override check box. Restart all client computers.

Question #94 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain includes two organizational units (OUs) named
Manufacturing and Sales. The network contains two Windows 2000 Server computers
configured as domain controllers and 1,500 Windows 2000 Professional client computers.
All user accounts are located in the Manufacturing OU and Sales OU.
Your manager wants you to ensure that the domain Account Policies are no less secure
than the Account Policies in the Securedc.inf template. You run the Security Configuration
and Analysis console on a network domain controller, and you use Securedc.inf to analyze
the computer.
You review the Password Policy portion of the analysis, which the following table shows.

Your manager does not want to reduce the existing security level. You must increase the
security of the Password Policy in all areas in which it is less restrictive than the
Securedc.inf template. What should you do?

A. Import the Securedc.inf template into the Domain Security Policy.
B. Create a new Group Policy object (GPO) and link it to the Sales and Manufacturing OUs. Import the Securedc.inf template into the new GPO.
C. Create a new security template. Set Enforce password history to 24 passwords, Maximum password age to 42 days, and Minimum password age to 4 days. Import the new template to the Domain Security Policy.
D. Create a new Group Policy object (GPO) and link it to the Sales and Manufacturing OUs. Create a new security template. Set Enforce password history to 24 passwords, Maximum password age to 0, and Minimum password age to 4 days. Import the new template to the new GPO.

Question #95 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. The domain contains Windows 2000 Server computers and
Windows 2000 Professional client computers.
The finance department uses a Windows 2000 member server named ServerA to store
confidential files. The files are in a folder named Budget, which is shared as Budget. All
users in the finance department are members of a group named Finance.
The NTFS permissions on the Budget folder and the files in that folder allow access only to
the Administrators group and the Finance group. The NTFS permissions are configured to
allow full control. The share permissions are the default permissions.
You want to track which users attempt to gain access to files in the Budget folder on

A. Configure the auditing entries to apply to the Administrators group and the Finance group, instead of the Everyone group.
B. Configure the auditing entries to include both failed and successful access for all access types.
C. Enable the Audit object access option for failed attempts in a new Group Policy object (GPO) that applies only to ServerA.
D. Grant the ServerA computer account the Generate security audits right.
E. Add NTFS permission access control entries to the Budget folder and all files in the folder that specify Deny - Full Control permission for the Everyone group.

Question #96 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. All client computers run Windows XP Professional.
You are deploying an 802.11b wireless LAN in the network. The wireless LAN will use
Wired Equivalent Privacy (WEP) for all connections.
The written security policy for your company states that company computers must be able
to connect automatically to the wireless LAN. Unauthorized computers must not be able to
connect to or view the wireless LAN in the list of available wireless networks.
You need to configure all wireless access points and client computers to comply with the
written policy. What should you do?

A. Set the authentication type for the wireless LAN to Shared Key. Enable SSID Broadcast and MAC Filtering on all wireless access points. On each client computer, add the SSID for the wireless LAN as an available network.
B. Set the authentication type for the wireless LAN to Shared Key. Disable SSID Broadcast and enable MAC Filtering on all wireless access points. On each client computer, add the SSID for the wireless LAN as a preferred network.
C. Set the authentication type for the wireless LAN to Open System. Enable SSID Broadcast and disable MAC Filtering on all wireless access points. On each client computer, add the SSID for the wireless LAN as an available network.
D. Set the authentication type for the wireless LAN to Open System. Disable SSID Broadcast and MAC Filtering on all wireless access points. On each client computer, add the SSID for the wireless LAN as a preferred network.

Question #97 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain named contoso.com. Your company's Active Directory
organizational unit (OU) structure is based on the defined server roles. The relevant portion
of the Active Directory structure is shown in the exhibit. (Click the Exhibit button.)
The IT manager wants you to develop a standardized security baseline that implements
NTFS and registry permissions that conform with the written security policy of your
company for servers. The servers that require the security baseline settings include
application servers, file servers, and infrastructure servers.
You decide to use security templates to define the baseline security settings. You define
the following security templates:
  • A security template named Default.inf that includes the required NTFS and registry
    permissions for Windows 2000-based servers in the company.
  • Individual security templates that define role-specific security settings.
There is one security template for each server role in the company. What strategy should
you use to deploy the security templates?

