Exam Reviews

70-290: Under New Management

Been through exam 70-218? This exam covers a familiar mix of security, permissions, and backup topics, with a heaping scoop of Windows 2003-specific features thrown in.

• By Andy Barkl
• 08/19/2003

Windows Server 2003 offers many new features and services beyond those found in Windows 2000 and the 70-290 exam reflects some of those differences. You'll find it similar to 70-218, Managing a Microsoft Windows 2000 Network Environment, where you were expected to prove your knowledge of AD, EFS, IIS, DNS and DCHP to name a few.

This new exam is similar in many respects as far as content, but includes additional topics such as the new DNS zone types offered in Windows Server 2003 and IAS and RRAS, which weren't as heavily tested in the Windows 2000 exam. This new exam concentrates on using Windows Server 2003 and network management. You'll need to demonstrate expertise in the areas of permissions, profiles, system backup, disk management and a familiarity with new product features such as Automated System Recovery (ASR) and Volume Shadow Copy. You'll also need to dive into security from a Microsoft perspective to prepare for this exam, since it's become more of a focus for the product.

What you probably won't be impressed with on this new exam is its engine. The text is lengthy, scroll bars are touchy and the screen is often split into three sections with lots of white space that you must scroll around in to move to the next question!

I tackled 70-290 in its beta form and won't know how I did until shortly after you've read this article. My intent in this review is to help you prepare for the test by covering some of the objectives listed in the exam preparation guide.

The table below spells out other core requirements for each credential. I suggest you start with the client exam then move in this order: 70-290, 70-291, 70-293, 70-294, 70-297 and 70-298, the same order recommended by Microsoft.

Table 1. Requirements for each of the certification paths. Exam 70-290 satisfies a core requirement for the MCSA-Windows 2003 and MCSE-Windows 2003.

Core Exams MCSA-Windows 2003 Core Exams MCSE-Windows 2003 Accelerated Path MCSA-Windows 2000 Accelerated Path MCSE-Windows 2000 Normal Path MCSA-Windows 2000 70-290: Managing and Maintaining a Windows Server 2003 Environment 70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure 70-291: Implementing, Managing and Maintaining a Windows Server 2003 Network Infrastructure x 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure No other core or elective requirements necessary for MCSA-Windows 2000. 70-296: Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 70-294: Planning, implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure 70-294: Planning, implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure Core Client (take one) No other core or elective requirements necessary for MCSE-Windows 2000. No additional Core Client Exam required. 70-210: Installing, Configuring and Administering Windows 2000 Professional 70-270: Installing, Configuring and Administering Windows XP Professional xxx Core Design (take one) Core Design (take one) 70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure (Note: May be used as Design requirement or elective, but not both) 70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure (Note: May be used as Design requirement or elective, but not both) 70-298: Designing Security for a Windows Server 2003 Network (Note: May be used as Design requirement or elective, but not both) 70-298: Designing Security for a Windows Server 2003 Network (Note: May be used as Design requirement or elective, but not both)

Working with Devices
You'll need to demonstrate expertise with managing and maintaining physical and logical devices. As an administrator or engineer you should be expected to understand Basic and Dynamic disks, RAID configuration and troubleshooting, driver signing and the use of tools such as Device Manager and Hardware Troubleshooting Wizard.

Requirements Spelled Out Exam 70-290 is a core requirement for anyone wanting to be certified as an MCSA or MCSE on Windows Server 2003. Of course, if you're already certified on Windows 2000, you can bypass this one and go straight to 70-292 for the MCSA upgrade or 70-292 and 70-296 for the MCSE upgrade. These exams won't encompass a beta testing period since they'll include questions from other Windows 2003 exams such as this one.

As a reminder, basic disks can be converted to dynamic with no data loss but require backup and restore to revert back to basic. Dynamic disks are required for Disk Striping, mirroring and striping with parity.

Tip: When repair is necessary for a RAID 1 member, the mirror is first removed, failed member disk replaced, and the mirror recreated.

When updating drivers with Device Manager, the system driver signing includes the options for Ignore, Warn (the default) and Block. Familiarize yourself with Device Manager and the warning and disabled icons found when problems are present on installed devices.

A New Type of Question Exam 70-290 includes a new question type from Microsoft (see figure). The screen is split into three areas with the question at the top, pick-and-place items on the bottom left and configuration screens on the bottom right. A new question type splits the screen in three sections, which will require considerable scrolling action on small displays. (Click image to view larger version.) The areas are resizable just like frames of a Web page. This means you may have to do lots of scrolling and careful reading during the exam since many testing centers have smaller monitors that we're accustomed to on our desks. Many of the questions require selecting the correct button or checkbox on a simulated product screenshot. Microsoft offers a demo of all the new question types at http://www.microsoft.com/traincert/mcpexams/faq/innovations.asp.

Users, Computers and Groups
The next objective, 'Managing Users, Computers and Groups,' includes many topics, so you should be prepared to face many questions that fall into this category.

