MCSE Exam 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure (Part 10)

Self Test Questions, Answers, and Explanations • Appendix A 963
☑ C. The problem your boss is describing is cache pollution. Although you can enable protection against cache pollution to mitigate this risk, you should try to stop the potential risk at the firewall, if possible. By configuring the firewall to not allow any inbound traffic that uses the DNS ports from reaching DNS-B, you are preventing any potentially malicious traffic in the form of bogus DNS queries from reaching DNS-B in the first place. You can’t use the same restriction for DNS-A, because it provides name resolution for Internet hosts that wish to connect to your Web and mail servers. However, if recursion is disabled on DNS-A, it will still answer queries for zones that it is authoritative for, but it will send a negative response to recursive queries. Disabling recursion also has the added benefit of providing a degree of protection against DoS attacks.
☒ A, B, D. Answer A is workable and provides additional security. However, the boss wants the highest level of protection against multiple common attacks on DNS servers, so this choice is not as good as Answer C. Answers B and D are wrong because they compromise the ability of DNS-A to resolve the names of your Web and mail servers.
3. You are the administrator of a Windows network that consists of a mixture of Windows NT 4, Windows 2000, and Windows Server 2003 servers, providing a mix of file, print, messaging, and other services critical to your network. You are currently running WINS, DNS, and DHCP services on your network. You have already enabled dynamic DNS on your forward and reverse lookup zones, but you want to ensure that all of your client computers can find the name-to-address mapping of all your servers using DNS. You want to minimize the administrative effort for this project. What action should you take? (Select the best answer.)
A. Place the DHCP servers in the DnsUpdateProxy group.
B. Enable DHCP to update forward and reverse lookup zones on behalf of all DHCP clients.
C. Manually enter the records for servers that have static addresses.
D. Create a WINS resource record in the forward and reverse lookup zones.
☑ D. Windows NT 4 operating systems are not able to update static addresses in a dynamic zone. You must either manually enter resource records for these servers or configure the DNS to query the WINS server when it cannot resolve a name mapping. Since the latter involves the least administrative effort, Answer D is the correct choice.
☒ A, B, C. Answer A is incorrect because it will not have an effect on whether resource records for clients are created in the DNS zones. Answer B is incorrect because it is unlikely a server is going to be configured as a DHCP client. Answer C would work, but it involves more administrative effort than the correct response and has a greater risk of introducing error.
www.syngress.com
255_70-293_Appx.qxd 9/10/03 6:17 PM Page 963
4. You are using ISA Server 2000 as a firewall and Web proxy server to protect your internal AD network and provide Web proxy and caching services for HTTP requests. You currently are using three DNS servers to support the DNS queries. DNS-A is used for your internal AD root. DNS-B is used to provide name resolution for Internet clients that want to connect to your public Web and mail servers. DNS-C is used to provide Internet name resolution. How should you configure the DNS and ISA Server access rules to provide the maximum security and functionality for your DNS infrastructure?
A. On DNS-A, remove the root hints file and enable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.
B. On DNS-A, remove the root hints file and disable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.
C. On DNS-A, remove the root hints file and enable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, remove the root hints file and disable recursion. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, enable recursion and update the root hints file. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 with a source port of ANY.
D. On DNS-A, remove the root hints file and disable recursion. Configure ISA Server to allow no traffic to or from this server. On DNS-B, update the root hints file and enable recursion. Configure ISA Server to allow inbound traffic on TCP and UDP port 53 to the DNS server with a source port of ANY. On DNS-C, disable recursion and update the root hints file. Configure ISA Server to allow outbound traffic on TCP and UDP port 53 with a source port of ANY.
☑ A. DNS-A is used for internal DNS resolution. You do not want it to perform recursion to the Internet or be accessible through the firewall. You need to remove the root hints file and prevent ISA Server from forwarding Internet traffic to it. However, it should still be able to perform recursion on your internal network. DNS-B is used to provide authoritative responses to requests from Internet clients who wish to connect to Web and mail servers, but it should not be able to perform recursion. You should disable recursion and remove the root hints file on this server. ISA Server needs to be configured to allow inbound traffic to this server on TCP and UDP port 53 with a source port of ANY. DNS-C is used by ISA Server itself to provide name resolution for Web proxy requests. It needs to be able to perform recursion. ISA Server should be configured to allow it to communicate with external DNS servers using TCP and UDP port 53 with a source port of ANY.
☒ B, C, D. The remaining responses are incorrect because they do not meet the requirements, as explained above.
5. You are the administrator of a Windows Server 2003 network. Your company has recently merged with another company and you have set up trusts between the AD forests and have set up conditional forwarding on your DNS servers to resolve names in the AD forest of the newly merged company. You would like your users to be able to resolve names in the newly merged company with the least possible effort and typing on their part. You would like to implement a solution with the least possible effort on your part. What should you do?
A. Using ADSI, create an msDS-AllowedDNSSuffixes attribute in the domain object container and include the domain suffix of the newly merged AD forest in the list of allowable suffixes.
B. Create a group policy that configures the DNS clients with a custom DNS suffix search list.
C. Configure the DHCP server option 81 to supply the name of the domain suffix of the newly merged AD forest to DHCP clients.
D. Configure a stub zone for a root domain of the newly merged company on your DNS servers.
☑ B. To enable DNS clients to resolve unqualified names (single computer names that require the least typing on the part of the client) in a disjointed namespace, you must create a custom DNS suffix search list. You can manually configure this on the DNS clients. However, Group Policy is the most efficient means of implementing this configuration on the client computers.
☒ A, C, D. Answer A would allow the primary computer name to be different from the AD domain name the computer is a member of and is not a relevant solution. Answer C is incorrect because DHCP option 81 allows you to specify only one domain name, which should be the domain name used for your own AD domain. Answer D is incorrect because a stub zone would only accomplish what your conditional forwarding is already doing.
6. You are a DNS administrator of a large, distributed Windows Server 2003 network. The AD domain tree consists of a number of child domains that reflect the geographic locations of the different offices of the company. You are responsible for the DNS root domain of the AD forest and the child domain of the office where you work. All administrative responsibility for the remaining child domains is performed by locally based administrators in their respective offices. The capacity of the WAN links connecting the various offices is showing signs of being insufficient. You want to ensure that DNS resolution for the child domains outside your administrative control will work company-wide in a fault-tolerant manner without adding additional strain to available resources. What should you do? (Select the best answer.)
A. On the root DNS servers, configure conditional forwarding for the child domains.
B. On the DNS servers in the child domain under your control, configure secondary zones for the other child domains.
C. On the root DNS servers, configure stub zones for the child domains.
D. On the DNS servers in the child domain under your control, configure secondary zones for the other child domains.
☑ C. When you configure stub zones on the DNS servers responsible for the root, the SOA, NS, and A records that indicate the authoritative servers for the child domains are automatically updated whenever a local administrator makes changes to these records in the primary zone. These DNS servers for these subdomains are not under your control, so, if you were to configure conditional forwarding on the root DNS servers, the local administrators would need to inform you so that you could manually make the required configuration changes. Stub zones provide the most fault-tolerant solution. Configuring secondary zones on the root DNS servers would also allow fault-tolerant name resolution, but would increase replication traffic across the WAN.
☒ A, B, D. Answers B and D are incorrect because the solution must ensure DNS resolution for the entire company. If you were to implement these solutions in your child domain, the scope of the solution would be limited to your domain and not the other child domains. Of course, you and the other administrators may want to implement such solutions to minimize the amount of DNS referral traffic that would occur if DNS servers had to walk the tree to perform iterative queries in an attempt to resolve names in the various child domains.
7. You are the enterprise administrator of a Windows network that comprises a number of Windows 2000 and Windows 2003 domain controllers. You want to use Active Directory-integrated zones for your zone data to enhance security and optimize replication of zone data. What should you choose as the replication scope? (Select the best answer.)
A. To all DNS servers in the forest
B. To all domain controllers in the AD domain
C. To all DNS servers in the AD domain
D. To all domain controllers specified in the scope of an application partition
☑ B. Because you still have Windows 2000 domain controllers in your environment, your only choice is to store the zone data in the domain partition.
☒ A, C, D. These answers are incorrect because they require the presence of an application directory partition, which is not available on Windows 2000 domain controllers.
Planning for NetBIOS Name Resolution
8. You are an administrator of a Windows Server 2003 network. You want to automate the backups of the WINS database. You want this backup to occur at least once every 24 hours. What should you do? (Select the best answer.)
A. Configure the Windows Backup utility to back up the contents of the %systemroot%\System32\Wins folder once every 24 hours.
B. Using the AT command scheduler, create a batch file that temporarily stops the WINS service, copies the WINS database to another location, and then restarts the service.
C. Use a third-party backup solution that is capable of backing up open files and configure it to back up the contents of the %systemroot%\System32\Wins folder once every 24 hours.
D. In the WINS server console, configure a path to store backups of the database and initiate a manual backup.
☑ D. The WINS service includes the ability to back up the WINS database automatically once every 24 hours and on the WINS service shutdown, or to back it up manually. To configure WINS to perform automatic backups of the database, you must specify a path for the backup and perform at least one manual backup of the database. You can subsequently use Windows Backup or a third-party backup solution to back up the contents of the WINS backup folder without needing to be concerned about the consequences of backing up an open file.
☒ A, B, C. The remaining answers are partially viable to varying degrees, but do not represent the best solution.
9. You are the administrator of a Windows Server 2003 network. You are responsible for a number of WINS servers that are set up as push/pull replication partners to each other. You have a number of static mappings in your WINS database and want to remove one of these mappings from the WINS database. You want to ensure that the record is deleted on all servers with the least administrative effort. How should you delete the WINS static mapping? (Select the best answer.)
A. On the owner server of the mapping, find the record and perform a simple deletion.
B. On the owner server of the mapping, find the record and perform a tombstone deletion.
C. On all of the WINS servers, find the record and perform a simple deletion.
D. On all of the WINS servers, find the record and perform a tombstone deletion.
☑ B. When you perform a tombstone deletion, the record is marked with an attribute that is replicated with the record to other WINS servers. The attribute instructs other WINS servers to remove the record through the scavenging process.
☒ A, C, D. Answer A is incorrect because the record will still remain on the replication partners and will eventually be replicated back to the owner WINS server. Answers C and D are incorrect because they require unnecessary administrative effort to accomplish something that can be performed in one simple operation.
10. You are the administrator of a Windows Server 2003 network. You have five WINS servers and need to reconfigure the replication topology as a result of some recent upgrades to your WAN links. All of your WAN links connecting the head office and your four branch offices now have ample bandwidth to handle additional traffic. You want to ensure the shortest convergence time of replicated records, while at the same time keeping the number of replication partnership agreements to an absolute minimum. What replication topology should you choose? (Select the best answer.)
A. Ring topology
B. Mesh topology
C. Hub-and-spoke topology
D. Hybrid of ring and hub-and-spoke topology
☑ C. A hub-and-spoke topology ensures the shortest convergence time with the fewest replication partnerships to manage. The longest path from one server to any other is two hops. The number of partnership agreements is eight. (You need to define a push/pull partnership agreement on each side of the replication path between the hub server and the spoke servers.)
☒ A, B, D. Answer A is incorrect because it would require 10 push/pull partnership agreements to establish and would result in replication paths that were three hops in distance. Answer B is incorrect because it is an overly complex replication topology and would require 20 replication partnership agreements to manage. Answer D is an overly complex topology for the number of WINS servers and not required by the design.
Troubleshooting Name Resolution Issues
11. You are an administrator of a Windows Server 2003 network. Your company, Syngress Industries, manages its own DNS for its public Web and mail servers. The primary DNS server for the syngress.com domain is located in a DMZ protected by ISA Server. Your ISP is hosting secondary servers for the syngress.com domain on its BIND 9 servers. While going through your performance logs, you notice a brief but sudden increase in the number of AXFR requests received and AXFR success sent events. Previously, these counters had values of zero in your logs. You suspect your ISP has changed the configuration of its BIND servers, but the ISP denies it and insists that the secondary zones are behaving optimally. You are concerned by these values and decide to investigate the issue and correct it, if necessary. What is the likely cause of the problem and what should you do? (Select the best answer.)
A. A rogue DNS server is attempting to pollute the cache on your DNS server by sending bogus queries over TCP, rather than UDP. You should turn on debug logging to determine the source IP address and block all traffic from this address on ISA Server. You should also enable protection against cache pollution and inform the ISP.
B. A malicious user is issuing an nslookup –ls or equivalent command against your DNS server. You should configure the DNS server to allow zone transfers only to the IP addresses of the secondary servers at the ISP. You should also block all external requests destined for the primary DNS server on TCP port 53 with a source port of ANY, except for the external addresses of the secondary servers. You should inform the ISP managers and ask them to confirm an equivalent level of security on their servers.
C. A malicious user is attempting to launch a DoS attack on your DNS. You should disable recursion on the DNS server. You should also turn on debug logging to determine the source IP address of the attack and block the IP address at ISA Server. You should inform the ISP to be on the lookout for similar attacks against its DNS servers.
D. A malicious user is issuing an nslookup –ds or equivalent command against your DNS server to get detailed information. You should turn on debug logging to determine the source IP address. Once you determine the IP address, you should block it from all communication with your DNS servers at ISA Server. You should inform the ISP managers and ask them to confirm an equivalent level of security on their servers.
☑ B. AXFR is the DNS protocol used for full zone transfers. Counters in your performance logs indicate requests to do a full zone transfer have been received by and successfully responded to by your DNS server. That means that someone has issued an nslookup –ls or equivalent command against your DNS server. By default, BIND 9 servers will attempt to use IXFR to perform incremental zone transfers, unless this option is explicitly disabled. Since you experienced only a brief event, it is likely the user got what he or she wanted. You should, however, protect your server against future occurrences of zone transfers to unauthorized IP addresses, which is also known as footprinting or name dumping. TCP port 53 is used for zone transfers, and blocking this port should not affect the DNS server’s ability to respond to name queries, which should be taking place on UDP port 53.
☒ A, C, D. Answer A is incorrect because an attempt to pollute the cache would normally occur as a result of a rogue DNS server replying with information that is superfluous to a query issued against it by the DNS. Answer C is incorrect because a DoS attack is most effective if it ties up a DNS server with recursive query requests. It is no doubt possible to tie up a DNS server with excessive zone transfer requests, but you would expect this activity to be sustained over a period of time. Answer D is incorrect because the nslookup –ds command requests detailed information on a particular record and is used for debugging. It does not display the contents of the entire zone the way an nslookup –ls command would. (Note that the –ls switch is available only in NSLookup interactive mode; the nslookup –ds switch is available only in NSLookup noninteractive mode.)
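As an added example (not from the book), the check behind Answer B can be run over captured DNS queries: decode each query's question section and report zone transfer requests (AXFR or IXFR) whose source is not an authorized secondary. The packets, the example.com zone, and the addresses (documentation ranges) are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import struct

QTYPE_NAMES = {1: "A", 15: "MX", 251: "IXFR", 252: "AXFR"}
TRANSFER_QTYPES = {251, 252}  # incremental and full zone transfer


def build_query(qname, qtype, msg_id=0x1234):
    """Build a minimal DNS query; used only to construct the sample input."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def tcp_frame(message):
    """DNS over TCP prefixes each message with a 2-byte length field."""
    return struct.pack("!H", len(message)) + message


def strip_tcp_length(stream):
    """Return the first DNS message from a TCP payload, or raise ValueError."""
    if len(stream) < 2:
        raise ValueError("truncated TCP length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) - 2 < length:
        raise ValueError("truncated TCP DNS message")
    return stream[2:2 + length]


def parse_question(message):
    """Return (qname, qtype) from the first question of a DNS query."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!HH", message[2:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    offset, labels = 12, []
    while True:
        if offset >= len(message):
            raise ValueError("truncated QNAME")
        length = message[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        if offset + length > len(message):
            raise ValueError("label runs past end of message")
        labels.append(message[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if offset + 4 > len(message):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", message[offset:offset + 4])
    return ".".join(labels) + ".", qtype


def find_unauthorized_transfers(events, allowed_secondaries):
    """Return (source, transfer type, zone) for transfers from unlisted hosts."""
    allowed = [ipaddress.ip_network(net) for net in allowed_secondaries]
    findings = []
    for src, transport, payload in events:
        try:
            message = strip_tcp_length(payload) if transport == "tcp" else payload
            qname, qtype = parse_question(message)
        except ValueError:
            continue  # malformed capture: nothing to classify
        if qtype not in TRANSFER_QTYPES:
            continue  # ordinary name query
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            findings.append((src, QTYPE_NAMES[qtype], qname))
    return findings


# Constructed sample capture: (source IP, transport, raw payload).
ALLOWED_SECONDARIES = ["192.0.2.53/32"]  # assumed address of the ISP secondary
SAMPLE_EVENTS = [
    ("192.0.2.53", "tcp", tcp_frame(build_query("example.com", 252))),
    ("198.51.100.77", "tcp", tcp_frame(build_query("example.com", 252))),
    ("198.51.100.77", "udp", build_query("www.example.com", 1)),
    # A real IXFR query also carries an SOA record in the authority section.
    ("203.0.113.9", "tcp", tcp_frame(build_query("example.com", 251))),
    ("203.0.113.9", "tcp", b"\x00"),  # truncated payload, skipped
]

if __name__ == "__main__":
    for finding in find_unauthorized_transfers(SAMPLE_EVENTS, ALLOWED_SECONDARIES):
        print("unauthorized zone transfer request:", finding)
```

The same allowlist belongs in the DNS server's zone transfer settings and in the firewall rule for TCP port 53, so that a request like the second sample event is refused rather than only reported.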
12. You are the administrator of a Windows Server 2003 network. Recently, a junior administrator has, on your instructions, rebuilt one of your WINS servers (WINS-A). You don’t have a backup of the WINS database and need to restore the database through reregistrations of WINS clients and replication with another WINS server, WINS-B. Both servers are configured as push/pull replication partners of each other. As soon as WINS-A is brought back online, users configured to use WINS-A as their WINS server immediately start to complain that they can’t access file server shares on this server. By the time you hear about the complaints and try to reproduce the results, you find that the problem has disappeared. However, you take the complaints seriously and investigate further. You examine the WINS database on WINS-B and see some data that strikes you as odd. Based on the data shown in the table here, what problem is indicated? (Select the best answer.)
Record Name    Type         IP Address      Owner          Version
WINS-A [00h]   Workstation  192.168.100.20  192.168.179.5  20D
WINS-A [20h]   File Server  192.168.100.20  192.168.179.5  20C
A. There is a problem with the order of service registration. The workstation service needs to be registered before the file server service.
B. There is a problem with WINS replication that has caused the wrong owner to be associated with WINS-A.
C. The TCP/IP stack on WINS-A is configured with the IP address of WINS-B as its secondary WINS server.
D. The TCP/IP stack on WINS-B is not configured to register itself with a WINS server.
☑ C. WINS-A is registering its NetBIOS names with WINS-B, rather than itself. A comparison of the IP Address and Owner fields shows two different addresses. These should match or problems with name resolution on the network can occur. In the scenario described here, users who pointed to the WINS-B server would have no problem connecting to file server shares on WINS-A because the WINS-B server has a mapping for the file server service on WINS-A. However, users pointing to WINS-A would not be able to resolve this mapping until replication had merged the record from WINS-B, hence the transient nature of the problem. A WINS server should always be configured to register NetBIOS names only with itself.
☒ A, B, D. Answer A is incorrect because the order in which services register has nothing to do with NetBIOS name resolution. There might be problems with replication, but the evidence presented doesn’t point to this, so Answer B is incorrect. While you absolutely should configure a WINS server to register its NetBIOS records with itself, it will eventually do so even if the configuration is left blank (this could take some time), so Answer D is incorrect.
13. You are the administrator of a Windows Server 2003 network using DNS and WINS to provide name resolution services. You have two WINS servers that are set up with the default push/pull configurations. Users have been complaining for days about problems connecting to a server called File_Server2. You ping File_Server2 and get a response from the computer. However, when you issue a net view \\File_Server2 command, you get an error message stating that a duplicate name exists on the network. What is the likely cause of the problem? (Select the best answer.)
A. The underscore character cannot be used in a NetBIOS name. Rename the computer and reboot it.
B. There is a problem with the replication of the records for File_Server2. Manually initiate replication with the WINS server that is the owner of the record of File_Server2.
C. The WINS database is corrupt. Manually initiate consistency checking to restore database integrity.
D. The WINS server contains an incorrect name mapping for File_Server2.
☑ D. You can ping File_Server2, so the issue is related to the NetBIOS name resolution. When you invoke the net view command, you force the use of the NetBIOS interface, which will subsequently enforce the rules for NetBIOS names. Computer names are exclusive and must be unique. Because host name resolution resolves the name to a different IP address than the IP address resolved by the NetBIOS name mapping, you will get a duplicate name error message. We know the IP address returned by the ping is correct and that host name resolution is working for this computer.
☒ A, B, C. Answer A is incorrect because underscores are valid characters for NetBIOS names. Underscores are problematic in some implementations of DNS, but are not a problem for Windows DNS. Answer B is a possibly correct answer because, if the WINS record has not replicated throughout the environment, you might see a similar problem. However, users have been complaining for some time—much longer than the default replication interval. Answer C is incorrect because if there were problems with database consistency, the problems would be more widespread.
14. You are the administrator of a WINS server. The WINS server has suffered a hardware failure, and you have subsequently been forced to reinstall Windows Server 2003 and the WINS service. Fortunately, you have a recent backup of the WINS database. You restore the database, but notice that none of the former WINS configuration settings are present. What should you do? (Select the best answer.)
A. You need to use the %systemroot%\system32\jetpack.exe file to restore the WINS configuration after you restore the database.
B. You need to restore the original system state from the backup to the Windows Server 2003 server.
C. You need to invoke database consistency checking on the database.
D. You need to set up replication with a WINS server that was a replication of the former WINS server.
☑ B. WINS configuration settings are stored in the Registry. The WINS database contains only NetBIOS registration data, not configuration information. You therefore need to restore the Registry in order to restore the WINS configuration settings. You can do this by restoring the system state backup or a backup of the Registry itself.
☒ A, C, D. Answer A is incorrect because the Jetpack utility does not have this functionality. Answers C and D are incorrect because the database does not contain any WINS configuration information.
15. You are the administrator of a Windows Server 2003 network. After restoring the Windows Server 2003 domain controller that you had taken off the network for a few hours for maintenance, your Windows 95 and 98 users have begun complaining that they are unable to access resources on this computer. You remember seeing a message about a duplicate name on the network when you turned on the domain controller, but didn’t think much of it at the time because you had changed the IP address of the domain controller before you took it offline. What action should you take?
A. Create static mappings in the WINS database for the domain controller and disable the migrate on setting.
B. Create static mappings in the WINS database for the domain controller and enable the migrate on setting.
C. Have the users of Windows 95 and 98 computers issue an nbtstat –RR command.
D. Have the users of the Windows 95 and 98 computers issue an ipconfig /flushdns command.
☑ A. It is likely that someone on your network has configured a computer with the same name as the domain controller and hijacked the NetBIOS registration of the domain controller, resulting in a redirection attack. Windows 95 and 98 clients will use NetBIOS for logon services and to connect to file sharing resources. Given the circumstances, the duplicate name message is clear evidence of this kind of attack. If another computer is registered with the same name and is online, the WINS server will report a duplicate name error message back to the computer that is trying to initialize with the same name. For mission-critical servers, it is a good idea to create static mappings that cannot be overwritten by dynamic registrations. This situation represents one of the few circumstances that can justify the use of static mappings.
☒ B, C, D. Answer B is incorrect because enabling the migrate on setting would allow a dynamic registration to overwrite a static registration. Answers C and D are incorrect because flushing either of the resolver caches on the client would have no effect on the ultimate results of having an incorrect record in the WINS server.
Chapter 7: Planning, Implementing, and Maintaining a Remote Access Strategy
Planning the Remote Access Strategy
1. You are planning a remote access server and need to enable access for several employees. All the employees are in the same city. The company LAN is not currently connected to the Internet, and your security policy specifies that Internet connections should be avoided. Which of the following is the best choice for the remote access solution?
A. Dial-in access
B. VPN access
C. Wireless access
D. Dedicated WAN links
☑ A. Dial-in access is a convenient way to offer access to employees within a city; therefore, Answer A is correct.
☒ Answer B is incorrect because VPN access requires Internet connections. Answer C is incorrect because wireless access is typically not feasible over long distances. Answer D is incorrect because dedicated links for each employee would add unnecessary expense.
2. You are configuring a remote access server on a Windows Server 2003 computer. The same server is acting as a domain controller and DHCP server, assigning IP addresses to clients. Which of the following is the simplest method of assigning IP addresses for remote clients?
A. Manually configure each client with an IP address.
B. Configure the RRAS server to use DHCP.
C. Configure a static address pool.
D. Use APIPA.
☑ B. Because a DHCP server is already available, you can configure the RRAS server to request addresses from DHCP and avoid the need for separate addressing for dial-up clients; therefore, Answer B is correct.
☒ Answer A is incorrect because manual configuration is not the simplest method. Answer C is incorrect because a static address pool would require additional configuration and consideration of potential conflicts with the DHCP server’s address range. Answer D is incorrect because APIPA is intended for small networks that do not have a DHCP server available.
Addressing Dial-In Access Design Considerations
3. You are configuring a dial-in remote access server on a Windows Server 2003 computer. Employees will use remote access while traveling. You have ten employees with laptops who will require access to the server, but typically only one is traveling at a time. A telecommuting employee will also require access for eight hours a day. How many modems would be the minimum to reliably serve these users?
A. 1
B. 11
C. 2
D. 3
☑ C. Two modems should be sufficient: one for the telecommuting employee and one for any traveling employee who requires access; therefore, Answer C is correct.
☒ Answer A is incorrect because one modem would be busy for eight hours a day and traveling employees would not be able to dial in. Answers B and D are incorrect because two modems should be sufficient.
4. You have several users who dial in to a remote access server using multilink connections, combining two modems into a single link. Although this provides a higher bandwidth to the users, you find the server runs out of modem lines frequently, and most users are not using their connections to their full potential. Which of the following is a solution to this issue?
A. Disable multilink connections.
B. Set the maximum number of multilink ports to one.
C. Use VPN instead of dial-in access.
D. Enable Bandwidth Allocation Protocol (BAP).
☑ D. Bandwidth Allocation Protocol (BAP) can reduce a multilink connection by one line when it is not used to its full capacity, freeing the modem for other users; therefore, Answer D is correct.
☒ Answer A is incorrect because disabling multilink entirely would unnecessarily reduce bandwidth for users that required it. Answer B is incorrect because setting the maximum number of ports to one would effectively disable multilink. Answer C is incorrect because using VPN access is not an immediate solution to this issue.
Addressing VPN Design Considerations
5. You are configuring a Windows XP client machine to access a VPN server that supports L2TP over IPSec. You need to obtain a computer certificate for the client and wish to do so from the client machine. A CA is present on the local network. Which application can you use to request a certificate?
A. A Web browser
B. The Certificates MMC snap-in
C. The Certification Authority MMC snap-in
D. Connection Manager
☑ A. You can request a certificate by connecting to the CA using a Web browser; therefore, Answer A is correct.
☒ Answer B is incorrect because you can use the Certificates MMC snap-in to request a certificate, but MMC is not usually installed on Windows XP. Answer C is incorrect because the Certification Authority snap-in is available only for the CA. Answer D is incorrect because Connection Manager can be used to make a VPN connection, but not to request a certificate.
6. You have configured a VPN server running Windows Server 2003 and RRAS. Most clients are able to access the server, but clients running Windows 98 are reporting that they are unable to connect. Which of the following is most likely the cause of this problem?
A. Computer certificates are not installed.
B. L2TP is not enabled on the server.
C. PPTP is not enabled on the server.
D. Windows 98 does not support VPN client access.
☑ C. The likely problem is that PPTP is not enabled on the server, since Windows 98 clients do not support L2TP; therefore, Answer C is correct.
☒ Answer A is incorrect because computer certificates are used with L2TP, which is not supported by Windows 98. Answer B is incorrect because L2TP support would not work with Windows 98 clients. Answer D is incorrect because Windows 98 does support VPN access, but requires the PPTP protocol.
Addressing Wireless Remote Access Design Considerations
7. You are setting up wireless access to the network with two WAPs. You want to use a centralized authentication source for both access points. You have an existing IAS server on the network. Which of the following tasks are necessary to support wireless access? (Choose all that apply.)
A. Create a remote access policy.
B. Configure the WAPs to use RADIUS authentication.
C. Install a RADIUS server.
D. Add the WAPs as clients in the IAS server’s configuration.
☑ A, B, and D. You will need to create a remote access policy, configure the WAPs to use RADIUS authentication, and add them as clients of the IAS server; therefore, Answers A, B, and D are correct.
☒ Answer C is incorrect because the existing IAS server will act as the RADIUS server.
8. You have configured a WAP using the EAP-TLS protocol. The WAP is connected to a LAN with a Windows Server 2003 server. Which of the following additional tasks may be necessary to ensure that wireless clients can connect? (Choose all that apply.)
A. Enable PPP authentication.
B. Issue computer certificates to clients.
C. Issue user certificates or smart cards to users.
D. Install and configure IAS.
☑ B and C. For wireless access to work, each client needs a computer certificate and either a user certificate or smart card; therefore, Answers B and C are correct.
☒ Answer A is incorrect because PPP authentication is not used with wireless access. Answer D is incorrect because IAS is not needed for wireless access, although it can be used to improve security and to centralize authentication.
Planning Remote Access Security
9. You are planning security for your network and have determined that the domain functional level is Windows 2000 Mixed mode. You have a combination of Windows Server 2003 and Windows 2000 Server domain controllers. Which of the following actions may be necessary to enable all of Windows Server 2003’s security features? (Choose all that apply.)
A. Eliminate or upgrade the Windows 2000 Server domain controllers.
B. Eliminate all Windows 2000 clients.
C. Raise the functional level to Windows Server 2003.
D. Raise the functional level to Windows Server 2003 Interim.
☑ A and C. To enable all security features, you can raise the functional level to Windows Server 2003. This will no longer enable Windows 2000 machines to act as domain controllers; therefore, Answers A and C are correct.
☒ Answer B is incorrect because only the domain controllers must be running Windows Server 2003. Answer D is incorrect because the Windows Server 2003 Interim function level does not enable all security features.
10. You have a network with two Windows Server 2003 servers. You have raised the domain function level to Windows Server 2003. You need to install an additional domain controller and are considering an existing Windows 2000 Server. Which of the following tasks is necessary before using this machine as a domain controller?
A. Lower the function level to Windows 2000 Mixed mode.
B. Lower the function level to Windows Server 2003 Interim.
C. Upgrade the Windows 2000 Server to Windows Server 2003.
D. Demote the existing domain controller to a member server.
☑ C. Once the domain function level is raised, it cannot be lowered, so the only solution is to upgrade the server to Windows Server 2003; therefore, Answer C is correct.
☒ Answers A and B are incorrect because the domain function level cannot be lowered. Answer D is incorrect because the existing domain controller does not need to be changed.
Creating Remote Access Policies
11. You have an RRAS server and have configured two remote access policies. The first policy on the list allows access for all members of the Power Users group. The second policy on the list denies access to clients that connect during evening hours. After testing your configuration, you determine that clients in the Power Users group are able to connect at any time. Which of the following actions would correct this problem?
A. Delete the first policy in the list.
B. Change user account properties to deny remote access.
C. Change the order of the policies.
D. Install an IAS server.
☑ C. Because the first policy that matches a client is used, the policy to deny access for evening hours should be first on the list; therefore, Answer C is correct.
☒ Answer A is incorrect because the first policy is necessary to grant access to the group. Answer B is incorrect because user accounts set to deny access will be denied remote access regardless of the policy. Answer D is incorrect because installing IAS is unnecessary to solve this problem.
12. You are operating a remote access server and currently allow VPN access and dial-in access. You have decided to disallow dial-in access after configuring all the clients for VPN access. Which of the following attributes can you check in a remote access policy to deny access to modem users?
A. Authentication-Type
B. NAS-Port-Type
C. Framed-Protocol
D. NAS-Identifier
☑ B. The NAS-Port-Type attribute can be used to check whether dial-in access is in use; therefore, Answer B is correct.
☒ Answer A is incorrect because the Authentication-Type option is used to check the authentication method in use. Answer C is incorrect because the Framed-Protocol attribute specifies the protocol used to connect. Answer D is incorrect because the NAS-Identifier attribute is a string that identifies an RRAS server.
Creating a Plan to offer Remote Assistance to Client Computers
13. One of your users is having problems getting a productivity application to work correctly. You suspect that he is performing the steps involved in using the application incorrectly, but the application interface is complex and it’s difficult for you to explain, over the phone, what he needs to do. The user is running Windows XP, and you want to connect to his PC and show him how to perform the task in question so that he can actually see you go through the steps. How would you arrange to do this?
A. Send the user a Remote Assistance Request.
B. Get the user to send a Remote Assistance Invitation.
C. Connect to the user’s PC using Remote Desktop.
D. Connect to the user’s PC using the Web Interface for Remote Administration.
☑ B. By getting the user to send you a Remote Assistance Invitation, you can connect to the user’s desktop and the user can follow what you are doing.
☒ Answer A is incorrect, because sending the user a Remote Assistance Request is the wrong way and it is also not called a Request. Answer C is incorrect, because connecting to a user’s PC using Remote Desktop logs off anyone at the PC and he will not be able to see what you are doing. Answer D is incorrect, because Remote Administration is not available on Windows XP computers.
14. You are attempting to describe the remote assistance process to a co-worker. The co-worker asks what the correct terms are for the person requesting assistance and the person providing assistance so that he can look them up in Windows Help. Which of the following do you reply with? (Select two.)
A. Administrator
B. Novice
C. Expert
D. End user
☑ B, C. In relation to a remote assistance session, Microsoft refers to the person requesting help as the Novice and the person providing it as the Expert.
☒ A, D. Although valid terms in computer networking circles, Administrator and End user are not the terms Microsoft uses to officially refer to roles involved in using Remote Assistance.
Planning for Remote Administration by using Terminal Services
15. You are attempting to describe the remote assistance process to a co-worker. The co-worker asks what the correct terms are for the person requesting assistance and the person providing assistance so that he can look them up in Windows Help. Which of the following do you reply with? (Select two.)
A. Administrator
B. Novice
C. Expert
D. End user
☑ B, C. In relation to a remote assistance session, Microsoft refers to the person requesting help as the Novice and the person providing it as the Expert.
☒ A, D. Although valid terms in computer networking circles, Administrator and End user are not the terms Microsoft uses to officially refer to roles involved in using Remote Assistance.
Chapter 8: Planning, Implementing, and Maintaining a High-Availability Strategy
Understanding Performance Bottlenecks
1. You have been tasked with the implementation of enhancing the security of your network and have been allocated a modest budget to accomplish the task. You decide to implement IP Security (IPSec) between your three Windows Server 2003 servers and your Windows 2000 Professional and Windows XP Professional workstations. As the implementation proceeds, you begin hearing reports that the network does not seem as responsive. You confirm that performance has decreased. What can you do to return performance to the previous level and still accomplish your objectives?
A. Remove IPSec from the workstations, leaving the servers configured with IPSec.
B. Remove IPSec from the servers, leaving the workstations configured with IPSec.
C. Add NICs to your servers and configure the cards for load balancing.
D. Purchase new NICs that support IPSec on the NIC.
☑ D. IPSec is computer-intensive, and NICs that remove this load from the system’s main CPU can significantly boost communication performance.
☒ A, B, C. Neither Answer A nor Answer B addresses the real issue. Removing IPSec from either the servers or the workstations may actually stop communications altogether or allow your network to run unsecured. Answer C may actually decrease performance because now multiple network interfaces will require IPSec calculations to be performed by the system CPU.
2. You have inherited the responsibility of supporting a server from a previous administrator. The system has dual 1 GHz CPUs, 2048MB of RAM, and a dual-channel caching hardware RAID controller with sixteen 18GB hard drives configured as a RAID 5 array. The system has been running an important SQL database for some time, but over the last few weeks, responsiveness has decreased as more people have been accessing the SQL databases. Your part-time SQL administrator has told you that recent database growth is not the case. The databases have been consistently using between 40 and 45 percent of the available disk space. You have been asked to resolve this problem. What can you do to increase the responsiveness of the SQL database?
A. Install more RAM in the server.
B. Change the RAID array to a RAID 0+1 configuration.
C. Change the RAID array to a RAID 0 configuration.
D. Increase the cache size on the array controller.
☑ B. The SQL databases are on a RAID 5 array, which incurs heavy performance hits on disk writes. Since less than half of the disk space is in use, you can reconfigure the array into a RAID 0+1 configuration, which will boost performance and keep the data protected from drive failures.
☒ A, C, D. Answer A is wrong because, while adding RAM to a server is a frequent fix of performance issues, there is likely enough RAM already to adequately run the SQL server. Implementing Answer C would solve the performance issues but would make the system susceptible to a drive failure. Answer D may provide some performance boost, but the underlying problem of the RAID array structure would remain, making this answer a stopgap measure at best.
3. You have recently purchased a new single-CPU, Intel Xeon-based server. This hardware will be used to run a multithreaded CPU-intensive application. How can you ensure that the application performs at its best on the hardware provided?
A. Turn on hyperthreading.
B. Add a second CPU.
C. Boost the processing priority of the application’s threads.
D. Disable hyperthreading.
☑ A. A recently purchased Xeon server will support hyperthreading. Turning on hyperthreading should yield a performance increase for the multithreaded application.
☒ B, C, D. Answer B is incorrect because you would need to purchase additional hardware. Answer C is incorrect because, although performance may improve, hyperthreading will yield a higher performance boost. Answer D is incorrect because disabling hyperthreading will actually have a negative impact on performance.
4. Your server seems slow to respond to file requests from drive D: at times. You have examined the system with Performance Monitor, and the counter LogicalDisk:Current Disk Queue Length for the D: instance consistently varies between 8 and 20 during these periods of slow response. Drive D: resides on an external, 14-slot disk array with 4 slots populated with hard drives. How should you resolve this problem?
A. Defragment drive D:.
B. Add more memory to the system to increase file-caching efficiency.
C. Add more physical drives to the external array; either expand drive D: across the new drives or create another drive and move some heavily accessed files from drive D: to the new logical drive.
D. Add processors or turn on hyperthreading.
☑ C. The problem is that the disk array is not responding to disk requests quickly enough and requests are being queued. Adding drives and expanding drive D: to encompass the new drives will add more “spindles” to service disk requests. Creating a new logical drive on top of the new physical drives and relocating files to the new logical drive can produce the same effect.
☒ A, B, D. Answer A is incorrect because the Current Disk Queue Length counter is consistently over two. File system fragmentation does not produce this effect. Answer B is incorrect because adding more memory to increase the cache will likely not increase disk responsiveness. Answer D is incorrect because adding more processors may actually produce more disk requests and increase the queue length even more.
5. You have recently purchased and installed two new name-brand servers. The servers are identical in all respects, except that one server has a single CPU and the other has two. The single-CPU system will be used for basic file and print services, and the dual-CPU system will be used for running Microsoft Exchange Server. Both systems respond adequately. While developing a performance baseline, you notice that the dual-CPU system seems to be experiencing more interrupts per second than the other server. What should you do to resolve this increased level of interrupts?
A. Do nothing. This is a peculiarity of Microsoft Exchange Server.
B. Increase the communication buffers on the multiple-CPU server’s NIC.
C. Remove the second CPU from the dual-CPU system.
D. Do nothing. This is normal for a multi-CPU system.
☑ D. An increased level of interrupts on a multi-CPU system is normal.
☒ A, B, C. Answer A is incorrect because any multiprocessor-capable application will generate interrupt activity, not just Microsoft Exchange Server. Answer B is incorrect because, although this may reduce the number of interrupts, the majority of the interrupts are a result of having multiple CPUs. Answer C is incorrect because, even though the high number of interrupts will cease, performance will be greatly reduced.
Planning a Backup and Recovery Strategy
6. You have been asked to develop a backup strategy for your company’s three Windows Server 2003 servers. You have been told that the primary objective is to have the systems up and running again as quickly as possible should a disaster occur. To accomplish this goal, initial funds have been allocated and, if necessary, ongoing funds will be made available. What backup strategy should you adopt?
A. Full backups nightly to a tape drive installed in each server
B. Full backups nightly to a single, centralized tape drive
C. Full backups weekly, with daily differential backups to a tape drive installed in each server
D. Full ASR backups nightly
☑ A. Answer A is correct because only a single tape set will be needed to restore a server and, with a tape drive in each server, a restore can be performed on each server simultaneously and quickly.
☒ B, C, D. Answer B is incorrect because, although only a single tape set would be needed to do a restore, multiple restores could not occur simultaneously. Answer C is incorrect because multiple tape sets would be required to perform a restore, increasing restore time. Answer D is incorrect because an ASR backup does not back up data on partitions and volumes that do not contain Windows components.
7. You have been asked to develop a backup strategy for your company’s three Windows Server 2003 servers. You have been told that the primary objective is to minimize the ongoing cost of performing backups. To accomplish this goal, you have been given a modest budget. What backup strategy should you adopt?
A. Full backups monthly, differential backups on the weekends, and incremental backups daily to a tape drive installed in each server
B. Full backups monthly, differential backups on the weekends, and incremental backups daily to a single, centralized tape drive
C. Incremental backups daily to a single, centralized tape drive
D. Periodic full backups and daily incremental backups to a single, centralized tape drive
☑ D. Answer D provides for the lowest number of tapes to be used for backups, while still maintaining good restore capability and lowest cost for purchase of hardware.
☒ A, B, C. Answer A is incorrect because this scenario would require more tapes. This is a good scenario for balancing the cost of tapes and backup/restore performance. Answer B is incorrect because, although this would reduce the cost of equipment (fewer tape drives), more tapes would be required. This is a good scenario for reducing the impact of tape media failures and lowering the cost of hardware. Answer C is incorrect because, although this is the lowest cost option, it does not provide a point from which restores can be started.
8. You have been asked to develop a backup strategy for your company’s three Windows Server 2003 servers. You have been told that the primary objective is to minimize the time required for performing backups on regular business days. You do not have the use of any advanced storage technology, and an older application on the server requires you to shut down the application and disable Volume Shadow Copy to get a successful backup. To accomplish this goal, you have been given a sufficient budget. What backup strategy should you adopt?
A. Full backups on the weekends and incremental backups daily to a tape drive installed
in each server
B. Full backups monthly and differential backups daily to a single, centralized tape drive
C. Incremental backups daily to a single, centralized tape drive
D. Periodic full backups and daily incremental backups to a single, centralized tape drive
☑ A. Answer A is correct because an incremental backup to an internal, dedicated tape drive minimizes the time required to perform the backup.
☒ B, C, D. Answer B is incorrect because the downtime required for the backups during the working week would likely increase on a daily basis. Answer C is incorrect because it could take longer than Answer A to back up to a central location. It also has the error of not providing a starting point for restores. Answer D is incorrect because the centralized tape drive could again be a performance bottleneck.
9. Your company uses a well-known and respected third-party backup utility for all of its servers. You are adopting Windows Server 2003 early after its release and have upgraded a number of servers to the operating system. You have high hopes about improving backup performance on some of your higher volume file servers (including the ability to back up open files) and have installed the third-party client agent software on your servers. After a few days, you notice that the speed of backups has not increased. What is the most likely reason that backup performance has not increased?
A. Volume Shadow Copy has not been turned on for the appropriate volumes.
B. The third-party backup software does not use the new features present in Windows
Server 2003.
C. An ASR backup needs to be performed before the third-party utility will show
increased performance.
D. The drives hosting the files need to be defragmented for performance to improve.
☑ B. As with any new operating system, it takes a while for the rest of the market to catch up. It is likely that the third-party backup software does not recognize the new features of Windows Server 2003 and therefore is backing it up as it would an older operating system client. The solution would be to obtain the updated Windows Server 2003 compatible agent and use it on your servers.
☒ A, C, D. Answer A is incorrect because, even if Volume Shadow Copy were turned on, it is unlikely that the third-party backup utility will be able to use it. Answer C is incorrect because performing an ASR backup, while always a good idea, cannot affect ongoing backup performance. Answer D is incorrect because, although defragmenting the drives may yield a performance improvement, it will not solve the problem of the third-party software limitations.
Planning System Recovery with ASR
10. You have inherited the responsibility for supporting an important server recently upgraded from Windows NT 4 to Windows Server 2003. When the server was upgraded, it met the hardware requirements, but not by much. Increasing demand on the system has led to lower than desirable performance. Company management has authorized the purchase of new server hardware and would like you to upgrade the server as quickly as possible with the least amount of risk and additional expense. What is the best way to accomplish the upgrade in the fastest possible time, with the lowest risk, and no additional cost?
A. Use a third-party product to duplicate the server onto the new hardware.
B. Create an ASR backup of the existing server. Use the ASR backup on the new hardware. Back up the existing server. Restore the backup to the new hardware.
C. Install Windows Server 2003 onto the new hardware. Back up the existing server.
Restore the backup to the new hardware.
D. Shut down the existing server and move the existing hard drives to the new server. Boot the new server with the old hard drives.
☑ B. This method accomplishes the upgrade with the least risk (the existing server is preserved), least expense (all the tools needed are present in Windows Server 2003), and as quickly as possible (as fast as the backup and restore can be done).
☒ A, C, D. Answer A is incorrect because you would need to purchase the third-party utility, incurring additional expense. Answer C is incorrect because it would take longer to get the new operating system installed and configured to operate in the same way as the original system. Answer D is incorrect because the risk factor is too high. Moving hard drives might be technically possible, but the drives (containing the only copy of the original server) could be dropped or corrupted in the process.
11. A few weeks ago, you installed a new server. You have been performing regular full and incremental backups for all files on the system. You did not perform an initial ASR backup. When you arrived this morning, you discovered that the hard drive failed sometime last night after the backup completed, and the server will no longer boot. You replaced the failed hard drive with an identical one you had on hand. What is the quickest way to get the server back to its previous operational state?
A. Start an ASR restore. Since the hard drive is new and identical to the failed drive,
ASR will automatically re-create the previous configuration.
B. You cannot restore the server. It is permanently lost.
C. Reinstall Windows Server 2003 in a minimal configuration, restore the most recent
full backup, and then restore all of the incremental backups in sequence.
D. Reinstall Windows Server 2003 in a minimal configuration, perform an ASR backup, perform an ASR restore, restore the most recent full backup, and then restore all of the incremental backups in sequence.
☑ C. Answer C is correct because you cannot directly re-create the operational state without an ASR backup. Assuming the system state was backed up with the regular backups, you can re-create the previous operational state from the backups after you have reinstalled the operating system.
☒ A, B, D. Answer A is incorrect because you must have the ASR media set in order to perform an ASR restore. ASR does not automatically re-create a previous configuration. Answer B is incorrect because you can re-create the server from the backups; it will simply take longer and be more difficult than if you had an ASR backup available. Answer D is incorrect because you do not have an ASR set.
12. You are working on an existing server. The NIC manufacturer has notified you of an updated driver for your card that will greatly improve performance. You download and install the new driver. Before you reboot the system, you perform an ASR backup. When you reboot the system, it reaches the graphical portion of the boot process and presents a STOP message. What is the proper process for recovering from this problem?
A. Perform an ASR restore from the ASR backup set you created before the reboot.
B. Reboot the system, press F8 when prompted during the boot process, select Last Known Good Configuration, and press Enter.
C. Reinstall the operating system and do a restore of the system from tape backup.
D. Reboot the system, press F8 when prompted during the boot process, select Safe Mode, and press Enter.
☑ B. The Last Known Good Configuration option will load the drivers that were used during the boot process prior to the last successful logon, provided that they are not missing or corrupt. The new driver that you installed during your last logon session will not be loaded, and the previous one assigned to the NIC will be loaded.
☒ A, C, D. Answer A is incorrect because the ASR backup set you created before the reboot would contain the newer driver, and it would be configured for use on next boot. Answer C is incorrect because this would destroy your existing operating system and take much longer to fix. Answer D is incorrect because, although Safe Mode may (or may not) allow you to boot successfully, the new driver is still present.
Planning for Fault Tolerance
13. You are responsible for administering a Windows Server 2003 system. The system has a Pentium III 800 MHz CPU, 1024MB of RAM, and four hard drives configured in a RAID 5 array that reside in an external seven-slot chassis. The array is controlled by a modern, high-performance hardware RAID controller and presents the array to the operating system as a single drive. You arrive on a Monday morning to find your server has crashed. On investigation, you find that two of the hard drives failed. The server has a built-in display that tells you that one drive failed late Friday night and the second drive failed Sunday afternoon. What should you have done to prevent the second drive failure from causing the server to crash?
A. Ensure that backups complete during business hours.
B. Use Volume Shadow Copy to automatically create a backup on the remaining good
drive.

C. Install a second hardware RAID controller and distribute the drives evenly on the
controllers.
D. Purchase another hard drive and configure it as a hot spare drive.
☑ D. A hot spare drive would most likely have prevented the outage, and there is an available
slot for the spare drive. When the first drive failed, the controller would have
brought the spare drive online and re-created the missing data on it. When the second
drive failed, the array would be in a nonredundant state but would have continued to
function.
☒ A, B, C. Answer A is incorrect because the time that the backups would complete
would not have affected the failure or operation of the drives. Answer B is incorrect
because the operating system saw the array as a single drive and would not be able to
have performed any operation on a specific disk. Answer C is incorrect because this
would have protected against controller or cable failure but not a drive failure.
14. You are replacing a single-port NIC in your server with a new four-port NIC. Your
switches support 100 Mbps full-duplex operation. Your switches also support either
load-balancing or failover configurations. Which configuration choice is best for increased
performance and availability?
A. Configure the card for two-way load balancing with failover to the remaining two
ports.
B. Configure the card for four separate links to the switch. Windows Server 2003
automatically determines that the ports connect to the same switch and enables failover.
C. Configure the card for four-way load balancing.
D. Leave the old NIC in the server and add the new four-port card into an empty slot
on the server. Configure the new card as a failover backup for the existing card.
☑ C. Answer C is correct because a multiport load-balancing configuration automatically
includes failover redundancy.