Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000
The objectives for exam 70-292 spread it across a number of
different topics as it strives to combine several standalone
exams into one. This is an upgrade exam focused toward
candidates who are already MCSA/MCSE certified on Windows
2000. The objectives for it are:
Managing Users, Computers, and Groups
- Create and manage groups
  - Identify and modify the scope of a group
  - Find domain groups in which a user is a member
  - Manage group membership
  - Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in
  - Create and modify groups by using automation
- Create and manage user accounts
  - Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in
  - Create and modify user accounts by using automation
  - Import user accounts
- Troubleshoot user authentication issues
Managing and Maintaining Access to Resources
- Troubleshoot Terminal Services
  - Diagnose and resolve issues related to Terminal Services security
  - Diagnose and resolve issues related to client access to Terminal Services
Managing and Maintaining a Server Environment
- Manage software update infrastructure
- Manage servers remotely
  - Manage a server by using Remote Assistance
  - Manage a server by using Terminal Services remote administration mode
  - Manage a server by using available support tools
- Manage a Web server
  - Manage Internet Information Services (IIS)
  - Manage security for IIS
Managing and Implementing Disaster Recovery
- Perform system recovery for a server
  - Implement Automated System Recovery (ASR)
  - Restore data from shadow copy volumes
  - Back up files and System State data to media
  - Configure security for backup operations
Implementing, Managing, and Maintaining Name Resolution
- Install and configure the DNS Server service
  - Configure DNS server options
  - Configure DNS zone options
  - Configure DNS forwarding
- Manage DNS
  - Manage DNS zone settings
  - Manage DNS record settings
  - Manage DNS server options
Implementing, Managing, and Maintaining Network Security
- Implement secure network administration procedures
  - Implement security baseline settings and audit security settings by using security templates
  - Implement the principle of least privilege
- Install and configure software update infrastructure
  - Install and configure software update services
  - Install and configure automatic client update settings
  - Configure software updates on earlier operating systems
Users, Computers and Groups:
Profiles - can exist for users and hardware. While
every user should have their own profile, under most
circumstances, most desktop computers should have only one
hardware profile since the hardware connected to it will not
deviate greatly. The hardware connected to a laptop/mobile
computer CAN deviate from day to day - based on where it is
being used - and multiple hardware profiles should be
considered. If there are multiple hardware profiles on the
system, a menu of choices will appear during the boot process.
A "roaming profile" allows a user to have the same desktop regardless of the machine he/she uses. A roaming profile can be created from the Active Directory Users and Computers console by a member of the Account Operators group, Domain Admins group, or Enterprise Admins group. A "mandatory profile" is a variation on the roaming theme in which the user cannot make any permanent changes to their settings. To create a mandatory profile, the profile file itself is renamed from NTUSER.DAT to NTUSER.MAN.
It is highly recommended to put users into groups and give permissions to the groups. In Windows Server 2003, the following types of groups exist:
- Machine local
- Domain local
- Global
- Universal
- Builtin - these are Domain local groups that exist for compatibility with Windows NT.
By default, the following groups are found on all Windows Server 2003 systems: Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Print Operators, Remote Desktop Users, Replicator, and Users. These built-in users and groups cannot be deleted.
By default, the Everyone group is given read permission
when a file is shared. This differs from earlier operating
systems in which Everyone was assigned full control
permissions on all new shares.
Distribution groups are used for nonsecurity-related
purposes. Security groups are used to assign permissions to a
grouping of users for accessing one or more objects.
Account Policies are set at the domain level. The Account Lockout Policy determines how many unsuccessful attempts are allowed before an account is locked out and how long it will remain locked out. There are three settings that can be configured:
- Lockout count - how many invalid attempts are allowed before locking
- Lockout reset time - the amount of time that is allowed between invalid attempts
- Lockout duration - how long the account is locked for
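As an added illustration (not part of the original text), the following Python model shows how the three settings interact: failures are only counted while they fall inside the reset window, reaching the count locks the account, and the duration decides when it unlocks on its own. The policy values and logon timeline are constructed; the model also follows the Windows conventions that a count of 0 never locks and a duration of 0 keeps the account locked until an administrator unlocks it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LockoutPolicy:
    threshold: int          # lockout count: failures allowed before locking (0 = never lock)
    reset_seconds: int      # lockout reset time: a failure older than this no longer counts
    duration_seconds: int   # lockout duration (0 = locked until an administrator unlocks)

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[float] = None
    locked_until: Optional[float] = None   # float("inf") when duration is 0

def attempt_logon(policy: LockoutPolicy, state: AccountState, now: float, password_ok: bool) -> str:
    """Apply one logon attempt at time `now`; returns 'ok', 'denied' or 'locked'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"               # duration not over: refused even with a good password
        state.locked_until = None         # duration elapsed: automatic unlock, counter cleared
        state.bad_count = 0
        state.last_bad = None
    if state.last_bad is not None and now - state.last_bad >= policy.reset_seconds:
        state.bad_count = 0               # reset time passed since the last failure
    if password_ok:
        state.bad_count = 0
        state.last_bad = None
        return "ok"
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = now + policy.duration_seconds if policy.duration_seconds else float("inf")
        return "locked"
    return "denied"

def simulate(policy: LockoutPolicy, attempts: List[Tuple[float, bool]]) -> List[str]:
    """Run a constructed timeline of (seconds, password_ok) against a fresh account."""
    state = AccountState()
    return [attempt_logon(policy, state, t, ok) for t, ok in attempts]

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, reset_seconds=60, duration_seconds=120)
    print(simulate(policy, [(0, False), (10, False), (20, False), (30, True), (150, True)]))
```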
RSoP (Resultant Set of Policy) is a new tool included with Windows Server 2003 that shows how permissions and policies overlap. It takes inheritance and other factors into account and shows the resulting policy that applies to a user or computer in an Active Directory tree. Gpresult is a command-line utility that can perform the same function as RSoP.
Terminal Services:
Terminal Services has changed terminology.
- What was known as Remote Administration Mode in Windows 2000 is now known as Remote Desktop - it allows remote administration of the server from a remote PC. Two-node concurrent access does not require additional licensing.
- What was known as Application Server mode in Windows 2000 is now just called Terminal Services - clients connect to the server to run applications that are installed on the server. All processing is done on the server and only screen output is passed to the client. This ensures that all clients are using the same versions of software. It also makes for easier upgrades, as you only need to upgrade the software on the server. Older systems that couldn't support modern applications will be able to use them, as they don't have to do any of the processing. True implementation requires either Enterprise edition or Datacenter edition.
Terminal Services utilizes RDP (Remote Desktop Protocol)
for communication between the client and the server. The new
built-in group Remote Desktop Users has only User Access and
Guest Access permissions by default, in order to increase
security. RDP uses TCP port 3389 and this port - or one that
you change the service to use - must be allowed through the
firewall in order for Terminal Services to be able to
function.
Remote Assistance is a feature that first became
available with Windows XP and is now also available in Windows
Server 2003. A user at a Windows XP desktop must invite an
administrator or other user to connect to their console before
control can be taken. The "invitation" is actually a digitally
signed file.
Server Environment:
The Software Update Service (SUS) is used for centralized
distribution of hotfixes and security updates. Using SUS, a
client updates its software from a server within the internal
network instead of needing to access Microsoft to accomplish
this. This allows administrators to update clients that do not
access the Internet, as well as evaluate and test each update
before making it generally available. Group Policies can be
used to target update servers.
Disaster Recovery:
The four tabs of the Windows Server 2003 Backup Utility
are:
1. Welcome
2. Backup
3. Restore and Manage Media
4. Schedule Jobs
An incremental backup includes all files that have the archive bit on, and then turns that bit off. A normal/full backup gets all files, regardless of the status of the archive bit, and then turns the bit off (if it was on). A differential backup gets all files with the archive bit on, and then leaves it on. A daily backup covers only that day's files (as the name implies). A copy backup backs up files and leaves the archive bit on.
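An added worked example (not from the original text) modelling the archive-bit rules above for all five job types, with a constructed week that shows why an incremental strategy needs every set since the last normal backup while a differential strategy needs only the latest one. File names and the editing timeline are constructed; the archive bit is modelled as a boolean that any write sets.

```python
# Files are modelled as {name: archive_bit}; Windows sets the bit on every write.

def run_backup(kind, files, modified_today=()):
    """Copy files according to `kind`, updating archive bits in `files` in place.
    Returns the set of file names the job would write to media."""
    if kind == "normal":            # everything, then clear the bit
        selected = set(files)
        for f in selected:
            files[f] = False
    elif kind == "incremental":     # only files with the bit on, then clear it
        selected = {f for f, bit in files.items() if bit}
        for f in selected:
            files[f] = False
    elif kind == "differential":    # only files with the bit on, bit left on
        selected = {f for f, bit in files.items() if bit}
    elif kind == "copy":            # everything, bits untouched
        selected = set(files)
    elif kind == "daily":           # only today's files, bits untouched
        selected = set(modified_today)
    else:
        raise ValueError(f"unknown backup type: {kind}")
    return selected

def modify(files, *names):
    """Simulate editing files: each write turns the archive bit on."""
    for name in names:
        files[name] = True

def week_scenario(follow_up_kind):
    """Normal backup on day 1, then two `follow_up_kind` jobs with edits in between.
    Returns the history as [(kind, files_copied), ...] (constructed data)."""
    files = {"payroll.xls": True, "memo.doc": True, "ntuser.dat": True}
    history = [("normal", run_backup("normal", files))]
    modify(files, "payroll.xls")
    history.append((follow_up_kind, run_backup(follow_up_kind, files)))
    modify(files, "memo.doc")
    history.append((follow_up_kind, run_backup(follow_up_kind, files)))
    return history

def restore_set(history):
    """Indexes of the sets needed to rebuild the latest state, assuming a single
    follow-up kind after the last normal backup: normal + every incremental,
    or normal + only the most recent differential."""
    last_normal = max(i for i, (k, _) in enumerate(history) if k == "normal")
    incs = [i for i, (k, _) in enumerate(history) if i > last_normal and k == "incremental"]
    diffs = [i for i, (k, _) in enumerate(history) if i > last_normal and k == "differential"]
    return [last_normal] + incs + diffs[-1:]
```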
A backup log can be configured from the options of the
Backup Utility. You can choose either "Detailed" or "Summary"
log files. A detailed file includes the name of every file
backed up, while a summary only offers a file count and
indicates any files that were skipped.
To start Windows Server 2003 in Safe mode, press F8 when
the Please Select The Operating System To Start message
appears. Safe mode enables you to start the system with a
minimal set of device drivers and services. Choices appearing
on the option menu are:
n Safe mode
n Safe mode with networking
n Safe mode with command prompt
n Enable boot logging (which sends the output to
ntbtlog.txt)
n Enable VGA mode
n Last Known Good configuration
n Debugging mode
n Directory Service Restore mode (on domain
controllers only)
Recovery Console - Windows Server 2003 has a
Recovery Console to help when you have trouble booting. The
Recovery Console is not installed by default. Install the
Recovery Console by booting from the Windows Server 2003 CD
and choosing Repair, or running winnt32.exe /cmdcons
from the I386 directory of the CD. This copies the files
locally and you will now see an option to enter the Recovery
Console at boot up.
The Recovery Console is limited to administrators, and you
must give the Administrator password when choosing it. This
utility will allow you to do such things as:
- Use, copy, rename or replace operating system files and folders.
- Enable or disable services or devices from starting when you next start your computer.
- Repair the file system boot sector or the Master Boot Record (MBR).
- Create and format partitions on drives.
Several utilities can be used to assist with system maintenance. These include:
- AUTOCHK - a version of CHKDSK that can run during startup
- Automatic System Recovery (ASR) - acts as an easier method of restoring after a failure by saving a catalog and configuration information on a floppy
- CHKDSK - looks for file system problems, such as corruption, and corrects them
- CHKNTFS - checks the NTFS file system
- Disk Cleanup - this rids a system of temporary files, Recycle Bin contents, and other old data
DNS:
DNS is a server service consisting of a hierarchical,
distributed database with built-in redundancy and caching
capabilities. DNS translates domain names into IP addresses.
When a DNS server cannot resolve a query, it moves (escalates)
it up to a root server that is authoritative for a zone. DNS
queries can be either recursive or iterative.
DNS is installed as a service within Windows Server 2003
through the use of wizards. If you have installed Active
Directory (via the Active Directory Installation Wizard) but
cannot find a DNS server, the ADI wizard will attempt to
install the DNS service for you. DNS management can be
performed with the DNS Manager snap-in.
DNS monitoring can be done with the Performance tool on
counters such as Caching Memory, IXFR Counters, TCP/IP, and
Zone Transfer. DNS uses resource records to perform
translations. Resource records are entries in the zone
database file; each resource record identifies a particular
resource within the database.
If necessary, you can manually add resource records into
DNS through the DNS snap-in.
Dynamic DNS (DDNS) is simply the marriage of DHCP and DNS. Whenever a client interacts with DHCP (new lease, renewal, etc.), the fully qualified domain name (FQDN) of the client is registered with DNS through the DHCP server. This registration can also be triggered manually with the REGISTERDNS switch of the IPCONFIG.EXE utility (ipconfig /registerdns).
DNS zone transfers can be all (AXFR), or incremental (IXFR).
The caching-only server does not have a copy of the zone table
and is used merely to speed up client queries by storing the
results of cached queries.
Round robin is a method of load-balancing DNS servers by
rotating type A resource records.
Configuring a zone for dynamic updates within the zone
properties dialog box (obtainable from the DNS Management
Console) allows DNS clients to update their resource records
dynamically with the server anytime a change occurs. This can
be enabled or disabled on a per-zone basis. With an Active
Directory Integrated zone, you can store DNS resource records
in AD naming contexts to simplify zone replication.
The DNS root name server of a domain is the name server
that is acting as the Start of Authority for that zone. The
first division of DNS is into domains. The InterNIC (Internet
Network Information Center) controls top-level domains (com,
edu, etc.). Stub zones contain SOA and NS records, as well as
A records for name servers.
A DNS client is any computer that can query a DNS
server (through a resolver). A resolver is the DNS
client program that is used to query DNS name information. A
DNS server is any computer running the DNS Server
service. DNS servers perform name-to-IP mapping and attempt to
resolve client queries.
FQDNs (fully qualified domain names) specify the host name,
the domain or subdomain to which the host belongs, and any
domains above that in the hierarchy until the root domain in
the organization is specified. The FQDN is read from left to
right, with each host name or domain name separated by a
period.
Local subnets are prioritized within DNS by default. This
is done so that the client finds a local resource first rather
than a remote resource.
Delegated zones require that all queries on the existing
domain go to one server for resolution. In all cases, the
delegated domain must be a sub-domain of the domain performing
the delegation. DNS zones are created with the New Zone Wizard
and can be used for forward-lookup or reverse-lookup.
With Windows Server 2003, dnsaddp.exe runs, whenever a
domain controller is started, to create DNS application
partitions. Also with Windows Server 2003, conditional
forwarding can be used to let the name server select a
forwarder based on a domain implied in a client query.
The primary troubleshooting tool for working with DNS is
NSLOOKUP, although IPCONFIG and Event Viewer also can be
helpful. In addition to the DNS Management Console GUI, you
can also manage DNS from the command-line with the DNSCMD
tool.
Security:
Event Viewer is the primary tool used for viewing log
files. In addition to the three log files that have always
existed (Application, System - which contains information
about services and drivers that fail to start - and
Security), there are now log files for: Directory Services,
File Replication Service, and DNS, if those services are in
use.
Windows Server 2003 includes GPUPDATE - a new
utility that replaces SECEDIT switches for group policy
updates. SECEDIT still exists in 2003, but it is now used only
for applying changes and reporting on them.
EFS file encryption now remains on files in offline
storage. EFS files can now also be shared across the network
and warnings are given when a user attempts to copy a file to
a device that will not protect the file. The CIPHER utility is
used to interact with encrypted files from the command-line.
Common TCP ports to allow/deny include:
- FTP (data)
- FTP (session)
- Telnet
- SMTP
- HTTP
- POP3
- IMAP
TCP/IP packet filters can be used to prevent types of
packets from reaching your network server. These are
configured through the Advanced button on the TCP/IP protocol
properties. Filters can be set for TCP, UDP, or IP protocol
numbers, and can be universal (for all adapters) or
individual. The filter can accept, deny, or accept within
specified conditions (always respond using IPSec, use Perfect
Forward Secrecy, etc.).
IPSec is used to negotiate the secure connection utilizing
DES (Data Encryption Standard/ 56-bit), and 3DES (Triple DES).
IPSec is used to secure packets between two hosts and cannot
be used locally, whereas EFS is used locally and does not
encrypt data on a network.
Only one IPSec policy can be in use at a time. All policy
settings can be made using wizards. IPSECMON.EXE can be used
to monitor and troubleshoot operations.
The IP Security Policy Management MMC console is used to
manage IPSec. To create a new policy, right-click the IP
Security Policies folder for the popup menu that contains the
New IP Security Policy option.
Public Key Encryption uses a two-key method to encrypt data. The Public Key is given out to any user who wishes to communicate with the key's owner. The Private Key is kept for decrypting what was encrypted with the public key.
Public Key Encryption uses the same two-key method for authentication. This is also known as digital signatures. Digital signatures are very common when visiting websites. The purpose of a digital signature is to guarantee that data is from the user it is supposed to be from, and that it has not been altered. Signing uses encryption as its main tool but also adds origin and authenticity information.
For signing, the roles of the keys are reversed: the Private Key is used to encrypt (sign) the data to be sent, and the Public Key is sent out so that a recipient can authenticate the sender.
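An added example (not from the original text) making the reversed key roles concrete: the sender "encrypts" a hash of the message with the private key, and anyone holding the public key can "decrypt" it and compare hashes, which fails if the message was altered. The key pair is constructed from two small Mersenne primes as textbook RSA without padding, purely so the arithmetic is visible; it assumes Python 3.8+ for the modular inverse.

```python
import hashlib

# Constructed toy key pair (textbook RSA, no padding, far too small for real use).
P, Q = (1 << 31) - 1, (1 << 61) - 1       # both Mersenne primes
N = P * Q
E = 65537                                 # public exponent (coprime with (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, Python 3.8+ modular inverse
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def digest(data: bytes, n: int) -> int:
    """Hash the message and reduce it below the modulus so it is a valid RSA input."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    """Sender: 'encrypt' the message digest with the private key."""
    n, d = private_key
    return pow(digest(data, n), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Recipient: 'decrypt' the signature with the public key and compare digests.
    True means the data came from the private-key holder and was not altered."""
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)

if __name__ == "__main__":
    msg = b"Invoice 42: pay 100 USD"                      # constructed sample message
    sig = sign(PRIVATE_KEY, msg)
    print(verify(PUBLIC_KEY, msg, sig))                   # True: origin and integrity hold
    print(verify(PUBLIC_KEY, b"Invoice 42: pay 900 USD", sig))  # False: altered in transit
```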
Within PKI are the following elements: certificate
authorities, which issue and revoke certificates, and
certificate publishers, which make what the CA has issued
available.