What should you do?
Your company has an Active Directory directory service domain. All servers run Windows Server 2003. Your network consists of an internal network and a perimeter network (also known as DMZ). A stand-alone Web server is located in the perimeter network. All other servers are located on the internal network and are members of the domain. No certification authority (CA) is available. An Active DirectoryCbased IPSec policy blocks all incoming traffic on the internal network. You need to ensure that the Web server can communicate with a database server on the internal network. What should you do?
Which two actions should you perform?
All servers in your company run Windows Server 2003. You have a secure network segment protected by a firewall. You configure a DHCP scope for the secure network segment on a DHCP server that is located outside the secure network segment. Client computers inside the secure network segment do not receive IP addressing information. You need to ensure that client computers inside the secure network segment receive IP addressing information.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
What should you do?
You are the systems engineer for Contoso, Ltd. The internal network consists of a Windows NT 4.0 domain. The company maintains a separate network that contains publicly accessible Web and mail servers. These Web and mail servers are members of a DNS domain named contoso.com. The contoso.com zone is hosted by a UNIX-based DNS server running BIND 4.8.1. Contoso, Ltd., is planning to migrate to a Windows Server 2003 Active Directory domain-based network. The migration plan states that all client computers will be upgraded to Windows XP Professional and that all servers will be replaced with new computers running Windows Server 2003. The migration plan specifies the following requirements for DNS in the new environment. Active Directory data must not be accessible from the Internet. The DNS namespace must be contiguous to minimize confusion for users and administrators.
Users must be able to connect to resources in the contoso.com domain. Users must be able to connect to resources located on the Internet. The existing UNIX-based DNS server will continue to host the contoso.com domain. The existing UNIX-based DNS server cannot be upgraded or replaced.You plan to install a Windows Server 2003 DNS server on the internal network.
You need to configure this Windows-based DNS server to meet the requirements specified in the migration plan. What should you do?
Which tool should you use?
Your company has a single Active Directory directory service domain. All servers in your environment run Windows Server 2003. You need to verify the DNS infrastructure and automatically generate an HTML report of the results. Which tool should you use?
What should you do?
You plan to deploy Windows Server 2003 member servers that must use specific IP addresses. You need to ensure that the member servers can use the required IP addresses and that their TCP/IP properties can be updated dynamically. What should you do?
What should you do?
You are the network administrator for Contoso Pharmaceuticals. The network consists of a single Active Directory forest. The forest contains Windows Server 2003 servers and Windows XP Professional computers. The forest consists of a forest root domain named contoso.com and two child domains named child1.contoso.com and child2.contoso.com. The child1.contoso.com domain contains a member server named Server1. You configure Server1 to be an enterprise certification authority (CA), and you configure a user certificate template. You enable the Publish certificate in Active Directory setting in the certificate template. You instruct users in both the child1.contoso.com and the child2.contoso.com domains to enroll for user certificates. You discover that the certificates for user accounts in the child1.contoso.com domain are being published to Active Directory, but the certificates for user accounts in the child2.contoso.com domain are not. You want certificates issued by Server1 to child2.contoso.com domain user accounts to be published in Active Directory. What should you do?
Which two settings in the Default Domain Policy should you plan to configure?
Your company has an Active Directory directory service domain. All servers run Windows Server 2003. You are creating a security monitoring plan. You need to audit all domain authentication attempts and write these events to an event log on the local computer and also to an event log on the domain controller.
Which two settings in the Default Domain Policy should you plan to configure? (Each correct answer presents part of the solution. Choose two.)
What should you do?
You are the network administrator for your company. The network contains 20 Windows Server 2003 database servers.The written security policy for your company requires that the following services must be disabled on all database server computers. Computer Browser File Replication Indexing Service Remote Registry Server Task SchedulerThe written security policy also requires that the database servers must be prohibited from having access to the Internet. You use a Windows XP Professional client
computer named Admin1 that has access to the Internet.You need to perform a weekly analysis of the hotfix level of the database servers compared with the latest available updates.
You need to minimize the amount of administrative effort.What should you do?
Which two actions should you take?
You are the security analyst for your company. The company’s written security policy does not allow direct dial-in connections to the network. During a routine security audit, you discover a Windows Server 2003 server named Server1 that has a modem installed and is connected to an outside analog phone line.
You investigate and discover that Server1 is also running Routing and Remote Access and is used by the sales department. The modem supports the caller ID service. This remote access connection is used by an application at a partner company to upload product and inventory information to Server1. Each day at midnight, the partner application connects to Server1 and uploads the information. The connection never lasts longer than 30 minutes. The application is currently using the sales manager’s domain user account to make the connection. The partner application does not support incoming connections. The partner company has no plans to update this application to support your written security policy, and the sales department requires this updated product and inventory information to be available each morning.
Company management directs you to design a solution that provides the highest level of security for this connection until a more secure solution can be developed by the two companies. You need to design and implement a solution that will ensure that only the partner’s application can connect to your network over the dial-up connection. Your solution must prevent the connection from being used by unauthorized users, and it must allow only the minimum amount of access to the network. Which two actions should you take?
(Each correct answer presents part of the solution. Choose two.)
What should you do?
All servers in your company run Windows Server 2003. You discover that your public IP address is listed on an SMTP blacklist, and that one of your servers is sending unsolicited commercial e-mail that originates from outside your network. You need to ensure that the server does not continue to send the unsolicited commercial e-mail messages. What should you do?