Re: Answers on practice exams wrong? question inside


I should correct myself...

for question number 3, I think it's correct to open LDAP traffic...
when they say: "External users and partners from universities will have
access only to external resources. Under no circumstances will external
users be given access to internal resources"
they say that external users will have to access the external resources,
the resources inside the perimeter firewall but outside the internal
firewall. To access these resources LDAP traffic must be allowed
because on these resources there are also DCs, and a query to AD is
necessary to locate resources.

In question number 1, I said that I didn't know why raising the
domain level is necessary; well, it is because the default domain level
is 2000 mixed, and by raising it to 2000 native or 2003 you will be able to
preserve SID history, a feature necessary to migrate user accounts as
requested in the case.

Byeee

Ivan Rufini wrote:

Hi WingNut,
For the first question about forest trust, the option in the answers is
to "change the DOMAIN functional level". To allow forest trusts you
need "FOREST LEVEL Windows 2003", not domain level.
Maybe there's a reason to change the domain level before migrating user
and computer accounts; honestly I don't remember. Anyway this could be
a tricky question because it misleads between FOREST and DOMAIN functional
level...

For the question about DNS (the second).

In the question there is this phrase:
"An external DNS server will be required to perform only name
resolution for the namespace
treyresearch.com. It will not be allowed to resolve any other name for
external users, including
names of other Internet based hosts."
I answered "Configure a root zone on the external DNS server"
because I thought that, as the question says, names of other Internet
based hosts must not be resolved, so no forwarding to the ISP DNS is
suggested, don't you think??

For the third question,

(LDAP, HTTPS, etc.) I agree with you that LDAP shouldn't be selected.
I think that the only case when you must let LDAP traffic pass is if
you need to permit Exchange users to read the contact list when
connecting from outside (the GAL is from Active Directory and a query to AD
is made through LDAP), but the question here refers to Exchange
only in these words: "A Microsoft Exchange Server 2003 deployment will
be implemented for internal users with a dedicated Exchange Server 2003
computer in each office."
Anyway another point of the question is: "External users and partners
from universities will have access only to external resources. Under no
circumstances will external users be given access to internal
resources. This includes the external IT staff."
So I agree with you, LDAP shouldn't be considered.

Waiting for any other considerations...
Ivan



Wingnut wrote:

I am studying for the AD Design exam 70-297 and I have a couple of
practice exams here that I think are way off on a couple of their
questions, and I wanted to ask here to verify that. You will not have
the scenario but I think it's pretty obvious without it.
----------------------------------
First one -

They want you to design a strategy for migrating an internal network;
in the scenario the internal and external networks are isolated
(separate forests) and the current internal is a Win2000 domain that
was hashed together, so it needs to be completely redone. Their steps are:
1) Create pristine forest
2) Establish an external trust
3) Change the domain functional level
4) Migrate computer accounts
5) Migrate user accounts

First off... to create an external forest trust you must raise the
domain functional level and then raise the forest functional level, both
to 2003, correct? So to my thinking it would be errant to say that you can
create the external trust before changing the functional level, since
2003 installs at a default of 2000-mixed. Is that correct?

Also, everywhere else I have read that you migrate users first, and then
computers and other objects; here they are saying computers first, then
users? Is this wrong also?
----------------------------------

Second-

The question says you are designing the configuration of the external DNS
server to meet the business and technical requirements. The
requirements are that the external cannot resolve anything on the
internal network. Internal must be able to resolve internal and
external. It also states that the name resolution of Internet based
resources should be done in such a way as to not generate excessive
and unnecessary traffic, which basically says disable recursion and use
a forwarder to the ISP's DNS, because if you use the default root hints it
will generate more traffic than forwarding.

The possible answers are:
A) Configure a root zone on the external DNS server
B) Configure a stub zone for .com on the external DNS server
C) Configure the external DNS server to use default root hints
D) Configure the external DNS server to use the ISP's DNS server as a
forwarder.

Obviously I answered D; however it is saying the correct answer is to
configure a root zone and gives no explanation. A root zone for a 2
forest, 2 domain network would be excessive in itself and overcomplicate
administration; you are only supposed to use a root zone in situations
where the networks are complicated with many zones and a deep tree,
which is not the case in this one. Am I correct in saying that D
should be the correct answer?

----------------------------------

Third and last question

It states you need to identify the types of inbound traffic to be
allowed through the perimeter firewall. In the scenario there is a
perimeter firewall that is connected to the Internet and the external
network; on the external network is the external forest, which contains
web, VPN, DNS servers etc. There is then an internal firewall that is
connected to the external network and the internal network. The VPN
server has a direct connection to the internal network, bypassing the
firewall. You are supposed to specify which services should be allowed
while maintaining the security of the network.

The options are:
VPN, DNS, LDAP, HTTP, HTTPS, traffic from network address
192.168.10/24

They are saying you should allow - VPN, LDAP, HTTP and HTTPS

I disagree that LDAP should be allowed in from the Internet, because
that would not maintain security at all! I also argue that DNS should
be allowed in, otherwise nothing will be able to be resolved from the
Internet on the external network.

Thoughts?


Thanks very much for your comments and thoughts; I hate these practice
exams that are poorly edited and contain errors. For reference I am
using the exams from Actualtests.com version 9.22.06.

Thanks!
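To make the difference between answers A and D in the second question concrete, here is an added example (not part of the thread, and not taken from any exam material) of how each configuration would be applied to a Windows Server 2003 DNS server with the dnscmd command-line tool. The server name EXTDNS1 and the ISP resolver address 192.0.2.53 are assumed placeholders; the zone name treyresearch.com comes from the question as quoted in the thread.

```powershell
# Added example: two ways to configure the external DNS server from the thread.
# Assumed names: EXTDNS1 is the external DNS server, 192.0.2.53 stands in for
# the ISP's resolver (a documentation address, not a real ISP).

# Both designs start the same way: the server is authoritative only for the
# public namespace. Nothing about the internal forest is hosted here, so the
# "external cannot resolve internal" requirement is met by zone placement alone.
dnscmd EXTDNS1 /ZoneAdd treyresearch.com /Primary /file treyresearch.com.dns

# --- Answer D: forward Internet queries to the ISP ---
# /Slave means "do not use recursion if the forwarder fails": the server never
# walks the root hints itself, so all Internet lookups cost one exchange with
# the ISP resolver instead of an iterative chain of queries.
dnscmd EXTDNS1 /ResetForwarders 192.0.2.53 /Slave

# --- Answer A: root zone ---
# Hosting a zone named "." makes the server consider itself a root server.
# Forwarders and root hints are then ignored, so the server answers only for
# the zones it hosts (treyresearch.com) and fails every other query, which is
# the behaviour Ivan reads into "not allowed to resolve any other name".
# Apply this INSTEAD of the forwarder above, not in addition to it.
dnscmd EXTDNS1 /ZoneAdd . /Primary /file root.dns

# Check what is actually in effect before the firewall rules are written.
dnscmd EXTDNS1 /EnumZones
dnscmd EXTDNS1 /Info
```

The two commands are alternatives, which is the heart of the disagreement in the thread: a forwarder keeps Internet resolution working for external clients at minimal traffic cost, while a root zone switches it off entirely, so which one is "correct" depends on whether the scenario wants external users to resolve Internet names at all.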



