You are the network administrator for Test King. The network consists of a single Active Directory domain named The domain contains Windows Server 2003 computers and Windows XP Professional computers. The Default Domain Policy has been modified by import

第1题：

Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service Pack 2 (SP2). All client computers run Windows XP Professional Service Pack 3 (SP3). You need to ensure that locked out user accounts remain locked out until an administrator unlocks the accounts. What should you do? （）

• A、In the Default Domain Policy, set the Account lockout duration to 0.
• B、In the Default Domain Policy, set the Account lockout duration to 99999.
• C、From Active Directory Users and Computers, select the Account is trusted for delegation option for all user accounts.
• D、From Active Directory Users and Computers, select the Account is sensitive and cannot be delegated option for all user accounts.

第2题：

Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service Pack 2 (SP2). All client computers run Windows XP Professional Service Pack 3 (SP3). You have a server named Server1 that has Windows Server Update Services (WSUS) 3.0 installed. You need to ensure that all WSUS clients download approved updates directly from the Windows Update site.  What should you do?（）

• A、From the Default Domain Policy, configure the Background Intelligence Transfer Service settings. 
• B、From the Default Domain Policy, configure the Windows Update settings. 
• C、From the Update Services console, create a new automatic approvals rule. 
• D、From the Update Services console, configure the Update Files and Languages settings. 

第3题：

You are the network administrator for Humongous Insurance. The network consists of a single Active Directory domain named humongous.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers. You configure several Group Policy objects （GPOs） to enforce the use of IPSec for certain types of communication between specified computers.   A server named Server2 runs the Telnet service. A GPO is supposed to ensure that all Telnet connections to Server2 are encrypted by using IPSec. However， when you monitor network traffic， you notice that Telnet connections are not being encrypted.You need to view all of the IPSec settings that are applied to Server2 by GPOs. Which tool should you use？（）

• A、the IP Security Policy Management console
• B、the IP Security Monitor console
• C、the Resultant Set of Policy console
• D、Microsoft Baseline Security Analyzer （MBSA）

第4题：

You are the network administrator for your company. The network consists of a single Active Directory domain. The domain contains 35 Windows Server 2003 computers； 3，000 Windows XP Professional computers； and 2，200 Windows 2000 Professional computers.  The written company security policy states that all computers in the domain must be examined， with the following goals：  （1）to find out whether all available security updates are present   （2）to find out whether shared folders are present  to record the file system type on each hard disk   You need to provide this security assessment of every computer and verify that the requirementsof the written security policy are met.  What should you do？（）

• A、Open the Default Domain Policy and enable the Configure Automatic Updates policy.
• B、Open the Default Domain Policy and enable the Audit object access policy， the Audit account management policy， and the Audit system events policy.
• C、On a server， install and run mbsacli.exe with the appropriate configuration switches.
• D、On a server， install and run HFNetChk.exe with the appropriate configuration switches.

第5题：

You are the desktop administrator for one of your company's branch offices. The network in the branch office consists of a single network segment, which contains a domain controller, a DHCP server, 10 Windows 2000 Server computers, and 50 Windows 2000 Professional computers. All servers and client computers are members of the company's Active Directory domain. You purchase 50 new client computers for the branch office. Each new client computer contains a built-in PXE-compliant network adapter. You install and configure RIS on one of the Windows 2000 Server computers that is on the network in the branch office. You create a Windows XP Professional RIS image on the Windows 2000 Server computer. You connect the new client computers to the network in the office, and you turn on each computer. Each computer displays a message stating that it cannot contact a PXE boot server. You verify that the RIS server is connected to the network. You need to ensure that the new client computers can connect to the RIS server and can begin installing Windows XP Professional. What should you do?（）

• A、Ask a domain administrator to authorize the RIS server. 
• B、Grant the Everyone group Allow - Read NTFS permission on the RIS image.
• C、Install RIS on the domain controller. Copy the RIS image to the domain controller.
• D、Add a reservation for the RIS server to the DHCP server. 

第6题：

You are a network administrator for your company. The network consists of a single Active Directory domain. The domain contains three Windows Server 2003 domain controllers， 20 Windows Server 2003 member servers， and 750 Windows XP Professional computers. The domain is configured to use only Kerberos authentication for all server connections.A user reports that she receives an "Access denied" error message when she attempts to connect to one of the member servers. You want to test the functionality of Kerberos authentication on the user’s client computer.  Which command should you run from the command prompt on the user’s computer？（）

• A、netsh
• B、netdiag
• C、ktpass
• D、ksetup

第7题：

You are the network administrator for . The network consists of single Active directory domain. The domain contains a Windows Server 2003 domain controller named TestKing3. The securews.inf security policy has been applied to the domain. A network application requires a service account. The network application runs constantly. You create and configure a service account named SrvAcct for the network application. The software functions properly using the new account and service. You discover an ongoing brute force attack against the SrvAcct account. The intruder appears to be attempting a distributed attack from several Windows XP Professional domain member computers on the LAN. The account has not been compromised and you are able to stop the attack, you restart Server6 and attempt to run the network application, but the application does not respond.（）

• A、Reset the SrvAcct password,
• B、Configure the default Domain Controllers policy to assign the SrvAcct account the right to log on locally.
• C、Unlock the SrvAcct account.
• D、Restart the NetAppService service.

