Subject: Braindump for the 70-068 SITE exam

Well, I FAILED my first exam today, missing it by 3 questions. I passed NT Workstation, Server and Net Essentials the first time with great scores, so imagine my dismay.

Before you say, "what a loser, I won't get anything out of this dump", please read this. I spent the night and next day scouring resources for some correct answers to the questions I believe I got wrong. These are the same questions where the answers in other dumps were also WRONG! I think I have good answers to the ones under debate. If you disagree and have references, feel free to email me.

I will not hit the easy ones, just the ones I feel sure I got wrong:

1. The 2 questions on Microsoft Encryption and RAS connection:

The first question's solution was "allow any authentication" where the remote PCs were running NT 4.0. There seems to be a big debate, and the older version of TRANSCE**r SCREWED you if you believed it!

The answer is if you allow any authentication, NT 3.x and up, Win 95 and Win 3.11 will negotiate DES encryption, which will encrypt the password but WILL NOT encrypt the data, therefore, it does not meet the option of encrypting data.

Data encryption is ONLY an option if you select the checkbox for MS encryption and check the box for ensuring data encryption. If you choose any other choice, you cannot guarantee data encryption under RAS on NT 4.0.

The second question was the same, but the solution was to enable Microsoft encryption, but they say nothing about checking the box to ensure DATA encryption. Therefore, once again, you do not meet the option of encrypting the data, only the password.

Don't believe me, believe the TechNet article I read: do a search in TechNet on the support / Knowledge Base, and read the article entitled:

"Building a Marble OFX ..." - I couldn't remember the rest of the article's name, but it is the only one there like this. Go to the remote connections section. Here is a cut and paste from this article (see the ****):

************************************************************************

Level of security    Type of encryption    RAS encryption protocol
High                 One-way               CHAP, MD5
Medium               Two-way               SPAP
Low                  Clear-text            PAP

CHAP allows different types of encryption algorithms to be used. Specifically, RAS uses DES and RSA Security Inc.'s MD5. Microsoft RAS uses DES encryption when both the client and the server are using RAS. **** DES encryption, the U.S. government standard, was designed to protect against password discovery and playback. Windows NT 3.5 or later, Windows for Workgroups, and Windows 95 always negotiate DES-encrypted authentication when communicating with each other. When connecting to third-party remote access servers or client software, RAS can negotiate SPAP or clear-text authentication if the third party product does not support encrypted authentication.

MD5, an encryption scheme used by various PPP vendors for encrypted authentication, can be negotiated by the Microsoft RAS client when connecting to other vendors' remote access servers. MD5 is not available in the RAS server.

The Shiva Password Authentication Protocol (SPAP) is a two-way (reversible) encryption mechanism employed by Shiva. Windows NT Workstation, when connecting to a Shiva LAN Rover, uses SPAP and so does a Shiva client connecting to a Windows NT Server. This form of authentication is more secure than clear-text, but less secure than CHAP.

Password Authentication Protocol (PAP) uses clear-text passwords and is the least sophisticated authentication protocol. It is typically negotiated if the remote workstation and server cannot negotiate a more secure form of validation.

The Microsoft RAS server has an option that prevents clear-text passwords from being negotiated. This option enables system administrators to enforce a high level of security.

****************** Here is another cut and paste on security over RAS:

ANOTHER SEARCH:

Encryption on Windows NT RAS Server

When you enable the "Require Microsoft encrypted authentication" selection, you can optionally enable "Require data encryption". This option uses the RC4 algorithm to encrypt data sent over the RAS session.

CHAP requires a challenge response with encryption on the response. Windows NT RAS server supports the following encryption algorithms in conjunction with CHAP authentication:

RSA MD4 (or MS-CHAP)

    MS-CHAP is Microsoft's version of the RSA MD4 standard. This is the most secure encryption algorithm supported by Windows NT. MS-CHAP corresponds to the "Require Microsoft encrypted authentication" encryption setting for the RAS server. Both Windows NT and Windows 95 RAS clients will negotiate a PPP connection to a Windows NT RAS server using MS-CHAP as the encryption algorithm.

The "Require encrypted authentication" encryption setting authenticates clients that request the MS-CHAP, DES, or SPAP authentication methods.

The "Allow any authentication including clear text" encryption setting authenticates clients using any of the authentication methods requested by the client.

************************************************************************

2. The question where you have 7 domains, CORP is master, you want to audit changes to the "Directory services database" and they give you a Bitmap of the audit page.

"Directory services database" is another way of saying SAM database, so you would choose "success" on the "User and Group Management" events. They trick you into choosing File and Object since many people don't know what they are talking about.

Here is a cut and paste of the article in TechNet:

Does Windows NT Server have a Directory Service?

Yes. Microsoft Windows NT Directory Service has been available since the first release of Windows NT Server in 1993. Windows NT Directory Service is used by 80% of Windows NT Server customers to simplify using and managing their corporate networks. Windows NT Directory Service provides the key functions of a modern directory service, namely a single network logon, with a single point of administration and replication.

Windows NT Directory Service is based on a secure directory database containing user IDs, passwords, access rights, and organizational information. The directory database can be automatically replicated to multiple locations for backup reliability, load-balancing performance, and reduced network impact. In addition, with one logon, users can access a globe-spanning network, even when dialing in remotely or accessing the network over the Internet.

What's new in Windows NT Server 4.0 Directory Service?

Windows NT Directory Service has been enhanced in version 4.0 to accommodate a larger number of objects. Previously, the recommended maximum number of trusted domains was 128. In Windows NT Server 4.0, the Local Security Authority component has been enhanced to allow a greater number of trusted domains and to allow that number to scale with server memory.

Is Windows NT Server 4.0 Directory Service interoperable with NetWare 3.x and 4.x?

Yes. Windows NT Directory Service can manage Windows NT servers and servers running Novell NetWare 2.x or 3.x. The Directory Service Manager for NetWare extension to Windows NT Directory Service centrally manages user IDs and passwords, and synchronizes NetWare binderies to improve the productivity of both users and administrators.

How scaleable is the Windows NT Server 4.0 Directory Service?

Windows NT Server 4.0 Directory Service can manage up to 25,000 users in a single administrative unit called a domain, (or partition) or set up separate domains that can be managed independently by semi-autonomous business units. By combining domains, there is no practical limit to the number of users that can be managed. Directory Service in Windows NT 5.0, called Active Directory, can scale up to millions of users (10 million total objects) in a single domain, and even larger numbers in a domain tree.

** This sure sounds like SAM to me!

************************************************************************

3. You are having trouble with NT and MS help desk wants a dump file. Where do you set it up to get this file?

Don't fall for the Dr. Watson choice. It is only a crash error for an application, and you aren't having specific application problems, just system problems. Go to My Computer and select startup/shutdown, and select the stop events to be written to the memory dump file in %systemroot%/memory.dmp file.

4. Which of the following can be used to monitor system performance (check all that apply)

a. excel
b. response probe
c. network monitor
d. performance monitor

b,c,d are all correct

Nobody knows what response probe is, but I found it in the TechNet. It is a tool in the NT resource kit used to create "synthetic workloads" to provide a way to determine system limits under various stress conditions. Do a search on "response Probe" under support and look for the 3 tiered support structure article under system performance.

Here is a cut and paste of the article (see ****):

************************************************************************

3 tiered support

Data Logging Service and Workloads

To provide unattended logging of counters, the Data Logging Service is available on every server. Instructions for installing the Data Logging Service can be found in Appendix A.

The Windows NT Server network counters are logged for real workloads (end-users' network messaging demands) and synthetic ones (created for test purposes).

Synthetic workloads allow characterization of the system behavior under various stress conditions such as trying to determine the system's limits. *** The Response Probe utility in the Windows NT Resource Kit can generate certain types of synthetic workloads for Windows NT.

************************************************************************

5. They ask you to show how to recover in the event 2 disks fail in a stripe set. Notice it doesn't say "stripe set with parity" or "stripe set without parity". If they don't say, assume without. Because the answers are "recreate stripe set and restore from Backup" and "recreate stripe set with parity and restore from Backup". Which one do you choose? The correct answer is recreate stripe set and restore.

The next two questions seem straightforward, but they trick you. Please read the question carefully!!!!

6. If installing a BDC to a domain you are NOT connected to, stop what you are doing until you are connected to the domain. DO NOT install and promote.

7. If you are installing a member server to a domain you are NOT connected to, make it a workgroup member and when you get the connection, make it join the domain then.

8. There was a question about how would you configure the rights so that a person adding the computer could add it to any domain in the single master domain model. I wasn't sure and the question is hard to remember. The answers had to do with configuring the rights to add computers to the domains and creating a global group to do this.

Hope this helps!!

Bobman
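
The RAS settings argued over in question 1, as an added example that is not part of the original post: a small Python model built only from the TechNet excerpts quoted above, showing why neither "allow any authentication" nor Microsoft encryption with the data box unchecked guarantees data encryption. The client capability sets and all function names are assumptions made for illustration.

```python
# Added example: models the NT 4.0 RAS server settings from the quoted excerpts.
from dataclasses import dataclass

ANY = "Allow any authentication including clear text"
ENCRYPTED = "Require encrypted authentication"
MS_ENCRYPTED = "Require Microsoft encrypted authentication"

# Strongest first, following the excerpts: MS-CHAP, then DES, SPAP, PAP.
PREFERENCE = ["MS-CHAP", "DES", "SPAP", "PAP"]
ACCEPTED = {
    ANY: {"MS-CHAP", "DES", "SPAP", "PAP"},
    ENCRYPTED: {"MS-CHAP", "DES", "SPAP"},
    MS_ENCRYPTED: {"MS-CHAP"},
}

@dataclass(frozen=True)
class Session:
    auth: str                 # authentication method negotiated
    password_protected: bool  # False only for clear-text PAP
    data_encrypted: bool      # True only when RC4 data encryption is required

def negotiate(setting, client_methods, require_data_encryption=False):
    """Return the Session the server would accept, or None if it refuses."""
    if require_data_encryption and setting != MS_ENCRYPTED:
        raise ValueError('"Require data encryption" is only offered with ' + MS_ENCRYPTED)
    usable = [m for m in PREFERENCE if m in ACCEPTED[setting] and m in client_methods]
    if not usable:
        return None
    auth = usable[0]
    return Session(auth, auth != "PAP", require_data_encryption)

def meets_goal(session):
    """Exam goal from question 1: the data, not just the password, is encrypted."""
    return session is not None and session.data_encrypted

# Constructed client capability sets (assumptions for illustration).
NT4_CLIENT = {"MS-CHAP", "DES"}
THIRD_PARTY_CLIENT = {"PAP"}

def audit():
    """Evaluate the three server configurations discussed in question 1."""
    return {
        "allow any": meets_goal(negotiate(ANY, NT4_CLIENT)),
        "MS encryption, box unchecked": meets_goal(negotiate(MS_ENCRYPTED, NT4_CLIENT)),
        "MS encryption + data encryption": meets_goal(negotiate(MS_ENCRYPTED, NT4_CLIENT, True)),
    }
```

Calling audit() reports the goal as met only for the last configuration; the first two protect the password but leave the session data unencrypted.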