Welcome to Certifiable, your exam prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams. Following the questions, you'll find the correct answers and explanatory text. We change the questions weekly.
This week, we have three questions about Exam 70-216: Implementing and Administering a Microsoft Windows 2000 Network Infrastructure.
Question 1
In Windows 2000, you can use either the Control Panel Network and Dial-up Connections applet's Internet Connection Sharing (ICS) feature or the Network Address Translation (NAT) routing protocol, which accompanies RRAS, to configure a translated connection to the Internet. Which of the following statements about ICS and NAT are correct? (Choose all that apply.)
- A. ICS offers one-checkbox configuration, but NAT requires manual configuration.
- B. ICS lets you use multiple public IP addresses, but NAT lets you use just one public IP address.
- C. You shouldn't use ICS in a network with existing DNS servers and DHCP servers, but you can use NAT in such an environment without problems.
- D. ICS gives you a configurable address range for hosts, but NAT gives you only a fixed address range for hosts.
Question 2
As the administrator for a small network, you're configuring Active Directory (AD) for the first time. The network has no DNS configuration, but you want network clients to be able to perform forward- and reverse-lookup queries against a DNS server. The clients are Windows 2000 Professional machines that you have configured as DHCP clients.
You run DCPROMO to configure a server named WServer8 as a domain controller (DC). During the AD installation, you choose the option that installs the DNS service. After the DCPROMO process finishes, you make all your client machines members of the domain that you have created. What additional steps must you perform to let all clients perform forward- and reverse-lookup queries for the domain? (Choose all that apply.)
- A. Configure a DHCP server and create a DHCP scope, then configure the scope options to give the DHCP clients WServer8's IP address to use as the DNS server.
- B. Create a forward-lookup zone for the domain and configure the zone to accept dynamic updates.
- C. Create a reverse-lookup zone for the domain and configure the zone to accept dynamic updates.
- D. Convert the zones from standard primary zones to AD-integrated zones.
Question 3
To enforce a greater degree of security for DNS records on the network, Sam wants to require that all dynamic updates be secure dynamic updates. Sam opens the DNS console and goes into a zone's properties but finds that the option to permit only secure dynamic updates isn't available. Which of the following explains why Sam can't require secure dynamic updates?
- A. The domain is running in mixed mode. You must convert a domain to native mode before it can accept secure dynamic updates.
- B. The zone isn't Active Directory (AD)-integrated. Only AD-integrated zones support secure dynamic updates.
- C. The network includes Windows 2000 DHCP servers that are members of the DnsUpdateProxyGroup. For security reasons, you must first remove any Win2K DHCP servers from this group before requiring secure dynamic updates.
- D. The network includes Win2K DHCP servers that you haven't configured as domain controllers (DCs). For security reasons, you must convert all Win2K DHCP servers to DCs before requiring secure dynamic updates.
Answer to Question 1
The correct answer is A—ICS offers one-checkbox configuration, but NAT requires manual configuration; and C—You shouldn't use ICS in a network with existing DNS servers and DHCP servers, but you can use NAT in such an environment without problems.
ICS gives you:
- One-checkbox configuration
- One public IP address
- A fixed address range for Small Office/Home Office (SOHO)
- One SOHO interface
NAT gives you:
- Manual configuration
- Multiple public IP addresses
- A configurable address range for SOHO
- Multiple SOHO interfaces
You shouldn't use ICS on a network that includes Win2K Server DCs, DNS servers, gateways, DHCP servers, or systems configured with static IP addresses. If you run these components on your network, you should use NAT instead.
Answer to Question 2
The correct answer is A—Configure a DHCP server and create a DHCP scope, then configure the scope options to give the DHCP clients WServer8's IP address to use as the DNS server; and C—Create a reverse-lookup zone for the domain and configure the zone to accept dynamic updates.
When installing the DNS service as part of the AD installation process, you create a zone based on the AD domain. The installation automatically configures this zone to accept dynamic updates. However, the process doesn't create a reverse-lookup zone automatically, so you must create it manually if you want to support reverse-lookup queries. AD-integrated zones aren't necessary to support forward- and reverse-lookup queries from clients.
Answer to Question 3
The correct answer is B—The zone isn't Active Directory (AD)-integrated. Only AD-integrated zones support secure dynamic updates.
For Win2K, DNS update security is available only for zones that you have integrated into AD. Once you integrate a zone, ACL editing features become available in the DNS console, so you can add or remove users or groups from the ACL for a specified zone or resource record.
If you use multiple Win2K DHCP servers on your network and also configure your zones to permit secure dynamic updates only, you need to use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to add your DHCP server computers to the built-in DnsUpdateProxyGroup. Doing so gives all your DHCP servers the secure rights to perform proxy updates for any of your DHCP clients.
Running a DHCP server on a DC when a Win2K DHCP server is configured to perform DNS record registrations for clients can compromise the use of secure dynamic updates. To avoid this issue, deploy DHCP servers and DCs on separate computers.