MCSE 70-297 Study Guide

Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure

The objectives for exam 70-297 target an MCSE candidate who is involved in the design of large networks. It focuses on two distinct categories that were tested separately under Windows 2000: network infrastructure and Active Directory design. The objectives are:

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements

  - Analyze the impact of Active Directory on the existing technical environment.
    - Analyze hardware and software requirements.
    - Analyze interoperability requirements.
    - Analyze current level of service within an existing technical environment.
    - Analyze current network administration model.
    - Analyze network requirements.
  - Analyze DNS for Active Directory directory service implementation.
    - Analyze the current DNS infrastructure.
    - Analyze the current namespace.
  - Analyze existing network operating system implementation.
    - Identify the existing domain model.
    - Identify the number and location of domain controllers on the network.
    - Identify the configuration details of all servers on the network. Server types might include primary domain controllers, backup domain controllers, file servers, print servers, and Web servers.
  - Analyze security requirements for the Active Directory directory service.
    - Analyze current security policies, standards, and procedures.
    - Identify the impact of Active Directory on the current security infrastructure.
    - Identify the existing trust relationships.
  - Design the Active Directory infrastructure to meet business and technical requirements.
    - Design the envisioned administration model.
    - Create the conceptual design of the Active Directory forest structure.
    - Create the conceptual design of the Active Directory domain structure.
    - Design the Active Directory replication strategy.
    - Create the conceptual design of the organizational unit (OU) structure.
  - Design the network services infrastructure to meet business and technical requirements.
    - Create the conceptual design of the DNS infrastructure.
    - Create the conceptual design of the WINS infrastructure.
    - Create the conceptual design of the DHCP infrastructure.
    - Create the conceptual design of the remote access infrastructure.
  - Identify network topology and performance levels.
    - Identify constraints in the current network infrastructure.
    - Interpret current baseline performance requirements for each major subsystem.
  - Analyze the impact of the infrastructure design on the existing technical environment.
    - Analyze hardware and software requirements.
    - Analyze interoperability requirements.
    - Analyze current level of service within the existing technical environment.
    - Analyze network requirements.

Creating the Logical Design for an Active Directory Infrastructure

  - Design an OU structure.
    - Identify the Group Policy requirements for the OU structure.
    - Design an OU structure for the purpose of delegating authority.
  - Design a security group strategy.
    - Define the scope of a security group to meet requirements.
    - Define resource access requirements.
    - Define administrative access requirements.
    - Define user roles.
  - Design a user and computer authentication strategy.
    - Identify common authentication requirements.
    - Select authentication mechanisms.
    - Optimize authentication by using shortcut trust relationships.
  - Design a user and computer account strategy.
    - Specify account policy requirements.
    - Specify account requirements for users, computers, administrators, and services.
  - Design an Active Directory naming strategy.
    - Identify Internet domain name registration requirements.
    - Specify the use of hierarchical namespace within Active Directory.
    - Identify NetBIOS naming requirements.
  - Design migration paths to Active Directory.
    - Define whether the migration will include an in-place upgrade, domain restructuring, or migration to a new Active Directory environment.
  - Design a strategy for Group Policy implementation.
    - Design the administration of Group Policy objects (GPOs).
    - Design the deployment strategy of GPOs.
    - Create a strategy for configuring the user environment with Group Policy.
    - Create a strategy for configuring the computer environment with Group Policy.
  - Design an Active Directory directory service site topology.
    - Design sites.
    - Identify site links.

Creating the Logical Design for a Network Services Infrastructure

  - Design a DNS name resolution strategy.
    - Create the namespace design.
    - Identify DNS interoperability with Active Directory, WINS, and DHCP.
    - Specify zone requirements.
    - Specify DNS security.
    - Design a DNS strategy for interoperability with UNIX Berkeley Internet Name Domain (BIND) to support Active Directory.
  - Design a NetBIOS name resolution strategy.
    - Design a WINS replication strategy.
  - Design security for remote access users.
    - Identify security host requirements.
    - Identify the authentication and accounting provider.
    - Design remote access policies.
    - Specify logging and auditing settings.
  - Design a DNS service implementation.
    - Design a strategy for DNS zone storage.
    - Specify the use of DNS server options.
    - Identify the registration requirements of specific DNS records.
  - Design a remote access strategy.
    - Specify the remote access method.
    - Specify the authentication method for remote access.
  - Design an IP address assignment strategy.
    - Specify DHCP integration with DNS infrastructure.
    - Specify DHCP interoperability with client types.

Creating the Physical Design for an Active Directory and Network Infrastructure

  - Design DNS service placement.
  - Design an Active Directory implementation plan.
    - Design the placement of domain controllers and global catalog servers.
    - Plan the placement of flexible operations master roles.
    - Select the domain controller creation process.
  - Specify the server specifications to meet system requirements.
  - Design Internet connectivity for a company.
  - Design a network and routing topology for a company.
    - Design a TCP/IP addressing scheme through the use of IP subnets.
    - Specify the placement of routers.
    - Design IP address assignment by using DHCP.
    - Design a perimeter network.
  - Design the remote access infrastructure.
    - Plan capacity.
    - Ascertain network settings required to access resources.
    - Design for availability, redundancy, and survivability.

*********************** End of Objectives **********************

Analyzing Business Requirements

Identifying the business model is necessary because similar businesses often have similar needs and requirements. Knowing the geographic scope can help define the infrastructure employed by the IT department. The five possible geographic models are: Regional, National, International, Subsidiary, and Branch Office.

When implementing technologies that are within companies restricted to regional boundaries, you can often pay less attention to such things as international translations than you would with different models. The key to the Regional model is that all sites must be within a single, well-defined geographic area.

The scale of the National model is grander than that of the Regional model. You can still often overlook many factors such as international regulations, but you must consider time zones, local laws, and so forth. By definition, all sites within the National model must be contained within a single nation.

By definition, international boundaries are crossed in the International model. Importance must be paid to languages/translations, regulations, laws, and time zones. Representatives from all countries should be involved in IT decision-making processes.

Under the Subsidiary model, subsidiaries are part of a larger company, but function independently. When working with a subsidiary of a larger conglomerate, make certain that approval for the solution generated will be acceptable to the parent company if there is a complex relationship between the two.

Under the Branch Office model, you must go to lengths to verify that solutions implemented at the branch offices work with technologies employed throughout the rest of the company. Branch offices are wholly controlled by other entities (corporate offices).

All company processes should be documented and diagrammed. Of key importance are the processes related to information flow, communication flow, service/product lifecycles, and decision-making.

How information moves throughout the company is defined as Information Flow. This typically follows the organization chart, but can differ with geographic breaks.

Rather than being how the information is disseminated, Communication Flow focuses more on how the information is used. Does a customer hear something to make them want to buy more of your product, or less? Does a customer tell you something they heard about your company that makes you want to send out a resume? "Communication flow" differs from "information flow" in that it often lacks formal structure and comes about as a result of communication with others (customers, vendors, etc.).

The lifespan of the product is known as the "Service/product lifecycle". Services can have a lengthy or short lifespan and can encompass leases from DHCP, authentication from a domain controller, and so on.

Questions to ask regarding the "Decision-making process" are: Does the Chief Technology Officer need to approve all expenditures, or can they be signed-off on at a lower level? Decision-making can either follow the organizational chart or can be completely dispersed if the company practices empowerment (allowing the employees the power to make key decisions within structured guidelines).

When deciding business requirements, it's important to analyze existing and planned organizational structures. These categories can break down into the following key areas:

  1. management model
  2. company organization
  3. vendor relationships
  4. partner relationships
  5. customer relationships
  6. acquisition plans

Different risk models can be associated with different management models. One of the most common management models is departmental, in which each department is geared around a function (sales, research, etc.). Other models include project-based and cost center-based.

When analyzing the management model, determine whether you are dealing with a family-owned business, a privately held business, or a public company with a CEO and Board of Directors.

When identifying company organization, realize that some organizations are divided by products (transmissions in one division, four-wheel-drive axles in another, etc.), whereas other organizations divide operations and responsibilities purely on geographic terms.

When doing an analysis of vendor/partner/customer relationships, know the contact points and whether web presence is offered on an Internet, intranet, and/or extranet basis. Vendors can be external (the traditional model) or internal if each department acts as a cost center.

Acquisition plans should always be taken into account on any analysis. Is the company you are designing a solution for actively seeking acquisitions (meaning you must plan for future growth), or are they a likely acquisition target?

Never assume a company's priorities are constant. They can change with management teams, market shifts, etc. During the design process, find out what the priorities are and where interest lies.

Factors that can influence company strategies include company priorities, projected growth and strategy, relevant laws and regulations, the company's tolerance for risk, and the total cost of operations.

Projected growth and growth strategy: How is expansion accomplished (acquisition, divestiture, franchises, and so on)? Do you need to include plans for growth, or will conditions be stagnant for a while? Are there seasonal variables? Is there a documented goal for growth?

Relevant laws and regulations are always subject to change and must be watched carefully. Is the company in a high-profile position to be greatly affected by new legislation? Does the company work with encryption? Do local laws or international laws affect the organization?

Company's tolerance for risk: how does the company weigh risk against profit, and vulnerability against value? Does it employ basic security devices at its sites? Does it employ physical security at the facility?

When computing the total cost of operations (TCO), consider the value of the company's data, the IT staff's budget, the cost of providing server access 24 hours a day versus 8, and so on. Where does the funding come from?

Microsoft uses seven categories to group budgeted costs:

  1. Hardware and software costs
  2. Management costs
  3. Development costs
  4. Support costs
  5. Communication costs
  6. End-user costs
  7. Downtime costs

When undertaking a project, you should verify that there is a budget for any training that needs to be done and that all relevant decision-makers are in agreement on the need to support the existing support staff.

The structure of IT management should weigh heavily in the analysis of business requirements. Factors that help understand the management structure include administration type, funding model, outsourcing, decision-making process, and change management.

The administration type can be either centralized, decentralized, or hybrid. Hybrid administration has most of the functions performed at a central location, but one or more key contact people are on-site for handling lesser responsibilities.

Funding and the funding model employed can be crucial in implementing technologies. If the IT department is being run as a profit center, then the departments it administers are charged for the services provided.

Outsourcing is necessary when certain needs cannot be met internally. Although outsourcing is a good way to solve short-term issues, it can present problems down the road when you cannot find the group who implemented a solution because they have moved on, and the solution now has problems.

The first change management question to ask is: is there a structure in place or not? When changes occur, what is the procedure followed? If there is no procedure, chaos can result. If there is too much of a procedure, no change will ever occur. In most situations, small companies can change (and adapt to change) more readily than larger companies.

Analyzing Technical Requirements

When deciding whether to implement Active Directory in an existing or planned network, it is important to detail the possible impact of so doing.

Access patterns need to be taken into account during an analysis: Are all the resources centralized, or are they dispersed? When users need to access a resource, is it within their LAN 80% of the time, or only 20% (meaning they access the WAN 80% of the time)? What are the implications of the resources being centralized versus being dispersed? What are the implications of the resource being within the LAN 80% of the time versus 20%?

Company size analysis covers the geographic scope as well as the owner or organization responsible for the company.

When doing user and resource distribution analysis, the main questions are: Where are the users? How are they serviced? How do they reach the resources (servers, printers, etc.)? Do they reach them via hubs, switches, routers, or bridges? Via modems or proxy servers?

Connectivity between sites must be factored in. What bandwidth is employed? Are there leased lines or dial-up connections (with or without multilink)?

Speeds employed on WANs differ by technology. The most common technologies are modems (analog, ISDN, DSL, and cable) and leased lines (T1, T3, E1, E3). An analog/traditional modem requires a single phone line for a connection and is limited in speed to approximately 57,600bps. ISDN (Integrated Services Digital Network) requires two phone lines and can reach a speed of approximately 128,000bps. DSL (Digital Subscriber Line) uses existing copper phone lines and is available only in certain areas. You must be within a short distance of a switching station, and speeds can reach 9Mbps. The closer you are to the central office, the higher the possible speed (and the type of DSL available, such as ADSL or HDSL, also varies with distance). Cable modems work over the coaxial cable from the cable television company. The speed, which drops as more users share the segment, is approximately 2Mbps. T1 is a dedicated line that operates across 24 channels at 1.544Mbps. T3 is a dedicated line of 672 channels able to run at speeds of 43Mbps. E1 is the European counterpart to T1; it uses 32 channels and can run at 2.048Mbps. E3 is the European counterpart to T3.

Connectivity can include hubs, switches, bridges, and routers. You must determine which topologies are employed (star versus mesh, etc.).

Network roles and responsibilities can be defined as administrative, or they can be associated with a user, a service, or other. Administrative roles are those predefined by the operating system with additional responsibilities above a user. Examples include Administrator, Backup Operator, etc.

User roles simply have the right to log on and use the network resources. Service roles run as services in the operating system. They require no user interaction.

Performance requirements questions include: Are users connecting only for authentication, or for the entire session (such as with Terminal Server)? During performance analysis, it is important to identify any bottlenecks and create a baseline from which to judge future modifications. When computing performance requirements, find out the peak utilization, the type of circuits used, the requirements of applications, and so on.

Security considerations should always start with these questions: What are the needs of the organization, and what operating systems does the organization support? Can everything be standardized on TCP/IP, or must NetBEUI (which is insecure) be used, and so on? One of the most effective means of implementing security on Windows clients is through the use of group policies.

When evaluating the company's technical environment, always factor in both the existing environment and the planned environment, and differences between the two.

The impact of going to Active Directory should be calculated in terms of: existing systems and applications; existing and planned upgrades and rollouts; technical support structure; existing and planned network and systems management; and client needs.

Active Directory Structure:

Active Directory is a database that stores information about objects in the network, such as users, computers, printers, and shared folders, in a central location. The Active Directory naming scheme follows the path forest, tree(s), domains. Active Directory depends on DNS (Domain Name System) to work; in the absence of DNS there is, effectively, no Active Directory. Active Directory is designed to be scalable and to interoperate with other name services.

Active Directory names are equivalent to DNS names, and Active Directory uses DNS SRV records to store information about services; domain controllers register these records themselves, which is why the arrangement is described as "dynamic DNS." To refer to a host in a domain, you use a fully qualified domain name (FQDN). If the company is connected to the Internet, it is recommended that the registered DNS name it already has be used as the Active Directory root domain.

A forest can consist of either a single domain or multiple domains. (Therefore, by definition, a single domain can also be a tree). A tree is a contiguous namespace, meaning the child has the parent as part of its name. Each tree has its own identity within the forest. Domains are partitions; that is, entities that can be combined into trees and forests, but that operate with some autonomy. Domains contain objects, and/or organizational units (OUs). An OU is a container for organizing objects within a domain into logical sub-groupings. A domain is an administrative as well as security boundary since administrative privileges do not extend past domain boundaries. The Active Directory root domain has to be unique within the DNS realm it works with.

Reasons for creating OUs (organizational units) include: to control access to resources, to create group policy objects, to delegate administration, and/or to group common objects.

The simplest network is a network with one domain. Reasons for creating additional domains include: to isolate replication traffic, to retain existing NT domain structures, to support decentralized administration, to support international boundaries, and/or to support more than one domain policy. Factors to consider when deciding to create more than one domain include replication, security, and overhead.

Objects are organized in a hierarchical structure rather than by physical location and can include:

  - Users
  - Groups
  - Computers
  - Shared resources
  - Security information

Active Directory key concepts to focus on are:

  - Objects: Object classes such as users, groups, computers, services, printers, security policies, etc. are collections of object attributes.
  - Schema: A database structure made up of attribute definitions and object definitions, known as schema objects or metadata (data about data). Adding new attributes can extend a schema; however, once a schema object is created it can be disabled but not deleted. Write access to the schema is restricted to the Administrators group.

A forest is a collection of Active Directory domains. All trees within a forest have different naming structures but share a common schema.

Trees are groupings of domains that share contiguous namespaces and a hierarchical naming structure.

  - Single Domain: One domain that is both the root domain of the first and only tree and the forest root. OUs are used to build the Active Directory structure and should be kept to a minimum.
  - Tree with Multiple Domains: Used when implementing different security policies in remote offices, or to limit administrative control between different locations.
  - Forest with Multiple Trees: Each tree has its own unique namespace, and all trees are part of the same Active Directory. Each tree is identified by the DNS name of its root domain. The trees share a common schema, configuration information, and Global Catalog.

Naming of objects in Active Directory is a critical issue.

  - Each Active Directory object must be uniquely identified.
  - Domain Name System (DNS) is required for Active Directory. NETLOGON.DNS is the file that holds the DNS entries for Active Directory. It resides beneath the System32\Config folder.
  - Object names must follow an established naming convention.

The following are common name formats:

  - LDAP Distinguished Name (DN). A DN exists for every object in Active Directory. DN values cannot be duplicated; they must be unique.
  - LDAP Relative Distinguished Name (RDN). RDNs need not be unique if they exist in separate OUs.
  - User Principal Name (UPN). These are often referred to as "friendly names."

LDAP functionality is a key component of Active Directory, employing similar naming standards. LDAP functionality makes Active Directory compatible with other naming strategies (such as BIND). LDAP is a derivative of X.500. LDAP uses four different name types: 1) Distinguished name, 2) Relative Distinguished name, 3) User Principal name, and 4) Canonical name.

The Distinguished name, in LDAP, is the full path, including containers, of the object. The Relative Distinguished name (RDN), in LDAP, is the portion of the name that's unique within its container. The User Principal name, in LDAP, is the user-friendly name. The Canonical name, in LDAP, is a top-down notation of the Distinguished name.
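The four LDAP name types above, worked through in code. This is an added example, not part of the study guide: it parses a DN into its RDNs, derives the canonical (top-down) name, and checks the rule that DNs must be unique while the same RDN may appear under different containers. All sample names are constructed.

```python
"""LDAP name formats in Active Directory: added worked example (not from the
study guide). Parses a distinguished name (DN) into its relative distinguished
names (RDNs), derives the canonical name (the DN written top-down), and checks
the guide's rule that DNs must be unique while RDNs may repeat in different
containers. All sample names below are constructed for illustration."""
import re

# RFC 4514 escapes a comma inside a value as "\,", e.g. "CN=Smith\, John";
# split only on commas that are not preceded by a backslash.
_SPLIT_RDN = re.compile(r"(?<!\\),")
_UNESCAPE = re.compile(r"\\(.)")


def parse_dn(dn: str) -> list:
    """Return [(ATTR, value), ...] ordered from the leaf RDN up to the root."""
    parts = []
    for rdn in _SPLIT_RDN.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((attr.strip().upper(), _UNESCAPE.sub(r"\1", value.strip())))
    return parts


def relative_dn(dn: str) -> str:
    """The RDN is the leaf component; it only has to be unique inside its parent."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def canonical_name(dn: str) -> str:
    """Canonical name: the DC components become a DNS name, then the containers
    and the object follow top-down as a slash-separated path."""
    parts = parse_dn(dn)
    dns_labels = [v for a, v in parts if a == "DC"]
    if not dns_labels:
        raise ValueError("DN has no DC components, so no canonical name exists")
    path = [v for a, v in reversed(parts) if a != "DC"]
    return "/".join([".".join(dns_labels)] + path)


def _normalize(parts: list) -> tuple:
    # Directory name comparison is case-insensitive; compare a folded form.
    return tuple((a, v.lower()) for a, v in parts)


def check_uniqueness(dn_list: list) -> dict:
    """Report duplicate DNs (an error) and RDNs reused in several containers
    (allowed, but worth knowing when you delegate administration by OU)."""
    seen, duplicates, rdn_parents = set(), [], {}
    for dn in dn_list:
        norm = _normalize(parse_dn(dn))
        if norm in seen:
            duplicates.append(dn)
        seen.add(norm)
        rdn_parents.setdefault(norm[0], set()).add(norm[1:])
    reused = {f"{a}={v}": len(p) for (a, v), p in rdn_parents.items() if len(p) > 1}
    return {"duplicate_dns": duplicates, "rdns_in_multiple_containers": reused}


if __name__ == "__main__":
    sample = r"CN=Smith\, John,OU=Sales,OU=Corp,DC=example,DC=com"  # constructed
    print(relative_dn(sample))     # CN=Smith, John
    print(canonical_name(sample))  # example.com/Corp/Sales/Smith, John
```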

LDAPv3 (referred to here as real-time LDAP) is now supported, and digest authentication is now available for secure queries to a domain controller.

Sites

  - Groups of subnets and domain controllers connected through a reliable high-speed connection, used to partition Active Directory into logical groups.
  - A set of one or more IP subnetwork addresses.
  - Control how replication is managed, logon traffic, and DFS topology.

Active Directory Sites

  - Domain controllers are added to the Default-First-Site-Name object, which is created automatically.
  - Intersite replication occurs between two or more sites over manually created links, based on a replication schedule.
  - To minimize network traffic, data is compressed to about 10-15% of its volume before intersite replication is transmitted.
  - Active Directory domains are defined by the network's logical structure.
  - Sites are based on the network's physical structure.
  - Sites can include:
    - All Active Directory domain controllers
    - Some of the Active Directory domain controllers
    - Domain controllers from different Active Directory domains
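Because sites are defined by IP subnets and a newly promoted domain controller lands in Default-First-Site-Name until it is moved, a quick audit is worth running. This is an added example, not from the study guide: it maps each DC to the site whose subnet contains its address (most specific subnet wins) and flags DCs whose configured site disagrees or whose address no site covers. The site and DC data are constructed.

```python
"""Site and subnet mapping check: added example, not from the study guide.
Sites are sets of IP subnets, and a newly promoted domain controller is placed
in Default-First-Site-Name unless it is moved. This maps each DC to the site
whose subnet contains its address (the most specific subnet wins) and flags DCs
whose configured site disagrees with that, or whose address no site covers.
The site and DC data below are constructed for illustration."""
import ipaddress
from typing import Optional

DEFAULT_SITE = "Default-First-Site-Name"


def build_subnet_map(sites: dict) -> list:
    """Flatten {site: [cidr, ...]} into (network, site) pairs, longest prefix first."""
    pairs = [(ipaddress.ip_network(cidr), site)
             for site, cidrs in sites.items() for cidr in cidrs]
    pairs.sort(key=lambda p: p[0].prefixlen, reverse=True)
    return pairs


def site_for_address(addr: str, subnet_map: list) -> Optional[str]:
    """Longest-prefix match; None when no site subnet covers the address."""
    ip = ipaddress.ip_address(addr)
    for net, site in subnet_map:
        if ip in net:
            return site
    return None


def audit_dc_sites(sites: dict, dcs: dict) -> list:
    """dcs maps DC name -> (ip, site the DC object currently sits in)."""
    subnet_map = build_subnet_map(sites)
    findings = []
    for name, (ip, configured) in dcs.items():
        expected = site_for_address(ip, subnet_map)
        if expected is None:
            findings.append(f"WARN: {name} at {ip} is not covered by any site subnet")
        elif expected != configured:
            findings.append(f"ERROR: {name} at {ip} sits in {configured} "
                            f"but its subnet belongs to {expected}")
    return findings


# Constructed sample: two sites and three DCs, one never moved after promotion.
SITES = {"HQ": ["10.1.0.0/16"], "Branch-East": ["10.2.0.0/24", "10.2.1.0/24"]}
DCS = {
    "HQ-DC1": ("10.1.0.10", "HQ"),
    "EAST-DC1": ("10.2.1.5", DEFAULT_SITE),    # promoted, still in the default site
    "LAB-DC1": ("192.168.50.2", DEFAULT_SITE),  # no subnet object defined for it
}

if __name__ == "__main__":
    for line in audit_dc_sites(SITES, DCS):
        print(line)
```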

DNS:

DNS is a server service consisting of a hierarchical, distributed database with built-in redundancy and caching capabilities. DNS translates domain names into IP addresses. When a DNS server cannot resolve a query itself, it escalates the query up the hierarchy, starting from a root server, until it reaches a server that is authoritative for the zone. DNS queries can be either recursive or iterative.

DNS is installed as a service in Windows Server 2003 through the use of wizards. If you install Active Directory (via the Active Directory Installation Wizard) and no DNS server can be found, the wizard will attempt to install the DNS service for you. DNS management can be performed with the DNS Manager snap-in.

DNS monitoring can be done with the Performance tool on counters such as Caching Memory, IXFR Counters, TCP/IP, and Zone Transfer. DNS uses resource records to perform translations. Resource records are entries in the zone database file; each resource record identifies a particular resource within the database.

FSMOs:

Special roles can be assigned to domain controllers to act as single master roles. A single master role is not permitted to occur simultaneously at different locations on the network.

The role can be Active Directory related (Domain controllers) or purely service-oriented. Within those that are Active Directory related, there are five FSMOs (Flexible Single Master Operations) roles:

  1. PDC (Primary Domain Controller) emulator - used for backward compatibility
  2. RID (Relative ID) master - holds the pool of ID numbers to be used
  3. Infrastructure Master - handles updates and name changes
  4. Domain Naming Master - by default the first domain controller in a forest
  5. Schema Master - oversees all schema operations

The domain controller performing one of these roles is known as the role master. Microsoft recommends that the PDC emulator and RID master be kept on the same domain controller, and that the Domain Naming Master be placed on a Global Catalog server.

The five operations master roles are responsible for keeping track of and originating replication and are divided into two categories: forestwide and domainwide.

Forestwide

Note: Both the Schema master and the Domain Naming master should be on the same domain controller.

Schema master

  - Only one schema master in the forest (can have standbys)
  - Controls schema updates and modifications
  - Failure of the schema master can go unnoticed until a change is made to the schema
  - If the schema master role is seized permanently, the server must not be brought back online without formatting it and reinstalling the operating system

Domain naming master

  - Only one domain naming master in the forest (can have standbys)
  - The only server responsible for controlling the addition or removal of domains to the forest
  - Failure of the domain naming master can go unnoticed until a domain is added to or removed from the forest
  - If the current Domain Naming Master server is to become unavailable, its role should be seized. If the domain naming master role is seized permanently, the server must not be brought back online without formatting it and reinstalling the operating system

Domainwide

Relative ID (RID) master

  - Each domain will have one relative ID master
  - Responsible for management of relative IDs (object security)
  - A security ID is generated for each domain object; it consists of the domain security ID (the same for all objects in the domain) and a unique relative ID
  - Responsible for initiating the move when moving objects between domains (MOVETREE is a utility used to move objects between domains)
  - Failure of the relative ID master can go unnoticed until an administrator attempts to create domain objects and the domain runs out of available relative identifiers
  - If the relative ID master role is seized permanently, the server must not be brought back online without formatting it and reinstalling the operating system

Primary Domain Controller (PDC) emulator

  - Each domain will have only one PDC emulator
  - Provides support for client systems
  - Receives preferential replication of any password changes
  - If logon authentication fails at any domain controller, the request is forwarded to the PDC emulator
  - Acts as a Windows NT PDC, providing updates to any Windows NT BDCs during a migration to Active Directory
  - Failure of the PDC emulator can immediately affect network users
  - If the PDC emulator role is seized permanently, the server can be brought back online and returned to the PDC emulator role

Infrastructure master

  - Each domain will have only one infrastructure master
  - Updates group or user references when a group contains members from a different domain and the group membership changes
  - If placed on a Global Catalog server, the infrastructure master will not be able to do its job properly, because out-of-date data will not be detected and the corrections will not be replicated; because of this, the Infrastructure Master should not be located on a global catalog server
  - Failure of the infrastructure master can go unnoticed unless a number of changes have been made
  - If the infrastructure master role is seized, the server can be returned to the infrastructure master role when brought back online

The Domain Naming master allows additions, removals, and some modifications of all domains in the forest. It also generates the unique SID for every domain in the forest. The Infrastructure master updates group-to-user references when changes occur. It is recommended that the Infrastructure master be placed on a domain controller that is not the global catalog server to even the load and separate the burden of each role.

The PDC Emulator master is used for interoperability with older clients. The RID master and PDC Emulator roles should be placed on the same domain controller (if it is not overloaded) or, if it is, on separate primary operations master domain controllers (making sure they both have direct connection objects to the standby PDC emulator and RID master servers).

The RID (Relative ID) master issues IDs to domain controllers, as needed (10,000 at a time). The Schema master controls all updates to the schema. The Schema master and Domain Naming master are forest-wide in nature, whereas the RID, Infrastructure, and PDC Emulator masters are domain-based. (Only one server in each domain is needed for these operations.)

Active Directory Infrastructure:

LDAP is the main access protocol for Active Directory. LDAP is an Internet standard used to exchange information between applications and directories.

• Replication: automatic updates of Active Directory between servers. The Knowledge Consistency Checker (KCC) is responsible for generating replication information within a forest. The KCC runs on each domain controller automatically. REPLMON is used to show replication topology and monitor status. It can also be used to force replication or KCC recalculation.

Replication

• Replication to all domain controllers occurs every 15 minutes by default, but can be forced through Active Directory Sites and Services.

• Expand the domain controller under Sites\Default-First-Site-Name\Servers, select NTDS Settings, then right-click and select Replicate Now.

Compression is used when replication is between sites. Multimaster replication is employed by Active Directory to keep all domain controllers as peers.

Active Directory Connector (ADC) is used for replication between Exchange and Active Directory.

Active Directory Replication

• Changes made to Active Directory need to be propagated to all domain controllers.

• Uses a multiple-master replication model whereby all domain controllers are equal.

Intrasite Replication

• Automatic replication between domain controllers in the same site.

• Uses Remote Procedure Call (RPC) communication to control notification.

RPC is used for replication traffic within a site, and the data it sends is uncompressed.

  • Replication latency is the delay between a change being made on one domain controller and that change being replicated to the other domain controllers.

  • Replication convergence is the state reached after replication has completed: all domain controllers are up to date and no new changes remain to be sent.

Replication Monitor (replmon.exe) can be used to show the Active Directory replication topology. It can also be used for troubleshooting replication, and seeing when the last successful replication took place.

Event Viewer is the primary tool used for viewing log files. In addition to the three log files that have always existed (Application, System, which contains information about services and drivers that fail to start, and Security), there are now log files for Directory Services, File Replication Service, and DNS, if those services are in use.

WINS:

WINS persists in Windows Server 2003, with no real changes in operation from Windows 2000. WINS (Windows Internet Naming Service) resolves NetBIOS names to IP addresses. When a WINS client boots, it announces itself to the WINS server, which stores the client's name and IP address in its database to hand out on future requests. This lets you connect to a server named Appserver by name instead of having to remember Appserver's IP address. The WINS database is dynamic.

WINS servers are required to have static IP addresses.

Name Resolution Nodes
B-Node (broadcast) - uses broadcasts to resolve names (not recommended for larger networks, and mostly used by older clients).
P-Node (peer to peer) - uses WINS only, no broadcasts. No WINS server, no resolution. This is the mode typically used by newer clients.
M-Node (mixed) - broadcast first, then WINS (not recommended, as you want to minimize broadcasts).
H-Node (hybrid) - uses WINS first, then broadcast (recommended, as it cuts down broadcasts by trying WINS first but will resort to broadcast as a last resort).

The LMhosts file is a text file that you can manually update that holds NetBIOS name and IP combinations.
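The node types and the LMHOSTS fallback above, as an added worked example (not code from the study guide). It models the four resolution orders over a constructed in-memory WINS table, a constructed set of broadcast responders and a constructed LMHOSTS text; the NetBIOS name cache that real clients check first is left out, and LMHOSTS is consulted only after the node type's methods fail.

```python
"""Name-resolution order by NetBIOS node type, with an LMHOSTS fallback.

Added example, not from the study guide. The WINS table, broadcast
responders and LMHOSTS text below are constructed sample data.
"""
from typing import Callable, Dict, List, Optional, Tuple

Lookup = Callable[[str], Optional[str]]  # name -> ip, or None when unresolved

# Method order for each node type, as described in the guide.
NODE_ORDER = {
    "B": ("broadcast",),
    "P": ("wins",),
    "M": ("broadcast", "wins"),
    "H": ("wins", "broadcast"),
}

# Constructed sample, same layout as the real lmhosts file: "<ip> <name> [#keyword]".
SAMPLE_LMHOSTS = """\
# constructed sample LMHOSTS file
10.0.0.5     APPSERVER
10.0.0.9     PRINTSRV      #PRE
"""


def parse_lmhosts(text: str) -> Dict[str, str]:
    """Return {NETBIOS_NAME: ip} from LMHOSTS text, ignoring comments and keywords."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and #PRE-style keywords
        if not line:
            continue
        ip, name = line.split(None, 1)
        table[name.strip().upper()] = ip
    return table


def table_lookup(table: Dict[str, str]) -> Lookup:
    """Build a lookup over a dict; stands in for a WINS server or for LAN hosts answering a broadcast."""
    return lambda name: table.get(name.upper())


def no_wins(name: str) -> Optional[str]:
    """A WINS server that is unreachable: every query fails."""
    return None


def resolve(name: str, node_type: str, wins: Lookup, broadcast: Lookup,
            lmhosts: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], List[str]]:
    """Resolve `name` using the node type's method order, then LMHOSTS.

    Returns (ip or None, list of methods attempted in order). The attempted
    list shows why H-node generates fewer broadcasts than M-node.
    """
    name = name.upper()
    attempted: List[str] = []
    for method in NODE_ORDER[node_type.upper()]:
        attempted.append(method)
        ip = (wins if method == "wins" else broadcast)(name)
        if ip is not None:
            return ip, attempted
    if lmhosts is not None and name in lmhosts:
        attempted.append("lmhosts")
        return lmhosts[name], attempted
    return None, attempted


if __name__ == "__main__":
    wins = table_lookup({"APPSERVER": "10.0.0.5"})   # names registered with WINS
    lan = table_lookup({"LOCALBOX": "10.0.0.20"})    # hosts answering a subnet broadcast
    for node in "BPMH":
        print(node, resolve("APPSERVER", node, wins, lan, parse_lmhosts(SAMPLE_LMHOSTS)))
```

Running it shows the P-node failing outright when the name is only reachable by broadcast, and the H-node reaching the same answer as the M-node without sending a broadcast first.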

WINS Replication - You should have multiple WINS servers for fault tolerance. These servers can be set up to replicate the data to each other. WINS replicates changes only (data is replicated at the record level using an incremental version ID) instead of the whole database. Persistent connections between WINS servers increase replication efficiency by not needing to establish temporary connections for every update.
• Push Partner - WINS will replicate after a certain number of changes to the database.
• Pull Partner - WINS will replicate at a certain time period regardless of the number of changes.
• Push/Pull Partner - WINS will replicate at a certain number of changes or at a specified time interval regardless of the number of changes.

For automatic configuration, every WINS server announces its presence with broadcasts. If one is found without a push/pull partner, it gets added into the replication list of an existing server. For manual configuration, choose the New Replication Partner option from the Replication Partners node of the server.

While WINS replication occurs on a regular basis, it can be forced at any time by right-clicking a partner and sending an immediate trigger to the partner. WINS-R records can be used in DNS to configure reverse lookups for WINS resolution.

Tombstoned WINS records are not immediately removed, but instead are flagged for later deletion (via an extinction interval) and replicated. Even manually tombstoned WINS records remain in the database until a scavenge operation is undertaken.

DHCP:

DHCP (Dynamic Host Configuration Protocol) allows you to dynamically distribute IP addresses and all associated configuration data through an open standard. DHCP clients are given leases to define the amount of time their address information is valid. Every client automatically attempts to extend the lease when half the time of the lease has expired. If it fails, it keeps trying for the duration of the lease.

DHCP issues not only addresses from the address pool (scope) but also lease information and other IP configuration data (default gateway, subnet mask, etc.). DHCP is installed as a service on Windows Server 2003 through the Networking Services subcomponent of the Add/Remove Programs applet, which launches a wizard.

A scope is a range of IP addresses that can be issued to DHCP clients on a single subnet by the DHCP server. Only one scope can be created for each subnet, and a single DHCP server can manage several scopes.

Automatic Private IP Addressing (APIPA) is used if TCP/IP values are not manually entered, and no DHCP server is found. This assigns values in the 169.254.x.x range with a subnet of 255.255.0.0. Turning this feature off requires editing the Registry.
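The lease lifecycle described in the DHCP section above (renew at half the lease, keep retrying until the lease runs out, fall back to APIPA when no server answers) as an added discrete-time simulation. This is illustration code, not from the study guide or from Windows; the lease values, the server outage window and the retry interval are constructed, and APIPA's real address-conflict detection is omitted.

```python
"""DHCP lease renewal timeline with APIPA fallback.

Added example, not from the study guide: a simulation of the client
behaviour described above. Times are seconds; the lease and outage are
constructed sample data.
"""
import random
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

APIPA_MASK = "255.255.0.0"


@dataclass(frozen=True)
class Lease:
    ip: str
    mask: str
    gateway: str
    duration: int   # seconds
    issued_at: int  # simulation time when granted or last renewed

    def renewal_time(self) -> int:
        """Clients first try to renew when half the lease has elapsed."""
        return self.issued_at + self.duration // 2

    def expires_at(self) -> int:
        return self.issued_at + self.duration


@dataclass(frozen=True)
class Config:
    ip: str
    mask: str
    gateway: Optional[str]
    source: str   # "dhcp" or "apipa"


def apipa_address(seed: int = 0) -> str:
    """Pick a 169.254.x.y link-local address (constructed, deterministic via seed);
    host octets are kept in 1..254 so the result is never the all-zeros or all-ones host."""
    rng = random.Random(seed)
    return f"169.254.{rng.randint(1, 254)}.{rng.randint(1, 254)}"


def simulate(lease: Lease, server_up: Callable[[int], bool], until: int,
             retry_every: int = 600) -> Tuple[List[Tuple[int, str]], Config]:
    """Run the client from its first renewal attempt up to time `until`.

    server_up(t) says whether the DHCP server answers at time t.
    Returns (events, configuration in use at the end).
    """
    events: List[Tuple[int, str]] = []
    t = lease.renewal_time()
    while t <= until:
        if t >= lease.expires_at():
            # No renewal succeeded before expiry: the address is given up and
            # APIPA takes over. There is no gateway, so only local traffic works.
            events.append((lease.expires_at(), "lease expired; using APIPA"))
            return events, Config(apipa_address(), APIPA_MASK, None, "apipa")
        if server_up(t):
            lease = replace(lease, issued_at=t)   # the full lease duration restarts
            events.append((t, "renewed"))
            t = lease.renewal_time()
        else:
            events.append((t, "renewal failed; retrying"))
            t += retry_every
    return events, Config(lease.ip, lease.mask, lease.gateway, "dhcp")


# Constructed sample lease: 8-hour lease granted at t=0.
SAMPLE_LEASE = Lease("10.0.0.50", "255.255.255.0", "10.0.0.1", duration=8 * 3600, issued_at=0)

if __name__ == "__main__":
    # Constructed outage: the DHCP server stops answering after t=10000s.
    ev, cfg = simulate(SAMPLE_LEASE, server_up=lambda t: t < 10_000, until=40_000)
    for when, what in ev:
        print(f"t={when:>6}s  {what}")
    print(cfg)
```

With the server reachable throughout, the client renews at 4 hours and again 4 hours after that; with the constructed outage, it retries from the 4-hour mark until the lease expires at 8 hours and then lands on a 169.254.x.y address with no default gateway.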

Routing and Remote Access:

RRAS routing is installed/configured through the RRAS MMC snap-in by right-clicking on the server and choosing Configure and Enable Routing and Remote Access on the popup menu. This starts the RRAS Setup Wizard.

The three types of remote access permissions available to a user are:

• Allow access

• Deny access

• Control access through Remote Access Policy

When a user dials in, you can choose to verify caller-ID, assign a static IP address to the connection, and/or apply static routes.

RRAS includes support for RIP for IPX and SAP for IPX. RRAS supports the following protocols: AppleTalk, IPX, NetBEUI, and TCP/IP.

An individual host can have its data packet sent in one of the following three ways:

  • By looking at the default gateway address in the IP configuration
  • By using Internet Control Message Protocol (ICMP) redirects to find a route to a destination host
  • By listening to traffic between routers using RIP (Routing Information Protocol) or Open Shortest Path First (OSPF), known as dynamic routing.

Monitoring remote access is done through counters in the Performance utility; the RRAS MMC console can be used to configure incoming connections and other features.

Remote Access Dial-in Profiles allow you to define the following:

• Dial-in Constraints

• IP Address Assignment Policy

• Multilink (aggregation of multiple analog phone lines through multiple modems for greater bandwidth)

• Authentication

• Encryption (No Encryption, Basic or Strong)

Remote Access Dial-in Profiles can be configured and govern security in much the same way group policies do.

A remote access policy defines actions that can be undertaken for a user or group of users who connect remotely. They can employ specific authentication and encryption methods.

IAS (Internet Authentication Service) can be used to enforce (through policies) issues such as: RADIUS clients allowed, incoming phone numbers to accept, the type of media used to establish the connection, user membership in security groups, and the time of allowed access (day, hour, etc.). With RADIUS, all authentication requests heard by a server are sent to a RADIUS server for approval/denial. RADIUS is an open standard.

IAS is used for centralized administration and to enforce access policies. It works with PAP, CHAP, MS-CHAP, and EAP. IAS is useful for centralized auditing, scaling systems for growing demand, monitoring usage remotely, and working with a graphical interface through an MMC snap-in.

Remote Access Authentication Protocols:

CHAP (Challenge Handshake Authentication Protocol) - uses the industry-standard MD5 one-way hashing scheme to protect the response. Highly secure.

EAP (Extensible Authentication Protocol) - client and server negotiate the authentication method, which can include MD5 username and password encryption, smart cards, token cards, retina or fingerprint scanners and other third-party authentication technologies.

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) - one-way encrypted password. This is enabled by default on a Windows Server 2003 running RAS. Highly secure. It differs from CHAP in that client communication must be between two Microsoft operating systems.

MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol v2) - strong encryption. Windows clients use this by default for dial-up networking (also known as DUN). Windows 2000, NT4 and Win98 clients use this by default for VPN. Highly secure. Version 2 differs from version 1 primarily in that it implements two-way (mutual) authentication.

PAP (Password Authentication Protocol) - uses clear-text passwords. Provides little security.

SPAP (Shiva Password Authentication Protocol) - more secure than PAP; it is used to connect to a Shiva LANRover. Medium security.

A virtual private network (VPN) is an extension of the physical network. Rather than restricting the network to local cabling, it uses a public network (i.e. the Internet) as a segment backbone.

Windows Server 2003 uses two main encryption protocols with VPNs (virtual private networks): MPPE is used with PPTP, and IPSec, an open protocol suite that relies on L2TP, is used to encrypt user names, passwords, and data. Connections are configured to use MPPE (running with PPTP) or IPSec (running with L2TP) through the Network and Dial-up Connections applet.

PPPoE (Point to Point Protocol over Ethernet) support is built into Windows Server 2003, as is an integrated firewall, 802.1x (wireless security) and IPv6 support.

Demand-dial routing (also known as dial-on-demand routing) is used to send packets across a dial-up link between two routers that have Routing and Remote Access Services (RRAS) installed. The connection can be made through a modem, ISDN line, or direct (serial/parallel) connection.

Demand-dial security allows the administrator to add features such as authentication, encryption, callback, caller ID, etc.

Static routing uses a routing table that does not change. It is configured by the administrator and must be manually updated, as needed. The route command is used to configure static routes and for troubleshooting. The route -p command lists all the routes the computer knows about.

Dynamic routing can use either distance-vector routing protocols or link-state routing protocols. Link-state routing protocols differ from distance-vector protocols in that they send information only about routes that have changed via link-state advertisements (also known as flooding). With link-state routing protocols, knowledge is obtained first hand, not passed on through other routers.

RIP is a distance-vector protocol using hop count as the metric for measuring the number of routers that must be crossed to reach a network. The maximum number of hops in a path is 15. RIPv2 can use multicasting of routing tables and supports variable-length subnet masks.

OSPF is a link state routing protocol that uses link state advertisements (LSAs) to communicate. OSPF has more features and functionality than RIP and is considered "loop-free," with a maximum metric limit of 65,535.
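The distance-vector behaviour described for RIP above (hop count as the metric, 16 meaning unreachable, so a network more than 15 routers away is never installed) as an added worked example. This is illustration code, not from the study guide and not RIP's wire protocol: every router repeatedly learns its neighbours' tables and adds one hop until no table changes, which is the convergence a distance-vector protocol reaches; the topologies are constructed.

```python
"""Distance-vector (RIP-style) route computation with the 15-hop limit.

Added example, not from the study guide. Each round, every router looks at
its neighbours' tables, adds one hop, and keeps any strictly shorter route;
a 16-hop route is never installed. Topologies below are constructed.
"""
from typing import Dict, Optional, Set, Tuple

INFINITY = 16                       # RIP's "unreachable" metric
Route = Tuple[int, Optional[str]]   # (hop count, next-hop router)
Table = Dict[str, Route]


def rip_converge(links: Dict[str, Set[str]], max_rounds: int = 64) -> Tuple[Dict[str, Table], int]:
    """Iterate distance-vector exchanges over `links` (router -> neighbours, 1 hop each).

    Returns (routing tables, number of rounds until nothing changed).
    """
    tables: Dict[str, Table] = {r: {r: (0, None)} for r in links}
    for rnd in range(1, max_rounds + 1):
        changed = False
        updated = {r: dict(t) for r, t in tables.items()}
        for router, neighbours in links.items():
            for nb in neighbours:
                # The neighbour advertises its whole table; each entry costs one more hop.
                for dest, (hops, _) in tables[nb].items():
                    cost = hops + 1
                    current = updated[router].get(dest, (INFINITY, None))[0]
                    if cost < INFINITY and cost < current:
                        updated[router][dest] = (cost, nb)
                        changed = True
        tables = updated
        if not changed:
            return tables, rnd
    return tables, max_rounds


def hops_to(tables: Dict[str, Table], src: str, dst: str) -> int:
    """Hop count from src to dst, or INFINITY (16) when RIP considers dst unreachable."""
    return tables[src].get(dst, (INFINITY, None))[0]


def chain(n: int) -> Dict[str, Set[str]]:
    """Constructed linear topology R0 - R1 - ... - R(n-1)."""
    links: Dict[str, Set[str]] = {f"R{i}": set() for i in range(n)}
    for i in range(n - 1):
        links[f"R{i}"].add(f"R{i + 1}")
        links[f"R{i + 1}"].add(f"R{i}")
    return links


if __name__ == "__main__":
    tables, rounds = rip_converge(chain(18))
    print("converged after", rounds, "rounds")
    print("R0 -> R15:", hops_to(tables, "R0", "R15"))   # 15: the longest usable path
    print("R0 -> R16:", hops_to(tables, "R0", "R16"))   # 16: unreachable
```

On an 18-router chain, R0 ends up with a 15-hop route to R15 but no route at all to R16 or R17, even though the links physically exist; that is the practical meaning of the 15-hop limit.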

Network Infrastructure:

NAT interfaces define connection properties for network address translation. They define what constitutes the internal network and what constitutes the external network. NAT translates between two different networks, allowing you to have a private scope internally and still communicate with the Internet. Windows Server 2003 includes the following NAT editors: FTP, ICMP, and PPTP.

Internet Connection Sharing (ICS) is a service that allows you to provide automated demand-dial capabilities on a small network, such as a home office. This can be used for any number of processes, including DNS Proxy, DHCP, and NAT.

Network Monitor is a subset of the fuller version in SMS. It can be used to capture real-time activity, to create filters, and to view and save data to a file.

System Monitor is an ActiveX tool that can graphically display performance of various real-time statistics. Within it, the workstation is divided into a number of different objects, and each object is divided into one or more counters. System Monitor appears on the Performance tool (Start - Programs - Administrative Tools - Performance) and it is the primary performance tool for the system. Performance Logs and Alerts enables you to record data to create and compare with a baseline (to get a long-term look at how the system is operating) or send administrative alerts when thresholds are reached.

Optimal performance from a system is what you are always striving for. Optimal performance is attained when a system is running (processing, responding, and so on) as fast as it possibly can, given the resources available to it.

Group Policy:

RSoP (Resultant Set of Policy) is a new tool included with Windows Server 2003 that shows how permissions and policies overlap. It takes inheritance and other factors into account and shows the resulting policy that applies to the user or computer in an Active Directory tree. Gpresult is a command-line utility that can perform the same function as RSoP.

Windows Server 2003 includes GPUPDATE - a new utility that replaces SECEDIT switches for group policy updates. SECEDIT still exists in 2003, but it is now used only for applying changes and reporting on them.

Group Policy

Group Policy is a component of Active Directory used to restrict users and enforce limitations. Operating systems prior to Windows 2000 must utilize system policies, created with the POLEDIT utility.

• Reduces Total Cost of Ownership (TCO).

• Implemented through Group Policy Objects (GPOs) and applied to User and Computer Configurations.

• The three possible settings for a policy are Not Configured, Enabled and Disabled.

Group Policies can be used to assign and publish software. Assigning software causes the software to be installed regardless of whether it is used. Published software is available to the users/machines, but it is not installed automatically. Software can be assigned to a user or computer, but published only to users (not computers).

Disk quotas can be assigned via group policies to restrict how much space a user is allowed to have in specific folders.

Group policies are implemented by Site, Domain, and then Organizational Unit (OU).

Creating and Modifying Group Policies

• Group policy settings are refreshed throughout the network, on average every 90 minutes.

• Domain controllers refresh on average every 5 minutes.

• The refresh interval for domain controllers can be modified through Group Policy settings.

• When a GPO is deleted, any links to it are dropped automatically without warning.

• Filtering GPOs allows Group Policies to be applied to individual users rather than to all users and computers in an OU.
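The Group Policy points above (the Site, Domain, OU application order; the three setting states; filtering by security group; what RSoP reports) as an added worked example. It is illustration code, not from the study guide and not how gpresult or the RSoP snap-in is implemented: GPOs linked at each level are processed in order, a later GPO overrides an earlier one only for settings it actually configures (Not Configured leaves the inherited value alone), and a filter of security groups decides whether a GPO applies to the user at all. The GPO names, setting names and groups are constructed.

```python
"""Resultant Set of Policy, computed in Site, Domain, OU order.

Added example, not from the study guide. A minimal model of policy
precedence and security-group filtering over constructed GPOs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

NOT_CONFIGURED, ENABLED, DISABLED = "Not Configured", "Enabled", "Disabled"


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]                               # setting -> one of the three states
    filter_groups: Set[str] = field(default_factory=set)   # empty: applies to everyone

    def applies_to(self, groups: Set[str]) -> bool:
        """Security filtering: with a filter, the user must be in at least one listed group."""
        return not self.filter_groups or bool(self.filter_groups & groups)


def resultant_policy(site: List[GPO], domain: List[GPO], ous: List[Tuple[str, List[GPO]]],
                     groups: Set[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (effective settings, which GPO supplied each) for a user in `groups`.

    `ous` lists (OU name, linked GPOs) from the top-level OU down to the user's own OU,
    so the last entry processed is the closest to the user and wins conflicts.
    """
    levels = [("Site", site), ("Domain", domain)] + [(f"OU {name}", g) for name, g in ous]
    effective: Dict[str, str] = {}
    winner: Dict[str, str] = {}
    for level, gpos in levels:
        for gpo in gpos:
            if not gpo.applies_to(groups):
                continue                      # filtered out: contributes nothing
            for setting, state in gpo.settings.items():
                if state == NOT_CONFIGURED:
                    continue                  # inherit whatever a higher level set
                effective[setting] = state
                winner[setting] = f"{level}: {gpo.name}"
    return effective, winner


# Constructed sample hierarchy: site -> domain -> OU Corp -> OU Sales.
SITE_GPOS = [GPO("Site-Baseline", {"RemoveRunMenu": ENABLED, "DiskQuota": ENABLED})]
DOMAIN_GPOS = [GPO("Domain-Default", {"RemoveRunMenu": DISABLED, "ScreenSaverTimeout": ENABLED})]
OU_GPOS = [
    ("Corp", [GPO("Corp-Policy", {"RemoveRunMenu": NOT_CONFIGURED})]),
    ("Sales", [GPO("Sales-Quota", {"DiskQuota": DISABLED}, filter_groups={"Sales"})]),
]

if __name__ == "__main__":
    for who, groups in [("sales user", {"Domain Users", "Sales"}), ("engineer", {"Domain Users"})]:
        eff, src = resultant_policy(SITE_GPOS, DOMAIN_GPOS, OU_GPOS, groups)
        print(who, {s: (eff[s], src[s]) for s in sorted(eff)})
```

The output is the kind of table RSoP or gpresult shows: for the sales user the domain GPO's Disabled beats the site GPO's Enabled for RemoveRunMenu, the OU GPO that leaves it Not Configured changes nothing, and the filtered Sales-Quota GPO applies; for the engineer, who is not in the Sales group, the site's DiskQuota setting survives.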

TCP/IP:

TCP/IP addresses can be assigned manually to each host, or leased to them through the use of a DHCP server. The addresses must be unique within the realm in which the host communicates. If the host only communicates locally, then the address need only be unique locally; if it communicates directly across the Internet, then the address must be unique within the world.

The first octet identifies the class of network, with the following being valid entries:

1 - 126 Class A
128 - 191 Class B
192 - 223 Class C
224 - 239 Class D (multicast)

Addresses cannot consist of all zeros, or all ones, and the entire 127 domain is reserved because 127.0.0.1 is set aside as the "loopback" address.

To configure TCP/IP on a host, you need only three values with one being that of default gateway (the other two are IP address and subnet mask). The default gateway is the IP address of the router all data not intended for this network should go to.

A subnet mask divides the total number of hosts available for one network into a smaller number available to each of several networks. The subnet mask value is based upon the class of network you have. The default values by class, and the maximum number of hosts, are:

Class   Default subnet mask   Maximum hosts per network
A       255.0.0.0             over 16 million
B       255.255.0.0           over 65,000
C       255.255.255.0         254
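The classful rules in this section (class from the first octet, the 127 loopback reservation, the default mask per class, the host counts in the table, and the all-zeros/all-ones host restriction) as an added worked example. It is illustration code, not from the study guide; it also accepts a non-default mask so the host count for a subnetted network can be checked the same way. Sample addresses are constructed.

```python
"""Classful IPv4 addressing: class, default mask and host capacity.

Added example, not from the study guide. Sample addresses are constructed.
"""
import ipaddress
from typing import Dict, Optional

# First-octet ranges and default masks from the guide's table.
CLASSES = {
    "A": (1, 126, "255.0.0.0"),
    "B": (128, 191, "255.255.0.0"),
    "C": (192, 223, "255.255.255.0"),
    "D": (224, 239, None),   # multicast: no network/host split
}


def address_class(ip: str) -> str:
    """Class letter, 'loopback' for 127.x.x.x, or 'reserved' for anything else (0 and 240+)."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first == 127:
        return "loopback"
    for cls, (low, high, _) in CLASSES.items():
        if low <= first <= high:
            return cls
    return "reserved"


def usable_hosts(mask: str) -> int:
    """Host addresses available under a mask, excluding the network and broadcast addresses."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return max(net.num_addresses - 2, 0)


def describe(ip: str, mask: Optional[str] = None) -> Dict[str, object]:
    """Summarise an address: class, mask in use, network/broadcast, host count, host validity."""
    cls = address_class(ip)
    default_mask = CLASSES.get(cls, (0, 0, None))[2]
    mask = mask or default_mask
    info: Dict[str, object] = {"address": ip, "class": cls, "mask": mask}
    if mask is None:                    # class D, loopback, reserved: no host accounting
        return info
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    info.update({
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable_hosts(mask),
        # the all-zeros and all-ones host parts cannot be assigned to a host
        "valid_host": addr not in (net.network_address, net.broadcast_address),
    })
    return info


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.16.5.4", "192.168.1.0", "127.0.0.1", "224.0.0.9"):
        print(describe(sample))
    print(describe("172.16.5.4", "255.255.255.192"))   # a subnetted class B network
```

The default-mask host counts come out as 16,777,214, 65,534 and 254 for classes A, B and C, matching the table, and 192.168.1.0 is reported as not assignable to a host because its host part is all zeros.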