Managing and Maintaining a Microsoft Windows
Server 2003 Environment for an MCSA Certified on Windows 2000
The objectives for exam 70-292 spread it across a number of
different topics as it strives to combine several standalone
exams into one. This is an upgrade exam focused toward
candidates who are already MCSA/MCSE certified on Windows
2000. The objectives for it are:
Managing Users, Computers, and Groups
n Create and manage groups
o Identify and modify the scope of a group
o Find domain groups in which a user is a member
o Manage group membership
o Create and modify groups by using the Active
Directory Users and Computers Microsoft Management Console (MMC)
o Create and modify groups by using automation
n Create and manage user accounts
o Create and modify user accounts by using the Active
Directory Users and Computers MMC snap-in
o Create and modify user accounts by using automation
o Import user accounts
n Troubleshoot user authentication issues
Managing and Maintaining Access to Resources
n Troubleshoot Terminal Services
o Diagnose and resolve issues related to Terminal
o Diagnose and resolve issues related to client
access to Terminal Services
Managing and Maintaining a Server Environment
n Manage software update infrastructure
n Manage servers remotely
o Manage a server by using Remote Assistance
o Manage a server by using Terminal Services remote
o Manage a server by using available support tools
n Manage a Web server
o Manage Internet Information Services (IIS)
o Manage security for IIS
Managing and Implementing Disaster Recovery
n Perform system recovery for a server
o Implement Automated System Recovery (ASR)
o Restore data from shadow copy volumes
o Back up files and System State data to media
o Configure security for backup operations
Implementing, Managing, and Maintaining Name Resolution
n Install and configure the DNS Server service
o Configure DNS server options
o Configure DNS zone options
o Configure DNS forwarding
n Manage DNS
o Manage DNS zone settings
o Manage DNS record settings
o Manage DNS server options
Implementing, Managing, and Maintaining Network
n Implement secure network administration procedures
o Implement security baseline settings and audit
security settings by using security templates
o Implement the principle of least privilege
n Install and configure software update
o Install and configure software update services
o Install and configure automatic client update
o Configure software updates on earlier operating
Users, Computers and Groups:
Profiles - can exist for users and hardware. While
every user should have their own profile, under most
circumstances, most desktop computers should have only one
hardware profile since the hardware connected to it will not
deviate greatly. The hardware connected to a laptop/mobile
computer CAN deviate from day to day - based on where it is
being used - and multiple hardware profiles should be
considered. If there are multiple hardware profiles on the
system, a menu of choices will appear during the boot process.
A "roaming profile" allows a user to have the same desktop
regardless of the machine he/she uses. A roaming profile can
be created from the Active Directory Users and Computers
console by a member of the Account Operators group, Domain Admins group, or Enterprise Admins group. A
profile" is a deviation on the roaming theme in which the user
cannot make any permanent changes to their settings. To create
a mandatory profile, the actual file's name is changed from NTUSER.DAT to NTUSER.MAN.
It is highly recommended to put users into groups and give
permissions to the groups. In Windows Server 2003, the
following types of groups exist:
n Machine local
n Domain local
- these are Domain local groups that
exists for compatibility with Windows NT. Be default, the
following groups are found on all Windows Server 2003 systems:
Administrators, Backup Operators, Guests, Network
Configuration Operators, Power Users, Print Operators, Remote
Desktop Users, Replicator, and Users. These built-in users and
groups cannot be deleted.
By default, the Everyone group is given read permission
when a file is shared. This differs from earlier operating
systems in which Everyone was assigned full control
permissions on all new shares.
Distribution groups are used for nonsecurity-related
purposes. Security groups are used to assign permissions to a
grouping of users for accessing one or more objects.
Account Policies are set at the domain level. The
Account Lockout Policy determines how many unsuccessful
attempts are allowed before an account is locked out and how
long it will remain locked out. There are three settings that
can be configured:
Lockout count - how many invalid attempts are
allowed before locking
Lockout reset time
- the amount of time that is
allowed between invalid attempts
- how long the account is locked
RSoP (Resultant Set of Policy) is a new tool included with
Windows Server 2003 that shows how permissions and policies
overlap. It factors in inheritance and other factors and shows
what the resulting policy will be that applies to the user or
computer in an Active Directory tree. Gpresult is a
command-line utility that can perform the same function as
Terminal Services has changed terminology.
- What was known
as Remote Administration Mode in Windows 2000 is now known
as Remote Desktop - it allows remote administration of
the server from a remote PC. Two-node concurrent access
does not require additional licensing.
