pintukumar

Overview
A. Datum Corporation is a company that provides technical classes at locations across North America. The company primarily offers instructor­led courses, on a Monday­through­Friday schedule.
Physical Locations The company’s main office is located in Atlanta. The company has three branch offices in the following locations:
Chicago
Dallas
Seattle
In Addition to the main office in Atlanta, there are also 70-297
two satellite offices: Atlanta East and Atlanta West. There is no IT staff in the satellite offices
Planned Changes The company has evolved into a single business unit from four separate technical schools in each of the cities where the company’s offices are currently located.
The company recognizes that a cohesive administrative structure will better serve its employees and better secure critical resources.
Recently, the company has begun to offer classes from Atlanta that is available online via the Internet. The company wants to begin offering online content from all offices, not just from Atlanta.
Business Process
Currently, the offices of A. Datum Corporation operates as four independent business units: Atlanta, Chicago, Dallas, and Seattle.
The IT staff in each office functions independently. Network resource access is primarily localized to each office with the exception of the student records database and the current online courseware, which are hosted on servers in Atlanta only.
The student records database contains students’ personal data and their transcripts. Currently, the branch offices e­mail the students’ enrollment and transcript information to the Atlanta office for entryinto the student records database. The admissions department enters personal student data and the registrar’s department enters grades. The student records database currently cannot be updated from any other location.
The online course content is already developed and in use.
Directory Services
The servers are configured as shown in the Available Servers exhibit.

The Atlanta office currently has a Windows 2000 Active Directory domain.
The Chicago and Dallas branch offices are both running in workgroup configurations. each office manages its own users and groups.
Network Infrastructure
The existing network is shown in the Existing Network Infrastructure exhibit.

Wan connections between the Atlanta main office and Atlanta East can be unreliable. There are DHCP servers in Atlanta and the branch offices. All servers are Pentium III 550­MHz or greater processors with at least 512 MB of memory. All of the offices run various client operating systems, which include Windows 98, Windows NT
Workstation 4.0, Windows 2000 Professional, Windows XP Professional, and UNIX. The instructors run either Windows 2000 Professional or Windows XP Professional on their desktop computers at the office. UNIX instructors use a UNIX client computer to access the network when working from home.
Problem Statements
The following business problems must be considered:
The company recognizes that its biggest security vulnerability is the methodology that it uses to update the student records database in Atlanta. In the past, there have been problems with students gaining access to and altering their student records.
There has been reason to suspect that courseware has been compromised because of weak passwords on instructors’ computers.
Chief Executive Officer I am pleased with the performance of our staff at A. Datum Corporation. However, I am concerned about protecting our intellectual property. Both our online curriculum and the student records database need protection. Our primary focus must be that no one outside of the organization can view or modify this information.
Chief Information Officer We need to provide an adequate security structure for our network environment.
It is important that wecreate a centralized network operations team. I am confident in the ability of our IT staff in Atlanta to take a lead administrative role in our envisioned environment.
The practice of sending student information through e­mail must stop. I think our strategy of a single, centralized student records database is valid. We need to make this database directory­aware so that users who have the responsibility for updating the student records will need only a single set of credentials to make the necessary changes.
Additionally, instructors are not receiving updated teaching schedule information on a timely basis. The issue should be addressed by ensuring that our new scheduling program is installed on all instructor computers, including the computers that the instructors use when accessing our network remotely. Registrar, Atlanta Office
I am concerned about the network changes. The good news is that they will tell me that I will need only one logon name. However, the other news I am hearing is not good. I am told that the password I use cannot be a word. How am I going to remember a password that is not a word? I have a hard time remembering passwords as it is.
My other major concern is that I am being told that the instructors in each location will be able to enter grades. Recording grades should be my job exclusively.
Business Drivers
The following business requirements must be considered:
For its Web site, A. Datum Corporation is using the registered domain name adatum.com.
The company anticipates more focus on the online course offerings in the future.
Organizational Goals The following organizational requirements must be considered:
The student records database must be available to all offices from Atlanta during the hours of 9:00 A.M. to 8:00 P.M. Eastern Time, Monday through Friday.
The online courseware must be available 24 hours a day, seven days a week.
Security
The following security requirements must be considered:
The student records database server must be secured to allow only those with the appropriate authorization to modify or add data. These authorized personnel include both instructors and staff in each of the company’s offices.
Instructors will require the necessary permissions to modify the content for the online courseware for which they are responsible.
Instructors are required to make changes to the online courseware 70-297 dumps
and post grades from the LAN only.
Customer Requirements
The following customer requirements must be considered:
Remote access will be required for all instructors when they need to access their business offices from home. Some instructors will use UNIX client computers for remote access.
Instructors will need the new scheduling application to be installed both on their office and home computers that are members of the domain, even if using a dial­up connection.
Windows 98 is currently the operating system on the sales representatives’ computers. These computers will not be upgraded in the near future. However, the Active Directory client will be installed on these computers. There are sales representatives in all of the company’s offices.
Web access to the online curriculum is required by the students enrolled in the online classes, and must be limited to enrolled students only.
Active Directory
The following Active Directory requirements must be considered:
The goals of the new Active Directory structure are to provide a centralized method of service administration for supporting the administrative staff and provide secure access to student records.
Administration of the Active Directory service will be in Atlanta. Resource administration will occur in Atlanta and the branch offices.
Students must not have any permission to any resource other than the online courses.
Network InfrastructureThe following infrastructure requirements must be considered:
Because the company has a limited budget, it will need to continue working with the existing physical network.
For updating student grades, authorized computers in the registrar’s office will require smart card support.
The Atlanta, Chicago, Dallas, and Seattle offices will each host DNS subdomains to support the online courseware.
The amount of DNS zone transfer or replication must be minimized. Unauthorized updates of DNS records must be prevented.
All computers, including client computers, must have host (A) resource records in DNS.
UNIX instructors require support of pointer (PTR) resource records for several applications used from their home computers.
Network traffic needs to be minimized across the WAN links.
Remote access policies for Atlanta, Chicago, Dallas, and Seattle should be centralized.
Case Study #1 A. Datum Corporation
1. You are designing the new forest structure and migration strategy to meet the business and technical requirements. What should you do?
To answer, move the appropriate actions from the list of actions to the answer area, and arrange them in the appropriate order. (Use only actions that apply)

