Windows Server Exam 3

32 Terms

1

Which of the following best describes DNS? (Choose all that apply.)

a. Hierarchical database

b. Flat database

c. Monolithic database

d. Distributed database

a. Hierarchical database, d. Distributed database

DNS is a hierarchical database with multiple levels starting with the root, top-level domain name, second-level domain name, and so on. It is also a distributed database in that no one server holds all the DNS information on the Internet.

2

What type of zone should you create that contains records allowing a computer name to be resolved from its IP address?

a. RLZ

b. FLZ

c. Stub

d. TLD

a. RLZ

A reverse lookup zone (RLZ) contains PTR records, which are IP addresses that point to hostnames so a hostname can be resolved given an IP address.

3

A resource record containing an alias for another record is which of the following record types?

a. A

b. CNAME

c. NS

d. PTR

b. CNAME

A CNAME (canonical name) record is also referred to as an alias. It is another name that a host can be referenced by, and it is resolved to the same IP addresses as the associated A or AAAA record.

4

What type of resource record is necessary to get a positive response from the command nslookup 192.168.100.10?

a. A

b. CNAME

c. NS

d. PTR

d. PTR

A PTR record is used in reverse lookup zones to resolve a given IP address to a hostname.

5

You have a DNS server outside your corporate firewall that’s a standalone Windows Server 2022 server. It hosts a primary zone for your public Internet domain name, which is different from your internal Active Directory domain names. You want one or more of your internal servers to be able to handle DNS queries for your public domain and to serve as a backup for the primary DNS server outside the firewall. Which configuration should you choose for internal DNS servers?

a. Configure a standard secondary zone.

b. Configure a standard stub zone.

c. Configure a forwarder to point to the primary DNS server.

d. Configure an Active Directory–integrated stub zone.

a. Configure a standard secondary zone.

A standard secondary zone is read-only and serves as a backup or secondary DNS server for a primary DNS zone. A standard secondary zone is not Active Directory–integrated; it retrieves updates from the primary zone periodically and when changes are made in the primary zone.

6

Which of the following is true about stub zones? (Choose all that apply.)

a. They’re authoritative for the zone.

b. Their records are updated by the primary server automatically.

c. They can’t be Active Directory–integrated.

d. They contain SOA and NS records.

b. Their records are updated by the primary server automatically.

d. They contain SOA and NS records.

Stub zones contain NS and SOA records from a primary zone so that queries made to the primary zone can be forwarded to the appropriate server(s). They differ from conditional forwarders in that the NS records are updated automatically if the primary zone’s name server IP address changes.

7

You’re in charge of a standard primary zone for a large network with frequent changes to the DNS database. You want changes to the zone to be transmitted as quickly as possible to all secondary servers. What should you configure and on which server?

a. Configure DNS notifications on the primary zone server.

b. Configure DNS recursion on the secondary zone servers.

c. Configure round robin on the primary zone server.

d. Configure a smaller default TTL for the primary zone server.

a. Configure DNS notifications on the primary zone server.

Notifications allow a primary zone DNS server to inform a secondary zone server when changes are made to the zone so that changes get reflected in the secondary zone immediately.

8

You have a zone containing two A records for the same hostname, but each A record has a different IP address configured. The host records point to two servers hosting a high-traffic website, and you want the servers to share the load. After some testing, you find that you’re always accessing the same web server, so load sharing isn’t occurring. What can you do to solve the problem?

a. Enable the load-sharing option on the zone.

b. Enable the round-robin option on both A records.

c. Enable the load-sharing option on both A records.

d. Enable the round-robin option on the server.

d. Enable the round-robin option on the server.

The round-robin option causes the DNS server to return multiple IP addresses in a rotating order so that each server is accessed in subsequent queries, causing them to share the load.

9

Which is the correct order in which a DNS client tries to resolve a name?

a. Cache, DNS server, Hosts file

b. Hosts file, cache, DNS server

c. Cache, Hosts file, DNS server

d. DNS server, cache, Hosts file

c. Cache, Hosts file, DNS server

A DNS client checks its local cache first, then its Hosts file, then the configured DNS server.

10

Which of the following protects against DNS cache poisoning by enabling a DNS server to randomize the source port when performing DNS queries?

a. Zone signing

b. Data integrity

c. Socket pool

d. Cache locking

c. Socket pool

A socket pool prevents an attacker from sending a spoofed reply to a DNS server. If the attacker doesn’t use the correct port and transaction ID in the reply, the DNS server will reject the data sent from the attacker.

11

Which of the following is true about DHCP? (Choose two.)

a. There are eight message types.

b. DHCPDISCOVER messages sent by clients traverse routers.

c. It uses the UDP Transport layer protocol.

d. An initial address lease involves three packets.

a. There are eight message types., c. It uses the UDP Transport layer protocol.

