21certify.com
Managing and Maintaining a Microsoft Windows
Server 2003 Environment for a W2K MCSA
070-292
Version 9.0
070-292
2
21certify.com
Study Tips
This product will provide you questions and answers along with detailed explanations carefully
compiled and written by our experts. Try to understand the concepts behind the questions instead of
cramming the questions. Go through the entire document at least twice so that you make sure that
you are not missing anything.
Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free
updates are available for 365 days after the purchase. You should check the products page on the
www.21certify.com
web site for an update 3-4 days before the scheduled exam date.
Important Note:
Please Read Carefully
This 21certify Exam has been carefully written and compiled by 21certify Exams experts. It is
designed to help you learn the concepts behind the questions rather than be a strict memorization tool.
Repeated readings will increase your comprehension.
We continually add to and update our 21certify Exams with new questions, so check that you have the
latest version of this 21certify Exam right before you take your exam.
For security purposes, each PDF file is encrypted with a unique serial number associated with your
21certify Exams account information. In accordance with International Copyright Law, 21certify
Exams reserves the right to take legal action against you should we find copies of this PDF file has
been distributed to other parties.
Please tell us what you think of this 21certify Exam. We appreciate both positive and critical
comments as your feedback helps us improve future versions.
We thank you for buying our 21certify Exams and look forward to supplying you with all your
Certification training needs.
Good studying!
21certify Exams Technical and Support Team
070-292
3
21certify.com
Q. 1 You are the network administrator for 21certify. The network consists of a single Active Directory
domain named contoso.com. The network contains 100 Windows 2000 Professional computers and
three Windows Server 2003 computers. Information about the three servers is shown in the following
table.
You add a network interface print device named 21certifyPrinter1 to the network. You manually
configure the IP address for 21certifyPrinter1. 21certifyPrinter1 is not currently registered on the DNS
server. The relevant portion of the network is shown in the exhibit.
You need to ensure that client computers can connect to 21certifyPrinter1 by using its name.
What should you do?
A. On 21certifySrvA, add an alias (CNAME) record that references
21certifyPrinter1.
B. In the Hosts file on 21certifySrvC, add a line that references
21certifyPrinter1.
C. On 21certifySrvA, add a service locator (SRV) record that reference 21certifyPrinter1.
D. On 21certifySrvA, add a host (A) record that references
21certifyPrinter1.
E. In the Hosts file on 21certifySrvB, add a line that references
21certifyPrinter1.
Answer: D
Q. 2
070-292
4
21certify.com
You are a network administrator for Fabrikam, Inc. A company named 21certify GmBh., recently
acquired Fabrikam, Inc., and another company named Proseware, Inc. Your team is responsible for
establishing connectivity between the companies.
Each of the three companies has its own Active Directory forest. The relevant portion of the network is
shown in the exhibit.
***MISSING***
21certify1, 21certify3, and 21certify5 runs Windows Server 2003. Each of these servers is the DNS
server for its respective domain. All three servers can currently resolve Internet host names. 21certify3 is
configured as a secondary zone server for fabrikam.com and proseware.com.
You need to configure 21certify5 to resolve host names for 21certify.com and proseware.com as quickly
as
possible, without adding new zones to 21certify5.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Forward requests for 21certify.com to 131.107.1.2.
B. Forward requests for 21certify.com to 131.107.3.2.
C. Forward requests for 21certify.com to 131.107.10.2.
D. Forward requests for proseware.com to 131.107.1.2.
E. Forward requests for proseware.com to 131.107.3.2.
F. Forward requests for proseware.com to 131.107.10.2.
Answer: ?
Note: Exhibit needed. Will be provided in later versions.
Q. 3 You are the network administrator for 21certify. The network consists of a single DNS domain
named 21certify.com.
You replace a UNIX server with a Windows Server 2003 computer named 21certify1.
21certify1 is the DNS server and start authority (SOA) for 21certify.com. A UNIX server
named 21certify2 is the mail server for 21certify.com.
