Questioning Success, Part III

Exam 70-216 is a bear, thoroughly testing your knowledge of Windows 2000 networking services. Analyzing questions and answers can help you slay the beast.

This is the third of a four-part series covering exam-question analysis for the Windows 2000 Core four exams: Win2K Professional, Win2K Server, Implementing and Administering a Win2K Network Infrastructure, and Implementing and Administering Win2K Directory Services. This month I take a look at 70-216, "Implementing and Administering a Windows 2000 Network Infrastructure."

Not Your Father's TCP/IP
If you're preparing for 70-216, you must have already passed the Win2K Professional and Server exams. Congratulations on your achievement. However, now isn't the time to be overly confident; the Implementing and Administering a Windows 2000 Network Infrastructure exam is much more difficult because you're tested in-depth on the myriad networking services built into Win2K. That includes everything from configuring DNS, WINS, DHCP, Radius and RRAS (with its multitude of configurations), to planning for and implementing IP subnetting.

If you're an NT4.0 MCSE, you probably remember the difficulties you may have had passing the Server in the Enterprise and TCP/IP exams. Imagine those tests combined and then supplemented by all the new networking bells and whistles that Win2K adds. Are you getting the idea? Let's take a look at some sample questions.

Question No. 1
You have installed and configured the DHCP Server service on a Windows 2000 Server. After creating a scope with a range of valid IP addresses, you then create an exclusion range as well as address reservations (using the MAC addresses) for three of your local Web servers so they'll always receive the same address. You configure the Web servers as DHCP clients, but find that they are not receiving addresses from the DHCP server.

What do you do to fix the problem?

  1. Enable the address conflict detection feature of the DHCP server service. .
  2. Remove the address reservations.
  3. When creating the reservations use the GUID instead of the MAC address.
  4. Remove the exclusion range for the addresses reserved for the Web servers.

Question No. 1 Analysis
To answer this question you need to know the intricacies of DHCP. You want to have all three Web servers receive an IP address from DHCP, but you want it to be the same IP address each time, rather than a random pick-from-the-address pool. Because clients will probably resolve the IP address of these Web servers through one or more name-resolution methods (Hosts files, DNS, WINS and so on.), it's important to have static IP addresses. So why not just plug in static addresses rather than have the Web servers configured through DHCP? Probably so you can manage all the Web server's IP protocol property options through the DHCP server. For example, if the default gateway of the Web servers has changed, you can configure the new gateway address on the DHCP server as a scope option, which will automatically refresh DHCP client configurations. This is better than having to manually change the option on the Web servers.

The central problem is that the Web servers aren't receiving addresses from the DHCP server. Why? Let's try and narrow down the correct answer by eliminating some of the incorrect answers. This common tactic can save you precious time on a test.

Answer A wouldn't fix the problem; it'll just let you know a problem exists. In address-conflict detection, the DHCP server pings an IP address before giving it to a client. If a ping response is received, the DHCP server knows the address is in use and doesn't give it out.

Answer B doesn't make sense. In order for a DHCP client to receive the same address every time from the DHCP server, a reservation is needed. Removing the reservations would mean the Web servers would receive any old address from DHCP.

Answer C is also wrong. When creating a reservation for a DHCP client, you must configure the reserved IP address with the MAC address of the client. The GUID is used by computers that want to download a Win2K Professional image from a RIS server; it has nothing to do with getting an IP address from DHCP.

That leaves D as the only possible choice. Addresses need to be excluded from the scope if they've already been statically assigned to other computers on the network, and you don't want DHCP to assign the same IP addresses.

Question No. 2
Dedicated T-1 lines connect your Miami headquarters with your New York and Seattle branch offices. Two additional branch offices use 128-Kbps ISDN lines and Routing and Remote Access over the Internet to connect to the company's network. You are designing your DNS name-resolution environment and want to accomplish the following goals:

DNS Name resolution traffic across the WAN links should be minimized.
DNS Zone transfers should be secure.
Host names should be added to the zone file dynamically.

You take the following actions:

Install the DNS Server service on one Domain Controller at each office.
Create an Active Directory-integrated zone on each DNS server at each office.
Configure client computers to query their local DNS server.
Configure the zones to allow dynamic updates.

What results do these actions produce? Choose all that apply.

  1. Name-resolution traffic is minimized.
  2. Zone Transfer is secure.
  3. The zone file is updated dynamically.

Question No.2 Analysis
You'll definitely need to beef up on your knowledge of how DNS works on a Win2K server before you attempt to answer this question. So here's a little primer. When you create a DNS zone (database) on a Win2K server, it makes the server authoritative and able to answer queries from DNS clients.

The zone file data can either be stored in a text file (Standard DNS) or stored in the Active Directory database (AD-integrated DNS). A server with a zone file can be configured as either Primary for that file (has Read/Write access to the data) or Secondary for that file (has Read-only access to the data). When implementing Standard DNS, where all zone files are text files, there can only be one Primary; all others must be Secondary. This is similar to the relationship between PDCs and BDCs in NT4.0.