- What was known
as Application Server mode in Windows 2000 is now just
called Terminal Services - Clients connect to the server
to run applications that are installed on the server. All
processing is done on the server and only screen shots are
passed to the client. This ensures that all clients are
using the same versions of software. It also makes for
easier upgrades as you only need to upgrade the software on
the server. Older systems that couldn't support modern
applications will be able to use them as they don't have to
do any of the processing. True implementation requires
either Enterprise edition or Datacenter edition.
Terminal Services utilizes RDP (Remote Desktop Protocol)
for communication between the client and the server. The new
built-in group Remote Desktop Users has only User Access and
Guest Access permissions by default, in order to increase
security. RDP uses TCP port 3389 and this port - or one that
you change the service to use - must be allowed through the
firewall in order for Terminal Services to be able to
Remote Assistance is a feature that first became
available with Windows XP and is now also available in Windows
Server 2003. A user at a Windows XP desktop must invite an
administrator or other user to connect to their console before
control can be taken. The "invitation" is actually a digitally
The Software Update Service (SUS) is used for centralized
distribution of hotfixes and security updates. Using SUS, a
client updates its software from a server within the internal
network instead of needing to access Microsoft to accomplish
this. This allows administrators to update clients that do not
access the Internet, as well as evaluate and test each update
before making it generally available. Group Policies can be
used to target update servers.
The four tabs of the Windows Server 2003 Backup Utility
3. Restore and Manage Media
4. Schedule Jobs
An incremental backup includes up all files that
have the archive bit on, and then turns that bit off. A
normal/full backup gets all files, regardless of the
status of the archive bit, and then turns the bit off (if it
was on). A differential backup gets all files with the
archive bit on, and then leaves it on. A daily backup
is valid only for the day (as the name implies). A copy
backup backs up files and leaves the archive bit on.
A backup log can be configured from the options of the
Backup Utility. You can choose either "Detailed" or "Summary"
log files. A detailed file includes the name of every file
backed up, while a summary only offers a file count and
indicates any files that were skipped.
To start Windows Server 2003 in Safe mode, press F8 when
the Please Select The Operating System To Start message
appears. Safe mode enables you to start the system with a
minimal set of device drivers and services. Choices appearing
on the option menu are:
n Safe mode
n Safe mode with networking
n Safe mode with command prompt
n Enable boot logging (which sends the output to
n Enable VGA mode
n Last Known Good configuration
n Debugging mode
n Directory Service Restore mode (on domain
Recovery Console - Windows Server 2003 has a
Recovery Console to help when you have trouble booting. The
Recovery Console is not installed by default. Install the
Recovery Console by booting from the Windows Server 2003 CD
and choosing Repair, or running winnt32.exe /cmdcons
from the I386 directory of the CD. This copies the files
locally and you will now see an option to enter the Recovery
Console at boot up.
The Recovery Console is limited to administrators, and you
must give the Administrator password when choosing it. This
utility will allow you to do such things as:
- Use, copy, rename
or replace operating system files and folders.
- Enable or disable
services or devices from starting when you next start your
- Repair the file
system boot sector or the Master Boot Record (MBR).
- Create and format partitions on
Several utilities can be used to assist with system
maintenance. These include:
AUTOCHK - a version of CHKDSK that can run during
Automatic System Recovery (ASR)
- acts as an easier
method of restoring after a failure by saving a catalog and
configuration information on a floppy
CHKDSK - looks for file system problems, such as
corruption, and corrects them
CHKNTFS - checks the NTFS file system
Disk Cleanup - this rids a system of temporary
files, Recycle Bin contents, and other old data
DNS is a server service consisting of a hierarchical,
distributed database with built-in redundancy and caching
capabilities. DNS translates domain names into IP addresses.
When a DNS server cannot resolve a query, it moves (escalates)
it up to a root server that is authoritative for a zone. DNS
queries can be either recursive or iterative.
DNS is installed as a service within Windows Server 2003
through the use of wizards. If you have installed Active
Directory (via the Active Directory Installation Wizard) but
cannot find a DNS server, the ADI wizard will attempt to
install the DNS service for you. DNS management can be
performed with the DNS Manager snap-in.
DNS monitoring can be done with the Performance tool on
counters such as Caching Memory, IXFR Counters, TCP/IP, and
Zone Transfer. DNS uses resource records to perform
translations. Resource records are entries in the zone
database file; each resource record identifies a particular
resource within the database.
If necessary, you can manually add resource records into
DNS through the DNS snap-in.
Dynamic DNS (DDNS) is simply the marriage of DHCP and DNS.