Answer:

2. You are designing a DNS strategy to meet the business and technical requirements. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Create a dynamic reverse lookup zone for each subnet.
B. Create a dynamic forward lookup for each domain.
C. Install caching­only DNS servers in the branch offices.
D. Enable the BIND secondaries option for each DNS server.
Answer: A, B

3. You are designing a DNS and DHCP implementation strategy to support the new environment. What should you do?
A. Create a WINS resource record in the Active Directory DNS zone.
B. Create a WINS referral zone in the DNS zone that supports Active Directory.
C. Configure a DNS domain name on the DHCP server.
D. Configure the DHCP server to update DNS for DHCP clients that do not support dynamic updates.
Answer: D

4. You need to ensure that only authorized personnel are able to modify student grades. Which desktop environment or environments should you use? (Choose all that apply)
A. Windows XP Professional
B. Windows 2000 Professional
C. Windows 98 with Active Directory client installed
D. Windows NT Workstation 4.0 with the latest service pack and Active Directory client installed
Answer: A, B

5. You need to ensure that the sales representatives are provided with adequate NetBIOS name resolution.
What should you do?
A. Install WINS on the PDC emulator.
B. Install WINS on servers in Atlanta and Seattle.
C. Enable WINS lookup on the DNS server in Atlanta.
D. Enable WINS on one domain controller in each office.
Answer: D

6. You are designing a strategy to install the new scheduling application. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two)
A. Assign the scheduling application package to the Instructor OU.
B. Publish the scheduling application package to the Instructor OU.
C. Ensure that the scheduling application can install across slow WAN links.
D. Prevent the scheduling application from installing across slow WAN links.
Answer: A, C

7. You are designing a VPN authentication strategy to meet the business and technical requirements. What should you do?
A. Implement the RADIUS service in Atlanta.
B. Implement the RADIUS service in each branch office.
C. Configure network address translation (NAT) on all VPN servers.
D. Configure the Connection Manager Administration Kit (CMAK) on the PDC.
Answer: A

8. You are designing a DHCP strategy for the new 70-297 study guide
Active Directory environment.Which two groups have the necessary rights to authorize the DHCP servers? (Each correct answer presents part of the solution. Choose two)
A. IT staff in Atlanta
B. IT staff in Seattle
C. DHCP administrators in all offices
D. DHCP administrators in Atlanta only
E. Members of the Enterprise Admins group
Answer: A, E

9. You are designing the placement of operations master roles in the new environment. In which location or locations should a PDC emulator be designated? (Choose all that apply)
A. Atlanta
B. Chicago
C. Dallas
D. Seattle
Answer: A

1. Refer to the exhibit. Which statement accurately represents the characteristics of the core layer in this design?

A. QoS should be performed only in the core.
B. Load balancing should never be implemented or used in the core.
C. Access lists should be used in the core to perform packet manipulation.
D. It is acceptable to use a partial mesh in the core if it is connected to each device by multiple paths.
E. Policy­based traffic control is implemented in the core 640-863
to enable prioritization, ensuring the best performance for all time­critical applications.
Answer: D

2. Which statement accurately describes one difference between a small office and medium office topology?
A. Small offices commonly use Rapid PVST+ for Layer 3 deployments.
B. Medium offices commonly use integrated route and switching platforms.
C. Medium offices use integrated 10/100/1000 interfaces as Layer 2 trunks.
D. Medium offices use external access switches to support LAN connectivity. Answer: D
3. Which three factors best justify WAN link redundancy between geographically dispersed sites? (Choose three.)
A. important traffic flows
B. lack of speed
C. high link utilization
D. uncertain reliability
E. excessive packet transmission rate
F. high expense of transmitting data
Answer: A, B, D

4. Refer to the exhibit. Which two statements describe why Model A is the recommended design for routing between Building Distribution switches and Campus Core switches? (Choose two.)