When using AD-integrated zones, there can be multiple Primaries, since the data is stored in the AD database on DCs. All Win2K DCs have Read/Write access to the AD database and, therefore, Read/Write access to the zone data.

When a Primary server writes an update to the zone file, Secondary servers receive the update through a process called zone transfer. In the case of AD-integrated zones, all the DCs for that domain receive the zone transfer data through standard AD replication.

Another neat feature supported by Win2K DNS is dynamic updates, the ability for clients to update their own records in the DNS zone file. This is similar to the way WINS works. It doesn't matter whether the zone file is a text file or AD-integrated-you can enable dynamic updates as long as you're using Win2K DNS. Clients must update their records on a Primary DNS server, as the server needs Read/Write access to perform the update.

Back to the question. What exactly did you accomplish? Let's start with the DNS name-resolution traffic being minimized. You configured a DNS server for each office and configured the local clients to use that server for name resolution. This will minimize the name-resolution traffic across the WAN links, as the local DNS server can resolve the query.

Zone transfers, however, aren't secured just by creating an AD-integrated zone. Any hacker on the Internet can install DNS on a local computer and make it secondary for your zone data. The only way to ensure that zone transfer is secure is to set up a list of servers authorized to perform a zone transfer.

The zone files are being updated dynamically because all your DNS servers are DCs with an AD-integrated zone, and you enabled dynamic updates. Clients are updating their local DNS server's copy of the zone data.

Question No.3
You manage a small network that consists of a Windows 2000 Server computer named COMP1 and 10 Windows 2000 Professional computers. COMP1 has a dial-up connection to a local ISP for access to the Internet. COMP1 is sharing out the ISP connection through Internet Connection Sharing (ICS).

The 10 Windows 2000 Professional computers are configured for static TCP/IP addressing. The IP addresses are 192.168.0 1 through 192.168.0.10, with a subnet mask of 255.255.255.0. The 10 Windows 2000 Professional computers have no default gateway configured. None of the Windows 2000 Professional computers can surf the Internet, even though they are configured statically with the IP address of the ISP's DNS server.

How do you fix this problem? Choose all that apply.

  1. On the Windows 2000 Professional computer with IP address 192.168.0.1, change the IP address to 192.168.0.11
  2. Change the default gateway on all 10 Windows 2000 Professional computers to 169.254.0.1
  3. Change the subnet mask on all 10 Windows 2000 Professional computers to 255.255.0.0.
  4. Change the IP address on all 12 Windows 2000 Professional computers to 169.254.0.2 through 169.254.0.11
  5. Change the default gateway on all 12 Windows 2000 Professional computers to 192.168.0 1

Question No.3 Analysis
Again, your knowledge of how Win2K network services (in this case ICS) works will make the difference in answering this question correctly. When you enable ICS, a simple process of checking a checkbox within your dial-up connection properties, multiple things occur. First, the local network card of the computer is assigned an IP address of 192.168.0.1. Second, the ICS computer starts behaving like a DHCP server and will assign out addresses from the 192.168.0.x range to DHCP clients. It will also configure these clients with the IP address of a default gateway and a DNS server, with both of these addresses configured as 192.168.0.1. The end result is that a DHCP client on the same network as the ICS computer will be able to access the Internet by having its packets destined for the Internet translated by ICS.

The first problem in this scenario is that your clients are configured with static addresses. When ICS is enabled and tries to assign itself the address of 192.168.0.1, it won't be able to because this has already been statically assigned to another computer on the local network. It won't assign itself another address. So the first step in fixing the problem is removing the address 192.168.0.1 from the offending computer so ICS can use that address. This is accomplished by answer A.

Also, your local clients should really be configured as DHCP clients so they can receive their entire IP configuration from ICS. Since reconfiguring them as DHCP clients isn't one of the possible choices, we'll have to look for an alternate solution.

For a computer to connect to the Internet, it only needs a valid IP address, local default gateway configured from the same address range, the ability to route or translate its packets onto the Internet, and a DNS server for name resolution. The local clients already have static addresses from the same range as the ICS computer. They're already configured to talk to the ISP's DNS server for name resolution. The only thing missing is to make sure they have the right Default Gateway configured. This should be the address assigned to the local network interface on the ICS computer, which is 192.168.0.1.

Answers A and E are correct. B and D have the wrong address range specified. These 169.254.x.x. addresses are from the Automatic Private IP Address Range (APIPA), and are default addresses assigned by the service when the client can't receive an address from DHCP. Answer C is wrong because 192 is a private Class C address range, and the mask should be 255.255.255.0.

Get Ready
With so many networking services and their nuances to learn, you'll need to give yourself plenty of time to prepare for this exam. Configure each of the major networking services like DHCP, DNS, WINS, RRAS, RADIUS and so on in your home or office lab and make sure you understand the various configuration options for each of the services. Microsoft is mighty proud of the networking prowess of Win2K, but don't let the test intimidate you. With adequate preparation you can pass this exam.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.