Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
The objectives for exam 70-293 focus more on the theoretical aspects of the network services available within Windows Server 2003, and on security, than those of any other exam in the new track. The objectives for it are:
Planning and Implementing Server Roles and Server Security
- Configure security for servers that are assigned specific roles.
- Plan a secure baseline installation.
  - Plan a strategy to enforce system default security settings on new systems.
  - Identify client operating system default security settings.
  - Identify all server operating system default security settings.
- Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.
  - Deploy the security configuration for servers that are assigned specific roles.
  - Create custom security templates based on server roles.
- Evaluate and select the operating system to install on computers in an enterprise.
  - Identify the minimum configuration to satisfy security requirements.
Planning, Implementing, and Maintaining a Network Infrastructure
- Plan a TCP/IP network infrastructure strategy.
  - Analyze IP addressing requirements.
  - Plan an IP routing solution.
  - Create an IP subnet scheme.
- Plan and modify a network topology.
  - Plan the physical placement of network resources.
  - Identify network protocols to be used.
- Plan an Internet connectivity strategy.
- Plan network traffic monitoring. Tools might include Network Monitor and System Monitor.
- Troubleshoot connectivity to the Internet.
  - Diagnose and resolve issues related to Network Address Translation (NAT).
  - Diagnose and resolve issues related to name resolution cache information.
  - Diagnose and resolve issues related to client configuration.
- Troubleshoot TCP/IP addressing.
  - Diagnose and resolve issues related to client computer configuration.
  - Diagnose and resolve issues related to DHCP server address assignment.
- Plan a host name resolution strategy.
  - Plan a DNS namespace design.
  - Plan zone replication requirements.
  - Plan a forwarding configuration.
  - Plan for DNS security.
  - Examine the interoperability of DNS with third-party DNS solutions.
- Plan a NetBIOS name resolution strategy.
  - Plan a WINS replication strategy.
  - Plan NetBIOS name resolution by using the Lmhosts file.
- Troubleshoot host name resolution.
  - Diagnose and resolve issues related to DNS services.
  - Diagnose and resolve issues related to client computer configuration.
Planning, Implementing, and Maintaining Routing and Remote Access
- Plan a routing strategy.
  - Identify routing protocols to use in a specified environment.
  - Plan routing for IP multicast traffic.
- Plan security for remote access users.
  - Plan remote access policies.
  - Analyze protocol security requirements.
  - Plan authentication methods for remote access clients.
- Implement secure access between private networks.
  - Create and implement an IPSec policy.
- Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor.
Planning, Implementing, and Maintaining Server Availability
- Plan services for high availability.
  - Plan a high availability solution that uses clustering services.
  - Plan a high availability solution that uses Network Load Balancing.
- Identify system bottlenecks, including memory, processor, disk, and network related bottlenecks.
  - Identify system bottlenecks by using System Monitor.
- Implement a cluster server.
  - Recover from cluster node failure.
- Manage Network Load Balancing. Tools might include the Network Load Balancing Monitor Microsoft Management Console (MMC) snap-in and the WLBS cluster control utility.
- Plan a backup and recovery strategy.
  - Identify appropriate backup types. Methods include full, incremental, and differential.
  - Plan a backup strategy that uses volume shadow copy.
  - Plan system recovery that uses Automated System Recovery (ASR).
Planning and Maintaining Network Security
- Configure network protocol security.
  - Configure protocol security in a heterogeneous client computer environment.
  - Configure protocol security by using IPSec policies.
- Configure security for data transmission.
  - Configure IPSec policy settings.
- Plan for network protocol security.
  - Specify the required ports and protocols for specified services.
  - Plan an IPSec policy for secure network communications.
- Plan secure network administration methods.
  - Create a plan to offer Remote Assistance to client computers.
  - Plan for remote administration by using Terminal Services.
- Plan security for wireless networks.
- Plan security for data transmission.
  - Secure data transmission between client computers to meet security requirements.
  - Secure data transmission by using IPSec.
- Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in.
Planning, Implementing, and Maintaining Security Infrastructure
- Configure Active Directory directory service for certificate publication.
- Plan a public key infrastructure (PKI) that uses Certificate Services.
  - Identify the appropriate type of certificate authority to support certificate issuance requirements.
  - Plan the enrollment and distribution of certificates.
  - Plan for the use of smart cards for authentication.
- Plan a framework for planning and implementing security.
  - Plan for security monitoring.
  - Plan a change and configuration management framework for security.
- Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.
Server Roles:
There are four different versions of Windows Server 2003
available:
1. Web Edition - supports one or two processors
2. Standard Edition - supports two processors
3. Enterprise Edition - supports up to 8 processors
4. Datacenter Edition - supports up to 32 processors
Each of these operating systems must be “activated” (with
the exception of volume license versions) in order to be
usable. This is intended to provide copy protection and
prevent piracy. Aside from the different versions, there are a
number of different roles that a server may play as well. The
“role” of the server is to offer a service (one or more) to
the network.
The role can be Active Directory related (Domain
controllers) or purely service-oriented. Within those that are
Active Directory related, there are five FSMOs (Flexible
Single Master Operations) roles:
1. PDC (Primary Domain Controller) emulator - used for backward compatibility
2. RID (Relative ID) Master - holds the pool of ID numbers to be used
3. Infrastructure Master - handles updates and name changes
4. Domain Naming Master - by default the first domain controller in a forest
5. Schema Master - oversees all schema operations
The domain controller performing one of these roles is known as the role master. Microsoft recommends that the PDC emulator and RID master be kept on the same domain controller, and that the Domain Naming Master be placed on a Global Catalog server.
Server Security:
Event Viewer is the primary tool used for viewing log files. In addition to the three log files that have always existed (Application; System, which contains information about services and drivers that fail to start; and Security), there are now log files for Directory Services, File Replication Service, and DNS, if those services are in use.
It is highly recommended to put users into groups and give permissions to the groups. In Windows Server 2003, the following types of groups exist:
- Machine local
- Domain local
- Global
- Universal
- Builtin - these are Domain local groups that exist for compatibility with Windows NT. By default, the following groups are found on all Windows Server 2003 systems: Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Print Operators, Remote Desktop Users, Replicator, and Users. These built-in users and groups cannot be deleted.
Windows Server 2003 includes GPUPDATE - a new
utility that replaces SECEDIT switches for group policy
updates. SECEDIT still exists in 2003, but it is now used only
for applying changes and reporting on them.
Network Infrastructure:
NAT interfaces define connection properties for network
address translation. They define what constitutes the internal
network and what constitutes the external network. NAT
translates between two different networks, allowing you to
have a private scope internally and still communicate with the
Internet. Windows Server 2003 includes the following NAT
editors: FTP, ICMP, and PPTP.
Internet Connection Sharing (ICS) is a service that allows
you to provide automated demand-dial capabilities on a small
network, such as a home office. This can be used for any
number of processes, including DNS Proxy, DHCP, and NAT.
System Monitor is an ActiveX tool that can graphically display various real-time performance statistics. Within it, the workstation is divided into a number of different objects, and each object is divided into one or more counters. System Monitor appears in the Performance tool (Start - Programs - Administrative Tools - Performance) and is the primary performance tool for the system. Performance Logs and Alerts enables you to record data to create a baseline and compare against it later (to get a long-term look at how the system is operating), or to send administrative alerts when thresholds are reached.
Optimal performance from a system is what you are always
striving for. Optimal performance is attained when a system is
running (processing, responding, and so on) as fast as it
possibly can, given the resources available to it.
TCP/IP:
TCP/IP addresses can be assigned manually to each host, or leased to them through the use of a DHCP server. The addresses must be unique within the realm in which the host communicates. If the host only communicates locally, then the address need only be unique locally; if it communicates directly across the Internet, then the address must be unique within the world.
The first octet identifies the class of network, with the following being valid entries:
First octet | Class
1 - 126 | Class A
128 - 191 | Class B
192 - 223 | Class C
224 - 239 | Class D (multicast)
Addresses cannot consist of all zeros, or all ones, and the
entire 127 domain is reserved because 127.0.0.1 is set aside
as the “loopback” address.
To configure TCP/IP on a host, you need only three values: the IP address, the subnet mask, and the default gateway. The default gateway is the IP address of the router to which all data not intended for this network should be sent.
A subnet mask divides the total number of hosts available
for one network into a smaller number available for a number
of networks. The subnet mask value is based upon the class of
network you have. Default values by class, and the maximum number of hosts, are:
Class | Default Subnet Mask | Total number of Hosts for Network
A | 255.0.0.0 | > 16 million
B | 255.255.0.0 | > 65,000
C | 255.255.255.0 | 254
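A worked calculator for the two tables above, added here as an example (it is not part of the original cram sheet): it classifies an address, derives the classful default mask and usable host count, and borrows host bits to build a subnet scheme with at least the number of subnets requested. The sample addresses and the /30 ceiling are assumptions made for the example.

```python
import ipaddress

# Constructed lookup tables matching the class and default-mask tables above.
# Class D is multicast and has no default mask; 127.x.x.x is the loopback range.
CLASS_RANGES = {"A": (1, 126), "B": (128, 191), "C": (192, 223), "D": (224, 239)}
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip_text):
    """Return the class letter for an IPv4 address, or None if it is not usable.

    Rejects the loopback network (127/8), the all-zeros and all-ones addresses,
    and first octets outside the ranges listed in the guide.
    """
    ip = ipaddress.IPv4Address(ip_text)
    if ip in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")):
        return None
    first = int(ip) >> 24
    if first == 127:
        return None
    for cls, (low, high) in CLASS_RANGES.items():
        if low <= first <= high:
            return cls
    return None


def default_network(ip_text):
    """Classful network of an address (classes A-C), e.g. '10.1.2.3' -> 10.0.0.0/8."""
    cls = address_class(ip_text)
    if cls not in DEFAULT_MASKS:
        raise ValueError(f"{ip_text} has no classful default mask")
    return ipaddress.IPv4Network(f"{ip_text}/{DEFAULT_MASKS[cls]}", strict=False)


def usable_hosts(network):
    """Host addresses in a (sub)net, excluding the all-zeros and all-ones addresses."""
    return network.num_addresses - 2


def subnet_scheme(ip_text, subnets_needed):
    """Split the classful network of ip_text into at least subnets_needed subnets.

    Borrows the minimum number of host bits (the usual way to work the 'create an
    IP subnet scheme' objective) and returns the new mask, how many subnets it
    yields, the usable hosts in each, and the first two subnets as a sanity check.
    """
    base = default_network(ip_text)
    borrow = 0
    while 2 ** borrow < subnets_needed:
        borrow += 1
    new_prefix = base.prefixlen + borrow
    if new_prefix > 30:  # assumption: fewer than 2 usable hosts per subnet is pointless
        raise ValueError("not enough host bits to create that many subnets")
    subnets = list(base.subnets(new_prefix=new_prefix))
    return {
        "mask": str(subnets[0].netmask),
        "subnets": len(subnets),
        "hosts_per_subnet": usable_hosts(subnets[0]),
        "first_two": [str(s) for s in subnets[:2]],
    }
```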
DHCP (Dynamic Host Configuration Protocol) allows you to
dynamically distribute IP addresses and all associated
configuration data through an open standard. DHCP clients are
given leases to define the amount of time their address
information is valid. Every client automatically attempts to
extend the lease when half the time of the lease has expired.
If it fails, it keeps trying for the duration of the lease.
DHCP does not only issue addresses from the address
pool/scope, but also issues lease information and other IP
configuration data (default gateway, subnet mask, etc.). DHCP
is installed as a service on Windows Server 2003 through the
use of wizards that follow the networking services
subcomponent of the Add/Remove Programs applet.
A scope is a range of IP addresses that can be
issued to DHCP clients on a single subnet by the DHCP server.
Only one scope can be created for each subnet, and a single
DHCP server can manage several scopes.
TCP/IP utilities to know:
ARP - Address Resolution Protocol - displays a cache of
locally resolved IP addresses to Media Access Control (MAC)
addresses.
Finger - Retrieves system info from a remote computer
that supports the TCP/IP finger service.
FTP - File Transfer Protocol - provides file transfers
between TCP/IP hosts with one running FTP software.
Hostname - returns the local computer's host name.
IPCONFIG - Verifies TCP/IP information. With the “/all” switch, it gives the DHCP, DNS and WINS addresses. WINIPCFG is the utility used in place of IPCONFIG on Win9.x workstations. The /DISPLAYDNS, /FLUSHDNS, and /REGISTERDNS options are used to directly interact with Domain Name Service variables.
LPD - Line Printer Daemon - Services LPR requests and
submits print jobs to a printer device.
LPQ - Line Printer Queue - Obtain status of a print
queue on a host running the LPD Service.
LPR - Line Printer Remote - Prints a file to a host
running the LPD Service.
NBTstat - Checks the state of current NetBIOS over
TCP/IP connections, updates LMHOSTS cache, determines
registered name.
Netdiag - Tests the network functions and provides a
report of the results.
Netsh - Network Shell. This utility can be used to
interact with most services from the command-line.
Netstat - Displays protocol statistics and the current state of TCP/IP connections. The -a option is used to see all information.
NSlookup - examines entries in the DNS database
pertaining to a particular host or domain.
Pathping - acts as a combination of ping and tracert. It sends echo requests out and identifies the host that hears them.
PING - Packet Internet Groper - Verifies that TCP/IP
is configured correctly and that another host is available.
REXEC - Remote Execution - Runs a process on a remote
computer.
Route - views or modifies the local routing table.
RSH - Remote Shell - runs commands on a UNIX host.
Telnet - Provides Terminal Emulation to a TCP/IP host
running Telnet server software.
Tracert - verifies the route used from the local host
to the remote host. This is superior to PING in that it also
shows the route taken to reach the remote host.
DNS:
DNS is a server service consisting of a hierarchical,
distributed database with built-in redundancy and caching
capabilities. DNS translates domain names into IP addresses.
When a DNS server cannot resolve a query, it moves (escalates)
it up to a root server that is authoritative for a zone. DNS
queries can be either recursive or iterative.
DNS is installed as a service within Windows Server 2003
through the use of wizards. If you have installed Active
Directory (via the Active Directory Installation Wizard) but
cannot find a DNS server, the ADI wizard will attempt to
install the DNS service for you. DNS management can be
performed with the DNS Manager snap-in.
DNS monitoring can be done with the Performance tool on
counters such as Caching Memory, IXFR Counters, TCP/IP, and
Zone Transfer. DNS uses resource records to perform
translations. Resource records are entries in the zone
database file; each resource record identifies a particular
resource within the database.
Dynamic DNS (DDNS) is simply the marriage of DHCP and DNS.
Whenever a client interacts with DHCP (new lease, renewal,
etc.), the fully qualified domain name (FQDN) of the client is
registered with DNS through the DHCP server. This registration
can be done manually using the REGISTERDNS parameter with the
IPCONFIG.EXE utility.
Configuring a zone for dynamic updates within the zone
properties dialog box (obtainable from the DNS Management
Console) allows DNS clients to update their resource records
dynamically with the server anytime a change occurs. This can
be enabled or disabled on a per-zone basis. With an Active
Directory Integrated zone, you can store DNS resource records
in AD naming contexts to simplify zone replication.
The DNS root name server of a domain is the name server
that is acting as the Start of Authority for that zone. The
first division of DNS is into domains. The InterNIC (Internet
Network Information Center) controls top-level domains (com,
edu, etc.). Stub zones contain SOA and NS records, as well as
A records for name servers.
A DNS client is any computer that can query a DNS
server (through a resolver). A resolver is the DNS
client program that is used to query DNS name information. A
DNS server is any computer running the DNS Server
service. DNS servers perform name-to-IP mapping and attempt to
resolve client queries.
FQDNs (fully qualified domain names) specify the host name,
the domain or subdomain to which the host belongs, and any
domains above that in the hierarchy until the root domain in
the organization is specified. The FQDN is read from left to
right, with each host name or domain name separated by a
period.
Local subnets are prioritized within DNS by default. This
is done so that the client finds a local resource first rather
than a remote resource.
Delegated zones require that all queries on the existing
domain go to one server for resolution. In all cases, the
delegated domain must be a sub-domain of the domain performing
the delegation. DNS zones are created with the New Zone Wizard
and can be used for forward-lookup or reverse-lookup.
With Windows Server 2003, dnsaddp.exe runs, whenever a
domain controller is started, to create DNS application
partitions. Also with Windows Server 2003, conditional
forwarding can be used to let the name server select a
forwarder based on a domain implied in a client query.
The primary troubleshooting tool for working with DNS is
NSLOOKUP, although IPCONFIG and Event Viewer also can be
helpful. In addition to the DNS Management Console GUI, you
can also manage DNS from the command-line with the DNSCMD
tool.
WINS:
WINS continues to persist in Windows Server 2003, with no real changes in operation compared with Windows 2000.
WINS (Windows Internet Naming Service) is responsible for
resolving NetBIOS names to IP addresses. When a WINS client
boots up it announces itself to the WINS server. The WINS
server stores the name and IP of the client in the database to
hand out on future requests. This enables you to connect to a
server named Appserver by name instead of having to remember
Appserver’s IP address. The WINS database is dynamic.
WINS servers are required to have static IP addresses.
Name Resolution Nodes
B-Node (broadcast) - uses broadcasts to resolve names (not
recommended for larger networks, and mostly used by older
clients)
P-Node (peer to peer) - uses WINS only, no broadcasts. No
WINS server, no resolution. This is the mode typically used
by newer clients
M-Node (mixed) - Broadcast first, then WINS (this is not
recommended as you want to attempt to minimize broadcasts).
H-Node (hybrid) - uses WINS first, then broadcast (this is
recommended as it cuts down broadcasts by trying WINS first
but will resort to broadcast as last resort.)
The LMhosts file is a text file that you can manually
update that holds NetBIOS name and IP combinations.
WINS Replication - You should have multiple WINS servers
for fault tolerance. These servers can be set up to replicate
the data to each other. WINS replicates changes only (data is
replicated at the record level using an incremental version
ID) instead of the whole database. Persistent connections
between WINS servers increase replication efficiency by not
needing to establish temporary connections for every update.
Push Partner - WINS will replicate after a certain number of
changes to the database.
Pull Partner - WINS will replicate at a certain time period
regardless of the number of changes.
Push/Pull Partner - WINS will replicate at a certain number of
changes or at a specified time interval regardless of the
number of changes.
For automatic configuration, every WINS server announces
its presence with broadcasts. If one is found without a
push/pull partner, it gets added into the replication list of
an existing server. For manual configuration, choose the New
Replication Partner option from the Replication Partners node
of the server.
While WINS replication occurs on a regular basis, it can be
forced at any time by right-clicking a partner and sending an
immediate trigger to the partner. WINS-R records can be used
in DNS to configure reverse lookups for WINS resolution.
Tombstoned WINS records are not immediately removed, but
instead are flagged for later deletion (via an extinction
interval) and replicated. Even manually tombstoned WINS
records remain in the database until a scavenge operation is
undertaken.
Routing and Remote Access:
RRAS routing is installed/configured through the RRAS MMC
snap-in by right-clicking on the server and choosing Configure
and Enable Routing and Remote Access on the popup menu. This
starts the RRAS Setup Wizard.
The three types of remote access permissions available to a
user are:
Allow access
Deny access
Control access through Remote Access Policy
When a user dials in, you can choose to verify caller-ID,
assign a static IP address to the connection, and/or apply
static routes.
RRAS includes support for RIP for IPX and SAP for IPX. RRAS
supports the following protocols: AppleTalk, IPX, NetBEUI, and
TCP/IP.
An individual host can have its data packet sent in one of the following three ways:
- By looking at the default gateway address in the IP configuration
- By using Internet Control Message Protocol (ICMP) redirects to find a route to a destination host
- By listening to traffic between routers utilizing RIP (Routing Information Protocol) or Open Shortest Path First (OSPF), known as dynamic routing.
Monitoring remote access is done through counters in the
Performance utility; the RRAS MMC console can be used to
configure incoming connections and other features.
Remote Access Dial-in Profiles allow you to define the
following:
Dial-in Constraints
IP Address Assignment Policy
Multilink (aggregation of multiple analog phone
lines through multiple modems for greater bandwidth)
Authentication
Encryption (No Encryption, Basic or Strong)
Remote Access Dial-in Profiles can be configured and govern
security in much the same way group policies do.
A remote access policy defines actions that can be
undertaken for a user or group of users who connect remotely.
They can employ specific authentication and encryption
methods.
IAS (Internet Authentication Service) can be used to
enforce (through policies) issues such as: RADIUS clients
allowed, incoming phone numbers to accept, the type of media
used to establish the connection, user membership in security
groups, and the time of allowed access (day, hour, etc.). With
RADIUS, all authentication requests heard by a server are sent
to a RADIUS server for approval/denial. RADIUS is an open
standard.
IAS is used for centralized administration and to enforce
access policies. It works with PAP, CHAP, MS-CHAP, and EAP.
IAS is useful for centralized auditing, scaling systems for
growing demand, monitoring usage remotely, and working with a
graphical interface through an MMC snap-in.
Server Availability:
Clustering is not available with the Standard edition or
Web edition of Windows Server 2003. The Enterprise edition
will support a cluster of up to four nodes, while the
Datacenter edition will support a cluster of up to eight
nodes.
What was known as the Windows NT Load Balancing Service (WLBS)
in previous operating system versions is now known as Network
Load Balancing in Windows Server 2003. It allows you to
distribute incoming TCP/IP traffic to multiple servers for
processing.
The four tabs of the Windows Server 2003 Backup Utility
are:
1. Welcome
2. Backup
3. Restore and Manage Media
4. Schedule Jobs
An incremental backup backs up all files that have the archive bit on, and then turns that bit off. A normal/full backup gets all files, regardless of the status of the archive bit, and then turns the bit off (if it was on). A differential backup gets all files with the archive bit on, and then leaves it on. A daily backup is valid only for the day (as the name implies). A copy backup backs up files and leaves the archive bit on.
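An added example (not from the original guide) that simulates the archive-bit rules above over a sequence of backups and then works out which backup sets a restore would need. The file names, the modified_today flag used to model the daily backup, and the helper names are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    archive: bool = True         # archive bit: set when a file is created or modified
    modified_today: bool = True  # constructed stand-in for "changed today" (daily backup)


@dataclass
class BackupSet:
    kind: str
    files: list = field(default_factory=list)


# (selector, clears_archive_bit) per backup type, following the guide's rules:
# normal and copy take everything; incremental and differential take flagged files;
# daily takes files changed today; only normal and incremental clear the bit.
BACKUP_RULES = {
    "normal": (lambda f: True, True),
    "copy": (lambda f: True, False),
    "incremental": (lambda f: f.archive, True),
    "differential": (lambda f: f.archive, False),
    "daily": (lambda f: f.modified_today, False),
}


def run_backup(kind, files):
    """Perform one backup of the given kind, updating archive bits the way the
    guide describes, and return the BackupSet that was written."""
    select, clears_bit = BACKUP_RULES[kind]
    chosen = [f for f in files if select(f)]
    if clears_bit:
        for f in chosen:
            f.archive = False
    return BackupSet(kind, [f.name for f in chosen])


def modify(files, *names):
    """Simulate a user editing files: the OS sets the archive bit again."""
    for f in files:
        if f.name in names:
            f.archive = True
            f.modified_today = True


def restore_plan(history):
    """Indices of the backup sets needed for a full restore after this history.

    Start from the latest normal backup, add every incremental after it (each one
    cleared the bit, so each holds distinct changes), then add only the latest
    differential taken after the last bit-clearing backup. Copy and daily backups
    never clear the bit, so they do not shorten the chain and are ignored.
    """
    last_normal = max(i for i, b in enumerate(history) if b.kind == "normal")
    plan = [last_normal]
    cursor = last_normal  # index of the last backup that cleared archive bits
    for i in range(last_normal + 1, len(history)):
        if history[i].kind == "incremental":
            plan.append(i)
            cursor = i
    diffs = [i for i in range(cursor + 1, len(history)) if history[i].kind == "differential"]
    if diffs:
        plan.append(diffs[-1])
    return plan
```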
A backup log can be configured from the options of the
Backup Utility. You can choose either “Detailed” or “Summary”
log files. A detailed file includes the name of every file
backed up, while a summary only offers a file count and
indicates any files that were skipped.
To start Windows Server 2003 in Safe mode, press F8 when
the Please Select The Operating System To Start message
appears. Safe mode enables you to start the system with a
minimal set of device drivers and services. Choices appearing
on the option menu are:
- Safe mode
- Safe mode with networking
- Safe mode with command prompt
- Enable boot logging (which sends the output to ntbtlog.txt)
- Enable VGA mode
- Last Known Good configuration
- Debugging mode
- Directory Service Restore mode (on domain controllers only)
Recovery Console - Windows Server 2003 has a
Recovery Console to help when you have trouble booting. The
Recovery Console is not installed by default. Install the
Recovery Console by booting from the Windows Server 2003 CD
and choosing Repair, or running winnt32.exe /cmdcons
from the I386 directory of the CD. This copies the files
locally and you will now see an option to enter the Recovery
Console at boot up.
The Recovery Console is limited to administrators, and you
must give the Administrator password when choosing it. This
utility will allow you to do such things as:
- Use, copy, rename or replace operating system files and folders.
- Enable or disable services or devices from starting when you next start your computer.
- Repair the file system boot sector or the Master Boot Record (MBR).
- Create and format partitions on drives.
Emergency Management Services (EMS) allow a server
to be accessed across a serial line to perform recovery
operations.
Network Security:
Common TCP ports to allow/deny include:
FTP (data)
FTP (session)
Telnet
SMTP
HTTP
POP3
IMAP
TCP/IP packet filters can be used to prevent types of
packets from reaching your network server. These are
configured through the Advanced button on the TCP/IP protocol
properties. Filters can be set for TCP, UDP, or IP protocol
numbers, and can be universal (for all adapters) or
individual. The filter can accept, deny, or accept within
specified conditions (always respond using IPSec, use Perfect
Forward Secrecy, etc.).
IPSec is used to negotiate the secure connection utilizing
DES (Data Encryption Standard/ 56-bit), and 3DES (Triple DES).
IPSec is used to secure packets between two hosts and cannot
be used locally, whereas EFS is used locally and does not
encrypt data on a network.
Only one IPSec policy can be in use at a time. All policy
settings can be made using wizards. IPSECMON.EXE can be used
to monitor and troubleshoot operations.
The IP Security Policy Management MMC console is used to
manage IPSec. To create a new policy, right-click the IP
Security Policies folder for the popup menu that contains the
New IP Security Policy option.
Security Infrastructure:
Public Key Encryption - Public Key Encryption uses a two-key method to encrypt data. The Public Key is given out to any user wishing to communicate with the key's owner. The Private Key is kept by the owner for decoding what was encrypted with the Public Key.
Public Key Authentication - Public Key Encryption
uses the same 2 key method for authentication. This is also
known as digital signatures. Digital signatures are very
common when visiting websites. The purpose of a digital
signature is to guarantee that data is from the user it is
supposed to be from, and that it has not been altered. Signing
uses encryption as its main tool but also adds origin and
authenticity information as well.
The Public Key is sent out to a user to authenticate the sender. The Private Key is used to encrypt data to be sent.
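An added example, not from the original guide, showing both directions of the key pair in working code: signing with the Private Key and verifying with the Public Key (origin and integrity), and encrypting with the Public Key so that only the Private Key can decrypt. It uses textbook RSA over two constructed, well-known primes with no padding, purely to show the math; the key size and the truncated hash are assumptions of the example, not how a real CA-issued key is used.

```python
import hashlib

# Constructed key pair for illustration only: two Mersenne primes give a modulus
# (about 2**216) large enough to hold a 128-bit hash. Real PKI uses far larger
# keys plus padding (e.g. PKCS#1); only the arithmetic is shown here.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
PUBLIC_EXPONENT = 65537                            # the Public Key is (N, PUBLIC_EXPONENT)
PRIVATE_EXPONENT = pow(PUBLIC_EXPONENT, -1, PHI)   # the Private Key, kept by the owner


def digest(message: bytes) -> int:
    """Hash the message and keep 128 bits so the value fits below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, private_exponent: int = PRIVATE_EXPONENT) -> int:
    """The signer 'encrypts' the hash with the Private Key; only the owner can."""
    return pow(digest(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = PUBLIC_EXPONENT) -> bool:
    """Anyone holding the Public Key recovers the signed hash and compares it with a
    fresh hash of the received data: a changed message or signature fails, which is
    what gives origin and integrity guarantees."""
    return pow(signature, public_exponent, N) == digest(message)


def encrypt(plaintext_int: int, public_exponent: int = PUBLIC_EXPONENT) -> int:
    """Confidentiality direction: encrypt with the recipient's Public Key."""
    if not 0 < plaintext_int < N:
        raise ValueError("plaintext must be an integer below the modulus")
    return pow(plaintext_int, public_exponent, N)


def decrypt(ciphertext_int: int, private_exponent: int = PRIVATE_EXPONENT) -> int:
    """Only the holder of the Private Key can undo the Public Key encryption."""
    return pow(ciphertext_int, private_exponent, N)
```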
Within PKI are the following elements: certificate
authorities, which issue and revoke certificates, and
certificate publishers, which make what the CA has issued
available.
CA (Certificate Authority) - A Certificate Authority is responsible for assigning the keys for encryption, decryption and authentication. There are two types of CAs: Enterprise and Stand-Alone. Each of these types can have a root CA and Subordinate CAs.
CA type | Description
Enterprise Root CA | Top Level CA - An Enterprise CA requires Active Directory, so it should be used in your internal 2000 network.
Enterprise Subordinate CA | Obtains its CA certificate from the Enterprise root. An Enterprise CA requires Active Directory, so it should be used in your internal 2000 network.
Stand-Alone Root CA | Top Level CA - A Stand-Alone CA can use but does not require Active Directory, thus it can be used for people connecting from outside your network (i.e., the Internet or an Extranet).
Stand-Alone Subordinate CA | Obtains its CA certificate from the Stand-Alone root. A Stand-Alone CA does not require Active Directory, thus it can be used for people connecting from outside your network (i.e., the Internet or an Extranet).
The Certificate Revocation List (CRL) can be published automatically or manually through the appropriate MMC snap-in.