70-642 Config IP Addressing And Services

A. Install a DHCP Relay Agent on the user's local subnet. ------ In Windows Server 2008, the DHCP Relay Agent service is installed as a service of the RRAS server role. The DHCP Relay Agent allows DHCP broadcast messages to cross router interfaces.

B. Disable PXE on the user's computer. ------ The Preboot Execution Environment (PXE) represents an alternate way for a device to obtain an IP address lease from DHCP. However, PXE does not factor into this scenario.

C. Enable traffic on TCP 1542 as a Windows Firewall exception on the user's computer. ------ DHCP Relay is defined in Request for Comments (RFC) 1542. Traditional DHCP traffic is not blocked by Windows Firewall due to its mission-critical nature.

D. Install a WDS server on the user's local subnet. ------ Windows Deployment Service (WDS) is an operating system deployment technology that relies upon DHCP. However, the WDS service itself will not allow DHCP Discover packets to cross router interfaces.

A. Configure the users with IPv6 addresses. ------ We must be careful never to make assumptions on IT certification exams. Because the scenario says nothing about an IPv6 deployment, we can safely determine that we are using the current industry standard, which is IPv4.

B. Configure the users' computers with APIPA IP addresses. ------ Automatic Private IP Addressing (APIPA) addresses, which exist in the range 169.254.X.Y, are invoked automatically whenever a DHCP client is unable to reach a DHCP server. APIPA addresses won't work for the users when they are at home.

C. Use the Alternate Configuration feature to configure the laptop computers with static primary IP addresses. ------ The primary connection method for LAN adapters must be set for DHCP to have the ability to use a static configuration as an alternate configuration.

D. Use the Alternate Configuration feature to configure the laptop computers with a static secondary address. ------ If the primary (DHCP) configuration fails, then the alternate configuration (either APIPA or static addressing) takes over.

A. The network's DHCP server is offline. ------ The scenario does not state if these hosts are statically or dynamically assigned their IP addresses. However, if a DHCP server were unavailable then the default behavior would be for each machine to auto-generate APIPA addresses.

B. HostA and HostB are using an incorrect subnet mask. ------ The decimal subnet mask 255.255.252.0 (22 bits) is correct.

C. HostA and HostB reside on different IP subnets. ------ HostA belongs to subnet ID 172.16.8.0, and HostB belongs to subnet ID 172.16.12.0.

D. HostA and HostB are using different default gateway addresses. ------ These two hosts SHOULD be using different default gateway addresses, as their IP network addresses are different. Remember that routers typically discard NetBIOS broadcast traffic, which accounts for why the hosts are unable to communicate by using this method.

A. Verify that the authentication method in use in the domain is Kerberos V5. ------ With Connection Security Rules, you can mandate Kerberos, digital certificate, or default authentication options.

B. Ensure that the Connection Security Rule is associated with the Domain Profile. ------ Remember that Windows Firewall supports three profiles: Domain, Private, and Public. In domain networking we need to configure the Domain profile.

C. Ensure that the Connection Policy contains the Isolation rule. ------ You have much choice in the rules that govern whether an IPSec policy will proceed or not.

D. Verify that the policy requirement is set to the Require authentication for inbound and outbound connections. ------ While this is a good and effective policy requirement, it won't amount to a proverbial hill of beans unless the Connection Security Rule is attached to the proper Windows Firewall profile.

A. Ping the site-local address of the server. ------ You can ping the link-local address of the server, but not the site-local address.

B. Issue the command ping -426 fs01.birdco.com from your administrative workstation. ------ The -426 switch is invalid.

C. Ping the link-local address of the server. ------ You can ping IPv6 addresses by using the -6 flag or by specifying the link-local address of the target host.

D. Issue the command ping -6 fs01.birdco.lan from your administrative workstation. ------ The -6 flag of the ping.exe command enables you to lookup the AAAA record for the host in DNS and issue the ping.

A. Disable IPv6 by adding the DisabledComponents DWORD value to the Registry of the development workstations. ------ Although this option is technically correct, it is more cumbersome and prone to error than is modifying the LAN connection properties on the development workstations.

B. Uninstall Windows Meeting Space on the development workstations. ------ If you disable IPv6, then programs that use the Windows Peer-to-Peer networking protocols won't work anymore. However, simply uninstalling Meeting Space does not affect the running status of the IPv6 stack itself.

C. Disable IPv6 by configuring the Local Area Connection properties of the six development workstations. ------ The easiest way to disable IPv6 on a per-interface basis is to deselect the "Internet Protocol version 6" option in the appropriate computers' Local Area Connection properties.

