Welcome to Certifiable, your exam-prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams.

This week's questions cover topics for Exam 70-216: Implementing and Administering a Microsoft Windows 2000 Network Infrastructure.

Questions (August 9, 2002)

Question 1


You work as the systems administrator at the Flower Mound Organic Farm Collective and are in the process of upgrading the organization's network from Windows NT 4.0 to Windows 2000. You don't have the funds to upgrade your DNS server from NT 4.0 to Win2K, and you're wondering whether you can use the NT 4.0 DNS server to support Active Directory (AD). Which of the following steps should you take to configure the NT 4.0 DNS server to support AD? (Choose all that apply.)

  A. Configure the DNS server to support dynamic updates.
  B. Upgrade the server to Service Pack 4 (SP4) or a more recent service pack.
  C. Make sure that the NT 4.0 DNS server is authorized in AD.
  D. Make sure that the primary DNS server authoritative for the Netlogon service names can support SRV records.
  E. NT 4.0 DNS servers can't support AD; you must install a Win2K DNS server.

Question 2


You want to use your corporate intranet to set up an IP Security (IPSec) connection for two computers located on different sides of the city. Each computer is connected to a local Cisco Systems 2501 router, which is connected to your ISP's router. Traffic travels across three routers on the ISP's network, then to the corresponding router on the other side, and finally to the other PC. These routers are all part of the intranet, although one routes traffic out to the Internet as well.

You've outsourced most of your WAN infrastructure, so you're only responsible for the LAN up to the 2501 routers. Which of the following do you need to do to set up an IPSec connection between these two locations?

  A. Set up IPSec on each end-node computer, then have your ISP configure the routers to let TCP traffic pass through on port 108.
  B. Configure the end-node computers with IPSec; you don't need to configure the routers to pass this encrypted traffic across your WAN.
  C. Set up IPSec on each end-node computer, then have your ISP configure the routers to let traffic pass through on port 31337.
  D. Set up IPSec on each end-node computer, then have your ISP configure the routers to let traffic pass through on port 1138.

Question 3


Enrious and his manager, Petal, are discussing the administration of the RAS servers at the Flower Mound Organic Farm Collective.

Petal: "I want you to set up the remote access policy so that the system locks users out if they enter the wrong password several times when they're dialing into our server."

Enrious: "How about if we lock users out for 48 hours if they enter the wrong password five consecutive times when using a dial-up connection?"

Petal: "That sounds good. Now, can you explain to me how you set up the RAS server?"

Enrious: "I've configured the server with default settings. I created a new group called flowerrasusers, and it contains users who require the ability to access our network over a dial-up connection."

Petal: "I'm still concerned that people who aren't members of this group are somehow gaining dial-up access. Also, can you limit access to non-business hours?"

Enrious: "Yes, that should be possible."

After the meeting, Petal hands Enrious the following goals for the RAS servers:

Primary Goal:

  • Deny users access for 48 hours if they enter the incorrect password five times.

Secondary Goals:

  • Limit access to RAS to members of the flowerrasusers group.
  • Restrict RAS access to between 5:00 P.M. and 8:00 A.M. for normal users.
  • Give Administrators unlimited access to the RAS server at all times.

Which of the following achieves the primary goal but doesn't achieve any of the secondary goals?

  A. Run regedit, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout subkey, and change the entry for MaxDenials from 0 to 5.
  B. Run the RRAS utility, expand the current server, right-click the Remote Access Policies node, then select "New Remote Access Policy." Select Add, select Windows-Groups, select flowerrasusers, then select Close. Right-click flowerrasusers, select "login between 5:00 P.M. and 8:00 A.M.," then select Close. Next, select Add, select Windows-Groups, select Administrators, then select Close. Right-click Administrators, select "no logon restriction," and give the policy the name "flower-lockout." Select Next, select Add, and select "Lockout after 5 attempts," then set the "reset lockout after" box to 48 hours. Click Close.
  C. Run the RRAS utility, expand the current server, right-click the Remote Access Policies node, then select "New Remote Access Policy." Give the policy the name "flower-lockout." Select Next, then select Add. Select "Lockout after 5 attempts," then set the "reset lockout after" box to 48 hours. Click Close. Select Add, select Windows-Groups, then select flowerrasusers. Select Close. Right-click flowerrasusers, select "login between 5:00 P.M. and 8:00 A.M.," then select Close. Select Add, select Windows-Groups, select Administrators, then select Close. Right-click Administrators, select "no logon restriction." Select Close.
  D. Run the RRAS utility, expand the current server, right-click the Remote Access Policies node, then select "New Remote Access Policy." Give the policy the name "flower-lockout," then select Next, select Add, select Windows-Groups, select Administrators, then select Close. Right-click Administrators and select "no logon restriction." Select Add, select "Lockout after 5 attempts," and set the "reset lockout after" box to 48 hours. Select Add, select Windows-Groups, select flowerrasusers, and click Close.

Answers (August 9, 2002)

Answer to Question 1


The correct answers are B—Upgrade the server to Service Pack 4 (SP4) or a more recent service pack; and D—Make sure that the primary DNS server authoritative for the Netlogon service names can support SRV records. An NT 4.0 DNS server can support AD as long as it runs SP4 or later, which is the service pack that introduced SRV record support, and as long as it is the primary server authoritative for the zone that holds the Netlogon service names. Dynamic update isn't required for AD (Microsoft recommends it, but NT 4.0 DNS doesn't offer it), so the domain controller's SRV records must be added to the zone by hand; a Win2K DC writes the records it needs to %systemroot%\system32\config\netlogon.dns for exactly this purpose. Authorization in AD applies to DHCP servers and Remote Installation Services (RIS) servers, not to DNS servers, so an NT 4.0 DNS server can't be (and doesn't need to be) authorized in AD.
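Once the records are in the zone, the check worth running is whether the DNS server actually answers for them. The following PowerShell script is an added example, not part of the original column: it queries a named DNS server for the standard Netlogon SRV names of a domain and reports which are missing. The domain name farm.example and the server address 192.0.2.53 are placeholders; Resolve-DnsName requires the DnsClient module (Windows 8/Server 2012 or later), so run it from a current admin workstation against the old server.

```powershell
# Added example: confirm a DNS server is authoritative for an AD domain and returns
# the Netlogon SRV records a Win2K DC needs. Domain and server below are placeholders.
function Test-NetlogonSrvRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,     # AD DNS domain name, e.g. farm.example
        [Parameter(Mandatory)] [string] $DnsServer   # address of the DNS server under test
    )

    # Authoritative check: the SOA should come back and name this server as primary.
    try {
        $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $DnsServer -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
        Write-Host "SOA for $Domain : primary=$($soa.PrimaryServer) serial=$($soa.SerialNumber)"
    } catch {
        Write-Warning "No SOA for $Domain from $DnsServer : the server isn't authoritative for the zone"
    }

    # The SRV names a Win2K DC registers (with NT 4.0 DNS, the ones you add by hand
    # from %systemroot%\system32\config\netlogon.dns).
    $names = @(
        "_ldap._tcp.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_kerberos._tcp.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_kpasswd._tcp.$Domain",
        "_gc._tcp.$Domain"
    )

    foreach ($name in $names) {
        try {
            $answers = @(Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' })
        } catch {
            $answers = @()   # NXDOMAIN or no answer: record is missing from the zone
        }
        [pscustomobject]@{
            Name    = $name
            Present = ($answers.Count -gt 0)
            Targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

# Placeholder domain and server; any row with Present = False is a record still to add.
Test-NetlogonSrvRecords -Domain 'farm.example' -DnsServer '192.0.2.53' | Format-Table -AutoSize
```

The -DnsOnly switch keeps the client from falling back to LLMNR or NetBIOS, so a False in the Present column really means the server under test didn't return the record.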

Answer to Question 2


The correct answer is B—Configure the end-node computers with IPSec; you don't need to configure the routers to pass this encrypted traffic across your WAN. You activate IPSec on the two end-node computers only. They negotiate security associations with each other, one end encrypts the IP traffic and the other decrypts it, and the routers in between simply forward the packets as ordinary IP; routers and switches don't need to be IPSec-aware. One caveat a practitioner should keep in mind: none of the port numbers in the other answers has anything to do with IPSec. IKE negotiation uses UDP port 500, and the protected traffic travels as IP protocol 50 (ESP) or 51 (AH), not TCP, so a packet filter or NAT device on the path would have to permit those, and AH in particular doesn't survive NAT.

Answer to Question 3


The correct answer is A—Run regedit, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout subkey, and change the entry for MaxDenials from 0 to 5. MaxDenials is 0 by default, which disables remote access account lockout; setting it to 5 locks the account after five consecutive failed dial-up authentications. The lockout period comes from the ResetTime value in the same subkey, a REG_DWORD holding a number of minutes. Its default is b40 in hexadecimal, which is 2880 in decimal, or 48 hours once you divide by 60. If that doesn't make any sense to you, translate the value back to decimal and divide by 60. To change the period to 24 hours, multiply 24 by 60 (1440) and enter the result, which regedit shows as 5a0 in hexadecimal. Two points worth knowing beyond the exam: this lockout is independent of the domain account-lockout policy and counts only remote access authentication failures, with the per-user state recorded under the AccountLockout subkey as an entry named domain name:user name (delete that entry to unlock the user before ResetTime expires); and because anyone who knows a user name can trigger the lockout by dialing in with wrong passwords, enabling it also hands an attacker a way to deny that user dial-up access.
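The same registry change, the minutes-to-hex conversion, and the unlock step are easier to get right from a script than from regedit. The PowerShell below is an added example and not part of the original column; it sets MaxDenials and ResetTime to the quiz's values, reads them back in decimal and hex, lists per-user lockout entries, and removes one on request. It must run elevated on the RAS server itself. The account name FLOWERMOUND:enrious at the bottom is a placeholder, and since Microsoft's documentation describes the per-user entry as a subkey while some administrators find it as a value, the listing and unlock functions check both forms.

```powershell
# Added example: manage Windows remote access account lockout through the registry
# entries named in the answer. Values (5 attempts, 48 hours) are the quiz's; the
# account name at the bottom is a placeholder.
$lockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Set-RasAccountLockout {
    param(
        [Parameter(Mandatory)] [int] $MaxDenials,   # 0 disables lockout; 5 for the quiz
        [Parameter(Mandatory)] [int] $ResetHours    # ResetTime is stored in minutes
    )
    if (-not (Test-Path -LiteralPath $lockoutKey)) {
        New-Item -Path $lockoutKey -Force | Out-Null
    }
    $minutes = $ResetHours * 60
    Set-ItemProperty -LiteralPath $lockoutKey -Name MaxDenials -Value $MaxDenials -Type DWord
    Set-ItemProperty -LiteralPath $lockoutKey -Name ResetTime  -Value $minutes    -Type DWord

    # Read back and show the hex form regedit displays (48 h -> 2880 min -> 0xb40)
    $p = Get-ItemProperty -LiteralPath $lockoutKey
    [pscustomobject]@{
        MaxDenials   = $p.MaxDenials
        ResetMinutes = $p.ResetTime
        ResetHex     = '0x{0:x}' -f $p.ResetTime
        ResetHours   = $p.ResetTime / 60
    }
}

function Get-RasLockedOutAccounts {
    # Per-user failed-attempt state lives under the key as "domain:user"; check both
    # subkeys (as the KB describes) and values, and skip the two configuration values.
    $entries  = @(Get-ChildItem -LiteralPath $lockoutKey -ErrorAction SilentlyContinue |
                  ForEach-Object { $_.PSChildName })
    $entries += @((Get-Item -LiteralPath $lockoutKey).Property |
                  Where-Object { $_ -notin @('MaxDenials', 'ResetTime') })
    $entries | Where-Object { $_ -match '^[^:]+:[^:]+$' } | Sort-Object -Unique
}

function Unlock-RasAccount {
    param([Parameter(Mandatory)] [string] $DomainUser)   # form DOMAIN:username
    $sub = "$lockoutKey\$DomainUser"
    if (Test-Path -LiteralPath $sub) {
        Remove-Item -LiteralPath $sub -Recurse
    } elseif ((Get-Item -LiteralPath $lockoutKey).Property -contains $DomainUser) {
        Remove-ItemProperty -LiteralPath $lockoutKey -Name $DomainUser
    } else {
        Write-Warning "No lockout entry found for $DomainUser"
    }
}

# Primary goal from the quiz: lock after 5 failures, reset after 48 hours.
Set-RasAccountLockout -MaxDenials 5 -ResetHours 48
Get-RasLockedOutAccounts
# Unlock-RasAccount -DomainUser 'FLOWERMOUND:enrious'   # placeholder account name
```

Setting MaxDenials back to 0 through the same function turns the feature off again; the Remote Access service picks up the change without a restart, but existing lockout entries stay until their ResetTime expires or you remove them.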