A. It uses timer­based non­deterministic convergence.
B. It is software­based, providing fast convergence to the remaining path.
C. Routes are not summarized from distribution to the core.
D. The Layer 3 redundant equal cost links support fast convergence.
E. A link or box failure does not require routing protocol convergence.
Answer: D,E

5. An organization needs a WAN Transport technology that meets these criteria: has a low initial cost provides low­to­medium BW has medium­to­high latency and jitter Which technology would you suggest?
A. DSL
B. X.25
C. ISDN
D. wireless
E. analog modem
Answer: A

6. Which two of these represent a best practice implementation of a Split MAC LWAPP deployment in a Cisco Unified Wireless Network? (Choose two.)
A. Each wireless client authentication type maps to a shared SSID which in turn maps to a common shared VLAN.
B. Each wireless client authentication type maps to a unique SSID which in turn maps to a unique VLAN.
C. Each wireless client authentication type maps to a unique SSID which in turn maps to a common shared VLAN.
D. 802.1Q trunking extends from the wired infrastructure to the access point for translation into SSID(s).
E. 802.1Q trunking extends from the wired infrastructure to a wireless LAN controller for translation into SSID(s).
F. 802.1Q trunking extends from the wired infrastructure to a wireless LAN controller. Then the 802.1Q packet is encapsulated in LWAPP and sent to the access point for transmission over the SSID(s).
Answer: B, E

7. Which two statements represent advantages that the top­down network design process has over the bottom­up network design process? (Choose two.)
A. is able to provide the big picture
B. utilizes previous experience
C. takes less time to design a network
D. identifies appropriate technologies first
E. provides a design for current and future development
Answer: A, E

8. Which two of these are required for wireless client mobility deployment when using a Cisco Unified
Wireless Network? (Choose two.) A. assigned master controller
B. matching mobility group name
C. matching RF group name
D. matching RF power
E. matching security
F. matching RF channel
Answer: B, E

9. Which two VoIP characteristics are affected most by codec choice? (Choose two.)
A. voice quality
B. silent packet handling
C. voice packet header size
D. bandwidth required for voice calls
Answer: A, D

10. Which H.323 protocol controls call setup between endpoints?
A. H.225
B. H.245
C. RAS
D. RTCP
Answer: A

11. A company is designing a worldwide IPv6 network with duplicated file servers at multiple locations.
Each file server contains identical reference information. Which IPv6 address type would be used to allow each end station to send a request to the nearest file server using the same destination address, regardless of the location of that end station?
A. unicast
B. anycast
C. multicast
D. broadcast
Answer: B

12. Given a VoIP network with these attributes: Codec: G.728 Bit rate: 16 Kbps WAN Bandwidth: 256
Kbps Packet Header: 6 bytes Payload: 40 bytes CRTP: Yes
How many calls can be made?
A. 7 calls
B. 8 calls
C. 13 calls
D. 14 calls
Answer: C

13. The topology map in the draft design document should cover which two layers of the OSI model? (Choose two.)
A. physical
B. data link
C. network
D. transport
E. session
F. application
Answer: A, C

14. Which two techniques can reduce voice packet transfer delay across a link of less than 512 kbps? (Choose two.)
A. deploy LFI
B. increase queue depth
C. increase link bandwidth
D. extend the trust boundary
E. deploy software compression
Answer: A, C

15. Your company’s Cisco routers are operating with EIGRP. You need to join networks with an
acquisition’s heterogeneous routers at 3 sites, operating with EIGRP and OSPF. Which describes the best practice for routing protocol deployment?
A. apply OSPF throughout both networks
B. apply one­way redistribution exclusively at each 640-863 dumps
location
C. apply two­way redistribution exclusively at each location
D. apply two­way redistribution at each location with a route filter at only one location
E. apply two­way redistribution at each location with a route filter at each location
F. apply EIGRP with the same autonomous system throughout both networks
Answer: E

16. A Cisco security mechanism has the following attributes: it is a sensor appliance it searches for potential attacks by capturing and analyzing traffic it is a “purpose­built device” it is installed passively it introduces no delay or overhead Which Cisco security mechanism is this?
A. IKE
B. PIX
C. HIPS
D. NIDS
E. HMAC A
nswer: D