D. Uninstall IPv6 from the Programs and Features Control Panel item on the development workstations. ------ You cannot uninstall IPv6 in Windows Vista and Windows Server 2008; you can only disable the protocol stack.

A. Enable the Peer Name Resolution Protocol (PNRP) on all organizational firewalls. ------ PNRP is an IPv6-based discover technology that underpins Microsoft applications such as Meeting Space. However, without Teredo enabled on all firewalls, the firewalls will not let IPv6 packets traverse NAT.

B. Create at least one IPv6 scope on all DHCP servers. ------ This answer choice represents a classic "red herring." That is, we don't need to worry about IP addressing. There is nothing in the scenario that would lead us to believe there is a problem with addressing.

C. Create static NAT translation entries on all organizational firewalls. ------ Although this would solve the problem, it is almost mind-numbingly complex compared to enabling Teredo on all firewalls.

D. Enable Teredo on all organizational firewalls. ------ Teredo technology allows IPv6 packets to traverse IPv4 Network Address Translation (NAT) firewalls. The Teredo client is enabled by default in Windows Server 2008 and Windows Vista.

A. Reauthorize the DHCP server in Active Directory. ------ Deleting and recreating scopes is not an action that would unauthorize an already authorized DHCP server in Active Directory.

B. Reboot the DHCP server. ------ Simply rebooting the server won't ensure that IP address conflicts do not occur.

C. Enable conflict detection on the server. ------ Conflict detection involves the server sending out one or more ICMP ping messages to clients before leasing addresses to them. The purpose of this is to prevent IP address conflicts from occurring on the network.

D. Enable audit logging on the DHCP server. ------ While it is a terrific idea to audit DHCP for security and performance reasons, doing so in this case will not solve the stated problem.

A. Create a new exclusion range in DHCP. ------ An exclusion range removes one or more IP addresses from a DHCP scope, ensuring that DHCP will never offer those addresses to DHCP clients.

B. Configure the appropriate scope option in DHCP. ------ Scope and/or server options will not help us solve the problem that is outlined in this scenario.

C. Configure the appropriate server option in DHCP. ------ There exists no scope or server option that would prevent duplicate addresses from being delivered. We need to use either exclusions or client reservations.

D. Create reservations for the new servers in DHCP. ------ Because the scenario states that the new servers are configured with static IP addresses, client reservations will not work in this situation.

A. Configure one RRAS server as a WINS Proxy Agent. ------ WINS proxy is not the issue here because Request for Comments (RFC 1542) discusses how to route DHCP/BOOTP broadcast messages through router interfaces.

B. Configure all RRAS servers as DHCP Relay Agents. ------ This methodology ensures that BOOTP/DHCP broadcast traffic is routed to the network's single live DHCP server.

C. Configure all RRAS servers as WINS Proxy Agents. ------ We need DHCP Relay on this routed internetwork, not WINS Proxy.

D. Configure one RRAS server as a DHCP Relay Agent. ------ We need to ensure that DHCP messages can be captured and transmitted via IP unicast on all subnets. Therefore, we need DHCP relay on all subnets.

A. Deploy a NAP policy. ------ Network Access Protection (NAP) represents a method for ensuring system health in a network.

B. Define a Wired Network (IEEE 802.3) policy. ------ Wired Network policies enable IEEE 802.1X authentication to take place. These policies do not govern packet-level data encryption.

C. Define a Network List Manager policy. ------ These policies control which networks a domain member computer can associate with.

D. Define an IPSec policy. ------ IPSec policies are known as Connection Security Rules in Windows Server 2008 and Windows Vista.

A. Restart the DHCP server. ------ This option (a) would not solve the problem and (b) cause a disruption of service on the network.

B. Authorize the new network interface in Active Directory. ------ DHCP Server is authorized in Active Directory on a per-interface (IP address) basis.

C. Install Windows Deployment Services (WDS) on the DHCP server. ------ WDS interacts very closely with DHCP for obvious reasons; however, these are fundamentally two different technologies with two different purposes.

D. Restart the DHCP Server service. ------ The issue here is that the second NIC and its associated IP address are not authorized to perform DHCP Server services in Active Directory. Therefore, simply restarting the DHCP service will have no positive effect on this situation.

A. Anycast ------ IPv6 supports anycast data transmission.

A. Anycast ------ IPv6 supports anycast data transmission.

C. Unicast ------ IPv6 supports point-to-point (unicast) data transmission.

C. Unicast ------ IPv6 supports point-to-point (unicast) data transmission.

A. Change the server's IP address to 172.16.0.3. ------ The problem here is that the given IP address and the subnet mask do not match.