第8题：

You are the network administrator for Humongous Insurance. The network consists of a single Active Directory domain named humongous.com. The domain contains Windows Server 2003 computers and Windows XP Professional computers.You configure several Group Policy objects （GPOs） to enforce the use of IPSec for certain types of communication between specified computers.   A server named Server2 runs the Telnet service. A GPO is supposed to ensure that all Telnet connections to Server2 are encrypted by using IPSec. However， when you monitor network traffic， you notice that Telnet connections are not being encrypted.You need to view all of the IPSec settings that are applied to Server2 by GPOs.   Which tool should you use？（）

• A、the IP Security Policy Management console
• B、the IP Security Monitor console
• C、the Resultant Set of Policy console
• D、Microsoft Baseline Security Analyzer （MBSA）

第9题：

You are a security administrator for your company. The network consists of a single Active Directory domain. All client computers run Windows XP Professional. All servers run Windows Server 2003. All computers on the network are members of the domain.    Traffic on the network is encrypted by IPSec. The domain contains a custom IPSec policy named Lan Security that applies to all computers in the domain. The Lan Security policy does not allow unsecured communication with non-lPSec-aware computers. The company’s written security policy states that the configuration of the domain and the configuration of the Lan Security policy must not be changed. The domain contains a multihomed server named Server1. Server1 isconnected to the company network， and Server1 is also connected to a test network. Currently， the Lan Security IPSec policy applies to network traffic on both network adapters in Server1. You need to configure Server1 so that it communicates on the test network without IPSec security. Server1 must still use the Lan Security policy when it communicates on the company network.  How should you configure Server1？（）

• A、 Configure a packet filter for the network adapter on the test network to block the Internet Key Exchange （IKE） port.
• B、 Configure the network adapter on the test network to disable IEEE 802.1x authentication.
• C、 Configure the network adapter on the test network to enable TCP/IP filtering， and then permit all traffic.
• D、 Use the netsh command to assign a persistent IPSec policy that permits all traffic on the network adapter on the test.
• E、 Assign an IPSec policy in the local computer policy that permits all traffic on the network adapter on the test.

第10题：

第11题：

第12题：

You are the network administrator for .Your network consists of a single Active Directory domain named . The Default Domain Group Policy object (GPO) uses all default settings. The network contains five servers running Windows Server 2003 and 800 client computers. Half of the client computers are portable computers. The other half are desktop computers. Users of portable computers often work offline, but users of desktop computers do not. You install Windows XP Professional on all client computers with default settings. Then you configure user profiles and store them on the network. Some users of portable computers now report that they cannot log on to their computers. Other users of portable computers do not experience this problem. You need to ensure that all users of portable computers can log on successfully,whether they are working online or offline. What should you do?（）

• A、Configure all portable computers to cache user credentials locally.
• B、Ensure that all users of portable computers log on to the network at least once before working offline.
• C、In all portable computers, rename Ntuser.dat to Ntuser.man.
• D、For all portable computers, configure the Loopback policy setting.

第13题：

You are the network administrator for your company. The network consists of a single Active Directory domain. The domain contains 35 Windows Server 2003 computers； 3，000 Windows XP Professional computers； and 2，000 Windows 2000 Professional computers. Windows Server Update Services （WSUS） is installed on a server named Server1. The necessary Group Policy object （GPO） is configured.You need to confirm whether all computers in the domain have received all approved updates from Server1. What should you do on Server1？（）

• A、Install and configure Urlscan.exe.
• B、At the command prompt， type gpresult /scope COMPUTER.
• C、Open the WSUS console. Run the Status of Computers report.
• D、Open the WSUS console. Run the Synchronization Results report.

第14题：

You are a network administrator for your company. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers， 300 Windows 2000 Professional computers， and 150 Windows XP Professional computers.   According to the network design specification， the Kerberos version 5 authentication protocol must be used for all client computers on the internal network.   You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network.   What should you do？  （）

• A、 On each domain controller， disable Server Message Block （SMB） signing and encryption of the secure channel traffic.
• B、 Replace all Windows 98 computers with new Windows XP Professional computers.
• C、 Install the Active Directory Client Extensions software on the Windows 98 computers.
• D、 Upgrade all Windows 98 computers to Windows NT Workstation 4.0.

