Welcome to Certifiable, your exam prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams. Following the questions, you'll find the correct answers and explanatory text. We change the questions weekly.

Questions (October 19, 2001)
Answers (October 19, 2001)

This week's questions cover topics for Exam 70-216: Implementing and Administering a Windows 2000 Network Infrastructure.

Questions (October 19, 2001)

Question 1
You want to install a VPN server on one of your organization's Windows 2000 Server machines. The server has an Ethernet card connected to a cable modem, which is connected to the Internet through an ISP. Another Ethernet card is connected to your local intranet. You want to secure the VPN server so that it can't use its Internet interface to send or receive any traffic except PPTP or Layer 2 Tunneling Protocol (L2TP) over IPSecurity (IPSec) traffic from branch office routers or remote access clients. Which of the following steps should you take? (Choose the best answer.)

  1. Configure a remote access policy that authenticates only Internet traffic that conforms to specific IP ranges.
  2. Configure a remote access policy that lets only members of a specific group called "VPN Users" use the Internet interface.
  3. Configure PPTP and L2TP over IPSec input and output filters on the Internet interface.
  4. Configure PPTP and L2TP over IPSec input and output filters on the intranet interface.

Question 2

You want to set up a Certificate Authority (CA) on a Windows 2000 Server machine on your company network. You decide to create an Enterprise Root CA for one of your domains. When creating an Enterprise Root CA, which of the following limitations don't apply? (Choose all that don't apply.)

  1. All users requesting certificates must have an Active Directory (AD) account.
  2. BIND 8.1.2 must be installed.
  3. The person installing the Enterprise Root CA must have Enterprise Administrator privileges.
  4. Users outside the domain may not receive certificates from the CA.
  5. AD must be installed.
  6. Windows 2000 DNS must be installed.

Question 3
You are responsible for a RAS server in a Windows 2000 native mode domain. You have set the remote access permission for all user accounts to "Control access through remote-access policy." One of your users, Suresh, is a member of the Canadians group and the Tutors group. A remote-access policy, Policy1, grants remote-access permission to the Tutors group. However, another remote-access policy, Policy2, denies remote-access permission to the Canadians group.

Policy1 precedes Policy2, so the RAS server lets Suresh connect. Another user, Mike, is a member of the Canadians group only and therefore can't access the RAS server. Mike asks you to modify the configuration so that members of the Canadians group can dial in to the server. What should you do to satisfy Mike's request? (Choose the best answer.)

  1. Using RRAS, change the permission for Policy2 from "Deny remote-access permission" to "Grant remote-access permission."
  2. Using RRAS, drag the Canadians group from the "Denied Access" box to the "Allow Access" box.
  3. Using RRAS, right-click the Canadians group, select Properties, and check the "Allow Access" box.
  4. Using RRAS, right-click the Canadians group, select Properties, and clear the "Deny Access" box.

Answers (October 19, 2001)

Answer to Question 1
The correct answer is C—Configure PPTP and L2TP over IPSec input and output filters on the Internet interface. You can't use a remote access policy to perform this filtering, and configuring these filters on the intranet interface won't secure the Internet interface from other Internet traffic.

For more information, see "Windows 2000 Virtual Private Networking Scenario" at the Microsoft Web site.

Answer to Question 2
The correct answer is B—BIND 8.1.2 must be installed. An Enterprise Root CA is the root of a Win2K-based CA hierarchy. Therefore, all the limitations apply except for answer B. BIND is irrelevant to the creation of an Enterprise Root CA.

For more information, see "Step-by-Step Guide to Setting up a Certification Authority" at the Microsoft Web site.

Answer to Question 3
The correct answer is A—Using RRAS, change the permission for Policy2 from "Deny remote-access permission" to "Grant remote-access permission." To enable users from specific groups to log on, perform the following steps:

  1. Create a new policy.
  2. Add the Windows-Groups condition to the new policy, then add the groups that you want to have remote access.
  3. Select the "Grant remote-access permission" option for the new policy.