Your Guide to Victory: True North on Your 70-240 Quest

You have one chance—and one chance only—to prove your expertise on Windows 2000. Here's what you need to understand to make sure you get through 70-240 victoriously.

Tackling Microsoft’s Accelerated exam is like taking on any difficult endeavor you’ve never really tried. You’ll never be sure you’re absolutely ready beforehand, no matter how much preparation you put in. But at some point you have to set off. You have one chance—and one chance only—to prove your expertise in one fell swoop. If you fail, you’ll be like everybody else who wants to get the new MCSE—going at it one exam at a time. The intent of this article is to prepare you for the exam as rigorously as possible. Read it carefully. Do what it advises. Spend lots of time preparing. If you do all of that, the leap into the great unknown won’t be so mysterious after all.

Who Gets To Take It
Accelerated Exam 70-240 gives you an alternative to taking the four Win2K core exams, but it’s not a shortcut to Win2K certification. The test is every bit as challenging as the four core exams it replaces. You need to know the material covered by all four core exams (70-210, 70-215, 70-216, and 70-217) if you want to pass.

To be eligible for your voucher to take 70-240, you must have passed the following three Windows NT 4.0 exams:

  • Exam 70-067: Implementing and Supporting Microsoft Windows NT Server 4.0
  • Exam 70-068: Implementing and Supporting Microsoft Windows NT Server 4.0 in the Enterprise
  • Exam 70-073: Microsoft Windows NT Workstation 4.0

If you haven’t passed all three tests, you’re not eligible to take 70-240.

And remember: Passing Exam 70-240 isn’t enough to make you a Win2K MCSE. You also have to pass one design exam and have two current electives.

Accelerated Exam 70-240

Title
Microsoft Windows 2000 Accelerated Exam for MCPs Certified on Microsoft Windows NT 4.0.

Requirements
You have a one-time, free opportunity to take the Accelerated Exam if you’ve passed these three Windows NT 4.0 tests:

  • 70-067: NT Server 4.0
  • 70-068: NT Server 4.0, Enterprise
  • 70-073: NT Workstation 4.0

What 70-240 Replaces

  • 70-210: Installing, Configuring and Administering Microsoft Windows 2000 Professional
  • 70-215: Installing, Configuring and Administering Microsoft Windows 2000 Server
  • 70-216: Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
  • 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure

What Classes Prepare You
These classes aren’t required for the exams, but if you learn best with instructor-led training, here’s the roster of courses that will prepare you for the Accelerated Exam:

  • 1560: Updating Support Skills From Microsoft Windows NT 4.0 to Microsoft Windows 2000
  • 2151: Microsoft Windows 2000 Network and Operating System Essentials
  • 2152: Implementing Microsoft Windows 2000 Professional and Server
  • 2153: Implementing a Microsoft Windows 2000 Network Infrastructure
  • 2154: Implementing and Administering Microsoft Windows 2000 Directory Services

Deadline
This intensive exam, which will be available through Dec. 31, 2001, covers the core competencies of exams 70-210, 70-215, 70-216 and 70-217. Vouchers for the exam will only be distributed through Nov. 1, 2001. The test can be taken one time only. If you don’t pass the exam, you must take all four core exams.

Now for the good news. Exam 70-240 is free! You need to order your exam voucher on the MCP secure Web site at https://partnering.one.microsoft.com/mcp. Exam 70-240 will be available until Dec. 31, 2001. However, you must request your voucher by Nov. 1. The voucher number will be e-mailed to you.

Remember how the test centers got jammed up with people trying to get their NT tests done before the February deadline? Microsoft expects the same high demand at test centers as the Dec. 31 deadline nears, and it doesn’t plan to extend the date. To get the time and date you want, register early. When you’re ready to use your voucher to register for the exam, simply contact Prometric or VUE and tell them you’re using the voucher to pay for the exam. (Their contact details are included in “Additional Information.”)

You only have one chance to take exam 70-240. If you fail, you must take the four individual Win2K core exams. Microsoft wants to minimize unnecessary item exposure, so retaking a test that you’ve already passed is considered a violation of the non-disclosure agreement. That means if you pass all four core exams, you can’t take 70-240. Likewise, if you pass 70-240, you can’t then take each of the individual core exams. However, you can take some of the individual core exams and then try 70-240 (an important strategy, as I’ll soon explain).

About the Exam
The test is divided into four sections, one section or subtest for each of the individual core exams. Think of it as taking four not-so-long tests in one very long session. You’ll have four hours to complete the exam. There are about 100 questions, and they’re divided about equally between the four sections. Each section is about an hour long, with about 25 questions. You must finish one section before going on to the next.

Tip: There’s no set order in which to receive the four subtests, so don’t expect that your test will start with the Professional exam. The score is a simple pass/fail. You won’t receive a score, a description of how you did on each subtest, or a breakdown that corresponds to test objectives.

Microsoft offers both traditional and adaptive format exams. A traditional exam has a fixed number of questions. You can go back and forward in the exam, which means you can mark questions for review. An adaptive exam varies in length. The test starts with an easy to moderately difficult question. If you answer that one correctly, the next question is more difficult. If you answer the question incorrectly, the next question is easier. This process continues until the test determines your ability level. From the test-taker’s perspective, one of the most noticeable features of the adaptive exam is that you can’t go back to review questions. Once you answer a question, it’s graded and you go on to the next. At the time I took Exam 70-240, it was a traditional exam—meaning, non-adaptive—but Microsoft reserves the right to change the testing format at any time.

Tip
Four hours is a long time. If you think you’ll need a bathroom break during the exam, ask the staff at the testing center how they prefer to deal with this in a secure fashion. When I took the test, I asked the proctor before I was seated. I think she thought it was a weird question until I explained that the test was four hours long.

Two Philosophies
Given the size and difficulty of the exam, one of the first things everyone asks a trainer is: “Help! How do I study for this exam?” QuickStart Technologies Trainer Larry Passo passes on two different philosophies to his students:

  • I must pass! Study for all four core exams. When you think you’re ready, pay to take the one core exam that worries you the most. For most people this will probably be exam 70-216, Network Infrastructure, or exam 70-217, Directory Services. If you pass, sign up to take 70-240. You’re ready to go! If you fail the core exam, study more or think about the next approach.
  • I’m going to take the exam but I don’t want an ulcer. Study hard, then go take it. If you pass, celebrate! If not, you had a wonderful, free, practice exam. Use what you learned about your weak areas to get ready for the individual exams.

Which one is a better choice? It depends. If you need to keep your MCSE current when the end of this year arrives, then you probably want to take the first approach. In this situation, I’d also recommend taking 70-240 sooner rather than later. If you fail, you still have time to get your certification upgraded before the deadline. If you’re willing to let your certification lapse for a while, then the second approach is attractive. The test is free, so you might as well take it while you have the chance.

Once you’ve made that decision, it’s time to hit the books! Which are the best? Well, I started working with Win2K when it was still in beta, so I used the online help, pored over the Server Resource Kit (when it came out), and spent a lot of time playing with the product. In other words, I didn’t use any books. They weren’t available.

Of course, for you it’ll be easier. Scads of preparation guides exist. The materials—reviewed in these pages every month—can help give your study efforts a jumpstart.

My best advice for picking out a set of books is this: Go to your favorite bookstore with the huge technical section and grab a pile of Win2K Professional books. Spend time reading a little from each. Pick the one that makes sense to you. Writers have their own styles, and you’ll be more likely to read the book if you actually like the way it’s written. Make sure the book you pick has plenty of practice/step/how-to sections. Then, after you’ve bought your favorite selection, do each one of the practice labs. Then do this for each of the core topics.

I tend to prefer four individual books instead of a single upgrade book. Buying four books will, of course, repeat some information, but that never hurts when you’re studying. I find that this approach focuses the reader on the objectives for a specific exam. Remember: Exam 70-240 is actually four different tests in one sitting. I think it helps to drill down on a specific set of test objectives when you study because that’s the way the exam is presented. However, if you like the single-book approach, then hit those shelves and yank out the all-in-one-volumes. Be sure to check the content if you buy a single upgrade book. To cut down the size of the book, the publisher might skip some topics or only cover them on an accompanying CD.

I also recommend that you supplement whatever books you read with the Windows 2000 Server Resource Kit. If there’s a topic not covered in much detail in one of your books, odds are good it’s in the Kit. Use it as a reference. As an added bonus, it’s also a great guide for the design exams (and a useful real-life administrative resource).

In the lists throughout this article, I suggest tasks that you should complete as you study for the exam. In the rest of the story, I’ll take you on a tour of the new technologies emphasized in each exam.

Additional Information
You’ll find links to the preparation guidelines for each exam encompassed by the 70-240 test at www.microsoft.com/trainingandservices/exams/examasearch.asp?PageID=70-240. MCP Magazine reviewed each of the four core exams in a special supplement that went out with the July 2000 issue. You can find those reviews online at www.mcpmag.com. Choose the Windows 2000 button in the left menu bar.

Contributing Editor Greg Neilson offers an article on tips for passing the Accelerated exam on CertCities.com at www.certcities.com/editorial/tips/story.asp?EditorialsID=8.

A list of frequently asked questions about Windows 2000 MCSE certification is located at www.microsoft.com/trainingandservices/default.asp?PageID=mcp&PageCall=faq&SubSite=cert/mcse&AnnMenu=mcse#2title.

The home for Windows 2000 on Microsoft’s Web site resides at www.microsoft.com/windows2000.

You’ll find Windows 2000 Online Help at www.microsoft.com/windows2000/library/resources/onlinehelp.asp.

The Windows 2000 Technical Library is located at www.microsoft.com/windows2000/library/default.asp. Pay special attention to the Operations and Step-by-Step Guides in this area, for example, the Step-by-Step Guide to Distributed File System (Dfs).

You’ll find the Windows 2000 Server Resource Kit and Windows 2000 Professional Resource Kit home page—which includes dozens of free tool downloads—at www.microsoft.com/windows2000/library/resources/reskit/default.asp.

You’ll find information about the Microsoft Press certification titles at http://mspress.microsoft.com/certification. Request your exam voucher at https://partnering.one.microsoft.com/mcp.

Contact Prometric to schedule your exam at www.2test.com or call 800-755-3926 or 612-820-5707.

Contact VUE to schedule your exam at www.vue.com/ms or call 800-837-8734.

Knowing Win2K Professional
As you’ve probably noticed by studying the exam guidelines that Microsoft makes available on this test, the Win2K Professional Exam has seven major content areas. They include installation, resource administration, hardware administration, system performance, desktop management, networking and security. Let’s drill down on each.

Win2K allows you to boot from the installation CD-ROM, which really speeds up an attended installation. If your computer doesn’t support booting from the CD-ROM, you need to make boot disks with makeboot.exe or makebt32.exe. Remote Installation Services (RIS) is new to Win2K. You need to set up the RIS server, which requires Active Directory (AD), DNS and DHCP. Be aware that DHCP broadcasts aren’t necessarily routed, so you need to make sure DHCP clients can contact the DHCP server. RFC 1542-compliant routers can forward DHCP requests. If your routers don’t support this, you can install a DHCP Relay Agent on the network segments without local DHCP servers.

Make sure you understand how to apply Win2K service packs to your shared network copies of the Win2K installation files by invoking update.exe with the -s option (slipstreaming). That way, after installing new Win2K features, you no longer have to reapply the service pack. Also be familiar with the WINNT32 /checkupgradeonly option and the downloadable CHKUPGRD.EXE tool, both of which verify the compatibility of the machine to be upgraded.

For resource management, make sure you know your NTFS and share permissions inside and out. Compression is an NTFS attribute, so when you copy and move files, it behaves like NTFS permissions. However, there are a couple of gotchas. Encryption and compression are mutually exclusive: you can’t compress an encrypted file and you can’t encrypt a compressed file. Also, because compression is an NTFS attribute, a compressed file copied to a FAT partition is stored uncompressed. Encryption is a little different from compression in that when an encrypted file is copied or moved to a different Win2K NTFS drive, it always remains encrypted. This is even the case when copying to an NTFS drive on a remote Win2K machine.

Printing hasn’t changed much from NT 4.0. You still need to know the basics of printer management, such as printer installation, how to set permissions, configuration options such as printer priorities, and how to change the location of the spool folder. One new feature is Internet printing. The print server must be running IIS; then you can connect to a printer via a URL. Use http://servername/printers to see a list of all printers on that server. Use http://servername/printersharename to go directly to the page for that printer.

Win2K supports FAT, FAT32 and NTFS. Keep in mind that the Windows 9x platform doesn’t support NTFS. So if you’re setting up a dual-boot system, use FAT or FAT32 for any partition that needs to be visible to both operating systems.

The hardware management section of the objectives really relies on experience. If you’ve set up your share of computers, exam questions that cover these objectives will be pretty straightforward. If you haven’t, get your hands on some hardware.

Tip
As a new feature, Win2K supports multiple monitors.

Know how to configure offline files. By default, Win2K Professional is enabled to use offline files while Win2K Server isn’t. Even though your computer is enabled to use offline files, you still need to select the folders and files that you want to make available offline. Use Synchronization Manager to control how those files are synchronized with the network. You can synchronize files at log on or log off, when your computer is idle, or according to a specific schedule. You can also create different synchronization rules, depending on the network connection the computer is currently using.

Optimizing your computer’s performance is similar to NT 4.0. System Monitor is essentially Performance Monitor in new clothes: it now runs as a snap-in inside the MMC, or Microsoft Management Console. Understand when you need an additional CPU or just more memory. Hardware profiles are also similar to NT. They’re most often used with laptop computers to manage a docked vs. undocked environment. Generally, you disable devices you don’t need under a specific profile.

Windows Backup is your basic tool for backing up data and the system state data. The system state data on a Win2K Professional computer includes the registry, boot files and COM objects. Be aware that you can back up and restore data locally or remotely. Backup or restore of the system state data, however, must be done locally.

You should also know what comprises system state data for servers. For Win2K servers, it includes the same information as Win2K Professional along with the certificate services database, if it exists. Also, for Win2K domain controllers (DCs), this includes the same information for Win2K servers, plus AD and the Sysvol folder.

You have new options for troubleshooting boot problems. Safe mode loads a minimal driver set during start up. You can also boot to the command-line Recovery Console. The Recovery Console can be used to start and stop services, read and write data on a local drive and format disks.

Tip
New desktop options include Regional Options, Faxing and Accessibility Options.

Windows Installer packages are another important topic for the knowledgeable MCSE. Make sure you understand the difference between assigning an application to a user or a computer and publishing an application to a user. When you publish an application, it appears in Add/Remove Programs in Control Panel, and the application will automatically install if the user tries to open a document supported by that application (document invocation). Assigning an application to a user creates shortcuts to it in the user’s Start menu, which will automatically install the application the first time the user attempts to use it; publishing doesn’t. Also, applications that don’t support the new Windows Installer format can’t be assigned; they can only be published. Applications assigned to computers are automatically installed the next time the computer boots.

For TCP/IP, of course, you need to know the basics for configuration and troubleshooting. Much of what you need to understand here will be covered in detail when you study for the Network Infrastructure section of the exam.

Dial-up networking is alphabet soup. You need to know authentication protocols backward and forward, including EAP (Extensible Authentication Protocol), MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol), MS-CHAP v1, CHAP, SPAP (Shiva Password Authentication Protocol) and PAP. Also know your VPN protocols, PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol). When you create a dial-up connection, you can share it with Internet Connection Sharing (ICS). Understand how to set up ICS and how it works. This is a really neat feature for connecting a small network (like the one in your home) to the Internet.

EFS, the Encrypting File System, is a new feature of NTFS. Be aware that you can’t compress encrypted files. Only the person who encrypted a file or the designated Recovery Agent can decrypt that file.

40 Tasks to Prepare for the 70-210 Win2K Professional Exam

Installing Windows 2000 Professional

  1. Install Windows 2000 Professional
  2. Create an answer file and perform one unattended installation in which you boot from CD-ROM and one where you connect to a distribution server.
  3. Download the latest service pack and apply it to your Professional installation.
  4. Use slipstreaming to integrate the service pack into a distribution image of Professional.
  5. Set up a RIS server and use it to install Windows 2000 Professional. (This exercise should be done in conjunction with the RIS exercises for the AD exam. You may want to put this one off until you’re studying for that test.)

Administration of Resources

  1. Practice with NTFS permissions. What happens when you Deny Full Control to Everyone?
  2. Copy and move files within and between NTFS partitions. What happens to the permissions?
  3. Compress a file and then try to encrypt it. Can you?
  4. Share a folder on an NTFS partition and configure the share permissions. How do the share permissions interact with the NTFS permissions?
  5. Use convert.exe to convert from FAT or FAT32 to NTFS.
  6. Install a printer and configure the permissions. Then use your Web browser to connect to the printer.

Hardware Devices and Drivers

  1. Upgrade from a basic to a dynamic disk.
  2. Configure spanned and striped volumes.
  3. Set up a computer with two monitors.
  4. Install an old driver and then update it.
  5. Change the binding order on your network adapter.
  6. If possible, install a second processor in a computer.

System Performance and Reliability

  1. Change your driver signing options. Configure the computer to block the installation of unsigned drivers, and then try to install one.
  2. Use Task Scheduler to schedule a task.
  3. Set up offline files. Try different synchronization options.
  4. Use System Monitor to monitor your computer’s performance.
  5. Set up hardware profiles.
  6. Back up your computer with Windows Backup. Try it remotely and locally. What happens when you try to back up or restore the system state data remotely?

The Desktop Environment

  1. Set up a roaming and a mandatory roaming profile.
  2. Add an additional language and use the locale indicator on the Taskbar to switch between languages.
  3. Deploy a Windows Installer package through a Group Policy object. What’s the difference between assigning and publishing the application?
  4. Set up a fax.
  5. Configure Accessibility options. Use Utility Manager to start them automatically when the computer starts.

Network Protocols and Services

  1. Configure TCP/IP manually and as a DHCP client. What happens when no DHCP server is available for the client?
  2. Create different types of dial-up connections. Dial up to the Internet, a VPN connection and a remote access server.
  3. Set the authentication methods and data encryption for a dial-up connection. In what case is each authentication method best used? How does encryption interact with each authentication method?
  4. Set up Internet Connection Sharing. How do the ICS clients need to be configured?

Security

  1. Use Encrypting File System (EFS) to encrypt data. Try to share an encrypted file. What happens?
  2. Recover an encrypted file with the Recovery Agent.
  3. Use the Security Configuration and Analysis snap-in to compare your computer’s security with one of the standard templates.
  4. Take a look at the options in the security templates: basicwk.inf, compatws.inf, securews.inf and hisecws.inf. When would you use each template?
  5. Set up auditing.
  6. Configure the password policy on the local computer.
  7. Create local users and groups and assign them access to resources.
  8. Create domain users and groups and assign them access to resources.

Mastering Win2K Server
According to the exam guidelines for this portion of the Accelerated test, there are seven major content areas for the Server exam. They include installation, resource administration, hardware administration, system performance, storage use, networking and security.

Understand the consequences of upgrading PDCs and BDCs. You must upgrade the PDC in an NT 4.0 domain before you can upgrade any BDCs or even install a new Win2K DC. If you simply go ahead and install a new Win2K DC, you haven’t upgraded the NT domain; instead, you’re trying to replace it!

Resource administration concepts are similar to those you need to understand for the Professional exam. You need a thorough knowledge of NTFS and share permissions. You also need to know how to provide print services to non-Windows clients. For example, how do you set up a printer so that a Unix client can use it? And how do you set up a Unix printer so that a Windows client can use it?

Dfs (distributed file system) is a new feature. You can create a stand-alone Dfs installation, but it won’t be fault tolerant. Domain-based Dfs is fault tolerant. You can create replicas of folders so that data is accessible, even if one copy of the folder is offline.

Web files and folders are covered in the objectives, so study the MMC for IIS. Understand how to configure site properties and permissions on folders. (There’s a Web sharing tab on the properties dialog box of each folder.)

Tip
System Monitor is similar to NT Performance Monitor. You also need to understand how to stop processes and set priorities with Task Manager.

The hardware management section of this exam really relies on experience. If you’ve set up your share of computers, you’ll be prepared. If you haven’t, get your hands on some hardware. Make sure you get plenty of practice with the Device Manager tool and understand how you can use it to update the installed version of the driver you’re using. Driver signing is a new feature. You can Block, Ignore, or Warn when a user tries to install an unsigned driver. You can also set these options with GPOs (Group Policy Objects).

Backup is similar to the Professional exam, with one big exception: when restoring a DC, you must understand the difference between an authoritative and non-authoritative restore of AD. This topic is also covered in the Directory Services exam.

Tip
To learn more about this topic, check out Jeremy Moskowitz’s article, “Active Directory, Back from the Dead,” in the February 2001 issue.

How much do you know about disks and volumes? Win2K introduced basic and dynamic disks. Basic disks are also used in NT and Windows 9x computers, but dynamic disks are only used with Win2K. You’d better understand disk mirroring, RAID and fault-tolerance concepts, hot-swappable drives, and how to recover failed drives.

Data compression and disk quotas are new to Win2K. Be aware that quotas measure uncompressed disk space, so a user may get an out-of-space warning even if it looks like he or she has some space left.

As a certified professional, you need to be able to set up the server side of the virtual private network or VPN. Know the “alphabet soup” of VPNs and authentication protocols. Make sure you’ve studied Routing and Remote Access. Do you know which options are set up with policies and which are set with profiles? Also, configuration options will change, depending on whether your domain is in Mixed or Native mode.

Terminal Server is a big new topic. It runs in two modes: remote administration and application. Application mode runs applications on the terminal server and can also be used to control a user’s terminal services session remotely.

Tip
Read Bruce Rougeau’s article, “Progress at the Speed of Thin,” in the July 2000 issue for more on this topic.

As I mentioned in my coverage of the Professional exam, EFS is a new topic for Windows 2000. As administrator, you must be able to recover files that have been encrypted.

NT and 9x computers can’t use the new GPOs of Win2K. For these clients, you need to be able to integrate System Policy into your Win2K environment. Note that Win2K Professional computers won’t take System Policy from Win2K DCs, but they will take it from NT 4.0 DCs—a big problem if you’re in the middle of an upgrade!

Users, groups, password policies, auditing and user rights are all similar to how they function in NT. Security templates are a new topic. Know how each of the different standard templates affects the security configuration of the computer.

40 Tasks to Prepare for the 70-215 Win2K Server Exam

Installation

  1. Install Windows 2000 Server.
  2. Promote a Windows 2000 Server to a DC.
  3. Upgrade a server from Windows NT 4.0 to Windows 2000.
  4. Upgrade an NT 4.0 domain to Windows 2000.
  5. Perform an unattended installation from a distribution server.
  6. Download the latest service pack and install it on your server.
  7. Install and configure a printer. Set permissions.
  8. Create a printer pool.
  9. Configure printer priorities.
  10. Install and configure a printer that can be used by Unix clients.
  11. Install and configure a printer that will allow Windows clients to print to a print device physically attached to a Unix computer.
  12. Review NTFS and share permissions. (You studied them for the Professional exam.)
  13. Set up a stand-alone Dfs.
  14. Set up a domain-based Dfs and create a replica.
  15. Configure Web site properties.
  16. Configure file permissions for files in your Web site.

Hardware Devices and Drivers

  1. Configure driver signing options on the server.
  2. Install an old driver and update it. Take a look at the Windows Update Web site.
  3. Use Task Manager to set the priority of a process.
  4. Use Task Manager to end a process.
  5. Use System Monitor to monitor your server’s performance.
  6. Use Windows Backup to back up the server locally and remotely. What happens when you try to back up and restore system state data remotely?
  7. Back up the system state data on a DC. Perform an unauthoritative restore and an authoritative restore.
  8. Upgrade a disk from basic to dynamic.
  9. If possible, create mirrored and RAID-5 volume.
  10. Remove a drive so that your mirror or RAID-5 volume fails. Then recover from the failure.
  11. Configure disk quotas for all users and for a few specific users.
  12. After configuring disk quotas, log on with an account that has a small quota, and copy a large amount of data. What happens when you exceed the quota limit?

Network Connections

  1. Install and configure DNS. (You’ll need to do this when you set up your first DC.)
  2. Install and configure DHCP.
  3. Set up a VPN on the server. Have a client connect to the VPN.
  4. Set up Routing and Remote Access as a remote access server.
  5. Create a remote access policy and a remote access profile. What are the implications of a Native mode domain vs. a Mixed mode domain?
  6. Install Terminal Services as remote administration server. Connect to your server remotely and administer the server.
  7. Install Terminal Services as an application server. Install an application on the server. Run the application as a remote user (not an administrator).
  8. Set up the Terminal Server (in application mode) for remote control. Try to control the remote client’s terminal services session.
  9. Install NWLink and GSNW. If possible, create a gateway to resources on a NetWare server. What happens if you configure NWLink to use a frame type not currently in use on your network?
  10. Create an NT 4.0 Group Policy and make it available to an NT 4.0 client from a Windows 2000 DC.
  11. Review the EFS, auditing, password policy, and user and group exercises you completed as you studied for the Professional exam.
  12. Review the security template exercises that you completed as you studied for the Professional exam. This time, look at the server templates instead of the workstation templates.

Inside the Win2K Network Infrastructure
You need to be an expert in eight major areas for the Network Infrastructure exam. These consist of DNS, DHCP, remote access, network protocols, WINS, IP routing, NAT and certificate services. This section is often considered the most difficult part of the exam. In my opinion, the thing that makes this part of the exam so difficult is the large and diverse number of topics that it covers.

Let’s start with DNS. The basics are the same as NT 4.0, with two important additions: dynamic updates and Active Directory (AD)-integrated zones. Win2K DNS is actually Dynamic DNS. That means statically configured clients can automatically send their IP address and host name information to the DNS server. When using DHCP with a Win2K client, the default behavior is that the DHCP server updates the client’s PTR (reverse lookup) record and the client updates its own A (host) record. (Of course, older, non-Win2K clients don’t know how to do this.) AD-integrated zones store the zone database in AD. This is usually Microsoft’s preferred approach for implementing a Win2K DNS structure, and it has some real advantages: integrated zones support secure updates, and you don’t have to configure zone replication, because it’s taken care of as part of AD replication.

DHCP also has some new features. An important one is its ability to update the dynamic DNS server with records for older clients. Win2K DHCP servers need to be authorized to run in an AD environment. This decreases administrative headaches, because it makes rogue DHCP servers less likely.

Tip
Non-Win2K DHCP servers have no idea they need to be authorized, so this doesn’t prevent someone from installing an unauthorized NT 4.0 DHCP server!

You also should understand superscopes and multicast scopes and when each is used. Another newer feature you need to be aware of involves the client. If a Win2K DHCP client can’t find a DHCP server, it will assign itself an IP address using Automatic Private IP Addressing (APIPA). An APIPA address has the format 169.254.x.y, with subnet mask 255.255.0.0. Option classes are another interesting new feature: they let you hand out different DHCP-assigned values depending on the type of client, either a user class (by function) or a vendor class (by hardware or vendor type).

The remote access objectives are similar to those in the Server exam. One of the few new objectives is RRAS and DHCP integration. RRAS leases addresses from DHCP in blocks of 10 and passes them out to client computers.

Tip
As you study network protocols, you’ll find plenty of overlap with what you need to understand for the Server and Professional exams. For instance, you need to know TCP/IP backward and forward. You should also be very comfortable with subnet masks, always a favorite exam topic.
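The APIPA rule above (169.254.x.y with mask 255.255.0.0) and the subnet-mask arithmetic this Tip refers to, as an added Python example that is not part of the article: it classifies addresses, applies a mask the way the exam expects, and flags adapters in constructed ipconfig-style output that fell back to APIPA, which on a Win2K client means no DHCP server answered. The ipconfig lines are constructed, and the RFC 1918 private ranges used for the NAT side come from that standard, not from the article.

```python
import ipaddress
import re

# Constructed sample in ipconfig style (not real output); the first adapter
# has fallen back to an APIPA address, i.e. no DHCP server answered it.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 169.254.17.203
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection 2:
        IP Address. . . . . . . . . . . . : 192.168.0.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
"""

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # 169.254.x.y / 255.255.0.0
# RFC 1918 ranges (assumption taken from the standard, not the article): the
# addresses NAT or ICS must translate before traffic can leave for the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip: str) -> str:
    """Return 'apipa', 'private' or 'public' for a dotted-quad address."""
    addr = ipaddress.ip_address(ip)
    if addr in APIPA_NET:
        return "apipa"        # self-assigned: the DHCP client found no server
    if any(addr in net for net in PRIVATE_NETS):
        return "private"      # fine on the LAN, needs NAT/ICS beyond it
    return "public"


def network_of(ip: str, mask: str) -> str:
    """Network address for ip under a dotted mask (ip AND mask)."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.network_address)


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts can reach each other without a router."""
    return network_of(ip_a, mask) == network_of(ip_b, mask)


def find_apipa_adapters(ipconfig_text: str) -> list:
    """Names of adapters whose address is APIPA, i.e. DHCP never answered."""
    failures, adapter = [], None
    for line in ipconfig_text.splitlines():
        header = re.match(r"^(\S.*):$", line)        # e.g. "Ethernet adapter X:"
        if header:
            adapter = header.group(1)
            continue
        addr = re.search(r"IP Address.*:\s*(\d+\.\d+\.\d+\.\d+)", line)
        if addr and classify(addr.group(1)) == "apipa":
            failures.append(adapter)
    return failures


if __name__ == "__main__":
    print(find_apipa_adapters(SAMPLE_IPCONFIG))
    print(network_of("192.168.1.77", "255.255.255.192"))
```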

A topic new to this exam is IPSec (IP Security), which protects IP packets as they’re transmitted over the network. The default IPSec policies are Client (Respond Only), Server (Request Security), and Secure Server (Require Security). The Client policy allows plain-text communications but will respond to IPSec requests and attempt to negotiate a secure connection. The Server policy has the server attempt to initiate a secure connection; however, the server will still allow communication with a non-IPSec-aware client. The Secure Server policy requires that all clients connecting to the server be IPSec-aware. Note that this policy prevents communication with unsecured clients!
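The three default policies as a negotiation table, in an added Python model that is not part of the article and is not how Windows implements IPSec internally. It encodes only the behaviour described above: Respond Only answers but never initiates, Request Security initiates and falls back to clear text, Require Security refuses any unsecured peer; NONE stands for a host with no IPSec policy assigned.

```python
from enum import Enum


class Policy(Enum):
    NONE = "no IPSec policy assigned"        # e.g. a non-IPSec-aware client
    RESPOND_ONLY = "Client (Respond Only)"
    REQUEST = "Server (Request Security)"
    REQUIRE = "Secure Server (Require Security)"


def initiates(policy: Policy) -> bool:
    """Request Security and Require Security open a negotiation themselves."""
    return policy in (Policy.REQUEST, Policy.REQUIRE)


def can_negotiate(policy: Policy) -> bool:
    """Any assigned policy, including Respond Only, can answer a negotiation."""
    return policy is not Policy.NONE


def negotiate(side_a: Policy, side_b: Policy) -> str:
    """Outcome for traffic between two hosts: 'secured', 'cleartext' or 'blocked'."""
    attempted = initiates(side_a) or initiates(side_b)
    # A negotiation succeeds only when both ends can take part in it.
    if attempted and can_negotiate(side_a) and can_negotiate(side_b):
        return "secured"
    # No security association was set up: Require Security refuses to fall
    # back to clear text, Request Security and Respond Only allow it.
    if Policy.REQUIRE in (side_a, side_b):
        return "blocked"
    return "cleartext"


def policy_matrix() -> dict:
    """Every pairing, keyed by (policy on host A, policy on host B)."""
    return {(a.name, b.name): negotiate(a, b) for a in Policy for b in Policy}


def print_matrix() -> None:
    """Print the table the way you would check it while studying."""
    width = max(len(p.name) for p in Policy)
    print("A \\ B".ljust(width), *(b.name.ljust(width) for b in Policy))
    for a in Policy:
        print(a.name.ljust(width), *(negotiate(a, b).ljust(width) for b in Policy))


if __name__ == "__main__":
    print_matrix()
```

The real default policies also carry a rule that permits ICMP without IPSec, which this model leaves out.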

If you’re up to speed on WINS for NT 4.0, the WINS section of the exam should be a breeze. If not, it’s time to hit the books. The biggest change with NetBIOS in Win2K is that it’s no longer needed. However, unless you’re working in a completely Win2K environment, you need NetBIOS name resolution and WINS for your older clients. You can disable NetBIOS over TCP/IP on your Win2K computers, but then they’ll have problems communicating with older computers that use NetBIOS.

Tip
Make sure to read Roberta Bragg’s three “Security Advisor” columns on IPSec in the August 2000, March 2001 and April 2001 issues.

Win2K supports static and dynamic routing. With static routing you manually enter the routes in the routing table. Dynamic routing protocols such as RIP and OSPF exchange routes among dynamic routers. OSPF routers exchange link state information and build a map of the network, from which each router calculates the best path to every network. Problems can occur when the routing (link state) database becomes too large, so OSPF divides the network into areas to keep the databases manageable. A backbone area connects the other areas to each other, and each router keeps a database only for the areas to which it’s connected. Area Border Routers connect the backbone to the other areas.

Win2K supports two different solutions for translating private IP addresses to public IP addresses: ICS, already discussed, and Network Address Translation (NAT). As I mentioned earlier, ICS is only intended for use in very small offices or at home. Essentially, you share the modem in one computer and set up all other computers as DHCP clients. The computer with the modem becomes a mini DHCP server (but you can’t configure anything) and your gateway to the Internet. Don’t use ICS if you’re already running DHCP on your network or if you have more than a single subnet. NAT is the solution for most situations. It translates private IP addresses into public IP addresses so that traffic can be sent from your internal network out onto the Internet. The NAT computer can also act as a simplified DHCP server, although this isn’t required.

Certificate Services supports two types of Certificate Authorities (CAs): Enterprise and Stand-Alone. An Enterprise CA is integrated with AD. When a user requests a certificate, the user’s credentials are checked against the AD database and the certificate is automatically granted or denied. A Stand-Alone CA isn’t integrated with AD. When a user requests a certificate, an administrator must review the request. It won’t be automatically processed.

40 Tasks to Prepare for the 70-216 Win2K Network Infrastructure Exam

DNS

  1. Install DNS.
  2. Set up primary forward lookup zone and a reverse lookup zone.
  3. Convert your primary zone to an AD integrated zone.
  4. Configure secure updates and dynamic updates.
  5. Delegate a zone.
  6. Use NSLOOKUP to query the DNS entries.
  7. Use the new IPCONFIG options on a client to reregister its address with DNS (ipconfig /registerdns) and to clear the local DNS resolver cache (ipconfig /flushdns).

DHCP

  1. Install DHCP.
  2. Authorize the DHCP server.
  3. Set up a scope. Configure common options such as default gateway and DNS server address. Set up a second scope and create a superscope.
  4. Configure a multicast scope.
  5. Configure DHCP to update dynamic DNS.

Remote Access

  1. Configure Routing and Remote Access as a remote access server.
  2. Create a remote access policy and create a remote access profile.
  3. Set up remote access authentication and encryption protocols. Configure a dial-up client computer and determine which protocols you should use to connect to the RRAS server. Test the connection.
  4. Set up Routing and Remote Access to host a VPN.
  5. Configure Routing and Remote Access for DHCP integration.

Network Protocols

  1. Install NWLink. Take a look at the options, such as frame type.
  2. Configure your network bindings.
  3. If possible, install GSNW and connect to a NetWare server.
  4. Configure TCP/IP packet filters.
  5. Configure IPSec. Set up transport mode and tunnel mode. Take a look at custom IPSec policies and rules.

WINS

  1. Install WINS on two servers.
  2. Set up replication between the two servers.
  3. Configure DHCP to provide WINS server addresses to client computers.
  4. Create static mappings in the WINS server database. For example, create a static mapping for a Unix computer that is not a WINS client.
  5. Know the NetBIOS node types, such as b-node and h-node. Configure a WINS proxy.

IP Routing

  1. Configure Routing and Remote Access to support routing.
  2. Create a static routing table.
  3. Install and configure a dynamic routing protocol such as RIP.
  4. Configure a demand-dial connection using a modem.

Network Address Translation (NAT)

  1. Use ICS to share a modem and configure a client to connect to the Internet through the ICS computer.
  2. Install and configure NAT. You can do this with a computer that has a modem for the outgoing connection.
  3. In this exercise, your network has no DHCP server. Configure NAT to assign DHCP addresses to clients on your network.
  4. Configure a client to connect to the Internet through the NAT computer.

Certificate Services

  1. Install a standalone CA.
  2. Install an enterprise CA.
  3. Issue certificates with each type of CA.
  4. Revoke a certificate. Publish the certificate revocation list.
  5. Export and import EFS recovery keys.

Detailing Win2K Directory Services
You need to be well-versed in five major areas for the Directory Services exam: AD, DNS with AD, change and configuration management, managing and optimizing AD, and security.

Alas, unlike the other exams in 70-240, you won’t find much here that’s a repeat of NT 4.0. This exam is all new. For that reason, it ranks right up there with Network Infrastructure as the test people most worry about. Fortunately, it doesn’t have as many topics. You simply need a good foundation in AD (if I can use the word “simply” in the context of AD!).

Many of the installation topics are pretty straightforward. Dcpromo.exe promotes a Win2K member server to a DC. When run on a Win2K DC, it demotes the computer to a member server by removing AD. A site is a well-connected portion of your network. (Generally speaking, “well-connected” means approximately LAN (10Mb) speeds—so 56Kbps definitely isn’t!) Site boundaries are defined by subnets, and sites are connected by site links. Site links can be configured to control replication between the sites. In a fully routed network, you don’t need to create site link bridges because all site links using the same protocol are automatically bridged by default. However, if your network isn’t fully routed, you should disable default site link bridging and create your own site link bridges.

Pay special attention to global catalog servers and operations master roles. You need to understand what each of the operations master roles does, what happens when a master role is unavailable, and what to do when a master is unavailable. Unless there’s only one DC, the infrastructure master role shouldn’t be on a DC that’s hosting the global catalog. If you put both functions on the same computer, the infrastructure master won’t find out-of-date data and won’t replicate changes to other DCs.

Tip
If every DC is also a global catalog server, it doesn’t matter which DC is the infrastructure master.

You need to understand AD backup and restore with Windows Backup. Work with Ntdsutil until you’re familiar with all of its options. It’s used in an authoritative restore, to move the AD database and to compact the database. (In this case don’t forget to boot your server in Directory Services Restore mode first.)

If you studied DNS for the Network Infrastructure section of the exam, you should be almost up to speed for DNS with AD. The emphasis is the integration of DNS and AD. Non-Win2K DNS can be used with AD if it supports SRV records. Microsoft strongly recommends dynamic update support, but it’s not required. BIND DNS version 8.1.2 and later meet the requirements of AD.

The change and configuration management section of the objectives could just as easily be named GPOs and RIS. One of the best things you can do to study for the exam (and for real life) is to spend plenty of time in the Group Policy MMC. The User and Computer configuration containers have slightly different configuration options. Make sure you can picture each container and the available options.

Generally, you link a GPO to a site, domain or organizational unit (OU), and the GPO affects all of the objects in that container. However, sometimes you need to modify that behavior. You can modify GPO inheritance with the Block Policy Inheritance and No Override options. You can also use security groups to apply a GPO only to selected groups of users and/or computers.
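The precedence rules above, as an added Python model that is not the article’s own material and not how Windows implements Group Policy internally: site, domain and OU GPOs apply in that order with later ones winning on conflicting settings; Block Policy Inheritance discards GPOs linked above the blocking container; a No Override link wins over everything below it and survives a block; a GPO filtered by security group applies only to principals in the allowed groups. The container, GPO and setting names are invented, and the sample also covers the No Override and Block Policy Inheritance combinations the 70-217 exercises below ask you to try.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> value
    apply_to: set = None           # groups holding Apply Group Policy; None = everyone

@dataclass
class Link:
    gpo: GPO
    no_override: bool = False      # "No Override" set on this link

@dataclass
class Container:                   # a site, a domain or an OU
    name: str
    links: list = field(default_factory=list)   # highest precedence first
    block_inheritance: bool = False             # "Block Policy Inheritance"

def resolve(chain: list, principal_groups: set) -> dict:
    """Effective settings for a principal whose container path is
    chain = [site, domain, OU, sub-OU, ...] listed from the top down."""
    # The lowest container that blocks inheritance discards every link
    # above it, except links marked No Override.
    blocked_above = None
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            blocked_above = depth
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for link in reversed(container.links):   # lowest precedence first
            allowed = link.gpo.apply_to
            if allowed is not None and not (allowed & principal_groups):
                continue                         # filtered out by security group
            if link.no_override:
                enforced.append(link.gpo)
            elif blocked_above is None or depth >= blocked_above:
                normal.append(link.gpo)
    effective = {}
    # Apply order (last writer wins): normal links top-down, then No Override
    # links bottom-up so that a higher-level No Override beats a lower one.
    for gpo in normal + list(reversed(enforced)):
        effective.update(gpo.settings)
    return effective

# Constructed sample: the domain enforces a lockdown, the Sales OU blocks
# inheritance, and an admin-tools GPO is filtered to Domain Admins only.
SITE = Container("Default-First-Site-Name", [Link(GPO("SiteBanner", {"banner": "site"}))])
DOMAIN = Container("corp.example", [
    Link(GPO("DomainLockdown", {"banner": "domain", "run_cmd": False}), no_override=True),
    Link(GPO("DomainDefault", {"wallpaper": "corp.bmp"})),
])
SALES_OU = Container("Sales", [
    Link(GPO("SalesDesktop", {"run_cmd": True, "wallpaper": "sales.bmp"})),
    Link(GPO("AdminTools", {"admin_tools": True}, apply_to={"Domain Admins"})),
], block_inheritance=True)

def sales_user(groups) -> dict:
    """Settings a member of the Sales OU ends up with, given its group memberships."""
    return resolve([SITE, DOMAIN, SALES_OU], set(groups))
```

Even though the Sales OU blocks inheritance and re-enables run_cmd, the No Override domain link still wins, which is exactly the case to look for when you check an affected user.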

Tip
Review John Gunson’s article, “Assembly Line Deployment,” in the May 2000 issue to learn more about RIS.

Software deployment through Group Policy is a new feature of Win2K, and one that Microsoft is rightly proud of. Plan on knowing this well! As I’ve already discussed, there’s a difference between assigning and publishing an application. Know the difference.

RIS is another new feature that you should know inside out. An installation image is placed on the RIS server. To create this image, you install Win2K Professional on a standard computer. Configure the OS as desired and install any standard applications. Then run the wizard to add an image, which prepares the image and places it on the RIS server. Like DHCP servers, RIS servers need to be authorized in AD.

Tip
Every AD object has an Access Control List (ACL) that lists user permissions for that object. You can assign these permissions to grant administrative privileges to an object. The easiest way to do this is through the Delegation of Control Wizard.

Managing and optimizing AD is your next topic of study. Play with the MOVETREE command. Moving objects within a domain is simple: right-click an object and use the Move command. However, moving between domains is a bit more complicated. MOVETREE will move an object or a non-empty container to a different domain. You can move empty Domain Local and Global groups between domains. If they have members, you can move them only within a domain. You can also move Universal groups with members within and between domains. Note that in all of these cases the domains need to be in the same forest.

Security topics like auditing and security templates are similar to those in the Server and Professional exams. However, the emphasis is different here. Remember that you can assign security configurations and audit policies through GPOs. They don’t have to be set up individually on each computer.

40 Tasks to Prepare for the 70-217 Win2K Directory Services Exam

Active Directory

  1. Run dcpromo.exe to install AD. If you have enough computers, set up different domain combinations. This can be done on two computers by uninstalling and reinstalling AD in each of the combinations. If you have enough hard drive space, this can also be done on two computers, each of which has multiple boots. Try these: a) two DCs in the same domain; b) the first domain in a tree plus a child domain; c) the first domain in the forest plus an additional domain in the forest.
  2. Use dcpromo.exe to uninstall AD.
  3. Create and implement an OU structure. Make something that might work within your current job environment. In other words, make something relatively sophisticated and then use it for experimentation as you practice other AD tasks.
  4. Create three or four sites.
  5. Create subnets and assign them to the sites that you created.
  6. Move a server object from one site to another.
  7. Configure site links between each of the sites. Make sure you understand how to configure options such as replication interval, replication protocol, and cost.
  8. Create a site link bridge. (Note: This isn't required in fully routed networks, since all site links using the same protocol are bridged by default.)
  9. Create a global catalog server. (Note: This is done in networks with multiple sites to prevent global catalog queries from being performed across slow WAN links.)
  10. Make sure you can transfer operations master roles. Use Ntdsutil.exe to seize a role. What is the difference between simply transferring a role and seizing a role? Know the effects of each role going down.
  11. Use Windows Backup to back up AD.
  12. Perform an unauthoritative restore and an authoritative restore.

DNS for AD

  1. Install DNS and set up an AD integrated zone.
  2. Install DNS on a member server and set up non-AD integrated zones. Then run dcpromo on another computer and use the DNS server you just created to provide DNS services to your domain.
  3. Configure a zone for dynamic updates.
  4. Configure an AD integrated zone for secure updates.
  5. If you have access to a non-Windows 2000 DNS server that supports SRV resource records and dynamic updates, set up your AD environment to use this server. (This is a neat real life exercise, but if you don't have the equipment to do it, don't worry. Just make sure you understand the concepts.)
  6. Replicate data between DNS servers.

Change and Configuration Management

  1. Create multiple GPOs and link them to OUs, domains or sites. Make sure some of the configured options conflict with each other and then check the resulting options on a computer or user affected by multiple GPOs.
  2. Modify GPO inheritance by experimenting with No Override and Block Policy Inheritance. Try different combinations and then check the resulting options on an affected computer or user.
  3. Use security groups to filter the effects of a GPO. For example, create GPO with a very restricted desktop and link it to the domain. With filtering, make sure the GPO isn't applied to members of the Administrators group.
  4. Delegate administrative control of Group Policy.
  5. Use Group Policy to assign security templates, such as securews.inf and compatws.inf, to computers.
  6. Create and assign startup/shutdown and logon/logoff scripts. What happens when you assign multiple scripts? For example, assign a startup script to a computer and then assign a logon script to the user of that computer.
  7. Deploy a software package with Group Policy.
  8. Deploy an upgrade or patch to a software package deployed with Group Policy.
  9. Assign software to users and to computers. Then publish a package to users. How does each of these deployment options appear to the user?
  10. Use Group Policy to redirect a folder (such as My Documents) to a network server.
  11. Set up a RIS server and create an image that can be installed on the client. (The RIS exercises should be done in conjunction with the RIS exercises for the Professional exam.)
  12. Authorize your RIS server.
  13. Grant a user the right to create computer accounts for RIS installation.
  14. If you have the equipment, connect to the RIS server from a client that supports booting from the network. Also, use rbfg.exe to create a boot floppy to connect to the RIS server and start the installation.

Components of AD

  1. Delegate administrative control. Give someone full control of an OU. Give another user the right to change passwords for all accounts in the domain, but no other administrative abilities.
  2. Publish a shared folder and an NT printer in AD.
  3. Set permissions on AD objects to control access.
  4. Set up replication between two AD sites.

AD Security Solutions

  1. Create an audit policy on a DC. For example, audit logons, try to log on and fail. Also audit access to a file or printer, connect to the resource, and then view the audit results.
  2. Use the secedit command to refresh a policy after you make changes to the GPO's settings.
  3. Use Security Configuration and Analysis to open a security template. Make some changes to the template, save it with a new name, and then apply the new template to a computer.
  4. Create a security policy, such as a password policy, and apply it to the domain with a GPO.

It’s Waiting for You
There’s a lot of information covered on this behemoth of an exam, but it’s passable! Get yourself some study resources and try the homework exercises. Then grit your teeth and take on your future. Good luck!