You receive reports that Internet users cannot send e-mail to the 21certify.com domain. The host
addresses are shown in the following window.
070-292
5
21certify.com
You need to ensure that Internet users can send e-mail to the 21certify.com
domain. What should you do?
A. Add an _smtp service locator (SRV) DNS record for 21certify2.
B. Add a mail exchange (MX) DNS record for 21certify2.
C. Add an alias (CNAME) record for mail.21certify.com.
D. Enable the SMTP service on 21certify1.
Answer: B
Q. 4 You are the network administrator for 21certify. The network contains Windows Server 2003
computers and Windows XP Professional computers. You are configuring Automatic Update on the
servers.
The written company network security policy states that all updates must be reviewed and approved
before they are installed. All updates are received from the Microsoft Windows Update servers.
You want to automate the updates as much as possible.
What should you do?
To answer, configure the appropriate option or options in the dialog box.
070-292
6
21certify.com
Answer: Check "Keep my computer...", and click "Download..."
Q. 5 You are the network administrator for 21certify. The network consists of a single Active Directory
domain 21certify.com. The domain contains 35 Windows Server 2003 computers; 3,000 Windows XP
Professional computers; 2,200 Windows 2000 Professional computers.
The written company security policy states that all computers in the domain must be examined, with the
following goals:
. • To find out whether all available security updates are present.
. • To find out whether shared folders are present.
. • To record the file system type on each hard disk.
You need to provide this security assessment of every computer and verify that the requirements of the
written security policy are met.
What should you do?
A. Open the Default Domain Policy and enable the Configure Automatic Updates policy.
B. Open the Default Domain Policy and enable the Audit object access policy, the Audit
account management policy, and the Audit system events policy.
C. On a server, install and run mbsacli.exe with the appropriate configuration switches.
D. On a server, install and run HFNetChk.exe with the appropriate configuration switches.
Answer: C
Q. 6 You are the network administrator for 21certify. The network contains Windows Server 2003
computers and Windows XP Professional computers.
You install Software Update Services on a server named 21certify
A. You create a new Group Policy
object (GPO) at the domain level.
070-292
7
21certify.com
You need to properly configure the GPO so that all computers receive their updates from 21certify
A.
How should you configure the GPO?
To answer, configure the appropriate option or options in the dialog box.
Answer: Check "Enabled", Choose "http:// 21certifyA" in the "Set the intranet..." and choose the same in
"Set the intranet stat.."
Q. 7 You are the regional network administrator for the Boston branch office of 21certify's network. The
company network consists of a single Active Directory domain 21certify.com. All computers in the
Boston office run Windows XP Professional.
The domain contains an organizational unit (OU) named BostonClientsOU, which contains all the
computer objects for the Boston office. A Group Policy object (GPO) named BClientsGPO is linked
to BostonClientsOU. You have been granted the right to modify the GPO.
BClientsGPO contains a software restriction policy that prevents the execution of any file that has
a .vbs file extension. All other applications are allowed to run.
You want to use a script file named maintenance.vbs, which you will schedule to run every night on
the computers in the Boston office. The maintenance.vbs file is located in the Scripts shared folder on
a server named 21certifySrvC. The contents of maintenance.vbs will frequently change based on the
maintenance tasks you want to perform.
You need to modify the software restriction policy to prevent unauthorized .vbs scripts from running on
the computers in the Boston office, while allowing maintenance.vbs to run. You want to ensure that no
other applications are affected by your solution. You want to implement a solution that you can
configure once, without requiring additional administration in the future, when maintenance.vbs changes.
What should you do?
070-292
8
21certify.com
A. Obtain a digital certificate.
Create a new certificate rule.
Set the security level of the rule to Unrestricted.
Digitally sign maintenance.vbs.
B. Create a new path rule.
Set the security level on the rule to Unrestricted.
Set the path to \\21certifySrvC\Scripts\*.vbs.
C. Create a new path rule.
Set the security level on the rule to Unrestricted.
Set the path to \\21certifySrvC\Scripts\maintenance.vbs.
D. Create a new hash rule.
Set the security level on the rule to Unrestricted.
