You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domain named contoso.com. The functional level of the domain is Windows Server 2003. The domain contains Windows Server 2003 computers and Windows XP Professional computers.

The domain consists of the containers shown in the exhibit.

All production server computer accounts are located in an organizational unit (OU) named Servers. All production client computer accounts are located in an OU named Desktops. There are Group Policy objects (GPOs) linked to the domain, to the Servers OU, and to the Desktops OU.

The company recently added new requirements to its written security policy. Some of the new requirements apply to all of the computers in the domain, some requirements apply to only servers, and some requirements apply to only client computers. You intend to implement the new requirements by making modifications to the existing GPOs.

You configure 10 new Windows XP Professional computers and 5 new Windows Server 2003 computers in order to test the deployment of settings that comply with the new security requirements by using GPOs. You use the Group Policy Management Console (GPMC) to duplicate the existing GPOs for use in testing. You need to decide where to place the test computer accounts in the domain.

You want to minimize the amount of administrative effort required to conduct the test while minimizing the impact of the test on production computers. You also want to avoid linking GPOs to multiple containers.

What should you do?

Exhibit:

You are a network administrator for your company. The network contains a Windows Server 2003 computer named Server1. Server1 has a single CPU, 512 MB of RAM, and a single 100-Mb network adapter.

All network users’ home folders are stored on Server1. Users access their home folders by using a mapped network drive that connects to a shared folder on Server1. After several weeks, users report that accessing home folders on Server1 is extremely slow at certain times during the day. You need to identify the resource bottleneck that is causing the poor performance.

What should you do?

You are a network administrator for your company. The network consists of two Active Directory domains. You are responsible for administering one domain, which contains users who work in the sales department. User objects for the users in the sales department are stored in an organizational unit (OU) named Sales in your domain.

Users in the sales department use a public key infrastructure (PKI) enabled application that requires users to present client authentication certificates before they are granted access. You install Certificate Services on two member servers running Windows Server 2003. You configure one server as an enterprise subordinate certification authority (CA) and the other server as a stand-alone root CA.

You need to issue certificates that support client authentication to sales users only. You need to achieve this goal by using the minimum amount of administrative effort.

What should you do?

You are the administrator of a new network at Contoso, Ltd. The network consists of a single Active Directory domain. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 98. All Windows 98 computers have the Active Directory Client Extensions software installed. The network consists of three physical subnets.

Each subnet contains a domain controller and a server that runs DHCP. Each subnet also contains a server that runs both the DNS Server service and the WINS service. All client computers receive their TCP/IP configuration information from the DHCP server that is located on their local subnet. All servers except the domain controllers, the DHCP servers, and the DNS and WINS servers also receive their TCP/IP configuration information from the DHCP server that is located on their local subnet. All of the Windows 98 computers are located on a single subnet. The DHCP scope on this subnet is configured with the options shown in the exhibit.

All DHCP servers are configured with similar options. Users of the Windows 98 computers report that they cannot connect to resources on the Windows Server 2003 computers located on any subnet. When they attempt to connect to a shared resource by using \\servername\sharename in the Run command, they receive the following error messag* “Server .” The users can successfully connect to Web-based resources located on the same servers. When you attempt to connect to the servers by using the ping command on an affected Windows 98 computer, you can connect successfully.

The users of the Windows XP Professional computers do not report the same problems. You need to ensure that the users of the Windows 98 computers can connect to shared resources on the Windows Server 2003 computers.

What should you do?

Exhibit:

You are the network administrator for Woodgrove Bank. The company has 20,000 users in 20 physical locations worldwide. The company is expecting to grow by 50 percent in the next five years. The company recently became a subsidiary of Humongous Insurance. Humongous Insurance has five other subsidiaries.

Humongous Insurance has 100,000 users in 100 physical locations worldwide. Humongous Insurance uses the 10.0.0.0/8 network and requires that all subsidiaries integrate into this network. The network design team at Woodgrove Bank provides you with a network design for integrating into the Humongous Insurance network.

The design specifies that Woodgrove Bank will use a single block of IP network numbers to assign IP addresses to its network. You need to plan the IP address space to meet the design specification. You need to request a block of IP addresses from Humongous Insurance that will accommodate all Woodgrove Bank users.

