Question 1.
You work as a network administrator for ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. There are currently 120 Web servers running Windows 2000 Server and are contained in an Organizational Unit (OU) named ABC_WebServers ABC.com management took a decision to uABCrade all Web servers to Windows Server 2003. You disable all services on the Web servers that are not required. After running the IIS Lockdown Wizard on a recently deployed web server, you discover that services such as NNTP that are not required are still enabled on the Web server. 

How can you ensure that the services that are not required are forever disabled on the Web servers without affecting the other servers on the network? Choose two.

A. Set up a GPO that will change the startup type for the services to Automatic.
B. By linking the GPO to the ABC_WebServers OU.
C. Set up a GPO with the Hisecws.inf security template imported into the GPO.
D. By linking the GPO to the domain.
E. Set up a GPO in order to set the startup type of the redundant services to Disabled.
F. By linking the GPO to the Domain Controllers OU.
G. Set up a GPO in order to apply a startup script to stop the redundant services.

Answer: B, E

Explanation: 
Windows Server 2003 installs a great many services with the operating system, and configures a number of with the Automatic startup type, so that these services load automatically when the system starts. Many of these services are not needed in a typical member server configuration, and it is a good idea to disable the ones that the computer does not need. Services are programs that run continuously in the background, waiting for another application to call on them. Instead of controlling the services manually, using the Services console, you can configure service parameters as part of a GPO. Applying the GPO to a container object causes the services on all the computers in that container to be reconfigured. To configure service parameters in the Group Policy Object Editor console, you browse to the Computer Configuration\Windows Settings\Security Settings\System Services container and select the policies corresponding to the services you want to control.

Reference:
Jill Spealman, Kurt Hudson & Melissa Craft, MCSE Self-Paced Training Kit (Exam 70-294); Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Microsoft Press, Redmond, Washington, 2004, p. 13:1-6

Question 2.
You are working as the administrator at ABC.com. ABC.com has headquarters in London and branch offices in Berlin, Minsk, and Athens. The Berlin, Minsk and Athens branch offices each have a Windows Server 2003 domain controller named ABC-DC01, ABC-DC02 and ABC-DC03 respectively. All client computers on the ABC.com network run Windows XP Professional. One morning users at the Minsk branch office complain that they are experiencing intermittent problems authenticating to the domain. You believe that a specific client computer is the cause of this issue and so need to discover the IP address client computer.

How would you capture authentication event details on ABC-DC02 in the Minsk branch office?

A. By monitoring the logon events using the SysMon utility.
B. By recording the connections to the NETLOGON share using the SysMon utility.
C. By recording the authentication events with the NetMon utility.
D. By monitoring the authentication events using the Performance and Reliability Monitor.

Answer: C

Explanation: 
The question states that you need to find out the IP address of the client computer that is the source of the problem. Using Network Monitor to capture traffic is the only way to do this.

Reference:
http://support.microsoft.com/default.aspx?scid=kb;en-us;175062
Martin Grasdal, Laura E. Hunter, Michael Cross, Laura Hunter, Debra Littlejohn Shinder, and Dr.
Thomas W. Shinder, Planning and Maintaining a Windows Server 2003 Network Infrastructure:
Exam 70-293 Study Guide & DVD Training System, Syngress Publishing, Inc., Rockland, MA,
Chapter 11, p. 826

Question 3.
You are working as the administrator at ABC.com. Part of you job description includes the deployment of applications on the ABC.com network. To this end you operate by testing new application deployment in a test environment prior to deployment on the production network. The new application that should be tested requires 2 processors and 3 GB of RAM to run successfully. Further requirements of this application also include shared folders and installation of software on client computers. You install the application on a Windows Server 2003 Web Edition computer and install the application on 30 test client computers. During routine monitoring you discover that only a small amount of client computers are able to connect and run the application. You decide to turn off the computers that are able to make a connection and discover that the computers that failed to open the application can now run the application.

How would you ensure that all client computers can connect to the server and run the application?

A. By running a second instance of the application on the server.
B. By increasing the Request Queue Limit on the Default Application Pool.
C. By modifying the test server operating system to Window Server 2003 Standard Edition.
D. By increasing the amount of RAM in the server to 4GB.

Answer: C

Explanation: 
Although Windows Server 2003 Web Edition supports up to 2GB of RAM, it reserves 1GB of it for the operating system; only 1GB of RAM is available for the application. Therefore, we need to install Window Server 2003 Standard Edition or Enterprise Edition to support enough RAM.