Create a file hash of maintenance.vbs.
Answer: C
Q. 8 You are the network administrator for 21certify. 21certify has offices in three countries. The
network contains Windows Server 2003 computers and Windows XP Professional computers. The
network is configured as shown in the exhibit.
Software Update Services (SUS) is installed on one server in each office. Each SUS server is configured
to synchronize by using the default settings.
070-292
9
21certify.com
Because bandwidth at each office is limited, you want to ensure that updates require the
minimum amount of time.
What should you do?
A. Synchronize the updates with an SUS server at another office.
B. Select only the locales that are needed.
C. Configure Background Intelligent Transfer Service (BITS) to limit file transfer size to 9 MB.
D. Configure Background Intelligent Transfer Service (BITS) to delete incomplete jobs after 20
minutes.
Answer: C
Q. 9 You are the file server administrator for 21certify. The company network consists of a single
Active Directory domain named 21certify.com. The domain contains 12 Windows Server 2003
computers and 1,500 Windows XP Professional computers.
You manage three servers named 21certify1, 21certify2, and 21certify3. You need to update the driver
for the network adapater that is installed in Serve1.
You log on to 21certify1 by using a nonadministrative domain user account named King. You open the
Computer Management console. When you select Device Manager, you receive the following error
message: “You do not have sufficient security privileges to uninstall devices or to change device
properties or device drivers”.
You need to be able to run the Computer Management console by using the local administrator account.
The local administrator account on 21certify1, 21certify2, and 21certify3 has been renamed Tess. Tess’s
password is kY74X.
In Control Panel, you open Administrative Tools. You right-click the Computer Management shortcut
and click Run ass on the shortcut menu.
What should you do next?
070-292
10
21certify.com
Answer:
Explanation:
Choose "The following User", Enter "21certify1\Tess" in the User Name field, enter kY74X" in the
password field.
Q. 10
You are the network administrator for 21certify. The network consists of a single Active Directory
domain named 21certify.com. The domain contains Windows Server 2003 computers and Windows
XP
Professional computers.
All confidential company files are stored on a file server named 21certify1. The written company
security
states that all confidential data must be stored and transmitted in a secure manner. To comply with the
security policy, you enable Encrypting File System (EFS) on the confidential files. You also add EFS
certificates to the data decryption field (DDF) of the confidential files for the users who need to access
them.
While performing network monitoring, you notice that the confidential files that are stored on 21certify1
are being transmitted over the network without encryption.
You must ensure that encryption is always used when the confidential files on 21certify1 are stored
and
transmitted over the network.
What are two possible ways to accomplish this goal? (Each correct answer presents a complete
solution.
070-292
11
21certify.com
Choose two)
A. Enable offline files for the confidential files that are stored on 21certify1, and select the Encrypt
offline files to secure data check box on the client computers of the users who need to access the
files.
B. Use IPSec encryption between 21certify1 and the client computers of the users who need to
access the confidential files.
C. Use Server Message Block (SMB) signing between 21certify1 and the client computers of the
users who need to access the confidential files.
D. Disable all LM and NTLM authentication methods on 21certify1.
E. Use IIS to publish the confidential files.
Enable SSL on the IIS server.
Open the files as a Web folder.
Answer: B, C
Q. 11 You are the network administrator in the New York office of 21certify. The company network
consists of a single Active Directory domain 21certify.com. The New York office currently contains one
Windows Server 2003 file server named 21certify
A.
All file servers in the New York office are in an organizational unit (OU) named New York Servers.
You have been assigned the Allow – Change permission for a Group Policy object (GPO) named
NYServersGPO, which is linked to the New York Servers OU.
The written company security policy states that all new servers must be configured with
specified predefined security settings when the servers join the domain. These settings differ
slightly for the various company offices.
You plan to install Windows Sever 2003, on 15 new computers, which all functions as file servers.
You will need to configure the specified security settings on the new file servers.
