Microsoft Test Braindumps

Archive for June, 2007

40.You are the Exchange administrator for A. Datum Corporation. The network contains two Exchange Server 2003 computers named Mail1 and Mail2. Mail1 contains all user mailboxes and is not accessible from the Internet. Mail2 is configured as a front-end server and is used for all Microsoft Outlook Web Access client connections from the Internet. Mail2 is also used as a relay for all incoming and outgoing SMTP messages. The company uses the domain name suffix adatum.com for all SMTP addresses. Users report that they do not receive non-delivery reports (NDRs) when e-mail messages cannot be delivered. You discover this only occurs when Mail2 cannot deliver e-mail messages addressed to Internet recipients. You need to ensure that users receive NDRs when delivery of Internet e-mail messages fails. Users must still be able to use Outlook Web Access from the Internet. What should you do on Mail2?

A: Configure the default SMTP virtual server to forward all mail with unresolved recipients to Mail1.
B: Configure the default SMTP virtual server to send a copy of the NDRs to the e-mail address of administrator@adatum.com.
C: Start the Microsoft Exchange Information Store service and mount the default mailbox store.
D: Create an SMTP connector and associate the connector with the namespace of adatum.com. Specify Mail1 as a smart host.

=============================================
14.You are the Exchange administrator for your company. The Exchange organization contains a single server that runs Exchange Server 2003. The Exchange server contains one storage group and one mailbox store. You discover that the mailbox store is corrupted and will not mount. You need to ensure that you restore the most current data possible. What should you do?

A: Create the Recovery Storage Group. Set the path to be the same as the path for the existing mailbox store.
B: Create the Recovery Storage Group. Set the database path to C:\Program Files\Exchsrvr\Recovery Storage Group.
C: Restore the mailbox store and then mount the mailbox store.
D: Delete the database and transaction log files. Then mount the mailbox store.


35.You are the Exchange administrator for Fabrikam, Inc. The network consists of a single Active Directory domain named fabrikam.com. All Exchange servers run Exchange Server 2003. Microsoft Outlook 2003 is the only e-mail client in use. New written security policies require encryption for all e-mail messages that contain confidential information. A domain member named Irene tries to send an encrypted e-mail message to an external user named Peter. However, Outlook displays the following message:  You confirm that Peter has a digital encryption certificate suitable for sending secure e-mail messages. You need to ensure that Irene can send encrypted e-mail messages to Peter. What should you do?

 

A: Instruct Peter to send a digitally encrypted e-mail message to Irene.
B: Instruct Peter to send a digitally signed e-mail message to Irene.
C: Install and configure Microsoft Certificate Services. Instruct Irene to request a personal encryption certificate from the Certificate Services server.
D: Install and configure a server encryption certificate on the Exchange server that contains Irene’s mailbox.

 

 =====================================================================

Technical knowledge
For mail security, users can connect to the mail server over SSL.
But SSL on the client connection leaves other mail security problems open: the safety of mail in transit between mail servers, the authenticity of the sender's identity, the integrity of the mail (that it has not been tampered with since it was sent), and so on.
Two methods based on PKI (public key infrastructure), mail encryption and digital signatures, should be used to protect mail security.
Encryption
Encryption encodes a mail so that only people with the correct key can decrypt it. It protects mail while it is transferred across the Internet.
First, the sender must get the receiver's public key. The sender then encrypts the mail with that public key and transfers it to the receiver. The receiver decrypts the encrypted mail with his private key.
Digital Signature

Digital signatures allow email to become more trustworthy. Digital signatures are a sequence of characters that are generated based on the content of the mail and the sender’s private key. The recipient is then able to use this sequence to check whether the email has been tampered with, using the sender’s public key and the contents of the email. If the message has not been tampered with, the recipient can verify that the message was indeed sent by the person whose digital signature is attached. If the message has been tampered with, the digital signature cannot be verified. The recipient then knows that the content of the message might have been tampered with and can take appropriate action.

 

Correct Answers:  B
A: Incorrect: To encrypt the mail, Peter would first need to get Irene’s public key.
B: Correct: Peter’s public key is transferred to Irene with the digitally signed mail. The public key can then be saved in Peter’s contact entry in Irene’s mail client.
C: Incorrect
D: Incorrect: Irene’s public key must match the private key stored on Irene’s computer.
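
The key exchange behind answer B, as an added example that is not part of the original post: Irene cannot encrypt to Peter until a signed mail from him has delivered his public key. Textbook RSA over two small fixed primes stands in for S/MIME here and is not secure; `MailClient`, the sample messages and storing the key without certificate chain validation are assumptions made for the illustration.

```python
import hashlib
import secrets

# Textbook RSA over two small Mersenne primes: illustration only, not secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def make_keypair():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))    # private exponent
    return (n, E), (n, d)                # (public key, private key)

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Signature = digest of the content raised to the sender's private exponent."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def _keystream(session_key, length):
    out, counter = b"", 0
    while len(out) < length:
        block = session_key.to_bytes(32, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]

def encrypt(message, public_key):
    """Wrap a random session key with the recipient's public key, then mask the body."""
    n, e = public_key
    session_key = secrets.randbelow(n - 2) + 2
    body = bytes(a ^ b for a, b in zip(message, _keystream(session_key, len(message))))
    return pow(session_key, e, n), body

def decrypt(ciphertext, private_key):
    n, d = private_key
    wrapped, body = ciphertext
    session_key = pow(wrapped, d, n)
    return bytes(a ^ b for a, b in zip(body, _keystream(session_key, len(body))))

class MailClient:
    """Hypothetical mail client that learns public keys from signed mail."""

    def __init__(self):
        self.contacts = {}    # sender name -> public key

    def receive_signed(self, sender, message, signature, sender_public_key):
        if not verify(message, signature, sender_public_key):
            return False                            # tampered content or wrong key
        self.contacts[sender] = sender_public_key   # assumption: no chain validation
        return True

    def send_encrypted(self, recipient, message):
        if recipient not in self.contacts:          # Irene's situation in the question
            raise LookupError(f"no encryption key on file for {recipient}")
        return encrypt(message, self.contacts[recipient])

if __name__ == "__main__":
    peter_public, peter_private = make_keypair()
    irene = MailClient()
    hello = b"Hi Irene, this mail is signed"        # constructed sample message
    irene.receive_signed("Peter", hello, sign(hello, peter_private), peter_public)
    sealed = irene.send_encrypted("Peter", b"Confidential figures")
    print(decrypt(sealed, peter_private))
```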


11.You are the Exchange administrator for your company. The network currently consists of a two-node Exchange Server 2003 active/passive cluster. Three hundred HTTP client computers connect to the Exchange servers by using SSL. Users report that the response time of their Microsoft Outlook Web Access screen refreshes is unacceptably slow. You add two more servers to the existing Exchange environment. You need to ensure that your HTTP client computers have redundancy and acceptable client response times. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A: Join the new servers to the existing cluster.
B: Select the option to configure the new servers as front-end servers.
C: Configure the new servers so that they use Network Load Balancing.
D: Create an Exchange System Attendant cluster resource for each front-end server on the existing cluster.
 =========================================================================

The topology

 

Technical Knowledge

The Exchange front-end and back-end topology is used in multiple-server organizations that provide access for Internet users. Internal mail clients can also benefit from a front-end and back-end server topology.

 

Front-End and Back-End topology Advantages:
1. Single namespace

The primary advantage of a front-end server is that it defines a single namespace through which users access mailboxes located on different Exchange servers. Without a front-end server, each user must know the name of their Exchange server.

2. Offloads SSL Encryption and Decryption

For security, OWA or Outlook 2003 clients need to use SSL (Secure Sockets Layer) to connect to their Exchange server. However, processing SSL traffic can be significant overhead for a server. The front-end server can handle the SSL encryption, freeing up the processor on the back-end servers.

3. More security

Because the front-end server stores no user information, it provides an additional layer of security for the organization. Additionally, the front-end servers authenticate requests before proxying them, protecting the back-end servers from DoS (denial-of-service) attacks.

 

Correct Answers:  B, C
 

A: Incorrect: Adding a new server cannot make a significant difference to the slow mail access.
B: Correct: A front-end server frees up the processor on the back-end servers by processing the clients' SSL connections.

C: Correct: Enabling NLB (Network Load Balancing) spreads client requests evenly across multiple front-end servers, which can speed up OWA client access.

D: Incorrect: The Exchange System Attendant service should be enabled; it allows for administration and IIS metabase updates. The service is not used to improve Exchange performance or to reduce client response time.


33.You are the Exchange administrator for your company. The Exchange organization contains a single Exchange Server 2003 computer named Exch1. The company employs 1,000 users. Six hundred of the users are remote users who access Exch1 by using POP3 and IMAP4 clients over the company Internet connection. On Monday morning, the company ISP informs you that 1 million unsolicited e-mail messages were sent from your network over the preceding two days. Such activity violates the terms of service of your ISP. The problem must be resolved immediately. You verify that the e-mail messages were not sent by any users on your network. You suspect that an external intruder used Exch1 to send the e-mail messages. You need to ensure that this problem cannot happen again. Your solution must not affect the ability of company users to send and receive legitimate e-mail messages. What should you do?
A: Configure Exch1 to prohibit SMTP relaying.
B: Configure Exch1 and Active Directory to permit only authenticated users to send e-mail messages to user groups and distribution lists in the domain.
C: Configure Exch1 to permit SMTP relaying only for authenticated users. Instruct all remote users to configure their e-mail clients to authenticate when they send e-mail messages.
D: Configure the network so that only outgoing SMTP traffic and replies to incoming SMTP traffic are allowed to leave the network.

================================================== 

Technical Knowledge
Open-Relay
Relaying occurs when a user sends mail from another mail server through our mail server. As a result, the mail appears to have originated from the relaying mail server instead of where it truly came from. Spammers commonly use open relays to send junk mail (also known as spam or UCE). Running an open relay is one of the quickest ways for a mail server to be listed on an RBL, which many organizations use to filter out potential spam messages.
When SMTP relay is prohibited for any computer without valid authentication credentials, mail clients (such as Outlook Express or Foxmail) are refused by default when they submit mail over SMTP for another organization's mail server, because they lack the Relay permission (as shown in the following figure).
 

Figure: Configuration for SMTP Relay restrictions and for permissions of mail submitting and relaying.

 Correct Answers:  C
A: Incorrect: Prohibiting SMTP relaying avoids being listed on an RBL, but it leaves Outlook Express clients that use SMTP without the relay permission they need to submit mail to other organizations' mail servers.
B: Incorrect: Sending a message to users or groups located in the same domain needs only the Submit permission, and by default Authenticated Users already have the Submit permission (as shown in the figure above).
C: Correct: Users need to relay mail to other organizations. For this, we should take the following two steps:
    1.  On the Exchange server, grant the Relay permission to Authenticated Users.
    2.  On the clients, select the “My server requires authentication” check box when configuring the SMTP client (as shown in the following figure).

D: Incorrect: Outgoing and incoming SMTP traffic must be allowed at the network firewall, but in this case that is not enough for an SMTP client to relay mail to other organizations.
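
The relay restrictions compared above, as an added example that is not part of the original post: a minimal model of one SMTP session run under an open relay, answer A and answer C. The domain `example.com`, the account and the session transcripts are constructed, and the class is a simplified model, not Exchange's implementation.

```python
import base64
import hmac

LOCAL_DOMAINS = {"example.com"}             # assumption: domains hosted on the server
USERS = {"remoteuser": "constructed-pass"}  # constructed account for the demo

class SmtpSession:
    """Minimal model of one SMTP session under a given relay restriction."""

    def __init__(self, relay_anonymous, relay_authenticated):
        self.relay_anonymous = relay_anonymous
        self.relay_authenticated = relay_authenticated
        self.authenticated = False

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250 AUTH PLAIN"   # real servers should offer AUTH only over TLS
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            return self._rcpt(arg)
        return "502 5.5.2 Command not implemented"

    def _auth(self, arg):
        mechanism, _, token = arg.partition(" ")
        if mechanism.upper() != "PLAIN":
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(token, validate=True).split(b"\0")
        except ValueError:
            return "501 5.5.2 Cannot decode AUTH parameter"
        expected = USERS.get(user.decode("utf-8", "replace"), "")
        if expected and hmac.compare_digest(expected.encode(), password):
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def _rcpt(self, arg):
        address = arg.partition(":")[2].strip().strip("<>")
        domain = address.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS:
            return "250 2.1.5 Recipient OK"          # local delivery, not a relay
        allowed = self.relay_authenticated if self.authenticated else self.relay_anonymous
        return "250 2.1.5 Recipient OK" if allowed else "550 5.7.1 Unable to relay"

def run(policy, commands):
    """Replay a client transcript and return the reply code for each command."""
    session = SmtpSession(**policy)
    return [session.handle(command).split(" ", 1)[0] for command in commands]

OPEN_RELAY = dict(relay_anonymous=True, relay_authenticated=True)
ANSWER_A = dict(relay_anonymous=False, relay_authenticated=False)
ANSWER_C = dict(relay_anonymous=False, relay_authenticated=True)

# Constructed transcripts. An unauthenticated remote user looks the same to the
# server as an outsider abusing the relay, which is why clients must authenticate.
TOKEN = base64.b64encode(b"\0remoteuser\0constructed-pass").decode()
ANONYMOUS = ["EHLO client", "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>"]
AUTHENTICATED = ["EHLO client", f"AUTH PLAIN {TOKEN}",
                 "MAIL FROM:<remoteuser@example.com>", "RCPT TO:<partner@example.net>"]
INBOUND = ["EHLO mx", "MAIL FROM:<b@example.net>", "RCPT TO:<remoteuser@example.com>"]

if __name__ == "__main__":
    for name, policy in [("open relay", OPEN_RELAY), ("answer A", ANSWER_A), ("answer C", ANSWER_C)]:
        print(name, run(policy, ANONYMOUS), run(policy, AUTHENTICATED), run(policy, INBOUND))
```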


27.You are the Exchange administrator for Fabrikam, Inc. The network consists of a single Active Directory forest. The forest root domain is named domain.root. The domain structure is shown in the work area. You plan to implement Exchange Server 2003 as the companywide messaging system. Exchange servers must be deployed only in the Fabrikam.com and london.fabrikam.com domains. Each domain in the fabrikam.com tree must contain mailbox-enabled users and mail-enabled groups. You need to run the appropriate command or commands to ensure that the Active Directory infrastructure is prepared to support this implementation. Your solution must require the minimum amount of administrative effort. Which setup command or commands should you run, and in which domains? To answer, drag the appropriate setup command or commands to the correct domain or domains in the work area.

Drag and drop question. Drag the items to the proper locations.

======================================================================== 

Technical Knowledge
The steps of an Exchange 2003 installation are: running ForestPrep, running DomainPrep and installing the Exchange 2003 system.
ForestPrep
ForestPrep extends the schema with more AD classes and attributes, and also creates a container within AD for the Exchange 2003 organization.
To prepare AD (Active Directory) for the Exchange 2003 installation, ForestPrep must be run in the domain in which the Schema Master resides. ForestPrep needs to be run only once in a forest, at the Schema Master. Generally, the Schema Master is the first DC (domain controller) in a forest.
DomainPrep
After ForestPrep has been run to add the necessary extensions to the AD schema, DomainPrep must be run in each domain in the forest that will use Exchange. DomainPrep works within a domain to create the necessary groups and permissions that Exchange 2003 servers use to read and modify user attributes.
So correct Answers:

 

Filed Under (70-350 ISA2004) by Goal Dong on June-20-2007

42. You are the network administrator for your company. The network contains an ISA Server 2004 computer named ISA1, which is configured as a remote access VPN server. You configure ISA1 to accept both PPTP and L2TP over IPSec VPN connections from remote access clients. Several users report that they cannot connect to the network. You review the log files on ISA1 and discover that the users with failed connection attempts are all using L2TP over IPSec. You need to ensure that the users can connect to the network. What should you do?
A: Disable IP fragment blocking.
B: Disable IP routing.
C: Disable IP options filtering.
D: Disable verification of incoming client certificates.

========================================================================================

Technical Knowledge
Two additional options, Intrusion Detection and IP Preferences, configure how ISA 2004 responds to various attacks or malformed IP packets.
IP preferences are used to block otherwise valid packets that may or may not be used by attackers. As shown in the following figure, we can configure the following IP preferences on ISA 2004:
IP options
We can configure ISA 2004 to refuse all packets that have the IP options flag set in the header.
The IP options flags that are most commonly used by attackers are the source routing options. The source route option in the IP header allows the sender to override routing decisions that are normally made by the routers between the source and destination machines. An attacker can use source routing to reach addresses on the internal network that normally are not reachable from other networks, by routing the traffic through another computer that is reachable from both the other network and the internal network.
IP fragments
We can also configure ISA Server to drop all IP fragments. A single IP datagram can be separated into multiple datagrams of smaller sizes known as IP fragments. In the teardrop attack, multiple IP fragments are sent to a server. When the destination computer tries to reassemble these packets, it is unable to do so. It may fail, stop responding, or restart. If we enable this option, then all fragmented packets are dropped. Enabling IP fragment filtering can interfere with streaming audio and video. In addition, Layer Two Tunneling Protocol (L2TP) over IPSec connections may not be established successfully because packet fragmentation may take place during certificate exchange.
IP routing
When IP routing is enabled, ISA Server sends the original network packet from one network to another. ISA Server can filter the network packet. When IP routing is disabled, ISA Server sends only the data (and not the original network packet) to the destination. Also, when IP routing is disabled, ISA Server sends each packet through the firewall in user mode. Disabling IP routing is more secure, but can also decrease router performance.
Correct Answers:  A
A: Correct: Enabling IP fragment filtering can interfere with L2TP over IPSec connections because packet fragmentation may take place during certificate exchange.
B: Incorrect
C: Incorrect
D: Incorrect

Figure: The properties of IP preferences
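
The header fields that the IP options and IP fragment filters described above act on, as an added example that is not part of the original post: a parser that reports options, source routing and fragmentation for an IPv4 header, plus a simplified drop/allow decision. `filter_decision`, `build_header` and the sample packets are constructed for the illustration and do not reproduce ISA Server's implementation.

```python
import struct

LSRR, SSRR = 0x83, 0x89   # loose / strict source routing option types (RFC 791)

def inspect_ipv4(packet):
    """Report the header properties that options and fragment filtering look at."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, _total, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("invalid header length")
    options, i = [], 20
    while i < header_len:
        opt = packet[i]
        if opt == 0:                      # End of Option List
            break
        if opt == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= header_len or packet[i + 1] < 2 or i + packet[i + 1] > header_len:
            raise ValueError("malformed option")
        options.append(opt)
        i += packet[i + 1]
    frag_offset = (flags_frag & 0x1FFF) * 8      # offset is carried in 8-byte units
    return {
        "has_options": header_len > 20,
        "source_routed": any(o in (LSRR, SSRR) for o in options),
        "is_fragment": bool(flags_frag & 0x2000) or frag_offset > 0,
        "frag_offset": frag_offset,
    }

def filter_decision(packet, block_options, block_fragments):
    """Simplified model of the two IP preference check boxes."""
    info = inspect_ipv4(packet)
    if block_options and info["has_options"]:
        return "drop: IP options"
    if block_fragments and info["is_fragment"]:
        return "drop: IP fragment"
    return "allow"

def build_header(options=b"", more_fragments=False, offset_units=0):
    """Build a constructed IPv4/UDP header (checksum left at 0) for the samples."""
    options += b"\x00" * (-len(options) % 4)     # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 1, flags_frag,
                       64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + options

# Constructed samples: an ordinary packet, a source-routed packet, and the first
# and last fragments of a large UDP datagram such as an IKE certificate exchange.
PLAIN = build_header()
SOURCE_ROUTED = build_header(options=bytes([LSRR, 7, 4, 10, 0, 0, 1]))
FIRST_FRAGMENT = build_header(more_fragments=True)
LAST_FRAGMENT = build_header(offset_units=185)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("source routed", SOURCE_ROUTED),
                      ("first fragment", FIRST_FRAGMENT), ("last fragment", LAST_FRAGMENT)]:
        print(name, filter_decision(pkt, block_options=True, block_fragments=True))
```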

 


Filed Under (70-350 ISA2004) by Goal Dong on June-18-2007

35.You are a network administrator for Contoso, Ltd. Client computers on the internal network are divided among several subnets by using routers. You install an ISA Server 2004 computer named ISA1. ISA1 will be used to allow users to access Web sites on the Internet. You configure TCP/IP on ISA1 as shown in the exhibit. (Click the Exhibit button.) After ISA1 is installed, users report that they cannot access Web sites on the Internet. You need to ensure that users can access Web sites on the Internet. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A: Configure the internal default gateway to match the external default gateway.
B: Configure a static route to each subnet.
C: Add the IP address of the internal default gateway to the Remote Management Computers computer set.
D: Configure the internal network adapter with a blank default gateway.
E: Create a network set for each subnet.

============================================================================ 

The topology

 

Correct Answers:  B, D
A: Incorrect: Only one of a computer's several gateway addresses is available at a time. So we make the external default gateway of ISA the only one available by configuring the internal network adapter with a blank default gateway.
B: Correct: See the topology.
C: Incorrect
D: Correct
E: Incorrect


Filed Under (70-350 ISA2004) by Goal Dong on June-16-2007

34.You are a network administrator for your company. You plan to implement ISA Server 2004 as a SecureNAT firewall for client computers on the network. The implementation will consist of a Windows Server 2003 Network Load Balancing cluster. External client computers that connect to resources published by ISA Server must be load balanced across the Network Load Balancing cluster when they connect by using DNS. You need to plan the external DNS implementation before you deploy ISA Server 2004. What should you do?
A: Create three service locator (SRV) resource records. Configure each record to use the _HTTP service and to reference the IP address of one of the internal interfaces of the Network Load Balancing cluster nodes.
B: Create three host (A) resource records. Configure each record with the IP address of one of the external interfaces of the Network Load Balancing cluster nodes.
C: Create one host (A) resource record. Configure the record with the virtual IP address that is assigned to the external interface of the Network Load Balancing cluster.
D: Create one host (A) resource record. Configure the record with the virtual IP address that is assigned to the internal interface of the Network Load Balancing cluster.
Correct Answers:  C
 

==================================================== 

The Topology

 

A: Incorrect: SRV records are not used by external users to access resources; they are used to support the proper operation of Active Directory. So A records should be used.
B: Incorrect: The IP address that external users use to reach ISA should be the virtual IP of the ISA array if NLB is enabled, or the IP of one of the array members if NLB is not enabled.
C: Correct
D: Incorrect: External users cannot connect to the internal virtual IP of the ISA array.


Filed Under (70-350 ISA2004) by Goal Dong on June-14-2007

33.You are a network administrator for your company. The network is configured as shown in the exhibit. (Click the Exhibit button.) You are upgrading the Routing and Remote Access servers to ISA Server 2004. You need to configure the Internal network. You need to create access rules that are specific for each subnet. Which three IP address ranges should you use? (Each correct answer presents part of the solution. Choose three.)

 

A: 10.0.25.1     - 10.0.25.255
B: 172.16.1.0   - 172.16.1.255
C: 172.16.2.0   - 172.16.2.255
D: 172.16.10.0 - 172.16.10.255
E: 192.168.1.0 - 192.168.255.255
 

============================================================================= 

Technical knowledge
ISA Server supports three types of network (Internal, External and perimeter), but an unlimited number of networks.
The servers that are accessible from the Internet are usually isolated on their own network, such as a perimeter network (also known as a demilitarized zone, or DMZ). The servers and client computers that are not accessible from the Internet are located in an Internal network.
According to the question, we need to define the Internal network address ranges. As shown in the exhibit, the client computers and servers located in the 172.16.0.0/16 network are not accessible from the Internet, so
Correct Answers:  B, C, D


Filed Under (70-350 ISA2004) by Goal Dong on June-14-2007

3.You are the network administrator for your company. The network contains an ISA Server 2004 array. The array contains six members. You enable Cache Array Routing Protocol (CARP) so that outbound Web requests are resolved within the array. Soon after you enable CARP on the array, Web users on the corporate network report that Internet access is slower than normal.  You use Network Monitor to check network traffic patterns on each of the ISA Server 2004 array members. You discover that there is very high network utilization on the intra-array network. You need to reduce the amount of intra-array traffic. What should you do?
A: Enable Network Load Balancing on the intra-array network.
B: Configure the client computers as SecureNAT clients.
C: Use automatic discovery to configure the client computers as Web Proxy clients.
D: Enable CARP on the intra-array network.

=================================================== 

Technical knowledge
When CARP is enabled, the cache drives on all the servers in the array are treated as a single logical cache drive. In this way, cached objects can be efficiently distributed among the member servers.
For the client setting, the Web Proxy client is a good choice, because Web Proxy clients connect to the array by using the array DNS name to download the CARP script. The clients use the script to determine which array member to connect to when accessing Web content. Consequently, this reduces the amount of intra-array traffic.
 
So the correct answer is C.
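
Why resolving the owning member on the client removes intra-array traffic, as an added example that is not part of the original post. Highest-score hashing with SHA-256 stands in for CARP's own hash function, and the member names, URLs and the round-robin entry point for clients without the script are assumptions.

```python
import hashlib

MEMBERS = [f"isa{i}.example.internal" for i in range(1, 7)]   # assumed six-member array
URLS = [f"http://www.example.com/page{i}.html" for i in range(600)]   # constructed

def owner(url, members):
    """The member with the highest combined hash score caches this URL."""
    def score(member):
        return hashlib.sha256(f"{member}|{url}".encode()).digest()
    return max(members, key=score)

def intra_array_forwards(urls, members, client_runs_script):
    """Count requests that one member must pass on to another member."""
    forwards = 0
    for i, url in enumerate(urls):
        target = owner(url, members)
        # With the script the client computes the owner itself and connects to it.
        # Without it the client reaches an arbitrary member (round-robin here),
        # which then has to forward the request across the intra-array network.
        entry = target if client_runs_script else members[i % len(members)]
        if entry != target:
            forwards += 1
    return forwards

def remapped_after_removal(urls, members, removed):
    """URLs whose owner changes when one member leaves the array."""
    remaining = [m for m in members if m != removed]
    return [u for u in urls if owner(u, members) != owner(u, remaining)]

if __name__ == "__main__":
    print("forwards without script:", intra_array_forwards(URLS, MEMBERS, False))
    print("forwards with script:   ", intra_array_forwards(URLS, MEMBERS, True))
    print("URLs remapped if one member fails:",
          len(remapped_after_removal(URLS, MEMBERS, MEMBERS[0])))
```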