
MCSE 70-296 Study Guide

Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000

The objectives for exam 70-296 make it an exam that hits on a large number of topics. It is an upgrade exam for MCSEs who have certified on Windows 2000 and want to upgrade their certification; as such, it merges into a single test a subset of the objectives found on two standalone exams: 70-293 (Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure) and 70-294 (Planning, Implementing, and Maintaining a Microsoft Windows Active Directory Infrastructure).

The objectives for this exam are:

Planning and Implementing Server Roles and Server Security

n        Configure security for servers that are assigned specific roles.     

n        Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.

o       Deploy the security configuration for servers that are assigned specific roles.

o       Create custom security templates based on server roles.

Planning, Implementing, and Maintaining a Network Infrastructure

n        Plan a host name resolution strategy.

o       Plan a DNS namespace design.

o       Plan zone replication requirements.

o       Plan a forwarding configuration.

o       Plan for DNS security.

o       Examine the interoperability of DNS with third-party DNS solutions.

Planning, Implementing, and Maintaining Server Availability 

n        Plan services for high availability.

o       Plan a high availability solution that uses clustering services.

o       Plan a high availability solution that uses Network Load Balancing.

n        Plan a backup and recovery strategy.

o       Identify appropriate backup types. Methods include full, incremental, and differential.

o       Plan a backup strategy that uses volume shadow copy.

o       Plan system recovery that uses Automated System Recovery (ASR).

Planning and Maintaining Network Security

n        Plan secure network administration methods.

o       Create a plan to offer Remote Assistance to client computers.

o       Plan for remote administration by using Terminal Services.

n        Plan security for wireless networks.     

n        Plan security for data transmission.

o       Secure data transmission between client computers to meet security requirements.

o       Secure data transmission by using IPSec.

Planning, Implementing, and Maintaining Security Infrastructure.

n        Configure Active Directory directory service for certificate publication.    

n        Plan a public key infrastructure (PKI) that uses Certificate Services.

o       Identify the appropriate type of certificate authority to support certificate issuance requirements.

o       Plan the enrollment and distribution of certificates.

o       Plan for the use of smart cards for authentication.

n        Plan a framework for planning and implementing security.

o       Plan for security monitoring.

o       Plan a change and configuration management framework for security.

n        Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.

Planning and Implementing an Active Directory Infrastructure 

n        Plan a strategy for placing global catalog servers.

o       Evaluate network traffic considerations when placing global catalog servers.

o       Evaluate the need to enable universal group caching.

n        Implement an Active Directory directory service forest and domain structure.

o       Create the forest root domain.

o       Create a child domain.

o       Create and configure Application Data Partitions.

o       Install and configure an Active Directory domain controller.

o       Set an Active Directory forest and domain functional level based on requirements.

o       Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts.

Managing and Maintaining an Active Directory Infrastructure 

n        Manage an Active Directory forest and domain structure.

o       Manage trust relationships.

o       Manage schema modifications.

o       Add or remove a UPN suffix.

n        Restore Active Directory directory services.

o       Perform an authoritative restore operation.

o       Perform a nonauthoritative restore operation.

Planning and Implementing User, Computer, and Group Strategies 

n        Plan a user authentication strategy.

o       Plan a smart card authentication strategy.

o       Create a password policy for domain users.

Planning and Implementing Group Policy 

n        Plan Group Policy strategy.

o       Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode.

o       Plan a strategy for configuring the user environment by using Group Policy.

o       Plan a strategy for configuring the computer environment by using Group Policy.

n        Configure the user environment by using Group Policy.

o       Distribute software by using Group Policy.

o       Automatically enroll user certificates by using Group Policy.

o       Redirect folders by using Group Policy.

o       Configure user security settings by using Group Policy.

Managing and Maintaining Group Policy 

n        Troubleshoot issues related to Group Policy application. deployment. Tools might include RSoP and the gpresult command.  

n        Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult command.

*********************** End of Objectives **********************

Server Roles:

There are four different versions of Windows Server 2003 available:

1. Web Edition - supports one or two processors
2. Standard Edition - supports two processors
3. Enterprise Edition - supports up to 8 processors
4. Datacenter Edition - supports up to 32 processors

Each of these operating systems must be "activated" (with the exception of volume license versions) in order to be usable; activation is intended to provide copy protection and prevent piracy. Aside from the different versions, there are a number of different roles that a server may play. The "role" of a server is to offer one or more services to the network.

The role can be Active Directory related (domain controllers) or purely service-oriented. Within those that are Active Directory related, there are five FSMO (Flexible Single Master Operations) roles:

1. PDC (Primary Domain Controller) emulator - used for backward compatibility
2. RID (Relative ID) Master - holds the pool of ID numbers to be used
3. Infrastructure Master - handles updates and name changes
4. Domain Naming Master - by default the first domain controller in a forest
5. Schema Master - oversees all schema operations

The domain controller that performs one of these roles is known as the role master. Microsoft recommends that the PDC emulator and RID master be kept on the same domain controller, and that the Domain Naming Master be placed on a Global Catalog server.

Outside of Active Directory specific operations, server roles can also include such things as:

• Web servers
• Database servers
• Mail servers
• DNS servers
• DHCP servers

and servers offering other services that your network benefits from.

Server Security:

Event Viewer is the primary tool used for viewing log files. In addition to the three log files that have always existed (Application; System, which contains information about services and drivers that fail to start; and Security), there are now log files for Directory Services, File Replication Service, and DNS, if those services are in use.

It is highly recommended to put users into groups and give permissions to the groups. In Windows Server 2003, the following types of groups exist:

• Machine local
• Domain local
• Global
• Universal
• Builtin - these are domain local groups that exist for compatibility with Windows NT. By default, the following groups are found on all Windows Server 2003 systems: Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Print Operators, Remote Desktop Users, Replicator, and Users. These built-in users and groups cannot be deleted.

Network Infrastructure: DNS

DNS is a server service consisting of a hierarchical, distributed database with built-in redundancy and caching capabilities. DNS translates domain names into IP addresses. When a DNS server cannot resolve a query from its own data, it escalates the query up the hierarchy, starting from a root server, until it reaches a server that is authoritative for the zone. DNS queries can be either recursive or iterative.

DNS is installed as a service within Windows Server 2003 through the use of wizards. If you have installed Active Directory (via the Active Directory Installation Wizard) but cannot find a DNS server, the ADI wizard will attempt to install the DNS service for you. DNS management can be performed with the DNS Manager snap-in.

DNS monitoring can be done with the Performance tool on counters such as Caching Memory, IXFR Counters, TCP/IP, and Zone Transfer. DNS uses resource records to perform translations. Resource records are entries in the zone database file; each resource record identifies a particular resource within the database.

If necessary, you can manually add resource records into DNS through the DNS snap-in.

Dynamic DNS (DDNS) is simply the marriage of DHCP and DNS. Whenever a client interacts with DHCP (new lease, renewal, etc.), the fully qualified domain name (FQDN) of the client is registered with DNS through the DHCP server. This registration can also be triggered manually with the /registerdns parameter of the IPCONFIG.EXE utility.

The DNS root name server of a domain is the name server that is acting as the Start of Authority for that zone. The first division of DNS is into domains. The InterNIC (Internet Network Information Center) controls top-level domains (com, edu, etc.). Stub zones contain SOA and NS records, as well as A records for name servers.

A DNS client is any computer that can query a DNS server (through a resolver). A resolver is the DNS client program that is used to query DNS name information. A DNS server is any computer running the DNS Server service. DNS servers perform name-to-IP mapping and attempt to resolve client queries.

FQDNs (fully qualified domain names) specify the host name, the domain or subdomain to which the host belongs, and any domains above that in the hierarchy until the root domain in the organization is specified. The FQDN is read from left to right, with each host name or domain name separated by a period.

Local subnets are prioritized within DNS by default. This is done so that the client finds a local resource first rather than a remote resource.

Delegated zones require that all queries on the existing domain go to one server for resolution. In all cases, the delegated domain must be a sub-domain of the domain performing the delegation. DNS zones are created with the New Zone Wizard and can be used for forward-lookup or reverse-lookup.

With Windows Server 2003, dnsaddp.exe runs, whenever a domain controller is started, to create DNS application partitions. Also with Windows Server 2003, conditional forwarding can be used to let the name server select a forwarder based on a domain implied in a client query.

The primary troubleshooting tool for working with DNS is NSLOOKUP, although IPCONFIG and Event Viewer also can be helpful. In addition to the DNS Management Console GUI, you can also manage DNS from the command-line with the DNSCMD tool.
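The resolution behaviour described in this section (recursive versus iterative queries, caching, and conditional forwarding chosen by the domain in the client's query) can be followed end to end in the Python model below. It is an example added for this guide, not code from the page or from Microsoft's DNS service; the server names, zones and addresses (`dc1.corp.local`, `example.com`, `192.0.2.10`, the `partner.net` forwarder) are constructed, and `DnsServer`, `query`, `resolve` and `build_lab` are names chosen here.

```python
"""Toy model of Windows DNS server name resolution: authoritative zones, cache,
conditional forwarders, and iterative referrals starting from a root server.
Added illustration; all names and addresses are constructed."""


def in_zone(fqdn, zone):
    return fqdn == zone or fqdn.endswith("." + zone)


class DnsServer:
    def __init__(self, name, zones=None, delegations=None, root_hints=None, forwarders=None):
        self.name = name
        self.zones = zones or {}              # zone -> {fqdn: ip} (authoritative data)
        self.delegations = delegations or {}  # child zone -> DnsServer (NS record plus glue)
        self.root_hints = root_hints          # DnsServer to start iteration from, or None
        self.forwarders = forwarders or {}    # domain -> DnsServer; "" is the default forwarder
        self.cache = {}

    def query(self, fqdn):
        """Iterative (non-recursive) answer using only local knowledge.

        Returns ("answer", ip), ("nxdomain", None) when this server is authoritative
        and the name does not exist, ("referral", server) when a child zone is
        delegated, or ("unknown", None)."""
        for zone, records in self.zones.items():
            if in_zone(fqdn, zone):
                return ("answer", records[fqdn]) if fqdn in records else ("nxdomain", None)
        best = None
        for child, server in self.delegations.items():
            if in_zone(fqdn, child) and (best is None or len(child) > len(best[0])):
                best = (child, server)
        return ("referral", best[1]) if best else ("unknown", None)

    def _forwarder_for(self, fqdn):
        """Conditional forwarding: the longest matching forwarder domain wins."""
        matches = [d for d in self.forwarders if d == "" or in_zone(fqdn, d)]
        return self.forwarders[max(matches, key=len)] if matches else None

    def _iterate(self, fqdn, trace):
        """Walk referrals from the root until an authoritative server answers."""
        server = self.root_hints
        while server is not None:
            trace.append(server.name)
            kind, value = server.query(fqdn)
            if kind != "referral":
                return value
            server = value
        return None

    def resolve(self, fqdn, trace=None):
        """Recursive resolution on behalf of a client. `trace` collects the servers consulted."""
        trace = trace if trace is not None else []
        trace.append(self.name)
        kind, value = self.query(fqdn)
        if kind in ("answer", "nxdomain"):      # authoritative: answer without asking anyone
            return value
        if fqdn in self.cache:
            return self.cache[fqdn]
        forwarder = self._forwarder_for(fqdn)
        ip = forwarder.resolve(fqdn, trace) if forwarder else self._iterate(fqdn, trace)
        self.cache[fqdn] = ip
        return ip


def build_lab():
    """Constructed topology: an internal DC that forwards partner.net to a partner's DC
    and iterates from the public root hierarchy for everything else."""
    example = DnsServer("ns1.example.com", zones={"example.com": {"www.example.com": "192.0.2.10"}})
    com = DnsServer("a.gtld-servers", delegations={"example.com": example})
    root = DnsServer("root", delegations={"com": com})
    partner = DnsServer("dc1.partner.net",
                        zones={"corp.partner.net": {"mail.corp.partner.net": "198.51.100.7"}})
    return DnsServer("dc1.corp.local", zones={"corp.local": {"dc1.corp.local": "10.0.0.5"}},
                     root_hints=root, forwarders={"partner.net": partner})


if __name__ == "__main__":
    dc = build_lab()
    for name in ("www.example.com", "mail.corp.partner.net", "www.example.com", "ghost.corp.local"):
        trace = []
        print(name, "->", dc.resolve(name, trace), "via", " > ".join(trace))
```

Running it shows the two paths side by side: `www.example.com` is iterated from the root through the com servers to the authoritative server, `mail.corp.partner.net` goes straight to the conditional forwarder, the repeated lookup of `www.example.com` is served from the cache, and a name inside the server's own zone is answered (or denied) without consulting anyone.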

Server Availability:

Clustering is not available with the Standard edition or Web edition of Windows Server 2003. The Enterprise edition will support a cluster of up to four nodes, while the Datacenter edition will support a cluster of up to eight nodes.

What was known as the Windows NT Load Balancing Service (WLBS) in previous operating system versions is now known as Network Load Balancing in Windows Server 2003. It allows you to distribute incoming TCP/IP traffic to multiple servers for processing.

The four tabs of the Windows Server 2003 Backup Utility are:

1. Welcome
2. Backup
3. Restore and Manage Media
4. Schedule Jobs

An incremental backup backs up all files that have the archive bit on, and then turns that bit off. A normal/full backup gets all files, regardless of the status of the archive bit, and then turns the bit off (if it was on). A differential backup gets all files with the archive bit on, and then leaves it on. A daily backup covers only that day's files (as the name implies). A copy backup backs up files and leaves the archive bit on.
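The archive-bit rules above decide how many backup sets a restore needs, which is the practical difference between an incremental and a differential strategy. The Python simulation below, added here as an illustration rather than taken from the page or from the Backup Utility, applies those rules to three constructed files over a four-day cycle; `File`, `backup`, `modify` and `week` are names chosen for the example, and the daily-backup rule it uses (files changed on that day, bit left untouched) follows the Backup Utility's documented behaviour.

```python
"""Archive-bit behaviour of the Windows Server 2003 backup types, simulated.
Added illustration; file names and change days are constructed."""

from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive: bool = True   # the OS sets this bit whenever the file is modified
    modified: int = 0      # day number of the last change


def backup(files, kind, today=None):
    """Return the names selected by a backup of type `kind` and update archive bits.

    normal/full  : every file, clears the bit
    incremental  : files with the bit set, clears the bit
    differential : files with the bit set, leaves the bit set
    copy         : every file, leaves the bit untouched
    daily        : files modified on `today`, leaves the bit untouched
    """
    if kind in ("normal", "full"):
        selected, clear_bit = list(files), True
    elif kind == "incremental":
        selected, clear_bit = [f for f in files if f.archive], True
    elif kind == "differential":
        selected, clear_bit = [f for f in files if f.archive], False
    elif kind == "copy":
        selected, clear_bit = list(files), False
    elif kind == "daily":
        selected, clear_bit = [f for f in files if f.modified == today], False
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if clear_bit:
        for f in selected:
            f.archive = False
    return [f.name for f in selected]


def modify(files, names, day):
    """Simulate the OS marking files as changed on `day`."""
    for f in files:
        if f.name in names:
            f.archive = True
            f.modified = day


def week(strategy):
    """Full backup on day 0, then `strategy` ('incremental' or 'differential') on days 1-3.

    Returns (history, restore_set): history is a list of (day, kind, files backed up),
    restore_set is the subset of those backups needed to rebuild the day-3 state."""
    files = [File("payroll.mdb"), File("web.config"), File("readme.txt")]
    history = [(0, "full", backup(files, "full"))]
    changes = {1: ["payroll.mdb"], 2: ["web.config"], 3: ["payroll.mdb"]}  # constructed
    for day, names in changes.items():
        modify(files, names, day)
        history.append((day, strategy, backup(files, strategy)))
    if strategy == "incremental":
        restore_set = list(history)              # full plus every incremental since
    else:
        restore_set = [history[0], history[-1]]  # full plus only the newest differential
    return history, restore_set


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        history, restore_set = week(strategy)
        print(strategy)
        for day, kind, names in history:
            print(f"  day {day} {kind:<12} {names}")
        print(f"  backup sets needed to restore day 3: {len(restore_set)}")
```

The differential run grows each day (it keeps re-copying `payroll.mdb` because the bit is never cleared) but restores from two sets; the incremental run copies only the day's changes but needs every set since the full backup, so losing one tape breaks the chain.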

A backup log can be configured from the options of the Backup Utility. You can choose either "Detailed" or "Summary" log files. A detailed file includes the name of every file backed up, while a summary only offers a file count and indicates any files that were skipped.

Network Security:

Common TCP ports to allow/deny include:

• FTP (data)
• FTP (session)
TCP/IP packet filters can be used to prevent types of packets from reaching your network server. These are configured through the Advanced button on the TCP/IP protocol properties. Filters can be set for TCP, UDP, or IP protocol numbers, and can be universal (for all adapters) or individual. The filter can accept, deny, or accept within specified conditions (always respond using IPSec, use Perfect Forward Secrecy, etc.).

IPSec is used to negotiate the secure connection utilizing DES (Data Encryption Standard/ 56-bit), and 3DES (Triple DES). IPSec is used to secure packets between two hosts and cannot be used locally, whereas EFS is used locally and does not encrypt data on a network.

Only one IPSec policy can be in use at a time. All policy settings can be made using wizards. IPSECMON.EXE can be used to monitor and troubleshoot operations.

The IP Security Policy Management MMC console is used to manage IPSec. To create a new policy, right-click the IP Security Policies folder for the popup menu that contains the New IP Security Policy option.

Security Infrastructure:

Public Key Encryption - Public key encryption uses a two-key method to encrypt data. The public key is given out to any user who wishes to communicate with the key's owner. The private key is kept by the owner for decoding what was encrypted with the public key.

Public Key Authentication - Public key encryption uses the same two-key method for authentication. This is also known as digital signatures. Digital signatures are very common when visiting websites. The purpose of a digital signature is to guarantee that data is from the user it is supposed to be from, and that it has not been altered. Signing uses encryption as its main tool but also adds origin and authenticity information.

For authentication the roles are reversed: the public key is sent out so that recipients can authenticate the sender, and the private key is used to encrypt (sign) the data being sent.
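To make the two-key model concrete, here is a textbook RSA sign/verify and key-wrapping example in Python. It is an added illustration, not code from the page or from Certificate Services, and it deliberately uses fixed demonstration primes and no padding, so it shows only the mechanics the paragraphs above describe; `make_keypair`, `sign`, `verify`, `encrypt_key` and `decrypt_key` are names chosen here.

```python
"""Textbook RSA to illustrate the two-key model: the public key encrypts a short
secret that only the private key can decrypt, and the private key signs data that
anyone holding the public key can verify. Added illustration: fixed primes, no
padding, not for real use."""

import hashlib

# Fixed Mersenne primes keep the example deterministic; a real CA-issued key uses
# freshly generated primes and a far larger modulus.
P_DEMO = 2 ** 61 - 1
Q_DEMO = 2 ** 89 - 1


def modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse")
    return s0 % m


def make_keypair(p=P_DEMO, q=Q_DEMO, e=65537):
    """Return (public, private) as (n, e) and (n, d)."""
    n = p * q
    d = modinv(e, (p - 1) * (q - 1))
    return (n, e), (n, d)


def encrypt_key(public, secret):
    """Encrypt a short secret (e.g. a 16-byte session key) to the public key."""
    n, e = public
    m = int.from_bytes(secret, "big")
    if m >= n:
        raise ValueError("secret too long for this modulus")
    return pow(m, e, n)


def decrypt_key(private, ciphertext, length):
    """Only the holder of the private key can recover the secret."""
    n, d = private
    return pow(ciphertext, d, n).to_bytes(length, "big")


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """Digital signature: the private key 'encrypts' a hash of the data."""
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data, signature):
    """Anyone with the public key checks origin (right key) and integrity (unaltered data)."""
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"server role: domain controller"
    sig = sign(priv, msg)
    print("genuine:", verify(pub, msg, sig), "altered:", verify(pub, msg + b"s", sig))
    wrapped = encrypt_key(pub, b"0123456789abcdef")
    print("unwrapped:", decrypt_key(priv, wrapped, 16))
```

The verify call fails both when the data has been altered and when the signature was produced with a different private key, which is exactly the origin-plus-integrity guarantee the text attributes to digital signatures.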


Within PKI are the following elements: certificate authorities, which issue and revoke certificates, and certificate publishers, which make what the CA has issued available.

CA (Certificate Authority) - A Certificate Authority is responsible for assigning the keys for encryption, decryption and authentication. There are two types of CA: Enterprise and Stand-Alone. Each of these types can have a root CA and subordinate CAs.

• Enterprise Root CA - Top-level CA. An Enterprise CA requires Active Directory, so it should be used in your internal Windows 2000 network.
• Enterprise Subordinate CA - Obtains its CA certificate from the Enterprise root. An Enterprise CA requires Active Directory, so it should be used in your internal Windows 2000 network.
• Stand-Alone Root CA - Top-level CA. A Stand-Alone CA can use but does not require Active Directory, thus it can be used for people connecting from outside your network (e.g., the Internet or an extranet).
• Stand-Alone Subordinate CA - Obtains its CA certificate from the Stand-Alone root. A Stand-Alone CA does not require Active Directory, thus it can be used for people connecting from outside your network (e.g., the Internet or an extranet).

The Certificate Revocation List (CRL) can be published automatically or manually through the appropriate MMC snap-in.

Active Directory Structure:

Active Directory is a database that stores information about objects in the network (such as users, computers, printers, and shared folders) in a central location. The Active Directory naming scheme follows the path: forest, tree(s), domains. Active Directory depends on DNS (Domain Name System) in order to work; in the absence of DNS there is, effectively, no Active Directory. Active Directory is designed to be scalable and to interoperate with other name services.

Active Directory names are equivalent to DNS names and use the SRV records of DNS to store information about services, thereby creating "dynamic DNS." To refer to a host in a domain, you use a fully qualified domain name (FQDN). It is recommended that the registered DNS name your company already has, if they are connected to the Internet, be used as the Active Directory root domain.

A forest can consist of either a single domain or multiple domains. (Therefore, by definition, a single domain can also be a tree). A tree is a contiguous namespace, meaning the child has the parent as part of its name. Each tree has its own identity within the forest. Domains are partitions; that is, entities that can be combined into trees and forests, but that operate with some autonomy. Domains contain objects, and/or organizational units (OUs). An OU is a container for organizing objects within a domain into logical sub-groupings. A domain is an administrative as well as security boundary since administrative privileges do not extend past domain boundaries. The Active Directory root domain has to be unique within the DNS realm it works with.

Reasons for creating OUs (organizational units) include: to control access to resources, to create group policy objects, to delegate administration, and/or to group common objects.

The simplest network is a network with one domain. Reasons for creating additional domains include: to isolate replication traffic, to retain existing NT domain structures, to support decentralized administration, to support international boundaries, and/or to support more than one domain policy. Factors to consider when deciding to create more than one domain include replication, security, and overhead.

Objects are organized in a hierarchical structure rather than by physical location and can include:

• Shared resources
• Security information

Active Directory key concepts to focus on are:

• Objects: Object classes such as users, groups, computers, services, printers, security policies, etc. are a collection of object attributes.
• Schema: A database structure made up of attribute definitions and object definitions known as schema objects or metadata (data about data). Adding new attributes can extend a schema; however, once a schema object is created it can be disabled but not deleted. Write access to the schema is restricted to the Administrators group.

More about the Schema:

• Schema enforces the rules that govern both the structure and the content of the directory.
• Throughout the forest, there is only one writeable copy of the schema, which is held by the Schema operations master. There is only one schema per forest, and it is maintained forest-wide by virtue of being stored on every domain controller.
• The schema container holds all the definitions required to view the objects in the directory, and each is identified by a globally unique number known as the Object Identifier (OID).
• Schema consists of a set of classes, attributes, and syntaxes; every object in the directory is an instance of one or more classes in the schema.

Classes:
• a category of objects that share a set of common characteristics
• a formal description of a discrete, identifiable type of object that can be stored in the directory

Attributes:
• describe the characteristics of some aspect of an object
• define the types of information that an object can hold
• for each class, the schema specifies the mandatory attributes and optional attributes that constitute the set of shared characteristics of the class
• values assigned to attributes define specific characteristics

Syntaxes:
• the data type of a particular attribute
• determine what data type an attribute can have
• predefined syntaxes do not actually appear in the directory
• new syntaxes cannot be added

New to Windows Server 2003 is the ability for attributes and object classes to be declared defunct. It is also possible now to dynamically associate an auxiliary schema class to an individual object, or objects. Before, they would have to be associated with an entire class of objects.

Active Directory Schema Objects

• stored in Active Directory
• arranged in a logical hierarchy - the Directory Information Tree (DIT)
• includes a preconfigured database - the base DIT - that contains the information required to install and run the operating system and Active Directory
• one section of the base DIT holds the base schema
• schema objects are located in the Schema container

Active Directory Schema Container

• a special-purpose object class
• the topmost object of the schema directory partition
• cn=schema,cn=configuration,dc=<forest root domain name>
• contains all of the class and attribute definitions that are required to locate objects in Active Directory and to create new objects

Active Directory DIT and partitions

• DIT = Directory Information Tree
• divided into directory partitions
• a directory partition is a tree of directory objects
• a directory partition forms a unit of replication in Active Directory

Site link bridges are used to connect sites together and to model the routing behavior of a network. Within a site, replication traffic is carried out via Remote Procedure Calls over IP, while between sites it is done through either RPC or SMTP.

The purpose of the Knowledge Consistency Checker (KCC) is to generate a replication topology for both intra-site and inter-site replication. Windows Server 2003 uses a different calculation than was used with Windows 2000 in order to speed up intersite replication.

A forest is a collection of Active Directory domains. All trees within a forest have different naming structures but share a common schema.

Trees are groupings of domains that share contiguous namespaces and a hierarchical naming structure.

• Single Domain: One domain that is the first and only tree's root domain as well as the forest's root. OUs are used to build the Active Directory structure and should be kept to a minimum.
• Tree with Multiple Domains: Used when implementing different security policies in remote offices, or to limit administrative control between different locations.
• Forest with Multiple Trees: Each tree has its own unique namespace, and all are part of the same Active Directory. Each tree is identified by the DNS name of its root domain. The trees share a common schema, configuration information and Global Catalog.

Naming of objects in Active Directory is a critical issue.

• Each Active Directory object must be uniquely identified.
• Domain Name System (DNS) is required for Active Directory. NETLOGON.DNS is the file that holds the DNS entries for Active Directory. It resides beneath the System32\Config folder.
• Object names must follow an established naming convention.

The following are common name formats:

• LDAP Distinguished Name (DN). A DN exists for every object in Active Directory. The values cannot be duplicates; they must be unique.
• LDAP Relative Distinguished Name (RDN). RDNs need not be unique if they exist in separate OUs.
• User Principal Name (UPN). These are often referred to as "friendly names."

LDAP functionality is a key component of Active Directory, employing similar naming standards. LDAP functionality makes Active Directory compatible with other naming strategies (such as BIND). LDAP is a derivative of X.500. LDAP uses four different name types: 1) Distinguished name, 2) Relative Distinguished name, 3) User Principal name, and 4) Canonical name.

The Distinguished name, in LDAP, is the full path, including containers, of the object. The Relative Distinguished name (RDN), in LDAP, is the portion of the name that's unique within its container. The User Principal name, in LDAP, is the user-friendly name. The Canonical name, in LDAP, is a top-down notation of the Distinguished name.
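The four name types map onto each other mechanically, and a small parser makes the relationships in the two paragraphs above explicit: the RDN is the leaf of the DN, the container is the rest, and the canonical name is the same DN written top-down with the DC components folded into a DNS name. The Python below is an added example, not code from the page; `parse_dn`, `canonical_name`, `relative_dn`, `parent_dn` and `same_object` are names chosen here, and the DNs it uses (`corp.example.com`, `corp.local`) are constructed.

```python
"""Convert between the LDAP name forms Active Directory uses: distinguished name
(DN), relative distinguished name (RDN), parent container, and canonical name.
Added illustration; the sample DNs are constructed."""


def parse_dn(dn):
    """Split a DN into [(TYPE, value), ...], honouring backslash-escaped characters."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    components = []
    for part in parts:
        attr_type, _, value = part.strip().partition("=")
        if not attr_type or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        components.append((attr_type.strip().upper(), value.strip()))
    return components


def _escape(value):
    return value.replace("\\", "\\\\").replace(",", "\\,")


def to_dn(components):
    return ",".join(f"{t}={_escape(v)}" for t, v in components)


def relative_dn(dn):
    """The leaf component; it only has to be unique within its container."""
    return to_dn(parse_dn(dn)[:1])


def parent_dn(dn):
    """DN of the container that holds the object."""
    return to_dn(parse_dn(dn)[1:])


def canonical_name(dn):
    """Top-down form: dns.domain/Container/.../Leaf."""
    components = parse_dn(dn)
    domain = ".".join(v for t, v in components if t == "DC")
    path = [v for t, v in components if t != "DC"]
    return "/".join([domain] + path[::-1])


def same_object(dn_a, dn_b):
    """Two DNs name the same object when every component matches case-insensitively;
    the same RDN under different containers is a different object."""
    def norm(components):
        return [(t, v.casefold()) for t, v in components]
    return norm(parse_dn(dn_a)) == norm(parse_dn(dn_b))


if __name__ == "__main__":
    dn = "CN=Jane Doe,OU=Sales,OU=Users,DC=corp,DC=example,DC=com"
    print("RDN      :", relative_dn(dn))
    print("container:", parent_dn(dn))
    print("canonical:", canonical_name(dn))
```

Note the escaped comma in `CN=Doe\, Jane`: a parser that splits on bare commas would turn that one RDN into two, which is the kind of mistake that lets a crafted display name confuse tooling that builds or compares DNs.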

Real-time LDAP is now supported, also known as LDAPv3, and security for digest authentication is now available for secure queries to a domain controller.


Sites

• Groups of subnets and domain controllers connected through a reliable high-speed connection, used to partition Active Directory into logical groups
• A set of one or more IP subnetwork addresses
• Control how replication is managed, logon traffic and DFS topology

Active Directory Sites

• Domain controllers get added to the Default-First-Site-Name object, which is created automatically
• Intersite replication occurs between two or more sites over manually created links, based on a replication schedule
• To minimize network traffic, data is compressed to about 10-15% of its volume before intersite replication is transmitted
• Active Directory domains are defined by the network's logical structure
• Sites are based on the network's physical structure
• Sites can include:
  - All Active Directory domain controllers
  - Some Active Directory domain controllers
  - Domain controllers from different Active Directory domains

Site Links

Site links specify how Active Directory will connect sites within the network and inform Active Directory of favorable replication links. "Active Directory Sites and Services" is used to create sites and site links.

• When Active Directory is installed a default site link (DEFAULTIPSITELINK) is created
• The transport used for transferring data between sites:
  - Remote Procedure Call (RPC) over TCP/IP [seen as IP] - required for File Replication Services
  - Simple Mail Transfer Protocol (SMTP) - used for schema partition, configuration partition and Global Catalog replication. Does not support replication between domain controllers in the same domain. SMTP is asynchronous, whereas RPC is synchronous.
• Cost value determines which site link to use when multiple paths are available
  - The lower the cost, the higher the priority
  - Based on bandwidth and priority
  - Default cost is 100
• Scheduling controls when replication occurs
  - Set through the link schedule
  - The "Replicate every" property determines how long a connection waits before checking for updates (15-10,080 minutes)
  - By default a link is always available
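Cost and the "Replicate every" interval interact when a change has to cross several site links. The Python below, an added example rather than code from the page or from Active Directory Sites and Services, picks the cheapest route over a constructed four-site topology the way the page describes (lower cost wins, default cost 100) and contrasts it with the result when site links are not bridged; `SiteLink`, `cheapest_path` and `LAB_LINKS` are names chosen here, and the worst-case minutes figure is simply the sum of the per-link intervals on the chosen path, a rough upper bound rather than a value Active Directory reports.

```python
"""Pick the replication path between sites from site-link costs, the way the
inter-site topology is chosen when several routes exist. Added illustration;
the topology is constructed."""

import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset            # a site link may join two or more sites
    cost: int = 100             # default cost; lower cost = higher priority
    replicate_every: int = 180  # minutes between replication attempts (15-10,080)

    def __post_init__(self):
        if not 15 <= self.replicate_every <= 10080:
            raise ValueError("replicate_every must be 15-10,080 minutes")
        if self.cost < 1 or len(self.sites) < 2:
            raise ValueError("a site link needs a positive cost and at least two sites")


def cheapest_path(links, src, dst, bridge_all_site_links=True):
    """Return (total_cost, [sites...], worst_case_minutes, [link names]) or None.

    With site-link bridging (the default) links are transitive and the lowest
    cumulative cost wins. Without it, only a single site link may carry the
    traffic between src and dst. worst_case_minutes is the sum of the per-link
    intervals on the path: a rough upper bound, not a reported value."""
    adjacency = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    adjacency.setdefault(a, []).append((b, link))

    if not bridge_all_site_links:
        direct = [link for site, link in adjacency.get(src, []) if site == dst]
        if not direct:
            return None
        best = min(direct, key=lambda link: link.cost)
        return best.cost, [src, dst], best.replicate_every, [best.name]

    # Dijkstra over cumulative cost; the counter keeps heap ordering stable.
    heap = [(0, 0, src, [src], 0, [])]
    seen, counter = set(), 1
    while heap:
        cost, _, site, path, minutes, used = heapq.heappop(heap)
        if site == dst:
            return cost, path, minutes, used
        if site in seen:
            continue
        seen.add(site)
        for nxt, link in adjacency.get(site, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + link.cost, counter, nxt, path + [nxt],
                                      minutes + link.replicate_every, used + [link.name]))
                counter += 1
    return None


LAB_LINKS = [  # constructed topology
    SiteLink("HQ-Branch1", frozenset({"HQ", "Branch1"}), cost=100, replicate_every=15),
    SiteLink("HQ-Branch2", frozenset({"HQ", "Branch2"}), cost=200, replicate_every=180),
    SiteLink("Branch1-Branch2", frozenset({"Branch1", "Branch2"}), cost=50, replicate_every=60),
    SiteLink("Branch2-Branch3", frozenset({"Branch2", "Branch3"}), cost=100, replicate_every=240),
]


if __name__ == "__main__":
    for bridged in (True, False):
        print("bridged" if bridged else "unbridged",
              cheapest_path(LAB_LINKS, "HQ", "Branch2", bridge_all_site_links=bridged))
    print("HQ to Branch3, unbridged:", cheapest_path(LAB_LINKS, "HQ", "Branch3", False))
```

With bridging, HQ reaches Branch2 through Branch1 (cost 150, two short intervals) even though a direct link exists, because the direct link was given the higher cost; without bridging the direct link is the only option, and Branch3 becomes unreachable from HQ because no single site link joins them.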

Preferred bridgehead server

Bridgehead servers replicate changes to all domain controllers in the site.

• Preferred domain controller for receiving intersite replication information; it updates the other domain controllers
• The first choice for sending information to other sites
• A firewall proxy server is required to be a preferred bridgehead server
• Multiple bridgehead servers can be specified to add fault tolerance to the replication design

User Authentication:

Security groups are groups listed in DACLs (Discretionary Access Control Lists) for the purpose of setting permissions for access to resources and objects.  According to AccessingResources_Domains.asp in TechNet:

It is important to understand the following security group concepts before you begin the planning process:
  • Security groups. User rights can be applied to groups in Active Directory while permissions can be assigned to security groups on member servers hosting a resource.
  • Group nesting. The ability to nest security groups is dependent on group scopes and domain functionality.
  • Group scope. Group scope helps determine the domain-wide and forest-wide access boundaries of security groups.
  • Domain functionality. The domain functional level of the trusting and trusted domains can affect group functionality such as group nesting.
Once you have gained a thorough understanding of security group concepts, determine the resource needs of each department and geographical division to assist you with the planning effort.

Best practices for controlling access to shared resources across domains

By carefully using domain local, global, and universal groups, administrators can more effectively control access to resources located in other domains. Consider the following best practices:

  • Organize domain users based on administrative needs, such as their locations or departments, and then create a global group, and add the appropriate user accounts as members.
  • Create a domain local group, and add all global groups from the other domain that need the same access to a resource in your domain.
  • Assign the required permissions on the shared resource to the domain local group.

Group Policy:

RSoP (Resultant Set of Policy) is a new tool included with Windows Server 2003 that shows how permissions and policies overlap. It factors in inheritance and other factors and shows what the resulting policy will be that applies to the user or computer in an Active Directory tree. Gpresult is a command-line utility that can perform the same function as RSoP.

Group Policy

Group Policy is a component of Active Directory used to restrict users and enforce limitations. Operating systems prior to Windows 2000 must utilize system policies, created with the POLEDIT utility.

• Reduces Total Cost of Ownership (TCO)
• Implemented through Group Policy Objects (GPOs) and applied to User and Computer Configurations
• Three possible settings for policies include Not Configured, Enabled and Disabled

Group Policies can be used to assign and publish software. Assigning software causes the software to be installed regardless of whether it is used. Published software is available to the users/machines, but it is not installed automatically. Software can be assigned to a user or computer, but published only to users (not computers).

Disk quotas can be assigned via group policies to restrict how much space a user is allowed to have in specific folders.

Group policies are applied in the order Site, Domain, and then Organizational Unit (OU).

Creating and Modifying Group Policies

• Group policy settings are refreshed throughout the network, on average every 90 minutes
• Domain controllers refresh on average every 5 minutes
• The refresh interval for domain controllers can be modified through Group Policy settings
• When deleting a GPO, any links are automatically dropped without warning
• Filtering GPOs allows Group Policies to be applied to individual users rather than all users and computers in an OU