17. You are designing a small branch office that requires these attributes:
support for 60 users the growth capacity to add another 15 users soon
redundant access higher bandwidth between the Layer 2 switch and routing to the WAN Which branch office topology or technology must be used?
A. two­tier
B. loop­free
C. three­tier
D. EtherChannel
E. integrated routing and switching
Answer: D

18. Which two of these best describe the implementation of a WAN Backup design over the Internet? (Choose two.)
A. a best­effort method
B. requires no ISP coordination or involvement
C. bandwidth guaranteed based on interface configuration
D. designed as an alternative to a failed WAN connection
E. implemented with a point­to­point logical link using a Layer 2 tunnel
Answer: A, D

19. Given a VoIP network with these attributes: Codec: G.711 WAN bandwidth: 768Kbps Packet Header:
6 bytes Payload: 160 bytes CRTP: No
How many calls can be made?
A. 7 calls
B. 8 calls
C. 9 calls
D. 11 calls
E. 13 calls
Answer: C

20. RST Corporation is planning to upgrade its current network. The chief technology officer has supplied a topology diagram and an IP addressing scheme of the current network during an interview. RST has been growing at about twenty percent per year. It has been difficult to maintain customer support at a
satisfactory level. Therefore, the RST board has met with and directed the chief technology officer to look into network improvements. Which two items are most relevant in documenting RST’s business requirements? (Choose two.)
A. projected growth estimates
B. network performance requirements
C. existing network topologies
D. improved customer support requirements
E. the IP addresses assigned by the ISP
Answer: A, D

21. The Cisco Data Center Network Architecture comprises which two Cisco SONA layers? (Choose two.)
A. Interactive Services
B. Business Applications
C. Network Infrastructure
D. Collaboration Applications
E. WAN/Internet
Answer: A, C

22. A lightweight access point is added to a working network. Which sequence will it use to associate itself with a wireless LAN controller?
A. master, primary, secondary, tertiary, greatest AP capacity
B. greatest AP capacity, primary, secondary, tertiary, master
C. primary, secondary, tertiary, master, greatest AP capacity
D. primary, secondary, tertiary, greatest AP capacity, master
Answer: C

23. What are the two most likely driving forces motivating businesses to integrate voice and data into converged networks? (Choose two.)
A. Voice has become the primary traffic on networks.
B. WAN costs can be reduced by migrating to converged networks.
C. Their PSTNs cannot deploy features quickly enough.
D. Data, voice, and video cannot converge on their current PSTN structures.
E. Voice networks cannot carry data unless the PRI circuits aggregate the BRI circuits.
Answer: D, E

24. Which Cisco security solution offers protection against “day zero” attacks?
A. Cisco Adaptive Security Appliance
B. Cisco Security Agent
C. Cisco IOS Firewall
D. Cisco IOS IPS
E. Cisco Traffic Anomaly Detector
Answer: B

25. A customer has the following Enterprise Campus design requirements:
at least 10 Gbps of bandwidth network runs of up to 40km no concern for transmission medium cost
Which transmission medium should you recommend to this customer?
A. shielded twisted pair
B. unshielded twisted pair
C. multimode fiber
D. single­mode fiber
E. wireless
Answer: D

26. Which two routing protocols operate over NBMA point­to­multipoint networks without the use of point­to­point subinterfaces? (Choose two.)
A. RIPv1
B. RIPv2
C. IGRP
D. EIGRP
E. OSPF
F. IS­IS
Answer: D, E

27. Which two of the following statements represent a preferred wireless LWAPP implementation? (Choose two.)
A. verify open ports for: Layer 2 LWAPP on ethertype OxABAB Layer 3 LWAPP on TCP 12222 and TCP 12223
B. verify open ports for: Layer 2 LWAPP on ethertype OxBBBB Layer 3 LWAPP on UDP 12222 and UDP 12223
C. verify open ports for: Layer 2 LWAPP on ethertype OxBABA Layer 3 LWAPP on UDP 12222 and TCP 12223
D. use of Layer 3 LWAPP is preferred over Layer 2 LWAPP E. use of Layer 2 LWAPP is preferred over Layer 3 LWAPP
Answer: B, D

28. What are three valid methods of gathering information about an existing data network? (Choose three.)
A. Use organizational input. B. Perform a traffic analysis.
C. Analyze the user­mapping of a running application.
D. Perform a packet­level audit to verify carrier service guarantees.
E. Perform a network audit to gather more detail about the network.
F. Use reports that analyze the metrics of the customer’s existing network.
Answer: A, B, E