Question 4.
You are an Enterprise administrator for ABC.com. All servers on the corporate network run Windows Server 2003 and all client computers run Windows XP. The network contains a server named ABC-SR01 that has Routing and Remote Access service and a modem installed which connects to an external phone line. A partner company uses a dial-up connection to connect to ABC-SR01 to upload product and inventory information. This connection happens between the hours of 1:00am and 2:00am every morning and uses a domain user account to log on to ABC-SR01. You have been asked by the security officer to secure the connection.

How can you ensure that the dial-up connection is initiated only from the partner company and that access is restricted to just ABC-SR01? Choose three.

A. Set up the log on hours restriction for the domain user account to restrict the log on to between 
    the hours of 1:00am and 2:00am.
B. Set up a local user account on ABC-SR01. Have the dial-up connection configured to log on  
    with this account.
C. Set up the remote access policy on ABC-SR01 to allow the connection for the specified user 
    account between the hours of 1:00am and 2:00am.
D. Set up the remote access policy with the Verify Caller ID option to only allow calling from the 
    phone number of the partner company modem.
E. Set up the remote access policy to allow access to the domain user account only.

Answer: B, C, D

Explanation: 
To allow only the minimum amount of access to the network, ensure that only the partner's application can connect to your network over the dial-up connection, you need to first create a local account named on ABC-SR01. You need to then add this account to the local Users group and direct the partner company to use this account for remote access. You can use a local account to provide remote access to users. The user account for a standalone server or server running Active Directory contains a set of dial-in properties that are used when allowing or denying a connection attempt made by a user. You can use the Remote Access Permission (Dial-in or VPN) property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. Next, you need to configure a remote access policy on ABC-SR01 to allow the connection for only the specified user account between 1 AM and 2 AM. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt. You need to then configure the policy to allow only the specific calling station identifier of the partner company's computer. When the Verify Caller ID property is enabled, the server verifies the caller's phone number. If the caller's phone number does not match the configured phone number, the connection attempt is denied.

Reference: 
Dial-in properties of a user account http://technet.microsoft.com/en-us/library/cc738142.aspx

Question 5.
You are an Enterprise administrator for ABC.com. The company consists of an Active Directory domain called ad.ABC.com. All servers on the corporate network run Windows Server 2003. At present there is no provision was made for Internet connectivity. A server named ABC2 has the DNS server service role installed. The DNS zones on ABC2 are shown below:
 

The corporate network also contains a UNIX-based DNS A server named ABC-SR25 hosts a separate DNS zone on a separate network called ABC.com. ABC-SR25 provides DNS services to the UNIX-based computers and is configured to run the latest version of BIND and the ABC.com contains publicly accessible Web and mail servers.
 
The company has a security policy set, according to which, the resources located on the internal network and the internal network's DNS namespace should never be exposed to the Internet. Besides this, according to the current network design, ABC-SR25 must attempt to resolve any name resolution requests before sending them to name servers on the Internet. The company plans to allow users of the internal network to access Internet-based resources. To implement the security policy of the company, you decided to send all name resolution requests for Internet-based resources from internal network computers through ABC2. You thus need to devise a name resolution strategy for Internet access as well as configuring ABC2 so that it will comply with the set criteria and restrictions.

Which two of the following options should you perform?

A. Have the Cache.dns file copied from ABC2 to ABC-SR25.
B. Have the root zone removed from ABC2.
C. ABC2 should be set up to forward requests to ABC-SR25.
D. Install Services for Unix on ABC2.
E. The root zone should be configured on ABC-SR25.
F. Disable recursion on ABC-SR25.

Answer: B, C

Explanation: 
To plan a name resolution strategy for Internet access and configure ABC2 so that it sends all name resolution requests for Internet-based resources from internal network computers through ABC2, you need to delete the root zone from ABC2. Configure ABC2 to forward requests to ABC-SR25 A DNS server running Windows Server 2003 follows specific steps in its name-resolution process. A DNS server first queries its cache, it checks its zone records, it sends requests to forwarders, and then it tries resolution by using root servers. The root zone indicates to your DNS server that it is a root Internet server. Therefore, your DNS server does not use forwarders or root hints in the name-resolution process. Deleting the root zone from ABC2 will allow you to first send requests to ABC2 and then forward requests to ABCSR25 by configuring forward lookup zone. If the root zone is configured, you will not be able to use the DNS server to resolve queries for hosts in zones for which the server is not authoritative and will not be able to use this DNS Server to resolve queries on the Internet. 

Reference: 

	Web www.certsbraindumps.com