Microsoft Press MCTS Training Kit 70-648: Transitioning Your MCSA/MCSE to Windows Server 2008, part 10 (ppt)


Chapter 1: Lesson Review Answers (page 845)

C. Incorrect: The netsh interface ipv4 set address name="Local Area Connection" static 192.168.10.1 255.255.255.0 192.168.10.10 command would set the IPv4 address to 192.168.10.1 and the default gateway to 192.168.10.10.
D. Incorrect: You must put spaces between the settings, not commas. This command would return an Invalid IP Address error.

Lesson 2

1. Correct Answer: B
A. Incorrect: You use the start /w ocsetup DHCPServerCore command to install the DHCP server role on a Server Core installation of Windows Server 2008.
B. Correct: The sc config dhcpserver start= auto command configures the DHCP Server service to start automatically on a Server Core installation of Windows Server 2008 when Windows starts.
C. Incorrect: The servermanagercmd -install dhcp command installs the DHCP server role on a full installation of Windows Server 2008. You cannot use this command on a Server Core installation.
D. Incorrect: The net start DHCPServer command starts the DHCP Server service after it is already installed.

2. Correct Answer: A
A. Correct: This is 80 percent of the available addresses on VLAN1 plus 20 percent of the available addresses on VLAN2.
B. Incorrect: This is 80 percent of the available addresses on VLAN2 plus 20 percent of the available addresses on VLAN1. These are the scopes that should be configured on VLAN2.
C. Incorrect: This is 50 percent of the available addresses on VLAN1 plus 50 percent of the available addresses on VLAN2. This solution does not follow the 80:20 rule.
D. Incorrect: These scopes overlap.

3. Correct Answer: C
A. Incorrect: You can configure only one contiguous address range per scope.
B. Incorrect: Configuring a scope option that assigns the DNS server address to clients does not prevent the scope from leasing out an address that is the same as the one statically configured on the DNS server.
C. Correct: Creating an exclusion for the DNS server address is the simplest way to solve the problem. When you configure the exclusion, the DHCP server will not lease the 172.16.10.100 address, and the DNS server retains its static configuration.
D. Incorrect: Microsoft recommends that you do not assign reservations to infrastructure servers such as DNS servers. DNS servers should be configured statically.

Chapter 1: Case Scenario Answers

Case Scenario 1: Implementing IPv6 Connectivity
1. Site-local IPv6 addresses are the direct equivalent of private IPv4 addresses and are routable between VLANs. However, you could also consider configuring every device on your network with an aggregatable global unicast IPv6 address. NAT and CIDR were introduced to address a lack of IPv4 address space, and this is not a problem in IPv6. You cannot use only link-local IPv6 addresses in this situation because they are not routable.
2. As with DHCP for IPv4, you should configure a dual-scope DHCPv6 server on each subnet. The scope for the local subnet on each server should include 80 percent of the full IPv6 address range for that subnet. The scope for the remote subnet on each server should include the remaining 20 percent of the full IPv6 address range for that subnet.

Case Scenario 2: Configuring DHCP
1. DHCPv6 is implemented by default in Windows Server 2008, and DHCPv6 scopes can be created on the existing DHCP servers. No additional hardware is required to implement DHCPv6. Most of the features of DHCPv4 are implemented in DHCPv6, and IPv6 configurations can be automatically assigned to client computers. It remains good practice to configure infrastructure servers statically.
2. Problems can occur if a virtual server in a Hyper-V cluster is also a DHCP server. If a virtual network is linked to a NIC, DHCP will not work on the LAN. The LAN NIC is effectively disabled in the parent partition, which is linked to the virtual network, not to the physical network. Microsoft recommends running nothing except the Hyper-V role in the parent partition.
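The 80:20 scope split and the infrastructure-server exclusion from Lesson 2 above, worked through as an added example (not code from the training kit). The subnets, server names and the 172.16.10.100 DNS address are constructed values; the script plans the four scopes two DHCP servers would carry, checks that the two servers never lease overlapping ranges on the same subnet, and confirms the excluded address is never leasable.

```python
"""
Added example (not from the training kit): plans DHCP scopes for two
subnets following the 80:20 rule and applies an exclusion for a statically
configured DNS server so that address is never leased. All values constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Scope:
    """A contiguous DHCP address range on one server (one range per scope)."""
    server: str
    subnet: IPv4Network
    start: IPv4Address
    end: IPv4Address
    exclusions: frozenset = frozenset()

    def leasable(self):
        """Addresses this scope can actually hand out: range minus exclusions."""
        return [
            IPv4Address(a)
            for a in range(int(self.start), int(self.end) + 1)
            if IPv4Address(a) not in self.exclusions
        ]


def split_80_20(subnet: IPv4Network, local_share: float = 0.8):
    """Split the usable host range of subnet into a local part (80 percent)
    and a remote part (20 percent). Returns ((lo_start, lo_end), (re_start, re_end))."""
    hosts = list(subnet.hosts())  # excludes network and broadcast addresses
    cut = int(len(hosts) * local_share)
    return (hosts[0], hosts[cut - 1]), (hosts[cut], hosts[-1])


def plan_scopes(local_srv, local_net, remote_srv, remote_net, static_addrs):
    """Build the scopes for two DHCP servers: each serves its own subnet with
    80 percent of the range and the other subnet with the remaining 20 percent.
    Statically configured infrastructure addresses become exclusions."""
    ex = frozenset(IPv4Address(a) for a in static_addrs)
    local_big, local_small = split_80_20(local_net)
    remote_big, remote_small = split_80_20(remote_net)
    return [
        Scope(local_srv, local_net, *local_big, ex),
        Scope(local_srv, remote_net, *remote_small, ex),
        Scope(remote_srv, remote_net, *remote_big, ex),
        Scope(remote_srv, local_net, *local_small, ex),
    ]


def scopes_overlap(scopes):
    """True if any two scopes on the same subnet could lease the same address
    (the failure mode behind answer D of question 2)."""
    for i, a in enumerate(scopes):
        for b in scopes[i + 1:]:
            if a.subnet == b.subnet and a.start <= b.end and b.start <= a.end:
                return True
    return False


# Constructed values: VLAN1 and VLAN2 subnets, DNS server static at 172.16.10.100.
VLAN1 = IPv4Network("172.16.10.0/24")
VLAN2 = IPv4Network("172.16.20.0/24")
DNS_SERVER = "172.16.10.100"
PLAN = plan_scopes("DHCP1", VLAN1, "DHCP2", VLAN2, [DNS_SERVER])


def leasable_by_anyone(addr: str, scopes=PLAN) -> bool:
    """Would any server in the plan lease addr? Used to confirm the exclusion."""
    target = IPv4Address(addr)
    return any(target in s.leasable() for s in scopes)


if __name__ == "__main__":
    for s in PLAN:
        print(f"{s.server}: {s.subnet} {s.start}-{s.end} ({len(s.leasable())} leasable)")
    print("overlap:", scopes_overlap(PLAN))
    print("DNS server leasable:", leasable_by_anyone(DNS_SERVER))
```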
If you do not use DHCP to configure a Hyper-V virtual cluster, the Failover Cluster Management Wizard asks you to supply any IP address information manually.

Chapter 2: Lesson Review Answers

Lesson 1

1. Correct Answer: B
A. Incorrect: This answer points to the router with the 10.0.0.11 address on the 10.0.0.0/24 subnet. This is currently the default router. To get to the 10.0.1.0/24 subnet, you must configure a route to the 10.0.0.21 router interface address.
B. Correct: When using the route add command, you specify the destination network first (in this case, 10.0.1.0) and then the subnet mask. Finally, you specify the router interface address that will be used to access the remote network, in this case, 10.0.0.21.
C. Incorrect: The route is to 10.0.1.0/24, not to 10.0.0.0/24.
D. Incorrect: The destination network, not the router interface address, should be listed as the first parameter after route add.

2. Correct Answers: B, C, D, and E
A. Incorrect: Both Windows Server 2003 and Windows Server 2008 support RIPv2.
B. Correct: Windows Server 2008 does not support NWLink.
C. Correct: Windows Server 2008 does not support Services for Macintosh.
D. Correct: Windows Server 2008 replaces Basic Firewall with Windows Firewall.
E. Correct: Windows Server 2008 does not support OSPF.
F. Incorrect: Windows Server 2008 introduces SSTP.

3. Correct Answer: B
A. Incorrect: Network Address Translation (NAT) enables clients with private IP addresses to connect to computers on the public Internet. NAT does not automatically configure routing.
B. Correct: RIP is a routing protocol. It enables routers to broadcast or multicast a list of subnets to which each router provides access. If you enable RIP on a Windows Server 2008 server, it automatically identifies neighboring routers (assuming RIP is enabled on these routers) and forwards traffic to remote subnets.
C. Incorrect: OSPF is a routing protocol and would meet your requirements. However, Windows Server 2008 does not support OSPF.
D. Incorrect: You could use static routes to reach remote subnets. However, the question asks you to configure Windows Server 2008 to automatically identify remote networks. This requires a routing protocol.

4. Correct Answers: A and B
A. Correct: Routes with a 128-bit prefix length are host routes for a specific IPv6 destination.
B. Correct: Routes with a 128-bit prefix length are host routes for a specific IPv6 destination.
C. Incorrect: Routes with a 64-bit prefix length are subnet routes for locally attached subnets.
D. Incorrect: ff00::/8 routes are for multicast traffic.

5. Correct Answers: C and D
A. Incorrect: Ping tests connectivity to a single destination. You cannot easily use ping to identify the routers in a path.
B. Incorrect: Although you can use ipconfig to determine the default gateway, you cannot use it to determine all routers in a path.
C. Correct: Pathping uses ICMP to detect routers between a host and a specified destination.
D. Correct: Tracert uses ICMP to detect every router between a host and a specified destination. The main difference between tracert and pathping is that pathping computes accurate performance statistics over a period of time, whereas tracert sends only three packets to each router in the path and displays the latency for each of those three packets.

Lesson 2

1. Correct Answer: B
A. Incorrect: The netsh advfirewall context does not support the add rule command. You must use the netsh advfirewall consec context.
B. Correct: The netsh advfirewall consec context enables you to specify configurations that are specific to IPsec. In this context, the add rule command adds an IPsec rule.
C. Incorrect: The netsh firewall context is provided for backward compatibility, and its use on a Windows Server 2008 server is not recommended. This context does not support the add rule command.
D. Incorrect: The netsh ipsec dynamic context is provided for backward compatibility, and its use on a Windows Server 2008 server is not recommended. This context does support the add rule command, but you would not be able to specify any of the new features that Windows Server 2008 introduces.

2. Correct Answer: D
A. Incorrect: AH provides data authentication but not data encryption.
B. Incorrect: Tunnel mode provides interoperability with routers, gateways, or end systems that do not support L2TP/IPsec or PPTP connections. It does not require network communications to be encrypted.
C. Incorrect: This would work but is not the best answer because AH does not encrypt data. Using AH with ESP increases the processing overhead unnecessarily.
D. Correct: The ESP protocol provides encryption for IPsec.

3. Correct Answer: A
A. Correct: You can use a certificate infrastructure, provided that both domains trust the certificates. Third-party certificates are often used for this purpose.
B. Incorrect: The Kerberos protocol is built into Active Directory Domain Services to provide authentication for IPsec communication. However, Kerberos requires both domains to be in the same Active Directory forest.
C. Incorrect: A preshared key is the least secure authentication method, and you should use it only if no other method is available. Microsoft recommends that you do not use this method in a production environment. Using certificates is preferable in this scenario.
D. Incorrect: ESP provides encryption, not authentication.

Chapter 2: Case Scenario Answers

Case Scenario 1: Adding a Second Default Gateway
1. Because computers are configured with static IP addresses, you should use the Advanced TCP/IP Settings dialog box to configure multiple default gateways. Clients will automatically detect a failed default gateway and send traffic through the second gateway.

Case Scenario 2: Adding a New Subnet
1. You create a static route on the client computers specifying the router with IP address 10.0.1.2 as the path to the 10.0.2.0/24 network. Because 10.0.1.1 is the default gateway, all other communications will be sent to 10.0.1.1.
2. route -p add 10.0.2.0 MASK 255.255.255.0 10.0.1.2

Case Scenario 3: Implementing IPsec
1. You should use Kerberos because all IPsec communications are within the same Active Directory forest.
2. Assign the Client (Respond Only) IPsec policy to the computers used by the appropriate users. In this way, you can ensure that the IPsec policy does not affect communications with other computers and servers that do not require security.

Chapter 3: Lesson Review Answers

Lesson 1

1. Correct Answers: B and E
A. Incorrect: Many airport lounge and hotel firewalls block outbound traffic on all ports except common ones such as 80 and 443. SSTP was developed in part because many people found it impossible to establish VPN connections from airport lounges and their hotel rooms by using PPTP or L2TP/IPsec.
B. Correct: VPNs based on the SSTP protocol are likely to work from behind airport lounge and hotel firewalls because these firewalls are unlikely to block the port used for secure Web traffic, 443, which also carries SSTP VPN traffic.
C. Incorrect: Many airport lounge and hotel firewalls block outbound traffic on all ports except common ones such as 80 and 443. SSTP was developed in part because many people found it impossible to establish VPN connections from airport lounges and their hotel rooms by using PPTP or L2TP/IPsec.
D. Incorrect: Windows XP SP3 does not support SSTP VPNs.
E. Correct: Because Windows XP does not support SSTP VPNs, you must upgrade the laptop computers' operating systems to Windows Vista.

2. Correct Answer: B
A. Incorrect: All traffic passing through the external firewall will be directed to the IP address of the VPN server, not to the internal network, so creating a rule here would not work.
B. Correct: You can block VPN clients from accessing the sensitive subnet by creating a Routing and Remote Access filter on the VPN server.
C. Incorrect: Creating an inbound rule on the VPN server would not work because the inbound traffic is bound for the VPN server, not for the sensitive subnet.
D. Incorrect: An authentication exemption rule allows access where access might otherwise be blocked, which is not the problem in this case.

3. Correct Answer: A
A. Correct: Authentication between RADIUS clients and RADIUS servers occurs through a shared secret.
B. Incorrect: You cannot configure authentication between a RADIUS client and a RADIUS server by using a digital certificate.
C. Incorrect: You cannot configure authentication between a RADIUS client and a RADIUS server by using NTLMv2.
D. Incorrect: You cannot configure authentication between a RADIUS client and a RADIUS server by using EAP-TLS.

4. Correct Answers: A, B, and F
A. Correct: You must configure GAMMA as a RADIUS server that authenticates against AD DS so that clients connecting can authenticate using their domain credentials.
B. Correct: You must configure each dial-up access server appliance as a RADIUS client on GAMMA so that GAMMA responds to authentication traffic forwarded by the dial-up access servers.
C. Incorrect: The dial-up access servers must forward authentication traffic to GAMMA, not to domain controllers, which do not respond to RADIUS traffic.
D. Incorrect: GAMMA will function as the RADIUS server. The dial-up access servers must be configured as RADIUS clients.
E. Incorrect: Dial-up access servers function as RADIUS clients, not as RADIUS proxies. RADIUS proxies forward authentication traffic from RADIUS clients to RADIUS servers.
F. Correct: You must configure each dial-up access server to forward authentication requests to GAMMA, which functions as the RADIUS server.

5. Correct Answer: C
A. Incorrect: IMAP4 uses port 443; the command in question relates to the POP3 port, port 110.
B. Incorrect: HTTP uses port 80; the command in question relates to the POP3 port, port 110.
C. Correct: The netsh routing IP NAT add portmapping name="Public" tcp 0.0.0.0 110 10.100.0.101 110 command forwards incoming POP3 traffic directed to the NAT server's public interface to the POP3 port on host 10.100.0.101. TCP port 110 is the POP3 port.
D. Incorrect: SSTP uses port 443; the command in question relates to the POP3 port, port 110.

Lesson 2

1. Correct Answer: A
A. Correct: When you have an NPS perform authentication for 802.1x-compliant switches, it is necessary to configure each 802.1x-compliant switch as a RADIUS client on the NPS.
B. Incorrect: 802.1x-compliant switches do not function as RADIUS servers because they forward authentication to an NPS.
C. Incorrect: 802.1x-compliant switches do not function as RADIUS servers because they do not forward authentication from other RADIUS clients to a RADIUS server.
D. Incorrect: Only the 802.1x-compliant switches need to be configured as RADIUS clients because it is they, not the computers, that will forward authentication traffic to the NPS.

2. Correct Answer: B
A. Incorrect: EAP-TLS requires the deployment of digital certificates to clients.
B. Correct: PEAP-MS-CHAPv2 is a password-based authentication mechanism you can deploy to authenticate 802.1x wired connections without having to deploy certificate services. Although you must install a certificate on the authenticating server, this can be a self-signed certificate or one obtained from a commercial CA.
C. Incorrect: PEAP-TLS requires the deployment of digital certificates to clients.
D. Incorrect: NTLMv2 cannot be used to authenticate 802.1x wired access.

3. Correct Answer: A
A. Correct: PEAP-MS-CHAPv2 requires the NPS to have been issued a certificate that is trusted by all client computers. Certificates issued by enterprise root CAs in a domain are trusted by all client computers in the domain.
B. Incorrect: Authenticating switches do not require certificates when deploying PEAP-MS-CHAPv2.
C. Incorrect: Client computers do not require certificates when deploying PEAP-MS-CHAPv2.
D. Incorrect: The NPS requires a certificate.

4. Correct Answer: D
A. Incorrect: Authmode=useronly will not always work with preLogon, depending on whether credentials have been cached.
B. Incorrect: The ssomode=postLogon parameter indicates that 802.1x wired authentication occurs after the user has logged on to the computer.
C. Incorrect: The ssomode=postLogon parameter indicates that 802.1x wired authentication occurs after the user has logged on to the computer.
D. Correct: The netsh lan set profileparameter authmode=machineonly ssomode=preLogon command configures an 802.1x wired network profile so that authentication occurs using the computer's credentials prior to the user logging on.

5. Correct Answer: A
A. Correct: Configuring Wired Network (IEEE 802.3) policies enables you to provide authentication data automatically to 802.1x-compatible switches. You can configure these switches to require a host to authenticate before the switch forwards any traffic to the network.
B. Incorrect: Wireless Network (IEEE 802.11) policies are similar to Wired Network policies except that they automate authentication with wireless access points.
C. Incorrect: IPsec policies can limit access to other hosts but cannot limit access to the network.
D. Incorrect: Network Access Protection policies can deny or allow access to the network, based on the health status of a computer, but do not require the host to authenticate itself to the switch prior to undergoing the NAP process.

6. Correct Answer: C
A. Incorrect: You cannot create PSOs by using the Group Policy Management console.
B. Incorrect: You cannot create PSOs by using ntdsutil.
C. Correct: You can create Password Settings Objects (PSOs) by using ADSI Edit or ldifde.
D. Incorrect: You cannot create PSOs by using Active Directory Users and Computers.

Chapter 3: Case Scenario Answers

Case Scenario 1: Configuring a VPN Solution at Fabrikam, Inc.
1. You must open TCP port 443 to support SSTP. You must open UDP ports 1701, 500, and 4500 to support L2TP/IPsec.
2. MS-CHAPv2 is the only password-based authentication protocol you can use with Windows XP that is supported by Windows Server 2008 VPN servers. EAP-MS-CHAPv2 and PEAP-MS-CHAPv2 are supported only by Windows Server 2008 and Windows Vista VPN clients and not by Windows XP.
3. You can configure filters on the VPN server to ensure that VPN clients are unable to access the accounting database server.

Case Scenario 2: Network Access at Contoso, Ltd.
1. PEAP-MS-CHAPv2 is the only authentication protocol that enables passwords to be used for 802.1x authentication.
2. Computer certificates must be deployed on the RADIUS servers when using PEAP-MS-CHAPv2.
3. You must configure the Windows Wired AutoConfig service to start automatically and then configure authentication settings through the Authentication tab of the network interface properties dialog box.

Chapter 4: Lesson Review Answers

Lesson 1

1. Correct Answer: A
A. Correct: WPA2-Enterprise uses a RADIUS server for authentication. All other methods listed use a preshared key.
B. Incorrect: WEP uses a preshared key to authenticate clients.
C. Incorrect: WPA-PSK uses a preshared key to authenticate clients.
D. Incorrect: WPA2-Personal (also known as WPA2-PSK) uses a preshared key to authenticate clients.

2. Correct Answer: C
A. Incorrect: Although it is possible to use RADIUS proxies, you should configure wireless access points as RADIUS clients rather than as RADIUS servers.
B. Incorrect: You should configure the wireless access points, rather than the wireless clients, as RADIUS clients.
C. Correct: You should configure wireless access points as RADIUS clients because this will allow the Network Policy and Access Services server to authenticate traffic.
D. Incorrect: You should not configure wireless clients as RADIUS proxies.

3. Correct Answer: C
A. Incorrect: For this method of authentication to work, the clients must trust the CA that issued the computer certificate to the NPS server.
B. Incorrect: For this method of authentication to work, the clients must trust the CA that issued the computer certificate to the NPS server.
C. Correct: The CA that issued the computer certificate to the NPS server must be trusted by the wireless clients.
D. Incorrect: For this method of authentication to work, the clients must trust the CA that issued the computer certificate to the NPS server.

4. Correct Answer: D
A. Incorrect: Allowing users to view denied networks will not allow connections to ad hoc networks created by Windows Meeting Space.
B. Incorrect: Infrastructure networks require wireless access points. There are no wireless access points present in this scenario.
C. Incorrect: Clients must be able to connect to ad hoc networks. The wireless policy to allow everyone to create wireless profiles allows users to create wireless profiles that apply to all users of the computer.
D. Correct: Clients need to be able to connect to ad hoc networks for the executives to use Windows Meeting Space where there is no wireless access point.

5. Correct Answer: D
A. Incorrect: WEP uses a preshared key, so no network authentication is required.
B. Incorrect: WPA2-Personal uses a preshared key, so no network authentication is required.
C. Incorrect: The Open authentication method does not use any authentication.
D. Correct: The WPA2-Enterprise access point authentication method requires you to specify a network authentication method for when authentication occurs against the RADIUS server.

Lesson 2

1. Correct Answer: C
A. Incorrect: Inbound firewall rules allow traffic based on program or port.
B. Incorrect: Outbound firewall rules allow traffic based on program or port.
[...]

The remainder of the preview consists of disconnected excerpts from later chapters; gaps in the source are marked [...].

[...] command restores the Boston computer account to the Windows_Server_2008_Servers OU in the contoso.internal domain.
D. Incorrect: You need to use the Restore Object command to restore an object such as a user or computer account. You cannot use Restore Computer.

5. Correct Answer: D
A. Incorrect: You cannot restore a deleted GPO by using an authoritative restore. You need to use the GPMC to restore GPOs.
[...] restore a deleted GPO by using the Restore Wizard. You need to use the GPMC to restore GPOs.
C. Incorrect: You cannot restore a deleted GPO by using the Restore Wizard. You need to use the GPMC to restore GPOs.
D. Correct: You use the GPMC to restore deleted GPOs by opening the GPMC, right-clicking the Group Policy Objects container, and then selecting Manage Backups. Browse to where backed up GPOs are stored [...]

[...] restore.
C. Correct: You need to restore the OU and all its contents. You therefore need to use restore subtree rather than restore object.
D. Incorrect: You need to specify an authoritative restore by using ntdsutil authoritative restore. Also, you need to use restore subtree rather than restore object.

4. Correct Answer: C
A. Incorrect: You can use wbadmin.exe to configure backups. It does not recover tombstoned AD DS objects.
B. Incorrect: You can use ntdsutil.exe to mark restored AD DS objects as authoritative. It does not recover tombstoned AD DS objects.
C. Correct: You can use ldp.exe to recover tombstoned AD DS objects.
D. Incorrect: The net.exe utility has many uses. For example, you can use net start and net stop to start and stop a service. However, it does not recover tombstoned AD DS [...]

[...] need to obtain a certificate from a third-party trusted CA to use as the root of your AD CS deployment so all certificates are trusted.

Case Scenario 2: Implementing an External AD RMS Cluster
1. You use cross-certificate publication based on trusted publishing domains. To do this, you export your SLC and its private key and then ask your counterpart at Contoso to import it into Contoso's AD RMS root. Your [...]

[...] would stop when the user who created them logged off.
C. Incorrect: An expiration date does not cause a collector set to stop. It stops new collections from starting after it has been reached.
D. Correct: You must set a stop condition on each collector set to ensure that it stops.
E. Correct: You must set a duration limit on the collector set when you schedule it to run; otherwise, it will not stop.
3. [...]

[...] Incorrect: You use oclist | more to check that the AD LDS service is installed.
C. Incorrect: The service name for AD LDS is DirectoryServices-ADAM-ServerCore, not DirectoryServices-ADLDS-ServerCore.
D. Incorrect: You use the ocsetup command, not the oclist command, to install AD LDS on Server Core.

4. Correct Answer: D
A. Incorrect: You can use the LDIF files and the ldifde.exe command to modify the instance, [...]

[...] you need access to a directory store. You should install the AD FS Windows token-based agent to support identity federation and AD FS-enable the Web-based applications by installing the AD FS claims-aware agent. To gain access to the applications, partner organizations and internal users will use AD FS, and the general public will use instances of AD LDS.
6. You should use AD CS to manage the certificates [...]

[...] already existed in your AD DS forest, installation would not have proceeded without any errors.
C. Correct: During the installation, your account is added to the AD RMS Enterprise Administrators group on the local computer. However, you must log off and then log on again to ensure that your account has the required access rights to configure AD RMS.
D. Incorrect: To install AD RMS, your server must be a [...]

[...] Windows Web Server 2008.
B. Incorrect: You cannot install an enterprise subordinate CA on Windows Server 2008 Standard. Windows Server 2008 Standard supports only standalone CAs.
C. Correct: You can install an enterprise subordinate CA on Windows Server 2008 Enterprise.
D. Correct: You can install an enterprise subordinate CA on Windows Server 2008 Datacenter.

3. Correct Answer: A
A. Correct: To be recognized [...]

Posted: 09/08/2014, 11:21