29. Which two statements best describe Cisco Wireless 640-863 study guide
LAN Guest Access in a Cisco Unified Wireless Network? (Choose two.)
A. Dedicated guest VLANs are extended throughout the network to the access points for path isolation.
B. Dedicated guest VLANs are only extended to the wireless controllers in the network to ensure path isolation.
C. Dedicated guest access in the DMZ extends from the origination to the termination controllers without dedicated guest VLANs.
D. Guest tunnels can originate and terminate on any wireless controller platform.
E. Guest tunnels have limitations on which wireless controllers can originate the tunnel.
F. Guest tunnels have limitations on which wireless controllers can terminate the tunnel.
Answer: C, F

1. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
Eight Windows Server 2003 computers are members of the domain. These computers are used to store confidential files. They reside in a data center that only IT administration personnel have physical access to.
You need to restrict members of a group named Contractors 70-299
from connecting to the file server computers. Allother employees require access to these computers.
What should you do?
A. Apply a security template to the file server computers that assigns the Access this computer from the network right to the Domain Users group.
B. Apply a security template to the file server computers that assigns the Deny access to this computer from the net work right to the Contractors group.
C. Apply a security template to the file server computers that assigns the Allow log on locally right to the
Domain Users group.
D. Apply a security template to the file server computers that assigns the Deny log on locally right to the Contractors group.
Answer: B

2. You are a security administrator for your company. The network consists of a single Active Directory domain.
Four Windows Server 2003 computers run IIS and serve as Web servers on the Internet.
The company’s written security policy states that computers that are accessible from the Internet must be hardened against attacks. The procedure for hardening computers includes disabling unnecessary services. You evaluate which services are necessary by using the following information about the Web servers: Customers and business partners access Web content on the Web servers after they authenticate by using a user name and password. To access certain parts of the site, some of these connections use the SSL protocol.
All software is installed locally on the Web servers by using removable media, except for service packs and security patches.
The Web servers automatically download service packs and security patches from an internal computer that runs Software Update Services (SUS).
The Web servers are not functioning as any other roles.
You need to create a security template for the Web servers that disables unnecessary services and allows necessary services to operate.
What should you do?
To answer, drag the appropriate service startup types to the correct locations in the work area.

Answer:

3. You are a security administrator for your company. The network consists of a single Active Directory domain.
Servers run either Windows Server 2003 or Windows 2000 Server. All client computers run Windows 2000 Professional. The latest operating system service pack is installed on each computer.
Thirty Windows Server 2003 computers are members of the domain and function as file servers. Client computers access files on these file servers over the network by using the Server Message Block (SMB) protocol. You are concerned about the possible occurrence of man­in­the­middle attacks during SMB communications.
You need to ensure that SMB communications between the Windows Server 2003 file servers and the client computers are cryptographically signed. The file servers must not communicate with client computers if the client computers cannot sign SMB communications. Client computers must be able to use unsigned SMB communications with all other computers in the domain. What should you do to configure the file servers?
A. Apply a security template that enables the Microsoft network server: Digitally sign communications (always) setting.
B. Apply a security template that enables the Microsoft network server: Digitally sign communications (if client agrees) setting.
C. Apply a security template that enables the Domain member: Digitally sign secure channel data (when possible)setting.
D. Apply a security template that enables the Domain member: Digitally encrypt or sign secure channel data(always) setting.
Answer: A

4. You are a security administrator for your company. The network consists of two Active Directory domains that are in separate Active Directory forests. No Active Directory trust relationships exist between the domains. All servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows 2000Professional. All domain controllers run Windows Server 2003.
You discover that users in one domain can obtain a list of account names for users in the other domain. This capability allows unauthorized users to guess passwords and to access confidential data.
You need to ensure that account names can be obtained only by users of the domain in which the accounts reside.
Which two actions should you perform on the domain controllers? (Each correct answer presents part of the solution. Choose two.)
A. Apply a security template that disables the Network access: Allow anonymous SID/Name translation setting.
B. Apply a security template that enables the Network access: Do not allow anonymous enumeration of SAM accounts setting.
C. Apply a security template that enables the Network security: Do not store LAN Manager hash value on next password change setting.
D. Apply a security template that sets the Domain controller: LDAP server signing requirements setting to Require signing.
Answer: A, B