A. Create a Group Policy object (GPO) and link it to the domain. Import the Default.inf security template to the new GPO. Import the role-specific security templates to individual GPOs linked to the Servers OU.
B. Create a Group Policy object (GPO) and link it to the Servers OU. Import the Default.inf security template to the new GPO. Import the role-specific security templates to individual GPOs linked to the Servers OU.
C. Create a Group Policy object (GPO) and link it to the domain. Import the Default.inf security template to the new GPO. Import the role-specific security templates to GPOs linked to each role-specific OU.
D. Create a Group Policy object (GPO) and link it to the Servers OU. Import the Default.inf security template to the new GPO. Import the role-specific security templates to GPOs linked to each role-specific OU.

Question #98 - Topic 1

You are the network administrator for your company. The company network contains 1,000
Windows XP Professional computers and 2,500 Windows 2000 Professional computers.
The network is connected to the Internet by means of a 512-Kbps connection. All
computers use Internet Explorer as their default browser.
Ten new security updates are released for Windows XP Professional and Windows 2000
Professional. The updates are available on http://windowsupdate.microsoft.com for both
operating systems. However, you decide to deploy the updates internally so that each user
does not have to connect to the Web site.
You use Internet Explorer on a Windows XP Professional computer to connect to
windowsupdate.microsoft.com. However, the Web site offers only the option to apply the
updates to the local computer.
You want to download the updates so that you can deploy them to each client computer.
What should you do?

A. On each Windows XP Professional computer, enable Automatic Updates. On each Windows 2000 Professional computer, enable Critical Update Notification.
B. Use the Web site to download and install the updates on the local computer. After the update completes, locate the downloaded files on the computer's hard disk and copy them to a shared folder.
C. Use the Web site to download and install the updates on the local computer. Before the computer restarts, locate the downloaded files on the computer's hard disk and copy them to a shared folder.
D. On the Web site, select the option to personalize the site. Then, select the option to display the Windows Update Catalog and download the updates to a shared folder.

Question #99 - Topic 1

You are the network administrator for your company. The network consists of a Windows

A. On ServerA, disable Bruno's local user account.
B. On ServerA, increase the size of the Security log to 1,024 KB.
C. On a domain controller, disable Bruno's domain user account.
D. On ServerA, save the contents of the Security log to a file named ServerALog.evt.
E. On ServerA, stop Routing and Remote Access and set the startup mode to Disabled.

Question #100 - Topic 1

You are the network administrator for your company. The network consists of a Windows
2000 Active Directory domain. All client computers are in an organizational unit (OU)
named Clients.
The network includes three Windows 2000 Server computers configured as domain
controllers and one Windows 2000 Server computer, named ServerA, configured as a file
server. ServerA has a distribution share folder that holds the contents of the Windows 2000
Professional installation CD-ROM and the latest service pack slipstreamed into the
installation files. The network contains 1,500 Windows 95 client computers.
Bruno, the desktop administrator, manages the client computers in your network. Bruno
has full administrative rights to all client computers.
You upgrade the Windows 95 client computers from the distribution share on ServerA.
Three of the upgraded Windows 2000 Professional client computers (Client1, Client2, and
Client3) must run software that is incompatible with the service pack.
You need to ensure that the service pack is removed from Client1, Client2, and Client3.
What should you do?

A. Instruct Bruno to use the Windows 2000 Professional CD-ROM distribution media to reinstall the operating system of Client1, Client2, and Client3. Reinstall the required applications and security updates.
B. Instruct Bruno to reinstall the operating system of Client1, Client2, and Client3 by using the distribution share on ServerA. Reinstall the required applications and security updates.
C. Instruct Bruno to boot Client1, Client2, and Client3 from the Windows 2000 Professional CD-ROM and use the Repair Installation option.
D. Instruct Bruno to boot Client1, Client2, and Client3 from the Windows 2000 Professional CD-ROM and use the Recovery Console.