Taking the 70-210 or 70-270 client OS exam before 70-290 will help. That ensures you'll have a healthy introduction to profile management, user and group accounts, permissions and troubleshooting.

The difference for this exam is you'll need to think more on a server and network level rather than from the lone client desktop perspective.

Tip: These new exams include topics not necessarily on the list of official exam objectives as posted from Microsoft. Better get used to it! For example, although there's no mention of printers in the official exam objectives, you should be prepared! After all, printers are bound to be part of a production Windows 2003 network.

70-290: Managing and Maintaining Windows Server 2003 Exam Title 70-290: Managing and Maintaining a Microsoft Windows Server 2003 Environment Status Expected to go live in August 2003. Reviewer's Rating "This exam is 'wordy' and requires expertise with Windows permissions, profiles, system backup, disk management and a familiarity with a few new server management features, ASR and Volume Shadow Copy." Who Should Take It Core for MCSA and MCSE on Windows Server 2003. Exam Guidelines www.microsoft.com/traincert/ exams/70-290.asp

ADUC, Active Directory Users and Computers, is the MMC snap-in used to create user and group accounts, manage user profiles and group membership. It includes the Delegation of Control Wizard, which is used to assign administrative permission at the Organizational Unit (OU) level.

Windows 2000 and 2003 both include two types of groups, Security and Distribution. Security groups are used in the traditional sense to group users for permissions to network resources. Distribution groups are used for e-mail only.

Tip: Remember AGUDLP If you're not familiar with the way Windows is designed for managing folder and file permissions, you need to study! Accounts are placed into Global Groups, which are placed into Universal Groups, which are placed into Domain Local Groups where Permissions are assigned. Accounts can also be placed directly into DL groups.

Active Directory objects such as user, group and computer accounts all have permissions assigned that can be inherited from higher levels or removed by using Block Inheritance.

If you've worked with Windows 2000, then you know that Group Policies enable centralized management of user and computer settings throughout the network. GP Objects or GPOs can be used to perform a variety of administrative tasks, including configuration of desktop settings, control of security settings, assignment of scripts, redirection of folders and software distribution. Group Policies are inherited by child domains from sites or child OUs within domains unless you enable Block Policy Inheritance, which can be reversed with No Override at a higher level. You can also filter inheritance with Read and Apply Group Policy permissions at the user or group level.

Resources
The objective Managing and Maintaining Access to Resources encompasses shared folder permissions and Terminal Services, among other topics.

Administrators and Server operators have the default rights to create and manage shared folders. Read, Change and Full Control are still present and cumulative. NTFS permissions are also cumulative but the most restrictive prevails when combined with shared folder permissions. Deny overrides all other permissions!

Files and folders can be encrypted with EFS, which requires NTFS. Don't forget to brush up on how folder and file permissions can change or stay the same when copying or moving within a drive or between drives.

The names have changed slightly. Windows 2000 Terminal Services remote administration mode is called Remote Desktop for Administration in Windows Server 2003. There have been many improvements made to Terminal Services, but it still operates the same, and daily administration hasn't changed much. However, expect coverage on the exam around such areas as licensing and remote connection management.

The Server Environment
In the objective Managing and Maintaining a Server Environment you'll find coverage of topics such as Event Viewer, System Monitor, software updates (including the functionality of Microsoft's Software Update Service or SUS), Remote Assistance, disk quotas, print queues, performance objects and IIS 6.0.

Event Viewer is the first resource most administrators refer to when checking, monitoring and troubleshooting application, security and system events. It allows you to filter displayed logged events by date, time, user and many other options.

System Monitor is the tool of choice when monitoring system activity in real time. Make sure you understand the most popular object counters such as % Processor Time, % Disk Time, Pages/Second and Page/Faults for memory objects.

New to the Windows Server 2003 exams is SUS. Although it's an add-on component in a Windows network, it's required these days for deploying and managing client and server critical updates. Through the Automatic Updates option built in since Windows 2000, client computers can be redirected to internal SUS servers instead of windowsupdate.microsoft.com. This allows administrators to better plan, test and track changes.

Tip: SUS requires IIS!

Speaking of IIS, another new version has arrived: 6.0. It's more secure by design and out of the box. In the course of your studies and experimentation, remember: This exam is about server and network administration. Spend time understanding IIS topics around Web sites, Virtual and physical directories, files and host and cname records in DNS.

Tip: Multiple Web sites can be hosted on a single IIS server with unique IP addresses, port numbers or host headers.

Disaster Recovery
Included in the final objective on the list, Managing and Implementing Disaster Recovery, you'll find coverage of ASR, VSS, backing up files and system state data, configuring security for backup operators, verifying backup jobs, managing media, restoring and scheduling backups and recovering from server hardware failures.

Automated System Recovery (ASR) allows you quickly and automatically to bring a non-bootable machine to a state where you can run a restore program to recover data. ASR will configure the new storage devices and restore the operating system, all applications and settings. The process for recovering a system using ASR is as follows:

1. Boot from a Windows Server CD and choose Automated System Recovery.
2. Provide access to the backup media and a pre-prepared ASR floppy.
3. Take a break. You'll come back to a working server with the operating system.