DHCP uses the UDP Transport layer protocol and there are eight message types. DHCPDISCOVER messages are broadcasts and do not traverse routers. An initial address lease involves four packets: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK.

12

In the DHCP server’s statistics, you notice that a lot of DHCPNAK packets have been transmitted. What’s the most likely reason?

a. You changed the range of addresses in a scope recently.

b. The DHCP server has been taken offline.

c. The server is offering a lot of addresses that are already in use.

d. Client computers are getting multiple offers when they request an address.

a. You changed the range of addresses in a scope recently.

A change in the range of addresses in a scope can cause DHCPNAKs generated by the DHCP server because it will be responding to requests to renew IP address leases that are no longer part of the scope.

13

You have configured your computers with static IP addresses but want them to get the DNS server and default gateway settings via DHCP. What type of DHCP message do you see as a result?

a. DHCPREQUEST

b. DHCPRELEASE

c. DHCPNAK

d. DHCPINFORM

d. DHCPINFORM

DHCPINFORM messages are used to request scope options such as router/default gateway, DNS server, domain name, and so forth.

14

After you install the DHCP Server role on a member server, what must occur before the server can begin providing DHCP services?

a. Options must be configured.

b. The server must be restarted.

c. The server must be authorized.

d. Filters must be created.

c. The server must be authorized.

A DHCP server must be authorized before it can begin providing DHCP services. Options and filters are not required, and the server does not have to be restarted.

15

What should you define in a scope to prevent the DHCP server from leasing addresses that are already assigned to devices statically?

a. Reservation scope

b. Exclusion range

c. Deny filters

d. DHCP policy

b. Exclusion range

An exclusion range prevents the DHCP server from offering addresses specified in the range. Exclusions are typically used to block out a range of IP addresses that fall within the scope of addresses but are already statically assigned to devices.

16

You have four printers that are accessed via their IP addresses. You want to be able to use DHCP to assign addresses to the printers, but you want to make sure they always have the same address. What’s the best option?

a. Create reservations.

b. Create exclusions.

c. Configure filters.

d. Configure policies.

a. Create reservations.

A reservation reserves an address for a device based on the device’s MAC address. When a request from the device is seen by the server, it always uses the address in the reservation.

17

You want high availability for DHCP services, a primary server to handle most DHCP requests, and a secondary server to respond to client requests only if the primary server fails to respond promptly. The primary server has about 85 percent of the IP addresses to lease, leaving the secondary server with about 15 percent. You don’t want the servers to replicate with each other. What should you configure?

a. Multicast scope

b. Failover

c. Superscope

d. Split scope

d. Split scope

With a split scope, the pool of IP addresses is split between two servers. Typically, one server has the majority of IP addresses and is considered the primary server. The secondary server has a smaller portion of addresses and is configured for a delay, so its addresses are only used if the primary server is slow or not responding. A failover configuration has two servers providing DHCP services, but only one of them is active. They share the same scope information, which is replicated between them. If the primary server goes offline, the secondary server becomes active.

18

You have a DHCP server with two NICs: NIC1 and NIC2. NIC1 is connected to a subnet with computers that use DHCP for address assignment. NIC2 is connected to the datacenter subnet, where all computers should use static addressing. You want to prevent the DHCP server from listening for DHCP packets on NIC2. What should you do?

a. Configure bindings.

b. Disable the scope.

c. Create a filter for NIC2.

d. Configure failover.

a. Configure bindings.

Bindings allow you to configure an interface to respond or not respond to packets for a certain service, such as DHCP. When a binding for DHCP is disabled, it prevents the server from listening for DHCP messages on UDP port 67.

19

You’re reviewing DHCP server statistics and notice that the server has received many DHCPDECLINE messages. What should you configure on the server to reduce the number of DHCPDECLINE messages?

a. DHCP policies

b. Conflict detection

c. Connection bindings

d. DNS credentials

b. Conflict detection

Conflict detection causes the DHCP server to attempt to ping an IP address before it’s offered to a client to make sure the address isn’t already in use. Because most client computers perform conflict detection before accepting an offered address, conflict detection should be enabled on the DHCP server only if the server is receiving many DHCPDECLINE messages.

20

You have a network of 150 computers and notice that a computer you don’t recognize has been leasing an IP address. You want to make sure this computer can’t lease an address from your server. What’s the best solution that takes the least administrative effort?

a. Create an allow filter.

b. Create a new policy.

c. Create a deny filter.

d. Create a Vendor Class.

c. Create a deny filter.

If you create an allow filter, only a device with a MAC address in the filter list can lease an IP address from the DHCP server. All other devices are denied. If you create a deny filter, all devices except those with a MAC address in the filter list can lease an address from the DHCP server.