5. You are a security administrator for your company. The network consists of a single Active Directory domain.
All client computers run Windows XP Professional. All servers run Windows Server 2003. All computers on the network are members of the domain.
Traffic on the network is encrypted by IPSec. The domain contains a custom IPSec policy named Lan Security that applies to all computers in the domain. The Lan Security policy does not allow unsecured communication with non­IPSec­aware computers.
The company’s written security policy states that the configuration of the domain and the configuration of the Lan Security policy must not be changed.
The domain contains a multihomed server named Server1. Server1 is connected to the company network, and Server1 is also connected to a test network. Currently, the Lan Security IPSec policy applies to network traffic on both network adapters in Server1.
You need to configure Server1 so that it communicates on the test network without IPSec security. Server1 must still use the Lan Security policy when it communicates on the company network.
How should you configure Server1?
A. Configure a packet filter for the network adapter on the test network to block the Internet Key Exchange (IKE) port.
B. Configure the network adapter on the test network to disable IEEE 802.1x authentication.
C. Configure the network adapter on the test network to enable TCP/IP filtering, and then permit all traffic.
D. Use the netsh command to assign a persistent IPSec policy that permits all traffic on the network adapter on the test network.
E. Assign an IPSec policy in the local computer policy that permits all traffic on the network adapter on the test network.
Answer: D

6. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional. A server named Server1 is not a member of the domain. All other computers are members of the domain.
The network contains an enterprise certification authority (CA). All computers on the network trust the CA. The company’s written security policy states that all network traffic from the computers in the domain to Server1 must be encrypted. Server1 must not be added to the domain.
You configure a Group Policy object (GPO) that assigns the predefined IPSec policy named Client (Respond Only). You link the GPO to the domain. You configure Server1 to use the predefined IPSec policy named Secure Server (Require Security).
When you test this configuration, you cannot connect to Server1 from the computers in the domain.You need to implement the written security policy.
What should you do?
A. Disable the default exemptions to IPSec filtering on all computers in the domain.
B. Disable the default response rule in the Client (Respond Only) IPSec policy in the domain.
C. Configure Server1 so that it uses the predefined IPSec policy named Server (Request Security).
D. Configure the security options of the local computer policy on Server1 to always digitally sign communications.
E. Configure the assigned IPSec policies on Server1 and in the domain to use certificate­based authentication.
Answer: E

7. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows 2000 Professional. The company’s written security policy states the following requirements:
All access to files must be audited.
File servers must be able to record all security events.
You create a new Group Policy object (GPO) and filter it to apply to only file servers. You configure an audit policy to audit files and folders on file servers. You configure a system access control list (SACL) to audit the appropriate files.
You need to ensure that the GPO enforces the written security policy.
Which two additional actions should you perform to configure the GPO? (Each correct answer presents part of the solution. Choose two.)
A. Set a manual retention method for the security log.
B. Set the security log to retain entries for 7 days.
C. Set the maximum security log size to the maximum allowed size.
D. Configure the GPO to shut down the computer if it is unable to log security audits.
E. Ensure that users who are responsible for reviewing audit log data are granted the right to manage the securitylog.
Answer: A, D

8. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional. Administrators in your company use scripts to perform administrative tasks when they troubleshoot problems on client computers. They connect to the Telnet service on client computers when they run these scripts. For security reasons, all Telnet traffic is encrypted by using an IPSec policy. In addition, the Telnet service is configured for manual startup on all client 70-299 dumps
computers. Administrators manually start and stop the Telnet service when they perform administrative tasks.
Administrators report that they sometimes cannot start the Telnet service on client computers. You examine several client computers and discover that the Telnet service is disabled.
You need to ensure that administrators can troubleshoot problems on client computers at all times. What should you do?
A. Use a Restricted Groups policy in a new Group Policy object (GPO) to add the Domain Admins group to the Power Users group on each client computer.
B. Use a Restricted Groups policy in a new Group Policy object (GPO) to ensure that the Power Users group on each client computer contains no members.
C. Use a System Services policy in a new Group Policy object (GPO) to ensure that only Domain Admins can manage the Telnet service.
D. Use an Administrative Template setting to prevent local users from starting the Services snap­in.
Answer: C

9. You are a security administrator for your company. The company consists of two divisions. One division is named Coho Winery and is located in San Francisco. The other division is named Coho Vineyard and is located in Paris. Each division is connected to the Internet by a 1.544 Mbps WAN connection.
Coho Winery consists of a single Active Directory forest named cohowinery.com. All servers run Windows Server 2003. All client computers run Windows XP Professional. Coho Winery has a Microsoft SQL Server 2000 database that contains customer information. The SQL Server 2000 database is hosted on a Windows Server 2003 computer named Server1.
Coho Vineyard consists of a single Active Directory forest named cohovineyard.com. All servers run Windows 2000 Server. All client computers run Windows 2000 Professional or Windows NT Workstation.
All computers run the latest service packs.
To enable data replication, you configure a new Windows Server 2003 computer named Server2 in the cohovineyard.com forest. You install SQL Server 2000 on Server2. Your database administrator configures the database on Server1 to replicate to Server2 every night.
Management reports that a competitor acquired confidential customer data. You determine that the competitor intercepted customer data as it replicated from Server1 to Server2. You decide to use IPSec to protect customer data as it replicates.
You need to configure an IPSec policy to protect customer data as it replicates. What should you do?
A. Configure the IPSec policy to use Authentication Header (AH) in transport mode with Kerberos authentication.
B. Configure the IPSec policy to use Encapsulating Security Payload (ESP) with certificate­based authentication in tunnel mode.
C. Configure the IPSec policy to use Authentication Header (AH) with certificate­based authentication in transport mode.
D. Configure the IPSec policy to use Encapsulating Security Payload (ESP) with Kerberos authentication in tunnel mode.
Answer: B