第15题：

You are the network administrator for . The network consists of a single Active Directory domain named All network servers run Windows Server 2003. All client computers run Windows XP Professional. Multiple users share the same client computer. A server named TestKing2 functions as a file and print server. You set the profile path for all user accounts to //TestKing2/Profiles/username. Some domain users were added to the local Administrators group on the Windows XP Professional computers. A user reports that other users can log on to client computers that he has previously used and gain access to files stored in his My Documents folder on the local hard disk. You need to permanently prevent users from being able to access the My Documents folder of other domain users on the client computers. What should you do?（）

• A、In Active Directory, modify the Default Domain Policy. Disable the Do not check for user ownership of Roaming Profile Folders setting.
• B、In Active Directory, modify the Default Domain Policy. Enable the Delete cached copies of roaming profiles setting.
• C、Log on to all client computers and delete all user profiles from the local hard disks.
• D、Log on to all client computers and configure the Number of previous logons to cache setting to 0.

第16题：

You are the network administrator for your company. The network consists of a single Active Directory domain. The domain contains 35 Windows Server 2003 computers; 3,000 Windows XP Professional computers; and 2,000 Windows 2000 Professional computers.Windows Server Update Services (WSUS) is installed on a server named Server1. The necessary Group Policy object (GPO)is configured.You need to confirm whether all computers in the domain have received all approved updates from Server1.  What should you do on Server1?（）

• A、Install and configure Urlscan.exe.
• B、At the command prompt， type gpresult /scope COMPUTER.
• C、Open the WSUS console. Run the Status of Computers report.
• D、Open the WSUS console. Run the Synchronization Results report.

第17题：

You are the network administrator for your company. The network consists of a single Active Directory domain. The domain contains 35 Windows Server 2003 computers； 3，000 Windows XP Professional computers； and 2，000 Windows 2000 Professional computers.Windows Server Update Services （WSUS） is installed on a server named Server1. The necessary Group Policy object （GPO） is configured.You need to confirm whether all computers in the domain have received all approved updates fromServer1. What should you do on Server1？（）

• A、Install and configure Urlscan.exe.
• B、At the command prompt， type gpresult /scope COMPUTER.
• C、Open the WSUS console. Run the Status of Computers report.
• D、Open the WSUS console. Run the Synchronization Results report.

第18题：

You are the network administrator for The network consists of a single Active Directory domain named Servers run either Windows 2000 Server or Windows Server 2003. Client computers run either Windows 2000 Professional Service Pack 2 or Windows XP Professional. You need to implement a new software update infrastructure. You discover that security patches, critical updates, and service packs have never been installed on any client computer on the network. You install Software Update Services (SUS) on a Windows Server 2003 computer named Testking5. You must ensure that all client computers receive all Microsoft security patches, critical updates, and service packs. You want to achieve this goal as quickly as possible. Which three actions should you perform? （）(Each correct answer presents part of the solution. Choose three)

• A、Install the Automatic Updates client on all Windows 2000 Professional client computers.
• B、Install the Automatic Updates client on all Windows XP Professional client computers.
• C、Install SUS on a Windows 2000 Server computer.
• D、Modify the Windows Update settings of the Default Domain Controller organizational unit (OU) Group Policy object (GPO) to point client computers to http://testking5.
• E、Modify the Windows Update settings of the Default Domain Policy Group Policy object (GPO) to point client computers to http://testking5.
• F、Upgrade all Windows 2000 Professional client computers to Windows XP Professional.

第19题：

You are the network administrator for The network consists of a sing Active Directory domain named All domain controllers run Windows Server 2003. All client computers run Windows XP Professional with default settings. Some users have portable computers, and the rest have desktop computers. You need to ensure that all users are authenticated by a domain controller whenthey log on. How should you modify the local security policy?（）

• A、Require authentication by a domain controller to unlock the client computer.
• B、Cache zero interactive logons.
• C、Cache 50 interactive logons.
• D、Grant the Log on locally user right to the Users group.

第20题：

You are a network administrator for your company. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers， 300 Windows 2000 Professional computers， and 150 Windows XP Professional computers.   According to the network design specification， the Kerberos version 5 authentication protocol must be used for all client computers on the internal network.   You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network.  What should you do？ （）

• A、 On each domain controller, disable Server Message Block (SMB) signing and encryption of the secure channel traffic.  
• B、 Replace all Windows 98 computers with new Windows XP Professional computers.  
• C、 Install the Active Directory Client Extensions software on the Windows 98 computers. 
• D、 Upgrade all Windows 98 computers to Windows NT Workstation 4.0.

第21题：