Dave’s
Notes on Exam 70-292
Managing and Maintaining a Microsoft
Windows Server 2003 Environment for an MCSA Certified on Windows 2000
I recently passed this exam, as I needed to upgrade my MCSE from 2000 to 2003. This is the first of two exams required to upgrade your certification. I found the exam to be moderately difficult. Some questions were quite lengthy, and some were hard to understand. Fortunately, there were enough clear and simple questions that you should be able to pass on the first attempt if you study well and have hands-on experience with the product.
Exam Overview
This exam, as of early February 2004, consisted of 56 questions, with Microsoft allotting 120 minutes in which to complete them. Be prepared to use most of your time, as several questions are quite lengthy, including scenarios and exhibits.
The exam interface has been greatly enhanced and is much easier on the eyes. The graphics in the exhibits have been greatly improved as well. Microsoft has now incorporated several "drag and drop" type answers, in addition to several simulator-type questions. Hands-on experience, needless to say, is critical to passing this one.
Several times you will be given scenarios that discuss the "default installation" of this or the "default settings" for that. It is important that you know what these defaults are (for example, with the exception of Web Edition, Server 2003 installs do NOT have IIS 6.0 installed). Sometimes the correct answer involves modifying the default settings, and sometimes the correct answer means you leave the default settings alone. Be wise, and NEVER assume!
Managing Users,
Computers, and Groups
You will need to remember that SECURITY groups are the ones that can be granted access to resources; a distribution group is not security-enabled and cannot appear in an ACL. You may find a question in which a global group "doesn't work" for permissions simply because it was created as a distribution group.
Be familiar with the different tools you can use to manage users, computers, and groups. In addition to Active Directory Users and Computers, be familiar with the uses of dsadd and csvde as command-line methods of adding users. It is extremely important that you remember that csvde does NOT allow you to include passwords (you’ll thank me if you remember this).
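As an added example (not from the original notes), the two command-line routes side by side, including the password gap in csvde and the security/distribution group point. The domain contoso.com, the OU, the account names and the passwords are assumptions for illustration.

```batch
@echo off
rem Added example, not from the original notes. Domain contoso.com, OU=Staff
rem and the names/passwords below are assumptions for illustration.

rem --- csvde: bulk import, but it cannot set a password -------------------
rem userAccountControl 514 = normal account + disabled, so the import does not
rem trip over the domain password policy (an enabled account with a blank
rem password would be rejected).
(
echo DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
echo "CN=Jane Doe,OU=Staff,DC=contoso,DC=com",user,jdoe,jdoe@contoso.com,Jane Doe,514
echo "CN=Bob Ray,OU=Staff,DC=contoso,DC=com",user,bray,bray@contoso.com,Bob Ray,514
) > users.csv
csvde -i -f users.csv -k

rem Passwords have to be set afterwards, one account at a time, then enabled.
dsmod user "CN=Jane Doe,OU=Staff,DC=contoso,DC=com" -pwd P@ssw0rd1 -mustchpwd yes -disabled no
dsmod user "CN=Bob Ray,OU=Staff,DC=contoso,DC=com"  -pwd P@ssw0rd2 -mustchpwd yes -disabled no

rem --- dsadd: one account per command, but -pwd works in the same step ------
dsadd user "CN=Ann Lee,OU=Staff,DC=contoso,DC=com" -samid alee -upn alee@contoso.com ^
  -fn Ann -ln Lee -pwd P@ssw0rd3 -mustchpwd yes -disabled no

rem --- groups: only SECURITY groups can be granted access to resources -------
dsadd group "CN=Finance,OU=Staff,DC=contoso,DC=com" -secgrp yes -scope g ^
  -members "CN=Jane Doe,OU=Staff,DC=contoso,DC=com" "CN=Ann Lee,OU=Staff,DC=contoso,DC=com"

rem A distribution group created by mistake can be converted in place
rem (the domain must be at Windows 2000 native functional level or higher).
dsmod group "CN=Newsletter,OU=Staff,DC=contoso,DC=com" -secgrp yes
dsget group "CN=Newsletter,OU=Staff,DC=contoso,DC=com" -secgrp
```

The `-k` on csvde tells it to keep going past per-row errors, which is usually what you want in a bulk import; check its output for the rows it skipped before running the dsmod lines.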
A new feature of WS2003 is the "Manager can update membership list" option on a group's Managed By tab, which lets the person named as manager add and remove members without any other rights on the group. Know how and when you would use this.
Another significant change with WS2003 is the default permissions: a new share is created with Everyone Read (Windows 2000 gave Everyone Full Control), and the default NTFS ACL on a new volume no longer grants Everyone Full Control either. Also, in WS2003 you can view the effective permissions for a user or group on an NTFS file or folder: open the object's properties, go to the Security tab, click Advanced, and use the Effective Permissions tab of the Advanced Security Settings dialog box.
You may see an example screenshot or simulation of the Microsoft Baseline Security Analyzer. The focus will most likely be on vulnerability checks. Make sure you read carefully what TYPE of server is being discussed. For example, a file and print server would not need to be analyzed for SQL or IIS vulnerabilities.
In this category you may find several questions related to Terminal Services security. New to WS2003 is the ability to configure many of the service's settings using Group Policy.
You should see several questions related to Remote Desktop for Administration. This has replaced the administration mode of Terminal Services (you are still limited to two concurrent remote connections per server, in addition to the console session).
Know the difference between the Remote Desktop Connection client and the Remote Desktops MMC snap-in. Remote Desktop Connection (mstsc.exe) can be run as a client on previous versions of Windows. Like the Terminal Services Client, it gives you one server per window; by default you get one of the two remote sessions rather than the console, although the WS2003 client can attach to the console session with the /console switch. The Remote Desktops snap-in, on the other hand, lets you manage multiple servers simultaneously from one MMC console, and its connections open a CONSOLE session by default.
You will need to know how to enable a server to be remotely accessed. It is enabled using the "Remote" tab in System Properties; without this enabled, remote clients will not be able to reach your server. Understand how the session timeout settings work and that you change them in Terminal Services Configuration (right-click RDP-Tcp, Properties, Sessions tab).
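The same enablement and connection steps from the command line, as an added example that is not part of the original notes. The server name srv01 and the CONTOSO\HelpDesk group are assumptions; the registry value is the one the Remote tab checkbox toggles.

```batch
@echo off
rem Added example, not from the original notes. srv01 and CONTOSO\HelpDesk
rem are assumptions.

rem Same effect as ticking "Allow users to connect remotely" on the Remote
rem tab: 0 = allow remote connections, 1 = deny.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" ^
  /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

rem Non-administrators must be in the local Remote Desktop Users group
rem (members of Administrators can connect without it).
net localgroup "Remote Desktop Users" CONTOSO\HelpDesk /add

rem Remote Desktop Connection normally takes one of the two remote sessions;
rem /console attaches to the physical console session (session 0) instead.
mstsc /v:srv01
mstsc /v:srv01 /console

rem When "the terminal server has exceeded the maximum number of allowed
rem connections" appears, see who holds the two sessions and free one
rem (2 is whatever session ID query session reported).
query session /server:srv01
logoff 2 /server:srv01
```

Session timeouts (idle, disconnected, active) have no equivalent switch here; they are set per connection object in Terminal Services Configuration or through the Terminal Services Group Policy settings, and the policy wins when both are set.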
You should see several questions related to IIS 6.0 and configuring a web server. IIS 6.0 must be added after setup on anything besides Web Edition, and by default the only service installed with it is the WWW service. You will also need to remember which port to open on a firewall (80 for HTTP, and 443 if the site uses SSL).
You should also see several questions related to Software Update Services (SUS). There are two major ways that clients can receive critical updates and security fixes: Windows Update (the online version that interacts with Microsoft's web site) and Automatic Updates pointed at an SUS server running inside your network.
It is the duty of the server running SUS to synchronize with Microsoft's web site to make sure it has the latest updates. The administrator can either allow the SUS server to automatically approve each update, or require the administrator to manually approve the updates (which provides an opportunity to test each update before rolling it out to the clients).
A typical scenario-based question you might see involves a computer getting regular updates but missing one critical update that you know was downloaded to the SUS server. Why didn't the client get it? Because it had to be manually approved first.
You manage an SUS server through a web site on that server. Two XML logs are viewable from the SUS administration site: History-Sync.xml (the synchronization log) and History-Approve.xml (the approval log). Remember that these are on the SERVER. You might see a question related to a client problem; clients don't synchronize with Microsoft's web site, and updates are not approved on the clients but on the server.
You should see some questions related to a couple of new features in WS2003: Automated System Recovery (ASR) and Shadow Copies. ASR has replaced the ERD, and Shadow Copies are point-in-time copies, taken on a schedule, of the files in shared folders that your users work with through the course of their day.
The ASR backup wizard does NOT back up data files; it backs up only the System State data, system services, and all disks associated with the OS components. ASR also creates a floppy disk that contains information about your disk configuration, the backup itself, and how to perform the restore. Although this disk is sometimes called a startup disk, it is NOT bootable. It is created using the Backup wizard (advanced mode).
Know the procedure for using ASR to recover from a server failure! You first boot from the CD-ROM that contains WS2003. At the beginning of the text-mode section of Setup, press F2 when prompted (you may see this on the exam!), then insert the ASR floppy disk you previously created.
Shadow Copies of Shared Folders are point-in-time, read-only copies of files on network shares. They are created on a schedule you set on the server, and a new version of a given file appears only if that file changed since the previous copy. Each shadow copy of a file is called a "version" (you can store up to 64 shadow copies per volume). It is a great feature that allows you to quickly recover files that have been accidentally overwritten or deleted.
On the server side, you turn on Shadow Copies in Computer Management (Local) by right-clicking Shared Folders, pointing to All Tasks, and clicking "Configure Shadow Copies." You then enable an entire volume (you can't turn Shadow Copies on for just one folder, only for a whole volume or partition). To set a schedule for when Shadow Copies are made, go to the same place you turned them on, but this time select "Settings" and then click "Schedule."
It is very important that you know to configure the clients as well to use the Shadow Copies feature. Windows 2000 and pre-SP2 Windows XP clients need the Previous Versions Client software installed (you can deploy it with a GPO; XP SP2 and WS2003 already include it). Once the software is installed, the client sees a Previous Versions tab on the shared folder's Properties box.
You will most likely see a scheduling question (which previous version of Jane's file will she have to restore if she wants to go back to the way it was on such-and-such a day at such-and-such a time? Answer: the newest version taken at or before that time). Know the difference between the effect of restoring versus copying. If you restore a previous version of a folder, its current contents are replaced with that version, so files created or changed after that version are lost. The safe alternative is to copy the previous version to a different location and pick out what you need.
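The server-side setup from the previous paragraphs, plus the listing you would read to answer the "which version" question, as an added example that is not part of the original notes. Volume D:, the 2 GB limit and the times are assumptions; vssadmin and schtasks are the tools that the "Configure Shadow Copies" dialog drives underneath.

```batch
@echo off
rem Added example, not from the original notes. Volume D:, the 2 GB limit and
rem the 07:00/12:00 times are assumptions.

rem Shadow copies are enabled per VOLUME, never per folder. The diff storage
rem can live on the same or another volume; the oldest copy is dropped when
rem it fills, and 64 copies per volume is the hard ceiling.
vssadmin add shadowstorage /for=D: /on=D: /maxsize=2GB
vssadmin list shadowstorage

rem Take the first copy now (this is what the dialog's "Create Now" does).
vssadmin create shadow /for=D:

rem The default GUI schedule is Mon-Fri at 07:00 and 12:00. As scheduled tasks:
schtasks /create /tn "ShadowCopyVolumeD-0700" /ru SYSTEM ^
  /tr "%SystemRoot%\system32\vssadmin.exe Create Shadow /AutoRetry=5 /For=D:" ^
  /sc weekly /d MON,TUE,WED,THU,FRI /st 07:00
schtasks /create /tn "ShadowCopyVolumeD-1200" /ru SYSTEM ^
  /tr "%SystemRoot%\system32\vssadmin.exe Create Shadow /AutoRetry=5 /For=D:" ^
  /sc weekly /d MON,TUE,WED,THU,FRI /st 12:00

rem Each entry's "Creation Time" is what the Previous Versions tab shows as a
rem version. For "the file as it was on Tuesday at 10:30", pick the newest
rem copy created at or before that time (here Tuesday 07:00, not 12:00).
vssadmin list shadows /for=D:
```

A copy taken at 12:00 contains the file as it was at 12:00, which is after the 10:30 damage in that scenario, so the 07:00 copy is the one to use; the same reasoning applies whatever schedule the question gives.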
Related to disaster recovery, you're sure to see a backup question. In case you forgot, remember the difference between a normal (full) backup, a differential backup, and an incremental backup. A differential backs up everything changed since the last normal backup and does not clear the archive bit, so a normal backup plus differentials will always restore from two tapes, the normal and the most recent differential, no matter how many differentials you ran (provided each backup fit on one tape). An incremental backs up only what changed since the last normal or incremental backup and clears the archive bit, so restoring needs the normal tape plus every incremental since it, in order.
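The three backup types as ntbackup command lines, as an added example that is not part of the original notes. D:\Data, the E:\Backups target and the job names are assumptions.

```batch
@echo off
rem Added example, not from the original notes. D:\Data, E:\Backups and the
rem job names are assumptions.

rem Sunday: NORMAL backup. Copies everything selected and clears the archive bit.
ntbackup backup D:\Data /j "Sunday normal" /f "E:\Backups\normal.bkf" /m normal /v:yes

rem Mon-Sat, option A: DIFFERENTIAL. Everything changed since the last NORMAL
rem backup; the archive bit is NOT cleared, so each differential grows.
rem Restore set = the normal backup + the most recent differential (two sets).
ntbackup backup D:\Data /j "Weekday differential" /f "E:\Backups\diff.bkf" /m differential

rem Mon-Sat, option B: INCREMENTAL. Only what changed since the last normal OR
rem incremental backup; the archive bit IS cleared, so each one stays small.
rem Restore set = the normal backup + every incremental since it, in order.
ntbackup backup D:\Data /j "Weekday incremental" /f "E:\Backups\incr.bkf" /m incremental

rem System State (registry, COM+ registration, boot files, and on a DC the
rem AD database and SYSVOL) is its own keyword. ASR includes it too, but the
rem ASR set and floppy can only be produced from the Backup wizard (advanced mode).
ntbackup backup systemstate /j "System State" /f "E:\Backups\systemstate.bkf"
```

Without /a each run overwrites the named .bkf file, so in practice you give each day's differential or incremental its own file name (or append with /a) or you lose the chain you need for the restore.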
Perhaps the bulk of the questions (about 25 percent) will be related to DNS. WS2003 has added some new features to DNS that you will need to know if you want to pass this exam. Given the volume of DNS questions you can expect to see, a good grasp of these new features and changes is essential.
First of all, Active Directory has added a new kind of partition to its database alongside the Schema, Configuration, and Domain partitions: application partitions. DNS uses application partitions to control replication of Active Directory-integrated zones to other DNS servers. When you store a zone in Active Directory you choose its replication scope: all DNS servers in the AD forest (the ForestDnsZones partition), all DNS servers in the AD domain (the DomainDnsZones partition), or all domain controllers in the AD domain (the domain partition itself, which is the only option Windows 2000 DCs understand). PLUS, you can create custom application partitions and enlist specific DNS servers in them so a zone replicates only to those servers. You will most certainly see a question about this.
In WS2003, DNS has added a new zone type called a "stub zone." A stub zone does not contain the regular A records for hosts in a DNS domain. Rather, it holds only the SOA record, the NS records, and the glue A records of the DNS servers that are authoritative for that zone, and it refreshes them from those servers. You can think of stub zones as "bookmarks" that point to the servers that can perform name resolution for other domains. It is similar to delegating authority to another domain, except that it is useful when you have disjoint namespaces where delegation isn't possible.
Another new feature in DNS for WS2003 is the conditional forwarder. It is similar to the forwarders used in Win2K (and is in fact configured with the same tool), but you can specify individual domains whose name resolution requests you want to forward to particular servers. This works well when two companies merge and you don't want to use Internet DNS servers to resolve names between them. You can specify as many conditional forwarders as you want; you simply associate the IP address of a DNS server (or servers) with a particular domain, and everything else still follows the server-wide forwarders or root hints.
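The three WS2003 DNS features above (application-partition replication scopes, stub zones, conditional forwarders) configured with dnscmd, as an added example that is not part of the original notes. srv01, srv02, contoso.com, the partner domains and the IP addresses are assumptions.

```batch
@echo off
rem Added example, not from the original notes. srv01, srv02, contoso.com,
rem the partner domains and the IP addresses are assumptions.

rem --- AD-integrated replication scope via application partitions ----------
rem Built-in scopes: ForestDnsZones.<forest> (all DNS servers in the forest)
rem and DomainDnsZones.<domain> (all DNS servers in the domain). Storing the
rem zone in the domain partition instead replicates it to ALL DCs in the
rem domain, DNS server or not (the Windows 2000 behaviour).
dnscmd srv01 /enumdirectorypartitions
dnscmd srv01 /zoneresettype contoso.com /DsPrimary /DirectoryPartition ForestDnsZones.contoso.com

rem A custom partition replicates a zone only to the DNS servers you enlist.
dnscmd srv01 /createdirectorypartition dnspart.contoso.com
dnscmd srv02 /enlistdirectorypartition dnspart.contoso.com
dnscmd srv01 /zoneadd branch.contoso.com /DsPrimary /DirectoryPartition dnspart.contoso.com

rem --- Stub zone: only the SOA, NS and glue A records of partner.com's
rem authoritative servers. srv01 learns (and refreshes) who is authoritative
rem and sends queries there; useful when the namespaces are disjoint.
dnscmd srv01 /zoneadd partner.com /Stub 10.2.0.5 10.2.0.6

rem --- Conditional forwarder: queries for merged.com only go to 10.3.0.5;
rem everything else still follows the server-wide forwarders set below
rem (or root hints if there are none).
dnscmd srv01 /zoneadd merged.com /Forwarder 10.3.0.5
dnscmd srv01 /resetforwarders 192.0.2.53

rem Check what was created.
dnscmd srv01 /enumzones
dnscmd srv01 /zoneinfo partner.com
```

The difference to keep straight for the exam: a stub zone makes srv01 hold (and refresh) the list of partner.com's authoritative servers and query them directly, while a conditional forwarder just hands merged.com queries to a server you name, which need not be authoritative for it.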
You will still need to remember the other DNS zone types from your Win2000 studies. Plus, you will still need to remember the major types of resource records (including MX records).
You will probably see a question or two dealing with security templates, which will be mostly a review from Windows 2000. You should also see several questions dealing with auditing and security logs, including a simulation or two in which you actually turn on auditing in a policy.
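A security template that turns on auditing, analyzed and then applied with secedit, as an added example that is not part of the original notes and covering both the templates and the auditing paragraphs above. The file names and the particular audit choices are assumptions; the .inf section names and numeric values are the standard template format.

```batch
@echo off
rem Added example, not from the original notes. File names and the audit
rem choices are assumptions.

rem A minimal security template. Audit values: 0 = none, 1 = success,
rem 2 = failure, 3 = success and failure.
(
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [Event Audit]
echo AuditObjectAccess = 3
echo AuditLogonEvents = 3
echo AuditAccountLogon = 3
echo AuditPolicyChange = 3
echo AuditAccountManage = 3
echo [System Access]
echo MinimumPasswordLength = 8
) > audit.inf

rem Compare the machine with the template first (no changes are made)...
secedit /analyze /db audit.sdb /cfg audit.inf /log audit.log
type audit.log

rem ...then apply only the policy areas the template carries.
secedit /configure /db audit.sdb /cfg audit.inf /areas SECURITYPOLICY /log audit.log

rem Object access auditing records nothing until a SACL exists on the file or
rem folder (Security tab, Advanced, Auditing). Once it does, look in Event
rem Viewer's Security log for 560/567 (object access) and 528/540/529 (logon).
```

On a domain member, a domain GPO with Audit Policy settings overrides whatever secedit set locally at the next refresh, so in a domain you import the same .inf into the GPO (Security Settings, Import Policy) rather than running secedit on each server.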
Microsoft did not include a "miscellaneous" category in their preparation guide, but you should be aware that they may ask you some questions on topics not listed there. If they do, the question(s) will most likely be answerable from your Windows 2000 experience.
Good luck! Let me know if you have found these notes helpful!