Planning, Implementing, and
Maintaining a Microsoft Windows Server 2003 Environment for an
MCSE Certified on Windows 2000
The objectives for exam 70-296 span a large number of topics. It is an upgrade exam for MCSEs who have certified on Windows 2000 and want to upgrade their certification; as such, it merges into a single test a subset of the objectives found on two standalone exams: 70-293 (Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure) and 70-294 (Planning, Implementing, and Maintaining a Microsoft Windows Active Directory
The objectives for this exam are:
Planning and Implementing Server Roles and Server
- Configure security for servers that are assigned
- Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.
  - Deploy the security configuration for servers that are assigned specific roles.
  - Create custom security templates based on server
Planning, Implementing, and Maintaining a Network
- Plan a host name resolution strategy.
  - Plan a DNS namespace design.
  - Plan zone replication requirements.
  - Plan a forwarding configuration.
  - Plan for DNS security.
  - Examine the interoperability of DNS with third-party DNS solutions.
Planning, Implementing, and Maintaining Server
- Plan services for high availability.
  - Plan a high availability solution that uses
  - Plan a high availability solution that uses Network
- Plan a backup and recovery strategy.
  - Identify appropriate backup types. Methods include full, incremental, and differential.
  - Plan a backup strategy that uses volume shadow
  - Plan system recovery that uses Automated System
Planning and Maintaining Network Security
- Plan secure network administration methods.
  - Create a plan to offer Remote Assistance to client
  - Plan for remote administration by using Terminal
- Plan security for wireless networks.
- Plan security for data transmission.
  - Secure data transmission between client computers to meet security requirements.
  - Secure data transmission by using IPSec.
Planning, Implementing, and Maintaining Security
- Configure Active Directory directory service for
- Plan a public key infrastructure (PKI) that uses
  - Identify the appropriate type of certificate authority to support certificate issuance requirements.
  - Plan the enrollment and distribution of
  - Plan for the use of smart cards for authentication.
- Plan a framework for planning and implementing
  - Plan for security monitoring.
  - Plan a change and configuration management framework for security.
- Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services.
Planning and Implementing an Active Directory
- Plan a strategy for placing global catalog
  - Evaluate network traffic considerations when placing global catalog servers.
  - Evaluate the need to enable universal group
- Implement an Active Directory directory service forest and domain structure.
  - Create the forest root domain.
  - Create a child domain.
  - Create and configure Application Data Partitions.
  - Install and configure an Active Directory domain
  - Set an Active Directory forest and domain functional level based on requirements.
  - Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts.
Managing and Maintaining an Active Directory
- Manage an Active Directory forest and domain
  - Manage trust relationships.
  - Manage schema modifications.
  - Add or remove a UPN suffix.
- Restore Active Directory directory services.
  - Perform an authoritative restore operation.
  - Perform a nonauthoritative restore operation.
Planning and Implementing User, Computer, and Group
- Plan a user authentication strategy.
  - Plan a smart card authentication strategy.
  - Create a password policy for domain users.
Planning and Implementing Group Policy
- Plan Group Policy strategy.
  - Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode.
  - Plan a strategy for configuring the user environment by using Group Policy.
  - Plan a strategy for configuring the computer environment by using Group Policy.
- Configure the user environment by using Group
  - Distribute software by using Group Policy.
  - Automatically enroll user certificates by using
  - Redirect folders by using Group Policy.
  - Configure user security settings by using Group
Managing and Maintaining Group Policy
- Troubleshoot issues related to Group Policy application deployment. Tools might include RSoP and the
- Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult
*********************** End of Objectives
There are four different versions of Windows Server 2003
1. Web edition - which supports one or two processors
2. Standard Edition - which supports two processors
3. Enterprise Edition - will support up to 8
4. Datacenter Edition - can work with up to 32
Each of these operating systems must be "activated" (with
the exception of volume license versions) in order to be
usable. This is intended to provide copy protection and
prevent piracy. Aside from the different versions, there are a
number of different roles that a server may play as well. The
"role" of the server is to offer a service (one or more) to
The role can be Active Directory related (Domain
controllers) or purely service-oriented. Within those that are
Active Directory related, there are five FSMOs (Flexible
Single Master Operations) roles:
1. PDC (Primary Domain Controller) emulator - used for
2. RID (Relative ID) Master - holds the pool of ID
numbers to be used
3. Infrastructure Master - handles updates and name
4. Domain Naming Master - by default the first domain
controller in a forest
5. Schema Master - oversees all schema operations
The primary domain controller performing one of these roles
is known as the role master. Microsoft recommends the PDC
emulator and RID master be kept on the same domain controller,
and the Domain Naming Master be stored on a Global Catalog
Outside of Active Directory specific operations, server roles can also include such things as:
- Web servers
- Database servers
- Mail servers
- DNS servers
- DHCP servers
And servers offering other services that your network
Event Viewer is the primary tool used for viewing log
files. In addition to the three log files that have always
existed (Application, System - which contains information
about services and drivers that fail to start - and
Security), there are now log files for: Directory Services,
File Replication Service, and DNS, if those services are in
It is highly recommended to put users into groups and give permissions to the groups. In Windows Server 2003, the following types of groups exist:
- Machine local
- Domain local
- these are Domain local groups that exist for compatibility with Windows NT.
By default, the following groups are found on all Windows Server 2003 systems: Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Print Operators, Remote Desktop Users, Replicator, and Users. These built-in users and groups cannot be deleted.
Network Infrastructure: DNS
DNS is a server service consisting of a hierarchical,
distributed database with built-in redundancy and caching
capabilities. DNS translates domain names into IP addresses.
When a DNS server cannot resolve a query, it moves (escalates)
it up to a root server that is authoritative for a zone. DNS
queries can be either recursive or iterative.
DNS is installed as a service within Windows Server 2003
through the use of wizards. If you have installed Active
Directory (via the Active Directory Installation Wizard) but
cannot find a DNS server, the ADI wizard will attempt to
install the DNS service for you. DNS management can be
performed with the DNS Manager snap-in.
DNS monitoring can be done with the Performance tool on
counters such as Caching Memory, IXFR Counters, TCP/IP, and
Zone Transfer. DNS uses resource records to perform
translations. Resource records are entries in the zone
database file; each resource record identifies a particular
resource within the database.
If necessary, you can manually add resource records into
DNS through the DNS snap-in.
Dynamic DNS (DDNS) is simply the marriage of DHCP and DNS.
Whenever a client interacts with DHCP (new lease, renewal,
etc.), the fully qualified domain name (FQDN) of the client is
registered with DNS through the DHCP server. This registration
can be done manually using the REGISTERDNS parameter with the
The DNS root name server of a domain is the name server
that is acting as the Start of Authority for that zone. The
first division of DNS is into domains. The InterNIC (Internet
Network Information Center) controls top-level domains (com,
edu, etc.). Stub zones contain SOA and NS records, as well as
A records for name servers.
A DNS client is any computer that can query a DNS
server (through a resolver). A resolver is the DNS
client program that is used to query DNS name information. A
DNS server is any computer running the DNS Server
service. DNS servers perform name-to-IP mapping and attempt to
resolve client queries.
FQDNs (fully qualified domain names) specify the host name,
the domain or subdomain to which the host belongs, and any
domains above that in the hierarchy until the root domain in
the organization is specified. The FQDN is read from left to
right, with each host name or domain name separated by a
Local subnets are prioritized within DNS by default. This
is done so that the client finds a local resource first rather
than a remote resource.
Delegated zones require that all queries on the existing
domain go to one server for resolution. In all cases, the
delegated domain must be a sub-domain of the domain performing
the delegation. DNS zones are created with the New Zone Wizard
and can be used for forward-lookup or reverse-lookup.
With Windows Server 2003, dnsaddp.exe runs, whenever a
domain controller is started, to create DNS application
partitions. Also with Windows Server 2003, conditional
forwarding can be used to let the name server select a
forwarder based on a domain implied in a client query.
The primary troubleshooting tool for working with DNS is
NSLOOKUP, although IPCONFIG and Event Viewer also can be
helpful. In addition to the DNS Management Console GUI, you
can also manage DNS from the command-line with the DNSCMD
Clustering is not available with the Standard edition or
Web edition of Windows Server 2003. The Enterprise edition
will support a cluster of up to four nodes, while the
Datacenter edition will support a cluster of up to eight
What was known as the Windows NT Load Balancing Service (WLBS)
in previous operating system versions is now known as Network
Load Balancing in Windows Server 2003. It allows you to
distribute incoming TCP/IP traffic to multiple servers for
The four tabs of the Windows Server 2003 Backup Utility
3. Restore and Manage Media
4. Schedule Jobs
An incremental backup includes all files that have the archive bit on, and then turns that bit off. A normal/full backup gets all files, regardless of the status of the archive bit, and then turns the bit off (if it was on). A differential backup gets all files with the archive bit on, and then leaves it on. A daily backup is valid only for the day (as the name implies). A copy backup backs up files and leaves the archive bit on.
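The archive-bit rules above decide what each job copies and, more importantly, which backup sets a restore needs. The following simulation is an added example written for these notes (it is not code from the notes or from the Windows Backup Utility); the volume, file names and day numbers are constructed sample data, and a file's "day" field stands in for its last-modified date so that a daily backup can be modelled.

```python
from copy import deepcopy
from typing import Dict, List, Optional

# Constructed sample volume: path -> {"archive": archive bit, "day": day the
# file was last modified}. A True archive bit means "changed since the last
# backup that cleared it".
SAMPLE_VOLUME: Dict[str, dict] = {
    "C:\\data\\a.doc": {"archive": True, "day": 1},
    "C:\\data\\b.xls": {"archive": True, "day": 1},
    "C:\\data\\c.txt": {"archive": False, "day": 0},
}

def fresh_volume() -> Dict[str, dict]:
    """A private copy of the sample volume so separate runs do not interfere."""
    return deepcopy(SAMPLE_VOLUME)

def touch(fs: Dict[str, dict], path: str, day: int) -> None:
    """Modify (or create) a file on `day`; Windows sets the archive bit."""
    fs[path] = {"archive": True, "day": day}

def run_backup(fs: Dict[str, dict], kind: str, today: Optional[int] = None) -> List[str]:
    """Return the paths a backup of type `kind` copies, and update the
    archive bits exactly as the notes describe for that type."""
    if kind in ("normal", "full"):
        copied, clear_bit = sorted(fs), True             # everything; bit off
    elif kind == "incremental":
        copied = sorted(p for p, f in fs.items() if f["archive"])
        clear_bit = True                                 # bit off
    elif kind == "differential":
        copied = sorted(p for p, f in fs.items() if f["archive"])
        clear_bit = False                                # bit stays on
    elif kind == "copy":
        copied, clear_bit = sorted(fs), False            # everything; bit untouched
    elif kind == "daily":
        if today is None:
            raise ValueError("daily backup needs today's day number")
        copied = sorted(p for p, f in fs.items() if f["day"] == today)
        clear_bit = False                                # bit untouched
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if clear_bit:
        for p in copied:
            fs[p]["archive"] = False
    return copied

def compare_strategies() -> Dict[str, Dict[int, List[str]]]:
    """Constructed week: a full backup on day 1, then incremental or
    differential jobs on days 2-4 with identical file changes. Returns
    what each day's job copies under each strategy, which shows why a
    restore from differentials needs only the full set plus the latest
    differential, while incrementals need every set since the full."""
    results = {}
    for strategy in ("incremental", "differential"):
        fs = fresh_volume()
        log = {1: run_backup(fs, "full")}
        touch(fs, "C:\\data\\a.doc", 2)      # a.doc edited on day 2
        log[2] = run_backup(fs, strategy)
        touch(fs, "C:\\data\\c.txt", 3)      # c.txt edited on day 3
        log[3] = run_backup(fs, strategy)
        log[4] = run_backup(fs, strategy)   # nothing changed on day 4
        results[strategy] = log
    return results

if __name__ == "__main__":
    for strategy, log in compare_strategies().items():
        print(strategy)
        for day, files in log.items():
            print(f"  day {day}: {files}")
```

Running it shows the incremental job on day 4 copying nothing while the differential job keeps copying both changed files; a copy or daily backup can be run in between without disturbing either chain because neither clears the bit.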
A backup log can be configured from the options of the
Backup Utility. You can choose either "Detailed" or "Summary"
log files. A detailed file includes the name of every file
backed up, while a summary only offers a file count and
indicates any files that were skipped.
Common TCP ports to allow/deny include:
TCP/IP packet filters can be used to prevent types of
packets from reaching your network server. These are
configured through the Advanced button on the TCP/IP protocol
properties. Filters can be set for TCP, UDP, or IP protocol
numbers, and can be universal (for all adapters) or
individual. The filter can accept, deny, or accept within
specified conditions (always respond using IPSec, use Perfect
Forward Secrecy, etc.).
IPSec is used to negotiate the secure connection utilizing DES (Data Encryption Standard, 56-bit) and 3DES (Triple DES). IPSec is used to secure packets between two hosts and cannot be used locally, whereas EFS is used locally and does not encrypt data on a network.
Only one IPSec policy can be in use at a time. All policy
settings can be made using wizards. IPSECMON.EXE can be used
to monitor and troubleshoot operations.
The IP Security Policy Management MMC console is used to
manage IPSec. To create a new policy, right-click the IP
Security Policies folder for the popup menu that contains the
New IP Security Policy option.
Public Key Encryption - Public Key Encryption uses a two-key method to encrypt data. The Public Key is given out to any user who wishes to communicate with the key owner. The Private Key is kept for decoding transmissions that were encrypted with the Public Key.
Public Key Authentication - Public Key Encryption uses the same two-key method for authentication. This is also known as digital signatures. Digital signatures are very common when visiting websites. The purpose of a digital signature is to guarantee that data is from the user it is supposed to be from, and that it has not been altered. Signing uses encryption as its main tool but also adds origin and authenticity information.
The Public Key is sent out to a user to authenticate the sender. The Private key is used to encrypt data to be sent.
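To make the two-key idea concrete, here is an added example (not code from the notes, and not how Windows Certificate Services implements it) of textbook RSA: the public key encrypts and the private key decrypts, while the private key signs and the public key verifies. The key uses two Mersenne primes chosen only so the arithmetic is visible, and the "padding" is a bare SHA-256 digest reduced into the key's range; both are constructed simplifications, since real deployments use 2048-bit or larger keys with OAEP or PSS padding.

```python
import hashlib

# Constructed toy key: Mersenne primes 2^31-1 and 2^61-1 (both prime).
# Illustration only; never use parameters this small in practice.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                  # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                  # public exponent (coprime with PHI)
D = pow(E, -1, PHI)        # private exponent: E * D == 1 (mod PHI)

PUBLIC_KEY = (N, E)        # handed to anyone who wants to communicate
PRIVATE_KEY = (N, D)       # kept by the owner

def encrypt(plaintext: int, public_key) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer smaller than the modulus")
    return pow(plaintext, e, n)

def decrypt(ciphertext: int, private_key) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)

def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the key's range (toy padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """The private key produces the signature: proof of origin and integrity."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """The public key checks that the signature matches exactly this message."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def demo() -> dict:
    """Encryption round trip, then a signature over a constructed message
    checked against the original, a tampered copy, and a forged signature."""
    secret = 123456789
    msg = b"Transfer approved by alice"
    sig = sign(msg, PRIVATE_KEY)
    return {
        "roundtrip_ok": decrypt(encrypt(secret, PUBLIC_KEY), PRIVATE_KEY) == secret,
        "signature_ok": verify(msg, sig, PUBLIC_KEY),
        "tampered_ok": verify(b"Transfer approved by mallory", sig, PUBLIC_KEY),
        "forged_ok": verify(msg, (sig + 1) % N, PUBLIC_KEY),
    }

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The tampered message and the forged signature both fail verification, which is the "not altered" and "from the right sender" guarantee the notes describe; a CA's job in a PKI is to vouch, by signing a certificate, that a given public key really belongs to the named party.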
Within PKI are the following elements: certificate
authorities, which issue and revoke certificates, and
certificate publishers, which make what the CA has issued
CA (Certificate Authority) - A Certificate Authority is responsible for assigning the keys for encryption, decryption and authentication. There are two types of CAs: Enterprise and Stand-Alone. Each of these types can have a root CA and subordinate CAs.
Enterprise Root CA - Top-level CA. An Enterprise CA requires Active Directory, so it should be used in your internal 2000 network.
Enterprise Subordinate CA - Obtains its CA certificate from the Enterprise root. An Enterprise CA requires Active Directory, so it should be used in your internal 2000 network.
Stand-Alone Root CA - Top-level CA. A Stand-Alone CA can use but does not require Active Directory, thus it can be used for people connecting from outside your network (i.e., the Internet or an extranet).
Stand-Alone Subordinate CA - Obtains its CA certificate from the Stand-Alone root. A Stand-Alone CA does not require Active Directory, thus it can be used for people connecting from outside your network (i.e., the Internet or an extranet).
The Certificate Revocation List (CRL) can be published
automatically or manually through the appropriate MMC snap-in.
Active Directory Structure:
Active Directory is a database that stores information about objects in the network, such as users, computers, printers, and shared folders, in a central location. The Active Directory naming scheme follows the path: forest, tree(s), domains. Active Directory depends on DNS (Domain Name System) in order to work. In the absence of DNS, there is - effectively - no Active Directory. Active Directory is designed to be scalable and to interoperate with other name services.
Active Directory names are equivalent to DNS names and use
the SRV records of DNS to store information about services,
thereby creating "dynamic DNS." To refer to a host in a
domain, you use a fully qualified domain name (FQDN). It is
recommended that the registered DNS name your company already
has, if they are connected to the Internet, be used as the
Active Directory root domain.
A forest can consist of either a single domain or multiple
domains. (Therefore, by definition, a single domain can also
be a tree). A tree is a contiguous namespace, meaning the
child has the parent as part of its name. Each tree has its
own identity within the forest. Domains are partitions; that
is, entities that can be combined into trees and forests, but
that operate with some autonomy. Domains contain objects,
and/or organizational units (OUs). An OU is a container for
organizing objects within a domain into logical sub-groupings.
A domain is an administrative as well as security boundary
since administrative privileges do not extend past domain
boundaries. The Active Directory root domain has to be unique
within the DNS realm it works with.
Reasons for creating OUs (organizational units) include: to
control access to resources, to create group policy objects,
to delegate administration, and/or to group common objects.
The simplest network is a network with one domain. Reasons
for creating additional domains include: to isolate
replication traffic, to retain existing NT domain structures,
to support decentralized administration, to support
international boundaries, and/or to support more than one
domain policy. Factors to consider when deciding to create
more than one domain include replication, security, and
Objects are organized in a hierarchical structure rather than by physical location and can include:
Active Directory key concepts to focus on are:
Objects: Object classes such as users,
groups, computers, services, printers, security policies, etc.
are a collection of object attributes.
Schema: A database structure made up of
attribute definitions and object definitions known as schema
objects or metadata (data about data). Adding new attributes
can extend a schema, however once an object is created it can
be disabled but not deleted. Write access to the schema is
restricted to the Administrators group.
More about the Schema:
Schema enforces the rules that govern both the
structure and the content of the directory.
Throughout the forest, there is only one
write-able copy of the schema, which is held by the Schema
operations master. There is only one schema per forest, and
it is maintained forest-wide by virtue of being stored on
every domain controller.
The schema container holds all the definitions
required to view the objects in the directory, and each is
identified by a globally unique number known as the Object
Schema consists of a set of classes, attributes,
and syntaxes that represent an instance of one or more classes
in the schema
a category of objects that share a set of common
a formal description of a discrete, identifiable
type of object that can be stored in the directory.
describes the characteristics of some aspect of an
define the types of information that an object can
for each class, the schema specifies the mandatory
attributes and optional attributes that constitute the set of
shared characteristics of the class.
values assigned to attributes define specific
data type of a particular attribute
determine what data type an attribute can have
predefined syntaxes do not actually appear in the
cannot add new syntaxes
New to Windows Server 2003 is the ability for attributes
and object classes to be declared defunct. It is also possible
now to dynamically associate an auxiliary schema class to an
individual object, or objects. Before, they would have to be
associated with an entire class of objects.
Active Directory Schema
stored in Active Directory
arranged in a logical hierarchy - Directory
Information Tree (DIT)
includes a preconfigured database
- base DIT -
that contains the information that is required to install and
run the operating system and Active Directory
one section of the base DIT holds the base
schema objects are located in the Schema
Active Directory Schema
a special purpose object class
the topmost object of the schema directory
(cn=schema,cn=configuration,dc=< forest root
contains all of the class and attribute
definitions that are required to locate objects in Active
Directory and to create new objects
Active Directory DIT and
DIT = Directory Information Tree
divided into directory partitions
directory partition is a tree of directory
directory partition forms a unit of replication
in Active Directory.
Site link bridges are used to connect sites together and to
model the routing behavior of a network. Within a site,
replication traffic is carried out via Remote Procedure Calls
over IP, while between sites it is done through either RPC or
The purpose of the Knowledge Consistency Checker (KCC) is to generate a replication topology for both intra-site and inter-site replication. Windows Server 2003 uses a different calculation than was used with Windows 2000 in order to speed
A forest is a collection of Active Directory domains. All
trees within a forest have different naming structures but
share common schema.
Trees are groupings of domains that share contiguous
namespaces and a hierarchical naming structure.
Single Domain: One domain that is the first and
only tree's root domain as well as the forest's root. OU's are
used to build Active Directory and should be kept to a
Tree with Multiple Domains: Used when implementing different security policies in remote offices, or to limit administrative control between different locations.
Forest with Multiple Trees: Each tree has its own unique namespace, and all are part of the same Active Directory. Each tree is identified by the DNS name of its root domain. The trees share a common schema, configuration information and
Naming of objects in Active Directory is a critical issue.
Each Active Directory object must be uniquely
Domain Name System (DNS) is required for Active
Directory. NETLOGON.DNS is the file that holds DNS entries for
Active Directory. It resides beneath the System32\Config
Object names must follow an established naming
The following are common name formats:
LDAP Distinguished Name (DN). A DN exists for
every object in Active Directory. The values cannot be
duplicates; they must be unique.
LDAP Relative Distinguished Name (RDN). RDNs need
not be unique if they exist in separate OUs.
User Principal Name (UPN). These are often
referred to as "friendly names."
LDAP functionality is a key component of Active Directory,
employing similar naming standards. LDAP functionality makes
Active Directory compatible with other naming strategies (such
as BIND). LDAP is a derivative of X.500. LDAP uses four
different name types: 1) Distinguished name, 2) Relative
Distinguished name, 3) User Principal name, and 4) Canonical
The Distinguished name, in LDAP, is the full path,
including containers, of the object. The Relative
Distinguished name (RDN), in LDAP, is the portion of the name
that's unique within its container. The User Principal name,
in LDAP, is the user-friendly name. The Canonical name, in
LDAP, is a top-down notation of the Distinguished name.
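The four LDAP name types are mechanical transformations of one another, and writing the transformation down is the quickest way to remember them. The parser below is an added example for these notes (not code from the notes or from any Microsoft tool); the DNs and logon names it is run on are constructed, and it assumes the UPN suffix is the DNS name of the user's own domain (the default suffix, although administrators can add others).

```python
from typing import List, Tuple

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP distinguished name into (attribute, value) pairs,
    leaf first, honouring backslash-escaped commas inside values."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def rdn(dn: str) -> str:
    """Relative distinguished name: only the leaf component."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"

def parent_dn(dn: str) -> str:
    """The container the object lives in: everything after the RDN."""
    return ",".join(f"{a}={v.replace(',', chr(92) + ',')}" for a, v in split_dn(dn)[1:])

def dns_domain(dn: str) -> str:
    """DC components joined with dots give the domain's DNS name."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC")

def canonical_name(dn: str) -> str:
    """Top-down form: domain, then containers root-first, then the leaf."""
    non_dc = [v for a, v in split_dn(dn) if a != "DC"]
    return dns_domain(dn) + "/" + "/".join(reversed(non_dc))

def upn(logon_name: str, dn: str) -> str:
    """User principal name: logon name @ suffix (assumed: the DNS domain)."""
    return f"{logon_name}@{dns_domain(dn)}"

def same_object(dn_a: str, dn_b: str) -> bool:
    """A DN identifies one object; compare component-wise, case-insensitively."""
    def norm(dn: str):
        return [(a, v.lower()) for a, v in split_dn(dn)]
    return norm(dn_a) == norm(dn_b)

if __name__ == "__main__":
    sample = "CN=John Smith,OU=Sales,OU=Corp,DC=example,DC=com"   # constructed
    print("RDN:      ", rdn(sample))
    print("Parent:   ", parent_dn(sample))
    print("Canonical:", canonical_name(sample))
    print("UPN:      ", upn("jsmith", sample))
```

The `same_object` check makes the RDN point from the notes visible: two users both named `CN=Bob` in different OUs share an RDN but have different DNs, so they are different objects.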
Real-time LDAP is now supported, also known as LDAPv3, and
security for digest authentication is now available for secure
queries to a domain controller.
Groups of subnets and domain controllers
connected through a reliable high-speed connection used to
partition Active Directory into logical groups.
A set of one or more IP Subnetwork addresses
Controls how replication is managed, logon
traffic and DFS topology
Active Directory Sites
Domain controllers get added to
Default-First-Site-Name object which is automatically created
Intersite replication occurs between two or
more sites over manually created links based on a replication
To minimize network traffic data is compressed
to about 10-15% of its volume before intersite replication is
Active Directory domains are defined by the
network's logical structure
Sites are based on the network's physical
Sites can include:
  - All Active Directory domain controllers
  - Some of the Active Directory domain controllers
  - Domain controllers from different Active Directory
Site links specify how Active Directory will connect sites
within the network and inform Active Directory of favorable
replication links. "Active Directory Sites and Services" is
used to create sites and site links.
When Active Directory is installed a default
site link (DEFAULTIPSITELINK) is created
The transport used for transferring data
  - Remote Procedure Call (RPC) over TCP/IP [seen as IP] - required for File Replication Services
  - Simple Mail Transfer Protocol (SMTP) - used for schema partition, configuration partition and Global Catalog replication. Does not support replication between domain controllers in the same domain. SMTP is asynchronous, whereas RPC is synchronous.
Cost value determines which site link to use when multiple paths are available
  - The lower the cost, the higher the priority
  - Based on bandwidth and priority
  - Default cost is 100
Scheduling controls when replication occurs
  - Set through the link schedule
  - Replicate every property determines how long a connection waits before checking for updates (15-10,080
  - By default a link is always available
Preferred bridgehead server
Bridgehead servers replicate changes to all domain
controllers in the site.
Preferred domain controller for receiving
intersite replication information and updates other domain
The first choice for sending information to
A firewall proxy server is required to be a
preferred bridgehead server
Multiple bridgehead servers can be specified to
add fault tolerance to the replication design
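Site link costs only matter when more than one route exists between two sites, and then the route with the lowest total cost wins, even if a direct but expensive link is available. The following is an added example for these notes (not code from the notes or from the KCC itself): it runs Dijkstra's algorithm over a constructed set of site links, treating links as transitive, which is Active Directory's default (bridge all site links).

```python
import heapq
from typing import Dict, List, Optional, Set, Tuple

# Constructed topology: link name -> (cost, sites the link joins). A link can
# join more than two sites; each pair inside it replicates at that cost.
SITE_LINKS: Dict[str, Tuple[int, Set[str]]] = {
    "HQ-Branch1":     (100, {"HQ", "Branch1"}),
    "HQ-Branch2":     (100, {"HQ", "Branch2"}),
    "Branch1-Remote": (300, {"Branch1", "Remote"}),
    "Branch2-Remote": (150, {"Branch2", "Remote"}),
    "HQ-Remote-Slow": (500, {"HQ", "Remote"}),   # direct but expensive
}

def neighbours(site: str, links: Dict[str, Tuple[int, Set[str]]]) -> List[Tuple[str, int, str]]:
    """Sites reachable from `site` over a single link, with the link's cost."""
    out = []
    for name, (cost, members) in links.items():
        if site in members:
            out.extend((other, cost, name) for other in members if other != site)
    return out

def cheapest_path(src: str, dst: str,
                  links: Dict[str, Tuple[int, Set[str]]] = SITE_LINKS
                  ) -> Optional[Tuple[int, List[str], List[str]]]:
    """Dijkstra over site links. Returns (total cost, site sequence, link
    names) for the lowest-cost route, or None if the sites are not connected
    (for example when bridging is off and no direct link exists)."""
    best = {src: 0}
    heap = [(0, src, [src], [])]
    while heap:
        cost, site, path, used = heapq.heappop(heap)
        if site == dst:
            return cost, path, used
        if cost > best.get(site, float("inf")):
            continue                       # stale entry, a cheaper one was seen
        for nxt, link_cost, link in neighbours(site, links):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt, path + [nxt], used + [link]))
    return None

if __name__ == "__main__":
    print(cheapest_path("HQ", "Remote"))
    # With bridging disabled only the direct link is usable:
    print(cheapest_path("HQ", "Remote", {"HQ-Remote-Slow": SITE_LINKS["HQ-Remote-Slow"]}))
```

With the sample costs, HQ reaches Remote through Branch2 for 250 rather than over the direct 500-cost link; restricting the dictionary to a single link models what happens when site link bridging is turned off.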
Security groups are groups listed in DACLs (Discretionary
Access Control Lists) for the purpose of setting permissions
for access to resources and objects. According to
AccessingResources_Domains.asp in TechNet:
It is important to understand the following security group
concepts before you begin the planning process:
Security groups. User rights can be applied to groups in
Active Directory while permissions can be assigned to
security groups on member servers hosting a resource.
Group nesting. The ability to nest security groups is
dependent on group scopes and domain functionality.
Group scope. Group scope helps determine the domain-wide
and forest-wide access boundaries of security groups.
Domain functionality. The domain functional level of the
trusting and trusted domains can affect group
functionality such as group nesting.
Once you have gained a thorough understanding of security
group concepts, determine the resource needs of each
department and geographical division to assist you with the
Best practices for controlling access to shared resources
By carefully using domain local, global, and universal
groups, administrators can more effectively control access
to resources located in other domains. Consider the
following best practices:
Organize domain users based on administrative needs, such
as their locations or departments, and then create a
global group, and add the appropriate user accounts as
Create a domain local group, and add all global groups
from the other domain that need the same access to a
resource in your domain.
Assign the required permissions on the shared resource to
the domain local group.
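The three TechNet steps above (users into a global group, global groups into a domain local group, permissions on the domain local group) can be checked mechanically. The model below is an added example for these notes, not TechNet's or Microsoft's code: its users, groups, domains and share are constructed, and its nesting rules assume the Windows 2000 native or Windows Server 2003 domain functional level (global groups may contain global groups of their own domain; universal groups exist).

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory: principal name -> (domain, scope). Scope is "user",
# "global", "domainlocal" or "universal".
PRINCIPALS: Dict[str, Tuple[str, str]] = {
    "alice":              ("corp.example", "user"),
    "bob":                ("corp.example", "user"),
    "Sales-GG":           ("corp.example", "global"),
    "HR-GG":              ("corp.example", "global"),
    "Vendors-GG":         ("res.example",  "global"),
    "Reports-Readers-DL": ("res.example",  "domainlocal"),
}
# group -> direct members. Sales-GG is a global group from the other domain
# nested into the resource domain's domain local group, as the steps describe.
MEMBERS: Dict[str, Set[str]] = {
    "Sales-GG": {"alice"},
    "HR-GG": {"bob"},
    "Reports-Readers-DL": {"Sales-GG"},
}
SHARE = "\\\\fs1.res.example\\reports"                   # constructed share
RESOURCE_ACL = {SHARE: {"Reports-Readers-DL": "Read"}}   # only the DL group

def can_contain(parent: str, child: str) -> bool:
    """Nesting rules by scope (assumed functional level, see lead-in)."""
    p_dom, p_scope = PRINCIPALS[parent]
    c_dom, c_scope = PRINCIPALS[child]
    same_domain = p_dom == c_dom
    if p_scope == "global":
        return same_domain and c_scope in ("user", "global")
    if p_scope == "universal":
        return c_scope in ("user", "global", "universal")
    if p_scope == "domainlocal":
        return c_scope in ("user", "global", "universal") or (same_domain and c_scope == "domainlocal")
    return False

def validate_membership() -> List[str]:
    """Report every nesting in MEMBERS that the scope rules would reject."""
    return [f"{g} cannot contain {m}"
            for g, ms in MEMBERS.items() for m in ms if not can_contain(g, m)]

def effective_groups(principal: str) -> Set[str]:
    """Every group the principal belongs to, directly or through nesting."""
    found, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group, members in MEMBERS.items():
            if current in members and group not in found:
                found.add(group)
                queue.append(group)
    return found

def access(principal: str, resource: str) -> Optional[str]:
    """Permission the principal receives on the resource through the ACL."""
    acl = RESOURCE_ACL[resource]
    for name in effective_groups(principal) | {principal}:
        if name in acl:
            return acl[name]
    return None

if __name__ == "__main__":
    print("violations:", validate_membership())
    for user in ("alice", "bob"):
        print(user, "->", sorted(effective_groups(user)), access(user, SHARE))
```

Alice gets Read through Sales-GG and Reports-Readers-DL without any per-user ACE on the share; Bob, whose HR-GG was never nested into the domain local group, gets nothing, and the scope check rejects an attempt to nest the other domain's global group into a global group.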
RSoP (Resultant Set of Policy) is a new tool included with
Windows Server 2003 that shows how permissions and policies
overlap. It factors in inheritance and other factors and shows
what the resulting policy will be that applies to the user or
computer in an Active Directory tree. Gpresult is a
command-line utility that can perform the same function as
Group Policy is a component of Active Directory used to
restrict users and enforce limitations. Operating systems
prior to Windows 2000 must utilize system policies, created
with the POLEDIT utility.
Reduces Total Cost of Ownership (TCO)
Implemented through Group Policy Objects (GPOs)
and applied to User and Computer Configurations
Three possible settings for policies include Not Configured, Enabled and Disabled
Group Policies can be used to assign and publish
software. Assigning software causes the software to be
installed regardless of whether it is used. Published software
is available to the users/machines, but it is not installed
automatically. Software can be assigned to a user or computer,
but published only to users (not computers).
Disk quotas can be assigned via group policies to restrict
how much space a user is allowed to have in specific folders.
Group policies are implemented by Site, Domain, and then
Organizational Unit (OU).
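Putting the three policy states together with the Site, Domain, OU application order is exactly what RSoP computes. The function below is an added example for these notes (not code from the notes, from RSoP or from gpresult): it applies a constructed set of GPOs in order and records which GPO won each setting, with Not Configured leaving the earlier value untouched. It models only the default precedence rules the notes state, not Block Inheritance or No Override.

```python
from typing import Dict, List, Tuple

NOT_CONFIGURED, ENABLED, DISABLED = "Not Configured", "Enabled", "Disabled"

# Constructed sample GPOs: name -> {setting: state}. Setting names are
# illustrative labels, not the exact policy names in the ADM templates.
GPOS: Dict[str, Dict[str, str]] = {
    "Site-Default":  {"RemoveRunMenu": ENABLED, "DisableRegistryTools": NOT_CONFIGURED},
    "Domain-Policy": {"RemoveRunMenu": DISABLED, "HideDesktopIcons": ENABLED},
    "Sales-OU":      {"DisableRegistryTools": ENABLED},
    "Sales-West-OU": {"HideDesktopIcons": DISABLED, "RemoveRunMenu": NOT_CONFIGURED},
}

def resultant_policy(scope_chain: List[Tuple[str, List[str]]]) -> Dict[str, Tuple[str, str]]:
    """Apply GPOs in the order given (Site -> Domain -> OU -> child OU).
    A later Enabled/Disabled overrides an earlier one; Not Configured does
    not touch the result. Returns setting -> (state, winning GPO)."""
    result: Dict[str, Tuple[str, str]] = {}
    for scope, gpo_names in scope_chain:
        for name in gpo_names:            # several GPOs may be linked to one scope
            for setting, state in GPOS[name].items():
                if state == NOT_CONFIGURED:
                    continue
                result[setting] = (state, f"{name} ({scope})")
    return result

def sales_west_user_rsop() -> Dict[str, Tuple[str, str]]:
    """RSoP for a user in the constructed Sales-West OU under the Sales OU."""
    chain = [("site", ["Site-Default"]),
             ("domain", ["Domain-Policy"]),
             ("OU", ["Sales-OU"]),
             ("OU", ["Sales-West-OU"])]
    return resultant_policy(chain)

if __name__ == "__main__":
    for setting, (state, source) in sorted(sales_west_user_rsop().items()):
        print(f"{setting:22} {state:10} from {source}")
```

The run menu ends up removed by the domain policy even though the site enabled the restriction and the child OU left it Not Configured, which is the case that most often surprises people reading raw GPO links instead of RSoP output.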
Creating and Modifying Group Policies
Group policy settings are refreshed throughout the
network, on average every 90 minutes
Domain Controllers refresh on average every 5
Refresh interval for Domain Controllers can be
modified through Group Policy settings
When deleting a GPO any links are automatically
dropped without warning
Filtering GPO's allows Group Policies to be
applied to individual users rather than all users and
computers in an OU