Exam Reviews
70-291: Underpinnings of a Windows 2003 Network
This exam requires you to show expertise with TCP/IP, DNS, DHCP, RRAS and ISA Server, as well as a few services not mentioned on the objectives list.
Exam 70-291 is similar to 70-218, Managing a Microsoft Windows 2000 Network
Environment, which is required for Windows 2000 MCSAs. I took the exam
in its beta form, but it was made available August 14 (see "Exams
70-290, 70-291 Debut Aug. 14," in News). In this review, I'll
walk you through the study areas I believe you should focus on in your
preparation.
IP Addressing
The first exam objective that Microsoft lists is Implementing,
Managing, and Maintaining IP Addressing. For this test you'll be expected
to demonstrate knowledge of TCP/IP addressing and all facets of DHCP,
including scopes, relay agents, reservations, databases, Automatic Private
IP Addressing (APIPA) and a little troubleshooting of all the above.
You may find a few subnetting questions, misconfigured subnet masks and
gateways, the ever-present APIPA "default" addressing (169.254.x.x, which
a DHCP client falls back to when no server answers its requests)
and ipconfig output with errors to diagnose.
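As an added illustration (it is not part of the original review), here is a small Python checker that applies those same diagnostic rules to ipconfig-style values: an APIPA address, a gateway outside the host's subnet, a host address that is really the subnet's network or broadcast address, a non-contiguous mask, and a mask that disagrees with the segment the host is plugged into. The sample hosts, their addresses and the segment they are supposed to be on are constructed for the example.

```python
import ipaddress

# Link-local range a Windows DHCP client falls back to when no lease is obtained.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def diagnose(ip, mask, gateway, segment=None):
    """Return a list of finding codes for one host's IP configuration.

    ip, mask and gateway are the strings you would read off "ipconfig /all".
    segment is the ipaddress network the host is physically attached to
    (known to the troubleshooter, not to the host); when given, the host's
    mask is checked against it.  An empty list means nothing looks wrong.
    """
    findings = []
    addr = ipaddress.ip_address(ip)

    if addr in APIPA_NET:
        # No DHCP server answered: server down, relay agent missing, or scope exhausted.
        findings.append("APIPA")

    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError:
        # e.g. 255.255.0.255: not a valid contiguous netmask.
        return findings + ["BAD_MASK"]
    net = iface.network

    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        # A host cannot use the all-zeros or all-ones host address of its subnet.
        findings.append("HOST_IS_NET_OR_BCAST")

    if gateway:
        if ipaddress.ip_address(gateway) not in net:
            # The host can never ARP for a router that is not on its own subnet.
            findings.append("GATEWAY_OFF_SUBNET")
    elif "APIPA" not in findings:
        findings.append("NO_GATEWAY")

    if segment is not None and addr in segment and net != segment:
        # Wrong mask: the host treats some remote hosts as local (or vice versa).
        findings.append("MASK_MISMATCH")

    return findings


# Constructed sample: six hosts that are all supposed to sit on 10.1.4.64/26.
SEGMENT = ipaddress.ip_network("10.1.4.64/26")
SAMPLE_HOSTS = {
    "WS01": ("10.1.4.70", "255.255.255.192", "10.1.4.65"),   # healthy
    "WS02": ("169.254.113.9", "255.255.0.0", ""),            # no lease obtained
    "WS03": ("10.1.4.70", "255.255.255.192", "10.1.4.1"),    # gateway typed wrong
    "WS04": ("10.1.4.64", "255.255.255.192", "10.1.4.65"),   # network address used as host
    "WS05": ("10.1.4.70", "255.255.255.0", "10.1.4.65"),     # mask too wide for the segment
    "WS06": ("10.1.4.70", "255.255.0.255", "10.1.4.65"),     # non-contiguous mask
}


def run_samples():
    """Diagnose every sample host; returns {hostname: [finding codes]}."""
    return {name: diagnose(*cfg, segment=SEGMENT) for name, cfg in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for host, found in run_samples().items():
        print(f"{host}: {', '.join(found) or 'OK'}")
```

The MASK_MISMATCH case (WS05) is the one that fools people: the host can still reach its gateway, so ping to the router works, but it believes every 10.1.4.x address is local and will ARP for hosts that are really on the other side of the router.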
When it comes to DHCP, not much has changed in Windows 2003. You'll need
to display knowledge of server placement (local, remote or in the middle).
If you place servers locally, DORA (Discover, Offer, Request and Acknowledgment)
traffic remains on the segment; to cover the case where the local server
is unavailable or out of addresses, Microsoft's recommended 80/20 rule should
be followed: Place 80 percent of a scope's addresses on the local server
and 20 percent as backup on a server on a remote segment, reached through
a DHCP relay agent.
Tip: Windows 2003 DHCP can use Windows Clustering. This
allows two or more servers to be managed as a single system and allows
a local backup server.
You should know how to calculate, configure and troubleshoot such a split.
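To make the arithmetic concrete, here is an added Python example (mine, not from the review) that plans such a split for a constructed scope and checks the result. It follows the way Windows DHCP servers actually implement a split: both servers define the identical scope, and each carries an exclusion range covering the other server's share. The share is a parameter, so the same call plans an 80/20 or a 75/25 split; the address range used is made up.

```python
import ipaddress


def split_scope(first, last, local_share=80):
    """Plan a split scope for one subnet's address pool.

    Both DHCP servers define the *same* scope (first..last).  The split is made
    with an exclusion range on each server, so each one only ever offers its own
    share.  local_share is the percentage kept on the local (primary) server.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    total = int(hi) - int(lo) + 1
    if total < 2 or not 0 < local_share < 100:
        raise ValueError("need at least two addresses and a share strictly between 0 and 100")
    local_count = max(1, total * local_share // 100)
    local_last = lo + (local_count - 1)
    remote_first = local_last + 1
    return {
        "scope": (str(lo), str(hi)),
        "local": {"offers": (str(lo), str(local_last)),
                  "exclude": (str(remote_first), str(hi))},
        "remote": {"offers": (str(remote_first), str(hi)),
                   "exclude": (str(lo), str(local_last))},
        "counts": {"local": local_count, "remote": total - local_count},
    }


def _expand(first, last):
    """Set of every address from first to last inclusive (fine for scope-sized ranges)."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return {str(a + i) for i in range(int(b) - int(a) + 1)}


def plan_is_consistent(plan):
    """True if the servers' offered ranges are disjoint and together cover the whole scope."""
    local, remote = _expand(*plan["local"]["offers"]), _expand(*plan["remote"]["offers"])
    return not (local & remote) and (local | remote) == _expand(*plan["scope"])


if __name__ == "__main__":
    plan = split_scope("192.168.10.11", "192.168.10.210")
    for server in ("local", "remote"):
        print(server, "offers", plan[server]["offers"], "excludes", plan[server]["exclude"])
    print("consistent:", plan_is_consistent(plan))
```

The remote server only sees the client's DHCPDISCOVER through a relay agent (or an RFC 1542-compliant router) on the client's segment; the relay's gateway address is what lets the remote server pick the matching scope. Because the local server's offer normally arrives first, clients use the remote share only when the local server is down or has run dry.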
Configuring scopes with options such as router (003), DNS servers (006),
DNS domain name (015) and WINS/NBNS servers and NetBIOS node type (044 and
046), and understanding the default name resolution order, is required
knowledge for this exam. The host name resolution order is: local host name
and the DNS client resolver cache (which is preloaded from the hosts file),
DNS, then the NetBIOS methods: NetBIOS name cache, WINS, broadcast and the
LMHOSTS file.
Table 1. Requirements for each of the certification paths. Exam 70-291
satisfies a core requirement for the MCSA-Windows 2003 and MCSE-Windows 2003.

Core Exams, MCSA-Windows 2003:
- 70-290: Managing and Maintaining a Windows Server 2003 Environment
- 70-291: Implementing, Managing and Maintaining a Windows Server 2003 Network Infrastructure
- Core Client (take one): 70-210: Installing, Configuring and Administering Windows 2000 Professional, or 70-270: Installing, Configuring and Administering Windows XP Professional

Core Exams, MCSE-Windows 2003:
- 70-290 and 70-291 (as above)
- 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure
- 70-294: Planning, Implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure
- Core Client (take one): 70-210 or 70-270 (as above)
- Core Design (take one): 70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure, or 70-298: Designing Security for a Windows Server 2003 Network (Note: either may be used as the Design requirement or as an elective, but not both)

Accelerated Path, MCSA-Windows 2000:
- 70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000
- No other core or elective requirements necessary for MCSA-Windows 2000.

Accelerated Path, MCSE-Windows 2000:
- 70-292 (as above)
- 70-296: Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000
- No other core or elective requirements necessary for MCSE-Windows 2000.

Normal Path, MCSA-Windows 2000:
- 70-293 and 70-294 (as above)
- No additional Core Client exam required.
- Core Design (take one): 70-297 or 70-298 (as above)
Name Resolution
The next exam objective listed is Implementing, Managing
and Maintaining Name Resolution. This is all about DNS. Windows 2003 offers
a new zone type that you'll want to study and try out, the stub zone, and
a feature called Conditional Forwarding.
As Bill Boswell explains in his book, Inside
Windows Server 2003, "A stub zone is used in place of delegation
records when configuring a parent DNS server to send referrals to delegated
DNS servers in a child domain." A stub zone contains a copy of a
zone holding only the original zone's start of authority (SOA) and name server
(NS) records, that is, the list of the zone's authoritative servers, plus
the glue host (A) records needed to reach those servers.
A DNS server that hosts a stub zone is configured with the IP address
of the master server from which it loads the zone. When this server receives
a query for a name in the zone to which the stub zone refers, it uses the
name server records held in the stub zone to query the authoritative servers
directly on the client's behalf, instead of forwarding the query or starting
from the root hints.
When a DNS server loads a stub zone, it queries the zone's master servers
for the SOA record, the NS records at the zone's root and the host (A) records
of those name servers. To keep these records current, the server hosting the
stub zone re-queries the master servers when the SOA refresh interval expires.
You can use stub zones to ensure that the server that is authoritative
for a parent zone automatically receives updates about the servers that
are authoritative for a child zone. To do this, you add the stub zone
to the server that is hosting the parent zone. Stub zones can be either
stand-alone or Active Directory-integrated.
Although Microsoft recommends conditional forwarding for making servers
aware of other namespaces, you can use stub zones instead.
Conditional forwarding gives you control of name resolution beyond the
single, all-purpose forwarder list of earlier versions: a DNS server can be
configured to forward queries to different servers based on the domain name
in the query, while everything else still goes to the general forwarders or
root hints. This eliminates steps in the resolution path and reduces network
traffic. It is especially useful during a network merger, when two namespaces
must resolve each other's names although neither is authoritative for the other.
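An added example (not from the review, and not Microsoft's code) that models the order in which a Windows 2003 DNS server decides where a query it cannot answer from cache goes, so the difference between a stub zone and a conditional forwarder is visible: the most specific matching zone first (a primary zone answers; a stub zone supplies the name servers to query), then the conditional forwarder with the longest matching domain name, then the general forwarders, then root hints. The zone names and server addresses are made up.

```python
def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_domain(qname, domain):
    """True if qname is domain itself or lies under it (label boundaries respected)."""
    q, d = _labels(qname), _labels(domain)
    return len(d) <= len(q) and q[len(q) - len(d):] == d


def _longest_match(qname, domains):
    """Most specific (most labels) entry of `domains` that contains qname, or None."""
    hits = [d for d in domains if in_domain(qname, d)]
    return max(hits, key=lambda d: len(_labels(d))) if hits else None


def resolution_path(qname, server):
    """Where a Windows 2003-style DNS server sends a query it cannot answer from cache.

    `server` describes one DNS server (all keys are assumptions of this model):
      zones          {zone name: "primary" | "secondary" | "stub"}
      stub_masters   {stub zone name: [IPs of its authoritative name servers]}
      conditional    {domain: [forwarder IPs]}   conditional forwarders
      forwarders     [IPs]                       forwarders for all other domains
      use_root_hints bool
    Returns (how, targets).
    """
    zone = _longest_match(qname, server["zones"])
    if zone is not None:
        if server["zones"][zone] == "stub":
            # Not authoritative, but it knows the authoritative servers: ask them directly.
            return "stub-zone", server["stub_masters"][zone]
        return "authoritative", [zone]

    domain = _longest_match(qname, server["conditional"])
    if domain is not None:
        return "conditional-forwarder", server["conditional"][domain]
    if server["forwarders"]:
        return "forwarder", server["forwarders"]
    if server["use_root_hints"]:
        return "root-hints", []
    return "fail", []


# Constructed configuration: the head-office DNS server of contoso.com, which
# holds a stub zone for the child domain and conditional forwarders for a partner.
HQ_DNS = {
    "zones": {"contoso.com": "primary", "sales.contoso.com": "stub"},
    "stub_masters": {"sales.contoso.com": ["10.0.5.1", "10.0.5.2"]},
    "conditional": {"fabrikam.com": ["10.9.0.2"], "corp.fabrikam.com": ["10.9.1.2"]},
    "forwarders": ["192.0.2.53"],
    "use_root_hints": True,
}


if __name__ == "__main__":
    for name in ("srv1.contoso.com", "www.sales.contoso.com",
                 "mail.corp.fabrikam.com", "www.notfabrikam.com"):
        print(name, "->", resolution_path(name, HQ_DNS))
```

Note the label-boundary test in in_domain: a forwarder for fabrikam.com must not catch queries for notfabrikam.com, and the more specific corp.fabrikam.com entry wins over fabrikam.com, exactly as the server picks the closest-matching conditional forwarder.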
Tip: AD-integrated DNS zones offer fault tolerance through
Active Directory replication, because every domain controller that runs
DNS holds a writable copy of the zone.
AD-integrated zones also support the secure dynamic update option, which
prevents computers and users not granted write permission in the zone's ACL
from changing zone records.
Nslookup, Event Viewer, System Monitor and the DNS server's own logging are
the tools included with Windows Server to troubleshoot name resolution
problems. Nslookup is the best bet; use it to query name servers manually,
pointing it at a specific server (server <name>) and record type (set
type=<type>) to check each step of a resolution chain.
The DNS Server log in Event Viewer often holds the key to ongoing or past
problems. System Monitor is a "live" tool for finding performance problems.
DNS logging (the DNS Server event log and, at packet level, debug logging)
can reveal management problems such as failed zone transfers.
Requirements Spelled Out

Exam 70-291 is a core requirement for anyone wanting to be certified as an
MCSA or MCSE on Windows Server 2003. Of course, if you're already certified
on Windows 2000, you can bypass this one and go straight to 70-292 for the
MCSA upgrade or 70-292 and 70-296 for the MCSE upgrade. These exams won't
encompass a beta testing period since they'll include questions from other
Windows 2003 exams such as this one.
Network Security
Next up: Implementing, Managing and Maintaining Network Security.
Here you may find questions about security templates, IPSec monitoring
and troubleshooting with Event Viewer and Network Monitor.
To apply an IPSec policy in a domain environment, you must understand
IPSec policy precedence. Unlike most Group Policy settings, which are
cumulative, only one IPSec policy can be assigned to a computer at a time.
If IPSec policies are assigned at several levels, the last one applied is
the one that takes effect. IPSec policy assignment uses the same processing
order as other Group Policy settings, from lowest to highest precedence:
local GPO, site, domain and then OU (a child OU's GPO is applied after its
parent's, so it wins).
New to Windows 2003, you can use RSoP (Resultant Set of Policy) to analyze
IPSec policy assignments. RSoP is a Group Policy snap-in used to view
IPSec policy assignments for a computer.
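To show the difference between cumulative settings and the single IPSec assignment slot, here is an added Python model (not from the review, and not how Windows implements Group Policy internally) that walks a computer's GPOs in processing order and produces the kind of answer RSoP gives: the merged settings, the one IPSec policy that ended up assigned, and which GPO assigned it. The GPO names, settings and policy names are made up.

```python
LEVELS = ("local", "site", "domain", "ou")  # Group Policy processing order, lowest precedence first


def resultant_policy(gpos):
    """Compute the resultant configuration from GPOs given in processing order.

    Each GPO is a dict: {"name": str, "level": one of LEVELS,
                         "settings": {setting: value}, "ipsec": policy name or None}.
    Ordinary settings accumulate, later GPOs overriding earlier ones setting by
    setting.  The IPSec assignment is a single slot: the last GPO that assigns a
    policy wins outright, so an OU-linked assignment replaces a domain-linked one
    completely, and a GPO that assigns nothing leaves the earlier assignment alone.
    """
    settings, ipsec, trail = {}, None, []
    last_rank = -1
    for gpo in gpos:
        rank = LEVELS.index(gpo["level"])
        if rank < last_rank:
            raise ValueError(f"{gpo['name']}: GPOs must be supplied in local, site, domain, OU order")
        last_rank = rank
        settings.update(gpo["settings"])
        if gpo["ipsec"] is not None:
            ipsec = (gpo["ipsec"], gpo["name"])
            trail.append(ipsec)
    return {"settings": settings, "ipsec": ipsec, "ipsec_trail": trail}


# Constructed example: one computer with GPOs at three levels. The child OU's GPO
# comes last because a child OU's GPOs are processed after its parent's.
GPOS = [
    {"name": "Local Computer Policy", "level": "local",
     "settings": {"AuditLogon": "Failure"}, "ipsec": "Client (Respond Only)"},
    {"name": "Default Domain Policy", "level": "domain",
     "settings": {"MinPasswordLength": 8, "AuditLogon": "Success, Failure"},
     "ipsec": "Server (Request Security)"},
    {"name": "Servers OU Policy", "level": "ou",
     "settings": {"LockoutThreshold": 5}, "ipsec": None},
    {"name": "Web Servers OU Policy", "level": "ou",
     "settings": {}, "ipsec": "Secure Server (Require Security)"},
]


def demo():
    """Resultant policy for the constructed computer."""
    return resultant_policy(GPOS)


if __name__ == "__main__":
    result = demo()
    print("settings:", result["settings"])
    print("assigned IPSec policy:", result["ipsec"])
    for policy, gpo in result["ipsec_trail"]:
        print(f"  {gpo} assigned {policy}")
```

Drop the last GPO from the list and the domain's "Server (Request Security)" assignment remains in force even though the Servers OU GPO is applied after it, which is what an exam exhibit showing an OU GPO with no IPSec assignment is testing.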
Tip: Using the Event Viewer Application log, you can begin
the process of troubleshooting when it comes to IPSec. Read carefully,
understand the question and view the exhibit to help make sense of the
vague Event Viewer screenshots!
Network Monitor is a preferred tool for viewing real-time captured network
data. It can also assist when troubleshooting IPSec. Know the basics of
this tool for this exam and make sure to get hands-on experience, which
will allow you to retain what you have learned.
A New Type of Question

Exam 70-291 includes a new question type from Microsoft (see figure). The
screen is split into three areas with the question at the top, pick-and-place
items on the bottom left and configuration screens on the bottom right.

Figure: A new question type splits the screen in three sections, which will
require considerable scrolling action on small displays.

The areas are resizable just like frames of a Web page. This means you may
have to do lots of scrolling and careful reading during the exam, since many
testing centers have smaller monitors than we're accustomed to on our desks.
Many of the questions require selecting the correct button or checkbox on a
simulated product screenshot. Microsoft offers a demo of all the new question
types at http://www.microsoft.com/traincert/mcpexams/faq/innovations.asp.
Routing and Remote Access
Implementing, Managing, and Maintaining Routing and Remote Access
was the objective where I found the most questions on the beta exam. You
may find questions in this area about ISA Server and wireless LANs.
Windows 2003 RRAS includes support for PPTP- and L2TP/IPSec-based VPNs. However,
if you use L2TP/IPSec clients or servers behind a network address translation
(NAT) router, both ends must support IPSec NAT traversal (NAT-T), which
Windows 2003 now includes. Either way, you need to understand a little about
Certificate Services to deploy secure VPN connections, since L2TP/IPSec
normally authenticates the two computers with certificates.
Once a certification authority is present on the network, a client computer
in a Windows 2003 domain can use auto-enrollment or the Certificates snap-in
to obtain a certificate. Alternatively, users can point their Web browsers
at the CA's Web enrollment pages at http://servername/certsrv, follow the
steps to request a certificate and install it on their computers. Certificates
are managed from the CA server, which also publishes the Certificate Revocation
List (CRL). When a VPN client's security is compromised, revoke its certificate
there and publish a fresh CRL; the VPN server rejects that certificate on the
next connection attempt once it has retrieved the new CRL.
Controlling access to RRAS is done with remote access policies. Each policy
has conditions (such as Windows group, time of day or connection type), a
permission (grant or deny) and a profile that constrains the connection, for
example to a specific authentication method or encryption strength.
Tip: You can increase the security and manageability of
RRAS servers by using Internet Authentication Service (IAS) to centralize
VPN or dial-up networking authentication, authorization and accounting.
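Because the grant-or-deny logic is where exam questions (and real lockouts) hide, here is an added Python model (not from the review, and not Microsoft's code) of how a Windows 2003 RRAS or IAS server evaluates remote access policies: policies are tried in order and the first one whose conditions all match is used; the user account's dial-in setting (Allow, Deny, or Control access through Remote Access Policy) then decides whether the policy's permission counts; finally the matched policy's profile constraints, here the permitted authentication methods, are enforced. Policy names, groups, users and times are made up.

```python
from datetime import datetime

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


def conditions_match(policy, attempt):
    """All of a policy's conditions must hold for the policy to apply."""
    c = policy["conditions"]
    if "groups" in c and not (c["groups"] & attempt["groups"]):
        return False                      # Windows-Groups condition
    if "port_types" in c and attempt["port_type"] not in c["port_types"]:
        return False                      # NAS-Port-Type condition
    if "hours" in c:                      # Day-And-Time-Restrictions: {weekday: (start, end)}
        when = attempt["when"]
        window = c["hours"].get(when.weekday())
        if window is None or not (window[0] <= when.hour < window[1]):
            return False
    return True


def evaluate(policies, attempt, account_dialin):
    """Return (decision, reason). account_dialin is "Allow", "Deny" or "Policy"."""
    policy = next((p for p in policies if conditions_match(p, attempt)), None)
    if policy is None:
        return "Reject", "no matching remote access policy"

    if account_dialin == "Deny":
        return "Reject", f"{policy['name']}: dial-in permission denied on the account"
    if account_dialin == "Policy" and policy["permission"] == "Deny":
        return "Reject", f"{policy['name']}: policy denies access"
    # "Allow" on the account overrides the policy's permission, but not its profile.

    allowed_auth = policy.get("profile", {}).get("auth")
    if allowed_auth and attempt["auth"] not in allowed_auth:
        return "Reject", f"{policy['name']}: profile does not permit {attempt['auth']}"
    return "Accept", policy["name"]


# Constructed policy list, in the order an administrator would list them.
BUSINESS_HOURS = {d: (7, 19) for d in (MON, TUE, WED, THU, FRI)}
POLICIES = [
    {"name": "Block dial-up",
     "conditions": {"port_types": {"Async (Modem)"}}, "permission": "Deny"},
    {"name": "VPN Users during business hours",
     "conditions": {"groups": {"VPN Users"}, "port_types": {"Virtual (VPN)"},
                    "hours": BUSINESS_HOURS},
     "permission": "Grant", "profile": {"auth": {"MS-CHAP v2", "EAP"}}},
    {"name": "Connections to other access servers",   # catch-all, like the default policy
     "conditions": {}, "permission": "Deny"},
]


def make_attempt(user, groups, when, port_type="Virtual (VPN)", auth="MS-CHAP v2"):
    return {"user": user, "groups": set(groups), "when": when,
            "port_type": port_type, "auth": auth}


# Constructed connection attempts (14 August 2003 is a Thursday) and the account setting.
SCENARIOS = {
    "vpn_office_hours": (make_attempt("alice", ["VPN Users"], datetime(2003, 8, 14, 10, 0)), "Policy"),
    "vpn_at_night": (make_attempt("alice", ["VPN Users"], datetime(2003, 8, 14, 22, 0)), "Policy"),
    "vpn_weak_auth": (make_attempt("alice", ["VPN Users"], datetime(2003, 8, 14, 10, 0), auth="PAP"), "Policy"),
    "account_allow_overrides": (make_attempt("bob", ["Domain Users"], datetime(2003, 8, 14, 22, 0)), "Allow"),
    "account_deny": (make_attempt("alice", ["VPN Users"], datetime(2003, 8, 14, 10, 0)), "Deny"),
}


def run_scenarios(policies=POLICIES):
    """Evaluate every constructed scenario; returns {name: (decision, reason)}."""
    return {name: evaluate(policies, att, perm) for name, (att, perm) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome[0]} ({outcome[1]})")
```

Two things worth noticing in the results: an account set to Allow gets in through the catch-all deny policy, because the account permission overrides the policy permission (the profile still applies), and a user who matches a grant policy is still rejected when the profile does not permit the authentication method the client negotiated.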
70-291: Windows Server 2003 Network Infrastructure

Exam Title: Implementing, Managing and Maintaining a Microsoft Windows Server
2003 Network Infrastructure
Status: Live on August 14, 2003.
Reviewer's Rating: "This exam requires you to show expertise with TCP/IP, DNS,
DHCP, RRAS, ISA Server and a few topics not listed within the exam objectives,
such as deploying wireless LANs."
Who Should Take It: Core for MCSA and MCSE on Windows Server 2003.
Preparation Guide: http://www.microsoft.com/traincert/exams/70-291.asp
IAS now provides authentication, authorization and accounting for connections
that use the IEEE 802.1X standard for wireless access. 802.1X adds another
layer of security to wireless networks and is built into Windows XP, which
also includes Wireless Zero Configuration (WZC), a great feature.
Tech Note: The 802.1X standard defines port-based network
access control to provide authenticated access for Ethernet networks.
This port-based network access control uses the physical characteristics
of the switched LAN infrastructure to authenticate devices attached to
a LAN port. Access to the port can be denied if the authentication process
fails.
The wireless AP used must support configuration as a RADIUS client and
Wired Equivalent Privacy (WEP) with 802.1X authentication. The Microsoft
802.1X Authentication Client provides support for computers running many
different versions of Windows all the way back to NT. (You can download
this supported client from
www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp.)
New GPO settings allow you to pre-configure a user's WLAN network connection
type, ad hoc or infrastructure, network name (SSID), WEP settings, access
control using 802.1X and authentication methods and settings.
Tip: To support a secure wireless solution with Windows
2003, you need: AD, DNS, DHCP, RADIUS, a PKI and EAP-TLS or PEAP.
Windows 2003 supports RIP versions 1 and 2 and OSPF as routing protocols.
Configuration is done after adding the protocol under IP Routing in the RRAS console.
Troubleshooting tools include the traditional ping, tracert and route
commands. Understand what each tool offers for this exam and how to decipher
the output of each.
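Deciphering route output comes down to one rule: longest prefix match first, lowest metric as the tiebreak. As an added example (not from the review), here is a Python script that parses a constructed table in the shape of Windows Server 2003's route print output and answers, for any destination, which route the host would pick, which next hop it would ARP for, and whether the delivery is direct. The sample table, addresses and metrics are made up.

```python
import ipaddress

# Constructed sample in the shape of "route print" on Windows Server 2003 (not a
# real capture): the host is 10.1.4.70/26 with default gateway 10.1.4.65, and it
# knows two routes to 10.2.0.0/16 with different metrics.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.1.4.65       10.1.4.70      20
        10.1.4.64  255.255.255.192        10.1.4.70       10.1.4.70      20
        10.1.4.70  255.255.255.255        127.0.0.1       127.0.0.1      20
         10.2.0.0      255.255.0.0        10.1.4.66       10.1.4.70      10
         10.2.0.0      255.255.0.0        10.1.4.67       10.1.4.70      30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
  255.255.255.255  255.255.255.255        10.1.4.70       10.1.4.70       1
Default Gateway:         10.1.4.65
"""


def parse_route_table(text):
    """Turn route-print style lines into route dicts; headers and footers are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            network = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gateway = ipaddress.ip_address(parts[2])
            interface = ipaddress.ip_address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue   # a header line such as "Network Destination ..."
        routes.append({"network": network, "gateway": gateway,
                       "interface": interface, "metric": metric})
    return routes


def lookup(routes, destination):
    """Pick the route a Windows host would use: longest prefix match, then lowest metric."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in r["network"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return {
        "network": str(best["network"]),
        "next_hop": str(best["gateway"]),
        "interface": str(best["interface"]),
        # A route whose gateway is the interface's own address is delivered directly (on-link).
        "on_link": best["gateway"] == best["interface"],
    }


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT)
    for dest in ("10.1.4.80", "10.2.9.1", "192.0.2.1", "10.1.4.70"):
        print(dest, "->", lookup(table, dest))
```

Run the same lookup against the table from a host with a mistyped gateway and the default route's next hop is an address the host cannot ARP for, which is the failure the ipconfig and ping questions are built around; tracert then shows no first hop at all.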
Tip: The interfaces container in RRAS is used to add additional
interfaces for routing.
ISA Server is a proxy caching and firewall server first released for Windows
2000. The ISA Server SP1 update is required to install it on Windows 2003,
and it includes integration for protecting IIS and Exchange servers. There's
a specific exam for ISA Server (70-227), but 70-291 includes a few questions
regarding its capabilities.
10 Things To Practice

1. Enable RRAS on your server. Practice configuring and managing dial-up
and VPN connections. Using a null-modem cable and a crossover network cable,
you can easily simulate remote dial-up and VPN connections.
2. Deploy and distribute Certificate Services computer and user certificates.
Install a CA, issue certificates to computers and users and publish them to
AD while you're there.
3. Install, configure and manage all DNS zone types. You need to practice
creating, managing and maintaining AD anyhow; create the DNS zones manually
and understand how each is used. Practice troubleshooting problems!
4. Understand and configure DNS conditional forwarding. Practice this one in
conjunction with #3 and configure one of your servers using conditional
forwarding.
5. Practice subnetting and understand IP addressing. You'll need to know
subnetting for this exam and how to recognize addressing misconfigurations.
Haven't you put it off long enough?
6. Install and configure IAS with RRAS. This is not a difficult task and
you'll be happy you mastered it for this exam.
7. Install and configure ISA Server. You can download an evaluation copy for
free. Even if you don't need Microsoft's proxy and firewall server on your
network, understanding the basics of ISA Server is a must for this exam.
8. Create and manage DHCP scopes and options. Creating a scope is an easy
task, but do you really understand DHCP servers and how to maintain them?
Configure one of your servers as a router and place a server and client on
opposite segments to learn about relay agents and DHCP server management.
9. Use and understand the capabilities of Network Monitor. This can be boring
for some, but after the initial pain, analyzing network packets can be fun!
Learn how to use this tool if nothing else.
10. Use and understand Event Viewer and System Monitor. Easy enough, but do
you really understand how to use these tools to their fullest? Hands-on
practice and the help files will get you through.
Maintaining a Network Infrastructure
The final objective on 70-291 is Maintaining a Network Infrastructure.
Here you'll find topics such as monitoring network traffic, using Network
Monitor and System Monitor, troubleshooting Internet connectivity and
server services.
Network Monitor is a preferred tool for finding network traffic that
is expected or unexpected! Using capture and display filters, you can
locate and diagnose TCP/IP, DNS, DHCP, RRAS and WLAN client and server
traffic.
IPSec monitoring and logging can be useful when locating VPN connection
errors or viewing current security associations.
Tip: SNMP is also a network management tool often used
to diagnose and help resolve network traffic issues.
Restarting services such as DNS, DHCP and RRAS can be a "quick fix"
in some cases after locating the problem. For more advanced troubleshooting,
Event Viewer and System Monitor come to the rescue once again!
Final report
Exam 70-291 is for those wanting to prove their network implementation
and administration skills on Windows Server 2003. There are many exam
topics here that aren't tested anywhere else in the MCSA and MCSE track,
and you'll need to have a firm grasp on networking as a whole, as well
as the Microsoft-specific details. With study time and practice, you can
ace this one.
Stay tuned for my next article where I will help you prepare for exam
70-293: Planning and Maintaining a Microsoft Windows 2003 Network Infrastructure.
The number of PKI, security and clustering questions was amazing! Good
luck!