B. Configure the server to use a /20 subnet mask. ------ The given IP address is invalid with a 19-bit subnet mask. Here we need to use a /20 (255.255.240.0 in decimal) subnet mask.

C. Change the server's IP address to 172.16.32.3. ------ The problem here is in the subnet mask.

D. Configure the server to use the subnet mask 255.255.128.0. ------ This subnet mask masks only 17 bits, which continues to render the server's IP address as invalid.

A. Set the interface metric of LAN1 to 2 and the interface metric of LAN2 to 1. ------ Because, in this case, the LAN1 interface has a higher metric, the server will prefer the wrong interface.

B. Set the interface metric of LAN1 to 1 and the interface metric of LAN2 to 2. ------ Higher metric numbers denote higher-priority network adapters. Therefore, in this case, the server will favor the LAN2 interface to the LAN1 interface.

C. Install the Microsoft Loopback Adapter and set its interface metric to 2. ------ We can be very certain that we don't want to use the Loopback Adapter on a production server-ever.

D. Install the Microsoft Loopback Adapter and set its interface metric to 1. ------ We never want to use the Loopback Adapter on a production server.

A. Issue the command route print 192.168.1.0 on the server. ------ The Route Print command simply displays all or part of the server's routing table.

B. Issue the command route -p add 0.0.0.0 mask 0.0.0.0 192.168.1.1 on the server. ------ The -p flag of the route command makes the static route persistent across server reboots.

C. Issue the command route -persistent 192.168.1.0 on the server. ------ The -p flag of the route command is used, not the word "persistent." Besides, the syntax of this statement is incorrect.

D. Issue the command route -p add 255.255.255.255 mask 255.255.255.255 192.168.1.1 on the server. ------ We need to use decimal 0, not decimal 255, in our route statement.

A. Upgrade the Windows Server 2003 servers to Windows Server 2008. ------ Windows Server 2003 natively supports IPv6; however, you have to install the component from the Network Connections Control Panel item.

B. Install IPv6 by downloading the component from the Microsoft Web site. ------ You do not need to do this because Windows Server 2003 includes IPv6 as an optional, installable component.

C. Install IPv6 by using the Network Connections Control Panel item. ------ You can use this method to install IPv6 as an additional network component for the appropriate network adapter(s) on the Windows Server 2003 computer.

D. Install IPv6 by using the Server Manager application. ------ Remember that Windows Server 2003 does not include a Server Manager tool like Windows Server 2008 does.

A. Enable UDP ports 67 and 68 in Windows Firewall for both network interfaces. ------ When you install the DHCP server role in Windows Server 2008, the operating system creates the appropriate Windows Firewall rules automatically. Incidentally, DHCP does use User Datagram Protocol (UDP) ports 67 and 68.

B. Modify the server bindings in the DHCP console. ------ In the DHCP Manager console, you can adjust the network interface card (NIC) bindings such that the server will service DHCP client requests on all, or only selected, network interfaces.

C. Disable IPv6 on the server. ------ Remember that Windows Server 2008 DHCP can seamlessly service IPv6 requests as easily as it can service IPv4 requests.

D. Set the WINS/NBT Node Type as a Server Option in the DHCP console. ------ DHCP server or scope options have absolutely nothing to do with this situation.

A. Create a domain DFS in the forest. ------ Here, we are concerned with IP address configuration (DHCP), not making filesystem resources available in a redundant way (Distributed File System or DFS).

B. Create a reservation for the workgroup printers on both DHCP servers. ------ When you have multiple DHCP servers in an enterprise, you need to be careful to plan and create scopes, keeping in mind that the servers never synchronize their scope data. The configurations must be manually duplicated on all servers.

C. Create a reservation for the workgroup printers on one DHCP server. ------ If we perform this action, there exists the possibility that the workgroup printers, which are configured as DHCP clients, may pick up a different IP address from the other DHCP server.

D. Create an exclusion for the workgroup printers on both DHCP servers. ------ An exclusion removes one or more IP addresses from a DHCP scope. The scenario in this case states explicitly that the workgroup printers are DHCP clients.

A. Install Service Pack 3 on the client computers. ------ Windows XP SP3 is required in order for Windows XP domain workstations to participate in NAP health policy screens. However, Windows XP computers are unable to participate in IPSec Connection Security Rules that are created in Windows Server 2008.

B. Install the NAP client software on the client computers. ------ The Network Access Protection (NAP) client is included in Windows XP Service Pack 3, not as a separate download. Besides, NAP client is not what is needed in this scenario.

C. Install the Network Policy Server role on all member servers. ------ This scenario can be accomplished by using simple Group Policy in Active Directory Domain Services (AD DS).

