(Sample) MCSE 2003 Remote Access Exam Questions and Answers
70-291 level questions
Q: N/A
A:
For Windows Server 2003, a new NetBIOS over TCP/IP (NetBT) proxy is incorporated
in Routing and Remote Access. The NetBT proxy allows remote dial-in client computers
to resolve names on the network without requiring a Domain Name Service (DNS)
server or a Windows Internet Name Service (WINS) server. This is desirable for
small businesses or home offices that do not want to deploy DNS or WINS, but
instead want to use NetBIOS for name resolution.
Q:
You connect to the Internet from your home office with a modem on your Windows
XP Professional computer. Your Internet Service Provider (ISP) recently notified
you about one of the new service offerings available from the ISP - support
for multilinking. You install a second modem with the appropriate driver onto
your computer so you can use this service.
What step should you take to set up a connection to your ISP that will use both
modems?
A: N/A
Q:
You are a network administrator for your company. The computers on your network
are joined to an Active Directory domain whose functional level is set to Windows
2000 native. The administrator who used the Active Directory Installation Wizard
to create the domain selected the option "Permissions compatible only with
Windows 2000 servers." The domain contains two domain controllers running
Windows 2000 Server and two domain controllers running Windows Server 2003.
You are working with another administrator to set up a router-to-router virtual
private network (VPN) between a computer named Server10, which is running Windows
NT 4.0 Server, and a computer named Router5, which is running Windows Server
2003. Neither of these computers is a domain controller. Server10 has the most
recent service pack for Windows NT applied, and it is running the Routing and
Remote Access (RRAS) service. You have created the appropriate demand-dial interface
on each computer, and you have both verified that the credentials to be used
for the router-to-router VPN are properly defined. When you attempt to establish
a connection from Router5 to Server10, Server10 rejects the connection.
What is the most likely reason that Server10 rejects the connection attempt
from Router5?
The functional level of the domain is not Windows 2000 mixed.
The Everyone group is not a member of the Pre-Windows 2000 Compatible Access group.
The computer account of Server10 is not a member of the RAS and IAS Servers group.
Router5 is using Layer Two Tunneling Protocol (L2TP) for the connection.
A:
The most likely reason that Server10 rejects the connection attempt from Router5
is that the Everyone group is not a member of the Pre-Windows 2000 Compatible
Access group. A computer running Windows NT 4.0 that is configured as an RRAS
server uses a null session to communicate with a domain controller to determine
if the user or computer attempting to establish a VPN connection has been granted
the remote access permission.
A null session is established in the context of the Anonymous account,
and the null session can be established only if the Anonymous account has Read
access to user and computer objects in Active Directory. You can enable this
access by adding the Everyone group to the Pre-Windows 2000 Compatible Access
security group. In this scenario, since the administrator who used the Active
Directory Installation Wizard to create the domain selected the option "Permissions
compatible only with Windows 2000 servers," the Everyone group is not a
member of the Pre-Windows 2000 Compatible Access group.
It is not likely that Server10 rejects the connection attempt from Router5 because
the computer account of Server10 is not a member of the RAS and IAS Servers
group. Even if a computer account is a member of this group, the computer account
will not be able to establish a null session to a domain controller if the Everyone
group is not a member of the Pre-Windows 2000 Compatible Access group. Note
that both the Pre-Windows 2000 Compatible Access group and the RAS and IAS Servers
group are granted Read permission by default on the Active Directory object
named "RAS and IAS Servers Access Check."
It is not likely that Server10 rejects the connection attempt from Router5 because
Router5 is using Layer Two Tunneling Protocol (L2TP) for the connection. Although
a Windows NT 4.0 server running RRAS can only use the Point-to-Point Tunneling
Protocol (PPTP) for a VPN connection, the default server type option for a demand-dial
interface for a Windows Server 2003 computer running Routing and Remote Access
is Automatic. An interface for which the server type option is Automatic attempts
to establish a connection using PPTP first, and only attempts to use L2TP if
PPTP is not enabled on the destination (answering) router.
It is not likely that Server10 rejects the connection attempt from Router5 because
the functional level of the domain is not Windows 2000 mixed. Although a domain
whose functional level is Windows 2000 native does not support Windows NT 4.0
backup domain controllers (BDCs), it does support computers running Windows
NT Server 4.0.
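The group membership that the answer above turns on can be checked directly. The following is an added example, not part of the original question set: it assumes the ActiveDirectory PowerShell module is available, and the function name Get-PreW2kAccessAudit is hypothetical.

```powershell
# Added example: list the members of "Pre-Windows 2000 Compatible Access"
# and flag the two principals that matter for null-session lookups.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Well-known SIDs; names are for display only.
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-PreW2kAccessAudit {
    # S-1-5-32-554 is the well-known SID of the built-in group, so the
    # lookup does not depend on the localised group name.
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member

    foreach ($dn in $group.member) {
        # Well-known principals appear as foreign security principals;
        # their objectSid carries the well-known SID.
        $obj  = Get-ADObject -Identity $dn -Properties objectSid
        $sid  = $obj.objectSid.Value
        $name = if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $obj.Name }

        [pscustomobject]@{
            Member = $name
            Sid    = $sid
            # Everyone is the membership the answer above refers to;
            # Anonymous Logon is the identity a null session runs as.
            Review = $sid -in 'S-1-1-0', 'S-1-5-7'
        }
    }
}

$audit = @(Get-PreW2kAccessAudit)
$audit | Format-Table -AutoSize

if (-not ($audit | Where-Object Review)) {
    'Neither Everyone nor Anonymous Logon is a member: a Windows NT 4.0 ' +
    'RRAS server cannot read remote access permission over a null session.'
}
```

Rows with Review set to True show that the directory is readable in the way a Windows NT 4.0 RRAS server needs; an empty result matches the "Permissions compatible only with Windows 2000 servers" choice in the scenario.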
Q:
You configure a computer running Windows Server 2003 as a virtual private network
(VPN) router at your corporate office. The server name is CorpRouter. You create
a demand-dial interface named CorpRt on the server. You create a user account
named Corp and add it to the domain local group RAS and IAS Servers. Your administrator
account is CorpAdmin. You also configure a computer running Windows Server 2003
at a branch office as a VPN router. The computer accounts for both VPN routers
are members of the security group RAS and IAS Servers.
When you configure the dial-out credentials on the branch office VPN router
for the demand-dial interface to CorpRouter, which user name should you use?
CorpRt
Corp
CorpRouter
CorpAdmin
A:
You should use CorpRt, which is the name assigned to the demand-dial interface
you created on CorpRouter. The user name configured in the dial-out credentials
for a demand-dial interface should be the name assigned to the demand-dial interface
on the destination router. On the destination router, you can configure a password
to be used for remote router connections by defining the password in the dial-in
credentials.
The group RAS and IAS Servers is a domain local security group that is, by default,
given permission to read remote access-related properties of user objects. When
you enable Routing and Remote Access on a computer running Windows Server 2003,
the computer account of that server is added to the RAS and IAS Servers group.
You should not use the name of the remote router computer, an administrative
account, or the name of a user account that belongs to RAS and IAS Servers as
the user name for the dial-out credentials. If a VPN router receives a connection
attempt from another VPN router that uses credentials other than the name of
the answering router's demand-dial interface, the answering router treats the
connection as a remote access client, not as a router-to-router connection.
· (1x) Which (two?) protocols provide a point-to-point VPN tunnel with mutual authentication and encryption?