21certifyA currently has the specified security settings configured in its local security policy. You need
to ensure that the security configuration of the new file servers is identical to that of 21certify
A. You export a copy of 21certifyA’s local security policy settings to a template file.
You need to configure the security settings of the new servers, and you want to use the minimum
amount of administrative effort.
What should you do?
A. Use the Security Configuration and Analysis tool on one of the new servers to import the template
file.
B. Use the default Domain Security Policy console on one of the new servers to import the template
file.
C. Use the Group Policy Editor console to open NYServersGPO and import the template file.
D. Use the default Local Security Policy console on one of the new servers to import the template
file.
Answer: C
070-292
12
21certify.com
Q. 12 You are the network administrator for 21certify. The network consists of a single Active Directory
domain named 21certify.com. The network contains Windows Server 2003 member servers, Windows
Server 2003 domain controllers, and Windows XP Professional computers. The relevant portion of the
Active Directory structure is in the work area below.
The written company security policy allows users to use Encryption File System (EFS) on only
portable computers. The network security administrator creates a separate domain account as the data
recover agent (DRA). The Default Domain Policy contains the Internet Explorer security settings that
are required on all computers in the domain.
Users are currently able to use EFS on any computer that will support EFS.
You need to configure Group Policy to ensure compliance with the company security policy. You want
to link the minimum number of GPOs to accomplish this goal. All other domain GPOs must remain.
How should you configure Group Policy to ensure that users can use EFS on only portable computers?
To answer, drag the appropriate Group Policy setting or settings to the correct organizational unit (OU)
or OUs.
Answer:
070-292
13
21certify.com
Q. 13 You are a network administrator for 21certify. The network consists of a single Active Directory
domain named 21certify.com. The domain contains Windows Server 2003 domain controllers, Windows
Server 2003 member servers, and Windows XP Professional computers.
All company network administrators need to have the remote administrative tools available on any
computer that they log on to. All network administrators are members of the domain Administrators
group. The network administrator accounts are located in multiple organizational units (OUs).
You need to ensure that the administrative tools are available to network administrators. You also need
to ensure that the administrative tools are always installed on computers that have 100 MB or more free
disks space.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose
three)
A. Create a Group Policy object (GPO) that will apply adminpak.msi at the domain level.
B. Create a Group Policy object (GPO) that will link adminpak.msi to the Domain Controllers OU.
C. Ensure that only the domain Administrators group is assigned the Allow – Read permission
and the Allow – Apply Group Policy permission for the new Group Policy object (GPO).
D. Assign the domain Users group the Deny – Read permission on the Deny – Apply Group
Policy permission for the new Group Policy object (GPO).
E. Create a WMI filter that queries the Win32_LogicalDisk object for more than 100 MB of free
space.
F. Create a WMI filter that queries the Win32_LogicalDisk object for less than 100 MB of free space.
Answer: A, C, D
070-292
14
21certify.com
Q. 14 You are the network administrator for 21certify. The network consists of a single Active Directory
forest named 21certify.com. The forest contains two domains named 21certify.com and
corp.21certify.com. The network consists of 15 subnets.
The domain controllers are configured as shown in the following table.
21certifySrvA and 21certifySrvB are registered in 21certify.com. All other computers are registered in
corp.21certify.com.
You create reverse lookup zones for all subnets.
The corp.21certify.com domain contains a Windows NT Server 4.0 file and print server named Server5.
You change the static IP address for 21certifySrvE.
You need to ensure that this change is reflected in DNS.
Which two resource records should you modify? (Each correct answer presents part of the solution.
Choose two)
A. The pointer (PTR) record in the corp.21certify.com zone.
B. The host (A) record in the corp.21certify.com zone.
C. The alias (CNAME) record in the corp.21certify.com zone.
D. The pointer (PTR) record in the stub zone.
E. The host (A) record in the stub zone.
F. The alias (CNAME) record in the stub zone.
Answer: A, C
Q. 15 You are the network administrator for the Tokyo office of 21certify. The company network
consists of a single Active Directory domain 21certify.com. The network in your office contains 20
Windows XP Professional computers.