10. You are a security administrator for your company. The network consists of a single Active Directory domain.
All domain controllers and servers run Windows Server 2003. All computers are members of the domain. The domain contains 12 database servers. The database servers are in an organizational unit (OU)
named DBServers. The domain controllers and the database servers are in the same Active Directory site.
You receive a security report that requires you to apply a security template named Lockdown.inf to all database servers as quickly as possible. You import Lockdown.inf into a Group Policy object (GPO) that is linked to the DBServers OU.
You need to ensure that the settings in the Lockdown.inf security template are applied to all database servers as quickly as possible.
What should you do?
A. On each database server, run the repadmin /replicate command.
B. On each database server, run the gpupdate command.
C. On each database server, run the secedit /refreshpolicy command.
D. On each database server, open Local Computer Policy, select Security Settings, and then use the Reload command.
E. On each database server, open Resultant Set of Policy, and then use the Refresh Query command.
Answer: B

11. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All computers are members of the domain.
The company’s written security policy states that all servers must have the security settings that are specified in a security template named Verify.inf. TheVerify.inf security template is copied to the Systemroot\Security\Templates folder on each server.
You need to verify that the servers on the network meet the requirements in the written security policy. What should you do?
A. On each server, run the gpresult command and save the results.
B. On each server, run the secedit.exe /analyze command for the Verify.inf security template and save the results.
C. On each server, run Microsoft Baseline Security Analyzer (MBSA) and save the results.
D. On a domain controller, import the Verify.inf security template into Security Configuration and Analysis, and then start the Resultant Set of Policy Provider service.
E. On a domain controller, import the Verify.inf security template into the Default Domain Policy Group Policy object (GPO), and then run the gpupdate command.
Answer: B

12. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All servers are members of the domain.
The company plans to deploy a new application named App1. The application runs on servers. To test the compatibility between App1 and other applications that run on the servers, you need to change several file and registry permissions in the Windows folder on the servers. A security template named TestPerms contains the file and registry permissions that need to be set for the application testing.
You create a new Group Policy object (GPO) named TestApp. You import the TestPerms security template into the TestApp GPO. You link the TestApp GPO to an organizational unit (OU) that contains only the servers that are used for the test.
You need to ensure that the file and registry permissions are set to the permissions in the TestPerms security template only during application testing.
What should you do when the application testing ends?
A. Disable the computer configuration settings in the TestApp GPO.
B. Disable the TestApp GPO link to the OU.
C. Unlink the TestApp GPO from the OU.
D. Delete the TestApp GPO, and then run the gpupdate.exe /sync command.
E. Delete the TestApp GPO, and then apply a security template that contains the original permissions.
Answer: E

13. You are a security administrator for your company. The network consists of a single Active Directory domain.
All servers run Windows Server 2003. All client computers run Windows XP Professional.
One hundred users in your company are currently using an application named App1. App1 is stored in a folder onthe hard disk of each user’s client computer. To secure App1, you create a new Group Policy
object (GPO) named App1 Policy. The App1 Policy GPO contains a file system security policy that applies a custom DACL to App1.
You configure the DACL to assign all users only the Allow ­ Read permission. You filter the App1 Policy GPO to apply only to computers that have App1 installed.
After you apply the App1 GPO, users immediately report that they 70-299 study guide
receive an error message when they attempt to use App1. You delete the entry for App1 in the file system security policy. Users continue to report that they receive the same error message when they attempt to use App1.
You need to configure the network so that users can use App1. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Delete the App1 Policy GPO. Restart all client computers.
B. Create a new file system security policy in the App1 Policy GPO that assigns default permissions to App1.
C. Import the Setup security.inf security template into the App1 Policy GPO.
D. Disable the App1 Policy GPO.
Answer: B

14. You are the security administrator for your company. The network consists of two segments named Segment A and Segment B. The client computers on the network run Windows XP Professional. The servers run Windows Server 2003.
Segment A contains a single server named Server1. Segment B contains all other computers, including a server named Server2.
The company’s written security policy states that Segment B must not be connected to the Internet.
Segment A is allowed to connect to the Internet. There is no network connection between Segment A and Segment B. You can copy files from Segment A to Segment B only by using a CD­ROM to transport the files between the two segments. The network topology is displayed in the exhibit. (Click the Exhibit button.)