21

You want to deploy IPAM in your network. You have four servers running and need to decide on which server you should install the IPAM Server feature. Which of the following server configurations is the best solution?

a. Windows Server 2022 domain controller

b. Windows Server 2022 standalone server running DHCP

c. Windows Server 2022 member server running Web Server

d. Windows Server 2022 member server running DHCP

c. Windows Server 2022 member server running Web Server

An IPAM server must be a domain member and cannot be a domain controller. Also, the IPAM server should not be a DHCP server because DHCP discovery will be disabled.

22

Which of the following is a service provided by the Remote Access server role? (Choose all that apply.)

a. Network Address Translation

b. Web Application Proxy

c. Windows Server Update Services

d. Internet Information Services

a. Network Address Translation, b. Web Application Proxy

The Remote Access server role provides Network Address Translation, Web Application Proxy, routing, VPN, and dial-up services.

23

Which VPN tunnel type requires the firewall to allow TCP port 443?

a. PPTP

b. SSTP

c. L2TP/IPsec

d. PPP

b. SSTP

The Secure Socket Tunneling Protocol uses digital certificates for authentication and encryption key exchange. By default, it uses the same port as HTTPS: port 443.

24

Which remote access configuration option should you choose if you want mobile users to be able to make a secure connection to the main network and allow computers on the private network to access the Internet with a public IP address?

a. Remote access (dial-up or VPN)

b. Network Address Translation

c. VPN access and NAT

d. Secure connection between two private networks

c. VPN access and NAT

VPN allows a secure connection for mobile users to the organization’s network, while Network Address Translation (NAT) is required to allow devices with private IP addresses to access the Internet.

25

When you create a VPN connection on a client computer, what’s the default tunnel type?

a. SSTP

b. PPTP

c. Automatic

d. L2TP/IPsec

c. Automatic

The default tunnel type is automatic, which means the client will attempt to connect using each tunnel type until a connection is successful.

26

What should you configure if you want only users who are members of particular groups to be able to connect to the VPN?

a. Connection request policy

b. Network policy

c. Remote authentication rule

d. Network access rule

b. Network policy

The groups a user belongs to can control VPN access based on the network policy’s access permission setting. With user groups and IP filters, you can create policies that restrict users to using specific protocols and specific servers.

27

Which of the following are options for configuring NPS? (Choose two.)

a. As a RADIUS server

b. As a RADIUS client

c. As a RADIUS proxy

d. As both a RADIUS client and server

a. As a RADIUS server, c. As a RADIUS proxy

After NPS is installed, you can configure the server to be a RADIUS server, RADIUS proxy, or both.

28

What do network policies specify?

a. Which RADIUS servers handle connection requests from RADIUS clients

b. Which users and groups can connect, what times they can access the network, and what conditions apply

c. Both a and b

d. None of these

c. Both a and b

Network policies specify who can connect to the network and under what conditions. You use network connection policies to specify which RADIUS servers handle connection requests from RADIUS clients.

29

RADIUS proxies distribute requests equally between servers when which of the following is true?

a. The load balancing attribute is set.

b. The servers have the same priority.

c. Each server has a different weight.

d. The servers have the same weight and priority.

d. The servers have the same weight and priority.

To distribute the load between two servers evenly, you could assign each a priority of 1 and a weight of 50 so that each server gets 50 percent of the connection requests. Setting just the priority doesn’t result in load balancing because the lowest-priority server continues getting requests unless it becomes unavailable. However, a priority of 1 can be assigned to multiple servers, and the Weight setting can be used to force load balancing.

30

Which of the following is an authentication type for EAP and is a cryptographic protocol used to encrypt network messages?

a. System Extensible Protocol

b. Transport Layer Security

c. Protected Extensible Authentication Protocol

d. Password Authentication Protocol

b. Transport Layer Security

The authentication type for EAP is Transport Layer Security (TLS), which is a cryptographic protocol used to encrypt network messages. TLS provides privacy (data encryption), data integrity (which detects unauthorized changes in the data), and authentication.

31

When a certificate is used for authentication, the certification authority (CA) must be trusted by the client or server. To be trusted, the CA must have which of the following in the Trusted Root Certification Authorities certificate store?

a. Trusted CA

b. CA certificate

c. Client certificate

d. Authenticated certificate

b. CA certificate

For a certificate to be used for authentication, the CA must be trusted by the client or server. To be trusted, the CA must have a root certificate (also called the “CA certificate”) in the Trusted Root Certification Authorities certificate store.

32

When a RADIUS server receives a RADIUS Access-Request message from a RADIUS client, which of the following are checked against the connection request policy’s conditions?

a. Client’s permissions

b. RADIUS server’s attributes

c. Group policies

d. Client’s attributes

d. Client’s attributes

When a RADIUS server receives a RADIUS Access-Request message from a RADIUS client, the client’s attributes are checked against the connection request policy’s conditions. The attributes in the Access-Request message must match at least one of the conditions in the policy before the NPS server acts as a RADIUS server or RADIUS proxy.