The domain contains an organizational unit (OU) named TokyoOU, which contains all the computer
objects for your office. You have been granted the right to create and link Group Policy objects (GPOs)
on the TokyoOU.
070-292
15
21certify.com
You need to prevent the computers in your office from executing unauthorized scripts that are written in
the Microsoft Visual Basic, Scripting Edition (VBScript) language. However, you want to be able to use
VBScript files as startup scripts on all computers in your office. You need to implement a solution that
will not affect any other applications.
You plan to implement software restriction policies, by using a GPO on TokyoOU. You will set
the default security level Unrestricted.
Which two actions should you perform to configure software restriction polices? (Each correct answer
presents part of the solution. Choose two)
A. Create a new certificate rule.
Set the security level on the rule to Unrestricted.
Digitally sign all the .vbs files that you want to use.
B. Create a new certificate rule.
Set the security level on the rule to Restricted.
Digitally sign all the .vbs files that you want to use.
C. Create a new path rule.
Set the security level on the rule to Unrestricted.
Set the path to *.vbs.
D. Create a new path rule.
Set the security level on the rule to Restricted.
Set the path to *.vbs.
E. Create a new Internet zone rule.
Set the security level on the rule to Unrestricted.
Set the Internet zone to Local computer.
F. Create a new Internet zone rule.
Set the security level on the rule to Restricted.
Set the Internet zone to Local computer.
Answer: B, D
Q. 16 You are the network administrator for Test King. The network consists of a single Active
Directory domain named 21certify.com. The domain contains Windows Server 2003 computers and
Windows XP Professional computers.
The Default Domain Policy has been modified by importing a security template file, which
contain several security settings.
A server named 21certify1 cannot run a program that us functioning on other similarly configured
servers. You need to find out whether additional security settings have been added to the local
security policy on 21certify1.
To troubleshoot, you want to use a tool to compare the current security settings on 21certify1 against the
security template file in order to automatically identify any settings that might have been added to the
local security policy.
070-292
16
21certify.com
Which tool should you run on 21certify1?
A. Microsoft Baseline Security Analyzer (MBSA)
B. Security Configuration and Analysis console
C. gpresult.exe
D. Resultant Set of Policy console in planning mode
Answer: D
Q. 17 You are the network administrator for 21certify. The network consists of a single Active Directory
domain named 21certify.com. All network servers run Windows Server 2003.
You are responsible for defining the procedures for backing up and restoring all servers. Your company
uses the Backup utility. To enhance security, The IT department deploys certificates to all network users.
Smart cards will be required to log on to the domain. A domain controller named 21certifyDC1 is
configured as the certificate server.
You need to create a backup plan for 21certifyDC1. The backup must include only the minimum amount
of data needed to restore Active Directory and the certificate server.
Which action or actions should you perform? (Choose all that apply)
A. Back up the System State dat
A.
B. Back up C:\windows\ntds.
C. Back up C:\windows\sysvol.
D. Back up C:\windows\system32\certsrv.
Answer: A, D
Q. 18 You are the network administrator for 21certify. Your network consists of a single Active
Directory domain named 21certify.com. All network servers run Windows Server 2003. Each domain
controller contains one disk that is configured with both the system partition and the boot partition.
Every day, you use custom software to perform a fall backup of user profiles and user dat
A. The custom backup software provides a bootable floppy disk that includes the drivers for the
backup medi
A.
Every Sunday, you run the Automated System Recovery (ASR) wizard on your domain controllers
in conjunction with removable backup medi
A. Data is backed up in a file named Backup1.bkf.
One Monday morning, you install a new application on a domain controller named
21CERTIFYDC1. When you restart 21CERTIFYDC1, you receive the following error:
“NTLDR is missing. Pres any key to restart.”
You need to bring 21CERTIFYDC1 back online as quickly as possible.
What should you do?
A. Restart 21CERTIFYDC1 by using the installation CD-ROM. Reinstall the operating system and
restore the contents of the latest full backup by using the Restore wizard. Restart
21CERTIFYDC1.