To use ASR, you have to prepare an ASR backup first. An ASR backup is a regular system backup plus the ASR floppy disk. This disk contains important configuration information about the server's storage system as well as information on how to restore the backup.

When you boot from the product CD and press the F8 key, you'll enter the ASR bootstrap program. The ASR code in Windows setup knows how to read the ASR floppy disk to reconfigure the server's storage system. ASR will automatically invoke the restore program to restore the rest of the data from the ASR backup.

Volume Shadow Copy Service (VSS) is another new feature, which allows administrators to create a point-in-time copy of user files that the user can access and restore when previous versions are needed. These snapshots can save both IT staff and users a whole lot of time usually spent waiting for manual restore operations of accidentally deleted files from tape. As the server administrator you can schedule the copy time-for instance twice a day at 0700 and 1200 hours, five days a week. If the amount of user data is great and changes often, you can even store this data on alternate server volumes!

If you have hosts other than Windows Server 2003 such as XP, Windows 2000 with SP3 or Windows 98, you'll need to install the shadow copy volume component available on the XP product CD (%Windir%\System32\Clients\Twclient\X86 or download it from http://www.microsoft.com) to enable the use of previous file access and restore. Once configured per volume, users will find the Previous Versions tab in the properties selection for files and folders on a network shares. Users can then select View, Copy or Restore; they'll be presented with a list of read-only file and folder copies they can access. For more information see the white paper, "Introduction to Shadow Copies of Shared Folders," at www.microsoft.com/windowsserver2003/docs/SCR.doc.

10 Things To Practice Configure and troubleshoot shared folders permissions-again, and again and again. Create different scenarios for your family and friends group accounts. Be the network administrator! Configure Volume Shadow Copy Service on your server and don't turn it off. (This has got to be one of the coolest new features of Windows Server 2003!) Load the client component and restore previously deleted files. Run Automated System Recovery, even if you don't want to simulate a dead server. Be sure to follow the steps I outline in the main article and in the help files. Download and install Software Update Services on your server. Download the latest Windows updates and configure the client to use your SUS server. Run server backups if only to a file as the destination. Just as important, restore the backups and verify EFS, compression and NTFS permissions remain the same. Create and assign permissions to printer users and change them for fun! Find out what happens when you stop the printer spooler service. Create a few group policies and explore the different computer and user settings available. Link a GPO to a parent OU and view the results of computer and user accounts changes within child OUs with and without Block Policy Inheritance and No Override. Create user accounts in Active Directory for your family and friends. Add them to groups and log on with their accounts from a client or a second server. Change group scope and membership, practice using the AGUDLP. Configure inheritance and inheritance blocking with AD objects. Set permissions and view their effects when accessed by different family members and friends. Configure and recover RAID arrays. Get at least three small hard drives and create a stripe, mirror and stripe set with parity configuration. Disconnect one of the RAID 1 or 5 drives and reconnect for a recovery scenario. Watch how Windows 2003 behaves and the warning and error messages it displays.

Data and system backups are still a must with Windows 2003 even with all the new file management services. Make sure you understand the nuances of backup, such as which is the fastest backup type (full, incremental or differential) and which is the fastest to restore or uses the fewest number of tapes? The answers to these questions are the same as they've always been! Incremental is the fastest but starts with a full backup. Differential offers the fastest restore, but full backup use the least amount of tape per backup cycle.

Tip: Backup of the System State includes the system files, the registry, Component Services and the Active Directory database Certificate Services.

Running the backup program still requires either Administrator or Backup operator permission. To run the backup program using Task Scheduler, you'll need to be a member of the administrator, backup operator or server operator group.

Server hardware failures happen! Windows 2003 offers ASR, but that doesn't address all troubleshooting and repair needs an administrator may have. Other resources include Performance console, Task Manager and Recovery Console. Make sure you understand which tool to use when the fatal time comes as well as how each serves a different purpose. Be sure to study each one and get the hands-on necessary to show your expertise!

Additional Information The exam guidelines are available here: www.microsoft.com/traincert/exams/70-290.asp. Study resources for Windows Server 2003 can be found within the help and documentation of the product. Of course, you'll also want as much hands-on practice as you can obtain. If your company hasn't made the move yet, work with the 180-day evaluation, available here: www.microsoft.com/windowsserver2003/evaluation/trial/default.mspx. There's also a lot of information available online from Microsoft such as at the Windows Server Community: www.microsoft.com/windowsserver2003/community/default.asp. I would expect self-study guides from sources such as Microsoft Press, New Riders, Sybex and others to start appearing in late August or early September. You can also take the Microsoft official training course at your local CTEC from an MCT. The course numbers are 2274 and 2275.

Final report
In my next article, I help you prepare for exam 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, which I don't consider nearly as tough as the 70-216, the Windows 2000 edition of this exam! Good luck!