Questioning Success, Part III
Exam 70-216 is a bear, thoroughly testing your
knowledge of Windows 2000 networking services.
Analyzing questions and answers can help you slay
the beast.
- By James Carrion
- 09/01/2001
This is the third of a four-part series covering
exam-question analysis for the Windows 2000 Core
four exams: Win2K Professional, Win2K Server,
Implementing and Administering a Win2K Network
Infrastructure, and Implementing and Administering
Win2K Directory Services. This month I take a
look at 70-216, "Implementing and Administering
a Windows 2000 Network Infrastructure."
Not Your Father's TCP/IP
If you're preparing for 70-216, you must
have already passed the Win2K Professional and
Server exams. Congratulations on your achievement.
However, now isn't the time to be overly confident;
the Implementing and Administering a Windows 2000
Network Infrastructure exam is much more difficult
because you're tested in-depth on the myriad networking
services built into Win2K. That includes everything
from configuring DNS, WINS, DHCP, Radius and RRAS
(with its multitude of configurations), to planning
for and implementing IP subnetting.
If you're an NT4.0 MCSE, you probably remember
the difficulties you may have had passing the
Server in the Enterprise and TCP/IP exams. Imagine
those tests combined and then supplemented by
all the new networking bells and whistles that
Win2K adds. Are you getting the idea? Let's take
a look at some sample questions.
Question No. 1
You have installed and configured the
DHCP Server service on a Windows 2000 Server.
After creating a scope with a range of valid IP
addresses, you then create an exclusion range
as well as address reservations (using the MAC
addresses) for three of your local Web servers
so they'll always receive the same address. You
configure the Web servers as DHCP clients, but
find that they are not receiving addresses from
the DHCP server.
What do you do to fix the problem?
- Enable the address conflict detection feature
of the DHCP server service. .
- Remove the address reservations.
- When creating the reservations use the GUID
instead of the MAC address.
- Remove the exclusion range for the addresses
reserved for the Web servers.
Question No. 1 Analysis
To answer this question you need to know
the intricacies of DHCP. You want to have all
three Web servers receive an IP address from DHCP,
but you want it to be the same IP address each
time, rather than a random pick-from-the-address
pool. Because clients will probably resolve the
IP address of these Web servers through one or
more name-resolution methods (Hosts files, DNS,
WINS and so on.), it's important to have static
IP addresses. So why not just plug in static addresses
rather than have the Web servers configured through
DHCP? Probably so you can manage all the Web server's
IP protocol property options through the DHCP
server. For example, if the default gateway of
the Web servers has changed, you can configure
the new gateway address on the DHCP server as
a scope option, which will automatically refresh
DHCP client configurations. This is better than
having to manually change the option on the Web
servers.
The central problem is that the Web servers aren't
receiving addresses from the DHCP server. Why?
Let's try and narrow down the correct answer by
eliminating some of the incorrect answers. This
common tactic can save you precious time on a
test.
Answer A wouldn't fix the problem; it'll just
let you know a problem exists. In address-conflict
detection, the DHCP server pings an IP address
before giving it to a client. If a ping response
is received, the DHCP server knows the address
is in use and doesn't give it out.
Answer B doesn't make sense. In order for a DHCP
client to receive the same address every time
from the DHCP server, a reservation is needed.
Removing the reservations would mean the Web servers
would receive any old address from DHCP.
Answer C is also wrong. When creating a reservation
for a DHCP client, you must configure the reserved
IP address with the MAC address of the client.
The GUID is used by computers that want to download
a Win2K Professional image from a RIS server;
it has nothing to do with getting an IP address
from DHCP.
That leaves D as the only possible choice. Addresses
need to be excluded from the scope if they've
already been statically assigned to other computers
on the network, and you don't want DHCP to assign
the same IP addresses.
Question No. 2
Dedicated T-1 lines connect your Miami
headquarters with your New York and Seattle branch
offices. Two additional branch offices use 128-Kbps
ISDN lines and Routing and Remote Access over
the Internet to connect to the company's network.
You are designing your DNS name-resolution environment
and want to accomplish the following goals:
DNS Name resolution traffic across the WAN links
should be minimized.
DNS Zone transfers should be secure.
Host names should be added to the zone file dynamically.
You take the following actions:
Install the DNS Server service on one Domain
Controller at each office.
Create an Active Directory-integrated zone on
each DNS server at each office.
Configure client computers to query their local
DNS server.
Configure the zones to allow dynamic updates.
What results do these actions produce? Choose
all that apply.
- Name-resolution traffic is minimized.
- Zone Transfer is secure.
- The zone file is updated dynamically.
Question No.2 Analysis
You'll definitely need to beef up on your
knowledge of how DNS works on a Win2K server before
you attempt to answer this question. So here's
a little primer. When you create a DNS zone (database)
on a Win2K server, it makes the server authoritative
and able to answer queries from DNS clients.
The zone file data can either be stored in a
text file (Standard DNS) or stored in the Active
Directory database (AD-integrated DNS). A server
with a zone file can be configured as either Primary
for that file (has Read/Write access to the data)
or Secondary for that file (has Read-only access
to the data). When implementing Standard DNS,
where all zone files are text files, there can
only be one Primary; all others must be Secondary.