Whenever a client interacts with DHCP (new lease, renewal,
etc.), the fully qualified domain name (FQDN) of the client is
registered with DNS through the DHCP server. This registration
can be done manually using the REGISTERDNS parameter with the
DNS zone transfers can be all (AXFR), or incremental (IXFR).
The caching-only server does not have a copy of the zone table
and is used merely to speed up client queries by storing the
results of cached queries.
Round robin is a method of load-balancing DNS servers by
rotating type A resource records.
Configuring a zone for dynamic updates within the zone
properties dialog box (obtainable from the DNS Management
Console) allows DNS clients to update their resource records
dynamically with the server anytime a change occurs. This can
be enabled or disabled on a per-zone basis. With an Active
Directory Integrated zone, you can store DNS resource records
in AD naming contexts to simplify zone replication.
The DNS root name server of a domain is the name server
that is acting as the Start of Authority for that zone. The
first division of DNS is into domains. The InterNIC (Internet
Network Information Center) controls top-level domains (com,
edu, etc.). Stub zones contain SOA and NS records, as well as
A records for name servers.
A DNS client is any computer that can query a DNS
server (through a resolver). A resolver is the DNS
client program that is used to query DNS name information. A
DNS server is any computer running the DNS Server
service. DNS servers perform name-to-IP mapping and attempt to
resolve client queries.
FQDNs (fully qualified domain names) specify the host name,
the domain or subdomain to which the host belongs, and any
domains above that in the hierarchy until the root domain in
the organization is specified. The FQDN is read from left to
right, with each host name or domain name separated by a
Local subnets are prioritized within DNS by default. This
is done so that the client finds a local resource first rather
than a remote resource.
Delegated zones require that all queries on the existing
domain go to one server for resolution. In all cases, the
delegated domain must be a sub-domain of the domain performing
the delegation. DNS zones are created with the New Zone Wizard
and can be used for forward-lookup or reverse-lookup.
With Windows Server 2003, dnsaddp.exe runs, whenever a
domain controller is started, to create DNS application
partitions. Also with Windows Server 2003, conditional
forwarding can be used to let the name server select a
forwarder based on a domain implied in a client query.
The primary troubleshooting tool for working with DNS is
NSLOOKUP, although IPCONFIG and Event Viewer also can be
helpful. In addition to the DNS Management Console GUI, you
can also manage DNS from the command-line with the DNSCMD
Event Viewer is the primary tool used for viewing log
files. In addition to the three log files that have always
existed (Application, System - which contains information
about services and drivers that fail to start - and
Security), there are now log files for: Directory Services,
File Replication Service, and DNS, if those services are in
Windows Server 2003 includes GPUPDATE - a new
utility that replaces SECEDIT switches for group policy
updates. SECEDIT still exists in 2003, but it is now used only
for applying changes and reporting on them.
EFS file encryption now remains on files in offline
storage. EFS files can now also be shared across the network
and warnings are given when a user attempts to copy a file to
a device that will not protect the file. The CIPHER utility is
used to interact with encrypted files from the command-line.
Common TCP ports to allow/deny include:
TCP/IP packet filters can be used to prevent types of
packets from reaching your network server. These are
configured through the Advanced button on the TCP/IP protocol
properties. Filters can be set for TCP, UDP, or IP protocol
numbers, and can be universal (for all adapters) or
individual. The filter can accept, deny, or accept within
specified conditions (always respond using IPSec, use Perfect
Forward Secrecy, etc.).
IPSec is used to negotiate the secure connection utilizing
DES (Data Encryption Standard/ 56-bit), and 3DES (Triple DES).
IPSec is used to secure packets between two hosts and cannot
be used locally, whereas EFS is used locally and does not
encrypt data on a network.
Only one IPSec policy can be in use at a time. All policy
settings can be made using wizards. IPSECMON.EXE can be used
to monitor and troubleshoot operations.
The IP Security Policy Management MMC console is used to
manage IPSec. To create a new policy, right-click the IP
Security Policies folder for the popup menu that contains the
New IP Security Policy option.
Public Key Encryption uses a 2 key method to encrypt data.
The Public Key is given out to any user wishing to communicate
with. The Private Key is kept for decoding the public key
Public Key Encryption uses the same two-key method for
authentication. This is also known as digital signatures.
Digital signatures are very common when visiting websites. The
purpose of a digital signature is to guarantee that data is
from the user it is supposed to be from, and that it has not
been altered. Signing uses encryption as its main tool but
also adds origin and authenticity information as well.
The Public Key is sent out to a user to authenticate the
sender. The Private key is used to encrypt data to be sent.
Within PKI are the following elements: certificate
authorities, which issue and revoke certificates, and
certificate publishers, which make what the CA has issued