To reduce the difficulty of obtaining the addresses and to conserve the Humongous Insurance address space, you want to request the smallest block of IP addresses that meets the design specification.

What should you do?

You are the systems engineer for your company. The network consists of three physical networks connected by hardware-based routers. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. Each physical network contains at least one domain controller and at least one DNS server. One physical network contains a Microsoft Internet Security and Acceleration (ISA) Server array that provides Internet access for the entire company. The network also contains a certificate server.

Company management wants to ensure that all data is encrypted on the network and that all computers transmitting data on the network are authenticated. You decide to implement IPSec on all computers on the network. You edit the Default Domain Policy Group Policy object (GPO) to apply the Secure Server (Require Security) IPSec policy.

Users immediately report that they cannot access resources located in remote networks. You investigate and discover that all packets are being dropped by the routers. You also discover that Active Directory replication is not functioning between domain controllers in different networks. You need to revise your design and implementation to allow computers to communicate across the entire network. You also need to ensure that the authentication keys are stored encrypted.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

You are the network administrator for your company. The network consists of a single Active Directory domain. The company’s written security policy requires that computers in a file server role must have a minimum file size for event log settings. In the past, logged events were lost because the size of the event log files was too small. You want to ensure that the event log files are large enough to hold history. You also want the security event log to be cleared manually to ensure that no security information is lost. The application log must clear events as needed.

You create a security template named Fileserver.inf to meet the requirements. You need to test each file server and take the appropriate corrective action if needed. You audit a file server by using Fileserver.inf and receive the results shown in the exhibit.

You want to make only the changes that are required to meet the requirements.

Which two actions should you take? (Each correct answer presents part of the solution. Choose two.)

Exhibit:

You are a network administrator for Alpine Ski House. The network consists of a single Active Directory domain. The domain name is alpineskihouse.com. The network contains three Windows Server 2003 domain controllers. You are creating the recovery plan for the company. According to the existing backup plan, domain controllers are backed up by using normal backups each night. The normal backups of the domain controllers include the system state of each domain controller.

Your recovery plan must incorporate the following organizational requirements:

Active Directory objects that are accidentally or maliciously deleted must be recoverable.

Active Directory must be restored to its most recent state as quickly as possible.

Active Directory database replication must be minimized.

You need to create a plan to restore a deleted organizational unit (OU). Which two actions should you include in your plan? (Each correct answer presents part of the solution. Choose two.)

You are the systems engineer for your company. The network consists of a single Active Directory domain. The company has a main office and two branch offices. All servers run Windows Server 2003. All client computers run either Windows XP Professional or Windows 2000 Professional. Each branch office maintains a dedicated 256-Kbps connection to the main office.

Each office also maintains a T1 connection to the Internet. Each office has a Microsoft Internet Security and Acceleration (ISA) Server 2000 computer, which provides firewall and proxy services on the Internet connection. Each branch office contains one domain controller and five servers that are not domain controllers. There is minimal administrative staff at the branch offices.

A new company policy states that all servers must now be remotely administered by administrators in the main office. The policy states that all remote administration connections must be authenticated by the domain and that all traffic must be encrypted. The policy also states that the remote administration traffic must never be carried in clear text across the Internet.

You choose to implement remote administration by enabling Remote Desktop connections on all servers on the network. You decide to use the Internet-connected T1 lines for remote administration connectivity between offices.

Because administrative tasks might require simultaneous connections to multiple servers across the network, you need to ensure that administrators do not lose connections to servers in one office when they attempt to connect to servers in another office.

What should you do?

You are a network administrator for your company. The network consists of a single Active Directory domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. The Active Directory domain contains three organizational units (OUs): Payroll Users, Payroll Servers, and Finance Servers.

The Windows XP Professional computers used by the users in the payroll department are in the Payroll Users OU. The Windows Server 2003 computers used by the payroll department are in the Payroll Servers OU. The Windows Server 2003 computers used by the finance department are in the Finance Servers OU.

You are planning the baseline security configuration for the payroll department. The company’s written security policy requires that all network communications with servers in the Payroll Servers OU must be secured by using IPsec. The written security policy states that IPSec must not be used on any other servers in the company.

You need to ensure that the baseline security configuration for the payroll department complies with the written security policy. You also need to ensure that members of the Payroll Users OU can access resources in the Payroll Servers OU and in the Finance Servers OU.

What should you do?