D. Upgrade all client computers to Windows Vista. ------ Only Windows Server 2008 and Windows Vista can participate in Connection Security Rules.

A. Change the server connection bindings on the server. ------ The server connection binding option enables you to scope the DHCP listener service to a particular network interface.

B. Create a superscope on the DHCP server. ------ A superscope involves IP addresses from more than one subnet being distributed over the same LAN segment. This has nothing to do with the issue under consideration.

C. Restart the DHCP Server service on the server. ------ Simply restarting the DHCP Server service on the computer is not enough. We need to use the Conflict Detection feature to ensure that ready-to-lease IP addresses are not already in use on the network.

D. Increase the conflict detection attempts in the DHCP server properties. ------ The conflict detection feature in Windows Server DHCP uses PING to ensure that an IP address is not in use on the network before the server offers a lease to a client.

A. Unauthorized and reauthorize the DHCP server in Active Directory. ------ There is utterly no need to perform this action to fix inconsistencies in a DHCP scope database.

B. Enable conflict detection on IP01. ------ Conflict detection uses ICMP ping messages to ensure that an IP address is not already in use on the network before a lease is granted to a requesting host.

C. Reconcile the scopes on IP01. ------ Reconciling scopes is an online action in which inconsistencies in scope data are fixed.

D. Restart the DHCP Server service on IP01. ------ Restarting the service, much less the DHCP server, will not automatically repair inconsistencies in the scope data.

A. 2001:cgba::3257:9654 ------ This IPv6 address is invalid because g is an illegal character in hexadecimal notation.

B. 2001:cdba::3257:9651 ------ This is a valid IPv6 address.

C. 2001:cdba:0000:0000:0000:0000:3257:9656 ------ This is a valid IPv6 address.

D. 2001:cdba:0:0:0:0:3257:9655 ------ This is a valid IPv6 address.

A. Configure the DHCP server to use DHCPv6 Stateful mode. ------ In DHCPv6 Stateful mode, clients receive both an IPv6 address as well as all other addresses/parameters from the DHCPv6 server.

B. Configure all client computers to support PNRP. ------ Windows Vista supports the Peer Name Resolution Protocol (PNRP) by default. Besides, that protocol is only tangentially related to the subject that is under consideration in this item.

C. Configure the DHCP server to use DHCPv6 Stateless mode. ------ In DHCPv6 Stateless mode, clients auto-assign their IP addresses and receive additional parameters (default gateway address, DNS server address, etc.) from the DHCPv6 server.

D. Configure all client computers to use DHCPv6 Client mode. ------ In DHCPv6 Client mode, no IPv6 information is given to the client; this simply determines the relationship between the client devices and routers that may lie between the client and the DHCPv6 server.

A. Deploy the subnet mask 255.255.255.224 in the network. ------ A 27-bit mask will yield 8 subnets with 30 hosts per subnet.

B. Deploy the subnet mask 255.255.255.240 in the network. ------ A 28-bit mask will yield 16 subnets, but with only 14 host IDs per subnet.

C. Deploy the subnet mask 255.255.255.128 in the network. ------ A 25-bit mask will yield only two subnets with 126 host ID available on each subnet.

D. Deploy the subnet mask 255.255.255.248 in the network. ------ A 29-bit mask yields 32 subnets with only 6 hosts per subnet.

A. Create a DHCP exclusion for FS01. ------ If we created an IP address exclusion in DHCP, then again we would have to configure FS01 with a static IP address. This is not what the scenario asks us to do.

B. Configure FS01 with a static IPv4 address. ------ Although this option would allow reliable connections from users, the scenario states that we want to make FS01 a DHCP client.

C. Create a Connection Security Rule in a Group Policy Object (GPO). Scope the GPO to apply to FS01. ------ Connection Security Rules used to be called IPSec policies in Windows Server 2003. We are not concerned with providing packet-level security in this item.

D. Create a DHCP reservation for FS01. ------ We can reserve an IP configuration for FS01 based upon the Media Access Control (MAC) address of the network interface card (NIC) in FS01.

A. Ensure that both DHCP servers are configured with the Active Directory Domain Services role as well. ------ Again, this is a preposterous action. In a best case scenario, we want two Server Core machines that are largely dedicated to their DHCP server duties.

B. Disable IPv6 on both DHCP servers. ------ Quite the contrary! IPv6 is considered to be a far more secure protocol than its predecessor, IPv4.

C. Install the Network Policy Server (NPS) role on both DHCP servers. ------ The scenario states no requirement for NAP and/or remote access services. Hardening a server means that we DO NOT install any unnecessary services and applications.