This is similar to the relationship between PDCs
and BDCs in NT4.0.
When using AD-integrated zones, there can be
multiple Primaries, since the data is stored in
the AD database on DCs. All Win2K DCs have Read/Write
access to the AD database and, therefore, Read/Write
access to the zone data.
When a Primary server writes an update to the
zone file, Secondary servers receive the update
through a process called zone transfer. In the
case of AD-integrated zones, all the DCs for that
domain receive the zone transfer data through
standard AD replication.
Another neat feature supported by Win2K DNS is
dynamic updates, the ability for clients to update
their own records in the DNS zone file. This is
similar to the way WINS works. It doesn't matter
whether the zone file is a text file or AD-integrated-you
can enable dynamic updates as long as you're using
Win2K DNS. Clients must update their records on
a Primary DNS server, as the server needs Read/Write
access to perform the update.
Back to the question. What exactly did you accomplish?
Let's start with the DNS name-resolution traffic
being minimized. You configured a DNS server for
each office and configured the local clients to
use that server for name resolution. This will
minimize the name-resolution traffic across the
WAN links, as the local DNS server can resolve
the query.
Zone transfers, however, aren't secured just
by creating an AD-integrated zone. Any hacker
on the Internet can install DNS on a local computer
and make it secondary for your zone data. The
only way to ensure that zone transfer is secure
is to set up a list of servers authorized to perform
a zone transfer.
The zone files are being updated dynamically
because all your DNS servers are DCs with an AD-integrated
zone, and you enabled dynamic updates. Clients
are updating their local DNS server's copy of
the zone data.
Question No.3
You manage a small network that consists
of a Windows 2000 Server computer named COMP1
and 10 Windows 2000 Professional computers. COMP1
has a dial-up connection to a local ISP for access
to the Internet. COMP1 is sharing out the ISP
connection through Internet Connection Sharing
(ICS).
The 10 Windows 2000 Professional computers are
configured for static TCP/IP addressing. The IP
addresses are 192.168.0 1 through 192.168.0.10,
with a subnet mask of 255.255.255.0. The 10 Windows
2000 Professional computers have no default gateway
configured. None of the Windows 2000 Professional
computers can surf the Internet, even though they
are configured statically with the IP address
of the ISP's DNS server.
How do you fix this problem? Choose all that
apply.
- On the Windows 2000 Professional computer
with IP address 192.168.0.1, change the IP address
to 192.168.0.11
- Change the default gateway on all 10 Windows
2000 Professional computers to 169.254.0.1
- Change the subnet mask on all 10 Windows
2000 Professional computers to 255.255.0.0.
- Change the IP address on all 12 Windows 2000
Professional computers to 169.254.0.2 through
169.254.0.11
- Change the default gateway on all 12 Windows
2000 Professional computers to 192.168.0 1
Question No.3 Analysis
Again, your knowledge of how Win2K network
services (in this case ICS) works will make the
difference in answering this question correctly.
When you enable ICS, a simple process of checking
a checkbox within your dial-up connection properties,
multiple things occur. First, the local network
card of the computer is assigned an IP address
of 192.168.0.1. Second, the ICS computer starts
behaving like a DHCP server and will assign out
addresses from the 192.168.0.x range to DHCP clients.
It will also configure these clients with the
IP address of a default gateway and a DNS server,
with both of these addresses configured as 192.168.0.1.
The end result is that a DHCP client on the same
network as the ICS computer will be able to access
the Internet by having its packets destined for
the Internet translated by ICS.
The first problem in this scenario is that your
clients are configured with static addresses.
When ICS is enabled and tries to assign itself
the address of 192.168.0.1, it won't be able to
because this has already been statically assigned
to another computer on the local network. It won't
assign itself another address. So the first step
in fixing the problem is removing the address
192.168.0.1 from the offending computer so ICS
can use that address. This is accomplished by
answer A.
Also, your local clients should really be configured
as DHCP clients so they can receive their entire
IP configuration from ICS. Since reconfiguring
them as DHCP clients isn't one of the possible
choices, we'll have to look for an alternate solution.
For a computer to connect to the Internet, it
only needs a valid IP address, local default gateway
configured from the same address range, the ability
to route or translate its packets onto the Internet,
and a DNS server for name resolution. The local
clients already have static addresses from the
same range as the ICS computer. They're already
configured to talk to the ISP's DNS server for
name resolution. The only thing missing is to
make sure they have the right Default Gateway
configured. This should be the address assigned
to the local network interface on the ICS computer,
which is 192.168.0.1.
Answers A and E are correct. B and D have the
wrong address range specified. These 169.254.x.x.
addresses are from the Automatic Private IP Address
Range (APIPA), and are default addresses assigned
by the service when the client can't receive an
address from DHCP. Answer C is wrong because 192
is a private Class C address range, and the mask
should be 255.255.255.0.
Get Ready
With so many networking services and their
nuances to learn, you'll need to give yourself
plenty of time to prepare for this exam. Configure
each of the major networking services like DHCP,
DNS, WINS, RRAS, RADIUS and so on in your home
or office lab and make sure you understand the
various configuration options for each of the
services. Microsoft is mighty proud of the networking
prowess of Win2K, but don't let the test intimidate
you. With adequate preparation you can pass this
exam.