You are planning a patch management infrastructure. On Segment B, you install Software Update Services (SUS) on Server2. You configure Automatic Updates on all computers in Segment B to use http://Server2 and to install security patches.
You need to ensure that all computers in Segment B automatically install security patches. What should you do?
A. Install SUS on Server1. Periodically copy the files in the Content folder and in the SUS root folder from Server1 to Server2.
B. Install SUS on Server1. Periodically copy the files in the Content folder from Server1 to Server2. Copy the Approveditems.txt file from Server1 to the Windows folder on Server2.
C. On Server1, periodically connect to the Microsoft Windows Update Catalog Web site and download new security patches. Copy the files to the Content folder on Server2.
D. On Server1, configure Automatic Updates to use the URL of the Microsoft Windows Update Web site. Periodically copy the downloaded files and the Mssecure.xml file to the Content folder on Server2.
Answer: A

15. You are a security administrator for your company.
Your company uses an accounting and payroll application. Twenty payroll clerks use the application to input data from their client computers to a database running on a Microsoft SQL Server 2000 computer named Server1.
You need to prevent unauthorized interception of the data as it travels over the company network.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure SQL Server 2000 on Server1 to use SSL.
B. Configure an IPSec policy to require Authentication Headers (AHs) between the payroll client computers and Server1.
C. Configure an IPSec policy to require Encapsulating Security Payload (ESP) between the payroll client computers and Server1.
D. Configure Server1 to require Server Message Block (SMB) signing.
Answer: A, C

1.What is the purpose of the qos pre-classify command?
A. to enable the IOS to copy the ToS field from the original IP header to the outer tunnel IP header
B. to enable the IOS to copy the ToS field from the outer tunnel IP header back into the original IP header
C. to enable the IOS to classify the packet based on the original IP header instead of the tunnel IP header
D. to enable the IOS to classify the packet based on 642-642
the outer tunnel IP header instead of the original IP header
E. to enable class-based marking on tunnel interface
F. to enable class-based marking on IPSec crypto maps
Answer: C

2.What are two benefits of WFQ? (Choose two.)
A. WFQ is very easy to configure, and no manual traffic classification is necessary.
B. WFQ can provide fixed-bandwidth and fixed-delay guarantees. C. WFQ can provide fixed-bandwidth guarantees.
D. WFQ can provide fixed-delay guarantees.
E. WFQ prevents the large-volume flows with large packet size from starving out the low-volume flows with small packet size.
F. Based on DSCP, WFQ allows weighted, random dropping of packets when the WFQ system is full.
Answer: A, E

3.Based on the configuration, which two of the following statements are true? (Choose two.)

A. This configuration will use a single token bucket.
B. This configuration will drop all exceeding traffic.
C. This is a dual-rate, class-based policing example.
D. This is a percentage-based policing example.
E. This is a multi-action, class-based policing example.
Answer: C, D

4.Based on the configuration, which two statements are true? (Choose two.)

A. The interactive traffic class will have a minimum bandwidth guarantee of 256 kbps.
B. The interactive traffic class will have a maximum bandwidth guarantee of 256 kbps.
C. If the interactive traffic class exceeds an average rate of 256 kbps, the traffic rate will be throttled down to 128 kbps.
D. This configuration allows class-based traffic shaping to lower the traffic rate in response to the BECN bit.
E. The interactive traffic class will have a min-rate (min-cir) of 128 kbps.
Answer: D, E

5.Which technology is required when configuring FRF.12 on a Cisco device?
A. FRF11.c
B. FRF.8
C. VoFR
D. MLP with interleaving
E. FRTS
F. WRED
Answer: E

6.What are three methods of reducing delay for critical 642-642 dumps
applications in a converged network? (Choose three.)
A. Apply payload compression.
B. Increase link capacities.
C. Apply header compression.
D. Increase LFI fragment size.
E. Reduce inter-packet gaps.
F. Increase all queue depths.
Answer: A, B, C

7.At the network layer, IP packets are typically classified based on which three items? (Choose three.)
A. packet length
B. VLAN Identifier
C. flow control bits
D. source and destination IP addresses
E. content of the ToS byte
Answer: A, D, E

8.What are three reasons link efficiency mechanisms are deployed on WAN links? (Choose three.)
A. decrease delay
B. decrease jitter
C. increase link speed
D. increase throughput
E. decrease propagation delay
Answer: A, B, D

9.Which mechanism is used for the prioritizing, protection, and isolation of traffic based on marking?
A. classification and marking
B. congestion management
C. congestion avoidance
D. metering
E. policing
F. shaping
Answer: B

10. Click and drag each statement on the left to 642-642 study guide
the proper traffic policing method on the right.