D. Install Windows Server 2008 in the Server Core configuration on both servers. ------ The Server Core installation type supports the DHCP Server server role. The Server Core installation reduces the attack surface by eliminating the explorer.exe shell and most unnecessary services, drivers, and applications.

A. Configure inbound and outbound rules in the Windows Firewall with Advanced Security node in Group Policy. ------ While these nodes do exist, IPSec policies are now categorized as Connection Security Rules in Windows Server 2008 and Windows Vista.

B. Configure the IPSec Enforcement Client in the Nework Access Protection (NAP) node in Group Policy. ------ IPSec security policies and NAP are related, however, we need to configure the IPSec rules themselves in the Windows Firewall with Advanced Security node in Group Policy.

C. Specify a cryptographic service provider in the Health Registration Settings node in Group Policy. ------ This item is concerned with protecting network traffic with Internet Protocol Security (IPSec), not NAP-based computer health policies.

D. Configure Connection Security Rules in the Windows Firewall with Advanced Security node in Group Policy. ------ IPSec policies are now configured as Connection Security Rules in the Windows Firewall with Advanced Security utility.

A. Install the Routing and Remote Access Service server role. ------ You need to provide the physical capability of routing packets to different IP subnetworks on the server before you configure the server role.

B. Install Active Directory Domain Services on the member server. ------ It is not a recommended best practice to install the RRAS server role on a domain controller. This step is certainly not necessary to the process.

C. Create the appropriate exceptions in Windows Firewall. ------ Whenever you install a server role in Windows Server 2008, the operating system automatically creates the appropriate traffic access rules in Windows Firewall.

D. Configure the member server as a multihomed host. ------ In order for a Windows Server computer to serve as an IP router and/or remote access server, the server must have more than one network interface card (NIC) installed. This configuration is referred to as multihomed.

A. Ensure that the IPv6 protocol is enabled in the network card properties of all client workstations. ------ This should be an obvious first step. If we disable IPv6 in the network card properties, then the IPv6 protocol is completely unusable.

B. Run the command netsh interface ipv6 set teredo on all client workstations. ------ The Teredo protocol is what allows Windows Vista and Windows Server 2008 computers to use IPv6 in environments that consist of Network Address Translation (NAT)-enabled firewalls and routers and an IPv4 addressing infrastructure.

C. Ensure that at least one IPv6 scope is created on the network's DHCP server. ------ The scenario does not state whether DHCP or static addressing is being used on the network.

D. Run the command netsh interface ipv6 set state on all client workstations. ------ The set state context of the netsh int command is used to enable or disable IPv4 compatibility. In this case, since NAT is involved as well, we need to be concerned, at least principally, with Teredo settings.

A. Use the NTDSUTIL utility. ------ We use this utility to perform operations on the Active Directory Domain Services database.

B. Use the WDSUTIL utility. The WDSUTIL command-line tool is used to manage Windows Deployment Services (WDS) from a command-prompt environment.

C. Use the jetpack.exe utility. ------ The jetpack.exe command-line tool can be used to compress and optimize WINS and DHCP databases, both of which use the Microsoft Access-based JET database engine.

D. Use the NETSH utility. ------ While the NETSH utility contains many operations that are useful for DHCP administration, we cannot compact the DHCP database by using this command.

A. Configure IPSec policy in Windows Firewall. ------ This policy affects only the local server. We need to deploy RRAS packet filters to affect traffic that is not directly associated with the RRAS server.

B. Configure packet filtering in Windows Firewall. ------ Windows Firewall will only screen packets that are directly addressed to the local server. We need to use RRAS packet filters to filter traffic that is destined for remote networks.

C. Install a RADIUS server on the network. ------ RADIUS is not relevant in this scenario.

D. Deploy RRAS packet filters. ------ The filtering that Windows Firewall provides governs only traffic that originates from or is directly addresses to the RRAS server itself. We need to use RRAS packet filters in this case.

A. Create a multicast scope on the DHCP server. ------ In contrast to unicast IP, which is a one-to-one proposition, multicast scopes, which use Class D IPv4 addresses, enable multiple target hosts to "share" a single virtual IP address to save on network bandwidth.

B. Install the MADCAP protocol on the DHCP server. ------ Multicast DHCP does indeed use the MADCAP protocol; however, there is nothing to configure concerning the protocol in particular. We simply need to define a multicast scope by using the DHCP MMC console.

C. Create a DHCP vendor class on the server. ------ DHCP vendor classes and user classes are cool ways to target specific IP configurations to computers that match a particular vendor requirement, or users who meet class membership or location criteria.

D. Create a superscope on the DHCP server. ------ A superscope is a single scope that contains IP addresses from more than one subnet.